From 1ec7a038f656d32150bf8177c53d6fc8e14d4606 Mon Sep 17 00:00:00 2001 From: Marcos Yacob Date: Tue, 18 Oct 2022 17:28:17 -0300 Subject: [PATCH 001/257] Upgrade go health (#3507) Signed-off-by: Marcos Yacob --- go.mod | 2 +- go.sum | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index 3071aa99c2..be54b87a99 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0 github.com/GoogleCloudPlatform/cloudsql-proxy v1.32.0 - github.com/InVisionApp/go-health/v2 v2.1.2 + github.com/InVisionApp/go-health/v2 v2.1.3 github.com/InVisionApp/go-logger v1.0.1 github.com/Microsoft/go-winio v0.6.0 github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 diff --git a/go.sum b/go.sum index a055bcfda5..4054c9aeb8 100644 --- a/go.sum +++ b/go.sum 
@@ -113,8 +113,8 @@ github.com/DataDog/datadog-go v3.2.0+incompatible h1:qSG2N4FghB1He/r2mFrWKCaL7dX github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= github.com/GoogleCloudPlatform/cloudsql-proxy v1.32.0 h1:647YHw0ZJ3Uu5xlkytf1li7dqJ9mHg9zabuKdZP0vYU= github.com/GoogleCloudPlatform/cloudsql-proxy v1.32.0/go.mod h1:FjoDxLvxFAbnXFuUKkzM7rY66YaU/YHezlau786y9hs= -github.com/InVisionApp/go-health/v2 v2.1.2 h1:rWTIgU3XdMTn/oBJgIrCnrso1pHcI65biN+CUOpknq0= -github.com/InVisionApp/go-health/v2 v2.1.2/go.mod h1:Iz2FZRfK3sJecRvGCIgyBsKOjILdKTdLGiGFaO+JDYc= +github.com/InVisionApp/go-health/v2 v2.1.3 h1:PCMJAp+W5fynmBBmx/ovM44eG5w97NhXcea8O7lLso4= +github.com/InVisionApp/go-health/v2 v2.1.3/go.mod h1:7uPEpT8hbSNRNSFFbukF39eQQebNVbpPA44JpC2Q+9I= github.com/InVisionApp/go-logger v1.0.1 h1:WFL19PViM1mHUmUWfsv5zMo379KSWj2MRmBlzMFDRiE= github.com/InVisionApp/go-logger v1.0.1/go.mod h1:+cGTDSn+P8105aZkeOfIhdd7vFO5X1afUHcjvanY0L8= github.com/Masterminds/goutils v1.1.0 h1:zukEsf/1JZwCMgHiK3GZftabmxiCw4apj3a28RPBiVg= @@ -974,7 +974,7 @@ github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1 github.com/yuin/gopher-lua v0.0.0-20190514113301-1cd887cd7036/go.mod h1:gqRgreBUhTSL0GeU64rtZ3Uq3wtjOa/TB2YfrtkCbVQ= github.com/yusufpapurcu/wmi v1.2.2 h1:KBNDSne4vP5mbSWnJbO+51IMOXJB67QiYCSBrubbPRg= github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= -github.com/zaffka/mongodb-boltdb-mock v0.0.0-20180816124423-49954d88fa3e/go.mod h1:GsDD1qsG+86MeeCG7ndi6Ei3iGthKL3wQ7PTFigDfNY= +github.com/zaffka/mongodb-boltdb-mock v0.0.0-20221014194232-b4bb03fbe3a0/go.mod h1:GsDD1qsG+86MeeCG7ndi6Ei3iGthKL3wQ7PTFigDfNY= github.com/zeebo/errs v1.2.2/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs= github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= 
From 50d677f7c63a0ed178f952756c3ed17af6e2e6d2 Mon Sep 17 00:00:00 2001 From: Guilherme Oliveira do Carmo Carvalho <33766735+guilhermocc@users.noreply.github.com> Date: Wed, 19 Oct 2022 14:47:31 -0300 Subject: [PATCH 002/257] Enable agent path template customization for azure_msi node attestor plugin (#3488) Signed-off-by: Guilherme Carvalho --- conf/server/server_full.conf | 11 ++- doc/plugin_server_nodeattestor_azure_msi.md | 32 +++++-- doc/plugin_server_nodeattestor_gcp_iit.md | 43 +++++++--- pkg/common/plugin/azure/msi.go | 38 ++++++--- pkg/common/plugin/azure/msi_test.go | 83 ++++++++++++++++--- .../plugin/nodeattestor/azuremsi/msi.go | 38 ++++++--- .../plugin/nodeattestor/azuremsi/msi_test.go | 64 +++++++++++--- 7 files changed, 238 insertions(+), 71 deletions(-) diff --git a/conf/server/server_full.conf b/conf/server/server_full.conf index 06d57bb52b..8444c49b4d 100644 --- a/conf/server/server_full.conf +++ b/conf/server/server_full.conf @@ -8,7 +8,7 @@ server { # domain as the server and need not have a corresponding admin registration # entry with the server. # admin_ids = ["spiffe://example.org/my/admin"] - + # bind_address: IP address or DNS name of the SPIRE server. # Default: 0.0.0.0. bind_address = "127.0.0.1" @@ -145,7 +145,7 @@ server { # default_svid_ttl: The default SVID TTL. Default: 1h. # default_svid_ttl = "1h" - + # omit_x509svid_uid: If true, the subject on X509-SVIDs will not contain # the unique ID attribute. This configurable is deprecated and will be # removed from a future release. @@ -329,10 +329,9 @@ plugins { # # app_secret = "" # # } # # } - # } - - # # } - # # } + # # agent_path_template: A URL path portion format of Agent's SPIFFE ID. + # # Describe in text/template format. + # # agent_path_template = "" # } # } diff --git a/doc/plugin_server_nodeattestor_azure_msi.md b/doc/plugin_server_nodeattestor_azure_msi.md index 90a10785f3..6a98574922 100644 --- a/doc/plugin_server_nodeattestor_azure_msi.md 
+++ b/doc/plugin_server_nodeattestor_azure_msi.md 
@@ -17,20 +17,22 @@ attestation or to resolve selectors. ## Configuration -| Configuration | Required | Description | Default | -| --------------- | ----------- | ----------------------- | -| `tenants` | Required | A map of tenants, keyed by tenant ID, that are authorized for attestation. Tokens for unspecified tenants are rejected. | | +| Configuration | Required | Description | Default | +|-----------------------|----------|-------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------| +| `tenants` | Required | A map of tenants, keyed by tenant ID, that are authorized for attestation. Tokens for unspecified tenants are rejected. | | +| `agent_path_template` | Optional | A URL path portion format of Agent's SPIFFE ID. Describe in text/template format. | `"/{{ .PluginName }}/{{ .TenantID }}/{{ .PrincipalID }}"` | + Each tenant in the main configuration supports the following -| Configuration | Required | Description | Default | -| ----------------- | ----------- | ----------------------- | +| Configuration | Required | Description | Default | +|-------------------|--------------------------------------|-----------------------------------------------------------------------------------------------------------|-------------------------------| | `resource_id` | Optional | The resource ID (or audience) for the tenant's MSI token. Tokens for a different resource ID are rejected | https://management.azure.com/ | -| `use_msi` | [Optional](#authenticating-to-azure) | Whether or not to use MSI to authenticate to Azure services for selector resolution. 
| false | -| `subscription_id` | [Optional](#authenticating-to-azure) | The subscription the tenant resides in | | -| `app_id` | [Optional](#authenticating-to-azure) | The application id | | -| `app_secret` | [Optional](#authenticating-to-azure) | The application secret | | +| `use_msi` | [Optional](#authenticating-to-azure) | Whether or not to use MSI to authenticate to Azure services for selector resolution. | false | +| `subscription_id` | [Optional](#authenticating-to-azure) | The subscription the tenant resides in | | +| `app_id` | [Optional](#authenticating-to-azure) | The application id | | +| `app_secret` | [Optional](#authenticating-to-azure) | The application secret | | It is important to note that the resource ID MUST be for a well known Azure service, or an app ID for a registered app in Azure AD. Azure will not issue an @@ -97,6 +99,18 @@ The plugin produces the following selectors. All of the selectors have the type `azure_msi`. +## Agent Path Template +The agent path template is a way of customizing the format of generated SPIFFE IDs for agents. +The template formatter is using Golang text/template conventions, it can reference values provided by the plugin or in a [MSI access token](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#payload-claims). + +Some useful values are: + +| Value | Description | +|-----------------------|------------------------------------------------------------| +| .PluginName | The name of the plugin | +| .TenantID | Azure tenant identifier | +| .PrincipalID | A identifier that is unique to a particular application ID | + ## Security Considerations The Azure Managed Service Identity token, which this attestor leverages to prove node identity, is available to any process running on the node by default. As a result, it is possible for non-agent code running on a node to attest to the SPIRE Server, allowing it to obtain any workload identity that the node is authorized to run. 
diff --git a/doc/plugin_server_nodeattestor_gcp_iit.md b/doc/plugin_server_nodeattestor_gcp_iit.md index 71659b3493..7dad8bc449 100644 --- a/doc/plugin_server_nodeattestor_gcp_iit.md +++ b/doc/plugin_server_nodeattestor_gcp_iit.md 
@@ -8,14 +8,15 @@ This plugin requires an allow list of ProjectID from which nodes can be attested ## Configuration -| Configuration | Description | Default | -|---------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|---------| -| `projectid_allow_list` | List of ProjectIDs from which nodes can be attested. | | -| `use_instance_metadata` | If true, instance metadata is fetched from the Google Compute Engine API and used to augment the node selectors produced by the plugin. | false | -| `service_account_file` | Path to the service account file used to authenticate with the Google Compute Engine API | | -| `allowed_label_keys` | Instance label keys considered for selectors | | -| `allowed_metadata_keys` | Instance metadata keys considered for selectors | | -| `max_metadata_value_size` | Sets the maximum metadata value size considered by the plugin for selectors | 128 | +| Configuration | Description | Default | +|---------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------| +| `projectid_allow_list` | List of ProjectIDs from which nodes can be attested. | | +| `use_instance_metadata` | If true, instance metadata is fetched from the Google Compute Engine API and used to augment the node selectors produced by the plugin. | false | +| `service_account_file` | Path to the service account file used to authenticate with the Google Compute Engine API | | +| `allowed_label_keys` | Instance label keys considered for selectors | | +| `allowed_metadata_keys` | Instance metadata keys considered for selectors | | +| `max_metadata_value_size` | Sets the maximum metadata value size considered by the plugin for selectors | 128 | +| `agent_path_template` | A URL path portion format of Agent's SPIFFE ID. 
Describe in text/template format. | `"/{{ .PluginName }}/{{ .ProjectID }}/{{ .InstanceID }}"` | A sample configuration: @@ -31,11 +32,11 @@ A sample configuration: This plugin generates the following selectors based on information contained in the Instance Identity Token: -| Selector | Example | Description | -| -------------------------- | ------------------------------------------------------------ | ----------------------------------------- | -| `gcp_iit:project-id` | `gcp_iit:project-id:big-kahuna-123456` | ID of the project containing the instance | -| `gcp_iit:zone` | `gcp_iit:zone:us-west1-b` | Zone containing the instance | -| `gcp_iit:instance-name` | `gcp_iit:instance-name:blog-server` | Name of the instance | +| Selector | Example | Description | +|-------------------------|----------------------------------------|-------------------------------------------| +| `gcp_iit:project-id` | `gcp_iit:project-id:big-kahuna-123456` | ID of the project containing the instance | +| `gcp_iit:zone` | `gcp_iit:zone:us-west1-b` | Zone containing the instance | +| `gcp_iit:instance-name` | `gcp_iit:instance-name:blog-server` | Name of the instance | If `use_instance_metadata` is true, then the Google Compute Engine API is queried for instance metadata which is used to populate these additional selectors: 
@@ -67,6 +68,22 @@ The plugin uses the Application Default Credentials to authenticate with the Goo The service account must have IAM permissions and Authorization Scopes granting access to the following APIs: * [compute.instances.get](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get) +## Agent Path Template +The agent path template is a way of customizing the format of generated SPIFFE IDs for agents. +The template formatter is using Golang text/template conventions, it can reference values provided by the plugin or in a [Compute Engine identity token](https://cloud.google.com/compute/docs/instances/verifying-instance-identity#payload). + +Some useful values are: + +| Value | Description | +|----------------------------|------------------------------------------------------------------| +| .PluginName | The name of the plugin | +| .ProjectID | The ID for the project where the instance was created | +| .InstanceID | The unique ID for the instance to which this token belongs. | +| .ProjectNumber | The unique number for the project where you created the instance | +| .Zone | The zone where the instance is located | +| .InstanceCreationTimestamp | A Unix timestamp indicating when you created the instance. | + + ## Security Considerations The Instance Identity Token, which this attestor leverages to prove node identity, is available to any process running on the node by default. As a result, it is possible for non-agent code running on a node to attest to the SPIRE Server, allowing it to obtain any workload identity that the node is authorized to run. diff --git a/pkg/common/plugin/azure/msi.go b/pkg/common/plugin/azure/msi.go index 4868b144bb..201d36815e 100644 --- a/pkg/common/plugin/azure/msi.go +++ b/pkg/common/plugin/azure/msi.go 
@@ -5,9 +5,10 @@ import ( "encoding/json" "io" "net/http" - "net/url" - "path" + "github.com/spiffe/go-spiffe/v2/spiffeid" + "github.com/spiffe/spire/pkg/common/agentpathtemplate" + "github.com/spiffe/spire/pkg/common/idutil" "github.com/zeebo/errs" "gopkg.in/square/go-jose.v2/jwt" ) @@ -17,8 +18,12 @@ const ( // audience of the MSI token. The current value is the service ID for the // Resource Manager API. DefaultMSIResourceID = "https://management.azure.com/" + PluginName = "azure_msi" ) +// DefaultAgentPathTemplate is the default text/template +var DefaultAgentPathTemplate = agentpathtemplate.MustParse("/{{ .PluginName }}/{{ .TenantID }}/{{ .PrincipalID }}") + type ComputeMetadata struct { Name string `json:"name"` SubscriptionID string `json:"subscriptionId"` @@ -35,16 +40,8 @@ type MSIAttestationData struct { type MSITokenClaims struct { jwt.Claims - TenantID string `json:"tid,omitempty"` -} - -func (c *MSITokenClaims) AgentID(trustDomain string) string { - u := url.URL{ - Scheme: "spiffe", - Host: trustDomain, - Path: path.Join("spire", "agent", "azure_msi", c.TenantID, c.Subject), - } - return u.String() + TenantID string `json:"tid,omitempty"` + PrincipalID string `json:"sub,omitempty"` } type HTTPClient interface { @@ -125,6 +122,23 @@ func FetchInstanceMetadata(ctx context.Context, cl HTTPClient) (*InstanceMetadat return metadata, nil } +type agentPathTemplateData struct { + MSITokenClaims + PluginName string +} + +func MakeAgentID(td spiffeid.TrustDomain, agentPathTemplate *agentpathtemplate.Template, claims *MSITokenClaims) (spiffeid.ID, error) { + agentPath, err := agentPathTemplate.Execute(agentPathTemplateData{ + MSITokenClaims: *claims, + PluginName: PluginName, + }) + if err != nil { + return spiffeid.ID{}, err + } + + return idutil.AgentID(td, agentPath) +} + func tryRead(r io.Reader) string { b := make([]byte, 1024) n, _ := r.Read(b) 
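Review bot: The new `PrincipalID` field in `MSITokenClaims` is tagged `json:"sub,omitempty"`, the same key as `Subject` in the embedded `jwt.Claims`. Under the usual JSON field-precedence rules the shallower field wins, so `claims.Subject` is presumably left empty after decoding. The Attest hunk in pkg/server/plugin/nodeattestor/azuremsi/msi.go switches its reads to `claims.PrincipalID`, but any check outside this patch that still reads `Subject` (or a template that references `.Subject`) would see an empty string. A field comment would record that the shadowing is deliberate: `// PrincipalID carries the "sub" claim; it shadows jwt.Claims.Subject, which stays empty after decoding.`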
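Review bot: The exported `MakeAgentID` has no doc comment, and `agentPathTemplateData` embeds the whole `MSITokenClaims`, so every decoded token field is reachable from an operator-supplied template, not only the three used by the default. Claim values are interpolated into the path as-is; the only shape check visible here is whatever `idutil.AgentID` enforces (the added test shows it rejecting empty segments). I would state that contract on the function: `// MakeAgentID renders agentPathTemplate with the token claims plus PluginName and returns the agent ID under td; it fails if rendering fails or the rendered path is not a valid agent path.` The neighbouring comment `// DefaultAgentPathTemplate is the default text/template` also reads as unfinished and could say what the default renders to.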
diff --git a/pkg/common/plugin/azure/msi_test.go b/pkg/common/plugin/azure/msi_test.go index f134e94b74..c8af4d87e2 100644 --- a/pkg/common/plugin/azure/msi_test.go +++ b/pkg/common/plugin/azure/msi_test.go @@ -2,26 +2,20 @@ package azure import ( "context" + "errors" "fmt" "io" "net/http" "strings" "testing" + "github.com/spiffe/go-spiffe/v2/spiffeid" + "github.com/spiffe/spire/pkg/common/agentpathtemplate" + "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "gopkg.in/square/go-jose.v2/jwt" ) -func TestMSITokenClaims(t *testing.T) { - claims := MSITokenClaims{ - Claims: jwt.Claims{ - Subject: "PRINCIPALID", - }, - TenantID: "TENANTID", - } - require.Equal(t, "spiffe://example.org/spire/agent/azure_msi/TENANTID/PRINCIPALID", claims.AgentID("example.org")) -} - func TestFetchMSIToken(t *testing.T) { ctx := context.Background() 
@@ -114,6 +108,75 @@ func TestFetchInstanceMetadata(t *testing.T) { require.Equal(t, expected, metadata) } +func TestMakeAgentID(t *testing.T) { + type args struct { + td string + agentPathTemplate string + claims *MSITokenClaims + } + tests := []struct { + name string + args args + want string + errWanted error + }{ + { + name: "successfully applies template", + args: args{ + td: "example.org", + agentPathTemplate: "/{{ .PluginName }}/{{ .TenantID }}/{{ .PrincipalID }}", + claims: &MSITokenClaims{ + Claims: jwt.Claims{}, + TenantID: "TENANTID", + PrincipalID: "PRINCIPALID", + }, + }, + want: "spiffe://example.org/spire/agent/azure_msi/TENANTID/PRINCIPALID", + errWanted: nil, + }, + { + name: "error applying template with non-existent field", + args: args{ + td: "example.org", + agentPathTemplate: "/{{ .PluginName }}/{{ .TenantID }}/{{ .NonExistent }}", + claims: &MSITokenClaims{ + Claims: jwt.Claims{}, + TenantID: "TENANTID", + PrincipalID: "PRINCIPALID", + }, + }, + want: "", + errWanted: errors.New("template: agent-path:1:38: executing \"agent-path\" at <.NonExistent>: can't evaluate field NonExistent in type azure.agentPathTemplateData"), + }, + { + name: "error building agent ID with invalid path", + args: args{ + td: "example.org", + agentPathTemplate: "/{{ .PluginName }}/{{ .TenantID }}/{{ .PrincipalID }}", + claims: &MSITokenClaims{ + Claims: jwt.Claims{}, + }, + }, + want: "", + errWanted: errors.New("invalid agent path suffix \"/azure_msi//\": path cannot contain empty segments"), + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + td := spiffeid.RequireTrustDomainFromString(test.args.td) + agentPathTemplate, _ := agentpathtemplate.Parse(test.args.agentPathTemplate) + got, err := MakeAgentID(td, agentPathTemplate, test.args.claims) + if test.errWanted != nil { + require.EqualError(t, err, test.errWanted.Error()) + return + } + assert.NoError(t, err) + assert.Equal(t, test.want, got.String()) + }) + } +} + func 
fakeTokenHTTPClient(statusCode int, body string) HTTPClient { return HTTPClientFunc(func(req *http.Request) (*http.Response, error) { // assert the expected request values diff --git a/pkg/server/plugin/nodeattestor/azuremsi/msi.go b/pkg/server/plugin/nodeattestor/azuremsi/msi.go index 0ff13cc3ad..a4cfbc1da1 100644 --- a/pkg/server/plugin/nodeattestor/azuremsi/msi.go +++ b/pkg/server/plugin/nodeattestor/azuremsi/msi.go @@ -20,6 +20,7 @@ import ( "github.com/spiffe/go-spiffe/v2/spiffeid" nodeattestorv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/nodeattestor/v1" configv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/service/common/config/v1" + "github.com/spiffe/spire/pkg/common/agentpathtemplate" "github.com/spiffe/spire/pkg/common/catalog" "github.com/spiffe/spire/pkg/common/jwtutil" "github.com/spiffe/spire/pkg/common/plugin/azure" @@ -69,7 +70,8 @@ type TenantConfig struct { } type MSIAttestorConfig struct { - Tenants map[string]*TenantConfig `hcl:"tenants" json:"tenants"` + Tenants map[string]*TenantConfig `hcl:"tenants" json:"tenants"` + AgentPathTemplate string `hcl:"agent_path_template" json:"agent_path_template"` } type tenantConfig struct { @@ -78,8 +80,9 @@ type tenantConfig struct { } type msiAttestorConfig struct { - td spiffeid.TrustDomain - tenants map[string]*tenantConfig + td spiffeid.TrustDomain + tenants map[string]*tenantConfig + idPathTemplate *agentpathtemplate.Template } type MSIAttestorPlugin struct { 
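Review bot: In `TestMakeAgentID` (pkg/common/plugin/azure/msi_test.go) the parse error is discarded with `agentPathTemplate, _ := agentpathtemplate.Parse(...)`. A typo in a table entry's template would therefore presumably reach `MakeAgentID` as a nil template instead of failing the test with a clear message. Check it directly: `agentPathTemplate, err := agentpathtemplate.Parse(test.args.agentPathTemplate)` followed by `require.NoError(t, err)`. On the success path `assert.NoError` is followed by `assert.Equal` on `got.String()`; `require.NoError` would stop before comparing a zero `spiffeid.ID`.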
@@ -168,17 +171,22 @@ func (p *MSIAttestorPlugin) Attest(stream nodeattestorv1.NodeAttestor_AttestServ if err := token.Claims(&keys[0], claims); err != nil { return status.Errorf(codes.InvalidArgument, "unable to verify token: %v", err) } + switch { case claims.TenantID == "": return status.Error(codes.Internal, "token missing tenant ID claim") - case claims.Subject == "": + case claims.PrincipalID == "": return status.Error(codes.Internal, "token missing subject claim") } // Before doing the work to validate the token, ensure that this MSI token // has not already been used to attest an agent. - agentID := claims.AgentID(config.td.String()) - if err := p.AssessTOFU(stream.Context(), agentID, p.log); err != nil { + agentID, err := azure.MakeAgentID(config.td, config.idPathTemplate, claims) + if err != nil { + return status.Errorf(codes.Internal, "unable to make agent ID: %v", err) + } + + if err := p.AssessTOFU(stream.Context(), agentID.String(), p.log); err != nil { return err } @@ -196,7 +204,7 @@ func (p *MSIAttestorPlugin) Attest(stream nodeattestorv1.NodeAttestor_AttestServ var selectorValues []string if tenant.client != nil { - selectorValues, err = p.resolve(stream.Context(), tenant.client, claims.Subject) + selectorValues, err = p.resolve(stream.Context(), tenant.client, claims.PrincipalID) if err != nil { return err } @@ -205,7 +213,7 @@ func (p *MSIAttestorPlugin) Attest(stream nodeattestorv1.NodeAttestor_AttestServ return stream.Send(&nodeattestorv1.AttestResponse{ Response: &nodeattestorv1.AttestResponse_AgentAttributes{ AgentAttributes: &nodeattestorv1.AgentAttributes{ - SpiffeId: agentID, + SpiffeId: agentID.String(), CanReattest: false, SelectorValues: selectorValues, }, 
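Review bot: In `Attest`, the string passed to `AssessTOFU` is now whatever the operator's template renders, and nothing here checks that it still identifies a single principal. A template that leaves out `.PrincipalID`, like the `"/{{ .PluginName }}/{{ .TenantID }}"` used by the new plugin test, renders the same agent ID for every VM in a tenant. Distinct nodes would then share one identity, and with `CanReattest: false` a second node would presumably be rejected as already attested. Until Configure or the plugin documentation requires a per-node value, a comment above the `azure.MakeAgentID` call would help: `// agentID is the TOFU key; a custom agent_path_template must keep a per-principal value (e.g. .PrincipalID) or distinct nodes collapse into one ID.` The body of `Attest` starts before and continues after this hunk.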
@@ -297,9 +305,19 @@ func (p *MSIAttestorPlugin) Configure(ctx context.Context, req *configv1.Configu } } + tmpl := azure.DefaultAgentPathTemplate + if len(hclConfig.AgentPathTemplate) > 0 { + var err error + tmpl, err = agentpathtemplate.Parse(hclConfig.AgentPathTemplate) + if err != nil { + return nil, status.Errorf(codes.InvalidArgument, "failed to parse agent path template: %q", hclConfig.AgentPathTemplate) + } + } + p.setConfig(&msiAttestorConfig{ - td: td, - tenants: tenants, + td: td, + tenants: tenants, + idPathTemplate: tmpl, }) return &configv1.ConfigureResponse{}, nil } diff --git a/pkg/server/plugin/nodeattestor/azuremsi/msi_test.go b/pkg/server/plugin/nodeattestor/azuremsi/msi_test.go index 39cc16d084..2a1b6a00d7 100644 --- a/pkg/server/plugin/nodeattestor/azuremsi/msi_test.go +++ b/pkg/server/plugin/nodeattestor/azuremsi/msi_test.go 
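Review bot: The parse-failure branch added to `Configure` drops `err`: the status message only echoes the template string, so the operator gets no indication of what is wrong with it. Include the cause: `return nil, status.Errorf(codes.InvalidArgument, "failed to parse agent path template: %q: %v", hclConfig.AgentPathTemplate, err)`. `Configure` begins before this hunk, so the earlier validation of `hclConfig` is not visible here.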
@@ -235,6 +235,44 @@ func (s *MSIAttestorSuite) TestAttestSuccessWithCustomResourceID() { vmSelectors) } +func (s *MSIAttestorSuite) TestAttestSuccessWithCustomSPIFFEIDTemplate() { + s.setVirtualMachine(&armcompute.VirtualMachine{ + Properties: &armcompute.VirtualMachineProperties{}, + }) + + payload := s.signAttestPayload("KEYID", resourceID, "TENANTID", "PRINCIPALID") + + selectorValues := append([]string{}, vmSelectors...) + sort.Strings(selectorValues) + + var expected []*common.Selector + for _, selectorValue := range selectorValues { + expected = append(expected, &common.Selector{ + Type: "azure_msi", + Value: selectorValue, + }) + } + + attestorWithCustomAgentTemplate := s.loadPluginWithConfig( + ` + tenants = { + "TENANTID" = { + resource_id = "https://example.org/app/" + use_msi = true + } + "TENANTID2" = { + use_msi = true + } + } + agent_path_template = "/{{ .PluginName }}/{{ .TenantID }}" + `) + resp, err := attestorWithCustomAgentTemplate.Attest(context.Background(), payload, expectNoChallenge) + s.Require().NoError(err) + s.Require().NotNil(resp) + s.Require().Equal("spiffe://example.org/spire/agent/azure_msi/TENANTID", resp.AgentID) + s.RequireProtoListEqual(expected, resp.Selectors) +} + func (s *MSIAttestorSuite) TestAttestSuccessWithNoClientCredentials() { s.attestor = s.loadPlugin(plugintest.Configure(` tenants = { @@ -586,6 +624,20 @@ func (s *MSIAttestorSuite) signAttestPayload(keyID, audience, tenantID, principa } func (s *MSIAttestorSuite) loadPlugin(options ...plugintest.Option) nodeattestor.NodeAttestor { + return s.loadPluginWithConfig(` + tenants = { + "TENANTID" = { + resource_id = "https://example.org/app/" + use_msi = true + } + "TENANTID2" = { + use_msi = true + } + } + `, options...) +} + +func (s *MSIAttestorSuite) loadPluginWithConfig(config string, options ...plugintest.Option) nodeattestor.NodeAttestor { attestor := New() attestor.hooks.now = func() time.Time { return s.now 
@@ -609,17 +661,7 @@ func (s *MSIAttestorSuite) loadPlugin(options ...plugintest.Option) nodeattestor plugintest.CoreConfig(catalog.CoreConfig{ TrustDomain: spiffeid.RequireTrustDomainFromString("example.org"), }), - plugintest.Configure(` - tenants = { - "TENANTID" = { - resource_id = "https://example.org/app/" - use_msi = true - } - "TENANTID2" = { - use_msi = true - } - } - `), + plugintest.Configure(config), }, options...)...) return v1 } From e375f1085d229d07827e97e7f2155283c387917d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 19 Oct 2022 13:51:41 -0600 Subject: [PATCH 003/257] Bump github.com/docker/docker (#3508) Bumps [github.com/docker/docker](https://github.com/docker/docker) from 20.10.18+incompatible to 20.10.20+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Changelog](https://github.com/moby/moby/blob/master/CHANGELOG.md) - [Commits](https://github.com/docker/docker/compare/v20.10.18...v20.10.20) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Harding --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index be54b87a99..83cf3c4cac 100644 --- a/go.mod +++ b/go.mod @@ -29,7 +29,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/sts v1.16.16 github.com/blang/semver/v4 v4.0.0 github.com/cenkalti/backoff/v3 v3.2.2 - github.com/docker/docker v20.10.18+incompatible + github.com/docker/docker v20.10.20+incompatible github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1 github.com/go-logr/logr v1.2.3 github.com/go-sql-driver/mysql v1.6.0 diff --git a/go.sum b/go.sum index 4054c9aeb8..1477e40740 100644 --- a/go.sum 
+++ b/go.sum @@ -284,8 +284,8 @@ github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug= github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v20.10.18+incompatible h1:SN84VYXTBNGn92T/QwIRPlum9zfemfitN7pbsp26WSc= -github.com/docker/docker v20.10.18+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v20.10.20+incompatible h1:kH9tx6XO+359d+iAkumyKDc5Q1kOwPuAUaeri48nD6E= +github.com/docker/docker v20.10.20+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw= From 6f54e32abb7ae64e338eb8233cb342d2c340b105 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 19 Oct 2022 14:56:34 -0600 Subject: [PATCH 004/257] Bump k8s.io/client-go from 0.25.2 to 0.25.3 (#3509) Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.25.2 to 0.25.3. - [Release notes](https://github.com/kubernetes/client-go/releases) - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/kubernetes/client-go/compare/v0.25.2...v0.25.3) --- updated-dependencies: - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Harding --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 83cf3c4cac..3e7c9d446e 100644 --- a/go.mod +++ b/go.mod @@ -72,9 +72,9 @@ require ( google.golang.org/grpc v1.50.0 google.golang.org/protobuf v1.28.1 gopkg.in/square/go-jose.v2 v2.6.0 - k8s.io/api v0.25.2 - k8s.io/apimachinery v0.25.2 - k8s.io/client-go v0.25.2 + k8s.io/api v0.25.3 + k8s.io/apimachinery v0.25.3 + k8s.io/client-go v0.25.3 k8s.io/kube-aggregator v0.23.3 k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed sigs.k8s.io/controller-runtime v0.13.0 diff --git a/go.sum b/go.sum index 1477e40740..d59c0c1967 100644 --- a/go.sum +++ b/go.sum 
@@ -1646,17 +1646,17 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= k8s.io/api v0.23.3/go.mod h1:w258XdGyvCmnBj/vGzQMj6kzdufJZVUwEM1U2fRJwSQ= -k8s.io/api v0.25.2 h1:v6G8RyFcwf0HR5jQGIAYlvtRNrxMJQG1xJzaSeVnIS8= -k8s.io/api v0.25.2/go.mod h1:qP1Rn4sCVFwx/xIhe+we2cwBLTXNcheRyYXwajonhy0= +k8s.io/api v0.25.3 h1:Q1v5UFfYe87vi5H7NU0p4RXC26PPMT8KOpr1TLQbCMQ= +k8s.io/api v0.25.3/go.mod h1:o42gKscFrEVjHdQnyRenACrMtbuJsVdP+WVjqejfzmI= k8s.io/apiextensions-apiserver v0.25.0 h1:CJ9zlyXAbq0FIW8CD7HHyozCMBpDSiH7EdrSTCZcZFY= k8s.io/apiextensions-apiserver v0.25.0/go.mod h1:3pAjZiN4zw7R8aZC5gR0y3/vCkGlAjCazcg1me8iB/E= k8s.io/apimachinery v0.23.3/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM= -k8s.io/apimachinery v0.25.2 h1:WbxfAjCx+AeN8Ilp9joWnyJ6xu9OMeS/fsfjK/5zaQs= -k8s.io/apimachinery v0.25.2/go.mod h1:hqqA1X0bsgsxI6dXsJ4HnNTBOmJNxyPp8dw3u2fSHwA= +k8s.io/apimachinery v0.25.3 h1:7o9ium4uyUOM76t6aunP0nZuex7gDf8VGwkR5RcJnQc= +k8s.io/apimachinery v0.25.3/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo= k8s.io/apiserver v0.23.3/go.mod h1:3HhsTmC+Pn+Jctw+Ow0LHA4dQ4oXrQ4XJDzrVDG64T4= k8s.io/client-go v0.23.3/go.mod h1:47oMd+YvAOqZM7pcQ6neJtBiFH7alOyfunYN48VsmwE= -k8s.io/client-go v0.25.2 h1:SUPp9p5CwM0yXGQrwYurw9LWz+YtMwhWd0GqOsSiefo= -k8s.io/client-go v0.25.2/go.mod h1:i7cNU7N+yGQmJkewcRD2+Vuj4iz7b30kI8OcL3horQ4= +k8s.io/client-go v0.25.3 h1:oB4Dyl8d6UbfDHD8Bv8evKylzs3BXzzufLiO27xuPs0= +k8s.io/client-go v0.25.3/go.mod h1:t39LPczAIMwycjcXkVc+CB+PZV69jQuNx4um5ORDjQA= k8s.io/code-generator v0.23.3/go.mod h1:S0Q1JVA+kSzTI1oUvbKAxZY/DYbA/ZUb4Uknog12ETk= k8s.io/component-base v0.23.3/go.mod h1:1Smc4C60rWG7d3HjSYpIwEbySQ3YWg0uzH5a2AtaTLg= k8s.io/component-base v0.25.0 h1:haVKlLkPCFZhkcqB6WCvpVxftrg6+FK5x1ZuaIDaQ5Y= 
From 38f152e1a17c067188b7ffdd30d3574d9cd3271d Mon Sep 17 00:00:00 2001 From: Marcos Yacob Date: Wed, 19 Oct 2022 18:33:03 -0300 Subject: [PATCH 005/257] Remove go health dependency (#3513) Signed-off-by: Marcos Yacob --- go.mod | 2 - go.sum | 19 -- pkg/common/health/cache.go | 211 ++++++++++++++++++++ pkg/common/health/cache_test.go | 321 +++++++++++++++++++++++++++++++ pkg/common/health/health.go | 68 ++----- pkg/common/health/health_test.go | 118 ++++++++++++ pkg/common/health/logger.go | 45 ----- pkg/common/telemetry/names.go | 12 ++ 8 files changed, 681 insertions(+), 115 deletions(-) create mode 100644 pkg/common/health/cache.go create mode 100644 pkg/common/health/cache_test.go delete mode 100644 pkg/common/health/logger.go diff --git a/go.mod b/go.mod index 3e7c9d446e..e3033d2492 100644 --- a/go.mod +++ b/go.mod @@ -12,8 +12,6 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0 github.com/GoogleCloudPlatform/cloudsql-proxy v1.32.0 - github.com/InVisionApp/go-health/v2 v2.1.3 - github.com/InVisionApp/go-logger v1.0.1 github.com/Microsoft/go-winio v0.6.0 github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 github.com/armon/go-metrics v0.4.1 diff --git a/go.sum b/go.sum index d59c0c1967..1aaaca6c00 100644 --- a/go.sum +++ b/go.sum 
@@ -108,15 +108,10 @@ github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1 h1:BWe8a+f/t+7 github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/DATA-DOG/go-sqlmock v1.3.3/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM= github.com/DataDog/datadog-go v3.2.0+incompatible h1:qSG2N4FghB1He/r2mFrWKCaL7dXCilEuNEeAn20fdD4= github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= github.com/GoogleCloudPlatform/cloudsql-proxy v1.32.0 h1:647YHw0ZJ3Uu5xlkytf1li7dqJ9mHg9zabuKdZP0vYU= github.com/GoogleCloudPlatform/cloudsql-proxy v1.32.0/go.mod h1:FjoDxLvxFAbnXFuUKkzM7rY66YaU/YHezlau786y9hs= -github.com/InVisionApp/go-health/v2 v2.1.3 h1:PCMJAp+W5fynmBBmx/ovM44eG5w97NhXcea8O7lLso4= -github.com/InVisionApp/go-health/v2 v2.1.3/go.mod h1:7uPEpT8hbSNRNSFFbukF39eQQebNVbpPA44JpC2Q+9I= -github.com/InVisionApp/go-logger v1.0.1 h1:WFL19PViM1mHUmUWfsv5zMo379KSWj2MRmBlzMFDRiE= -github.com/InVisionApp/go-logger v1.0.1/go.mod h1:+cGTDSn+P8105aZkeOfIhdd7vFO5X1afUHcjvanY0L8= github.com/Masterminds/goutils v1.1.0 h1:zukEsf/1JZwCMgHiK3GZftabmxiCw4apj3a28RPBiVg= github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc= 
@@ -136,7 +131,6 @@ github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tN github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/StackExchange/wmi v0.0.0-20190523213315-cbe66965904d/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg= github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8= github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= @@ -144,8 +138,6 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= -github.com/alicebob/gopher-json v0.0.0-20180125190556-5a6b3ba71ee6/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc= -github.com/alicebob/miniredis v2.5.0+incompatible/go.mod h1:8HZjEj4yU0dwhYHky+DxYx+6BMjkBbe5ONFIF1MXffk= github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 h1:MzBOUgng9orim59UnfUTLRjMpd09C5uEVQ6RPGeCaVI= github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129/go.mod h1:rFgpPQZYZ8vdbc+48xibu8ALc3yeyd64IhHS+PU6Yyg= github.com/andybalholm/cascadia v1.1.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y= 
@@ -217,8 +209,6 @@ github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqO github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= -github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps= -github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA= github.com/bytecodealliance/wasmtime-go v1.0.0 h1:9u9gqaUiaJeN5IoD1L7egD8atOnTGyJcNp8BhkL9cUU= github.com/cactus/go-statsd-client/statsd v0.0.0-20200423205355-cb0885a1018c/go.mod h1:l/bIBLeOl9eX+wxJAzxS4TveKRtAqlyDpHjhkfO0MEI= github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M= @@ -338,7 +328,6 @@ github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSy github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ= github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= 
@@ -359,7 +348,6 @@ github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbV github.com/go-logr/zapr v1.2.0/go.mod h1:Qa4Bsj2Vb+FAVeAKsLD8RLQ+YRJB8YDmOAKxaBQf7Ro= github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4= -github.com/go-ole/go-ole v1.2.4/go.mod h1:XCwSNxSkXRo4vlyPy93sltvi/qJq0jqQhjqQNIwKuxM= github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY= github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= @@ -371,7 +359,6 @@ github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= -github.com/go-redis/redis v6.15.5+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE= github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= 
@@ -436,7 +423,6 @@ github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiu github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= -github.com/gomodule/redigo v2.0.0+incompatible/go.mod h1:B4C85qUVwatsJoIUNIfCRsp7qO0iAmpGFZ4EELWSbC4= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= @@ -793,7 +779,6 @@ github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9k github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo/v2 v2.1.6 h1:Fx2POJZfKRQcM1pH49qSZiYeu319wji004qX+GDovrU= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= -github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q= 
@@ -878,7 +863,6 @@ github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkB github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= -github.com/shirou/gopsutil v2.18.12+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA= github.com/shirou/gopsutil/v3 v3.22.9 h1:yibtJhIVEMcdw+tCTbOPiF1VcsuDeTE4utJ8Dm4c5eA= github.com/shirou/gopsutil/v3 v3.22.9/go.mod h1:bBYl1kjgEJpWpxeHmLI+dVHWtyAwfcmSBLDsp2TNT8A= github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4= @@ -971,10 +955,8 @@ github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= -github.com/yuin/gopher-lua v0.0.0-20190514113301-1cd887cd7036/go.mod h1:gqRgreBUhTSL0GeU64rtZ3Uq3wtjOa/TB2YfrtkCbVQ= github.com/yusufpapurcu/wmi v1.2.2 h1:KBNDSne4vP5mbSWnJbO+51IMOXJB67QiYCSBrubbPRg= github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= -github.com/zaffka/mongodb-boltdb-mock v0.0.0-20221014194232-b4bb03fbe3a0/go.mod h1:GsDD1qsG+86MeeCG7ndi6Ei3iGthKL3wQ7PTFigDfNY= github.com/zeebo/errs v1.2.2/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs= github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= 
@@ -1205,7 +1187,6 @@ golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190204203706-41f3e6584952/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= diff --git a/pkg/common/health/cache.go b/pkg/common/health/cache.go new file mode 100644 index 0000000000..dcf5f1fd0b --- /dev/null +++ b/pkg/common/health/cache.go 
@@ -0,0 +1,211 @@ +package health + +import ( + "context" + "errors" + "fmt" + "sync" + "time" + + "github.com/andres-erbsen/clock" + "github.com/sirupsen/logrus" + "github.com/spiffe/spire/pkg/common/telemetry" +) + +type checkState struct { + // err is the error returned from a failed health check + err error + + // details contains more contextual detail about a + // failing health check. + details State + + // checkTime is the time of the last health check + checkTime time.Time + + // contiguousFailures the number of failures that occurred in a row + contiguousFailures int64 + + // timeOfFirstFailure the time of the initial transitional failure for + // any given health check + timeOfFirstFailure time.Time +} + +type checkerSubsystem struct { + state checkState + checkable Checkable +} + +func newCache(log logrus.FieldLogger, clock clock.Clock) *cache { + return &cache{ + checkerSubsystems: make(map[string]*checkerSubsystem), + log: log, + clk: clock, + } +} + +type cache struct { + checkerSubsystems map[string]*checkerSubsystem + + mtx sync.RWMutex + clk clock.Clock + + log logrus.FieldLogger + hooks struct { + statusUpdated chan struct{} + } +} + +func (c *cache) addCheck(name string, checkable Checkable) error { + c.mtx.Lock() + defer c.mtx.Unlock() + + if _, ok := c.checkerSubsystems[name]; ok { + return fmt.Errorf("check %q has already been added", name) + } + + c.checkerSubsystems[name] = &checkerSubsystem{ + checkable: checkable, + } + return nil +} + +func (c *cache) getCheckerSubsystems() map[string]*checkerSubsystem { + c.mtx.RLock() + defer c.mtx.RUnlock() + + checkerSubsystems := make(map[string]*checkerSubsystem, len(c.checkerSubsystems)) + for k, v := range c.checkerSubsystems { + checkerSubsystems[k] = &checkerSubsystem{ + checkable: v.checkable, + state: v.state, + } + } + return checkerSubsystems +} + +func (c *cache) getStatuses() map[string]checkState { + c.mtx.RLock() + defer c.mtx.RUnlock() + + statuses := make(map[string]checkState, 
len(c.checkerSubsystems)) + for k, v := range c.checkerSubsystems { + statuses[k] = v.state + } + + return statuses +} + +func (c *cache) start(ctx context.Context) error { + c.mtx.RLock() + defer c.mtx.RUnlock() + + if len(c.checkerSubsystems) < 1 { + return errors.New("no health checks defined") + } + + c.startRunner(ctx) + return nil +} + +func (c *cache) startRunner(ctx context.Context) { + c.log.Debug("Initializing health checkers") + checkFunc := func() { + for name, checker := range c.getCheckerSubsystems() { + state, err := verifyStatus(checker.checkable) + + checkState := checkState{ + details: state, + checkTime: c.clk.Now(), + } + if err != nil { + c.log.WithField("check", name). + WithError(err). + Error("Health check has failed") + checkState.err = err + } + + c.setStatus(name, checker.state, checkState) + } + if c.hooks.statusUpdated != nil { + c.hooks.statusUpdated <- struct{}{} + } + } + + ticker := c.clk.Ticker(readyCheckInterval) + + go func() { + defer func() { + c.log.Debug("Finishing health checker") + ticker.Stop() + }() + for { + checkFunc() + + select { + case <-ticker.C: + case <-ctx.Done(): + return + } + } + }() +} + +func (c *cache) setStatus(name string, prevState checkState, state checkState) { + c.embellishState(name, &prevState, &state) + + c.mtx.Lock() + defer c.mtx.Unlock() + + // We are sure that checker exist in this plase, to be able to check + // status of a subsytem we must call the checker inside this map + c.checkerSubsystems[name].state = state +} + +func (c *cache) embellishState(name string, prevState, state *checkState) { + switch { + case state.err == nil && prevState.err == nil: + // All fine continue + case state.err != nil && prevState.err == nil: + // State start to fail, add log and set failures tracking + c.log.WithFields(logrus.Fields{ + telemetry.Check: name, + telemetry.Details: state.details, + telemetry.Error: state.err.Error(), + }).Warn("Health check failed") + + state.timeOfFirstFailure = c.clk.Now() + 
state.contiguousFailures = 1 + + case state.err != nil && prevState.err != nil: + // Error still happening, carry the time of first failure from the previous state + state.timeOfFirstFailure = prevState.timeOfFirstFailure + state.contiguousFailures = prevState.contiguousFailures + 1 + + case state.err == nil && prevState.err != nil: + // Current state has no error, notify about error recovering + failureSeconds := c.clk.Now().Sub(prevState.timeOfFirstFailure).Seconds() + c.log.WithFields(logrus.Fields{ + telemetry.Check: name, + telemetry.Details: state.details, + telemetry.Error: prevState.err.Error(), + telemetry.Failures: prevState.contiguousFailures, + telemetry.Duration: failureSeconds, + }).Info("Health check recovered") + } +} + +func verifyStatus(check Checkable) (State, error) { + state := check.CheckHealth() + var err error + switch { + case state.Ready && state.Live: + case state.Ready && !state.Live: + err = errors.New("subsystem is not live") + case !state.Ready && state.Live: + err = errors.New("subsystem is not ready") + case !state.Ready && !state.Live: + err = errors.New("subsystem is not live or ready") + } + return state, err +} diff --git a/pkg/common/health/cache_test.go b/pkg/common/health/cache_test.go new file mode 100644 index 0000000000..657824da9e --- /dev/null +++ b/pkg/common/health/cache_test.go 
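Review bot: In `startRunner` (cache.go) every failing pass logs `Health check has failed` at Error, while `embellishState` already logs `Health check failed` at Warn on the first failure. One transition therefore yields two entries, and a persistent failure adds an Error entry on every `readyCheckInterval` tick. That call also uses the literal key `"check"` instead of the `telemetry.Check` constant this commit adds and uses in `embellishState`. I would write `c.log.WithField(telemetry.Check, name).WithError(err).Debug("Health check has failed")`, or drop the per-tick entry and rely on the transition logs, adjusting the expectations in cache_test.go to match. The comment in `setStatus` also has typos (`plase`, `subsytem`).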
@@ -0,0 +1,321 @@ +package health + +import ( + "context" + "errors" + "testing" + "time" + + "github.com/andres-erbsen/clock" + "github.com/sirupsen/logrus" + "github.com/sirupsen/logrus/hooks/test" + "github.com/spiffe/spire/pkg/common/telemetry" + "github.com/spiffe/spire/test/spiretest" + "github.com/stretchr/testify/require" +) + +func TestAddCheck(t *testing.T) { + log, _ := test.NewNullLogger() + t.Run("add check no error", func(t *testing.T) { + c := newCache(log, clock.New()) + err := c.addCheck("foh", &fakeCheckable{}) + require.NoError(t, err) + }) + + t.Run("add duplicated checker", func(t *testing.T) { + c := newCache(log, clock.New()) + err := c.addCheck("foo", &fakeCheckable{}) + require.NoError(t, err) + + err = c.addCheck("bar", &fakeCheckable{}) + require.NoError(t, err) + + err = c.addCheck("foo", &fakeCheckable{}) + require.EqualError(t, err, `check "foo" has already been added`) + }) +} + +func TestStartNoCheckerSet(t *testing.T) { + clockMock := clock.NewMock() + + log, hook := test.NewNullLogger() + log.Level = logrus.DebugLevel + + c := newCache(log, clockMock) + + err := c.start(context.Background()) + require.EqualError(t, err, "no health checks defined") + require.Empty(t, hook.Entries) +} + +func TestHealthFailsAndRecover(t *testing.T) { + log, hook := test.NewNullLogger() + log.Level = logrus.DebugLevel + waitFor := make(chan struct{}, 1) + clockMock := clock.NewMock() + + c := newCache(log, clockMock) + c.hooks.statusUpdated = waitFor + + fooChecker := &fakeCheckable{ + state: State{ + Live: true, + Ready: true, + LiveDetails: healthDetails{}, + ReadyDetails: healthDetails{}, + }, + } + barChecker := &fakeCheckable{ + state: State{ + Live: true, + Ready: true, + LiveDetails: healthDetails{}, + ReadyDetails: healthDetails{}, + }, + } + + err := c.addCheck("foo", fooChecker) + require.NoError(t, err) + + err = c.addCheck("bar", barChecker) + require.NoError(t, err) + + ctx, cancel := context.WithTimeout(context.Background(), 
2*time.Minute) + defer cancel() + + err = c.start(ctx) + require.NoError(t, err) + + t.Run("start successfully", func(t *testing.T) { + // Wait for initial calls + select { + case <-waitFor: + case <-ctx.Done(): + require.Fail(t, "unable to get updates because context is finished") + } + expectLogs := []spiretest.LogEntry{ + { + Level: logrus.DebugLevel, + Message: "Initializing health checkers", + }, + } + expectStatus := map[string]checkState{ + "foo": { + details: State{ + Live: true, + Ready: true, + LiveDetails: healthDetails{}, + ReadyDetails: healthDetails{}, + }, + checkTime: clockMock.Now(), + }, + "bar": { + details: State{ + Live: true, + Ready: true, + LiveDetails: healthDetails{}, + ReadyDetails: healthDetails{}, + }, + checkTime: clockMock.Now(), + }, + } + + spiretest.AssertLogs(t, hook.AllEntries(), expectLogs) + require.Equal(t, expectStatus, c.getStatuses()) + }) + + // Clean logs + hook.Reset() + + // Health start to fail + fooChecker.state = State{ + Live: false, + Ready: false, + LiveDetails: healthDetails{Err: "live is failing"}, + ReadyDetails: healthDetails{Err: "ready is failing"}, + } + + t.Run("health start to fail", func(t *testing.T) { + // Move to next interval + clockMock.Add(readyCheckInterval) + + // Wait for new call + select { + case <-waitFor: + case <-ctx.Done(): + require.Fail(t, "unable to get updates because context is finished") + } + + expectStatus := map[string]checkState{ + "foo": { + details: State{ + Live: false, + Ready: false, + LiveDetails: healthDetails{Err: "live is failing"}, + ReadyDetails: healthDetails{Err: "ready is failing"}, + }, + checkTime: clockMock.Now(), + err: errors.New("subsystem is not live or ready"), + contiguousFailures: 1, + timeOfFirstFailure: clockMock.Now(), + }, + "bar": { + details: State{ + Live: true, + Ready: true, + LiveDetails: healthDetails{}, + ReadyDetails: healthDetails{}, + }, + checkTime: clockMock.Now(), + }, + } + + expectLogs := []spiretest.LogEntry{ + { + Level: 
logrus.ErrorLevel, + Message: "Health check has failed", + Data: logrus.Fields{ + telemetry.Check: "foo", + telemetry.Error: "subsystem is not live or ready", + }, + }, + { + Level: logrus.WarnLevel, + Message: "Health check failed", + Data: logrus.Fields{ + telemetry.Check: "foo", + telemetry.Details: "{false false {live is failing} {ready is failing}}", + telemetry.Error: "subsystem is not live or ready", + }, + }, + } + + spiretest.AssertLogs(t, hook.AllEntries(), expectLogs) + require.Equal(t, expectStatus, c.getStatuses()) + }) + + t.Run("health still failing", func(t *testing.T) { + hook.Reset() + previousFailureDate := clockMock.Now() + + // Move to next interval + clockMock.Add(readyCheckInterval) + + // Wait for new call + select { + case <-waitFor: + case <-ctx.Done(): + require.Fail(t, "unable to get updates because context is finished") + } + + expectStatus := map[string]checkState{ + "foo": { + details: State{ + Live: false, + Ready: false, + LiveDetails: healthDetails{Err: "live is failing"}, + ReadyDetails: healthDetails{Err: "ready is failing"}, + }, + checkTime: clockMock.Now(), + err: errors.New("subsystem is not live or ready"), + contiguousFailures: 2, + timeOfFirstFailure: previousFailureDate, + }, + "bar": { + details: State{ + Live: true, + Ready: true, + LiveDetails: healthDetails{}, + ReadyDetails: healthDetails{}, + }, + checkTime: clockMock.Now(), + }, + } + + expectLogs := []spiretest.LogEntry{ + { + Level: logrus.ErrorLevel, + Message: "Health check has failed", + Data: logrus.Fields{ + telemetry.Check: "foo", + telemetry.Error: "subsystem is not live or ready", + }, + }, + } + + spiretest.AssertLogs(t, hook.AllEntries(), expectLogs) + require.Equal(t, expectStatus, c.getStatuses()) + }) + + // Health start to recover + fooChecker.state = State{ + Live: true, + Ready: true, + LiveDetails: healthDetails{}, + ReadyDetails: healthDetails{}, + } + + t.Run("health recovered", func(t *testing.T) { + hook.Reset() + + // Move to next interval + 
clockMock.Add(readyCheckInterval) + + // Wait for new call + select { + case <-waitFor: + case <-ctx.Done(): + require.Fail(t, "unable to get updates because context is finished") + } + + expectStatus := map[string]checkState{ + "foo": { + details: State{ + Live: true, + Ready: true, + LiveDetails: healthDetails{}, + ReadyDetails: healthDetails{}, + }, + checkTime: clockMock.Now(), + }, + "bar": { + details: State{ + Live: true, + Ready: true, + LiveDetails: healthDetails{}, + ReadyDetails: healthDetails{}, + }, + checkTime: clockMock.Now(), + }, + } + + expectLogs := []spiretest.LogEntry{ + { + Level: logrus.InfoLevel, + Message: "Health check recovered", + Data: logrus.Fields{ + telemetry.Check: "foo", + telemetry.Details: "{true true {} {}}", + telemetry.Duration: "120", + telemetry.Error: "subsystem is not live or ready", + telemetry.Failures: "2", + }, + }, + } + + spiretest.AssertLogs(t, hook.AllEntries(), expectLogs) + require.Equal(t, expectStatus, c.getStatuses()) + }) +} + +type fakeCheckable struct { + state State +} + +func (f *fakeCheckable) CheckHealth() State { + return f.state +} + +type healthDetails struct { + Err string `json:"err,omitempty"` +} diff --git a/pkg/common/health/health.go b/pkg/common/health/health.go index 8f6415e55d..40d9132617 100644 --- a/pkg/common/health/health.go +++ b/pkg/common/health/health.go @@ -9,7 +9,7 @@ import ( "sync" "time" - "github.com/InVisionApp/go-health/v2" + "github.com/andres-erbsen/clock" "github.com/sirupsen/logrus" "github.com/spiffe/spire/pkg/common/telemetry" "google.golang.org/grpc" 
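Review bot: The `health recovered` subtest hard-codes `telemetry.Duration: "120"`, which only holds while `readyCheckInterval` (defined outside this diff) is 60 seconds, because the failure spans two `clockMock.Add(readyCheckInterval)` steps. Deriving the value, e.g. `telemetry.Duration: fmt.Sprint((2 * readyCheckInterval).Seconds())`, ties the expectation to the constant rather than to its current value; this needs `fmt` in the import block and assumes `spiretest.AssertLogs` compares the formatted field value.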
@@ -61,13 +61,14 @@ type ServableChecker interface { } func NewChecker(config Config, log logrus.FieldLogger) ServableChecker { - hc := health.New() - l := log.WithField(telemetry.SubsystemName, "health") - hc.StatusListener = &statusListener{log: l} - hc.Logger = &logadapter{FieldLogger: l} - c := &checker{config: config, hc: hc, log: l} + c := &checker{ + config: config, + log: l, + + cache: newCache(l, clock.New()), + } // Start HTTP server if ListenerEnabled is true if config.ListenerEnabled { @@ -91,29 +92,24 @@ type checker struct { server *http.Server - hc *health.Health - mutex sync.Mutex // Mutex protects non-threadsafe hc + mutex sync.Mutex // Mutex protects non-threadsafe - log logrus.FieldLogger + log logrus.FieldLogger + cache *cache } func (c *checker) AddCheck(name string, checkable Checkable) error { c.mutex.Lock() defer c.mutex.Unlock() - return c.hc.AddCheck(&health.Config{ - Name: name, - Checker: checkableWrapper{checkable: checkable}, - Interval: readyCheckInterval, - Fatal: true, - }) + return c.cache.addCheck(name, checkable) } func (c *checker) ListenAndServe(ctx context.Context) error { c.mutex.Lock() defer c.mutex.Unlock() - if err := c.hc.Start(); err != nil { + if err := c.cache.start(ctx); err != nil { return err } @@ -134,16 +130,12 @@ func (c *checker) ListenAndServe(ctx context.Context) error { defer wg.Done() <-ctx.Done() if c.server != nil { - c.server.Close() + _ = c.server.Close() } }() wg.Wait() - if err := c.hc.Stop(); err != nil { - c.log.WithError(err).Warn("Error stopping health checks") - } - return nil } 
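Review bot: The field comment on `mutex` in the `checker` struct is left as `// Mutex protects non-threadsafe` after `hc` was removed, so it no longer says what the lock guards. `cache` carries its own `sync.RWMutex` (cache.go in this commit), and `ListenAndServe` takes `c.mutex` with a deferred unlock at its top. Its body continues outside the hunk, but this suggests `AddCheck` blocks for as long as the server is running. If that is the intended contract, a comment such as `// mutex serializes AddCheck and ListenAndServe; checks must be added before serving` would record it.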
@@ -169,32 +161,30 @@ func WaitForTestDial(ctx context.Context, addr net.Addr) { return } - conn.Close() + _ = conn.Close() } // LiveState returns the global live state and details. func (c *checker) LiveState() (bool, interface{}) { - states, _, _ := c.hc.State() - live, _, details, _ := c.checkStates(states) + live, _, details, _ := c.checkStates() return live, details } // ReadyState returns the global ready state and details. func (c *checker) ReadyState() (bool, interface{}) { - states, _, _ := c.hc.State() - _, ready, _, details := c.checkStates(states) + _, ready, _, details := c.checkStates() return ready, details } -func (c *checker) checkStates(states map[string]health.State) (bool, bool, interface{}, interface{}) { +func (c *checker) checkStates() (bool, bool, interface{}, interface{}) { isLive, isReady := true, true liveDetails := make(map[string]interface{}) readyDetails := make(map[string]interface{}) - for subsystemName, subsystemState := range states { - state := subsystemState.Details.(State) + for subsystemName, subsystemState := range c.cache.getStatuses() { + state := subsystemState.details if !state.Live { isLive = false } @@ -235,23 +225,3 @@ func (c *checker) readyHandler(w http.ResponseWriter, req *http.Request) { w.WriteHeader(statusCode) _ = json.NewEncoder(w).Encode(details) } - -// checkableWrapper wraps Checkable in something that conforms to health.ICheckable -type checkableWrapper struct { - checkable Checkable -} - -func (c checkableWrapper) Status() (interface{}, error) { - state := c.checkable.CheckHealth() - var err error - switch { - case state.Ready && state.Live: - case state.Ready && !state.Live: - err = errors.New("subsystem is not live") - case !state.Ready && state.Live: - err = errors.New("subsystem is not ready") - case !state.Ready && !state.Live: - err = errors.New("subsystem is not live or ready") - } - return state, err -} 
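Review bot: `checkStates` now ranges over `c.cache.getStatuses()`, and a check that has been added but not yet run still holds the zero `checkState`. Its `state.Live` is false (and presumably `state.Ready`, which is handled outside the hunk), so `LiveState` and `ReadyState` report failure until the runner's first pass has stored a result. That fail-closed window is reasonable for readiness but can surprise a liveness probe, and it never ends if these methods are called on a checker whose `ListenAndServe` was not started. A doc comment on `checkStates` would make this explicit, e.g. `// Subsystems that have not been checked yet are reported as not live and not ready.`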
diff --git a/pkg/common/health/health_test.go b/pkg/common/health/health_test.go index 3cb626bcb6..071ccd0db1 100644 --- a/pkg/common/health/health_test.go +++ b/pkg/common/health/health_test.go @@ -1,10 +1,17 @@ package health import ( + "context" + "io" + "net/http" "testing" + "time" + "github.com/andres-erbsen/clock" + "github.com/sirupsen/logrus/hooks/test" logtest "github.com/sirupsen/logrus/hooks/test" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" ) func TestServerDisabledByDefault(t *testing.T) { 
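Review bot: The import block of health_test.go now pulls in `github.com/sirupsen/logrus/hooks/test` twice, once unnamed as `test` and once under the existing `logtest` alias. Go accepts this, but it is redundant and duplicate-import linters flag it. Drop the added line and call `logtest.NewNullLogger()` in the new test instead.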
@@ -20,3 +27,114 @@ func TestServerEnabled(t *testing.T) { assert.NotNil(t, checker.server) } + +func TestCheckerListeners(t *testing.T) { + log, _ := test.NewNullLogger() + config := Config{ + ListenerEnabled: true, + BindAddress: "localhost", + BindPort: "12345", + } + + servableChecker := NewChecker(config, log) + + fooCheker := &fakeCheckable{ + state: State{ + Live: true, + Ready: true, + ReadyDetails: healthDetails{}, + LiveDetails: healthDetails{}, + }, + } + err := servableChecker.AddCheck("foo", fooCheker) + require.NoError(t, err) + + barChecker := &fakeCheckable{ + state: State{ + Live: true, + Ready: true, + ReadyDetails: healthDetails{}, + LiveDetails: healthDetails{}, + }, + } + err = servableChecker.AddCheck("bar", barChecker) + require.NoError(t, err) + + // Get checker to set a chan in order to wait until sync is done + finalChecker, ok := servableChecker.(*checker) + require.True(t, ok) + + clk := clock.NewMock() + finalChecker.cache.clk = clk + + waitFor := make(chan struct{}, 1) + finalChecker.cache.hooks.statusUpdated = waitFor + + ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute) + defer cancel() + + go func() { + _ = servableChecker.ListenAndServe(ctx) + }() + + t.Run("success ready", func(t *testing.T) { + resp, err := http.Get("http://localhost:12345/ready") + require.NoError(t, err) + defer resp.Body.Close() + + require.Equal(t, http.StatusOK, resp.StatusCode) + + actual, err := io.ReadAll(resp.Body) + require.NoError(t, err) + require.JSONEq(t, "{\"bar\":{},\"foo\":{}}\n", string(actual)) + }) + + t.Run("success live", func(t *testing.T) { + resp, err := http.Get("http://localhost:12345/live") + require.NoError(t, err) + defer resp.Body.Close() + + require.Equal(t, http.StatusOK, resp.StatusCode) + + actual, err := io.ReadAll(resp.Body) + require.NoError(t, err) + require.JSONEq(t, "{\"bar\":{},\"foo\":{}}\n", string(actual)) + }) + + fooCheker.state.Live = false + fooCheker.state.LiveDetails = healthDetails{Err: 
"live fails"} + + barChecker.state.Ready = false + barChecker.state.ReadyDetails = healthDetails{Err: "ready fails"} + + clk.Add(readyCheckInterval) + select { + case <-waitFor: + case <-ctx.Done(): + require.Fail(t, "unable to get updates") + } + + t.Run("live fails", func(t *testing.T) { + resp, err := http.Get("http://localhost:12345/live") + require.NoError(t, err) + defer resp.Body.Close() + + require.Equal(t, http.StatusInternalServerError, resp.StatusCode) + + actual, err := io.ReadAll(resp.Body) + require.NoError(t, err) + require.JSONEq(t, "{\"bar\":{},\"foo\":{\"err\":\"live fails\"}}\n", string(actual)) + }) + + t.Run("ready fails", func(t *testing.T) { + resp, err := http.Get("http://localhost:12345/ready") + require.NoError(t, err) + defer resp.Body.Close() + + require.Equal(t, http.StatusInternalServerError, resp.StatusCode) + + actual, err := io.ReadAll(resp.Body) + require.NoError(t, err) + require.JSONEq(t, "{\"bar\":{\"err\":\"ready fails\"},\"foo\":{}}\n", string(actual)) + }) +} diff --git a/pkg/common/health/logger.go b/pkg/common/health/logger.go deleted file mode 100644 index 66c41962d5..0000000000 --- a/pkg/common/health/logger.go +++ /dev/null 
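Review bot: `TestCheckerListeners` issues its first `http.Get` right after starting `servableChecker.ListenAndServe(ctx)` in a goroutine, without waiting for the listener or for the first check pass. `waitFor` (buffer of one) also still holds the signal from that initial pass when `clk.Add(readyCheckInterval)` is called. The single `select` that follows can therefore return on the stale signal, so the `live fails` and `ready fails` subtests may read the cache before the failing states are stored, and the writes to `fooCheker.state` can overlap the runner's initial `CheckHealth` call. Repeating the existing `select` on `waitFor`/`ctx.Done()` once before the `success ready` subtest drains the initial signal and orders those accesses. The fixed `localhost:12345` bind also makes the test fail whenever that port is taken; `WaitForTestDial` in health.go looks like the intended way to wait for the listener, though its body is not in this diff.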
@@ -1,45 +0,0 @@ -package health - -import ( - "github.com/InVisionApp/go-health/v2" - log "github.com/InVisionApp/go-logger" - "github.com/sirupsen/logrus" -) - -// statusListener logs -type statusListener struct { - log logrus.FieldLogger -} - -// Assert statusListener implements IStatusListener -var _ health.IStatusListener = &statusListener{} - -// HealthCheckFailed is triggered when a health check fails the first time -func (sl *statusListener) HealthCheckFailed(entry *health.State) { - sl.log.WithField("check", entry.Name). - WithField("details", entry.Details). - WithField("error", entry.Err). - Warn("Health check failed") -} - -// HealthCheckRecovered is triggered when a health check recovers -func (sl *statusListener) HealthCheckRecovered(entry *health.State, recordedFailures int64, failureDurationSeconds float64) { - sl.log.WithField("check", entry.Name). - WithField("details", entry.Details). - WithField("error", entry.Err). - WithField("failures", recordedFailures). - WithField("duration", failureDurationSeconds). - Info("Health check recovered") -} - -// logadapter adapts types between InVisionApp/go-logger and logrus -type logadapter struct { - logrus.FieldLogger -} - -// WithFields wraps logrus.Fieldlogger to implement the Logger interface in InVisionApp/go-logger -func (l *logadapter) WithFields(fields log.Fields) log.Logger { - return &logadapter{ - FieldLogger: l.FieldLogger.WithFields(logrus.Fields(fields)), - } -} diff --git a/pkg/common/telemetry/names.go b/pkg/common/telemetry/names.go index 5ab5c38b9d..6f7207eb10 100644 --- a/pkg/common/telemetry/names.go +++ b/pkg/common/telemetry/names.go @@ -192,6 +192,9 @@ const ( // CGroupPath tags a linux CGroup path, most likely for use in attestation CGroupPath = "cgroup_path" + // Check tags a health check subsystem + Check = "check" + // Connection functionality related to some connection; should be used with other tags // to add clarity Connection = "connection" 
@@ -221,6 +224,12 @@ const (
 // DeprecatedServiceName tags the deprecated service name
 DeprecatedServiceName = "deprecated_service_name"
 
+ // Details tags details response from a health check subsystem
+ Details = "details"
+
+ // Duration is the amount of seconds that an error is active
+ Duration = "duration"
+
 // DiscoveredSelectors tags selectors for some registration
 DiscoveredSelectors = "discovered_selectors"
 
@@ -266,6 +275,9 @@ const (
 // External tag something as external (e.g. external plugin)
 External = "external"
 
+ // Failures amount of concatenated errors
+ Failures = "failures"
+
 // FederatedAdded labels some count of federated bundles that have been added to an entity
 FederatedAdded = "fed_add"
 
From 965c6199899bed0b75460b6463850eb3b456efc2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 19 Oct 2022 16:08:43 -0600 Subject: [PATCH 006/257] Bump google.golang.org/grpc from 1.50.0 to 1.50.1 (#3510) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.50.0 to 1.50.1. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.50.0...v1.50.1) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Harding --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index e3033d2492..2a46eb3a09 100644
--- a/go.mod
+++ b/go.mod
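Review bot: The doc comments on the new `Duration` and `Failures` constants do not say what is being measured, and `Duration` is placed ahead of `DiscoveredSelectors`, which breaks the alphabetical order the rest of the visible block keeps. The `statusListener` removed earlier in this patch logged `failureDurationSeconds` under "duration" and `recordedFailures` under "failures", so if the constants replace those literals I would write `// Duration tags the number of seconds a health check was failing before it recovered` and, in the `@@ -266,6 +275,9 @@` hunk, `// Failures tags the number of failures recorded for a health check before it recovered`. "Concatenated" in the current `Failures` comment presumably means consecutive; the code that uses the constants is outside this view, so the wording needs confirming against it. The `const (` block begins and ends outside these hunks.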
@@ -67,7 +67,7 @@ require ( golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 google.golang.org/api v0.98.0 google.golang.org/genproto v0.0.0-20220920201722-2b89144ce006 - google.golang.org/grpc v1.50.0 + google.golang.org/grpc v1.50.1 google.golang.org/protobuf v1.28.1 gopkg.in/square/go-jose.v2 v2.6.0 k8s.io/api v0.25.3 diff --git a/go.sum b/go.sum index 1aaaca6c00..1d4105f412 100644 --- a/go.sum +++ b/go.sum @@ -1557,8 +1557,8 @@ google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACu google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= -google.golang.org/grpc v1.50.0 h1:fPVVDxY9w++VjTZsYvXWqEf9Rqar/e+9zYfxKK+W+YU= -google.golang.org/grpc v1.50.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= +google.golang.org/grpc v1.50.1 h1:DS/BukOZWp8s6p4Dt/tOaJaTQyPyOoCcrjroHuCeLzY= +google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/grpc/examples v0.0.0-20201130180447-c456688b1860/go.mod h1:Ly7ZA/ARzg8fnPU9TyZIxoz33sEUuWX7txiqs8lPTgE= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= From 7eb425460ab9be35acae8e0acbcff6e49dcec496 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 19 Oct 2022 17:53:35 -0600 Subject: [PATCH 007/257] Bump google.golang.org/api from 0.98.0 to 0.100.0 (#3512) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.98.0 to 0.100.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.98.0...v0.100.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 18 +++++++++--------- go.sum | 32 ++++++++++++++++++-------------- 2 files changed, 27 insertions(+), 23 deletions(-) diff --git a/go.mod b/go.mod index 2a46eb3a09..083440d31e 100644 --- a/go.mod +++ b/go.mod @@ -37,7 +37,7 @@ require ( github.com/google/go-cmp v0.5.9 github.com/google/go-tpm v0.3.3 github.com/google/go-tpm-tools v0.3.9 - github.com/googleapis/gax-go/v2 v2.5.1 + github.com/googleapis/gax-go/v2 v2.6.0 github.com/gorilla/handlers v1.5.1 github.com/hashicorp/go-hclog v1.3.1 github.com/hashicorp/go-plugin v1.4.5 
@@ -61,12 +61,12 @@ require ( github.com/uber-go/tally/v4 v4.1.3 github.com/zeebo/errs v1.3.0 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa - golang.org/x/net v0.0.0-20220909164309-bea034e7d591 - golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 + golang.org/x/net v0.0.0-20221014081412-f15817d10f9b + golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0 golang.org/x/sys v0.0.0-20220907062415-87db552b00fd golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 - google.golang.org/api v0.98.0 - google.golang.org/genproto v0.0.0-20220920201722-2b89144ce006 + google.golang.org/api v0.100.0 + google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a google.golang.org/grpc v1.50.1 google.golang.org/protobuf v1.28.1 gopkg.in/square/go-jose.v2 v2.6.0 @@ -80,7 +80,7 @@ require ( require ( cloud.google.com/go v0.104.0 // indirect - cloud.google.com/go/compute v1.9.0 // indirect + cloud.google.com/go/compute v1.10.0 // indirect cloud.google.com/go/iam v0.3.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect @@ -136,7 +136,7 @@ require ( github.com/google/gnostic v0.5.7-v3refs // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/uuid v1.3.0 // indirect - github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.2.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-immutable-radix v1.3.1 // indirect 
@@ -201,11 +201,11 @@ require ( go.uber.org/multierr v1.8.0 // indirect go.uber.org/zap v1.23.0 // indirect golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect - golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 // indirect + golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 // indirect golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect golang.org/x/text v0.3.7 // indirect golang.org/x/tools v0.1.12 // indirect - golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect + golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect google.golang.org/appengine v1.6.7 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index 1d4105f412..08eb077425 100644 --- a/go.sum +++ b/go.sum @@ -43,8 +43,9 @@ cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6m cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz/FMzPu0s= cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU= cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U= -cloud.google.com/go/compute v1.9.0 h1:ED/FP4xv8GJw63v556/ASNc1CeeLUO2Bs8nzaHchkHg= cloud.google.com/go/compute v1.9.0/go.mod h1:lWv1h/zUWTm/LozzfTJhBSkd6ShQq8la8VeeuOEGxfY= +cloud.google.com/go/compute v1.10.0 h1:aoLIYaA1fX3ywihqpBk2APQKOo20nXsp1GEZQbx5Jk4= +cloud.google.com/go/compute v1.10.0/go.mod h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOtRsugnLrlU= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= 
@@ -486,8 +487,9 @@ github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+ github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= -github.com/googleapis/enterprise-certificate-proxy v0.1.0 h1:zO8WHNx/MYiAKJ3d5spxZXZE6KHmIQGQcAzwUzV7qQw= github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= +github.com/googleapis/enterprise-certificate-proxy v0.2.0 h1:y8Yozv7SZtlU//QXbezB6QkpuE6jMD2/gfzk4AftXjs= +github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= 
@@ -495,8 +497,9 @@ github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0 github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM= github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM= github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c= -github.com/googleapis/gax-go/v2 v2.5.1 h1:kBRZU0PSuI7PspsSb/ChWoVResUcwNVIdpB049pKTiw= github.com/googleapis/gax-go/v2 v2.5.1/go.mod h1:h6B0KMMFNtI2ddbGJn3T3ZbwkeT6yqEF02fYlzkUCyo= +github.com/googleapis/gax-go/v2 v2.6.0 h1:SXk3ABtQYDT/OH8jAyvEOQ58mgawq5C4o/4/89qN2ZU= +github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMdcIDwU/6+DDoY= github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU= github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA= github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= 
@@ -1138,8 +1141,8 @@ golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220907135653-1e95f45603a7/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= -golang.org/x/net v0.0.0-20220909164309-bea034e7d591 h1:D0B/7al0LLrVC8aWF4+oxpv/m8bc7ViFfVS8/gXGdqI= -golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.0.0-20221014081412-f15817d10f9b h1:tvrvnPFcdzp294diPnrdZZZ8XUt2Tyj7svb7X52iDuU= +golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -1163,8 +1166,8 @@ golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= -golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 h1:lxqLZaMad/dJHMFZH0NiNpiEZI/nhgWhe4wgzpE+MuA= -golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 h1:nt+Q6cXKz4MosCSpnbMtqiQ8Oz0pxTef2B4Vca2lvfk= +golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -1177,8 +1180,8 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 h1:uVc8UZUe6tr40fFVnUP5Oj+veunVezqYl9z7DYw9xzw= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0 h1:cu5kTvlzcw1Q5S9f5ip1/cpiB4nXvw1XYzFPGgzLUOY= +golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -1376,8 +1379,9 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f h1:uF6paiQQebLeSXkrTqHqz0MXhXXS1KgF41eUdBNvxK0= golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= +golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk= +golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY= gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= 
@@ -1423,8 +1427,8 @@ google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3p google.golang.org/api v0.90.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= google.golang.org/api v0.91.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= google.golang.org/api v0.95.0/go.mod h1:eADj+UBuxkh5zlrSntJghuNeg8HwQ1w5lTKkuqaETEI= -google.golang.org/api v0.98.0 h1:yxZrcxXESimy6r6mdL5Q6EnZwmewDJK2dVg3g75s5Dg= -google.golang.org/api v0.98.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= +google.golang.org/api v0.100.0 h1:LGUYIrbW9pzYQQ8NWXlaIVkgnfubVBZbMFb9P8TK374= +google.golang.org/api v0.100.0/go.mod h1:ZE3Z2+ZOr87Rx7dqFsdRQkRBk36kDtp/h+QpHbB7a70= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -1520,8 +1524,8 @@ google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f/go.mod h1:KEWEmljW google.golang.org/genproto v0.0.0-20220722212130-b98a9ff5e252/go.mod h1:GkXuJDJ6aQ7lnJcRF+SJVgFdQhypqgl3LB1C9vabdRE= google.golang.org/genproto v0.0.0-20220804142021-4e6b2dfa6612/go.mod h1:iHe1svFLAZg9VWz891+QbRMwUv9O/1Ww+/mngYeThbc= google.golang.org/genproto v0.0.0-20220902135211-223410557253/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= -google.golang.org/genproto v0.0.0-20220920201722-2b89144ce006 h1:mmbq5q8M1t7dhkLw320YK4PsOXm6jdnUAkErImaIqOg= -google.golang.org/genproto v0.0.0-20220920201722-2b89144ce006/go.mod h1:ht8XFiar2npT/g4vkk7O0WYS1sHOHbdujxbEp7CJWbw= +google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a h1:GH6UPn3ixhWcKDhpnEC55S75cerLPdpp3hrhfKYjZgw= +google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= From dc64066f635474f508ce6b0b19f28bcd221f02cf Mon Sep 17 00:00:00 2001 From: Andrew Harding Date: Thu, 20 Oct 2022 16:26:25 -0600 Subject: [PATCH 008/257] Add CallCounter details in telemetry docs (#3515) Signed-off-by: Andrew Harding --- doc/telemetry.md | 74 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 50 insertions(+), 24 deletions(-) diff --git a/doc/telemetry.md b/doc/telemetry.md index 191d418c98..86fea89fe6 100644 --- a/doc/telemetry.md +++ b/doc/telemetry.md 
@@ -8,7 +8,7 @@ The following metrics are emitted: | Type | Keys | Labels | Description | |--------------|---------------------------------------------|-------------------|---------------------------------------------------------------------------------------| -| Call Counter | `rpc`, ``, `` | | Call counters over the SPIRE Server RPCs | +| Call Counter | `rpc`, ``, `` | | Call counters over the [SPIRE Server RPCs](https://github.com/spiffe/spire-api-sdk). | | Call Counter | `ca`, `manager`, `bundle`, `prune` | | The CA manager is pruning a bundle. | | Counter | `ca`, `manager`, `bundle`, `pruned` | | The CA manager has successfully pruned a bundle. | | Call Counter | `ca`, `manager`, `jwt_key`, `prepare` | | The CA manager is preparing a JWT Key. | 
@@ -56,27 +56,53 @@ The following metrics are emitted: ## SPIRE Agent -| Type | Keys | Labels | Description | -|--------------|--------------------------------------------|------------|---------------------------------------------------------------------------| -| Call Counter | `rpc`, ``, `` | | Call counters over the SPIRE Agent RPCs | -| Call Counter | `agent_key_manager`, `generate_key_pair` | | The KeyManager is generating a key pair. | -| Call Counter | `agent_key_manager`, `fetch_private_key` | | The KeyManager is fetching a private key. | -| Call Counter | `agent_key_manager`, `store_private_key` | | The KeyManager is storing a private key. | -| Call Counter | `agent_svid`, `rotate` | | The Agent's SVID is being rotated. | -| Sample | `cache_manager`, `expiring_svids` | | The number of expiring SVIDs that the Cache Manager has. | -| Sample | `cache_manager`, `outdated_svids` | | The number of outdated SVIDs that the Cache Manager has. | -| Call Counter | `manager`, `sync`, `fetch_entries_updates` | | The Sync Manager is fetching entries updates. | -| Call Counter | `manager`, `sync`, `fetch_svids_updates` | | The Sync Manager is fetching SVIDs updates. | -| Call Counter | `node`, `attestor`, `new_svid` | | The Node Attestor is calling to get an SVID. | -| Counter | `sds_api`, `connections` | | The SDS API has successfully established a connection. | -| Gauge | `sds_api`, `connections` | | The number of active connection that the SDS API has. | -| Counter | `workload_api`, `bundles_update`, `jwt` | | The Workload API has successfully updated a JWT bundle. | -| Counter | `workload_api`, `connection` | | The Workload API has successfully established a new connection. | -| Gauge | `workload_api`, `connections` | | The number of active connections that the Workload API has. | -| Sample | `workload_api`, `discovered_selectors` | | The number of selectors discovered during a workload attestation process. 
| -| Call Counter | `workload_api`, `workload_attestation` | | The Workload API is performing a workload attestation. | -| Call Counter | `workload_api`, `workload_attestor` | `attestor` | The Workload API is invoking a given attestor. | -| Gauge | `started` | `version` | The version of the Agent. | -| Gauge | `uptime_in_ms` | | The uptime of the Agent in milliseconds. | +| Type | Keys | Labels | Description | +|--------------|--------------------------------------------|------------|-------------------------------------------------------------------------------------| +| Call Counter | `rpc`, ``, `` | | Call counters over the [SPIRE Agent RPCs](https://github.com/spiffe/spire-api-sdk). | +| Call Counter | `agent_key_manager`, `generate_key_pair` | | The KeyManager is generating a key pair. | +| Call Counter | `agent_key_manager`, `fetch_private_key` | | The KeyManager is fetching a private key. | +| Call Counter | `agent_key_manager`, `store_private_key` | | The KeyManager is storing a private key. | +| Call Counter | `agent_svid`, `rotate` | | The Agent's SVID is being rotated. | +| Sample | `cache_manager`, `expiring_svids` | | The number of expiring SVIDs that the Cache Manager has. | +| Sample | `cache_manager`, `outdated_svids` | | The number of outdated SVIDs that the Cache Manager has. | +| Call Counter | `manager`, `sync`, `fetch_entries_updates` | | The Sync Manager is fetching entries updates. | +| Call Counter | `manager`, `sync`, `fetch_svids_updates` | | The Sync Manager is fetching SVIDs updates. | +| Call Counter | `node`, `attestor`, `new_svid` | | The Node Attestor is calling to get an SVID. | +| Counter | `sds_api`, `connections` | | The SDS API has successfully established a connection. | +| Gauge | `sds_api`, `connections` | | The number of active connection that the SDS API has. | +| Counter | `workload_api`, `bundles_update`, `jwt` | | The Workload API has successfully updated a JWT bundle. 
| +| Counter | `workload_api`, `connection` | | The Workload API has successfully established a new connection. | +| Gauge | `workload_api`, `connections` | | The number of active connections that the Workload API has. | +| Sample | `workload_api`, `discovered_selectors` | | The number of selectors discovered during a workload attestation process. | +| Call Counter | `workload_api`, `workload_attestation` | | The Workload API is performing a workload attestation. | +| Call Counter | `workload_api`, `workload_attestor` | `attestor` | The Workload API is invoking a given attestor. | +| Gauge | `started` | `version` | The version of the Agent. | +| Gauge | `uptime_in_ms` | | The uptime of the Agent in milliseconds. | -Note: These are the keys and labels that SPIRE emits, but the format of the metric once ingested could vary depending on the metric collector. E.g. once in StatsD, the metric emitted when rotating an Agent SVID (`agent_svid`, `rotate`) can be found as `spire_agent_agent_svid_rotate_internal_host-agent-0`, where `host-agent-0` is the hostname and `spire-agent` is the service name. +Note: These are the keys and labels that SPIRE emits, but the format of the +metric once ingested could vary depending on the metric collector. For example, +in StatsD, the metric emitted when rotating an Agent SVID (`agent_svid`, +`rotate`) can be found as +`spire_agent_agent_svid_rotate_internal_host-agent-0`, where `host-agent-0` is +the hostname and `spire-agent` is the service name. + +## Call Counters + +Call counters are aggregate metric types that emit several metrics related to +the issuance of a "call" to a method or RPC. 
The following metrics are
+produced for a call counter:
+- A counter representing the number of calls using the call counter key
+- A sample of the elapsed time for the call using the call counter
+ key+`".elapsed_time"`
+
+Additionally, the metrics emitted above each carry a `status` label (in
+addition to any other labels for specific to the individual call counter) that
+holds the [gRPC status code](https://pkg.go.dev/google.golang.org/grpc/codes#Code)
+of the call.
+
+For example, a successful invocation of the SPIRE Server `AttestAgent` RPC
+would produce the following metrics:
+```
+spire_server.rpc.agent.v1.agent.attest_agent:1|c|#status:OK
+spire_server.rpc.agent.v1.agent.attest_agent.elapsed_time:1.045773|ms|#status:OK
+```
From 432d2a398e59035a877235f35416240bd8b85063 Mon Sep 17 00:00:00 2001
From: Guilherme Oliveira do Carmo Carvalho <33766735+guilhermocc@users.noreply.github.com> Date: Fri, 21 Oct 2022 12:34:06 -0300 Subject: [PATCH 009/257] Fix intermittent test by using a timed require statement (#3517) * Fix intermittent test by using a timed require statement Signed-off-by: Guilherme Carvalho --- pkg/common/health/health_test.go | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/pkg/common/health/health_test.go b/pkg/common/health/health_test.go
index 071ccd0db1..1d96bb94f9 100644
--- a/pkg/common/health/health_test.go
+++ b/pkg/common/health/health_test.go
@@ -3,6 +3,7 @@ package health
 import (
 "context"
 "io"
+ "net"
 "net/http"
 "testing"
 "time"
@@ -77,6 +78,11 @@ func TestCheckerListeners(t *testing.T) {
 _ = servableChecker.ListenAndServe(ctx)
 }()
 
+ require.Eventuallyf(t, func() bool {
+ _, err := net.Dial("tcp", "localhost:12345")
+ return err == nil
+ }, time.Minute, 50*time.Millisecond, "server didn't started in the required time")
+
 t.Run("success ready", func(t *testing.T) {
 resp, err := http.Get("http://localhost:12345/ready")
 require.NoError(t, err)
From e65c795ace10b8ee3c808e2702b6dd9135ef247d Mon Sep 17 00:00:00 2001
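Review bot: The readiness probe added before `t.Run("success ready", ...)` discards the connection returned by `net.Dial`, so the successful poll leaves an open socket to the test server that is never closed. Keep the handle and close it inside the closure: `conn, err := net.Dial("tcp", "localhost:12345")`, `if err == nil { _ = conn.Close() }`, `return err == nil`. The probe also succeeds for any listener on the fixed port `localhost:12345`, so a foreign process bound there would pass it and the sub-tests would then talk to that process; binding the checker to an ephemeral port would remove this, if its configuration allows it (not visible here). The failure message would read better as `"server didn't start in the required time"`. `TestCheckerListeners` starts and ends outside the hunk.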
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Oct 2022 13:18:21 -0600 Subject: [PATCH 010/257] Bump github.com/aws/aws-sdk-go-v2/service/sts from 1.16.16 to 1.17.0 (#3520) Bumps [github.com/aws/aws-sdk-go-v2/service/sts](https://github.com/aws/aws-sdk-go-v2) from 1.16.16 to 1.17.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.16.16...v1.17.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/sts dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 10 +++++----- go.sum | 15 ++++++++++----- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/go.mod b/go.mod index 083440d31e..06c4497a9b 100644 --- a/go.mod +++ b/go.mod @@ -15,7 +15,7 @@ require ( github.com/Microsoft/go-winio v0.6.0 github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 github.com/armon/go-metrics v0.4.1 - github.com/aws/aws-sdk-go-v2 v1.16.16 + github.com/aws/aws-sdk-go-v2 v1.17.0 github.com/aws/aws-sdk-go-v2/config v1.17.4 github.com/aws/aws-sdk-go-v2/credentials v1.12.17 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14 @@ -24,7 +24,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 github.com/aws/aws-sdk-go-v2/service/kms v1.18.8 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 - github.com/aws/aws-sdk-go-v2/service/sts v1.16.16 + github.com/aws/aws-sdk-go-v2/service/sts v1.17.0 github.com/blang/semver/v4 v4.0.0 github.com/cenkalti/backoff/v3 v3.2.2 github.com/docker/docker v20.10.20+incompatible 
@@ -99,10 +99,10 @@ require ( github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect github.com/agnivade/levenshtein v1.1.1 // indirect github.com/armon/go-radix v1.0.0 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.23 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.24 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.18 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.17 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.18 // indirect github.com/aws/aws-sdk-go-v2/service/sso v1.11.20 // indirect github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.2 // indirect github.com/aws/smithy-go v1.13.3 // indirect diff --git a/go.sum b/go.sum index 08eb077425..435c4efeb7 100644 --- a/go.sum +++ b/go.sum 
@@ -156,8 +156,9 @@ github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgI github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= github.com/aws/aws-sdk-go-v2 v1.16.13/go.mod h1:xSyvSnzh0KLs5H4HJGeIEsNYemUWdNIl0b/rP6SIsLU= github.com/aws/aws-sdk-go-v2 v1.16.15/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= -github.com/aws/aws-sdk-go-v2 v1.16.16 h1:M1fj4FE2lB4NzRb9Y0xdWsn2P0+2UHVxwKyOa4YJNjk= github.com/aws/aws-sdk-go-v2 v1.16.16/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= +github.com/aws/aws-sdk-go-v2 v1.17.0 h1:kWm8OZGx0Zvd6PsOfjFtwbw7+uWYp65DK8suo7WVznw= +github.com/aws/aws-sdk-go-v2 v1.17.0/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= github.com/aws/aws-sdk-go-v2/config v1.17.4 h1:9HY1wbShqObySCHP2Z07blfrSWVX+nVxCZmUuLZKcG8= github.com/aws/aws-sdk-go-v2/config v1.17.4/go.mod h1:ul+ru+huVpfduF9XRmGUq82T8T3K+nIFQuF6F+L+548= github.com/aws/aws-sdk-go-v2/credentials v1.12.17 h1:htUjIJOQcvIUR0jC4eLkdis1DfaLL4EUbIKUFqh2WFA= 
@@ -166,12 +167,14 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14 h1:NZwZFtxXGOEIiCd8jWN55l github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14/go.mod h1:5CU57SyF5jZLSIw4OOll0PG83ThXwNdkRFOc0EltD/0= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.20/go.mod h1:gdZ5gRUaxThXIZyZQ8MTtgYBk2jbHgp05BO3GcD9Cwc= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.22/go.mod h1:/vNv5Al0bpiF8YdX2Ov6Xy05VTiXsql94yUqJMYaj0w= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.23 h1:s4g/wnzMf+qepSNgTvaQQHNxyMLKSawNhKCPNy++2xY= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.23/go.mod h1:2DFxAQ9pfIRy0imBCJv+vZ2X6RKxves6fbnEuSry6b4= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.24 h1:WFIoN2kiF95/4z4HNcJ9F9B0xFV0vrPlUOf3+uNIujM= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.24/go.mod h1:ghMzB/j2wRbPx5/4jPYxJdOtCG2ggrtY01j8K7FMBDA= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.14/go.mod h1:GEV9jaDPIgayiU+uevxwozcvUOjc+P4aHE2BeSjm2vE= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.16/go.mod h1:62dsXI0BqTIGomDl8Hpm33dv0OntGaVblri3ZRParVQ= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17 h1:/K482T5A3623WJgWT8w1yRAFK4RzGzEl7y39yhtn9eA= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17/go.mod h1:pRwaTYCJemADaqCbUAxltMoHKata7hmB5PjEXeu0kfg= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.18 h1:c2RKF0UvfdVI6epHtFjDujlbiK+VeY85dP1i4gmYc5w= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.18/go.mod h1:fkQKYK/jUhCL/wNS1tOPrlYhr9vqutjCz4zZC1wBE1s= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21 h1:lpwSbLKYTuABo6SyUoC25xAmfO3/TehGS2SmD1EtOL0= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21/go.mod h1:Q0pktZjvRZk77TBto6yAvUAi7fcse1bdcMctBDVGgBw= github.com/aws/aws-sdk-go-v2/service/acmpca v1.18.0 h1:cnPVlhdCSBY2ee3BAjWvqGHwksQRbWJgDMB5WL2M/j0= 
@@ -181,8 +184,9 @@ github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.0/go.mod h1:0+6fPoY0SglgzQUs2yml7 github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 h1:m/WtVqEvgwDiUPIW2dtnF2hDE1O62MEflz9ClOlCXAs= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16/go.mod h1:w8wndcRxwILFQAzwkUKyEDz4LDHEBSR78KRdaNjUKQA= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.14/go.mod h1:8qOLjqMzY/S1kh3myDXA1yxK5eD4uN8aOJgKpgvc4OM= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.17 h1:Jrd/oMh0PKQc6+BowB+pLEwLIgaQF29eYbe7E1Av9Ug= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.17/go.mod h1:4nYOrY41Lrbk2170/BGkcJKBhws9Pfn8MG3aGqjjeFI= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.18 h1:5oiCDEOHnYkk7uTVI8Wv6ftdFfb6YlUUNzkeePVIPjY= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.18/go.mod h1:QtCDHDOXunxeihz7iU15e09u9gRIeaa5WeE6FZVnGUo= github.com/aws/aws-sdk-go-v2/service/kms v1.18.8 h1:0YzDYm5rFuwzqwhBg94OYa2TKbdd5dUsf9+uPHwoYns= github.com/aws/aws-sdk-go-v2/service/kms v1.18.8/go.mod h1:NjgXnn0pk5rLSWZIgtx0BCwoCugRXzKZ7cDNsl98W7U= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 h1:Lh1yssM4dinNZuESsXnbi+pID8hoviejLZdLmT175i8= 
@@ -191,8 +195,9 @@ github.com/aws/aws-sdk-go-v2/service/sso v1.11.20 h1:3raP0UC9rvRyY4/cc4o4F3jTrNo github.com/aws/aws-sdk-go-v2/service/sso v1.11.20/go.mod h1:hPsROgDdgY/NQ1gPt7VJWG0GjSnalDC0DkkMfGEw2gc= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.2 h1:/SYpdjjAtraymql+/r719OgjxezdanAQiLb/NMxDb04= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.2/go.mod h1:5cxfDYtY2mDOlmesy4yycb6lwyy1U/iAUOHKhQLKw/E= -github.com/aws/aws-sdk-go-v2/service/sts v1.16.16 h1:otZvq9r+xjPL7qU/luX2QdBamiN+oSZURRi4sAKymO8= github.com/aws/aws-sdk-go-v2/service/sts v1.16.16/go.mod h1:Y9iBgT1w2vHtYzJEkwD6FqILjDSsvbxcW/+wIYxyse4= +github.com/aws/aws-sdk-go-v2/service/sts v1.17.0 h1:9S0HcZUxKcU3HdN+M6GgLIvdbg9as5aOoHrvwRsPNYU= +github.com/aws/aws-sdk-go-v2/service/sts v1.17.0/go.mod h1:9pZN58zQc5a4Dkdnhu/rI1lNBui1vP5B0giGCuUt2b0= github.com/aws/smithy-go v1.13.1/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/aws/smithy-go v1.13.3 h1:l7LYxGuzK6/K+NzJ2mC+VvLUbae0sL3bXU//04MkmnA= github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= From 11ffa669a72e73b5377fa2b0e3e7103d0e82308c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Oct 2022 14:36:13 -0600 Subject: [PATCH 011/257] Bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#3521) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.0 to 1.8.1. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](https://github.com/stretchr/testify/compare/v1.8.0...v1.8.1) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) 
diff --git a/go.mod b/go.mod index 06c4497a9b..2bdf895d51 100644 --- a/go.mod +++ b/go.mod @@ -57,7 +57,7 @@ require ( github.com/spiffe/go-spiffe/v2 v2.0.1-0.20220414143532-2ed460a8b9d3 github.com/spiffe/spire-api-sdk v1.2.5-0.20220608195902-84fd618158c9 github.com/spiffe/spire-plugin-sdk v1.4.1-0.20220912221658-c42ab2d657f6 - github.com/stretchr/testify v1.8.0 + github.com/stretchr/testify v1.8.1 github.com/uber-go/tally/v4 v4.1.3 github.com/zeebo/errs v1.3.0 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa diff --git a/go.sum b/go.sum index 435c4efeb7..d1fe723e5e 100644 --- a/go.sum +++ b/go.sum @@ -920,8 +920,9 @@ github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= -github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 
@@ -930,8 +931,9 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= -github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= From 81f6a7825ff0a95339b34e8dd7c720bc47989fca Mon Sep 17 00:00:00 2001 From: Dennis Gove Date: Tue, 25 Oct 2022 09:13:45 -0400 Subject: [PATCH 012/257] Avoids using the TPM Simulator on Darwin based systems (#3525) Fixes #2875 This change allows all tests to pass and avoids linting errors on Darwin-based systems. The result is that tests depending on the TPM Simulator will not run on Darwin machines. Signed-off-by: Dennis Gove --- pkg/agent/plugin/nodeattestor/tpmdevid/devid_test.go | 3 +++ pkg/agent/plugin/nodeattestor/tpmdevid/tpmutil/session_test.go | 3 +++ pkg/server/plugin/nodeattestor/tpmdevid/devid_test.go | 3 +++ test/tpmsimulator/simulator.go | 3 +++ 4 files changed, 12 insertions(+) diff --git a/pkg/agent/plugin/nodeattestor/tpmdevid/devid_test.go b/pkg/agent/plugin/nodeattestor/tpmdevid/devid_test.go index 434e54926f..152b6f65fd 100644 --- a/pkg/agent/plugin/nodeattestor/tpmdevid/devid_test.go +++ b/pkg/agent/plugin/nodeattestor/tpmdevid/devid_test.go 
@@ -1,3 +1,6 @@ +//go:build !darwin +// +build !darwin + package tpmdevid_test import ( diff --git a/pkg/agent/plugin/nodeattestor/tpmdevid/tpmutil/session_test.go b/pkg/agent/plugin/nodeattestor/tpmdevid/tpmutil/session_test.go index 847f6586b7..2b276e6235 100644 --- a/pkg/agent/plugin/nodeattestor/tpmdevid/tpmutil/session_test.go +++ b/pkg/agent/plugin/nodeattestor/tpmdevid/tpmutil/session_test.go @@ -1,3 +1,6 @@ +//go:build !darwin +// +build !darwin + package tpmutil_test import ( diff --git a/pkg/server/plugin/nodeattestor/tpmdevid/devid_test.go b/pkg/server/plugin/nodeattestor/tpmdevid/devid_test.go index 8224a1f0ef..47ef6deeaf 100644 --- a/pkg/server/plugin/nodeattestor/tpmdevid/devid_test.go +++ b/pkg/server/plugin/nodeattestor/tpmdevid/devid_test.go @@ -1,3 +1,6 @@ +//go:build !darwin +// +build !darwin + package tpmdevid_test import ( diff --git a/test/tpmsimulator/simulator.go b/test/tpmsimulator/simulator.go index eeb5566421..ad2650d0eb 100644 --- a/test/tpmsimulator/simulator.go +++ b/test/tpmsimulator/simulator.go @@ -1,3 +1,6 @@ +//go:build !darwin +// +build !darwin + package tpmsimulator import ( From 24033809549a3b4b32ec900a5a3ba91bc50a9010 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Oct 2022 11:43:29 -0600 Subject: [PATCH 013/257] Bump github.com/aws/aws-sdk-go-v2/service/acmpca from 1.18.0 to 1.19.0 (#3524) Bumps [github.com/aws/aws-sdk-go-v2/service/acmpca](https://github.com/aws/aws-sdk-go-v2) from 1.18.0 to 1.19.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.18.0...service/s3/v1.19.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/acmpca dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] 
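Review bot: The `//go:build !darwin` constraint on `test/tpmsimulator/simulator.go` is the one with reach beyond tests: if that is the package's only file, any importer not carrying the same constraint stops compiling on Darwin. The three `_test.go` files tagged in this commit are covered, but other importers are not visible here and should be checked. None of the four headers says why the exclusion exists, so add a line above each constraint such as `// Excluded on Darwin: depends on the TPM simulator, see #2875.`. Since the TPM DevID attestor tests no longer run on Darwin, CI on another platform should be confirmed to run them.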
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 10 +++++----- go.sum | 16 ++++++++++------ 2 files changed, 15 insertions(+), 11 deletions(-) diff --git a/go.mod b/go.mod index 2bdf895d51..e4baf6a0f7 100644 --- a/go.mod +++ b/go.mod @@ -15,11 +15,11 @@ require ( github.com/Microsoft/go-winio v0.6.0 github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 github.com/armon/go-metrics v0.4.1 - github.com/aws/aws-sdk-go-v2 v1.17.0 + github.com/aws/aws-sdk-go-v2 v1.17.1 github.com/aws/aws-sdk-go-v2/config v1.17.4 github.com/aws/aws-sdk-go-v2/credentials v1.12.17 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14 - github.com/aws/aws-sdk-go-v2/service/acmpca v1.18.0 + github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.0 github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 github.com/aws/aws-sdk-go-v2/service/kms v1.18.8 @@ -99,13 +99,13 @@ require ( github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect github.com/agnivade/levenshtein v1.1.1 // indirect github.com/armon/go-radix v1.0.0 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.24 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.18 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.18 // indirect github.com/aws/aws-sdk-go-v2/service/sso v1.11.20 // indirect github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.2 // indirect - github.com/aws/smithy-go v1.13.3 // indirect + github.com/aws/smithy-go v1.13.4 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/bgentry/speakeasy v0.1.0 // indirect github.com/cespare/xxhash/v2 v2.1.2 // indirect 
diff --git a/go.sum b/go.sum index d1fe723e5e..4e7a3eb6b2 100644 --- a/go.sum +++ b/go.sum @@ -157,8 +157,9 @@ github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:l github.com/aws/aws-sdk-go-v2 v1.16.13/go.mod h1:xSyvSnzh0KLs5H4HJGeIEsNYemUWdNIl0b/rP6SIsLU= github.com/aws/aws-sdk-go-v2 v1.16.15/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= github.com/aws/aws-sdk-go-v2 v1.16.16/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= -github.com/aws/aws-sdk-go-v2 v1.17.0 h1:kWm8OZGx0Zvd6PsOfjFtwbw7+uWYp65DK8suo7WVznw= github.com/aws/aws-sdk-go-v2 v1.17.0/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= +github.com/aws/aws-sdk-go-v2 v1.17.1 h1:02c72fDJr87N8RAC2s3Qu0YuvMRZKNZJ9F+lAehCazk= +github.com/aws/aws-sdk-go-v2 v1.17.1/go.mod h1:JLnGeGONAyi2lWXI1p0PCIOIy333JMVK1U7Hf0aRFLw= github.com/aws/aws-sdk-go-v2/config v1.17.4 h1:9HY1wbShqObySCHP2Z07blfrSWVX+nVxCZmUuLZKcG8= github.com/aws/aws-sdk-go-v2/config v1.17.4/go.mod h1:ul+ru+huVpfduF9XRmGUq82T8T3K+nIFQuF6F+L+548= github.com/aws/aws-sdk-go-v2/credentials v1.12.17 h1:htUjIJOQcvIUR0jC4eLkdis1DfaLL4EUbIKUFqh2WFA= 
@@ -168,17 +169,19 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14/go.mod h1:5CU57SyF5jZLSIw github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.20/go.mod h1:gdZ5gRUaxThXIZyZQ8MTtgYBk2jbHgp05BO3GcD9Cwc= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.22/go.mod h1:/vNv5Al0bpiF8YdX2Ov6Xy05VTiXsql94yUqJMYaj0w= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.23/go.mod h1:2DFxAQ9pfIRy0imBCJv+vZ2X6RKxves6fbnEuSry6b4= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.24 h1:WFIoN2kiF95/4z4HNcJ9F9B0xFV0vrPlUOf3+uNIujM= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.24/go.mod h1:ghMzB/j2wRbPx5/4jPYxJdOtCG2ggrtY01j8K7FMBDA= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 h1:nBO/RFxeq/IS5G9Of+ZrgucRciie2qpLy++3UGZ+q2E= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25/go.mod h1:Zb29PYkf42vVYQY6pvSyJCJcFHlPIiY+YKdPtwnvMkY= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.14/go.mod h1:GEV9jaDPIgayiU+uevxwozcvUOjc+P4aHE2BeSjm2vE= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.16/go.mod h1:62dsXI0BqTIGomDl8Hpm33dv0OntGaVblri3ZRParVQ= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17/go.mod h1:pRwaTYCJemADaqCbUAxltMoHKata7hmB5PjEXeu0kfg= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.18 h1:c2RKF0UvfdVI6epHtFjDujlbiK+VeY85dP1i4gmYc5w= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.18/go.mod h1:fkQKYK/jUhCL/wNS1tOPrlYhr9vqutjCz4zZC1wBE1s= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 h1:oRHDrwCTVT8ZXi4sr9Ld+EXk7N/KGssOr2ygNeojEhw= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19/go.mod h1:6Q0546uHDp421okhmmGfbxzq2hBqbXFNpi4k+Q1JnQA= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21 h1:lpwSbLKYTuABo6SyUoC25xAmfO3/TehGS2SmD1EtOL0= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21/go.mod h1:Q0pktZjvRZk77TBto6yAvUAi7fcse1bdcMctBDVGgBw= -github.com/aws/aws-sdk-go-v2/service/acmpca v1.18.0 h1:cnPVlhdCSBY2ee3BAjWvqGHwksQRbWJgDMB5WL2M/j0= 
-github.com/aws/aws-sdk-go-v2/service/acmpca v1.18.0/go.mod h1:XluaDqrmOOoqZtsCeBJ4A45ZAytjpmjr6bfmSzv/vZg= +github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 h1:2f0kb+39miQPRp0b7Sqq06+TpxI0Nfcra41QxzJPME8= +github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0/go.mod h1:AVLIBQ9V7mcHd5uZT1+wUbBt4QaI/XcOens85Ib0W1o= github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.0 h1:9ailn+011zwUJdS8RuamANJVAyX+aoUyTaBrw0CHRdE= github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.0/go.mod h1:0+6fPoY0SglgzQUs2yml7X/fup12cMlVumJufh5npRQ= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 h1:m/WtVqEvgwDiUPIW2dtnF2hDE1O62MEflz9ClOlCXAs= @@ -199,8 +202,9 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.16.16/go.mod h1:Y9iBgT1w2vHtYzJEkwD6 github.com/aws/aws-sdk-go-v2/service/sts v1.17.0 h1:9S0HcZUxKcU3HdN+M6GgLIvdbg9as5aOoHrvwRsPNYU= github.com/aws/aws-sdk-go-v2/service/sts v1.17.0/go.mod h1:9pZN58zQc5a4Dkdnhu/rI1lNBui1vP5B0giGCuUt2b0= github.com/aws/smithy-go v1.13.1/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= -github.com/aws/smithy-go v1.13.3 h1:l7LYxGuzK6/K+NzJ2mC+VvLUbae0sL3bXU//04MkmnA= github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/aws/smithy-go v1.13.4 h1:/RN2z1txIJWeXeOkzX+Hk/4Uuvv7dWtCjbmVJcrskyk= +github.com/aws/smithy-go v1.13.4/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= From 6e2b9e01a8b73e52fe96678dcab999428805a2f2 Mon Sep 17 00:00:00 2001 From: Andrew Harding Date: Tue, 25 Oct 2022 12:25:21 -0600 Subject: [PATCH 014/257] Mark k8s-workload-registrar as deprecated (#3526) Fixes: #3501 
Signed-off-by: Andrew Harding --- support/k8s/k8s-workload-registrar/README.md | 2 ++ support/k8s/k8s-workload-registrar/config_crd.go | 2 ++ support/k8s/k8s-workload-registrar/config_reconcile.go | 2 ++ support/k8s/k8s-workload-registrar/mode-crd/README.md | 2 ++ 4 files changed, 8 insertions(+) diff --git a/support/k8s/k8s-workload-registrar/README.md b/support/k8s/k8s-workload-registrar/README.md index da6b0d756f..3da0ba3a53 100644 --- a/support/k8s/k8s-workload-registrar/README.md +++ b/support/k8s/k8s-workload-registrar/README.md @@ -1,5 +1,7 @@ # SPIRE Kubernetes Workload Registrar +** The SPIRE Kubernetes Workload Registrar is deprecated and no longer maintained. Please migrate to the [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager). ** + The SPIRE Kubernetes Workload Registrar implements a Kubernetes ValidatingAdmissionWebhook that facilitates automatic workload registration within Kubernetes. diff --git a/support/k8s/k8s-workload-registrar/config_crd.go b/support/k8s/k8s-workload-registrar/config_crd.go index f72a993ab3..77b56d4c5f 100644 --- a/support/k8s/k8s-workload-registrar/config_crd.go +++ b/support/k8s/k8s-workload-registrar/config_crd.go @@ -105,6 +105,8 @@ func (c *CRDMode) Run(ctx context.Context) error { } defer log.Close() + log.Warn("The k8s-workload-registrar is deprecated and no longer maintained. Please migrate to the SPIRE Controller Manager (https://github.com/spiffe/spire-controller-manager).") + // DEPRECATED: remove this check in 1.5.0 since all those who migrate through 1.4.0 will already have moved away if c.LeaderElection && c.LeaderElectionResourceLock == configMapsResourceLock { return errs.New(`the "configmaps" leader election resource lock type is no longer supported`) diff --git a/support/k8s/k8s-workload-registrar/config_reconcile.go b/support/k8s/k8s-workload-registrar/config_reconcile.go index 3f29e0128e..f009a29e37 100644 --- a/support/k8s/k8s-workload-registrar/config_reconcile.go 
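Review bot: The deprecation notice added in `CRDMode.Run` is the same string literal that the config_reconcile.go hunk adds in `ReconcileMode.Run`, and the two are logged at different levels (`log.Warn` here, `setupLog.Info` there). Both files sit in the same directory, so the text could be declared once, for example `const deprecationNotice = "The k8s-workload-registrar is deprecated and no longer maintained. ..."`, and passed to both calls so the wording cannot drift. The reconcile-mode notice at Info level can be filtered out by a stricter log threshold. If that logger offers no warning level, a short comment saying so would explain the difference. Both `Run` bodies continue outside the hunks.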
+++ b/support/k8s/k8s-workload-registrar/config_reconcile.go @@ -69,6 +69,8 @@ func (c *ReconcileMode) Run(ctx context.Context) error { })) setupLog := ctrl.Log.WithName("setup") + setupLog.Info("The k8s-workload-registrar is deprecated and no longer maintained. Please migrate to the SPIRE Controller Manager (https://github.com/spiffe/spire-controller-manager).") + // DEPRECATED: remove this check in 1.5.0 since all those who migrate through 1.4.0 will already have moved away if c.LeaderElection && c.LeaderElectionResourceLock == configMapsResourceLock { return errs.New(`the "configmaps" leader election resource lock type is no longer supported`) diff --git a/support/k8s/k8s-workload-registrar/mode-crd/README.md b/support/k8s/k8s-workload-registrar/mode-crd/README.md index f688095136..5c4f001386 100644 --- a/support/k8s/k8s-workload-registrar/mode-crd/README.md +++ b/support/k8s/k8s-workload-registrar/mode-crd/README.md @@ -1,5 +1,7 @@ # SPIRE Kubernetes Workload Registrar (CRD Mode) +** The SPIRE Kubernetes Workload Registrar is deprecated and no longer maintained. Please migrate to the [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager). ** + The CRD mode of the SPIRE Kubernetes Workload Registrar uses a Kubernetes Custom Resource Definition (CRD) to integrate SPIRE and Kubernetes. This enables auto and manual generation of SPIFFE IDs from with Kubernetes and the `kubectl` CLI. From 5f2d901dca3d9b7351909eaf9e11889e578d942b Mon Sep 17 00:00:00 2001 From: Guilherme Oliveira do Carmo Carvalho <33766735+guilhermocc@users.noreply.github.com> Date: Tue, 25 Oct 2022 20:06:14 -0300 Subject: [PATCH 015/257] Update cliprinter default flag name (#3528) Signed-off-by: Guilherme Carvalho --- cmd/spire-agent/cli/api/fetch_jwt.go | 4 ++-- pkg/common/cliprinter/flag.go | 20 +++++++++++------ pkg/common/cliprinter/flag_test.go | 32 +++++++++++++++++++++------- 3 files changed, 40 insertions(+), 16 deletions(-) 
diff --git a/cmd/spire-agent/cli/api/fetch_jwt.go b/cmd/spire-agent/cli/api/fetch_jwt.go index 8bd9b3bbdb..019fa38b27 100644 --- a/cmd/spire-agent/cli/api/fetch_jwt.go +++ b/cmd/spire-agent/cli/api/fetch_jwt.go @@ -55,8 +55,8 @@ func (c *fetchJWTCommand) run(ctx context.Context, env *common_cli.Env, client * func (c *fetchJWTCommand) appendFlags(fs *flag.FlagSet) { fs.Var(&c.audience, "audience", "comma separated list of audience values") fs.StringVar(&c.spiffeID, "spiffeID", "", "SPIFFE ID subject (optional)") - - cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, printPrettyResult) + outputValue := cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, printPrettyResult) + fs.Var(outputValue, "format", "deprecated; use -output") } func (c *fetchJWTCommand) fetchJWTSVID(ctx context.Context, client *workloadClient) (*workload.JWTSVIDResponse, error) { diff --git a/pkg/common/cliprinter/flag.go b/pkg/common/cliprinter/flag.go index 7f90834885..9f1d08d71d 100644 --- a/pkg/common/cliprinter/flag.go +++ b/pkg/common/cliprinter/flag.go @@ -6,10 +6,12 @@ import ( "fmt" ) +const defaultFlagName = "output" + // AppendFlag adds the -format flag to the provided flagset, and populates // the referenced Printer interface with a properly configured printer. -func AppendFlag(p *Printer, fs *flag.FlagSet) { - AppendFlagWithCustomPretty(p, fs, nil) +func AppendFlag(p *Printer, fs *flag.FlagSet) *FormatterFlag { + return AppendFlagWithCustomPretty(p, fs, nil) } // AppendFlagWithCustomPretty is the same as AppendFlag, however it also allows 
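Review bot: The doc comment on `AppendFlag` in the first flag.go hunk still says it "adds the -format flag", but the flag is now registered as `defaultFlagName` (`output`). It also omits the new return value that `fetch_jwt.go` uses to register the `-format` alias. Suggested wording: `// AppendFlag adds the -output flag to the provided flagset, populates the referenced Printer with a properly configured printer, and returns the flag value so callers can register it under additional names.` The comment on `AppendFlagWithCustomPretty` should mention the returned `*FormatterFlag` as well; that comment continues outside the hunk.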
@@ -17,7 +19,7 @@ func AppendFlag(p *Printer, fs *flag.FlagSet) { // to override the pretty print logic that normally ships with this package. Its // intended use is to allow for the adoption of cliprinter while still retaining // backwards compatibility with the legacy/bespoke pretty print output. -func AppendFlagWithCustomPretty(p *Printer, fs *flag.FlagSet, cp CustomPrettyFunc) { +func AppendFlagWithCustomPretty(p *Printer, fs *flag.FlagSet, cp CustomPrettyFunc) *FormatterFlag { // Set the default np := newPrinter(defaultFormatType) np.setCustomPrettyPrinter(cp) @@ -29,7 +31,8 @@ func AppendFlagWithCustomPretty(p *Printer, fs *flag.FlagSet, cp CustomPrettyFun customPretty: cp, } - fs.Var(f, "format", "Desired output format (pretty, json)") + fs.Var(f, defaultFlagName, "Desired output format (pretty, json)") + return f } type FormatterFlag struct { @@ -37,8 +40,9 @@ type FormatterFlag struct { // A pointer to our consumer's Printer interface, along with // its format type - p *Printer - f formatType + p *Printer + f formatType + isSet bool } func (f *FormatterFlag) String() string { @@ -50,6 +54,9 @@ func (f *FormatterFlag) String() string { } func (f *FormatterFlag) Set(formatStr string) error { + if f.isSet && formatTypeToStr(f.f) != formatStr { + return fmt.Errorf("the output format has already been set to %q", formatTypeToStr(f.f)) + } if f.p == nil { return errors.New("internal error: formatter flag not correctly invoked; please report this bug") } @@ -64,5 +71,6 @@ func (f *FormatterFlag) Set(formatStr string) error { *f.p = np f.f = format + f.isSet = true return nil } diff --git a/pkg/common/cliprinter/flag_test.go b/pkg/common/cliprinter/flag_test.go index 737e078f65..2b0b8b7488 100644 --- a/pkg/common/cliprinter/flag_test.go +++ b/pkg/common/cliprinter/flag_test.go @@ -12,6 +12,7 @@ func TestAppendFlag(t *testing.T) { flagCases := []struct { name string input []string + extraFlags []string expectedFormat formatType expectError bool }{ 
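Review bot: The duplicate-value guard added at the top of `FormatterFlag.Set` compares the raw argument against the canonical name of the stored format (`formatTypeToStr(f.f) != formatStr`). The test table in this commit states that input is case insensitive, so `-output json -format JSON` would presumably be rejected as a conflict although both name the same format; the parsing code is not visible here. Comparing after parsing avoids this: `if f.isSet && format != f.f {` placed just before `*f.p = np`. With that ordering an invalid second value also reports the invalid-format error instead of "already been set". A test case with differing case across the two flags would pin the behaviour; `Set`'s body is only partly visible in these hunks.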
@@ -22,27 +23,40 @@ func TestAppendFlag(t *testing.T) { }, { name: "requires a value", - input: []string{"-format"}, + input: []string{"-output"}, expectError: true, }, + { + name: "error when setting a different value more than once", + input: []string{"-output", "json", "-format", "pretty"}, + extraFlags: []string{"format"}, + expectError: true, + }, + { + name: "works when setting the same value more than once", + input: []string{"-output", "pretty", "-format", "pretty"}, + extraFlags: []string{"format"}, + expectedFormat: pretty, + expectError: false, + }, { name: "requires a valid format", - input: []string{"-format", "nonexistent"}, + input: []string{"-output", "nonexistent"}, expectError: true, }, { name: "works when specifying pretty print", - input: []string{"-format", "pretty"}, + input: []string{"-output", "pretty"}, expectedFormat: pretty, }, { name: "works when specifying json", - input: []string{"-format", "json"}, + input: []string{"-output", "json"}, expectedFormat: json, }, { name: "input is case insensitive", - input: []string{"-format", "jSoN"}, + input: []string{"-output", "jSoN"}, expectedFormat: json, }, } @@ -53,8 +67,10 @@ func TestAppendFlag(t *testing.T) { fs := flag.NewFlagSet("testy", flag.ContinueOnError) fs.SetOutput(new(bytes.Buffer)) - AppendFlag(&p, fs) - + defaultFlagValue := AppendFlag(&p, fs) + for _, flagName := range c.extraFlags { + fs.Var(defaultFlagValue, flagName, "") + } err := fs.Parse(c.input) switch { case err == nil: @@ -101,7 +117,7 @@ func TestAppendFlagWithCustomPretty(t *testing.T) { return nil } AppendFlagWithCustomPretty(&p, fs, cp) - err = fs.Parse([]string{"-format", "pretty"}) + err = fs.Parse([]string{"-output", "pretty"}) if err != nil { t.Fatalf("unexpected error: %v", err) } From bcc05ff5a2cad1d1da144a90e3778840bb098642 Mon Sep 17 00:00:00 2001 
From: Dennis Gove Date: Wed, 26 Oct 2022 14:34:57 -0400 Subject: [PATCH 016/257] Issue #2700: Adds support for X509 and JWT specific SVID TTLs (#3445) * Adds support for X509 and JWT specific SVID TTLs Fixes #2700 This change adds support for X509 and JWT specific SVID TTLs in each of the following places * Default values in spire-server configuration. Similar to the existing TTL value, if provided then it must be >= 0. A value of 0 is considered 'unset', meaning there is no default. * Entry records in the database and API During Entry creation and update * If the API call contains a non-zero X509SvidTtl value then that will be stored, else the config default x509SvidTtl value is used * If the API call contains a non-zero JWTSvidTtl value then that will stored, else the config default jwtSvidTtl value is used During X509-SVID creation * If the API call contains a non-zero TTL value then that is used, else * If the stored record contains a non-zero X509SvidTtl value then that will be used, else * If the stored record contains a non-zero TTL value then that will be used, * The hard-coded default X509SvidTTL value will be used During JWT-SVID creation * If the API call contains a non-zero TTL value then that is used, else * If the stored record contains a non-zero JWTSvidTtl value then that will be used, else * If the stored record contains a non-zero TTL value then that will be used, * The hard-coded default JWTSvidTTL value will be used X509SvidTtl and JwtSvidTtl will be considered during the following cases * All must be valid with-respect-to the configured CA TTL - they are all part of the min/max validation checks * Entry sorting now includes each of X509SvidTtl and JwtSvidTtl 
Signed-off-by: Dennis Gove --- cmd/spire-server/cli/entry/create.go | 53 ++- cmd/spire-server/cli/entry/create_test.go | 176 +++++-- cmd/spire-server/cli/entry/show_test.go | 12 +- cmd/spire-server/cli/entry/update.go | 49 +- cmd/spire-server/cli/entry/update_test.go | 130 +++++- cmd/spire-server/cli/entry/util.go | 12 +- cmd/spire-server/cli/entry/util_posix_test.go | 12 +- cmd/spire-server/cli/entry/util_test.go | 25 +- .../cli/entry/util_windows_test.go | 12 +- cmd/spire-server/cli/run/run.go | 176 ++++--- cmd/spire-server/cli/run/run_test.go | 438 +++++++++++++++--- doc/SPIRE101.md | 91 ++-- doc/spire_server.md | 47 +- go.mod | 2 +- go.sum | 4 +- pkg/agent/manager/cache/cache_test.go | 45 +- pkg/agent/manager/cache/lru_cache_test.go | 4 +- pkg/agent/manager/storecache/cache_test.go | 6 +- pkg/common/protoutil/masks_test.go | 3 +- pkg/common/telemetry/names.go | 8 + pkg/common/util/sort.go | 18 +- pkg/common/util/sort_test.go | 159 ++++--- pkg/server/api/bundle/v1/service_test.go | 9 +- pkg/server/api/entry.go | 21 +- pkg/server/api/entry/v1/service.go | 23 +- pkg/server/api/entry/v1/service_test.go | 178 +++---- pkg/server/api/entry_test.go | 57 ++- pkg/server/api/svid/v1/service.go | 8 +- pkg/server/api/svid/v1/service_test.go | 87 +++- pkg/server/config.go | 7 +- pkg/server/datastore/sqlstore/models.go | 3 +- pkg/server/datastore/sqlstore/sqlstore.go | 105 +++-- .../datastore/sqlstore/sqlstore_test.go | 109 +++-- .../invalid_registration_entries.json | 4 +- pkg/server/server.go | 3 +- proto/spire/common/common.pb.go | 228 +++++---- proto/spire/common/common.proto | 9 +- .../fixture/registration/good-for-update.json | 9 +- test/fixture/registration/good.json | 9 +- 39 files changed, 1606 insertions(+), 745 deletions(-) diff --git a/cmd/spire-server/cli/entry/create.go b/cmd/spire-server/cli/entry/create.go index 18b02b2c2f..dd517de04e 100644 --- a/cmd/spire-server/cli/entry/create.go +++ b/cmd/spire-server/cli/entry/create.go 
@@ -39,9 +39,17 @@ type createCommand struct { // Workload spiffeID spiffeID string - // TTL for certificates issued to this workload + // TTL for x509 and JWT SVIDs issued to this workload, unless type specific TTLs are set. + // This field is deprecated in favor of the x509SVIDTTL and jwtSVIDTTL fields and will be + // removed in a future release. ttl int + // TTL for x509 SVIDs issued to this workload + x509SVIDTTL int + + // TTL for JWT SVIDs issued to this workload + jwtSVIDTTL int + // List of SPIFFE IDs of trust domains the registration entry is federated with federatesWith StringsFlag @@ -75,7 +83,9 @@ func (*createCommand) Synopsis() string { func (c *createCommand) AppendFlags(f *flag.FlagSet) { f.StringVar(&c.parentID, "parentID", "", "The SPIFFE ID of this record's parent") f.StringVar(&c.spiffeID, "spiffeID", "", "The SPIFFE ID that this record represents") - f.IntVar(&c.ttl, "ttl", 0, "The lifetime, in seconds, for SVIDs issued based on this registration entry") + f.IntVar(&c.ttl, "ttl", 0, "The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version") + f.IntVar(&c.x509SVIDTTL, "x509SVIDTTL", 0, "The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag") + f.IntVar(&c.jwtSVIDTTL, "jwtSVIDTTL", 0, "The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag") f.StringVar(&c.path, "data", "", "Path to a file containing registration JSON (optional). If set to '-', read the JSON from stdin.") f.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once") f.Var(&c.federatesWith, "federatesWith", "SPIFFE ID of a trust domain to federate with. Can be used more than once") 
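Review bot: The help strings for `-x509SVIDTTL` and `-jwtSVIDTTL` in `AppendFlags` end with "Overrides ttl flag", but `validate` in this commit returns an error whenever `ttl` is combined with either flag, so nothing is overridden. For the JWT flag the wording is doubly misleading, because the comment in `parseConfig` says the deprecated `ttl` is never applied to JWT-SVIDs. Replace the trailing sentence with `Cannot be combined with the deprecated ttl flag` in both strings. The struct comment on `ttl` ("TTL for x509 and JWT SVIDs ... unless type specific TTLs are set") has the same mismatch with the code that follows.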
@@ -156,6 +166,18 @@ func (c *createCommand) validate() (err error) { return errors.New("a positive TTL is required") } + if c.x509SVIDTTL < 0 { + return errors.New("a positive x509-SVID TTL is required") + } + + if c.jwtSVIDTTL < 0 { + return errors.New("a positive JWT-SVID TTL is required") + } + + if c.ttl > 0 && (c.x509SVIDTTL > 0 || c.jwtSVIDTTL > 0) { + return errors.New("use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag") + } + return nil } @@ -172,13 +194,26 @@ func (c *createCommand) parseConfig() ([]*types.Entry, error) { } e := &types.Entry{ - ParentId: parentID, - SpiffeId: spiffeID, - Ttl: int32(c.ttl), - Downstream: c.downstream, - ExpiresAt: c.entryExpiry, - DnsNames: c.dnsNames, - StoreSvid: c.storeSVID, + ParentId: parentID, + SpiffeId: spiffeID, + Downstream: c.downstream, + ExpiresAt: c.entryExpiry, + DnsNames: c.dnsNames, + StoreSvid: c.storeSVID, + X509SvidTtl: int32(c.x509SVIDTTL), + JwtSvidTtl: int32(c.jwtSVIDTTL), + } + + // c.ttl is deprecated but usable if the new c.x509Svid field is not used. + // c.ttl should not be used to set the jwtSVIDTTL value because the previous + // behavior was to have a hard-coded 5 minute JWT TTL no matter what the value + // of ttl was set to. + // validate(...) ensures that either the new fields or the deprecated field is + // used, but never a mixture. + // + // https://github.com/spiffe/spire/issues/2700 + if e.X509SvidTtl == 0 { + e.X509SvidTtl = int32(c.ttl) } selectors := []*types.Selector{} diff --git a/cmd/spire-server/cli/entry/create_test.go b/cmd/spire-server/cli/entry/create_test.go index dad5bbaada..270d4d9118 100644 --- a/cmd/spire-server/cli/entry/create_test.go +++ b/cmd/spire-server/cli/entry/create_test.go 
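Review bot: `int32(c.x509SVIDTTL)` and `int32(c.jwtSVIDTTL)` in `parseConfig` narrow a platform-sized `int` with no upper bound, and the checks added to `validate` in the preceding hunk only reject negative values. On a 64-bit build a value above the int32 range wraps silently, so the entry is stored with a lifetime the operator did not ask for. Since this number bounds how long an issued SVID stays valid, reject it in `validate`: `if c.x509SVIDTTL > math.MaxInt32 || c.jwtSVIDTTL > math.MaxInt32 { return errors.New("TTL values must fit in 32 bits") }` (needs `math` imported if the file does not already have it). The deprecated `ttl` goes through the same conversion and deserves the same bound. Both functions continue outside the hunks.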
@@ -36,7 +36,35 @@ func TestCreate(t *testing.T) { {Type: "zebra", Value: "zebra:2000"}, {Type: "alpha", Value: "alpha:2000"}, }, - Ttl: 60, + X509SvidTtl: 60, + JwtSvidTtl: 30, + FederatesWith: []string{"spiffe://domaina.test", "spiffe://domainb.test"}, + Admin: true, + ExpiresAt: 1552410266, + DnsNames: []string{"unu1000", "ung1000"}, + Downstream: true, + StoreSvid: true, + }, + Status: &types.Status{ + Code: int32(codes.OK), + Message: "OK", + }, + }, + }, + } + + fakeRespOKFromCmd2 := &entryv1.BatchCreateEntryResponse{ + Results: []*entryv1.BatchCreateEntryResponse_Result{ + { + Entry: &types.Entry{ + Id: "entry-id", + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/workload"}, + ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/parent"}, + Selectors: []*types.Selector{ + {Type: "zebra", Value: "zebra:2000"}, + {Type: "alpha", Value: "alpha:2000"}, + }, + X509SvidTtl: 60, FederatesWith: []string{"spiffe://domaina.test", "spiffe://domainb.test"}, Admin: true, ExpiresAt: 1552410266, @@ -56,12 +84,13 @@ func TestCreate(t *testing.T) { Results: []*entryv1.BatchCreateEntryResponse_Result{ { Entry: &types.Entry{ - Id: "entry-id-1", - SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/Blog"}, - ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenBlog"}, - Selectors: []*types.Selector{{Type: "unix", Value: "uid:1111"}}, - Ttl: 200, - Admin: true, + Id: "entry-id-1", + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/Blog"}, + ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenBlog"}, + Selectors: []*types.Selector{{Type: "unix", Value: "uid:1111"}}, + X509SvidTtl: 200, + JwtSvidTtl: 30, + Admin: true, }, Status: &types.Status{ Code: int32(codes.OK), 
@@ -70,11 +99,12 @@ func TestCreate(t *testing.T) { }, { Entry: &types.Entry{ - Id: "entry-id-2", - SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/Database"}, - ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenDatabase"}, - Selectors: []*types.Selector{{Type: "unix", Value: "uid:1111"}}, - Ttl: 200, + Id: "entry-id-2", + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/Database"}, + ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenDatabase"}, + Selectors: []*types.Selector{{Type: "unix", Value: "uid:1111"}}, + X509SvidTtl: 200, + JwtSvidTtl: 30, }, Status: &types.Status{ Code: int32(codes.OK), @@ -90,8 +120,9 @@ func TestCreate(t *testing.T) { {Type: "type", Value: "key1:value"}, {Type: "type", Value: "key2:value"}, }, - StoreSvid: true, - Ttl: 200, + StoreSvid: true, + X509SvidTtl: 200, + JwtSvidTtl: 30, }, Status: &types.Status{ Code: int32(codes.OK), 
@@ -147,6 +178,21 @@ func TestCreate(t *testing.T) { args: []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "-10"}, expErr: "Error: a positive TTL is required\n", }, + { + name: "Invalid TTL and X509SvidTtl", + args: []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20"}, + expErr: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", + }, + { + name: "Invalid TTL and JwtSvidTtl", + args: []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-jwtSVIDTTL", "20"}, + expErr: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", + }, + { + name: "Invalid TTL and both X509SvidTtl and JwtSvidTtl", + args: []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20", "-jwtSVIDTTL", "30"}, + expErr: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", + }, { name: "Federated node entries", args: []string{"-selector", "unix", "-spiffeID", "spiffe://example.org/workload", "-node", "-federatesWith", "spiffe://another.org"}, @@ -172,7 +218,8 @@ func TestCreate(t *testing.T) { "-parentID", "spiffe://example.org/parent", "-selector", "zebra:zebra:2000", "-selector", "alpha:alpha:2000", - "-ttl", "60", + "-x509SVIDTTL", "60", + "-jwtSVIDTTL", "30", "-federatesWith", "spiffe://domaina.test", "-federatesWith", "spiffe://domainb.test", "-admin", @@ -191,7 +238,8 @@ func TestCreate(t *testing.T) { {Type: "zebra", Value: "zebra:2000"}, {Type: "alpha", Value: "alpha:2000"}, }, - Ttl: 60, + X509SvidTtl: 60, + JwtSvidTtl: 30, FederatesWith: []string{"spiffe://domaina.test", "spiffe://domainb.test"}, Admin: true, ExpiresAt: 1552410266, 
@@ -207,7 +255,64 @@ SPIFFE ID : spiffe://example.org/workload Parent ID : spiffe://example.org/parent Revision : 0 Downstream : true -TTL : 60 +X509-SVID TTL : 60 +JWT-SVID TTL : 30 +Expiration time : %s +Selector : zebra:zebra:2000 +Selector : alpha:alpha:2000 +FederatesWith : spiffe://domaina.test +FederatesWith : spiffe://domainb.test +DNS name : unu1000 +DNS name : ung1000 +Admin : true +StoreSvid : true + +`, time.Unix(1552410266, 0).UTC()), + }, + { + name: "Create succeeds using deprecated command line arguments", + args: []string{ + "-spiffeID", "spiffe://example.org/workload", + "-parentID", "spiffe://example.org/parent", + "-selector", "zebra:zebra:2000", + "-selector", "alpha:alpha:2000", + "-ttl", "60", + "-federatesWith", "spiffe://domaina.test", + "-federatesWith", "spiffe://domainb.test", + "-admin", + "-entryExpiry", "1552410266", + "-dns", "unu1000", + "-dns", "ung1000", + "-downstream", + "-storeSVID", + }, + expReq: &entryv1.BatchCreateEntryRequest{ + Entries: []*types.Entry{ + { + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/workload"}, + ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/parent"}, + Selectors: []*types.Selector{ + {Type: "zebra", Value: "zebra:2000"}, + {Type: "alpha", Value: "alpha:2000"}, + }, + X509SvidTtl: 60, + FederatesWith: []string{"spiffe://domaina.test", "spiffe://domainb.test"}, + Admin: true, + ExpiresAt: 1552410266, + DnsNames: []string{"unu1000", "ung1000"}, + Downstream: true, + StoreSvid: true, + }, + }, + }, + fakeResp: fakeRespOKFromCmd2, + expOut: fmt.Sprintf(`Entry ID : entry-id +SPIFFE ID : spiffe://example.org/workload +Parent ID : spiffe://example.org/parent +Revision : 0 +Downstream : true +X509-SVID TTL : 60 +JWT-SVID TTL : default Expiration time : %s Selector : zebra:zebra:2000 Selector : alpha:alpha:2000 
@@ -228,17 +333,19 @@ StoreSvid : true expReq: &entryv1.BatchCreateEntryRequest{ Entries: []*types.Entry{ { - SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/Blog"}, - ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenBlog"}, - Selectors: []*types.Selector{{Type: "unix", Value: "uid:1111"}}, - Ttl: 200, - Admin: true, + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/Blog"}, + ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenBlog"}, + Selectors: []*types.Selector{{Type: "unix", Value: "uid:1111"}}, + X509SvidTtl: 200, + JwtSvidTtl: 30, + Admin: true, }, { - SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/Database"}, - ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenDatabase"}, - Selectors: []*types.Selector{{Type: "unix", Value: "uid:1111"}}, - Ttl: 200, + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/Database"}, + ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenDatabase"}, + Selectors: []*types.Selector{{Type: "unix", Value: "uid:1111"}}, + X509SvidTtl: 200, + JwtSvidTtl: 30, }, { SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/storesvid"}, @@ -247,8 +354,9 @@ StoreSvid : true {Type: "type", Value: "key1:value"}, {Type: "type", Value: "key2:value"}, }, - Ttl: 200, - StoreSvid: true, + X509SvidTtl: 200, + JwtSvidTtl: 30, + StoreSvid: true, }, }, }, @@ -257,7 +365,8 @@ StoreSvid : true SPIFFE ID : spiffe://example.org/Blog Parent ID : spiffe://example.org/spire/agent/join_token/TokenBlog Revision : 0 -TTL : 200 +X509-SVID TTL : 200 +JWT-SVID TTL : 30 Selector : unix:uid:1111 Admin : true 
@@ -265,14 +374,16 @@ Entry ID : entry-id-2 SPIFFE ID : spiffe://example.org/Database Parent ID : spiffe://example.org/spire/agent/join_token/TokenDatabase Revision : 0 -TTL : 200 +X509-SVID TTL : 200 +JWT-SVID TTL : 30 Selector : unix:uid:1111 Entry ID : entry-id-3 SPIFFE ID : spiffe://example.org/storesvid Parent ID : spiffe://example.org/spire/agent/join_token/TokenDatabase Revision : 0 -TTL : 200 +X509-SVID TTL : 200 +JWT-SVID TTL : 30 Selector : type:key1:value Selector : type:key2:value StoreSvid : true @@ -295,7 +406,8 @@ Entry ID : (none) SPIFFE ID : spiffe://example.org/already-exist Parent ID : spiffe://example.org/spire/server Revision : 0 -TTL : default +X509-SVID TTL : default +JWT-SVID TTL : default Selector : unix:uid:1 Error: failed to create one or more entries diff --git a/cmd/spire-server/cli/entry/show_test.go b/cmd/spire-server/cli/entry/show_test.go index 573f6e3d5f..55b689fc7e 100644 --- a/cmd/spire-server/cli/entry/show_test.go +++ b/cmd/spire-server/cli/entry/show_test.go @@ -415,7 +415,8 @@ func getPrintedEntry(idx int) string { SPIFFE ID : spiffe://example.org/son Parent ID : spiffe://example.org/father Revision : 0 -TTL : default +X509-SVID TTL : default +JWT-SVID TTL : default Selector : foo:bar ` @@ -424,7 +425,8 @@ Selector : foo:bar SPIFFE ID : spiffe://example.org/daughter Parent ID : spiffe://example.org/father Revision : 0 -TTL : default +X509-SVID TTL : default +JWT-SVID TTL : default Selector : bar:baz Selector : foo:bar @@ -434,7 +436,8 @@ Selector : foo:bar SPIFFE ID : spiffe://example.org/daughter Parent ID : spiffe://example.org/mother Revision : 0 -TTL : default +X509-SVID TTL : default +JWT-SVID TTL : default Selector : bar:baz Selector : baz:bat FederatesWith : spiffe://domain.test 
@@ -445,7 +448,8 @@ FederatesWith : spiffe://domain.test SPIFFE ID : spiffe://example.org/son Parent ID : spiffe://example.org/mother Revision : 0 -TTL : default +X509-SVID TTL : default +JWT-SVID TTL : default Expiration time : %s Selector : baz:bat diff --git a/cmd/spire-server/cli/entry/update.go b/cmd/spire-server/cli/entry/update.go index 7684956937..16097c192b 100644 --- a/cmd/spire-server/cli/entry/update.go +++ b/cmd/spire-server/cli/entry/update.go @@ -47,6 +47,12 @@ type updateCommand struct { // TTL for certificates issued to this workload ttl int + // TTL for x509 SVIDs issued to this workload + x509SvidTTL int + + // TTL for JWT SVIDs issued to this workload + jwtSvidTTL int + // List of SPIFFE IDs of trust domains the registration entry is federated with federatesWith StringsFlag 
@@ -75,7 +81,9 @@ func (c *updateCommand) AppendFlags(f *flag.FlagSet) { f.StringVar(&c.entryID, "entryID", "", "The Registration Entry ID of the record to update") f.StringVar(&c.parentID, "parentID", "", "The SPIFFE ID of this record's parent") f.StringVar(&c.spiffeID, "spiffeID", "", "The SPIFFE ID that this record represents") - f.IntVar(&c.ttl, "ttl", 0, "The lifetime, in seconds, for SVIDs issued based on this registration entry") + f.IntVar(&c.ttl, "ttl", 0, "The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version") + f.IntVar(&c.x509SvidTTL, "x509SVIDTTL", 0, "The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag") + f.IntVar(&c.jwtSvidTTL, "jwtSVIDTTL", 0, "The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag") f.StringVar(&c.path, "data", "", "Path to a file containing registration JSON (optional). If set to '-', read the JSON from stdin.") f.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once") f.Var(&c.federatesWith, "federatesWith", "SPIFFE ID of a trust domain to federate with. Can be used more than once") @@ -155,6 +163,18 @@ func (c *updateCommand) validate() (err error) { return errors.New("a positive TTL is required") } + if c.x509SvidTTL < 0 { + return errors.New("a positive x509-SVID TTL is required") + } + + if c.jwtSvidTTL < 0 { + return errors.New("a positive JWT-SVID TTL is required") + } + + if c.ttl > 0 && (c.x509SvidTTL > 0 || c.jwtSvidTTL > 0) { + return errors.New("use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag") + } + return nil } 
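Review bot: The help text for `-x509SVIDTTL` and `-jwtSVIDTTL` says "Overrides ttl flag", but `validate()` in the next hunk returns an error when either is combined with a positive `-ttl`, so nothing is ever overridden. Wording such as `"... based on this registration entry. Cannot be combined with the deprecated ttl flag"` would match what the command does. The usage constants in util_posix_test.go and util_windows_test.go repeat the string for both `entry create` and `entry update` and would change with it.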
@@ -170,13 +190,26 @@ func (c *updateCommand) parseConfig() ([]*types.Entry, error) { } e := &types.Entry{ - Id: c.entryID, - ParentId: parentID, - SpiffeId: spiffeID, - Ttl: int32(c.ttl), - Downstream: c.downstream, - ExpiresAt: c.entryExpiry, - DnsNames: c.dnsNames, + Id: c.entryID, + ParentId: parentID, + SpiffeId: spiffeID, + Downstream: c.downstream, + ExpiresAt: c.entryExpiry, + DnsNames: c.dnsNames, + X509SvidTtl: int32(c.x509SvidTTL), + JwtSvidTtl: int32(c.jwtSvidTTL), + } + + // c.ttl is deprecated but usable if the new c.x509Svid field is not used. + // c.ttl should not be used to set the jwtSVIDTTL value because the previous + // behavior was to have a hard-coded 5 minute JWT TTL no matter what the value + // of ttl was set to. + // validate(...) ensures that either the new fields or the deprecated field is + // used, but never a mixture. + // + // https://github.com/spiffe/spire/issues/2700 + if e.X509SvidTtl == 0 { + e.X509SvidTtl = int32(c.ttl) } selectors := []*types.Selector{} diff --git a/cmd/spire-server/cli/entry/update_test.go b/cmd/spire-server/cli/entry/update_test.go index aafc494c45..5fe52d86e3 100644 --- a/cmd/spire-server/cli/entry/update_test.go +++ b/cmd/spire-server/cli/entry/update_test.go @@ -33,7 +33,8 @@ func TestUpdate(t *testing.T) { {Type: "zebra", Value: "zebra:2000"}, {Type: "alpha", Value: "alpha:2000"}, }, - Ttl: 60, + X509SvidTtl: 60, + JwtSvidTtl: 30, FederatesWith: []string{"spiffe://domaina.test", "spiffe://domainb.test"}, Admin: true, ExpiresAt: 1552410266, @@ -49,7 +50,8 @@ func TestUpdate(t *testing.T) { {Type: "type", Value: "key1:value"}, {Type: "type", Value: "key2:value"}, }, - Ttl: 60, + X509SvidTtl: 60, + JwtSvidTtl: 30, FederatesWith: []string{"spiffe://domaina.test", "spiffe://domainb.test"}, ExpiresAt: 1552410266, DnsNames: []string{"unu1000", "ung1000"}, 
@@ -68,20 +70,22 @@ func TestUpdate(t *testing.T) { } entry2 := &types.Entry{ - Id: "entry-id-1", - SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/Blog"}, - ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenBlog"}, - Selectors: []*types.Selector{{Type: "unix", Value: "uid:1111"}}, - Ttl: 200, - Admin: true, + Id: "entry-id-1", + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/Blog"}, + ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenBlog"}, + Selectors: []*types.Selector{{Type: "unix", Value: "uid:1111"}}, + X509SvidTtl: 200, + JwtSvidTtl: 300, + Admin: true, } entry3 := &types.Entry{ - Id: "entry-id-2", - SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/Database"}, - ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenDatabase"}, - Selectors: []*types.Selector{{Type: "unix", Value: "uid:1111"}}, - Ttl: 200, + Id: "entry-id-2", + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/Database"}, + ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenDatabase"}, + Selectors: []*types.Selector{{Type: "unix", Value: "uid:1111"}}, + X509SvidTtl: 200, + JwtSvidTtl: 300, } entry4 := &types.Entry{ 
@@ -92,8 +96,26 @@ func TestUpdate(t *testing.T) { {Type: "type", Value: "key1:value"}, {Type: "type", Value: "key2:value"}, }, - StoreSvid: true, - Ttl: 200, + StoreSvid: true, + X509SvidTtl: 200, + JwtSvidTtl: 300, + } + + entry5 := &types.Entry{ + Id: "entry-id", + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/workload"}, + ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/parent"}, + Selectors: []*types.Selector{ + {Type: "zebra", Value: "zebra:2000"}, + {Type: "alpha", Value: "alpha:2000"}, + }, + X509SvidTtl: 60, + JwtSvidTtl: 0, + FederatesWith: []string{"spiffe://domaina.test", "spiffe://domainb.test"}, + Admin: true, + ExpiresAt: 1552410266, + DnsNames: []string{"unu1000", "ung1000"}, + Downstream: true, } fakeRespOKFromFile := &entryv1.BatchUpdateEntryResponse{ 
@@ -164,6 +186,21 @@ func TestUpdate(t *testing.T) { args: []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "-10"}, expErr: "Error: a positive TTL is required\n", }, + { + name: "Invalid TTL and X509SvidTtl", + args: []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20"}, + expErr: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", + }, + { + name: "Invalid TTL and JwtSvidTtl", + args: []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-jwtSVIDTTL", "20"}, + expErr: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", + }, + { + name: "Invalid TTL and both X509SvidTtl and JwtSvidTtl", + args: []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20", "-jwtSVIDTTL", "30"}, + expErr: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", + }, { name: "Server error", args: []string{"-entryID", "entry-id", "-spiffeID", "spiffe://example.org/workload", "-parentID", "spiffe://example.org/parent", "-selector", "unix:uid:1"}, @@ -186,7 +223,8 @@ func TestUpdate(t *testing.T) { "-parentID", "spiffe://example.org/parent", "-selector", "zebra:zebra:2000", "-selector", "alpha:alpha:2000", - "-ttl", "60", + "-x509SVIDTTL", "60", + "-jwtSVIDTTL", "30", "-federatesWith", "spiffe://domaina.test", "-federatesWith", "spiffe://domainb.test", "-admin", 
@@ -204,7 +242,47 @@ SPIFFE ID : spiffe://example.org/workload Parent ID : spiffe://example.org/parent Revision : 0 Downstream : true -TTL : 60 +X509-SVID TTL : 60 +JWT-SVID TTL : 30 +Expiration time : %s +Selector : zebra:zebra:2000 +Selector : alpha:alpha:2000 +FederatesWith : spiffe://domaina.test +FederatesWith : spiffe://domainb.test +DNS name : unu1000 +DNS name : ung1000 +Admin : true + +`, time.Unix(1552410266, 0).UTC()), + }, + { + name: "Update succeeds using deprecated command line arguments", + args: []string{ + "-entryID", "entry-id", + "-spiffeID", "spiffe://example.org/workload", + "-parentID", "spiffe://example.org/parent", + "-selector", "zebra:zebra:2000", + "-selector", "alpha:alpha:2000", + "-ttl", "60", + "-federatesWith", "spiffe://domaina.test", + "-federatesWith", "spiffe://domainb.test", + "-admin", + "-entryExpiry", "1552410266", + "-dns", "unu1000", + "-dns", "ung1000", + "-downstream", + }, + expReq: &entryv1.BatchUpdateEntryRequest{ + Entries: []*types.Entry{entry5}, + }, + fakeResp: fakeRespOKFromCmd, + expOut: fmt.Sprintf(`Entry ID : entry-id +SPIFFE ID : spiffe://example.org/workload +Parent ID : spiffe://example.org/parent +Revision : 0 +Downstream : true +X509-SVID TTL : 60 +JWT-SVID TTL : 30 Expiration time : %s Selector : zebra:zebra:2000 Selector : alpha:alpha:2000 @@ -224,7 +302,8 @@ Admin : true "-parentID", "spiffe://example.org/parent", "-selector", "type:key1:value", "-selector", "type:key2:value", - "-ttl", "60", + "-x509SVIDTTL", "60", + "-jwtSVIDTTL", "30", "-federatesWith", "spiffe://domaina.test", "-federatesWith", "spiffe://domainb.test", "-entryExpiry", "1552410266", @@ -250,7 +329,8 @@ Admin : true SPIFFE ID : spiffe://example.org/workload Parent ID : spiffe://example.org/parent Revision : 0 -TTL : 60 +X509-SVID TTL : 60 +JWT-SVID TTL : 30 Expiration time : %s Selector : type:key1:value Selector : type:key2:value 
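Review bot: The "Update succeeds using deprecated command line arguments" case expects `JWT-SVID TTL : 30` in the output even though the request it sends (`entry5`) has `JwtSvidTtl: 0`; the 30 appears to come from the reused `fakeRespOKFromCmd`, whose definition is outside this hunk. The matching create test uses a dedicated `fakeRespOKFromCmd2` and expects `JWT-SVID TTL : default`, which reads as the intended result of a lone `-ttl`. A response fixture built from `entry5` would make the expected output reflect the deprecated path instead of an unrelated fixture.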
@@ -275,7 +355,8 @@ StoreSvid : true SPIFFE ID : spiffe://example.org/Blog Parent ID : spiffe://example.org/spire/agent/join_token/TokenBlog Revision : 0 -TTL : 200 +X509-SVID TTL : 200 +JWT-SVID TTL : 300 Selector : unix:uid:1111 Admin : true @@ -283,14 +364,16 @@ Entry ID : entry-id-2 SPIFFE ID : spiffe://example.org/Database Parent ID : spiffe://example.org/spire/agent/join_token/TokenDatabase Revision : 0 -TTL : 200 +X509-SVID TTL : 200 +JWT-SVID TTL : 300 Selector : unix:uid:1111 Entry ID : entry-id-3 SPIFFE ID : spiffe://example.org/Storesvid Parent ID : spiffe://example.org/spire/agent/join_token/TokenDatabase Revision : 0 -TTL : 200 +X509-SVID TTL : 200 +JWT-SVID TTL : 300 Selector : type:key1:value Selector : type:key2:value StoreSvid : true @@ -314,7 +397,8 @@ Entry ID : non-existent-id SPIFFE ID : spiffe://example.org/workload Parent ID : spiffe://example.org/parent Revision : 0 -TTL : default +X509-SVID TTL : default +JWT-SVID TTL : default Selector : unix:uid:1 Error: failed to update one or more entries diff --git a/cmd/spire-server/cli/entry/util.go b/cmd/spire-server/cli/entry/util.go index 5d84cb68b5..c535facc83 100644 --- a/cmd/spire-server/cli/entry/util.go +++ b/cmd/spire-server/cli/entry/util.go @@ -23,10 +23,16 @@ func printEntry(e *types.Entry, printf func(string, ...interface{}) error) { _ = printf("Downstream : %t\n", e.Downstream) } - if e.Ttl == 0 { - _ = printf("TTL : default\n") + if e.X509SvidTtl == 0 { + _ = printf("X509-SVID TTL : default\n") } else { - _ = printf("TTL : %d\n", e.Ttl) + _ = printf("X509-SVID TTL : %d\n", e.X509SvidTtl) + } + + if e.JwtSvidTtl == 0 { + _ = printf("JWT-SVID TTL : default\n") + } else { + _ = printf("JWT-SVID TTL : %d\n", e.JwtSvidTtl) } if e.ExpiresAt != 0 { diff --git a/cmd/spire-server/cli/entry/util_posix_test.go b/cmd/spire-server/cli/entry/util_posix_test.go index 8052dbbd5f..f0346f3fad 100644 --- a/cmd/spire-server/cli/entry/util_posix_test.go +++ b/cmd/spire-server/cli/entry/util_posix_test.go 
@@ -17,6 +17,8 @@ const ( An expiry, from epoch in seconds, for the resulting registration entry to be pruned -federatesWith value SPIFFE ID of a trust domain to federate with. Can be used more than once + -jwtSVIDTTL int + The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag -node If set, this entry will be applied to matching nodes rather than workloads -parentID string @@ -30,7 +32,9 @@ const ( -storeSVID A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin -ttl int - The lifetime, in seconds, for SVIDs issued based on this registration entry + The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version + -x509SVIDTTL int + The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag ` showUsage = `Usage of entry show: -downstream @@ -67,6 +71,8 @@ const ( The Registration Entry ID of the record to update -federatesWith value SPIFFE ID of a trust domain to federate with. Can be used more than once + -jwtSVIDTTL int + The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag -parentID string The SPIFFE ID of this record's parent -selector value @@ -78,6 +84,8 @@ const ( -storeSVID A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin -ttl int - The lifetime, in seconds, for SVIDs issued based on this registration entry + The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version + -x509SVIDTTL int + The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag ` ) 
diff --git a/cmd/spire-server/cli/entry/util_test.go b/cmd/spire-server/cli/entry/util_test.go index 774d599acf..ead0d84168 100644 --- a/cmd/spire-server/cli/entry/util_test.go +++ b/cmd/spire-server/cli/entry/util_test.go @@ -69,10 +69,11 @@ func TestParseEntryJSON(t *testing.T) { Value: "uid:1111", }, }, - SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/Blog"}, - ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenBlog"}, - Ttl: 200, - Admin: true, + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/Blog"}, + ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenBlog"}, + X509SvidTtl: 200, + JwtSvidTtl: 30, + Admin: true, } entry2 := &types.Entry{ Selectors: []*types.Selector{ @@ -81,9 +82,10 @@ func TestParseEntryJSON(t *testing.T) { Value: "uid:1111", }, }, - SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/Database"}, - ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenDatabase"}, - Ttl: 200, + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/Database"}, + ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenDatabase"}, + X509SvidTtl: 200, + JwtSvidTtl: 30, } entry3 := &types.Entry{ Selectors: []*types.Selector{ @@ -96,10 +98,11 @@ func TestParseEntryJSON(t *testing.T) { Value: "key2:value", }, }, - SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/storesvid"}, - ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenDatabase"}, - StoreSvid: true, - Ttl: 200, + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/storesvid"}, + ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenDatabase"}, + StoreSvid: true, + X509SvidTtl: 200, + JwtSvidTtl: 30, } expectedEntries := []*types.Entry{ 
diff --git a/cmd/spire-server/cli/entry/util_windows_test.go b/cmd/spire-server/cli/entry/util_windows_test.go index 2a99c42bce..fba038c055 100644 --- a/cmd/spire-server/cli/entry/util_windows_test.go +++ b/cmd/spire-server/cli/entry/util_windows_test.go @@ -17,6 +17,8 @@ const ( An expiry, from epoch in seconds, for the resulting registration entry to be pruned -federatesWith value SPIFFE ID of a trust domain to federate with. Can be used more than once + -jwtSVIDTTL int + The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -node @@ -30,7 +32,9 @@ const ( -storeSVID A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin -ttl int - The lifetime, in seconds, for SVIDs issued based on this registration entry + The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version + -x509SVIDTTL int + The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag ` showUsage = `Usage of entry show: -downstream @@ -67,6 +71,8 @@ const ( The Registration Entry ID of the record to update -federatesWith value SPIFFE ID of a trust domain to federate with. Can be used more than once + -jwtSVIDTTL int + The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -parentID string 
@@ -78,6 +84,8 @@ const ( -storeSVID A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin -ttl int - The lifetime, in seconds, for SVIDs issued based on this registration entry + The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version + -x509SVIDTTL int + The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag ` ) diff --git a/cmd/spire-server/cli/run/run.go b/cmd/spire-server/cli/run/run.go index 5dd506b8d3..5dfa4d42b3 100644 --- a/cmd/spire-server/cli/run/run.go +++ b/cmd/spire-server/cli/run/run.go 
@@ -65,23 +65,25 @@ type Config struct { } type serverConfig struct { - AdminIDs []string `hcl:"admin_ids"` - AgentTTL string `hcl:"agent_ttl"` - AuditLogEnabled bool `hcl:"audit_log_enabled"` - BindAddress string `hcl:"bind_address"` - BindPort int `hcl:"bind_port"` - CAKeyType string `hcl:"ca_key_type"` - CASubject *caSubjectConfig `hcl:"ca_subject"` - CATTL string `hcl:"ca_ttl"` - DataDir string `hcl:"data_dir"` - DefaultSVIDTTL string `hcl:"default_svid_ttl"` - Experimental experimentalConfig `hcl:"experimental"` - Federation *federationConfig `hcl:"federation"` - JWTIssuer string `hcl:"jwt_issuer"` - JWTKeyType string `hcl:"jwt_key_type"` - LogFile string `hcl:"log_file"` - LogLevel string `hcl:"log_level"` - LogFormat string `hcl:"log_format"` + AdminIDs []string `hcl:"admin_ids"` + AgentTTL string `hcl:"agent_ttl"` + AuditLogEnabled bool `hcl:"audit_log_enabled"` + BindAddress string `hcl:"bind_address"` + BindPort int `hcl:"bind_port"` + CAKeyType string `hcl:"ca_key_type"` + CASubject *caSubjectConfig `hcl:"ca_subject"` + CATTL string `hcl:"ca_ttl"` + DataDir string `hcl:"data_dir"` + DefaultSVIDTTL string `hcl:"default_svid_ttl"` + DefaultX509SVIDTTL string `hcl:"default_x509_svid_ttl"` + DefaultJWTSVIDTTL string `hcl:"default_jwt_svid_ttl"` + Experimental experimentalConfig `hcl:"experimental"` + Federation *federationConfig `hcl:"federation"` + JWTIssuer string `hcl:"jwt_issuer"` + JWTKeyType string `hcl:"jwt_key_type"` + LogFile string `hcl:"log_file"` + LogLevel string `hcl:"log_level"` + LogFormat string `hcl:"log_format"` // Deprecated: remove in SPIRE 1.6.0 OmitX509SVIDUID *bool `hcl:"omit_x509svid_uid"` RateLimit rateLimitConfig `hcl:"ratelimit"` 
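Review bot: `DefaultSVIDTTL` stays in `serverConfig` next to the two new fields with nothing marking it as deprecated, although `NewServerConfig` now logs a deprecation warning for `default_svid_ttl`. A comment above the field, in the style already used for `OmitX509SVIDUID` just below, would keep the struct self-explanatory: `// Deprecated: use DefaultX509SVIDTTL and DefaultJWTSVIDTTL instead`. The struct continues past the end of this hunk.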
@@ -467,12 +469,36 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool sc.AgentTTL = ttl } - if c.Server.DefaultSVIDTTL != "" { + if c.Server.DefaultX509SVIDTTL != "" { + ttl, err := time.ParseDuration(c.Server.DefaultX509SVIDTTL) + if err != nil { + return nil, fmt.Errorf("could not parse default X509 SVID ttl %q: %w", c.Server.DefaultX509SVIDTTL, err) + } + sc.X509SVIDTTL = ttl + + if sc.X509SVIDTTL != 0 && c.Server.DefaultSVIDTTL != "" { + logger.Warnf("both default_x509_svid_ttl and default_svid_ttl are configured; default_x509_svid_ttl (%s) will be used for X509-SVIDs", c.Server.DefaultX509SVIDTTL) + } + } else if c.Server.DefaultSVIDTTL != "" { + logger.Warn("field default_svid_ttl is deprecated; consider using default_x509_svid_ttl and default_jwt_svid_ttl instead") + ttl, err := time.ParseDuration(c.Server.DefaultSVIDTTL) if err != nil { return nil, fmt.Errorf("could not parse default SVID ttl %q: %w", c.Server.DefaultSVIDTTL, err) } - sc.SVIDTTL = ttl + sc.X509SVIDTTL = ttl + } + + if c.Server.DefaultJWTSVIDTTL != "" { + ttl, err := time.ParseDuration(c.Server.DefaultJWTSVIDTTL) + if err != nil { + return nil, fmt.Errorf("could not parse default JWT SVID ttl %q: %w", c.Server.DefaultJWTSVIDTTL, err) + } + sc.JWTSVIDTTL = ttl + + if sc.JWTSVIDTTL != 0 && c.Server.DefaultSVIDTTL != "" { + logger.Warnf("both default_jwt_svid_ttl and default_svid_ttl are configured; default_jwt_svid_ttl (%s) will be used for JWT-SVIDs", c.Server.DefaultJWTSVIDTTL) + } } if c.Server.CATTL != "" { 
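Review bot: The `else if c.Server.DefaultSVIDTTL != ""` branch looks unreachable for a config that sets only the deprecated `default_svid_ttl`, because the `defaultConfig()` hunk further down now pre-populates `DefaultX509SVIDTTL` and `DefaultJWTSVIDTTL` with non-empty values. If the file config is merged over those defaults, such a deployment would issue X509-SVIDs with the built-in lifetime rather than the one the operator configured, and the only signal would be the "both ... are configured" warning, which does not describe that situation. The updated cases in run_test.go blank both new fields before setting `DefaultSVIDTTL`, which points the same way. Consider leaving the two new fields empty in `defaultConfig()` and applying `ca.DefaultX509SVIDTTL` / `ca.DefaultJWTSVIDTTL` only when neither the new nor the deprecated key is set. `NewServerConfig` starts and ends outside this hunk.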
@@ -485,43 +511,57 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool // If the configured TTLs can lead to surprises, then do our best to log an // accurate message and guide the user to resolution - if !hasCompatibleTTLs(sc.CATTL, sc.SVIDTTL) { - msgCATTLTooSmall := fmt.Sprintf( - "The default_svid_ttl is too high for the configured ca_ttl value. "+ - "SVIDs with shorter lifetimes may be issued. "+ - "Please set the default_svid_ttl to %v or less, or the ca_ttl to %v or more, "+ - "to guarantee the full default_svid_ttl lifetime when CA rotations are scheduled.", - printMaxSVIDTTL(sc.CATTL), printMinCATTL(sc.SVIDTTL), - ) - msgSVIDTTLTooLargeAndCATTLTooSmall := fmt.Sprintf( - "The default_svid_ttl is too high and the ca_ttl is too low. "+ - "SVIDs with shorter lifetimes may be issued. "+ - "Please set the default_svid_ttl to %v or less, and the ca_ttl to %v or more, "+ - "to guarantee the full default_svid_ttl lifetime when CA rotations are scheduled.", - printDuration(ca.MaxSVIDTTL()), printMinCATTL(ca.MaxSVIDTTL()), - ) - msgSVIDTTLTooLarge := fmt.Sprintf( - "The default_svid_ttl is too high. "+ - "SVIDs with shorter lifetimes may be issued. "+ - "Please set the default_svid_ttl to %v or less "+ - "to guarantee the full default_svid_ttl lifetime when CA rotations are scheduled.", - printMaxSVIDTTL(sc.CATTL), - ) + ttlChecks := []struct { + name string + ttl time.Duration + }{ + { + name: "default_x509_svid_ttl (or deprecated default_svid_ttl)", + ttl: sc.X509SVIDTTL, + }, + { + name: "default_jwt_svid_ttl", + ttl: sc.JWTSVIDTTL, + }, + } - switch { - case sc.SVIDTTL < ca.MaxSVIDTTL(): - // The SVID TTL is smaller than our cap, but the CA TTL - // is not large enough to accommodate it - sc.Log.Warn(msgCATTLTooSmall) - case sc.CATTL < ca.MinCATTLForSVIDTTL(ca.MaxSVIDTTL()): - // The SVID TTL is larger than our cap, it needs to be - // decreased no matter what. 
Additionally, the CA TTL is - // too small to accommodate the maximum SVID TTL. - sc.Log.Warn(msgSVIDTTLTooLargeAndCATTLTooSmall) - default: - // The SVID TTL is larger than our cap and needs to be - // decreased. - sc.Log.Warn(msgSVIDTTLTooLarge) + for _, ttlCheck := range ttlChecks { + if !hasCompatibleTTL(sc.CATTL, ttlCheck.ttl) { + var message string + + switch { + case ttlCheck.ttl < ca.MaxSVIDTTL(): + // TTL is smaller than our cap, but the CA TTL + // is not large enough to accommodate it + message = fmt.Sprintf("%s is too high for the configured "+ + "ca_ttl value. SVIDs with shorter lifetimes may "+ + "be issued. Please set %s to %v or less, or the ca_ttl "+ + "to %v or more, to guarantee the full %s lifetime "+ + "when CA rotations are scheduled.", + ttlCheck.name, ttlCheck.name, printMaxSVIDTTL(sc.CATTL), printMinCATTL(ttlCheck.ttl), ttlCheck.name, + ) + case sc.CATTL < ca.MinCATTLForSVIDTTL(ca.MaxSVIDTTL()): + // TTL is larger than our cap, it needs to be + // decreased no matter what. Additionally, the CA TTL is + // too small to accommodate the maximum SVID TTL. + message = fmt.Sprintf("%s is too high and "+ + "the ca_ttl is too low. SVIDs with shorter lifetimes "+ + "may be issued. Please set %s to %v or less, and the "+ + "ca_ttl to %v or more, to guarantee the full %s "+ + "lifetime when CA rotations are scheduled.", + ttlCheck.name, ttlCheck.name, printDuration(ca.MaxSVIDTTL()), printMinCATTL(ca.MaxSVIDTTL()), ttlCheck.name, + ) + default: + // TTL is larger than our cap and needs to be + // decreased. + message = fmt.Sprintf("%s is too high. SVIDs with shorter "+ + "lifetimes may be issued. Please set %s to %v or less "+ + "to guarantee the full %s lifetime when CA rotations "+ + "are scheduled.", + ttlCheck.name, ttlCheck.name, printMaxSVIDTTL(sc.CATTL), ttlCheck.name, + ) + } + sc.Log.Warn(message) } } 
@@ -791,13 +831,14 @@ func checkForUnknownConfig(c *Config, l logrus.FieldLogger) (err error) { func defaultConfig() *Config { return &Config{ Server: &serverConfig{ - BindAddress: "0.0.0.0", - BindPort: 8081, - CATTL: ca.DefaultCATTL.String(), - LogLevel: defaultLogLevel, - LogFormat: log.DefaultFormat, - DefaultSVIDTTL: ca.DefaultX509SVIDTTL.String(), - Experimental: experimentalConfig{}, + BindAddress: "0.0.0.0", + BindPort: 8081, + CATTL: ca.DefaultCATTL.String(), + LogLevel: defaultLogLevel, + LogFormat: log.DefaultFormat, + DefaultX509SVIDTTL: ca.DefaultX509SVIDTTL.String(), + DefaultJWTSVIDTTL: ca.DefaultJWTSVIDTTL.String(), + Experimental: experimentalConfig{}, }, } } @@ -817,11 +858,12 @@ func keyTypeFromString(s string) (keymanager.KeyType, error) { } } -// hasCompatibleTTLs checks if we can guarantee the configured SVID TTL given the -// configurd CA TTL. If we detect that a new SVIDs TTL may be cut short due to -// a scheduled CA rotation, this function will return false. -func hasCompatibleTTLs(caTTL, svidTTL time.Duration) bool { - return ca.MaxSVIDTTLForCATTL(caTTL) >= svidTTL +// hasCompatibleTTL checks if we can guarantee the configured SVID TTL given the +// configurd CA TTL. If we detect that a new SVID TTL may be cut short due to +// a scheduled CA rotation, this function will return false. This method should +// be called for each SVID TTL we may use +func hasCompatibleTTL(caTTL time.Duration, svidTTL time.Duration) bool { + return svidTTL <= ca.MaxSVIDTTLForCATTL(caTTL) } // printMaxSVIDTTL calculates the display string for a sufficiently short SVID TTL diff --git a/cmd/spire-server/cli/run/run_test.go b/cmd/spire-server/cli/run/run_test.go index 044e057c62..9c5292728c 100644 --- a/cmd/spire-server/cli/run/run_test.go +++ b/cmd/spire-server/cli/run/run_test.go 
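Review bot: Pre-populating `DefaultX509SVIDTTL` and `DefaultJWTSVIDTTL` in `defaultConfig` may mask a deprecated `default_svid_ttl` set by the operator. The test changes later in this commit blank both new fields before exercising `default_svid_ttl`, which suggests precedence is decided by a non-empty check. With these defaults, a config that sets only `default_svid_ttl` to a short lifetime could silently run with the documented 1h/5m defaults and issue longer-lived SVIDs than intended. The precedence code is not visible here, so please confirm. If it holds, leave the two fields empty here and apply `ca.DefaultX509SVIDTTL` / `ca.DefaultJWTSVIDTTL` only after the deprecated key has been considered.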
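Review bot: The rewritten doc comment on `hasCompatibleTTL` keeps the typo `configurd`, calls the function a "method", and ends without a period. Suggested wording for the affected lines: `// configured CA TTL. If we detect that a new SVID TTL may be cut short due to` and `// a scheduled CA rotation, this function will return false. Call it once for each SVID TTL in use.`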
@@ -355,12 +355,34 @@ func TestMergeInput(t *testing.T) { msg: "default_svid_ttl should be configurable by file", fileInput: func(c *Config) { c.Server.DefaultSVIDTTL = "1h" + c.Server.DefaultX509SVIDTTL = "" + c.Server.DefaultJWTSVIDTTL = "" }, cliFlags: []string{}, test: func(t *testing.T, c *Config) { require.Equal(t, "1h", c.Server.DefaultSVIDTTL) }, }, + { + msg: "default_x509_svid_ttl should be configurable by file", + fileInput: func(c *Config) { + c.Server.DefaultX509SVIDTTL = "2h" + }, + cliFlags: []string{}, + test: func(t *testing.T, c *Config) { + require.Equal(t, "2h", c.Server.DefaultX509SVIDTTL) + }, + }, + { + msg: "default_jwt_svid_ttl should be configurable by file", + fileInput: func(c *Config) { + c.Server.DefaultJWTSVIDTTL = "3h" + }, + cliFlags: []string{}, + test: func(t *testing.T, c *Config) { + require.Equal(t, "3h", c.Server.DefaultJWTSVIDTTL) + }, + }, { msg: "trust_domain should not have a default value", fileInput: func(c *Config) {}, @@ -617,9 +639,29 @@ func TestNewServerConfig(t *testing.T) { msg: "default_svid_ttl is correctly parsed", input: func(c *Config) { c.Server.DefaultSVIDTTL = "1m" + c.Server.DefaultX509SVIDTTL = "" + c.Server.DefaultJWTSVIDTTL = "" + }, + test: func(t *testing.T, c *server.Config) { + require.Equal(t, time.Minute, c.X509SVIDTTL) + }, + }, + { + msg: "default_x509_svid_ttl is correctly parsed", + input: func(c *Config) { + c.Server.DefaultX509SVIDTTL = "2m" + }, + test: func(t *testing.T, c *server.Config) { + require.Equal(t, 2*time.Minute, c.X509SVIDTTL) + }, + }, + { + msg: "default_jwt_svid_ttl is correctly parsed", + input: func(c *Config) { + c.Server.DefaultJWTSVIDTTL = "3m" }, test: func(t *testing.T, c *server.Config) { - require.Equal(t, time.Minute, c.SVIDTTL) + require.Equal(t, 3*time.Minute, c.JWTSVIDTTL) }, }, { 
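Review bot: None of the new TestNewServerConfig cases sets the deprecated `default_svid_ttl` together with one of the new keys, so the documented override order is untested. The deprecated-key case here is only exercised after blanking both new fields. A case that sets both and asserts that the new key wins would pin the precedence that decides the issued SVID lifetime. The expected value below follows the documentation table in this commit and should be checked against the implementation, which is outside this hunk.

```go
// … unchanged: existing default_svid_ttl and default_x509_svid_ttl cases …
{
	msg: "default_x509_svid_ttl overrides deprecated default_svid_ttl",
	input: func(c *Config) {
		c.Server.DefaultSVIDTTL = "1m"
		c.Server.DefaultX509SVIDTTL = "2m"
	},
	test: func(t *testing.T, c *server.Config) {
		require.Equal(t, 2*time.Minute, c.X509SVIDTTL)
	},
},
```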
@@ -627,6 +669,28 @@ func TestNewServerConfig(t *testing.T) { expectError: true, input: func(c *Config) { c.Server.DefaultSVIDTTL = "b" + c.Server.DefaultX509SVIDTTL = "" + c.Server.DefaultJWTSVIDTTL = "" + }, + test: func(t *testing.T, c *server.Config) { + require.Nil(t, c) + }, + }, + { + msg: "invalid default_x509_svid_ttl returns an error", + expectError: true, + input: func(c *Config) { + c.Server.DefaultX509SVIDTTL = "b" + }, + test: func(t *testing.T, c *server.Config) { + require.Nil(t, c) + }, + }, + { + msg: "invalid default_jwt_svid_ttl returns an error", + expectError: true, + input: func(c *Config) { + c.Server.DefaultJWTSVIDTTL = "b" }, test: func(t *testing.T, c *server.Config) { require.Nil(t, c) 
@@ -1382,64 +1446,234 @@ func TestLogOptions(t *testing.T) { func TestHasCompatibleTTLs(t *testing.T) { cases := []struct { - msg string - caTTL time.Duration - svidTTL time.Duration - hasCompatibleTTLs bool + msg string + caTTL time.Duration + svidTTL time.Duration + x509SvidTTL time.Duration + jwtSvidTTL time.Duration + hasCompatibleSvidTTL bool + hasCompatibleX509SvidTTL bool + hasCompatibleJwtSvidTTL bool }{ { - msg: "Both values are default values", - caTTL: 0, - svidTTL: 0, - hasCompatibleTTLs: true, - }, - { - msg: "ca_ttl is large enough for the default SVID TTL", - caTTL: time.Hour * 7, - svidTTL: 0, - hasCompatibleTTLs: true, - }, - { - msg: "ca_ttl is not large enough for the default SVID TTL", - caTTL: time.Minute * 1, - svidTTL: 0, - hasCompatibleTTLs: false, - }, - { - msg: "default_svid_ttl is small enough for the default CA TTL", - caTTL: 0, - svidTTL: time.Hour * 3, - hasCompatibleTTLs: true, - }, - { - msg: "default_svid_ttl is not small enough for the default CA TTL", - caTTL: 0, - svidTTL: time.Hour * 24, - hasCompatibleTTLs: false, - }, - { - msg: "default_svid_ttl is small enough for the configured CA TTL", - caTTL: time.Hour * 24, - svidTTL: time.Hour * 1, - hasCompatibleTTLs: true, - }, - { - msg: "default_svid_ttl is not small enough for the configured CA TTL", - caTTL: time.Hour * 24, - svidTTL: time.Hour * 23, - hasCompatibleTTLs: false, - }, - { - msg: "default_svid_ttl is larger than the configured CA TTL", - caTTL: time.Hour * 24, - svidTTL: time.Hour * 25, - hasCompatibleTTLs: false, - }, - { - msg: "default_svid_ttl is small enough for the configured CA TTL but larger than the max", - caTTL: time.Hour * 24 * 7 * 4 * 6, // Six months - svidTTL: time.Hour * 24 * 7 * 2, // Two weeks - hasCompatibleTTLs: false, + msg: "All values are default values", + caTTL: 0, + svidTTL: 0, + x509SvidTTL: 0, + jwtSvidTTL: 0, + hasCompatibleSvidTTL: true, + hasCompatibleX509SvidTTL: true, + hasCompatibleJwtSvidTTL: true, + }, + { + msg: "ca_ttl is large 
enough for all default SVID TTL", + caTTL: time.Hour * 7, + svidTTL: 0, + x509SvidTTL: 0, + jwtSvidTTL: 0, + hasCompatibleSvidTTL: true, + hasCompatibleX509SvidTTL: true, + hasCompatibleJwtSvidTTL: true, + }, + { + msg: "ca_ttl is not large enough for the default SVID TTL", + caTTL: time.Minute * 1, + svidTTL: 0, + x509SvidTTL: 0, + jwtSvidTTL: 0, + hasCompatibleSvidTTL: false, + hasCompatibleX509SvidTTL: false, + hasCompatibleJwtSvidTTL: false, + }, + { + msg: "default_svid_ttl is small enough for the default CA TTL", + caTTL: 0, + svidTTL: time.Hour * 3, + x509SvidTTL: 0, + jwtSvidTTL: 0, + hasCompatibleSvidTTL: true, + hasCompatibleX509SvidTTL: true, + hasCompatibleJwtSvidTTL: true, + }, + { + msg: "default_svid_ttl is not small enough for the default CA TTL", + caTTL: 0, + svidTTL: time.Hour * 24, + x509SvidTTL: 0, + jwtSvidTTL: 0, + hasCompatibleSvidTTL: false, + hasCompatibleX509SvidTTL: true, + hasCompatibleJwtSvidTTL: true, + }, + { + msg: "default_svid_ttl is small enough for the configured CA TTL", + caTTL: time.Hour * 24, + svidTTL: time.Hour * 1, + x509SvidTTL: 0, + jwtSvidTTL: 0, + hasCompatibleSvidTTL: true, + hasCompatibleX509SvidTTL: true, + hasCompatibleJwtSvidTTL: true, + }, + { + msg: "default_svid_ttl is not small enough for the configured CA TTL", + caTTL: time.Hour * 24, + svidTTL: time.Hour * 23, + x509SvidTTL: 0, + jwtSvidTTL: 0, + hasCompatibleSvidTTL: false, + hasCompatibleX509SvidTTL: true, + hasCompatibleJwtSvidTTL: true, + }, + { + msg: "default_svid_ttl is larger than the configured CA TTL", + caTTL: time.Hour * 24, + svidTTL: time.Hour * 25, + x509SvidTTL: 0, + jwtSvidTTL: 0, + hasCompatibleSvidTTL: false, + hasCompatibleX509SvidTTL: true, + hasCompatibleJwtSvidTTL: true, + }, + { + msg: "default_svid_ttl is small enough for the configured CA TTL but larger than the max", + caTTL: time.Hour * 24 * 7 * 4 * 6, // Six months + svidTTL: time.Hour * 24 * 7 * 2, // Two weeks + x509SvidTTL: 0, + jwtSvidTTL: 0, + hasCompatibleSvidTTL: false, 
+ hasCompatibleX509SvidTTL: true, + hasCompatibleJwtSvidTTL: true, + }, + { + msg: "default_x509_svid_ttl is small enough for the default CA TTL", + caTTL: 0, + svidTTL: 0, + x509SvidTTL: time.Hour * 3, + jwtSvidTTL: 0, + hasCompatibleSvidTTL: true, + hasCompatibleX509SvidTTL: true, + hasCompatibleJwtSvidTTL: true, + }, + { + msg: "default_x509_svid_ttl is not small enough for the default CA TTL", + caTTL: 0, + svidTTL: 0, + x509SvidTTL: time.Hour * 24, + jwtSvidTTL: 0, + hasCompatibleSvidTTL: true, + hasCompatibleX509SvidTTL: false, + hasCompatibleJwtSvidTTL: true, + }, + { + msg: "default_x509_svid_ttl is small enough for the configured CA TTL", + caTTL: time.Hour * 24, + svidTTL: 0, + x509SvidTTL: time.Hour * 1, + jwtSvidTTL: 0, + hasCompatibleSvidTTL: true, + hasCompatibleX509SvidTTL: true, + hasCompatibleJwtSvidTTL: true, + }, + { + msg: "default_x509_svid_ttl is not small enough for the configured CA TTL", + caTTL: time.Hour * 24, + svidTTL: 0, + x509SvidTTL: time.Hour * 23, + jwtSvidTTL: 0, + hasCompatibleSvidTTL: true, + hasCompatibleX509SvidTTL: false, + hasCompatibleJwtSvidTTL: true, + }, + { + msg: "default_x509_svid_ttl is larger than the configured CA TTL", + caTTL: time.Hour * 24, + svidTTL: 0, + x509SvidTTL: time.Hour * 25, + jwtSvidTTL: 0, + hasCompatibleSvidTTL: true, + hasCompatibleX509SvidTTL: false, + hasCompatibleJwtSvidTTL: true, + }, + { + msg: "default_x509_svid_ttl is small enough for the configured CA TTL but larger than the max", + caTTL: time.Hour * 24 * 7 * 4 * 6, // Six months + svidTTL: 0, + x509SvidTTL: time.Hour * 24 * 7 * 2, // Two weeks, + jwtSvidTTL: 0, + hasCompatibleSvidTTL: true, + hasCompatibleX509SvidTTL: false, + hasCompatibleJwtSvidTTL: true, + }, + { + msg: "default_jwt_svid_ttl is small enough for the default CA TTL", + caTTL: 0, + svidTTL: 0, + x509SvidTTL: 0, + jwtSvidTTL: time.Hour * 3, + hasCompatibleSvidTTL: true, + hasCompatibleX509SvidTTL: true, + hasCompatibleJwtSvidTTL: true, + }, + { + msg: 
"default_jwt_svid_ttl is not small enough for the default CA TTL", + caTTL: 0, + svidTTL: 0, + x509SvidTTL: 0, + jwtSvidTTL: time.Hour * 24, + hasCompatibleSvidTTL: true, + hasCompatibleX509SvidTTL: true, + hasCompatibleJwtSvidTTL: false, + }, + { + msg: "default_jwt_svid_ttl is small enough for the configured CA TTL", + caTTL: time.Hour * 24, + svidTTL: 0, + x509SvidTTL: 0, + jwtSvidTTL: time.Hour * 1, + hasCompatibleSvidTTL: true, + hasCompatibleX509SvidTTL: true, + hasCompatibleJwtSvidTTL: true, + }, + { + msg: "default_jwt_svid_ttl is not small enough for the configured CA TTL", + caTTL: time.Hour * 24, + svidTTL: 0, + x509SvidTTL: 0, + jwtSvidTTL: time.Hour * 23, + hasCompatibleSvidTTL: true, + hasCompatibleX509SvidTTL: true, + hasCompatibleJwtSvidTTL: false, + }, + { + msg: "default_jwt_svid_ttl is larger than the configured CA TTL", + caTTL: time.Hour * 24, + svidTTL: 0, + x509SvidTTL: 0, + jwtSvidTTL: time.Hour * 25, + hasCompatibleSvidTTL: true, + hasCompatibleX509SvidTTL: true, + hasCompatibleJwtSvidTTL: false, + }, + { + msg: "default_jwt_svid_ttl is small enough for the configured CA TTL but larger than the max", + caTTL: time.Hour * 24 * 7 * 4 * 6, // Six months + svidTTL: 0, + x509SvidTTL: 0, + jwtSvidTTL: time.Hour * 24 * 7 * 2, // Two weeks,, + hasCompatibleSvidTTL: true, + hasCompatibleX509SvidTTL: true, + hasCompatibleJwtSvidTTL: false, + }, + { + msg: "all default svid_ttls are small enough for the configured CA TTL", + caTTL: time.Hour * 24, + svidTTL: time.Hour * 1, + x509SvidTTL: time.Hour * 1, + jwtSvidTTL: time.Hour * 1, + hasCompatibleSvidTTL: true, + hasCompatibleX509SvidTTL: true, + hasCompatibleJwtSvidTTL: true, }, } 
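Review bot: Each row of this table now carries three TTL inputs and three expected booleans, but every assertion in the following hunk calls the same `hasCompatibleTTL(caTTL, ttl)`. `svidTTL` and `x509SvidTTL` both default to `ca.DefaultX509SVIDTTL`, so the x509 rows repeat the svid rows without covering new behaviour. A row shape of `caTTL`, `ttl`, `want`, with the JWT default passed explicitly where needed, would test the same cases with far fewer fields to keep in sync. The comments `// Two weeks,` and `// Two weeks,,` also carry stray commas.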
@@ -1451,9 +1685,17 @@ func TestHasCompatibleTTLs(t *testing.T) { if testCase.svidTTL == 0 { testCase.svidTTL = ca.DefaultX509SVIDTTL } + if testCase.x509SvidTTL == 0 { + testCase.x509SvidTTL = ca.DefaultX509SVIDTTL + } + if testCase.jwtSvidTTL == 0 { + testCase.jwtSvidTTL = ca.DefaultJWTSVIDTTL + } t.Run(testCase.msg, func(t *testing.T) { - require.Equal(t, testCase.hasCompatibleTTLs, hasCompatibleTTLs(testCase.caTTL, testCase.svidTTL)) + require.Equal(t, testCase.hasCompatibleSvidTTL, hasCompatibleTTL(testCase.caTTL, testCase.svidTTL)) + require.Equal(t, testCase.hasCompatibleX509SvidTTL, hasCompatibleTTL(testCase.caTTL, testCase.x509SvidTTL)) + require.Equal(t, testCase.hasCompatibleJwtSvidTTL, hasCompatibleTTL(testCase.caTTL, testCase.jwtSvidTTL)) }) } } 
@@ -1498,39 +1740,85 @@ func TestMaxSVIDTTL(t *testing.T) { func TestMinCATTL(t *testing.T) { for _, v := range []struct { - svidTTL time.Duration - expect string + x509SVIDTTL time.Duration + jwtSVIDTTL time.Duration + expect string }{ { - svidTTL: 10 * time.Second, - expect: "1m", + x509SVIDTTL: 10 * time.Second, + jwtSVIDTTL: 1 * time.Second, + expect: "1m", + }, + { + x509SVIDTTL: 15 * time.Second, + jwtSVIDTTL: 1 * time.Second, + expect: "1m30s", + }, + { + x509SVIDTTL: 10 * time.Minute, + jwtSVIDTTL: 1 * time.Second, + expect: "1h", + }, + { + x509SVIDTTL: 22 * time.Minute, + jwtSVIDTTL: 1 * time.Second, + expect: "2h12m", }, { - svidTTL: 15 * time.Second, - expect: "1m30s", + x509SVIDTTL: 24 * time.Hour, + jwtSVIDTTL: 1 * time.Second, + expect: "144h", }, { - svidTTL: 10 * time.Minute, - expect: "1h", + x509SVIDTTL: 0, + jwtSVIDTTL: 1 * time.Second, + expect: "6h", + }, + + { + x509SVIDTTL: 1 * time.Second, + jwtSVIDTTL: 10 * time.Second, + expect: "1m", + }, + { + x509SVIDTTL: 1 * time.Second, + jwtSVIDTTL: 15 * time.Second, + expect: "1m30s", }, { - svidTTL: 22 * time.Minute, - expect: "2h12m", + x509SVIDTTL: 1 * time.Second, + jwtSVIDTTL: 10 * time.Minute, + expect: "1h", }, { - svidTTL: 24 * time.Hour, - expect: "144h", + x509SVIDTTL: 1 * time.Second, + jwtSVIDTTL: 22 * time.Minute, + expect: "2h12m", }, { - svidTTL: 0, - expect: "6h", + x509SVIDTTL: 1 * time.Second, + jwtSVIDTTL: 24 * time.Hour, + expect: "144h", + }, + { + x509SVIDTTL: 1 * time.Second, + jwtSVIDTTL: 0, + expect: "30m", }, } { - if v.svidTTL == 0 { - v.svidTTL = ca.DefaultX509SVIDTTL + if v.x509SVIDTTL == 0 { + v.x509SVIDTTL = ca.DefaultX509SVIDTTL + } + if v.jwtSVIDTTL == 0 { + v.jwtSVIDTTL = ca.DefaultJWTSVIDTTL } - assert.Equal(t, v.expect, printMinCATTL(v.svidTTL)) + // The expected value is the MinCATTL calculated from the largest of the available TTLs + if v.x509SVIDTTL > v.jwtSVIDTTL { + assert.Equal(t, v.expect, printMinCATTL(v.x509SVIDTTL)) + } else { + assert.Equal(t, 
v.expect, printMinCATTL(v.jwtSVIDTTL)) + } } } diff --git a/doc/SPIRE101.md b/doc/SPIRE101.md index d0d2ebeea2..79e50533e8 100644 --- a/doc/SPIRE101.md +++ b/doc/SPIRE101.md 
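Review bot: The `if v.x509SVIDTTL > v.jwtSVIDTTL` branch at the end of TestMinCATTL picks the larger TTL inside the test itself. The "largest of the available TTLs" rule in the comment therefore exists only in the test, since `printMinCATTL` still takes a single duration. The second field adds no coverage: each row could keep one `ttl` and call `assert.Equal(t, v.expect, printMinCATTL(v.ttl))`. If production code is meant to size `ca_ttl` from the larger of the two SVID TTLs, that selection needs its own function and test.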
@@ -53,52 +53,51 @@ If you don't already have Docker installed, please follow these [installation in ./bin/spire-server entry --help -6. View the SPIRE Server configuration file. - - cat conf/server/server.conf - - The default SPIRE Server configurations are shown below. A detailed description of each of the SPIRE Server configuration options is in [the Server documentation](/doc/spire_server.md). - - ```hcl - server { - bind_address = "127.0.0.1" - bind_port = "8081" - trust_domain = "example.org" - data_dir = "./.data" - log_level = "DEBUG" - default_svid_ttl = "1h" - ca_subject { - country = ["US"] - organization = ["SPIFFE"] - common_name = "" - } - } - - plugins { - DataStore "sql" { - plugin_data { - database_type = "sqlite3" - connection_string = "./.data/datastore.sqlite3" - } - } - - NodeAttestor "join_token" { - plugin_data { - } - } - - KeyManager "memory" { - plugin_data = {} - } - - UpstreamAuthority "disk" { - plugin_data { - key_file_path = "./conf/server/dummy_upstream_ca.key" - cert_file_path = "./conf/server/dummy_upstream_ca.crt" - } - } - } - ``` + 6. View the SPIRE Server configuration file. + + cat conf/server/server.conf + + The default SPIRE Server configurations are shown below. A detailed description of each of the SPIRE Server configuration options is in [the Server documentation](/doc/spire_server.md). 
+ + ```hcl + server { + bind_address = "127.0.0.1" + bind_port = "8081" + trust_domain = "example.org" + data_dir = "./.data" + log_level = "DEBUG" + ca_subject { + country = ["US"] + organization = ["SPIFFE"] + common_name = "" + } + } + + plugins { + DataStore "sql" { + plugin_data { + database_type = "sqlite3" + connection_string = "./.data/datastore.sqlite3" + } + } + + NodeAttestor "join_token" { + plugin_data { + } + } + + KeyManager "memory" { + plugin_data = {} + } + + UpstreamAuthority "disk" { + plugin_data { + key_file_path = "./conf/server/dummy_upstream_ca.key" + cert_file_path = "./conf/server/dummy_upstream_ca.crt" + } + } + } + ``` 7. Start the SPIRE Server as a background process by running the following command. diff --git a/doc/spire_server.md b/doc/spire_server.md index b209a1dc95..db94100711 100644 --- a/doc/spire_server.md +++ b/doc/spire_server.md 
@@ -59,22 +59,24 @@ This may be useful for templating configuration files, for example across differ | `ca_subject` | The Subject that CA certificates should use (see below) | | | `ca_ttl` | The default CA/signing key TTL | 24h | | `data_dir` | A directory the server can use for its runtime | | -| `default_svid_ttl` | The default SVID TTL | 1h | -| `experimental` | The experimental options that are subject to change or removal (see below) | | -| `federation` | Bundle endpoints configuration section used for [federation](#federation-configuration) | | +| `default_svid_ttl` | The default SVID TTL. This field is deprecated in favor of default_x509_svid_ttl and default_jwt_svid_ttl and will be removed in a future version. | 1h | +| `default_x509_svid_ttl` | The default X509-SVID TTL (overrides `default_svid_ttl` if set) | 1h | +| `default_jwt_svid_ttl` | The default JWT-SVID TTL (overrides `default_svid_ttl` if set) | 5m | +| `experimental` | The experimental options that are subject to change or removal (see below) | | +| `federation` | Bundle endpoints configuration section used for [federation](#federation-configuration) | | | `jwt_key_type` | The key type used for the server CA (JWT), <rsa-2048|rsa-4096|ec-p256|ec-p384> | The value of `ca_key_type` or ec-p256 if not defined | -| `jwt_issuer` | The issuer claim used when minting JWT-SVIDs | | -| `log_file` | File to write logs to | | +| `jwt_issuer` | The issuer claim used when minting JWT-SVIDs | | +| `log_file` | File to write logs to | | | `log_level` | Sets the logging level <DEBUG|INFO|WARN|ERROR> | INFO | | `log_format` | Format of logs, <text|json> | text | -| `omit_x509svid_uid` | If true, the subject on X509-SVIDs will not contain the unique ID attribute (deprecated) | false | -| `profiling_enabled` | If true, enables a [net/http/pprof](https://pkg.go.dev/net/http/pprof) endpoint | false | -| `profiling_freq` | Frequency of dumping profiling data to disk. 
Only enabled when `profiling_enabled` is `true` and `profiling_freq` > 0. | | -| `profiling_names` | List of profile names that will be dumped to disk on each profiling tick, see [Profiling Names](#profiling-names) | | -| `profiling_port` | Port number of the [net/http/pprof](https://pkg.go.dev/net/http/pprof) endpoint. Only used when `profiling_enabled` is `true`. | | -| `ratelimit` | Rate limiting configurations, usually used when the server is behind a load balancer (see below) | | -| `socket_path` | Path to bind the SPIRE Server API socket to (Unix only) | /tmp/spire-server/private/api.sock | -| `trust_domain` | The trust domain that this server belongs to (should be no more than 255 characters) | | +| `omit_x509svid_uid` | If true, the subject on X509-SVIDs will not contain the unique ID attribute (deprecated) | false | +| `profiling_enabled` | If true, enables a [net/http/pprof](https://pkg.go.dev/net/http/pprof) endpoint | false | +| `profiling_freq` | Frequency of dumping profiling data to disk. Only enabled when `profiling_enabled` is `true` and `profiling_freq` > 0. | | +| `profiling_names` | List of profile names that will be dumped to disk on each profiling tick, see [Profiling Names](#profiling-names) | | +| `profiling_port` | Port number of the [net/http/pprof](https://pkg.go.dev/net/http/pprof) endpoint. Only used when `profiling_enabled` is `true`. | | +| `ratelimit` | Rate limiting configurations, usually used when the server is behind a load balancer (see below) | | +| `socket_path` | Path to bind the SPIRE Server API socket to (Unix only) | /tmp/spire-server/private/api.sock | +| `trust_domain` | The trust domain that this server belongs to (should be no more than 255 characters) | | | ca_subject | Description | Default | |:----------------------------|--------------------------------|----------------| 
@@ -278,7 +280,9 @@ Creates registration entries. | `-selector` | A colon-delimited type:value selector used for attestation. This parameter can be used more than once, to specify multiple selectors that must be satisfied. | | | `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | | `-spiffeID` | The SPIFFE ID that this record represents and will be set to the SVID issued. | | -| `-ttl` | A TTL, in seconds, for any SVID issued as a result of this record. | The TTL configured with `default_svid_ttl` | +| `-ttl` | A TTL, in seconds, for any SVID issued as a result of this record. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version. | The TTL configured with `default_svid_ttl` | +| `-x509SVIDTTL` | A TTL, in seconds, for any X509-SVID issued as a result of this record. Overrides `-ttl` value. | The TTL configured with `default_x509_svid_ttl` | +| `-jwtSVIDTTL` | A TTL, in seconds, for any JWT-SVID issued as a result of this record. Overrides `-ttl` value. | The TTL configured with `default_jwt_svid_ttl` | | `-storeSVID` | A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin | ### `spire-server entry update` 
@@ -298,7 +302,9 @@ Updates registration entries. | `-selector` | A colon-delimited type:value selector used for attestation. This parameter can be used more than once, to specify multiple selectors that must be satisfied. | | | `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | | `-spiffeID` | The SPIFFE ID that this record represents and will be set to the SVID issued. | | -| `-ttl` | A TTL, in seconds, for any SVID issued as a result of this record. | The TTL configured with `default_svid_ttl` | +| `-ttl` | A TTL, in seconds, for any SVID issued as a result of this record. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version. | The TTL configured with `default_svid_ttl` | +| `-x509SVIDTTL` | A TTL, in seconds, for any X509-SVID issued as a result of this record. Overrides `-ttl` value. | The TTL configured with `default_x509_svid_ttl` | +| `-jwtSVIDTTL` | A TTL, in seconds, for any JWT-SVID issued as a result of this record. Overrides `-ttl` value. | The TTL configured with `default_jwt_svid_ttl` | | `storeSVID` | A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin | ### `spire-server entry count` 
@@ -514,11 +520,11 @@ Typically, you may want at least: Mints an X509-SVID. | Command | Action | Default | -|:--------------|:---------------------------------------------------------------------|:-------------------------------------------| +|:--------------|:-------------------------------------------------------------------|:---------------| | `-dns` | A DNS name that will be included in SVID. Can be used more than once | | | `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | | `-spiffeID` | The SPIFFE ID of the X509-SVID | | -| `-ttl` | The TTL of the X509-SVID | The TTL configured with `default_svid_ttl` | +| `-ttl` | The TTL of the X509-SVID | First non-zero value from `Entry.x509_svid_ttl`, `Entry.ttl`, `default_x509_svid_ttl`, `default_svid_ttl`, `1h` | | `-write` | Directory to write output to instead of stdout | | ### `spire-server jwt mint` @@ -526,11 +532,11 @@ Mints an X509-SVID. Mints a JWT-SVID. | Command | Action | Default | -|:--------------|:-----------------------------------------------------------------------------|:-----------------------------------| +|:--------------|:-------------------------------------------------------------------|:---------------| | `-audience` | Audience claim that will be included in the SVID. Can be used more than once | | | `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | | `-spiffeID` | The SPIFFE ID of the JWT-SVID | | -| `-ttl` | The TTL of the JWT-SVID | | +| `-ttl` | The TTL of the JWT-SVID | First non-zero value from `Entry.jwt_svid_ttl`, `Entry.ttl`, `default_jwt_svid_ttl`, `5m` | | `-write` | File to write token to instead of stdout | | ## JSON object for `-data` @@ -560,7 +566,8 @@ server { bind_port = "8081" log_level = "INFO" data_dir = "/opt/spire/.data/" - default_svid_ttl = "6h" + default_x509_svid_ttl = "6h" + default_jwt_svid_ttl = "5m" ca_ttl = "72h" ca_subject { country = ["US"] 
diff --git a/go.mod b/go.mod index e4baf6a0f7..3d6f8a9980 100644 --- a/go.mod +++ b/go.mod @@ -55,7 +55,7 @@ require ( github.com/shirou/gopsutil/v3 v3.22.9 github.com/sirupsen/logrus v1.9.0 github.com/spiffe/go-spiffe/v2 v2.0.1-0.20220414143532-2ed460a8b9d3 - github.com/spiffe/spire-api-sdk v1.2.5-0.20220608195902-84fd618158c9 + github.com/spiffe/spire-api-sdk v1.2.5-0.20221020001527-5895a0279944 github.com/spiffe/spire-plugin-sdk v1.4.1-0.20220912221658-c42ab2d657f6 github.com/stretchr/testify v1.8.1 github.com/uber-go/tally/v4 v4.1.3 diff --git a/go.sum b/go.sum index 4e7a3eb6b2..1e7b1ceed0 100644 --- a/go.sum +++ b/go.sum @@ -916,8 +916,8 @@ github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5q github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= github.com/spiffe/go-spiffe/v2 v2.0.1-0.20220414143532-2ed460a8b9d3 h1:FpqM5PfWHs4Ze36HwzMpRefrv8kkmxFgtG9Qc6hL7Dc= github.com/spiffe/go-spiffe/v2 v2.0.1-0.20220414143532-2ed460a8b9d3/go.mod h1:ifsAYiK9MOyuGYFUHUQ3K47dj+k/gd4IcWhlCyDJZEU= -github.com/spiffe/spire-api-sdk v1.2.5-0.20220608195902-84fd618158c9 h1:RmpSpUHOboDvGhxLW/32DAlV/DsvUURjojPVDMPDkwM= -github.com/spiffe/spire-api-sdk v1.2.5-0.20220608195902-84fd618158c9/go.mod h1:73BC0cOGkqRQrqoB1Djk7etxN+bE1ypmzZMkhCQs6kY= +github.com/spiffe/spire-api-sdk v1.2.5-0.20221020001527-5895a0279944 h1:yoKYON+goNlajhkpKSfwVPB1qvmeh9MmWDyj5zc4C7o= +github.com/spiffe/spire-api-sdk v1.2.5-0.20221020001527-5895a0279944/go.mod h1:4uuhFlN6KBWjACRP3xXwrOTNnvaLp1zJs8Lribtr4fI= github.com/spiffe/spire-plugin-sdk v1.4.1-0.20220912221658-c42ab2d657f6 h1:QViYo6JR+v2lTMV/w9Py1mWJEXTrLn1Hb6ZsCWSVVek= github.com/spiffe/spire-plugin-sdk v1.4.1-0.20220912221658-c42ab2d657f6/go.mod h1:4KW5J6abGIAyUS8IL7Fi0NOfoWR6jA5LufKPnIdm9FE= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= 
diff --git a/pkg/agent/manager/cache/cache_test.go b/pkg/agent/manager/cache/cache_test.go index 8f8372842e..037af7c070 100644 --- a/pkg/agent/manager/cache/cache_test.go +++ b/pkg/agent/manager/cache/cache_test.go @@ -17,14 +17,15 @@ import ( ) var ( - trustDomain1 = spiffeid.RequireTrustDomainFromString("domain.test") - trustDomain2 = spiffeid.RequireTrustDomainFromString("otherdomain.test") - bundleV1 = bundleutil.BundleFromRootCA(trustDomain1, &x509.Certificate{Raw: []byte{1}}) - bundleV2 = bundleutil.BundleFromRootCA(trustDomain1, &x509.Certificate{Raw: []byte{2}}) - bundleV3 = bundleutil.BundleFromRootCA(trustDomain1, &x509.Certificate{Raw: []byte{3}}) - otherBundleV1 = bundleutil.BundleFromRootCA(trustDomain2, &x509.Certificate{Raw: []byte{4}}) - otherBundleV2 = bundleutil.BundleFromRootCA(trustDomain2, &x509.Certificate{Raw: []byte{5}}) - defaultTTL = int32(600) + trustDomain1 = spiffeid.RequireTrustDomainFromString("domain.test") + trustDomain2 = spiffeid.RequireTrustDomainFromString("otherdomain.test") + bundleV1 = bundleutil.BundleFromRootCA(trustDomain1, &x509.Certificate{Raw: []byte{1}}) + bundleV2 = bundleutil.BundleFromRootCA(trustDomain1, &x509.Certificate{Raw: []byte{2}}) + bundleV3 = bundleutil.BundleFromRootCA(trustDomain1, &x509.Certificate{Raw: []byte{3}}) + otherBundleV1 = bundleutil.BundleFromRootCA(trustDomain2, &x509.Certificate{Raw: []byte{4}}) + otherBundleV2 = bundleutil.BundleFromRootCA(trustDomain2, &x509.Certificate{Raw: []byte{5}}) + defaultX509SVIDTTL = int32(700) + defaultJwtSVIDTTL = int32(800) ) func TestFetchWorkloadUpdate(t *testing.T) { @@ -487,7 +488,7 @@ func TestCheckSVIDCallback(t *testing.T) { return false }) - foo := makeRegistrationEntryWithTTL("FOO", 60) + foo := makeRegistrationEntryWithTTL("FOO", 70, 80) // called once for FOO with no SVID callCount := 0 
@@ -536,7 +537,7 @@ func TestCheckSVIDCallback(t *testing.T) { func TestGetStaleEntries(t *testing.T) { cache := newTestCache() - foo := makeRegistrationEntryWithTTL("FOO", 60) + foo := makeRegistrationEntryWithTTL("FOO", 70, 80) // Create entry but don't mark it stale cache.UpdateEntries(&UpdateEntries{ @@ -787,21 +788,23 @@ func makeX509SVIDs(entries ...*common.RegistrationEntry) map[string]*X509SVID { func makeRegistrationEntry(id string, selectors ...string) *common.RegistrationEntry { return &common.RegistrationEntry{ - EntryId: id, - SpiffeId: "spiffe://domain.test/" + id, - Selectors: makeSelectors(selectors...), - DnsNames: []string{fmt.Sprintf("name-%s", id)}, - Ttl: defaultTTL, + EntryId: id, + SpiffeId: "spiffe://domain.test/" + id, + Selectors: makeSelectors(selectors...), + DnsNames: []string{fmt.Sprintf("name-%s", id)}, + X509SvidTtl: defaultX509SVIDTTL, + JwtSvidTtl: defaultJwtSVIDTTL, } } -func makeRegistrationEntryWithTTL(id string, ttl int32, selectors ...string) *common.RegistrationEntry { +func makeRegistrationEntryWithTTL(id string, x509SVIDTTL int32, jwtSVIDTTL int32, selectors ...string) *common.RegistrationEntry { return &common.RegistrationEntry{ - EntryId: id, - SpiffeId: "spiffe://domain.test/" + id, - Selectors: makeSelectors(selectors...), - DnsNames: []string{fmt.Sprintf("name-%s", id)}, - Ttl: ttl, + EntryId: id, + SpiffeId: "spiffe://domain.test/" + id, + Selectors: makeSelectors(selectors...), + DnsNames: []string{fmt.Sprintf("name-%s", id)}, + X509SvidTtl: x509SVIDTTL, + JwtSvidTtl: jwtSVIDTTL, } } diff --git a/pkg/agent/manager/cache/lru_cache_test.go b/pkg/agent/manager/cache/lru_cache_test.go index 8fd5ea2bce..520717b811 100644 --- a/pkg/agent/manager/cache/lru_cache_test.go +++ b/pkg/agent/manager/cache/lru_cache_test.go 
@@ -471,7 +471,7 @@ func TestLRUCacheCheckSVIDCallback(t *testing.T) { return false }) - foo := makeRegistrationEntryWithTTL("FOO", 60) + foo := makeRegistrationEntryWithTTL("FOO", 70, 80) cache.UpdateEntries(&UpdateEntries{ Bundles: makeBundles(bundleV2), @@ -509,7 +509,7 @@ func TestLRUCacheCheckSVIDCallback(t *testing.T) { func TestLRUCacheGetStaleEntries(t *testing.T) { cache := newTestLRUCache() - bar := makeRegistrationEntryWithTTL("BAR", 120, "B") + bar := makeRegistrationEntryWithTTL("BAR", 130, 140, "B") // Create entry but don't mark it stale from checkSVID method; // it will be marked stale cause it does not have SVID cached diff --git a/pkg/agent/manager/storecache/cache_test.go b/pkg/agent/manager/storecache/cache_test.go index cf47b6114a..3a5e850789 100644 --- a/pkg/agent/manager/storecache/cache_test.go +++ b/pkg/agent/manager/storecache/cache_test.go @@ -352,7 +352,8 @@ func TestUpdateEntries(t *testing.T) { setUpdate: func(update cache.UpdateEntries) *cache.UpdateEntries { updatedEntry := createTestEntry() updatedEntry.RevisionNumber = 3 - updatedEntry.Ttl = 1234 + updatedEntry.X509SvidTtl = 2345 + updatedEntry.JwtSvidTtl = 3456 update.RegistrationEntries["foh"] = updatedEntry @@ -375,7 +376,8 @@ func TestUpdateEntries(t *testing.T) { SpiffeId: fohID.String(), StoreSvid: true, RevisionNumber: 3, - Ttl: 1234, + X509SvidTtl: 2345, + JwtSvidTtl: 3456, }, Revision: 2, }, diff --git a/pkg/common/protoutil/masks_test.go b/pkg/common/protoutil/masks_test.go index ff712165c5..2860cb6767 100644 --- a/pkg/common/protoutil/masks_test.go +++ b/pkg/common/protoutil/masks_test.go @@ -29,7 +29,8 @@ func TestAllTrueMasks(t *testing.T) { SpiffeId: true, ParentId: true, Selectors: true, - Ttl: true, + X509SvidTtl: true, + JwtSvidTtl: true, FederatesWith: true, Admin: true, Downstream: true, diff --git a/pkg/common/telemetry/names.go b/pkg/common/telemetry/names.go index 6f7207eb10..7504a53126 100644 --- a/pkg/common/telemetry/names.go 
+++ b/pkg/common/telemetry/names.go @@ -485,6 +485,14 @@ const ( // with other tags to add clarity TTL = "ttl" + // X509 SVID TTL functionality related to a time-to-live field for X509-SVIDs; should be used + // with other tags to add clarity + X509SVIDTTL = "x509_svid_ttl" + + // JWT SVID TTL functionality related to a time-to-live field for JWT-SVIDs; should be used + // with other tags to add clarity + JWTSVIDTTL = "jwt_svid_ttl" + // Type tags a type Type = "type" diff --git a/pkg/common/util/sort.go b/pkg/common/util/sort.go index ff983cb4d0..7e0ec903bc 100644 --- a/pkg/common/util/sort.go +++ b/pkg/common/util/sort.go @@ -59,10 +59,15 @@ func compareRegistrationEntries(a, b *common.RegistrationEntry) int { return c } + // The order of this switch clause matters. It ensures that sorting occurs by X509SvidTtl then JwtSvidTtl switch { - case a.Ttl < b.Ttl: + case a.X509SvidTtl < b.X509SvidTtl: return -1 - case a.Ttl > b.Ttl: + case a.X509SvidTtl > b.X509SvidTtl: + return 1 + case a.JwtSvidTtl < b.JwtSvidTtl: + return -1 + case a.JwtSvidTtl > b.JwtSvidTtl: return 1 } @@ -133,10 +138,15 @@ func compareTypesEntries(a, b *types.Entry) int { return c } + // The order of this switch clause matters. It ensures that sorting occurs by X509SvidTtl then JwtSvidTtl switch { - case a.Ttl < b.Ttl: + case a.X509SvidTtl < b.X509SvidTtl: + return -1 + case a.X509SvidTtl > b.X509SvidTtl: + return 1 + case a.JwtSvidTtl < b.JwtSvidTtl: return -1 - case a.Ttl > b.Ttl: + case a.JwtSvidTtl > b.JwtSvidTtl: return 1 } diff --git a/pkg/common/util/sort_test.go b/pkg/common/util/sort_test.go index 8fe8a37031..0d3bff25ee 100644 --- a/pkg/common/util/sort_test.go +++ b/pkg/common/util/sort_test.go 
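Review bot: The doc comments added for `X509SVIDTTL` and `JWTSVIDTTL` do not begin with the identifier they describe, so godoc and comment linters will not tie them to the constants. I would write `// X509SVIDTTL tags the time-to-live of X509-SVIDs; should be used with other tags to add clarity` and the matching line for `JWTSVIDTTL`. The const block starts and ends outside the hunk.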
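Review bot: The TTL ordering in `compareRegistrationEntries` depends on the order of four cases inside one bare `switch`, and the same four cases are repeated in `compareTypesEntries` in the next hunk. Comparing one key at a time would make the precedence explicit and match the `return c` pattern just above the switch, for example `if c := compareInt32(a.X509SvidTtl, b.X509SvidTtl); c != 0 { return c }` followed by the same line for `JwtSvidTtl`, with `compareInt32` a small private helper returning -1, 0 or 1. The order comment would then be unnecessary. Both functions start and end outside their hunks.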
@@ -34,49 +34,56 @@ func TestDedupRegistrationEntries(t *testing.T) { func TestSortRegistrationEntries(t *testing.T) { entries := []*common.RegistrationEntry{ // entries to assert that spiffe ids are compared for sorting first - {SpiffeId: "a", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, - {SpiffeId: "b", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, - {SpiffeId: "c", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "a", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "b", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "c", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, // entries to assert that parent ids are compared for sorting second - {SpiffeId: "x", ParentId: "a", Ttl: 90, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, - {SpiffeId: "x", ParentId: "b", Ttl: 90, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, - {SpiffeId: "x", ParentId: "c", Ttl: 90, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, - // entries to assert that ttl is compared for sorting third - {SpiffeId: "x", ParentId: "x", Ttl: 10, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, - {SpiffeId: "x", ParentId: "x", Ttl: 20, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, - {SpiffeId: "x", ParentId: "x", Ttl: 30, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, - // entries to assert that selector types are compared for sorting fourth - {SpiffeId: "x", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "a", Value: "x"}}}, - {SpiffeId: "x", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "b", Value: "x"}}}, - {SpiffeId: "x", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "c", Value: "x"}}}, + 
{SpiffeId: "x", ParentId: "a", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "x", ParentId: "b", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "x", ParentId: "c", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + // entries to assert that x509SvidTtl is compared for sorting third + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 10, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 20, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 30, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + // entries to assert that jwtSvidTtl is compared for sorting fourth + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 10, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 20, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 30, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + // entries to assert that selector types are compared for sorting fifth + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "a", Value: "x"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "b", Value: "x"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "c", Value: "x"}}}, // entries to assert that selector values are included in selector sorting - {SpiffeId: "x", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "x", Value: "a"}}}, - {SpiffeId: "x", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "x", Value: "b"}}}, - {SpiffeId: "x", 
ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "x", Value: "c"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "a"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "b"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "c"}}}, // entry to assert that entries with more selectors come after entries with less - {SpiffeId: "x", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "a", Value: "a"}, {Type: "a", Value: "b"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "a", Value: "a"}, {Type: "a", Value: "b"}}}, // entry to assert that selectors get sorted as well - {SpiffeId: "x", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "a", Value: "c"}, {Type: "a", Value: "a"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "a", Value: "c"}, {Type: "a", Value: "a"}}}, } expected := []*common.RegistrationEntry{ - {SpiffeId: "a", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, - {SpiffeId: "b", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, - {SpiffeId: "c", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, - {SpiffeId: "x", ParentId: "a", Ttl: 90, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, - {SpiffeId: "x", ParentId: "b", Ttl: 90, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, - {SpiffeId: "x", ParentId: "c", Ttl: 90, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, - {SpiffeId: "x", ParentId: "x", Ttl: 10, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, - {SpiffeId: "x", ParentId: "x", Ttl: 20, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, - {SpiffeId: "x", 
ParentId: "x", Ttl: 30, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, - {SpiffeId: "x", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "a", Value: "x"}}}, - {SpiffeId: "x", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "b", Value: "x"}}}, - {SpiffeId: "x", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "c", Value: "x"}}}, - {SpiffeId: "x", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "x", Value: "a"}}}, - {SpiffeId: "x", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "x", Value: "b"}}}, - {SpiffeId: "x", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "x", Value: "c"}}}, - {SpiffeId: "x", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "a", Value: "a"}, {Type: "a", Value: "b"}}}, - {SpiffeId: "x", ParentId: "x", Ttl: 90, Selectors: []*common.Selector{{Type: "a", Value: "a"}, {Type: "a", Value: "c"}}}, + {SpiffeId: "a", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "b", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "c", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "x", ParentId: "a", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "x", ParentId: "b", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "x", ParentId: "c", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 10, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 20, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 30, JwtSvidTtl: 110, Selectors: 
[]*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 10, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 20, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 30, Selectors: []*common.Selector{{Type: "x", Value: "x"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "a", Value: "x"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "b", Value: "x"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "c", Value: "x"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "a"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "b"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "x", Value: "c"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "a", Value: "a"}, {Type: "a", Value: "b"}}}, + {SpiffeId: "x", ParentId: "x", X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*common.Selector{{Type: "a", Value: "a"}, {Type: "a", Value: "c"}}}, } var actual []*common.RegistrationEntry 
@@ -122,49 +129,57 @@ func TestSortTypesEntries(t *testing.T) { entries := []*types.Entry{ // entries to assert that spiffe ids are compared for sorting first - {SpiffeId: idA, ParentId: idX, Ttl: 90, Selectors: selectorsX}, - {SpiffeId: idB, ParentId: idX, Ttl: 90, Selectors: selectorsX}, - {SpiffeId: idC, ParentId: idX, Ttl: 90, Selectors: selectorsX}, + {SpiffeId: idA, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: selectorsX}, + {SpiffeId: idB, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: selectorsX}, + {SpiffeId: idC, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: selectorsX}, // entries to assert that parent ids are compared for sorting second - {SpiffeId: idX, ParentId: idA, Ttl: 90, Selectors: selectorsX}, - {SpiffeId: idX, ParentId: idB, Ttl: 90, Selectors: selectorsX}, - {SpiffeId: idX, ParentId: idC, Ttl: 90, Selectors: selectorsX}, - // entries to assert that ttl is compared for sorting third - {SpiffeId: idX, ParentId: idX, Ttl: 10, Selectors: selectorsX}, - {SpiffeId: idX, ParentId: idX, Ttl: 20, Selectors: selectorsX}, - {SpiffeId: idX, ParentId: idX, Ttl: 30, Selectors: selectorsX}, - // entries to assert that selector types are compared for sorting fourth - {SpiffeId: idX, ParentId: idX, Ttl: 90, Selectors: []*types.Selector{{Type: "a", Value: "x"}}}, - {SpiffeId: idX, ParentId: idX, Ttl: 90, Selectors: []*types.Selector{{Type: "b", Value: "x"}}}, - {SpiffeId: idX, ParentId: idX, Ttl: 90, Selectors: []*types.Selector{{Type: "c", Value: "x"}}}, + {SpiffeId: idX, ParentId: idA, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: selectorsX}, + {SpiffeId: idX, ParentId: idB, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: selectorsX}, + {SpiffeId: idX, ParentId: idC, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: selectorsX}, + // entries to assert that x509SvidTtl is compared for sorting third + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 10, JwtSvidTtl: 110, Selectors: selectorsX}, + {SpiffeId: idX, ParentId: idX, 
X509SvidTtl: 20, JwtSvidTtl: 110, Selectors: selectorsX}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 30, JwtSvidTtl: 110, Selectors: selectorsX}, + // entries to assert that jwtSvidTtl is compared for sorting forth + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 10, Selectors: selectorsX}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 20, Selectors: selectorsX}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 30, Selectors: selectorsX}, + + // entries to assert that selector types are compared for sorting fifth + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*types.Selector{{Type: "a", Value: "x"}}}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*types.Selector{{Type: "b", Value: "x"}}}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*types.Selector{{Type: "c", Value: "x"}}}, // entries to assert that selector values are included in selector sorting - {SpiffeId: idX, ParentId: idX, Ttl: 90, Selectors: []*types.Selector{{Type: "x", Value: "a"}}}, - {SpiffeId: idX, ParentId: idX, Ttl: 90, Selectors: []*types.Selector{{Type: "x", Value: "b"}}}, - {SpiffeId: idX, ParentId: idX, Ttl: 90, Selectors: []*types.Selector{{Type: "x", Value: "c"}}}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*types.Selector{{Type: "x", Value: "a"}}}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*types.Selector{{Type: "x", Value: "b"}}}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*types.Selector{{Type: "x", Value: "c"}}}, // entry to assert that entries with more selectors come after entries with less - {SpiffeId: idX, ParentId: idX, Ttl: 90, Selectors: []*types.Selector{{Type: "a", Value: "a"}, {Type: "a", Value: "b"}}}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*types.Selector{{Type: "a", Value: 
"a"}, {Type: "a", Value: "b"}}}, // entry to assert that selectors get sorted as well - {SpiffeId: idX, ParentId: idX, Ttl: 90, Selectors: []*types.Selector{{Type: "a", Value: "c"}, {Type: "a", Value: "a"}}}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*types.Selector{{Type: "a", Value: "c"}, {Type: "a", Value: "a"}}}, } expected := []*types.Entry{ - {SpiffeId: &types.SPIFFEID{TrustDomain: "a"}, ParentId: &types.SPIFFEID{TrustDomain: "x"}, Ttl: 90, Selectors: selectorsX}, - {SpiffeId: &types.SPIFFEID{TrustDomain: "b"}, ParentId: &types.SPIFFEID{TrustDomain: "x"}, Ttl: 90, Selectors: selectorsX}, - {SpiffeId: &types.SPIFFEID{TrustDomain: "c"}, ParentId: &types.SPIFFEID{TrustDomain: "x"}, Ttl: 90, Selectors: selectorsX}, - {SpiffeId: &types.SPIFFEID{TrustDomain: "x"}, ParentId: &types.SPIFFEID{TrustDomain: "a"}, Ttl: 90, Selectors: selectorsX}, - {SpiffeId: &types.SPIFFEID{TrustDomain: "x"}, ParentId: &types.SPIFFEID{TrustDomain: "b"}, Ttl: 90, Selectors: selectorsX}, - {SpiffeId: &types.SPIFFEID{TrustDomain: "x"}, ParentId: &types.SPIFFEID{TrustDomain: "c"}, Ttl: 90, Selectors: selectorsX}, - {SpiffeId: idX, ParentId: idX, Ttl: 10, Selectors: selectorsX}, - {SpiffeId: idX, ParentId: idX, Ttl: 20, Selectors: selectorsX}, - {SpiffeId: idX, ParentId: idX, Ttl: 30, Selectors: selectorsX}, - {SpiffeId: idX, ParentId: idX, Ttl: 90, Selectors: []*types.Selector{{Type: "a", Value: "x"}}}, - {SpiffeId: idX, ParentId: idX, Ttl: 90, Selectors: []*types.Selector{{Type: "b", Value: "x"}}}, - {SpiffeId: idX, ParentId: idX, Ttl: 90, Selectors: []*types.Selector{{Type: "c", Value: "x"}}}, - {SpiffeId: idX, ParentId: idX, Ttl: 90, Selectors: []*types.Selector{{Type: "x", Value: "a"}}}, - {SpiffeId: idX, ParentId: idX, Ttl: 90, Selectors: []*types.Selector{{Type: "x", Value: "b"}}}, - {SpiffeId: idX, ParentId: idX, Ttl: 90, Selectors: []*types.Selector{{Type: "x", Value: "c"}}}, - {SpiffeId: idX, ParentId: idX, Ttl: 90, Selectors: 
[]*types.Selector{{Type: "a", Value: "a"}, {Type: "a", Value: "b"}}}, - {SpiffeId: idX, ParentId: idX, Ttl: 90, Selectors: []*types.Selector{{Type: "a", Value: "a"}, {Type: "a", Value: "c"}}}, + {SpiffeId: &types.SPIFFEID{TrustDomain: "a"}, ParentId: &types.SPIFFEID{TrustDomain: "x"}, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: selectorsX}, + {SpiffeId: &types.SPIFFEID{TrustDomain: "b"}, ParentId: &types.SPIFFEID{TrustDomain: "x"}, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: selectorsX}, + {SpiffeId: &types.SPIFFEID{TrustDomain: "c"}, ParentId: &types.SPIFFEID{TrustDomain: "x"}, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: selectorsX}, + {SpiffeId: &types.SPIFFEID{TrustDomain: "x"}, ParentId: &types.SPIFFEID{TrustDomain: "a"}, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: selectorsX}, + {SpiffeId: &types.SPIFFEID{TrustDomain: "x"}, ParentId: &types.SPIFFEID{TrustDomain: "b"}, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: selectorsX}, + {SpiffeId: &types.SPIFFEID{TrustDomain: "x"}, ParentId: &types.SPIFFEID{TrustDomain: "c"}, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: selectorsX}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 10, JwtSvidTtl: 110, Selectors: selectorsX}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 20, JwtSvidTtl: 110, Selectors: selectorsX}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 30, JwtSvidTtl: 110, Selectors: selectorsX}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 10, Selectors: selectorsX}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 20, Selectors: selectorsX}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 30, Selectors: selectorsX}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*types.Selector{{Type: "a", Value: "x"}}}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*types.Selector{{Type: "b", Value: "x"}}}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: 
[]*types.Selector{{Type: "c", Value: "x"}}}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*types.Selector{{Type: "x", Value: "a"}}}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*types.Selector{{Type: "x", Value: "b"}}}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*types.Selector{{Type: "x", Value: "c"}}}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*types.Selector{{Type: "a", Value: "a"}, {Type: "a", Value: "b"}}}, + {SpiffeId: idX, ParentId: idX, X509SvidTtl: 100, JwtSvidTtl: 110, Selectors: []*types.Selector{{Type: "a", Value: "a"}, {Type: "a", Value: "c"}}}, } var actual []*types.Entry diff --git a/pkg/server/api/bundle/v1/service_test.go b/pkg/server/api/bundle/v1/service_test.go index 793c6c66f4..f19d5405dc 100644 --- a/pkg/server/api/bundle/v1/service_test.go +++ b/pkg/server/api/bundle/v1/service_test.go @@ -791,10 +791,11 @@ func TestBatchDeleteFederatedBundle(t *testing.T) { td3.IDString(), } newEntry := &common.RegistrationEntry{ - EntryId: "entry1", - ParentId: "spiffe://example.org/foo", - SpiffeId: "spiffe://example.org/bar", - Ttl: 60, + EntryId: "entry1", + ParentId: "spiffe://example.org/foo", + SpiffeId: "spiffe://example.org/bar", + X509SvidTtl: 70, + JwtSvidTtl: 80, Selectors: []*common.Selector{ {Type: "a", Value: "1"}, }, diff --git a/pkg/server/api/entry.go b/pkg/server/api/entry.go index 087100ef36..e1c8bfc292 100644 --- a/pkg/server/api/entry.go +++ b/pkg/server/api/entry.go @@ -61,7 +61,7 @@ func RegistrationEntryToProto(e *common.RegistrationEntry) (*types.Entry, error) SpiffeId: ProtoFromID(spiffeID), ParentId: ProtoFromID(parentID), Selectors: ProtoFromSelectors(e.Selectors), - Ttl: e.Ttl, + X509SvidTtl: e.X509SvidTtl, FederatesWith: federatesWith, Admin: e.Admin, Downstream: e.Downstream, 
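Review bot: In the `TestSortTypesEntries` hunk the new comment reads `sorting forth`, which should be `// entries to assert that jwtSvidTtl is compared for sorting fourth`, as the same comment in `TestSortRegistrationEntries` already has it. The blank line added after the JwtSvidTtl group is also not present in the sibling test, so dropping it keeps the two tables aligned. The test function starts and ends outside the hunk.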
@@ -69,6 +69,7 @@ func RegistrationEntryToProto(e *common.RegistrationEntry) (*types.Entry, error) DnsNames: append([]string(nil), e.DnsNames...), RevisionNumber: e.RevisionNumber, StoreSvid: e.StoreSvid, + JwtSvidTtl: e.JwtSvidTtl, }, nil } @@ -156,11 +157,6 @@ func ProtoToRegistrationEntryWithMask(ctx context.Context, td spiffeid.TrustDoma } } - var ttl int32 - if mask.Ttl { - ttl = e.Ttl - } - var revisionNumber int64 if mask.RevisionNumber { revisionNumber = e.RevisionNumber @@ -171,6 +167,16 @@ func ProtoToRegistrationEntryWithMask(ctx context.Context, td spiffeid.TrustDoma storeSVID = e.StoreSvid } + var x509SvidTTL int32 + if mask.X509SvidTtl { + x509SvidTTL = e.X509SvidTtl + } + + var jwtSvidTTL int32 + if mask.JwtSvidTtl { + jwtSvidTTL = e.JwtSvidTtl + } + return &common.RegistrationEntry{ EntryId: e.Id, ParentId: parentID.String(), @@ -181,8 +187,9 @@ func ProtoToRegistrationEntryWithMask(ctx context.Context, td spiffeid.TrustDoma EntryExpiry: expiresAt, FederatesWith: federatesWith, Selectors: selectors, - Ttl: ttl, RevisionNumber: revisionNumber, StoreSvid: storeSVID, + X509SvidTtl: x509SvidTTL, + JwtSvidTtl: jwtSvidTTL, }, nil } diff --git a/pkg/server/api/entry/v1/service.go b/pkg/server/api/entry/v1/service.go index 3b965db371..794dc40f82 100644 --- a/pkg/server/api/entry/v1/service.go +++ b/pkg/server/api/entry/v1/service.go @@ -350,10 +350,6 @@ func applyMask(e *types.Entry, mask *types.EntryMask) { e.Selectors = nil } - if !mask.Ttl { - e.Ttl = 0 - } - if !mask.FederatesWith { e.FederatesWith = nil } @@ -381,6 +377,14 @@ func applyMask(e *types.Entry, mask *types.EntryMask) { if !mask.StoreSvid { e.StoreSvid = false } + + if !mask.X509SvidTtl { + e.X509SvidTtl = 0 + } + + if !mask.JwtSvidTtl { + e.JwtSvidTtl = 0 + } } func (s *Service) updateEntry(ctx context.Context, e *types.Entry, inputMask *types.EntryMask, outputMask *types.EntryMask) *entryv1.BatchUpdateEntryResponse_Result { 
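Review bot: In `ProtoToRegistrationEntryWithMask`, `x509SvidTTL` and `jwtSvidTTL` are copied from the request into the registration entry with no range check in the lines shown, and these two values bound how long an issued SVID remains valid. Whether a later layer rejects negative values is not visible in this diff; if none does, an early guard such as `if mask.X509SvidTtl && e.X509SvidTtl < 0 { return nil, errors.New("invalid X509-SVID TTL: must not be negative") }` (and the same for `JwtSvidTtl`) would fail the conversion before the entry reaches the datastore. At minimum, a comment stating where the bounds are enforced would help the next reader. The function starts and ends outside the hunk.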
@@ -399,7 +403,6 @@ func (s *Service) updateEntry(ctx context.Context, e *types.Entry, inputMask *ty mask = &common.RegistrationEntryMask{ SpiffeId: inputMask.SpiffeId, ParentId: inputMask.ParentId, - Ttl: inputMask.Ttl, FederatesWith: inputMask.FederatesWith, Admin: inputMask.Admin, Downstream: inputMask.Downstream, @@ -407,6 +410,8 @@ func (s *Service) updateEntry(ctx context.Context, e *types.Entry, inputMask *ty DnsNames: inputMask.DnsNames, Selectors: inputMask.Selectors, StoreSvid: inputMask.StoreSvid, + X509SvidTtl: inputMask.X509SvidTtl, + JwtSvidTtl: inputMask.JwtSvidTtl, } } dsEntry, err := s.ds.UpdateRegistrationEntry(ctx, convEntry, mask) @@ -462,8 +467,12 @@ func fieldsFromEntryProto(ctx context.Context, proto *types.Entry, inputMask *ty } } - if inputMask == nil || inputMask.Ttl { - fields[telemetry.TTL] = proto.Ttl + if inputMask == nil || inputMask.X509SvidTtl { + fields[telemetry.X509SVIDTTL] = proto.X509SvidTtl + } + + if inputMask == nil || inputMask.JwtSvidTtl { + fields[telemetry.JWTSVIDTTL] = proto.JwtSvidTtl } if inputMask == nil || inputMask.FederatesWith { diff --git a/pkg/server/api/entry/v1/service_test.go b/pkg/server/api/entry/v1/service_test.go index d002e24d2c..94bcf59f3e 100644 --- a/pkg/server/api/entry/v1/service_test.go +++ b/pkg/server/api/entry/v1/service_test.go @@ -1198,9 +1198,9 @@ func TestGetEntry(t *testing.T) { entry1SpiffeID := spiffeid.RequireFromSegments(td, "bar") expiresAt := time.Now().Unix() goodEntry, err := ds.CreateRegistrationEntry(ctx, &common.RegistrationEntry{ - ParentId: parent.String(), - SpiffeId: entry1SpiffeID.String(), - Ttl: 60, + ParentId: parent.String(), + SpiffeId: entry1SpiffeID.String(), + X509SvidTtl: 60, Selectors: []*common.Selector{ {Type: "unix", Value: "uid:1000"}, {Type: "unix", Value: "gid:1000"}, 
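Review bot: `fieldsFromEntryProto` stops emitting the `telemetry.TTL` field and writes `x509_svid_ttl` and `jwt_svid_ttl` instead, which changes the schema of the entry audit events asserted in the tests. Log pipelines or alerts keyed on `ttl` will silently stop receiving a value, so the rename belongs in the changelog or upgrade notes. A short comment above the two blocks would record the intent, e.g. `// Replaces the former "ttl" audit field; one field per SVID type.` The function starts and ends outside the hunk.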
@@ -1263,10 +1263,10 @@ func TestGetEntry(t *testing.T) { name: "no outputMask", entryID: goodEntry.EntryId, expectEntry: &types.Entry{ - Id: goodEntry.EntryId, - ParentId: api.ProtoFromID(parent), - SpiffeId: api.ProtoFromID(entry1SpiffeID), - Ttl: 60, + Id: goodEntry.EntryId, + ParentId: api.ProtoFromID(parent), + SpiffeId: api.ProtoFromID(entry1SpiffeID), + X509SvidTtl: 60, Selectors: []*types.Selector{ {Type: "unix", Value: "uid:1000"}, {Type: "unix", Value: "gid:1000"}, @@ -1441,9 +1441,9 @@ func TestBatchCreateEntry(t *testing.T) { useDefaultEntryID := "DEFAULT_ENTRY_ID" defaultEntry := &common.RegistrationEntry{ - ParentId: entryParentID.String(), - SpiffeId: entrySpiffeID.String(), - Ttl: 60, + ParentId: entryParentID.String(), + SpiffeId: entrySpiffeID.String(), + X509SvidTtl: 60, Selectors: []*common.Selector{ {Type: "unix", Value: "gid:1000"}, {Type: "unix", Value: "uid:1000"}, @@ -1469,7 +1469,8 @@ func TestBatchCreateEntry(t *testing.T) { Downstream: true, ExpiresAt: expiresAt, FederatesWith: []string{"domain1.org"}, - Ttl: 60, + X509SvidTtl: 45, + JwtSvidTtl: 30, } // Registration entry for test entry testDSEntry := &common.RegistrationEntry{ @@ -1485,7 +1486,8 @@ func TestBatchCreateEntry(t *testing.T) { Downstream: true, EntryExpiry: expiresAt, FederatesWith: []string{"spiffe://domain1.org"}, - Ttl: 60, + X509SvidTtl: 45, + JwtSvidTtl: 30, } for _, tt := range []struct { @@ -1521,7 +1523,8 @@ func TestBatchCreateEntry(t *testing.T) { telemetry.Selectors: "type:value1,type:value2", telemetry.RevisionNumber: "0", telemetry.SPIFFEID: "spiffe://example.org/workload", - telemetry.TTL: "60", + telemetry.X509SVIDTTL: "45", + telemetry.JWTSVIDTTL: "30", telemetry.StoreSvid: "false", }, }, 
@@ -1547,7 +1550,8 @@ func TestBatchCreateEntry(t *testing.T) { telemetry.RevisionNumber: "0", telemetry.Selectors: "type:value", telemetry.SPIFFEID: "spiffe://example.org/malformed", - telemetry.TTL: "0", + telemetry.X509SVIDTTL: "0", + telemetry.JWTSVIDTTL: "0", telemetry.StoreSvid: "false", }, }, @@ -1565,7 +1569,8 @@ func TestBatchCreateEntry(t *testing.T) { telemetry.RevisionNumber: "0", telemetry.Selectors: "type:value", telemetry.SPIFFEID: "spiffe://example.org/workload2", - telemetry.TTL: "0", + telemetry.X509SVIDTTL: "0", + telemetry.JWTSVIDTTL: "0", telemetry.StoreSvid: "false", }, }, @@ -1657,7 +1662,8 @@ func TestBatchCreateEntry(t *testing.T) { telemetry.Selectors: "type:value1,type:value2", telemetry.RevisionNumber: "0", telemetry.SPIFFEID: "spiffe://example.org/svidstore", - telemetry.TTL: "0", + telemetry.X509SVIDTTL: "0", + telemetry.JWTSVIDTTL: "0", telemetry.StoreSvid: "true", }, }, @@ -1715,7 +1721,8 @@ func TestBatchCreateEntry(t *testing.T) { Downstream: true, ExpiresAt: expiresAt, FederatesWith: []string{"domain1.org"}, - Ttl: 60, + X509SvidTtl: 45, + JwtSvidTtl: 30, StoreSvid: false, }, }, @@ -1739,7 +1746,8 @@ func TestBatchCreateEntry(t *testing.T) { telemetry.RevisionNumber: "0", telemetry.Selectors: "type:value1,type:value2", telemetry.SPIFFEID: "spiffe://example.org/workload", - telemetry.TTL: "60", + telemetry.X509SVIDTTL: "45", + telemetry.JWTSVIDTTL: "30", telemetry.StoreSvid: "false", }, }, @@ -1775,7 +1783,8 @@ func TestBatchCreateEntry(t *testing.T) { telemetry.RevisionNumber: "0", telemetry.Selectors: "type:value1,type:value2", telemetry.SPIFFEID: "spiffe://example.org/workload", - telemetry.TTL: "60", + telemetry.X509SVIDTTL: "45", + telemetry.JWTSVIDTTL: "30", telemetry.StoreSvid: "false", }, }, 
@@ -1804,10 +1813,11 @@ func TestBatchCreateEntry(t *testing.T) { }, reqEntries: []*types.Entry{ { - Id: "entry1", - ParentId: api.ProtoFromID(entryParentID), - SpiffeId: api.ProtoFromID(entrySpiffeID), - Ttl: 60, + Id: "entry1", + ParentId: api.ProtoFromID(entryParentID), + SpiffeId: api.ProtoFromID(entrySpiffeID), + X509SvidTtl: 45, + JwtSvidTtl: 30, Selectors: []*types.Selector{ {Type: "type", Value: "value1"}, }, @@ -1815,10 +1825,11 @@ func TestBatchCreateEntry(t *testing.T) { }, expectDsEntries: map[string]*common.RegistrationEntry{ "entry1": { - EntryId: "entry1", - ParentId: "spiffe://example.org/foo", - SpiffeId: "spiffe://example.org/bar", - Ttl: 60, + EntryId: "entry1", + ParentId: "spiffe://example.org/foo", + SpiffeId: "spiffe://example.org/bar", + X509SvidTtl: 45, + JwtSvidTtl: 30, Selectors: []*common.Selector{ {Type: "type", Value: "value1"}, }, @@ -1839,7 +1850,8 @@ func TestBatchCreateEntry(t *testing.T) { telemetry.RevisionNumber: "0", telemetry.Selectors: "type:value1", telemetry.SPIFFEID: "spiffe://example.org/bar", - telemetry.TTL: "60", + telemetry.X509SVIDTTL: "45", + telemetry.JWTSVIDTTL: "30", telemetry.StoreSvid: "false", }, }, @@ -1866,10 +1878,11 @@ func TestBatchCreateEntry(t *testing.T) { }, reqEntries: []*types.Entry{ { - ParentId: api.ProtoFromID(entryParentID), - SpiffeId: api.ProtoFromID(entrySpiffeID), - Ttl: 20, - Admin: false, + ParentId: api.ProtoFromID(entryParentID), + SpiffeId: api.ProtoFromID(entrySpiffeID), + X509SvidTtl: 45, + JwtSvidTtl: 30, + Admin: false, Selectors: []*types.Selector{ {Type: "unix", Value: "gid:1000"}, {Type: "unix", Value: "uid:1000"}, 
@@ -1890,7 +1903,8 @@ func TestBatchCreateEntry(t *testing.T) { telemetry.Selectors: "unix:gid:1000,unix:uid:1000", telemetry.RevisionNumber: "0", telemetry.SPIFFEID: "spiffe://example.org/bar", - telemetry.TTL: "20", + telemetry.X509SVIDTTL: "45", + telemetry.JWTSVIDTTL: "30", telemetry.StatusCode: "AlreadyExists", telemetry.StatusMessage: "similar entry already exists", telemetry.StoreSvid: "false", @@ -1927,7 +1941,8 @@ func TestBatchCreateEntry(t *testing.T) { telemetry.Downstream: "false", telemetry.ExpiresAt: "0", telemetry.RevisionNumber: "0", - telemetry.TTL: "0", + telemetry.X509SVIDTTL: "0", + telemetry.JWTSVIDTTL: "0", telemetry.StoreSvid: "false", telemetry.StatusCode: "InvalidArgument", telemetry.StatusMessage: "failed to convert entry: invalid parent ID: trust domain is missing", @@ -1967,7 +1982,8 @@ func TestBatchCreateEntry(t *testing.T) { telemetry.RevisionNumber: "0", telemetry.Selectors: "type:value1,type:value2", telemetry.SPIFFEID: "spiffe://example.org/workload", - telemetry.TTL: "60", + telemetry.X509SVIDTTL: "45", + telemetry.JWTSVIDTTL: "30", telemetry.StoreSvid: "false", telemetry.StatusCode: "Internal", telemetry.StatusMessage: "failed to create entry: creating error", @@ -2016,7 +2032,8 @@ func TestBatchCreateEntry(t *testing.T) { telemetry.RevisionNumber: "0", telemetry.Selectors: "type:value1,type:value2", telemetry.SPIFFEID: "spiffe://example.org/workload", - telemetry.TTL: "60", + telemetry.X509SVIDTTL: "45", + telemetry.JWTSVIDTTL: "30", telemetry.StoreSvid: "false", telemetry.StatusCode: "Internal", telemetry.StatusMessage: "failed to convert entry: invalid SPIFFE ID: scheme is missing or invalid", 
@@ -2337,10 +2354,10 @@ func TestBatchDeleteEntry(t *testing.T) { func TestGetAuthorizedEntries(t *testing.T) { entry1 := types.Entry{ - Id: "entry-1", - ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/foo"}, - SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/bar"}, - Ttl: 60, + Id: "entry-1", + ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/foo"}, + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/bar"}, + X509SvidTtl: 60, Selectors: []*types.Selector{ {Type: "unix", Value: "uid:1000"}, {Type: "unix", Value: "gid:1000"}, @@ -2355,10 +2372,10 @@ func TestGetAuthorizedEntries(t *testing.T) { Downstream: true, } entry2 := types.Entry{ - Id: "entry-2", - ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/foo"}, - SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/baz"}, - Ttl: 3600, + Id: "entry-2", + ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/foo"}, + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/baz"}, + X509SvidTtl: 3600, Selectors: []*types.Selector{ {Type: "unix", Value: "uid:1001"}, {Type: "unix", Value: "gid:1001"}, @@ -2641,9 +2658,9 @@ func TestBatchUpdateEntry(t *testing.T) { entry1SpiffeID := &types.SPIFFEID{TrustDomain: "example.org", Path: "/workload"} expiresAt := time.Now().Unix() initialEntry := &types.Entry{ - ParentId: parent, - SpiffeId: entry1SpiffeID, - Ttl: 60, + ParentId: parent, + SpiffeId: entry1SpiffeID, + X509SvidTtl: 60, Selectors: []*types.Selector{ {Type: "unix", Value: "uid:1000"}, {Type: "unix", Value: "uid:2000"}, @@ -2657,10 +2674,10 @@ func TestBatchUpdateEntry(t *testing.T) { Downstream: true, } storeSvidEntry := &types.Entry{ - ParentId: parent, - SpiffeId: entry1SpiffeID, - Ttl: 60, - StoreSvid: true, + ParentId: parent, + SpiffeId: entry1SpiffeID, + X509SvidTtl: 60, + StoreSvid: true, Selectors: []*types.Selector{ {Type: "typ", Value: "key1:value"}, {Type: "typ", Value: "key2:value"}, 
@@ -2671,9 +2688,10 @@ func TestBatchUpdateEntry(t *testing.T) { ExpiresAt: expiresAt, } updateEverythingEntry := &types.Entry{ - ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/validUpdated"}, - SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/validUpdated"}, - Ttl: 500000, + ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/validUpdated"}, + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/validUpdated"}, + X509SvidTtl: 400000, + JwtSvidTtl: 300000, Selectors: []*types.Selector{ {Type: "unix", Value: "uid:9999"}, }, @@ -2978,23 +2996,23 @@ func TestBatchUpdateEntry(t *testing.T) { }, }, { - name: "Success Update TTL", + name: "Success Update X509SVIDTTL", initialEntries: []*types.Entry{initialEntry}, inputMask: &types.EntryMask{ - Ttl: true, + X509SvidTtl: true, }, outputMask: &types.EntryMask{ - Ttl: true, + X509SvidTtl: true, }, updateEntries: []*types.Entry{ { - Ttl: 1000, + X509SvidTtl: 1000, }, }, expectDsEntries: func(id string) []*types.Entry { modifiedEntry := proto.Clone(initialEntry).(*types.Entry) modifiedEntry.Id = id - modifiedEntry.Ttl = 1000 + modifiedEntry.X509SvidTtl = 1000 modifiedEntry.RevisionNumber = 1 return []*types.Entry{modifiedEntry} }, @@ -3002,7 +3020,7 @@ func TestBatchUpdateEntry(t *testing.T) { { Status: &types.Status{Code: int32(codes.OK), Message: "OK"}, Entry: &types.Entry{ - Ttl: 1000, + X509SvidTtl: 1000, }, }, }, @@ -3015,7 +3033,7 @@ func TestBatchUpdateEntry(t *testing.T) { telemetry.Status: "success", telemetry.Type: "audit", telemetry.RegistrationID: m[entry1SpiffeID.Path], - telemetry.TTL: "1000", + telemetry.X509SVIDTTL: "1000", }, }, } 
@@ -3241,17 +3259,17 @@ func TestBatchUpdateEntry(t *testing.T) { }, }, { - name: "Success Don't Update TTL", + name: "Success Don't Update X509SVIDTTL", initialEntries: []*types.Entry{initialEntry}, inputMask: &types.EntryMask{ // With this empty, the update operation should be a no-op }, outputMask: &types.EntryMask{ - Ttl: true, + X509SvidTtl: true, }, updateEntries: []*types.Entry{ { - Ttl: 500000, + X509SvidTtl: 500000, }, }, expectDsEntries: func(m string) []*types.Entry { @@ -3264,7 +3282,7 @@ func TestBatchUpdateEntry(t *testing.T) { { Status: &types.Status{Code: int32(codes.OK), Message: "OK"}, Entry: &types.Entry{ - Ttl: 60, + X509SvidTtl: 60, }, }, }, @@ -3593,9 +3611,10 @@ func TestBatchUpdateEntry(t *testing.T) { { Status: &types.Status{Code: int32(codes.OK), Message: "OK"}, Entry: &types.Entry{ - ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/validUpdated"}, - SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/validUpdated"}, - Ttl: 500000, + ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/validUpdated"}, + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/validUpdated"}, + X509SvidTtl: 400000, + JwtSvidTtl: 300000, Selectors: []*types.Selector{ {Type: "unix", Value: "uid:9999"}, }, @@ -3625,7 +3644,8 @@ func TestBatchUpdateEntry(t *testing.T) { telemetry.RevisionNumber: "0", telemetry.Selectors: "unix:uid:9999", telemetry.SPIFFEID: "spiffe://example.org/validUpdated", - telemetry.TTL: "500000", + telemetry.X509SVIDTTL: "400000", + telemetry.JWTSVIDTTL: "300000", telemetry.StoreSvid: "false", }, }, 
@@ -3636,21 +3656,21 @@ func TestBatchUpdateEntry(t *testing.T) { name: "Success Nil Output Mask", initialEntries: []*types.Entry{initialEntry}, inputMask: &types.EntryMask{ - Ttl: true, + X509SvidTtl: true, }, outputMask: nil, updateEntries: []*types.Entry{ { - Ttl: 500000, + X509SvidTtl: 500000, }, }, expectResults: []*entryv1.BatchUpdateEntryResponse_Result{ { Status: &types.Status{Code: int32(codes.OK), Message: "OK"}, Entry: &types.Entry{ - ParentId: parent, - SpiffeId: entry1SpiffeID, - Ttl: 500000, + ParentId: parent, + SpiffeId: entry1SpiffeID, + X509SvidTtl: 500000, Selectors: []*types.Selector{ {Type: "unix", Value: "uid:1000"}, {Type: "unix", Value: "uid:2000"}, @@ -3675,7 +3695,7 @@ func TestBatchUpdateEntry(t *testing.T) { telemetry.Status: "success", telemetry.Type: "audit", telemetry.RegistrationID: m[entry1SpiffeID.Path], - telemetry.TTL: "500000", + telemetry.X509SVIDTTL: "500000", }, }, } @@ -3724,19 +3744,19 @@ func TestBatchUpdateEntry(t *testing.T) { name: "Success Empty Output Mask", initialEntries: []*types.Entry{initialEntry}, inputMask: &types.EntryMask{ - Ttl: true, + X509SvidTtl: true, }, // With the output mask empty, the update will take place, but the results will be empty outputMask: &types.EntryMask{}, updateEntries: []*types.Entry{ { - Ttl: 500000, + X509SvidTtl: 500000, }, }, expectDsEntries: func(m string) []*types.Entry { modifiedEntry := proto.Clone(initialEntry).(*types.Entry) modifiedEntry.Id = m - modifiedEntry.Ttl = 500000 + modifiedEntry.X509SvidTtl = 500000 modifiedEntry.RevisionNumber = 1 return []*types.Entry{modifiedEntry} }, @@ -3755,7 +3775,7 @@ func TestBatchUpdateEntry(t *testing.T) { telemetry.Status: "success", telemetry.Type: "audit", telemetry.RegistrationID: m[entry1SpiffeID.Path], - telemetry.TTL: "500000", + telemetry.X509SVIDTTL: "500000", }, }, } diff --git a/pkg/server/api/entry_test.go b/pkg/server/api/entry_test.go index 6d319992ef..1ee008d17c 100644 --- a/pkg/server/api/entry_test.go 
+++ b/pkg/server/api/entry_test.go @@ -26,10 +26,11 @@ func TestRegistrationEntryToProto(t *testing.T) { { name: "success", entry: &common.RegistrationEntry{ - EntryId: "entry1", - ParentId: "spiffe://example.org/foo", - SpiffeId: "spiffe://example.org/bar", - Ttl: 60, + EntryId: "entry1", + ParentId: "spiffe://example.org/foo", + SpiffeId: "spiffe://example.org/bar", + X509SvidTtl: 70, + JwtSvidTtl: 80, Selectors: []*common.Selector{ {Type: "unix", Value: "uid:1000"}, {Type: "unix", Value: "gid:1000"}, @@ -48,10 +49,11 @@ func TestRegistrationEntryToProto(t *testing.T) { RevisionNumber: 99, }, expectEntry: &types.Entry{ - Id: "entry1", - ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/foo"}, - SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/bar"}, - Ttl: 60, + Id: "entry1", + ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/foo"}, + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/bar"}, + X509SvidTtl: 70, + JwtSvidTtl: 80, Selectors: []*types.Selector{ {Type: "unix", Value: "uid:1000"}, {Type: "unix", Value: "gid:1000"}, @@ -118,10 +120,11 @@ func TestProtoToRegistrationEntryWithMask(t *testing.T) { { name: "mask including all fields", entry: &types.Entry{ - Id: "entry1", - ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/foo"}, - SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/bar"}, - Ttl: 60, + Id: "entry1", + ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/foo"}, + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/bar"}, + X509SvidTtl: 70, + JwtSvidTtl: 80, Selectors: []*types.Selector{ {Type: "unix", Value: "uid:1000"}, {Type: "unix", Value: "gid:1000"}, 
@@ -140,10 +143,11 @@ func TestProtoToRegistrationEntryWithMask(t *testing.T) { RevisionNumber: 99, }, expectEntry: &common.RegistrationEntry{ - EntryId: "entry1", - ParentId: "spiffe://example.org/foo", - SpiffeId: "spiffe://example.org/bar", - Ttl: 60, + EntryId: "entry1", + ParentId: "spiffe://example.org/foo", + SpiffeId: "spiffe://example.org/bar", + X509SvidTtl: 70, + JwtSvidTtl: 80, Selectors: []*common.Selector{ {Type: "unix", Value: "uid:1000"}, {Type: "unix", Value: "gid:1000"}, @@ -168,7 +172,8 @@ func TestProtoToRegistrationEntryWithMask(t *testing.T) { Selectors: []*types.Selector{}, DnsNames: []string{"name1"}, FederatesWith: []string{"domain.test"}, - Ttl: 1, + X509SvidTtl: 2, + JwtSvidTtl: 3, Admin: true, Downstream: true, ExpiresAt: 4, @@ -209,10 +214,11 @@ func TestProtoToRegistrationEntry(t *testing.T) { { name: "success", entry: &types.Entry{ - Id: "entry1", - ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/foo"}, - SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/bar"}, - Ttl: 60, + Id: "entry1", + ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/foo"}, + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/bar"}, + X509SvidTtl: 70, + JwtSvidTtl: 80, Selectors: []*types.Selector{ {Type: "unix", Value: "uid:1000"}, {Type: "unix", Value: "gid:1000"}, @@ -231,10 +237,11 @@ func TestProtoToRegistrationEntry(t *testing.T) { RevisionNumber: 99, }, expectEntry: &common.RegistrationEntry{ - EntryId: "entry1", - ParentId: "spiffe://example.org/foo", - SpiffeId: "spiffe://example.org/bar", - Ttl: 60, + EntryId: "entry1", + ParentId: "spiffe://example.org/foo", + SpiffeId: "spiffe://example.org/bar", + X509SvidTtl: 70, + JwtSvidTtl: 80, Selectors: []*common.Selector{ {Type: "unix", Value: "uid:1000"}, {Type: "unix", Value: "gid:1000"}, diff --git a/pkg/server/api/svid/v1/service.go b/pkg/server/api/svid/v1/service.go index 7aa49cc83c..9b86dfc408 100644 --- a/pkg/server/api/svid/v1/service.go 
+++ b/pkg/server/api/svid/v1/service.go @@ -254,7 +254,7 @@ func (s *Service) newX509SVID(ctx context.Context, param *svidv1.NewX509SVIDPara SpiffeID: spiffeID, PublicKey: csr.PublicKey, DNSList: entry.DnsNames, - TTL: time.Duration(entry.Ttl) * time.Second, + TTL: time.Duration(entry.X509SvidTtl) * time.Second, }) if err != nil { return &svidv1.BatchNewX509SVIDResponse_Result{ @@ -338,12 +338,12 @@ func (s *Service) NewJWTSVID(ctx context.Context, req *svidv1.NewJWTSVIDRequest) return nil, api.MakeErr(log, codes.NotFound, "entry not found or not authorized", nil) } - jwtsvid, err := s.mintJWTSVID(ctx, entry.SpiffeId, req.Audience, entry.Ttl) + jwtsvid, err := s.mintJWTSVID(ctx, entry.SpiffeId, req.Audience, entry.JwtSvidTtl) if err != nil { return nil, err } rpccontext.AuditRPCWithFields(ctx, logrus.Fields{ - telemetry.TTL: entry.Ttl, + telemetry.TTL: entry.JwtSvidTtl, }) return &svidv1.NewJWTSVIDResponse{ @@ -377,7 +377,7 @@ func (s *Service) NewDownstreamX509CA(ctx context.Context, req *svidv1.NewDownst x509CASvid, err := s.ca.SignX509CASVID(ctx, ca.X509CASVIDParams{ SpiffeID: s.td.ID(), PublicKey: csr.PublicKey, - TTL: time.Duration(entry.Ttl) * time.Second, + TTL: time.Duration(entry.X509SvidTtl) * time.Second, }) if err != nil { return nil, api.MakeErr(log, codes.Internal, "failed to sign downstream X.509 CA", err) diff --git a/pkg/server/api/svid/v1/service_test.go b/pkg/server/api/svid/v1/service_test.go index ac06da209e..3777881337 100644 --- a/pkg/server/api/svid/v1/service_test.go +++ b/pkg/server/api/svid/v1/service_test.go 
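Review bot: In the `NewJWTSVID` hunk the audit record still uses the generic key, `telemetry.TTL: entry.JwtSvidTtl`, while the entry API tests in this commit expect the split keys `telemetry.X509SVIDTTL` and `telemetry.JWTSVIDTTL`. Someone correlating audit logs across the two APIs cannot tell from the key which TTL was recorded; `telemetry.JWTSVIDTTL: entry.JwtSvidTtl,` would keep them consistent, with the expected log fields in `service_test.go` updated to match. The logged value is also the configured entry TTL, so it reads 0 when the entry leaves `JwtSvidTtl` unset and the token presumably gets the server default (minting is outside this hunk). The function body starts and ends outside the hunk.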
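Review bot: The `NewDownstreamX509CA` hunk now takes the downstream CA lifetime from `entry.X509SvidTtl`, and nothing at the call site says that an SVID TTL field also bounds an intermediate CA certificate. A short comment above the `TTL:` field would make that explicit for reviewers of CA lifetimes, for example `// Downstream CA lifetime follows the entry's X509-SVID TTL; JwtSvidTtl does not apply here.` What happens when the value is 0 is decided inside `SignX509CASVID`, which is not visible in this hunk.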
@@ -831,10 +831,17 @@ func TestServiceNewJWTSVID(t *testing.T) { SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/agent"}, } entryWithTTL := &types.Entry{ - Id: "agent-entry-ttl-id", - ParentId: api.ProtoFromID(agentID), - SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/agent-ttl"}, - Ttl: 10, + Id: "agent-entry-ttl-id", + ParentId: api.ProtoFromID(agentID), + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/agent-ttl"}, + X509SvidTtl: 10, + } + entryWithJWTTTL := &types.Entry{ + Id: "agent-entry-ttl-id", + ParentId: api.ProtoFromID(agentID), + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/agent-ttl"}, + X509SvidTtl: 30, // ensure this isn't used + JwtSvidTtl: 10, } invalidEntry := &types.Entry{ Id: "invalid-entry", @@ -842,7 +849,7 @@ func TestServiceNewJWTSVID(t *testing.T) { SpiffeId: &types.SPIFFEID{}, } - test.ef.entries = []*types.Entry{entry, entryWithTTL, invalidEntry} + test.ef.entries = []*types.Entry{entry, entryWithTTL, entryWithJWTTTL, invalidEntry} jwtKey := test.ca.JWTKey() now := test.ca.Clock().Now().UTC() @@ -900,6 +907,25 @@ func TestServiceNewJWTSVID(t *testing.T) { }, }, }, + { + name: "success custom JWT TTL", + audience: []string{"AUDIENCE"}, + entry: entryWithJWTTTL, + expiresAt: now.Add(10 * time.Second), + expectLogs: []spiretest.LogEntry{ + { + Level: logrus.InfoLevel, + Message: "API accessed", + Data: logrus.Fields{ + telemetry.Status: "success", + telemetry.Type: "audit", + telemetry.Audience: "AUDIENCE", + telemetry.RegistrationID: "agent-entry-ttl-id", + telemetry.TTL: "10", + }, + }, + }, + }, { name: "no SPIFFE ID", code: codes.InvalidArgument, @@ -1102,7 +1128,7 @@ func TestServiceNewJWTSVID(t *testing.T) { issuedAt, tt.expiresAt, expiresAt, - time.Duration(tt.entry.Ttl)*time.Second) + time.Duration(tt.entry.X509SvidTtl)*time.Second) }) } } 
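Review bot: The new fixture `entryWithJWTTTL` reuses both the `Id` (`"agent-entry-ttl-id"`) and the SPIFFE ID path (`"/agent-ttl"`) of `entryWithTTL`, and the next hunk puts both into `test.ef.entries`. If the fake entry fetcher resolves by ID or SPIFFE ID (its lookup is not visible here), the "success custom JWT TTL" case could be served the other fixture and pass or fail for the wrong reason. Giving the fixture its own identity removes the ambiguity, e.g. `Id: "agent-entry-jwt-ttl-id"` and `Path: "/agent-jwt-ttl"` (constructed names), with `telemetry.RegistrationID` in the new case updated to match.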
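Review bot: In the last hunk of `TestServiceNewJWTSVID` the trailing argument was renamed to `time.Duration(tt.entry.X509SvidTtl)*time.Second`, but this test exercises the JWT-SVID TTL. For `entryWithJWTTTL` that argument evaluates to 30s while the expected expiry is built from 10s, so a failure would report the wrong TTL. It should read `time.Duration(tt.entry.JwtSvidTtl)*time.Second`. The enclosing assertion call starts outside the hunk, so the argument's role as a message parameter is inferred.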
@@ -1123,22 +1149,32 @@ func TestServiceBatchNewX509SVID(t *testing.T) { DnsNames: []string{"entryDNS1", "entryDNS2"}, } ttlEntry := &types.Entry{ - Id: "ttl", - ParentId: api.ProtoFromID(agentID), - SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/ttl"}, - Ttl: 10, + Id: "ttl", + ParentId: api.ProtoFromID(agentID), + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/ttl"}, + X509SvidTtl: 10, + JwtSvidTtl: 30, // ensures this is ignored + } + x509TtlEntry := &types.Entry{ + Id: "x509ttl", + ParentId: api.ProtoFromID(agentID), + SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/ttl"}, + X509SvidTtl: 50, + JwtSvidTtl: 30, // ensures this is ignored } invalidEntry := &types.Entry{ Id: "invalid", ParentId: api.ProtoFromID(agentID), } - test.ef.entries = []*types.Entry{workloadEntry, dnsEntry, ttlEntry, invalidEntry} + test.ef.entries = []*types.Entry{workloadEntry, dnsEntry, ttlEntry, x509TtlEntry, invalidEntry} x509CA := test.ca.X509CA() now := test.ca.Clock().Now().UTC() - expiresAtFromTTLEntry := now.Add(time.Duration(ttlEntry.Ttl) * time.Second).Unix() + expiresAtFromTTLEntry := now.Add(time.Duration(ttlEntry.X509SvidTtl) * time.Second).Unix() expiresAtFromTTLEntryStr := strconv.FormatInt(expiresAtFromTTLEntry, 10) + expiresAtFromX509TTLEntry := now.Add(time.Duration(x509TtlEntry.X509SvidTtl) * time.Second).Unix() + expiresAtFromX509TTLEntryStr := strconv.FormatInt(expiresAtFromX509TTLEntry, 10) expiresAtFromCA := now.Add(test.ca.X509SVIDTTL()).Unix() expiresAtFromCAStr := strconv.FormatInt(expiresAtFromCA, 10) 
@@ -1209,6 +1245,29 @@ func TestServiceBatchNewX509SVID(t *testing.T) { }, } }, + }, { + name: "custom x509 ttl", + reqs: []string{x509TtlEntry.Id}, + expectResults: []*expectResult{ + { + entry: x509TtlEntry, + }, + }, + expectLogs: func(m map[string][]byte) []spiretest.LogEntry { + return []spiretest.LogEntry{ + { + Level: logrus.InfoLevel, + Message: "API accessed", + Data: logrus.Fields{ + telemetry.Status: "success", + telemetry.Type: "audit", + telemetry.RegistrationID: "x509ttl", + telemetry.Csr: api.HashByte(m["x509ttl"]), + telemetry.ExpiresAt: expiresAtFromX509TTLEntryStr, + }, + }, + } + }, }, { name: "custom dns", reqs: []string{dnsEntry.Id}, @@ -1725,8 +1784,8 @@ func TestServiceBatchNewX509SVID(t *testing.T) { // Use entry ttl when defined ttl := test.ca.X509SVIDTTL() - if entry.Ttl != 0 { - ttl = time.Duration(entry.Ttl) * time.Second + if entry.X509SvidTtl != 0 { + ttl = time.Duration(entry.X509SvidTtl) * time.Second } expiresAt := now.Add(ttl) diff --git a/pkg/server/config.go b/pkg/server/config.go index 1c970acc9c..ee661c9eea 100644 --- a/pkg/server/config.go +++ b/pkg/server/config.go @@ -59,8 +59,11 @@ type Config struct { // AgentTTL is time-to-live for agent SVIDs AgentTTL time.Duration - // SVIDTTL is default time-to-live for SVIDs - SVIDTTL time.Duration + // X509SVIDTTL is default time-to-live for X509-SVIDs (overrides SVIDTTL) + X509SVIDTTL time.Duration + + // JWTSVIDTTL is default time-to-live for SVIDs (overrides SVIDTTL) + JWTSVIDTTL time.Duration // CATTL is the time-to-live for the server CA. This only applies to // self-signed CA certificates, otherwise it is up to the upstream CA. diff --git a/pkg/server/datastore/sqlstore/models.go b/pkg/server/datastore/sqlstore/models.go index 15fdbdd6ed..eed35d1e59 100644 --- a/pkg/server/datastore/sqlstore/models.go +++ b/pkg/server/datastore/sqlstore/models.go 
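Review bot: In the `pkg/server/config.go` hunk the comment on `JWTSVIDTTL` says "default time-to-live for SVIDs", which reads as covering both SVID kinds, and both new comments say "(overrides SVIDTTL)" although this hunk removes the `SVIDTTL` field from `Config`. A reader of the struct has nothing left to resolve that reference against. Suggest `// X509SVIDTTL is the default time-to-live for X509-SVIDs.` and `// JWTSVIDTTL is the default time-to-live for JWT-SVIDs.`, naming the configuration option that is overridden if that is what the parenthetical refers to. The `Config` struct continues outside the hunk.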
@@ -76,7 +76,7 @@ type RegisteredEntry struct { EntryID string `gorm:"unique_index"` SpiffeID string `gorm:"index"` ParentID string `gorm:"index"` - // TTL of identities derived from this entry + // TTL of identities derived from this entry. This field represents the X509-SVID TTL of the Entry TTL int32 Selectors []Selector FederatesWith []Bundle `gorm:"many2many:federated_registration_entries;"` @@ -99,6 +99,7 @@ type RegisteredEntry struct { Hint string // TTL of X509 identities derived from this entry + // Deprecated: remove this in 1.6.0. The purpose of this column will be fulfilled by the TTL column X509SvidTTL int32 `gorm:"column:x509_svid_ttl"` // TTL of JWT identities derived from this entry diff --git a/pkg/server/datastore/sqlstore/sqlstore.go b/pkg/server/datastore/sqlstore/sqlstore.go index c4cdc3765d..212249a8bd 100644 --- a/pkg/server/datastore/sqlstore/sqlstore.go +++ b/pkg/server/datastore/sqlstore/sqlstore.go @@ -1782,11 +1782,12 @@ func createRegistrationEntry(tx *gorm.DB, entry *common.RegistrationEntry) (*com EntryID: entryID, SpiffeID: entry.SpiffeId, ParentID: entry.ParentId, - TTL: entry.Ttl, + TTL: entry.X509SvidTtl, Admin: entry.Admin, Downstream: entry.Downstream, Expiry: entry.EntryExpiry, StoreSvid: entry.StoreSvid, + JWTSvidTTL: entry.JwtSvidTtl, } if err := tx.Create(&newRegisteredEntry).Error; err != nil { @@ -1907,7 +1908,8 @@ SELECT NULL AS trust_domain, NULL AS dns_name_id, NULL AS dns_name, - revision_number + revision_number, + jwt_svid_ttl AS reg_jwt_svid_ttl FROM registered_entries WHERE id IN (SELECT id FROM listing) @@ -1915,7 +1917,7 @@ WHERE id IN (SELECT id FROM listing) UNION SELECT - F.registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, B.trust_domain, NULL, NULL, NULL + F.registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, B.trust_domain, NULL, NULL, NULL, NULL FROM bundles B INNER JOIN 
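Review bot: In the second `models.go` hunk the `// Deprecated:` line is added directly under the existing comment line on `X509SvidTTL`, so it is part of the same comment paragraph. Go tooling only recognises a deprecation notice when `Deprecated:` starts its own paragraph, so a bare `//` line should separate the two. It would also help to state that the column is no longer written: `createRegistrationEntry` in this commit sets only `TTL` and `JWTSvidTTL`. The `RegisteredEntry` struct starts and ends outside the hunk.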
@@ -1928,7 +1930,7 @@ WHERE UNION SELECT - registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, value, NULL + registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, value, NULL, NULL FROM dns_names WHERE registered_entry_id IN (SELECT id FROM listing) @@ -1936,7 +1938,7 @@ WHERE registered_entry_id IN (SELECT id FROM listing) UNION SELECT - registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, type, value, NULL, NULL, NULL, NULL + registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, type, value, NULL, NULL, NULL, NULL, NULL FROM selectors WHERE registered_entry_id IN (SELECT id FROM listing) @@ -1967,7 +1969,8 @@ SELECT NULL AS trust_domain, NULL ::integer AS dns_name_id, NULL AS dns_name, - revision_number + revision_number, + jwt_svid_ttl AS reg_jwt_svid_ttl FROM registered_entries WHERE id IN (SELECT id FROM listing) @@ -1975,7 +1978,7 @@ WHERE id IN (SELECT id FROM listing) UNION SELECT - F.registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, B.trust_domain, NULL, NULL, NULL + F.registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, B.trust_domain, NULL, NULL, NULL, NULL FROM bundles B INNER JOIN @@ -1988,7 +1991,7 @@ WHERE UNION SELECT - registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, value, NULL + registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, value, NULL, NULL FROM dns_names WHERE registered_entry_id IN (SELECT id FROM listing) 
@@ -1996,7 +1999,7 @@ WHERE registered_entry_id IN (SELECT id FROM listing) UNION SELECT - registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, type, value, NULL, NULL, NULL, NULL + registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, type, value, NULL, NULL, NULL, NULL, NULL FROM selectors WHERE registered_entry_id IN (SELECT id FROM listing) @@ -2024,7 +2027,8 @@ SELECT B.trust_domain, D.id AS dns_name_id, D.value AS dns_name, - E.revision_number + E.revision_number, + E.jwt_svid_ttl AS reg_jwt_svid_ttl FROM registered_entries E LEFT JOIN @@ -2062,7 +2066,8 @@ SELECT NULL AS trust_domain, NULL AS dns_name_id, NULL AS dns_name, - revision_number + revision_number, + jwt_svid_ttl AS reg_jwt_svid_ttl FROM registered_entries WHERE id IN (SELECT id FROM listing) @@ -2070,7 +2075,7 @@ WHERE id IN (SELECT id FROM listing) UNION SELECT - F.registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, B.trust_domain, NULL, NULL, NULL + F.registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, B.trust_domain, NULL, NULL, NULL, NULL FROM bundles B INNER JOIN @@ -2083,7 +2088,7 @@ WHERE UNION SELECT - registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, value, NULL + registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, value, NULL, NULL FROM dns_names WHERE registered_entry_id IN (SELECT id FROM listing) @@ -2091,7 +2096,7 @@ WHERE registered_entry_id IN (SELECT id FROM listing) UNION SELECT - registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, type, value, NULL, NULL, NULL, NULL + registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, type, value, NULL, NULL, NULL, NULL, NULL FROM selectors WHERE registered_entry_id IN (SELECT id FROM listing) 
@@ -2309,7 +2314,8 @@ SELECT NULL AS trust_domain, NULL AS dns_name_id, NULL AS dns_name, - revision_number + revision_number, + jwt_svid_ttl AS reg_jwt_svid_ttl FROM registered_entries `) @@ -2320,7 +2326,7 @@ FROM UNION SELECT - F.registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, B.trust_domain, NULL, NULL, NULL + F.registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, B.trust_domain, NULL, NULL, NULL, NULL FROM bundles B INNER JOIN @@ -2335,7 +2341,7 @@ ON UNION SELECT - registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, value, NULL + registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, value, NULL, NULL FROM dns_names `) @@ -2346,7 +2352,7 @@ FROM UNION SELECT - registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, type, value, NULL, NULL, NULL, NULL + registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, type, value, NULL, NULL, NULL, NULL, NULL FROM selectors `) @@ -2388,7 +2394,8 @@ SELECT NULL AS trust_domain, NULL ::integer AS dns_name_id, NULL AS dns_name, - revision_number + revision_number, + jwt_svid_ttl AS reg_jwt_svid_ttl FROM registered_entries `) @@ -2399,7 +2406,7 @@ FROM UNION SELECT - F.registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, B.trust_domain, NULL, NULL, NULL + F.registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, B.trust_domain, NULL, NULL, NULL, NULL FROM bundles B INNER JOIN @@ -2414,7 +2421,7 @@ ON UNION SELECT - registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, value, NULL + registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, value, NULL, NULL FROM dns_names `) 
@@ -2425,7 +2432,7 @@ FROM UNION SELECT - registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, type, value, NULL, NULL, NULL, NULL + registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, type, value, NULL, NULL, NULL, NULL, NULL FROM selectors `) @@ -2471,7 +2478,8 @@ SELECT B.trust_domain, D.id AS dns_name_id, D.value AS dns_name, - E.revision_number + E.revision_number, + E.jwt_svid_ttl AS reg_jwt_svid_ttl FROM registered_entries E LEFT JOIN @@ -2526,7 +2534,8 @@ SELECT NULL AS trust_domain, NULL AS dns_name_id, NULL AS dns_name, - revision_number + revision_number, + jwt_svid_ttl AS reg_jwt_svid_ttl FROM registered_entries `) @@ -2537,7 +2546,7 @@ FROM UNION SELECT - F.registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, B.trust_domain, NULL, NULL, NULL + F.registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, B.trust_domain, NULL, NULL, NULL, NULL FROM bundles B INNER JOIN @@ -2552,7 +2561,7 @@ ON UNION SELECT - registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, value, NULL + registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, value, NULL, NULL FROM dns_names `) @@ -2563,7 +2572,7 @@ FROM UNION SELECT - registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, type, value, NULL, NULL, NULL, NULL + registered_entry_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, id, type, value, NULL, NULL, NULL, NULL, NULL FROM selectors `) @@ -3018,6 +3027,7 @@ type entryRow struct { DNSNameID sql.NullInt64 DNSName sql.NullString RevisionNumber sql.NullInt64 + RegJwtSvidTTL sql.NullInt64 } func scanEntryRow(rs *sql.Rows, r *entryRow) error { @@ -3038,6 +3048,7 @@ func scanEntryRow(rs *sql.Rows, r *entryRow) error { &r.DNSNameID, &r.DNSName, &r.RevisionNumber, + &r.RegJwtSvidTTL, )) } 
@@ -3051,9 +3062,6 @@ func fillEntryFromRow(entry *common.RegistrationEntry, r *entryRow) error { if r.ParentID.Valid { entry.ParentId = r.ParentID.String } - if r.RegTTL.Valid { - entry.Ttl = int32(r.RegTTL.Int64) - } if r.Admin.Valid { entry.Admin = r.Admin.Bool } @@ -3087,6 +3095,14 @@ func fillEntryFromRow(entry *common.RegistrationEntry, r *entryRow) error { if r.TrustDomain.Valid { entry.FederatesWith = append(entry.FederatesWith, r.TrustDomain.String) } + + if r.RegTTL.Valid { + entry.X509SvidTtl = int32(r.RegTTL.Int64) + } + + if r.RegJwtSvidTTL.Valid { + entry.JwtSvidTtl = int32(r.RegJwtSvidTTL.Int64) + } return nil } @@ -3166,8 +3182,8 @@ func updateRegistrationEntry(tx *gorm.DB, e *common.RegistrationEntry, mask *com if mask == nil || mask.ParentId { entry.ParentID = e.ParentId } - if mask == nil || mask.Ttl { - entry.TTL = e.Ttl + if mask == nil || mask.X509SvidTtl { + entry.TTL = e.X509SvidTtl } if mask == nil || mask.Admin { entry.Admin = e.Admin @@ -3178,6 +3194,9 @@ func updateRegistrationEntry(tx *gorm.DB, e *common.RegistrationEntry, mask *com if mask == nil || mask.EntryExpiry { entry.Expiry = e.EntryExpiry } + if mask == nil || mask.JwtSvidTtl { + entry.JWTSvidTTL = e.JwtSvidTtl + } // Revision number is increased by 1 on every update call entry.RevisionNumber++ @@ -3546,8 +3565,12 @@ func validateRegistrationEntry(entry *common.RegistrationEntry) error { return sqlError.New("invalid registration entry: missing SPIFFE ID") } - if entry.Ttl < 0 { - return sqlError.New("invalid registration entry: TTL is not set") + if entry.X509SvidTtl < 0 { + return sqlError.New("invalid registration entry: X509SvidTtl is not set") + } + + if entry.JwtSvidTtl < 0 { + return sqlError.New("invalid registration entry: JwtSvidTtl is not set") } return nil 
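Review bot: The new checks in `validateRegistrationEntry` reject only negative values but report `X509SvidTtl is not set` and `JwtSvidTtl is not set`, while an unset (zero) TTL passes. The message therefore misstates the failure an operator will see; `invalid registration entry: X509SvidTtl is negative` (and the same for `JwtSvidTtl`) matches the condition, with the expected strings in `sqlstore_test.go` updated. The same wording is repeated in `validateRegistrationEntryForUpdate` in the `@@ -3582` hunk. No upper bound is checked at this layer, so any cap on per-entry SVID lifetime has to come from the API layer or the CA, neither of which is visible here. Both function bodies start outside their hunks.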
@@ -3582,9 +3605,14 @@ func validateRegistrationEntryForUpdate(entry *common.RegistrationEntry, mask *c return sqlError.New("invalid registration entry: missing SPIFFE ID") } - if (mask == nil || mask.Ttl) && - (entry.Ttl < 0) { - return sqlError.New("invalid registration entry: TTL is not set") + if (mask == nil || mask.X509SvidTtl) && + (entry.X509SvidTtl < 0) { + return sqlError.New("invalid registration entry: X509SvidTtl is not set") + } + + if (mask == nil || mask.JwtSvidTtl) && + (entry.JwtSvidTtl < 0) { + return sqlError.New("invalid registration entry: JwtSvidTtl is not set") } return nil @@ -3649,7 +3677,7 @@ func modelToEntry(tx *gorm.DB, model RegisteredEntry) (*common.RegistrationEntry Selectors: selectors, SpiffeId: model.SpiffeID, ParentId: model.ParentID, - Ttl: model.TTL, + X509SvidTtl: model.TTL, FederatesWith: federatesWith, Admin: model.Admin, Downstream: model.Downstream, @@ -3657,6 +3685,7 @@ func modelToEntry(tx *gorm.DB, model RegisteredEntry) (*common.RegistrationEntry DnsNames: dnsList, RevisionNumber: model.RevisionNumber, StoreSvid: model.StoreSvid, + JwtSvidTtl: model.JWTSvidTTL, }, nil } diff --git a/pkg/server/datastore/sqlstore/sqlstore_test.go b/pkg/server/datastore/sqlstore/sqlstore_test.go index ab1f2ff256..d6eb9fb782 100644 --- a/pkg/server/datastore/sqlstore/sqlstore_test.go +++ b/pkg/server/datastore/sqlstore/sqlstore_test.go @@ -1338,9 +1338,9 @@ func (s *PluginSuite) TestFetchRegistrationEntry() { {Type: "Type2", Value: "Value2"}, {Type: "Type3", Value: "Value3"}, }, - SpiffeId: "SpiffeId", - ParentId: "ParentId", - Ttl: 1, + SpiffeId: "SpiffeId", + ParentId: "ParentId", + X509SvidTtl: 1, DnsNames: []string{ "abcd.efg", "somehost", 
@@ -1353,10 +1353,10 @@ func (s *PluginSuite) TestFetchRegistrationEntry() { Selectors: []*common.Selector{ {Type: "Type1", Value: "Value1"}, }, - SpiffeId: "SpiffeId", - ParentId: "ParentId", - Ttl: 1, - StoreSvid: true, + SpiffeId: "SpiffeId", + ParentId: "ParentId", + X509SvidTtl: 1, + StoreSvid: true, }, }, } { @@ -1383,7 +1383,7 @@ func (s *PluginSuite) TestPruneRegistrationEntries() { }, SpiffeId: "SpiffeId", ParentId: "ParentId", - Ttl: 1, + X509SvidTtl: 1, EntryExpiry: now.Unix(), } @@ -2201,19 +2201,22 @@ func (s *PluginSuite) TestUpdateRegistrationEntry() { {Type: "Type2", Value: "Value2"}, {Type: "Type3", Value: "Value3"}, }, - SpiffeId: "spiffe://example.org/foo", - ParentId: "spiffe://example.org/bar", - Ttl: 1, + SpiffeId: "spiffe://example.org/foo", + ParentId: "spiffe://example.org/bar", + X509SvidTtl: 1, + JwtSvidTtl: 20, }) - entry.Ttl = 2 + entry.X509SvidTtl = 11 + entry.JwtSvidTtl = 21 entry.Admin = true entry.Downstream = true updatedRegistrationEntry, err := s.ds.UpdateRegistrationEntry(ctx, entry, nil) s.Require().NoError(err) // Verify output has expected values - s.Require().Equal(int32(2), entry.Ttl) + s.Require().Equal(int32(11), entry.X509SvidTtl) + s.Require().Equal(int32(21), entry.JwtSvidTtl) s.Require().True(entry.Admin) s.Require().True(entry.Downstream) @@ -2234,9 +2237,9 @@ func (s *PluginSuite) TestUpdateRegistrationEntryWithStoreSvid() { {Type: "Type1", Value: "Value2"}, {Type: "Type1", Value: "Value3"}, }, - SpiffeId: "spiffe://example.org/foo", - ParentId: "spiffe://example.org/bar", - Ttl: 1, + SpiffeId: "spiffe://example.org/foo", + ParentId: "spiffe://example.org/bar", + X509SvidTtl: 1, }) entry.StoreSvid = true 
@@ -2263,16 +2266,17 @@ func (s *PluginSuite) TestUpdateRegistrationEntryWithStoreSvid() { } func (s *PluginSuite) TestUpdateRegistrationEntryWithMask() { - // There are 9 fields in a registration entry. Of these, 3 have some validation in the SQL - // layer. In this test, we update each of the 9 fields and make sure update works, and also check - // with the mask value false to make sure nothing changes. For the 3 fields that have validation + // There are 11 fields in a registration entry. Of these, 5 have some validation in the SQL + // layer. In this test, we update each of the 11 fields and make sure update works, and also check + // with the mask value false to make sure nothing changes. For the 5 fields that have validation // we try with good data, bad data, and with or without a mask (so 4 cases each.) // Note that most of the input validation is done in the API layer and has more extensive tests there. oldEntry := &common.RegistrationEntry{ ParentId: "spiffe://example.org/oldParentId", SpiffeId: "spiffe://example.org/oldSpiffeId", - Ttl: 1000, + X509SvidTtl: 1000, + JwtSvidTtl: 3000, Selectors: []*common.Selector{{Type: "Type1", Value: "Value1"}}, FederatesWith: []string{"spiffe://dom1.org"}, Admin: false, @@ -2284,7 +2288,8 @@ func (s *PluginSuite) TestUpdateRegistrationEntryWithMask() { newEntry := &common.RegistrationEntry{ ParentId: "spiffe://example.org/oldParentId", SpiffeId: "spiffe://example.org/newSpiffeId", - Ttl: 1000, + X509SvidTtl: 4000, + JwtSvidTtl: 6000, Selectors: []*common.Selector{{Type: "Type2", Value: "Value2"}}, FederatesWith: []string{"spiffe://dom2.org"}, Admin: false, @@ -2296,7 +2301,8 @@ func (s *PluginSuite) TestUpdateRegistrationEntryWithMask() { badEntry := &common.RegistrationEntry{ ParentId: "not a good parent id", SpiffeId: "", - Ttl: -1000, + X509SvidTtl: -1000, + JwtSvidTtl: -3000, Selectors: []*common.Selector{}, FederatesWith: []string{"invalid federated bundle"}, Admin: false, 
@@ -2341,22 +2347,39 @@ func (s *PluginSuite) TestUpdateRegistrationEntryWithMask() { mask: &common.RegistrationEntryMask{ParentId: false}, update: func(e *common.RegistrationEntry) { e.ParentId = newEntry.ParentId }, result: func(e *common.RegistrationEntry) {}}, - // TTL FIELD -- This field is validated so we check with good and bad data - {name: "Update TTL, Good Data, Mask True", - mask: &common.RegistrationEntryMask{Ttl: true}, - update: func(e *common.RegistrationEntry) { e.Ttl = newEntry.Ttl }, - result: func(e *common.RegistrationEntry) { e.Ttl = newEntry.Ttl }}, - {name: "Update TTL, Good Data, Mask False", - mask: &common.RegistrationEntryMask{Ttl: false}, - update: func(e *common.RegistrationEntry) { e.Ttl = badEntry.Ttl }, + // X509 SVID TTL FIELD -- This field is validated so we check with good and bad data + {name: "Update X509 SVID TTL, Good Data, Mask True", + mask: &common.RegistrationEntryMask{X509SvidTtl: true}, + update: func(e *common.RegistrationEntry) { e.X509SvidTtl = newEntry.X509SvidTtl }, + result: func(e *common.RegistrationEntry) { e.X509SvidTtl = newEntry.X509SvidTtl }}, + {name: "Update X509 SVID TTL, Good Data, Mask False", + mask: &common.RegistrationEntryMask{X509SvidTtl: false}, + update: func(e *common.RegistrationEntry) { e.X509SvidTtl = badEntry.X509SvidTtl }, result: func(e *common.RegistrationEntry) {}}, - {name: "Update TTL, Bad Data, Mask True", - mask: &common.RegistrationEntryMask{Ttl: true}, - update: func(e *common.RegistrationEntry) { e.Ttl = badEntry.Ttl }, - err: errors.New("invalid registration entry: TTL is not set")}, - {name: "Update TTL, Bad Data, Mask False", - mask: &common.RegistrationEntryMask{Ttl: false}, - update: func(e *common.RegistrationEntry) { e.Ttl = badEntry.Ttl }, + {name: "Update X509 SVID TTL, Bad Data, Mask True", + mask: &common.RegistrationEntryMask{X509SvidTtl: true}, + update: func(e *common.RegistrationEntry) { e.X509SvidTtl = badEntry.X509SvidTtl }, + err: errors.New("invalid registration 
entry: X509SvidTtl is not set")}, + {name: "Update X509 SVID TTL, Bad Data, Mask False", + mask: &common.RegistrationEntryMask{X509SvidTtl: false}, + update: func(e *common.RegistrationEntry) { e.X509SvidTtl = badEntry.X509SvidTtl }, + result: func(e *common.RegistrationEntry) {}}, + // JWT SVID TTL FIELD -- This field is validated so we check with good and bad data + {name: "Update JWT SVID TTL, Good Data, Mask True", + mask: &common.RegistrationEntryMask{JwtSvidTtl: true}, + update: func(e *common.RegistrationEntry) { e.JwtSvidTtl = newEntry.JwtSvidTtl }, + result: func(e *common.RegistrationEntry) { e.JwtSvidTtl = newEntry.JwtSvidTtl }}, + {name: "Update JWT SVID TTL, Good Data, Mask False", + mask: &common.RegistrationEntryMask{JwtSvidTtl: false}, + update: func(e *common.RegistrationEntry) { e.JwtSvidTtl = badEntry.JwtSvidTtl }, + result: func(e *common.RegistrationEntry) {}}, + {name: "Update JWT SVID TTL, Bad Data, Mask True", + mask: &common.RegistrationEntryMask{JwtSvidTtl: true}, + update: func(e *common.RegistrationEntry) { e.JwtSvidTtl = badEntry.JwtSvidTtl }, + err: errors.New("invalid registration entry: JwtSvidTtl is not set")}, + {name: "Update JWT SVID TTL, Bad Data, Mask False", + mask: &common.RegistrationEntryMask{JwtSvidTtl: false}, + update: func(e *common.RegistrationEntry) { e.JwtSvidTtl = badEntry.JwtSvidTtl }, result: func(e *common.RegistrationEntry) {}}, // SELECTORS FIELD -- This field is validated so we check with good and bad data {name: "Update Selectors, Good Data, Mask True", @@ -2494,9 +2517,9 @@ func (s *PluginSuite) TestDeleteRegistrationEntry() { {Type: "Type2", Value: "Value2"}, {Type: "Type3", Value: "Value3"}, }, - SpiffeId: "spiffe://example.org/foo", - ParentId: "spiffe://example.org/bar", - Ttl: 1, + SpiffeId: "spiffe://example.org/foo", + ParentId: "spiffe://example.org/bar", + X509SvidTtl: 1, }) s.createRegistrationEntry(&common.RegistrationEntry{ 
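Review bot: In the TestUpdateRegistrationEntryWithMask table, the cases named "Update X509 SVID TTL, Good Data, Mask False" and "Update JWT SVID TTL, Good Data, Mask False" assign `badEntry.X509SvidTtl` / `badEntry.JwtSvidTtl`, which makes them identical to the "Bad Data, Mask False" cases. The path where a valid new TTL is supplied with the mask bit off is therefore never tested, and a regression that applied an unmasked TTL would only be caught with the negative value. The update closures should use the good values: `update: func(e *common.RegistrationEntry) { e.X509SvidTtl = newEntry.X509SvidTtl }`, and likewise `e.JwtSvidTtl = newEntry.JwtSvidTtl`. The table begins and ends outside the hunk.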
@@ -2505,9 +2528,9 @@ func (s *PluginSuite) TestDeleteRegistrationEntry() { {Type: "Type4", Value: "Value4"}, {Type: "Type5", Value: "Value5"}, }, - SpiffeId: "spiffe://example.org/baz", - ParentId: "spiffe://example.org/bat", - Ttl: 2, + SpiffeId: "spiffe://example.org/baz", + ParentId: "spiffe://example.org/bat", + X509SvidTtl: 2, }) // We have two registration entries diff --git a/pkg/server/datastore/sqlstore/testdata/invalid_registration_entries.json b/pkg/server/datastore/sqlstore/testdata/invalid_registration_entries.json index 0b40c0fa5e..0628f709c3 100644 --- a/pkg/server/datastore/sqlstore/testdata/invalid_registration_entries.json +++ b/pkg/server/datastore/sqlstore/testdata/invalid_registration_entries.json @@ -15,7 +15,7 @@ } ], "spiffe_id": "SpiffeId", - "ttl": -5 + "x509_svid_ttl": -5 }, { "spiffe_id": "SpiffeId" @@ -32,7 +32,7 @@ } ], "spiffe_id": "SpiffeId3", - "ttl": 2, + "x509_svid_ttl": 2, "store_svid": true }, null diff --git a/pkg/server/server.go b/pkg/server/server.go index 79a0e303af..e700831e5b 100644 --- a/pkg/server/server.go +++ b/pkg/server/server.go @@ -265,7 +265,8 @@ func (s *Server) loadCatalog(ctx context.Context, metrics telemetry.Metrics, ide func (s *Server) newCA(metrics telemetry.Metrics, healthChecker health.Checker) *ca.CA { return ca.NewCA(ca.Config{ Metrics: metrics, - X509SVIDTTL: s.config.SVIDTTL, + X509SVIDTTL: s.config.X509SVIDTTL, + JWTSVIDTTL: s.config.JWTSVIDTTL, JWTIssuer: s.config.JWTIssuer, TrustDomain: s.config.TrustDomain, CASubject: s.config.CASubject, diff --git a/proto/spire/common/common.pb.go b/proto/spire/common/common.pb.go index c53381f492..f928afa8fd 100644 --- a/proto/spire/common/common.pb.go +++ b/proto/spire/common/common.pb.go 
@@ -354,8 +354,8 @@ type RegistrationEntry struct { // caller. It is defined as a URI comprising a “trust domain” and an // associated path. SpiffeId string `protobuf:"bytes,3,opt,name=spiffe_id,json=spiffeId,proto3" json:"spiffe_id,omitempty"` - // * Time to live. - Ttl int32 `protobuf:"varint,4,opt,name=ttl,proto3" json:"ttl,omitempty"` + // * Time to live for X509-SVIDs generated from this entry. Was previously called 'ttl'. + X509SvidTtl int32 `protobuf:"varint,4,opt,name=x509_svid_ttl,json=x509SvidTtl,proto3" json:"x509_svid_ttl,omitempty"` // * A list of federated trust domain SPIFFE IDs. FederatesWith []string `protobuf:"bytes,5,rep,name=federates_with,json=federatesWith,proto3" json:"federates_with,omitempty"` // * Entry ID @@ -374,6 +374,8 @@ type RegistrationEntry struct { RevisionNumber int64 `protobuf:"varint,11,opt,name=revision_number,json=revisionNumber,proto3" json:"revision_number,omitempty"` // * Determines if the issued SVID must be stored through an SVIDStore plugin StoreSvid bool `protobuf:"varint,12,opt,name=store_svid,json=storeSvid,proto3" json:"store_svid,omitempty"` + // * Time to live for JWT-SVIDs generated from this entry, if set will override ttl field. + JwtSvidTtl int32 `protobuf:"varint,13,opt,name=jwt_svid_ttl,json=jwtSvidTtl,proto3" json:"jwt_svid_ttl,omitempty"` } func (x *RegistrationEntry) Reset() { @@ -429,9 +431,9 @@ func (x *RegistrationEntry) GetSpiffeId() string { return "" } -func (x *RegistrationEntry) GetTtl() int32 { +func (x *RegistrationEntry) GetX509SvidTtl() int32 { if x != nil { - return x.Ttl + return x.X509SvidTtl } return 0 } @@ -492,6 +494,13 @@ func (x *RegistrationEntry) GetStoreSvid() bool { return false } +func (x *RegistrationEntry) GetJwtSvidTtl() int32 { + if x != nil { + return x.JwtSvidTtl + } + return 0 +} + // * The RegistrationEntryMask is used to update only selected fields of the RegistrationEntry type RegistrationEntryMask struct { state protoimpl.MessageState 
@@ -501,7 +510,7 @@ type RegistrationEntryMask struct { Selectors bool `protobuf:"varint,1,opt,name=selectors,proto3" json:"selectors,omitempty"` ParentId bool `protobuf:"varint,2,opt,name=parent_id,json=parentId,proto3" json:"parent_id,omitempty"` SpiffeId bool `protobuf:"varint,3,opt,name=spiffe_id,json=spiffeId,proto3" json:"spiffe_id,omitempty"` - Ttl bool `protobuf:"varint,4,opt,name=ttl,proto3" json:"ttl,omitempty"` + X509SvidTtl bool `protobuf:"varint,4,opt,name=x509_svid_ttl,json=x509SvidTtl,proto3" json:"x509_svid_ttl,omitempty"` FederatesWith bool `protobuf:"varint,5,opt,name=federates_with,json=federatesWith,proto3" json:"federates_with,omitempty"` EntryId bool `protobuf:"varint,6,opt,name=entry_id,json=entryId,proto3" json:"entry_id,omitempty"` Admin bool `protobuf:"varint,7,opt,name=admin,proto3" json:"admin,omitempty"` @@ -509,6 +518,7 @@ type RegistrationEntryMask struct { EntryExpiry bool `protobuf:"varint,9,opt,name=entryExpiry,proto3" json:"entryExpiry,omitempty"` DnsNames bool `protobuf:"varint,10,opt,name=dns_names,json=dnsNames,proto3" json:"dns_names,omitempty"` StoreSvid bool `protobuf:"varint,11,opt,name=store_svid,json=storeSvid,proto3" json:"store_svid,omitempty"` + JwtSvidTtl bool `protobuf:"varint,12,opt,name=jwt_svid_ttl,json=jwtSvidTtl,proto3" json:"jwt_svid_ttl,omitempty"` } func (x *RegistrationEntryMask) Reset() { @@ -564,9 +574,9 @@ func (x *RegistrationEntryMask) GetSpiffeId() bool { return false } -func (x *RegistrationEntryMask) GetTtl() bool { +func (x *RegistrationEntryMask) GetX509SvidTtl() bool { if x != nil { - return x.Ttl + return x.X509SvidTtl } return false } @@ -620,6 +630,13 @@ func (x *RegistrationEntryMask) GetStoreSvid() bool { return false } +func (x *RegistrationEntryMask) GetJwtSvidTtl() bool { + if x != nil { + return x.JwtSvidTtl + } + return false +} + // * A list of registration entries. type RegistrationEntries struct { state protoimpl.MessageState 
@@ -1050,7 +1067,7 @@ var file_spire_common_common_proto_rawDesc = []byte{ 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x09, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x61, 0x6e, 0x5f, 0x72, 0x65, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x63, 0x61, 0x6e, 0x52, 0x65, 0x61, 0x74, 0x74, - 0x65, 0x73, 0x74, 0x22, 0x94, 0x03, 0x0a, 0x11, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, + 0x65, 0x73, 0x74, 0x22, 0xc8, 0x03, 0x0a, 0x11, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x34, 0x0a, 0x09, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x65, 0x6c, 0x65, 
@@ -1058,101 +1075,108 @@ var file_spire_common_common_proto_rawDesc = []byte{ 0x1b, 0x0a, 0x09, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x1b, 0x0a, 0x09, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x08, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x49, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x74, 0x74, 0x6c, - 0x18, 0x04, 0x20, 0x01, 0x28, 0x05, 0x52, 0x03, 0x74, 0x74, 0x6c, 0x12, 0x25, 0x0a, 0x0e, 0x66, - 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x65, 0x73, 0x5f, 0x77, 0x69, 0x74, 0x68, 0x18, 0x05, 0x20, - 0x03, 0x28, 0x09, 0x52, 0x0d, 0x66, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x65, 0x73, 0x57, 0x69, - 0x74, 0x68, 0x12, 0x19, 0x0a, 0x08, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x06, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x49, 0x64, 0x12, 0x14, 0x0a, - 0x05, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x08, 0x52, 0x05, 0x61, 0x64, - 0x6d, 0x69, 0x6e, 0x12, 0x1e, 0x0a, 0x0a, 0x64, 0x6f, 0x77, 0x6e, 0x73, 0x74, 0x72, 0x65, 0x61, - 0x6d, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x64, 0x6f, 0x77, 0x6e, 0x73, 0x74, 0x72, - 0x65, 0x61, 0x6d, 0x12, 0x20, 0x0a, 0x0b, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x45, 0x78, 0x70, 0x69, - 0x72, 0x79, 0x18, 0x09, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x45, - 0x78, 0x70, 0x69, 0x72, 0x79, 0x12, 0x1b, 0x0a, 0x09, 0x64, 0x6e, 0x73, 0x5f, 0x6e, 0x61, 0x6d, - 0x65, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x64, 0x6e, 0x73, 0x4e, 0x61, 0x6d, - 0x65, 0x73, 0x12, 0x27, 0x0a, 0x0f, 0x72, 0x65, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, - 0x75, 0x6d, 0x62, 0x65, 0x72, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x76, - 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x4e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x12, 0x1d, 0x0a, 0x0a, 0x73, - 0x74, 0x6f, 0x72, 0x65, 0x5f, 0x73, 0x76, 0x69, 0x64, 0x18, 
0x0c, 0x20, 0x01, 0x28, 0x08, 0x52, - 0x09, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x53, 0x76, 0x69, 0x64, 0x22, 0xd7, 0x02, 0x0a, 0x15, 0x52, - 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x74, 0x72, 0x79, - 0x4d, 0x61, 0x73, 0x6b, 0x12, 0x1c, 0x0a, 0x09, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, - 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, - 0x72, 0x73, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x12, - 0x1b, 0x0a, 0x09, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x08, 0x52, 0x08, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x49, 0x64, 0x12, 0x10, 0x0a, 0x03, - 0x74, 0x74, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x03, 0x74, 0x74, 0x6c, 0x12, 0x25, - 0x0a, 0x0e, 0x66, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x65, 0x73, 0x5f, 0x77, 0x69, 0x74, 0x68, - 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x66, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x65, - 0x73, 0x57, 0x69, 0x74, 0x68, 0x12, 0x19, 0x0a, 0x08, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x5f, 0x69, - 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x49, 0x64, - 0x12, 0x14, 0x0a, 0x05, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x08, 0x52, - 0x05, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x12, 0x1e, 0x0a, 0x0a, 0x64, 0x6f, 0x77, 0x6e, 0x73, 0x74, - 0x72, 0x65, 0x61, 0x6d, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x64, 0x6f, 0x77, 0x6e, - 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x12, 0x20, 0x0a, 0x0b, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x45, - 0x78, 0x70, 0x69, 0x72, 0x79, 0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x65, 0x6e, 0x74, - 0x72, 0x79, 0x45, 0x78, 0x70, 0x69, 0x72, 0x79, 0x12, 0x1b, 0x0a, 0x09, 0x64, 0x6e, 0x73, 0x5f, - 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x64, 0x6e, 0x73, - 
0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x1d, 0x0a, 0x0a, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x5f, 0x73, - 0x76, 0x69, 0x64, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x73, 0x74, 0x6f, 0x72, 0x65, - 0x53, 0x76, 0x69, 0x64, 0x22, 0x50, 0x0a, 0x13, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x12, 0x39, 0x0a, 0x07, 0x65, - 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x73, - 0x70, 0x69, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x52, 0x65, 0x67, 0x69, - 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, 0x65, - 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x22, 0x2a, 0x0a, 0x0b, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, - 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x64, 0x65, 0x72, 0x5f, 0x62, 0x79, 0x74, - 0x65, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x64, 0x65, 0x72, 0x42, 0x79, 0x74, - 0x65, 0x73, 0x22, 0x59, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, - 0x1d, 0x0a, 0x0a, 0x70, 0x6b, 0x69, 0x78, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x0c, 0x52, 0x09, 0x70, 0x6b, 0x69, 0x78, 0x42, 0x79, 0x74, 0x65, 0x73, 0x12, 0x10, - 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x69, 0x64, - 0x12, 0x1b, 0x0a, 0x09, 0x6e, 0x6f, 0x74, 0x5f, 0x61, 0x66, 0x74, 0x65, 0x72, 0x18, 0x03, 0x20, - 0x01, 0x28, 0x03, 0x52, 0x08, 0x6e, 0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, 0x72, 0x22, 0xcc, 0x01, - 0x0a, 0x06, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x12, 0x26, 0x0a, 0x0f, 0x74, 0x72, 0x75, 0x73, - 0x74, 0x5f, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x0d, 0x74, 0x72, 0x75, 0x73, 0x74, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x49, 0x64, - 0x12, 0x34, 0x0a, 0x08, 0x72, 0x6f, 0x6f, 0x74, 0x5f, 0x63, 0x61, 0x73, 0x18, 0x02, 0x20, 0x03, - 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 
0x70, 0x69, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, - 0x6e, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x07, 0x72, - 0x6f, 0x6f, 0x74, 0x43, 0x61, 0x73, 0x12, 0x41, 0x0a, 0x10, 0x6a, 0x77, 0x74, 0x5f, 0x73, 0x69, - 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, - 0x32, 0x17, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, - 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x0e, 0x6a, 0x77, 0x74, 0x53, 0x69, - 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x72, 0x65, 0x66, - 0x72, 0x65, 0x73, 0x68, 0x5f, 0x68, 0x69, 0x6e, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, - 0x0b, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x48, 0x69, 0x6e, 0x74, 0x22, 0x74, 0x0a, 0x0a, - 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x4d, 0x61, 0x73, 0x6b, 0x12, 0x19, 0x0a, 0x08, 0x72, 0x6f, - 0x6f, 0x74, 0x5f, 0x63, 0x61, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x72, 0x6f, - 0x6f, 0x74, 0x43, 0x61, 0x73, 0x12, 0x28, 0x0a, 0x10, 0x6a, 0x77, 0x74, 0x5f, 0x73, 0x69, 0x67, - 0x6e, 0x69, 0x6e, 0x67, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, - 0x0e, 0x6a, 0x77, 0x74, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x4b, 0x65, 0x79, 0x73, 0x12, - 0x21, 0x0a, 0x0c, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x5f, 0x68, 0x69, 0x6e, 0x74, 0x18, - 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x48, 0x69, - 0x6e, 0x74, 0x22, 0x9f, 0x02, 0x0a, 0x10, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x65, 0x64, 0x4e, - 0x6f, 0x64, 0x65, 0x4d, 0x61, 0x73, 0x6b, 0x12, 0x32, 0x0a, 0x15, 0x61, 0x74, 0x74, 0x65, 0x73, - 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x74, 0x79, 0x70, 0x65, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x44, 0x61, 0x74, 0x61, 0x54, 0x79, 0x70, 0x65, 0x12, 
0x2c, 0x0a, 0x12, 0x63, + 0x08, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x49, 0x64, 0x12, 0x22, 0x0a, 0x0d, 0x78, 0x35, 0x30, + 0x39, 0x5f, 0x73, 0x76, 0x69, 0x64, 0x5f, 0x74, 0x74, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x05, + 0x52, 0x0b, 0x78, 0x35, 0x30, 0x39, 0x53, 0x76, 0x69, 0x64, 0x54, 0x74, 0x6c, 0x12, 0x25, 0x0a, + 0x0e, 0x66, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x65, 0x73, 0x5f, 0x77, 0x69, 0x74, 0x68, 0x18, + 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x66, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x65, 0x73, + 0x57, 0x69, 0x74, 0x68, 0x12, 0x19, 0x0a, 0x08, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x5f, 0x69, 0x64, + 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x49, 0x64, 0x12, + 0x14, 0x0a, 0x05, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x08, 0x52, 0x05, + 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x12, 0x1e, 0x0a, 0x0a, 0x64, 0x6f, 0x77, 0x6e, 0x73, 0x74, 0x72, + 0x65, 0x61, 0x6d, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x64, 0x6f, 0x77, 0x6e, 0x73, + 0x74, 0x72, 0x65, 0x61, 0x6d, 0x12, 0x20, 0x0a, 0x0b, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x45, 0x78, + 0x70, 0x69, 0x72, 0x79, 0x18, 0x09, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b, 0x65, 0x6e, 0x74, 0x72, + 0x79, 0x45, 0x78, 0x70, 0x69, 0x72, 0x79, 0x12, 0x1b, 0x0a, 0x09, 0x64, 0x6e, 0x73, 0x5f, 0x6e, + 0x61, 0x6d, 0x65, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x64, 0x6e, 0x73, 0x4e, + 0x61, 0x6d, 0x65, 0x73, 0x12, 0x27, 0x0a, 0x0f, 0x72, 0x65, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, + 0x5f, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, + 0x65, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x4e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x12, 0x1d, 0x0a, + 0x0a, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x5f, 0x73, 0x76, 0x69, 0x64, 0x18, 0x0c, 0x20, 0x01, 0x28, + 0x08, 0x52, 0x09, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x53, 0x76, 0x69, 0x64, 0x12, 0x20, 0x0a, 0x0c, + 0x6a, 0x77, 0x74, 0x5f, 0x73, 0x76, 0x69, 0x64, 0x5f, 0x74, 0x74, 0x6c, 0x18, 0x0d, 0x20, 0x01, + 0x28, 0x05, 
0x52, 0x0a, 0x6a, 0x77, 0x74, 0x53, 0x76, 0x69, 0x64, 0x54, 0x74, 0x6c, 0x22, 0x8b, + 0x03, 0x0a, 0x15, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x45, + 0x6e, 0x74, 0x72, 0x79, 0x4d, 0x61, 0x73, 0x6b, 0x12, 0x1c, 0x0a, 0x09, 0x73, 0x65, 0x6c, 0x65, + 0x63, 0x74, 0x6f, 0x72, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x73, 0x65, 0x6c, + 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, + 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x70, 0x61, 0x72, 0x65, 0x6e, + 0x74, 0x49, 0x64, 0x12, 0x1b, 0x0a, 0x09, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x5f, 0x69, 0x64, + 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x49, 0x64, + 0x12, 0x22, 0x0a, 0x0d, 0x78, 0x35, 0x30, 0x39, 0x5f, 0x73, 0x76, 0x69, 0x64, 0x5f, 0x74, 0x74, + 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x78, 0x35, 0x30, 0x39, 0x53, 0x76, 0x69, + 0x64, 0x54, 0x74, 0x6c, 0x12, 0x25, 0x0a, 0x0e, 0x66, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x65, + 0x73, 0x5f, 0x77, 0x69, 0x74, 0x68, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x66, 0x65, + 0x64, 0x65, 0x72, 0x61, 0x74, 0x65, 0x73, 0x57, 0x69, 0x74, 0x68, 0x12, 0x19, 0x0a, 0x08, 0x65, + 0x6e, 0x74, 0x72, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x65, + 0x6e, 0x74, 0x72, 0x79, 0x49, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x18, + 0x07, 0x20, 0x01, 0x28, 0x08, 0x52, 0x05, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x12, 0x1e, 0x0a, 0x0a, + 0x64, 0x6f, 0x77, 0x6e, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, + 0x52, 0x0a, 0x64, 0x6f, 0x77, 0x6e, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x12, 0x20, 0x0a, 0x0b, + 0x65, 0x6e, 0x74, 0x72, 0x79, 0x45, 0x78, 0x70, 0x69, 0x72, 0x79, 0x18, 0x09, 0x20, 0x01, 0x28, + 0x08, 0x52, 0x0b, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x45, 0x78, 0x70, 0x69, 0x72, 0x79, 0x12, 0x1b, + 0x0a, 0x09, 0x64, 0x6e, 0x73, 0x5f, 0x6e, 0x61, 
0x6d, 0x65, 0x73, 0x18, 0x0a, 0x20, 0x01, 0x28, + 0x08, 0x52, 0x08, 0x64, 0x6e, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x1d, 0x0a, 0x0a, 0x73, + 0x74, 0x6f, 0x72, 0x65, 0x5f, 0x73, 0x76, 0x69, 0x64, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x08, 0x52, + 0x09, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x53, 0x76, 0x69, 0x64, 0x12, 0x20, 0x0a, 0x0c, 0x6a, 0x77, + 0x74, 0x5f, 0x73, 0x76, 0x69, 0x64, 0x5f, 0x74, 0x74, 0x6c, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x08, + 0x52, 0x0a, 0x6a, 0x77, 0x74, 0x53, 0x76, 0x69, 0x64, 0x54, 0x74, 0x6c, 0x22, 0x50, 0x0a, 0x13, + 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x74, 0x72, + 0x69, 0x65, 0x73, 0x12, 0x39, 0x0a, 0x07, 0x65, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x18, 0x01, + 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, + 0x6d, 0x6f, 0x6e, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, 0x65, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x22, 0x2a, + 0x0a, 0x0b, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1b, 0x0a, + 0x09, 0x64, 0x65, 0x72, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, + 0x52, 0x08, 0x64, 0x65, 0x72, 0x42, 0x79, 0x74, 0x65, 0x73, 0x22, 0x59, 0x0a, 0x09, 0x50, 0x75, + 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x6b, 0x69, 0x78, 0x5f, + 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x70, 0x6b, 0x69, + 0x78, 0x42, 0x79, 0x74, 0x65, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x69, 0x64, 0x12, 0x1b, 0x0a, 0x09, 0x6e, 0x6f, 0x74, 0x5f, + 0x61, 0x66, 0x74, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x6e, 0x6f, 0x74, + 0x41, 0x66, 0x74, 0x65, 0x72, 0x22, 0xcc, 0x01, 0x0a, 0x06, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, + 0x12, 0x26, 0x0a, 0x0f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x5f, 0x64, 0x6f, 0x6d, 0x61, 
0x69, 0x6e, + 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x74, 0x72, 0x75, 0x73, 0x74, + 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x49, 0x64, 0x12, 0x34, 0x0a, 0x08, 0x72, 0x6f, 0x6f, 0x74, + 0x5f, 0x63, 0x61, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 0x70, 0x69, + 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x07, 0x72, 0x6f, 0x6f, 0x74, 0x43, 0x61, 0x73, 0x12, 0x41, + 0x0a, 0x10, 0x6a, 0x77, 0x74, 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x5f, 0x6b, 0x65, + 0x79, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, + 0x79, 0x52, 0x0e, 0x6a, 0x77, 0x74, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x4b, 0x65, 0x79, + 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x5f, 0x68, 0x69, 0x6e, + 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, + 0x48, 0x69, 0x6e, 0x74, 0x22, 0x74, 0x0a, 0x0a, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x4d, 0x61, + 0x73, 0x6b, 0x12, 0x19, 0x0a, 0x08, 0x72, 0x6f, 0x6f, 0x74, 0x5f, 0x63, 0x61, 0x73, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x72, 0x6f, 0x6f, 0x74, 0x43, 0x61, 0x73, 0x12, 0x28, 0x0a, + 0x10, 0x6a, 0x77, 0x74, 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x5f, 0x6b, 0x65, 0x79, + 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, 0x6a, 0x77, 0x74, 0x53, 0x69, 0x67, 0x6e, + 0x69, 0x6e, 0x67, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x72, 0x65, 0x66, 0x72, 0x65, + 0x73, 0x68, 0x5f, 0x68, 0x69, 0x6e, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x72, + 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x48, 0x69, 0x6e, 0x74, 0x22, 0x9f, 0x02, 0x0a, 0x10, 0x41, + 0x74, 0x74, 0x65, 0x73, 0x74, 0x65, 0x64, 0x4e, 0x6f, 0x64, 0x65, 0x4d, 0x61, 0x73, 0x6b, 0x12, + 0x32, 0x0a, 0x15, 0x61, 
0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x64, + 0x61, 0x74, 0x61, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, + 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x44, 0x61, 0x74, 0x61, 0x54, + 0x79, 0x70, 0x65, 0x12, 0x2c, 0x0a, 0x12, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x69, + 0x61, 0x6c, 0x5f, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, + 0x10, 0x63, 0x65, 0x72, 0x74, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x4e, 0x75, 0x6d, 0x62, 0x65, + 0x72, 0x12, 0x24, 0x0a, 0x0e, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x61, 0x66, + 0x74, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x4e, + 0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, 0x72, 0x12, 0x33, 0x0a, 0x16, 0x6e, 0x65, 0x77, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x5f, 0x6e, 0x75, 0x6d, 0x62, 0x65, - 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x63, 0x65, 0x72, 0x74, 0x53, 0x65, 0x72, - 0x69, 0x61, 0x6c, 0x4e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x12, 0x24, 0x0a, 0x0e, 0x63, 0x65, 0x72, - 0x74, 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x61, 0x66, 0x74, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, - 0x08, 0x52, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x4e, 0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, 0x72, 0x12, - 0x33, 0x0a, 0x16, 0x6e, 0x65, 0x77, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x69, - 0x61, 0x6c, 0x5f, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, - 0x13, 0x6e, 0x65, 0x77, 0x43, 0x65, 0x72, 0x74, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x4e, 0x75, - 0x6d, 0x62, 0x65, 0x72, 0x12, 0x2b, 0x0a, 0x12, 0x6e, 0x65, 0x77, 0x5f, 0x63, 0x65, 0x72, 0x74, - 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x61, 0x66, 0x74, 0x65, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, - 0x52, 0x0f, 0x6e, 0x65, 0x77, 0x43, 0x65, 0x72, 0x74, 0x4e, 0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, - 0x72, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x61, 0x6e, 0x5f, 0x72, 0x65, 
0x61, 0x74, 0x74, 0x65, 0x73, - 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x63, 0x61, 0x6e, 0x52, 0x65, 0x61, 0x74, - 0x74, 0x65, 0x73, 0x74, 0x42, 0x2c, 0x5a, 0x2a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, - 0x6f, 0x6d, 0x2f, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x2f, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, - 0x6f, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x6e, 0x65, 0x77, 0x43, 0x65, 0x72, 0x74, + 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x4e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x12, 0x2b, 0x0a, 0x12, + 0x6e, 0x65, 0x77, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x61, 0x66, 0x74, + 0x65, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x6e, 0x65, 0x77, 0x43, 0x65, 0x72, + 0x74, 0x4e, 0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, 0x72, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x61, 0x6e, + 0x5f, 0x72, 0x65, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, + 0x0b, 0x63, 0x61, 0x6e, 0x52, 0x65, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x42, 0x2c, 0x5a, 0x2a, + 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x70, 0x69, 0x66, 0x66, + 0x65, 0x2f, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x73, 0x70, + 0x69, 0x72, 0x65, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, } var ( diff --git a/proto/spire/common/common.proto b/proto/spire/common/common.proto index 057698b85d..f42573a127 100644 --- a/proto/spire/common/common.proto +++ b/proto/spire/common/common.proto 
@@ -68,8 +68,8 @@ message RegistrationEntry { caller. It is defined as a URI comprising a “trust domain” and an associated path. */ string spiffe_id = 3; - /** Time to live. */ - int32 ttl = 4; + /** Time to live for X509-SVIDs generated from this entry. Was previously called 'ttl'. */ + int32 x509_svid_ttl = 4; /** A list of federated trust domain SPIFFE IDs. */ repeated string federates_with = 5; /** Entry ID */ @@ -88,6 +88,8 @@ message RegistrationEntry { int64 revision_number = 11; /** Determines if the issued SVID must be stored through an SVIDStore plugin */ bool store_svid = 12; + /** Time to live for JWT-SVIDs generated from this entry, if set will override ttl field. */ + int32 jwt_svid_ttl = 13; } /** The RegistrationEntryMask is used to update only selected fields of the RegistrationEntry */ @@ -95,7 +97,7 @@ message RegistrationEntryMask { bool selectors = 1; bool parent_id = 2; bool spiffe_id = 3; - bool ttl = 4; + bool x509_svid_ttl = 4; bool federates_with = 5; bool entry_id = 6; bool admin = 7; @@ -103,6 +105,7 @@ message RegistrationEntryMask { bool entryExpiry = 9; bool dns_names = 10; bool store_svid = 11; + bool jwt_svid_ttl = 12; } diff --git a/test/fixture/registration/good-for-update.json b/test/fixture/registration/good-for-update.json index 274ad892fe..b1e12cb49a 100644 --- a/test/fixture/registration/good-for-update.json +++ b/test/fixture/registration/good-for-update.json @@ -10,7 +10,8 @@ ], "spiffe_id": "spiffe://example.org/Blog", "parent_id": "spiffe://example.org/spire/agent/join_token/TokenBlog", - "ttl": 200, + "x509_svid_ttl": 200, + "jwt_svid_ttl": 300, "admin": true }, { @@ -23,7 +24,8 @@ ], "spiffe_id": "spiffe://example.org/Database", "parent_id": "spiffe://example.org/spire/agent/join_token/TokenDatabase", - "ttl": 200 + "x509_svid_ttl": 200, + "jwt_svid_ttl": 300 }, { "entry_id": "entry-id-3", 
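Review bot: The rename of `ttl` to `x509_svid_ttl` in the `@@ -68,8 +68,8 @@` hunk changes the field's JSON name while keeping field number 4, and nothing on the field says what happens to input that still uses `"ttl"`. The binary encoding is unaffected, but the fixture edits later in this patch show that entries are also loaded by JSON name. Depending on how that parser treats unknown keys (not visible here), an old file is either rejected or silently falls back to the default X509-SVID lifetime. I would extend the comment to state which, for example `/** Time to live for X509-SVIDs generated from this entry. Formerly 'ttl' (same field number); the old JSON name is no longer read. */` once that is confirmed. The same applies to `RegistrationEntryMask.x509_svid_ttl` in the `@@ -95,7 +97,7 @@` hunk.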
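Review bot: The comment added for `jwt_svid_ttl` in the `@@ -88,6 +88,8 @@` hunk says it "will override ttl field", but this patch renames that field to `x509_svid_ttl` and documents it as applying to X509-SVIDs only, so the comment names a field that no longer exists. It also leaves open what lifetime a JWT-SVID gets when `jwt_svid_ttl` is 0, and with a proto3 `int32` an unset field and an explicit 0 look the same to the reader. Since this value bounds how long an issued token stays valid, the fallback should be written down, for example `/** Time to live for JWT-SVIDs generated from this entry. Zero means <fallback, to be confirmed against the server>. */`.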
@@ -40,7 +42,8 @@ "spiffe_id": "spiffe://example.org/Storesvid", "parent_id": "spiffe://example.org/spire/agent/join_token/TokenDatabase", "store_svid": true, - "ttl": 200 + "x509_svid_ttl": 200, + "jwt_svid_ttl": 300 } ] } diff --git a/test/fixture/registration/good.json b/test/fixture/registration/good.json index dad588ef89..f0c7fe564f 100644 --- a/test/fixture/registration/good.json +++ b/test/fixture/registration/good.json @@ -9,7 +9,8 @@ ], "spiffe_id": "spiffe://example.org/Blog", "parent_id": "spiffe://example.org/spire/agent/join_token/TokenBlog", - "ttl": 200, + "x509_svid_ttl": 200, + "jwt_svid_ttl": 30, "admin": true }, { @@ -21,7 +22,8 @@ ], "spiffe_id": "spiffe://example.org/Database", "parent_id": "spiffe://example.org/spire/agent/join_token/TokenDatabase", - "ttl": 200 + "x509_svid_ttl": 200, + "jwt_svid_ttl": 30 }, { "selectors": [ @@ -36,7 +38,8 @@ ], "spiffe_id": "spiffe://example.org/storesvid", "parent_id": "spiffe://example.org/spire/agent/join_token/TokenDatabase", - "ttl": 200, + "x509_svid_ttl": 200, + "jwt_svid_ttl": 30, "store_svid": true } ] From dbd610a7bf16008d4faa2d36425d4f107b6e644e Mon Sep 17 00:00:00 2001 
From: Andrew Harding Date: Wed, 26 Oct 2022 13:35:33 -0600 Subject: [PATCH 017/257] Use test keys for keymanager and other tests (#3499) This change uses the available test keys instead of generating new keys for the keymanager tests which speeds up the tests and avoids sporadic timeout test failures we've observed in CI/CD, particularly when generating 4096 bit RSA keys. This change also updates the testkey package to no longer fail if a test exceeds the number of pregenerated keys, instead opting to generate the new key and save it to disk so it can be included in the PR introducing the test change. The agent fake keymanager was also updated to use test keys. CI/CD has also been updated to fail the unit-test step if the git repository is no longer clean, implying that there were possibly test keys generated that were not part of the PR. Additionally, to ensure that production key management flows are not broken the real key generation routines are used when the NIGHTLY tests are executing. To prevent spurious timeouts, the go test timeouts are also removed. 
Signed-off-by: Andrew Harding --- .github/workflows/nightly_build.yaml | 3 + .github/workflows/scripts/run_unit_tests.sh | 4 + .../run_unit_tests_under_race_detector.sh | 4 + Makefile | 6 +- .../plugin/keymanager/base/keymanagerbase.go | 62 +- .../keymanager/base/keymanagerbase_test.go | 14 + pkg/agent/plugin/keymanager/disk/disk.go | 15 +- pkg/agent/plugin/keymanager/disk/disk_test.go | 3 +- pkg/agent/plugin/keymanager/memory/memory.go | 16 +- .../plugin/keymanager/memory/memory_test.go | 2 +- .../plugin/keymanager/test/keymanagertest.go | 11 + pkg/common/pemutil/block.go | 4 +- pkg/server/api/agent/v1/service_test.go | 4 +- .../plugin/keymanager/base/keymanagerbase.go | 66 +- .../keymanager/base/keymanagerbase_test.go | 14 + pkg/server/plugin/keymanager/disk/disk.go | 15 +- .../plugin/keymanager/disk/disk_test.go | 2 +- pkg/server/plugin/keymanager/memory/memory.go | 16 +- .../plugin/keymanager/memory/memory_test.go | 2 +- .../plugin/keymanager/test/keymanagertest.go | 11 + test/fakes/fakeagentkeymanager/keymanager.go | 5 +- test/fakes/fakeserverkeymanager/keymanager.go | 9 +- test/integration/setup/adminclient/client.go | 8 +- .../setup/downstreamclient/client.go | 10 +- test/integration/setup/itclient/client.go | 4 +- .../setup/node-attestation/client.go | 9 +- test/testkey/bucket.go | 116 +++ test/testkey/ec256.pem | 222 +++++ test/testkey/ec384.pem | 32 + test/testkey/generate.sh | 33 - test/testkey/generator.go | 13 + test/testkey/genkeys.go | 106 -- test/testkey/keys.go | 926 ++++-------------- test/testkey/new.go | 165 ---- test/testkey/rsa2048.pem | 58 ++ test/testkey/rsa4096.pem | 106 ++ 36 files changed, 943 insertions(+), 1153 deletions(-) create mode 100644 pkg/agent/plugin/keymanager/base/keymanagerbase_test.go create mode 100644 pkg/server/plugin/keymanager/base/keymanagerbase_test.go create mode 100644 test/testkey/bucket.go create mode 100644 test/testkey/ec256.pem create mode 100644 test/testkey/ec384.pem delete mode 100755 
test/testkey/generate.sh create mode 100644 test/testkey/generator.go delete mode 100644 test/testkey/genkeys.go delete mode 100644 test/testkey/new.go create mode 100644 test/testkey/rsa2048.pem create mode 100644 test/testkey/rsa4096.pem diff --git a/.github/workflows/nightly_build.yaml b/.github/workflows/nightly_build.yaml index f276bea2e8..8bbf606cbe 100644 --- a/.github/workflows/nightly_build.yaml +++ b/.github/workflows/nightly_build.yaml @@ -8,6 +8,9 @@ permissions: contents: read packages: write +env: + NIGHTLY: true + jobs: build-and-publish-images: runs-on: ubuntu-20.04 diff --git a/.github/workflows/scripts/run_unit_tests.sh b/.github/workflows/scripts/run_unit_tests.sh index 558f5f970d..501af923ed 100755 --- a/.github/workflows/scripts/run_unit_tests.sh +++ b/.github/workflows/scripts/run_unit_tests.sh @@ -14,3 +14,7 @@ if [ -n "${COVERALLS_TOKEN}" ]; then "$(go env GOPATH)"/bin/goveralls -coverprofile="${COVERPROFILE}" \ -service=github fi + +# This ensures that running the tests didn't modify the source files, for +# example by generating test keys that should have been checked in with the PR. +make git-clean-check diff --git a/.github/workflows/scripts/run_unit_tests_under_race_detector.sh b/.github/workflows/scripts/run_unit_tests_under_race_detector.sh index 6a64da56cb..993ed633b5 100755 --- a/.github/workflows/scripts/run_unit_tests_under_race_detector.sh +++ b/.github/workflows/scripts/run_unit_tests_under_race_detector.sh @@ -14,3 +14,7 @@ if [ -n "${COVERALLS_TOKEN}" ]; then "$(go env GOPATH)"/bin/goveralls -coverprofile="${COVERPROFILE}" \ -service=github fi + +# This ensures that running the tests didn't modify the source files, for +# example by generating test keys that should have been checked in with the PR. +make git-clean-check diff --git a/Makefile b/Makefile index c65d333edb..91ed698707 100644 --- a/Makefile +++ b/Makefile 
@@ -201,7 +201,11 @@ endif ############################################################################ # Flags passed to all invocations of go test -go_test_flags := -timeout=60s +go_test_flags := +ifeq ($(NIGHTLY),) + # Cap unit-test timout to 60s unless we're running nightlies. + go_test_flags += -timeout=60s +endif go_flags := ifneq ($(GOPARALLEL),) diff --git a/pkg/agent/plugin/keymanager/base/keymanagerbase.go b/pkg/agent/plugin/keymanager/base/keymanagerbase.go index cb845803c3..93d66299e3 100644 --- a/pkg/agent/plugin/keymanager/base/keymanagerbase.go +++ b/pkg/agent/plugin/keymanager/base/keymanagerbase.go @@ -26,20 +26,27 @@ type KeyEntry struct { *keymanagerv1.PublicKey } -// Funcs is a collection of optional callbacks. Default implementations will be +// Config is a collection of optional callbacks. Default implementations will be // used when not provided. -type Funcs struct { - WriteEntries func(ctx context.Context, allEntries []*KeyEntry, newEntry *KeyEntry) error - GenerateRSA2048Key func() (*rsa.PrivateKey, error) - GenerateRSA4096Key func() (*rsa.PrivateKey, error) - GenerateEC256Key func() (*ecdsa.PrivateKey, error) - GenerateEC384Key func() (*ecdsa.PrivateKey, error) +type Config struct { + // Generator is an optional key generator. + Generator Generator + + // WriteEntries is an optional callback used to persist key entries + WriteEntries func(ctx context.Context, allEntries []*KeyEntry, newEntry *KeyEntry) error +} + +type Generator interface { + GenerateRSA2048Key() (*rsa.PrivateKey, error) + GenerateRSA4096Key() (*rsa.PrivateKey, error) + GenerateEC256Key() (*ecdsa.PrivateKey, error) + GenerateEC384Key() (*ecdsa.PrivateKey, error) } // Base is the base KeyManager implementation type Base struct { keymanagerv1.UnsafeKeyManagerServer - funcs Funcs + config Config mu sync.RWMutex entries map[string]*KeyEntry 
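Review bot: `ifeq ($(NIGHTLY),)` treats every non-empty value as a nightly run, so `NIGHTLY=false` or `NIGHTLY=0` also removes the 60s cap. The `NewGenerator` helpers added later in this patch read the same variable with `strconv.ParseBool` and keep the pregenerated test keys for those values. The two readers of one switch should agree; matching the workflow's `NIGHTLY: true` with `ifneq ($(NIGHTLY),true)` around the `go_test_flags += -timeout=60s` line would be one way to do it. The added comment also has a typo and should read `# Cap unit-test timeout to 60s unless we're running nightlies.`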
@@ -47,21 +54,12 @@ type Base struct { // New creates a new base key manager using the provided Funcs. Default // implementations are provided for any that aren't set. -func New(funcs Funcs) *Base { - if funcs.GenerateRSA2048Key == nil { - funcs.GenerateRSA2048Key = generateRSA2048Key - } - if funcs.GenerateRSA4096Key == nil { - funcs.GenerateRSA4096Key = generateRSA4096Key - } - if funcs.GenerateEC256Key == nil { - funcs.GenerateEC256Key = generateEC256Key - } - if funcs.GenerateEC384Key == nil { - funcs.GenerateEC384Key = generateEC384Key +func New(config Config) *Base { + if config.Generator == nil { + config.Generator = defaultGenerator{} } return &Base{ - funcs: funcs, + config: config, entries: make(map[string]*KeyEntry), } } @@ -142,8 +140,8 @@ func (m *Base) generateKey(ctx context.Context, req *keymanagerv1.GenerateKeyReq m.entries[req.KeyId] = newEntry - if m.funcs.WriteEntries != nil { - if err := m.funcs.WriteEntries(ctx, entriesSliceFromMap(m.entries), newEntry); err != nil { + if m.config.WriteEntries != nil { + if err := m.config.WriteEntries(ctx, entriesSliceFromMap(m.entries), newEntry); err != nil { if hasEntry { m.entries[req.KeyId] = oldEntry } else { 
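Review bot: The doc comment kept as context above `New` in the `@@ -47,21 +54,12 @@` hunk still says "using the provided Funcs. Default implementations are provided for any that aren't set", although the parameter is now `Config` and only `Generator` receives a default. The server copy of this file in the same patch was updated to `// New creates a new base key manager using the provided config.`, and the agent copy should match, ideally with a second sentence such as `// A nil config.Generator selects the default crypto/rand-backed generator.` In the preceding hunk the agent `Generator` interface has no doc comment while the server one has `// Generator is a key generator`. `Config` is also still described as "a collection of optional callbacks" even though it now holds an interface value.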
@@ -217,13 +215,13 @@ func (m *Base) generateKeyEntry(keyID string, keyType keymanagerv1.KeyType) (e * var privateKey crypto.Signer switch keyType { case keymanagerv1.KeyType_EC_P256: - privateKey, err = m.funcs.GenerateEC256Key() + privateKey, err = m.config.Generator.GenerateEC256Key() case keymanagerv1.KeyType_EC_P384: - privateKey, err = m.funcs.GenerateEC384Key() + privateKey, err = m.config.Generator.GenerateEC384Key() case keymanagerv1.KeyType_RSA_2048: - privateKey, err = m.funcs.GenerateRSA2048Key() + privateKey, err = m.config.Generator.GenerateRSA2048Key() case keymanagerv1.KeyType_RSA_4096: - privateKey, err = m.funcs.GenerateRSA4096Key() + privateKey, err = m.config.Generator.GenerateRSA4096Key() default: return nil, status.Errorf(codes.InvalidArgument, "unable to generate key %q for unknown key type %q", keyID, keyType) } @@ -299,19 +297,21 @@ func ecdsaKeyType(privateKey *ecdsa.PrivateKey) (keymanagerv1.KeyType, error) { } } -func generateRSA2048Key() (*rsa.PrivateKey, error) { +type defaultGenerator struct{} + +func (defaultGenerator) GenerateRSA2048Key() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } -func generateRSA4096Key() (*rsa.PrivateKey, error) { +func (defaultGenerator) GenerateRSA4096Key() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 4096) } -func generateEC256Key() (*ecdsa.PrivateKey, error) { +func (defaultGenerator) GenerateEC256Key() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) } -func generateEC384Key() (*ecdsa.PrivateKey, error) { +func (defaultGenerator) GenerateEC384Key() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P384(), rand.Reader) } diff --git a/pkg/agent/plugin/keymanager/base/keymanagerbase_test.go b/pkg/agent/plugin/keymanager/base/keymanagerbase_test.go new file mode 100644 index 0000000000..623717f3f1 --- /dev/null +++ b/pkg/agent/plugin/keymanager/base/keymanagerbase_test.go 
@@ -0,0 +1,14 @@ +package keymanagerbase + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestNewSetsConfigDefaults(t *testing.T) { + // This test makes sure that we wire up the default functions + b := New(Config{}) + assert.Equal(t, defaultGenerator{}, b.config.Generator) + assert.Nil(t, b.config.WriteEntries) +} diff --git a/pkg/agent/plugin/keymanager/disk/disk.go b/pkg/agent/plugin/keymanager/disk/disk.go index f7d485d246..2dbd91f49e 100644 --- a/pkg/agent/plugin/keymanager/disk/disk.go +++ b/pkg/agent/plugin/keymanager/disk/disk.go @@ -19,11 +19,17 @@ import ( "google.golang.org/grpc/status" ) +type Generator = keymanagerbase.Generator + func BuiltIn() catalog.BuiltIn { - return builtin(New()) + return asBuiltIn(newKeyManager(nil)) +} + +func TestBuiltIn(generator Generator) catalog.BuiltIn { + return asBuiltIn(newKeyManager(generator)) } -func builtin(p *KeyManager) catalog.BuiltIn { +func asBuiltIn(p *KeyManager) catalog.BuiltIn { return catalog.MakeBuiltIn("disk", keymanagerv1.KeyManagerPluginServer(p), configv1.ConfigServiceServer(p)) @@ -43,9 +49,10 @@ type KeyManager struct { config *configuration } -func New() *KeyManager { +func newKeyManager(generator Generator) *KeyManager { m := &KeyManager{} - m.Base = keymanagerbase.New(keymanagerbase.Funcs{ + m.Base = keymanagerbase.New(keymanagerbase.Config{ + Generator: generator, WriteEntries: m.writeEntries, }) return m diff --git a/pkg/agent/plugin/keymanager/disk/disk_test.go b/pkg/agent/plugin/keymanager/disk/disk_test.go index ec14a091dc..6b0f9a5ec5 100644 --- a/pkg/agent/plugin/keymanager/disk/disk_test.go +++ b/pkg/agent/plugin/keymanager/disk/disk_test.go 
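Review bot: `TestBuiltIn` in the `@@ -19,11 +19,17 @@` hunk of disk.go is exported from a non-test file and has no doc comment. Nothing tells a caller that the `Generator` passed in replaces the `crypto/rand`-backed `defaultGenerator` for every key the plugin creates. With `testkey.Generator` that means private keys that are checked into the repository, so a production wiring that called this constructor by mistake would run on publicly known keys. I would add at least `// TestBuiltIn returns the plugin with key generation delegated to generator. It exists for tests only; production code must use BuiltIn.` The same function is added without a comment to the agent memory plugin and to the server disk and memory plugins in this patch. The hunk also removes the exported `New`, which is worth a line in the commit message in case anything outside this patch still calls it.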
@@ -83,7 +83,8 @@ func TestGenerateKeyPersistence(t *testing.T) { func loadPlugin(t *testing.T, configFmt string, configArgs ...interface{}) (keymanager.KeyManager, error) { km := new(keymanager.V1) var configErr error - plugintest.Load(t, disk.BuiltIn(), km, + + plugintest.Load(t, disk.TestBuiltIn(keymanagertest.NewGenerator()), km, plugintest.Configuref(configFmt, configArgs...), plugintest.CaptureConfigureError(&configErr), ) diff --git a/pkg/agent/plugin/keymanager/memory/memory.go b/pkg/agent/plugin/keymanager/memory/memory.go index 50b524fdd1..b1384f5193 100644 --- a/pkg/agent/plugin/keymanager/memory/memory.go +++ b/pkg/agent/plugin/keymanager/memory/memory.go @@ -6,11 +6,17 @@ import ( "github.com/spiffe/spire/pkg/common/catalog" ) +type Generator = keymanagerbase.Generator + func BuiltIn() catalog.BuiltIn { - return builtin(New()) + return asBuiltIn(newKeyManager(nil)) +} + +func TestBuiltIn(generator Generator) catalog.BuiltIn { + return asBuiltIn(newKeyManager(generator)) } -func builtin(p *KeyManager) catalog.BuiltIn { +func asBuiltIn(p *KeyManager) catalog.BuiltIn { return catalog.MakeBuiltIn("memory", keymanagerv1.KeyManagerPluginServer(p)) } @@ -18,8 +24,10 @@ type KeyManager struct { *keymanagerbase.Base } -func New() *KeyManager { +func newKeyManager(generator Generator) *KeyManager { return &KeyManager{ - Base: keymanagerbase.New(keymanagerbase.Funcs{}), + Base: keymanagerbase.New(keymanagerbase.Config{ + Generator: generator, + }), } } diff --git a/pkg/agent/plugin/keymanager/memory/memory_test.go b/pkg/agent/plugin/keymanager/memory/memory_test.go index 46cc5b0b4a..bf90bee1b7 100644 --- a/pkg/agent/plugin/keymanager/memory/memory_test.go +++ b/pkg/agent/plugin/keymanager/memory/memory_test.go 
@@ -13,7 +13,7 @@ func TestKeyManagerContract(t *testing.T) { keymanagertest.Test(t, keymanagertest.Config{ Create: func(t *testing.T) keymanager.KeyManager { km := new(keymanager.V1) - plugintest.Load(t, memory.BuiltIn(), km) + plugintest.Load(t, memory.TestBuiltIn(keymanagertest.NewGenerator()), km) return km }, }) diff --git a/pkg/agent/plugin/keymanager/test/keymanagertest.go b/pkg/agent/plugin/keymanager/test/keymanagertest.go index dfc2e5866f..01328e743a 100644 --- a/pkg/agent/plugin/keymanager/test/keymanagertest.go +++ b/pkg/agent/plugin/keymanager/test/keymanagertest.go @@ -10,11 +10,15 @@ import ( "crypto/sha256" "crypto/x509" "math/big" + "os" + "strconv" "testing" "github.com/spiffe/spire/pkg/agent/plugin/keymanager" + keymanagerbase "github.com/spiffe/spire/pkg/agent/plugin/keymanager/base" "github.com/spiffe/spire/pkg/common/plugin" "github.com/spiffe/spire/test/spiretest" + "github.com/spiffe/spire/test/testkey" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" @@ -48,6 +52,13 @@ var ( } ) +func NewGenerator() keymanagerbase.Generator { + if nightly, err := strconv.ParseBool(os.Getenv("NIGHTLY")); err == nil && nightly { + return nil + } + return &testkey.Generator{} +} + type CreateFunc = func(t *testing.T) keymanager.KeyManager type Config struct { diff --git a/pkg/common/pemutil/block.go b/pkg/common/pemutil/block.go index 4345e72b61..f9e56a75fc 100644 --- a/pkg/common/pemutil/block.go +++ b/pkg/common/pemutil/block.go @@ -19,11 +19,11 @@ type Block struct { } func LoadBlocks(path string) ([]Block, error) { - return loadBlocks(path, 0, "") + return loadBlocks(path, 0) } func ParseBlocks(pemBytes []byte) ([]Block, error) { - return parseBlocks(pemBytes, 0, "") + return parseBlocks(pemBytes, 0) } func loadBlock(path string, expectedTypes ...string) (*Block, error) { diff --git a/pkg/server/api/agent/v1/service_test.go b/pkg/server/api/agent/v1/service_test.go index 90c808519b..f81e0a48bf 100644 
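Review bot: `NewGenerator` in the `@@ -48,6 +52,13 @@` hunk of keymanagertest.go discards the `strconv.ParseBool` error, so a value it cannot parse, such as `NIGHTLY=yes`, silently selects `testkey.Generator`. The run that is meant to exercise real key generation then stops doing so without any signal. The function is exported and undocumented, and its nil return only works because `keymanagerbase.New` substitutes the default generator. A comment should state that contract, for example `// NewGenerator returns nil, which selects the default crypto/rand generator, when NIGHTLY parses as true; otherwise it returns a generator backed by the checked-in test keys.` Logging or failing on a non-empty value that does not parse would make a misconfigured nightly visible. The server copy of this helper in the same patch has the same shape.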
--- a/pkg/server/api/agent/v1/service_test.go +++ b/pkg/server/api/agent/v1/service_test.go @@ -50,6 +50,7 @@ var ( ctx = context.Background() td = spiffeid.RequireTrustDomainFromString("example.org") agentID = spiffeid.RequireFromPath(td, "/agent") + testKey = testkey.MustEC256() testNodes = map[string]*common.AttestedNode{ agent1: { @@ -1597,7 +1598,6 @@ func TestGetAgent(t *testing.T) { } func TestRenewAgent(t *testing.T) { - testKey := testkey.MustEC256() agentIDType := &types.SPIFFEID{TrustDomain: "example.org", Path: "/agent"} defaultNode := &common.AttestedNode{ @@ -2141,7 +2141,7 @@ func TestAttestAgent(t *testing.T) { t, "https://github.com/spiffe/spire/issues/2841", ) - testCsr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, testkey.MustEC256()) + testCsr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, testKey) require.NoError(t, err) _, expectedCsrErr := x509.ParseCertificateRequest([]byte("not a csr")) diff --git a/pkg/server/plugin/keymanager/base/keymanagerbase.go b/pkg/server/plugin/keymanager/base/keymanagerbase.go index befc16d42b..9d9c521906 100644 --- a/pkg/server/plugin/keymanager/base/keymanagerbase.go +++ b/pkg/server/plugin/keymanager/base/keymanagerbase.go 
@@ -26,42 +26,40 @@ type KeyEntry struct { *keymanagerv1.PublicKey } -// Funcs is a collection of optional callbacks. Default implementations will be +// Config is a collection of optional callbacks. Default implementations will be // used when not provided. -type Funcs struct { - WriteEntries func(ctx context.Context, entries []*KeyEntry) error - GenerateRSA2048Key func() (*rsa.PrivateKey, error) - GenerateRSA4096Key func() (*rsa.PrivateKey, error) - GenerateEC256Key func() (*ecdsa.PrivateKey, error) - GenerateEC384Key func() (*ecdsa.PrivateKey, error) +type Config struct { + // Generator is an optional key generator. + Generator Generator + + // WriteEntries is an optional callback used to persist key entries + WriteEntries func(ctx context.Context, entries []*KeyEntry) error +} + +// Generator is a key generator +type Generator interface { + GenerateRSA2048Key() (*rsa.PrivateKey, error) + GenerateRSA4096Key() (*rsa.PrivateKey, error) + GenerateEC256Key() (*ecdsa.PrivateKey, error) + GenerateEC384Key() (*ecdsa.PrivateKey, error) } // Base is the base KeyManager implementation type Base struct { keymanagerv1.UnsafeKeyManagerServer - funcs Funcs + config Config mu sync.RWMutex entries map[string]*KeyEntry } -// New creates a new base key manager using the provided Funcs. Default -// implementations are provided for any that aren't set. -func New(funcs Funcs) *Base { - if funcs.GenerateRSA2048Key == nil { - funcs.GenerateRSA2048Key = generateRSA2048Key - } - if funcs.GenerateRSA4096Key == nil { - funcs.GenerateRSA4096Key = generateRSA4096Key - } - if funcs.GenerateEC256Key == nil { - funcs.GenerateEC256Key = generateEC256Key - } - if funcs.GenerateEC384Key == nil { - funcs.GenerateEC384Key = generateEC384Key +// New creates a new base key manager using the provided config. +func New(config Config) *Base { + if config.Generator == nil { + config.Generator = defaultGenerator{} } return &Base{ - funcs: funcs, + config: config, entries: make(map[string]*KeyEntry), } } 
@@ -142,8 +140,8 @@ func (m *Base) generateKey(ctx context.Context, req *keymanagerv1.GenerateKeyReq m.entries[req.KeyId] = newEntry - if m.funcs.WriteEntries != nil { - if err := m.funcs.WriteEntries(ctx, entriesSliceFromMap(m.entries)); err != nil { + if m.config.WriteEntries != nil { + if err := m.config.WriteEntries(ctx, entriesSliceFromMap(m.entries)); err != nil { if hasEntry { m.entries[req.KeyId] = oldEntry } else { @@ -217,13 +215,13 @@ func (m *Base) generateKeyEntry(keyID string, keyType keymanagerv1.KeyType) (e * var privateKey crypto.Signer switch keyType { case keymanagerv1.KeyType_EC_P256: - privateKey, err = m.funcs.GenerateEC256Key() + privateKey, err = m.config.Generator.GenerateEC256Key() case keymanagerv1.KeyType_EC_P384: - privateKey, err = m.funcs.GenerateEC384Key() + privateKey, err = m.config.Generator.GenerateEC384Key() case keymanagerv1.KeyType_RSA_2048: - privateKey, err = m.funcs.GenerateRSA2048Key() + privateKey, err = m.config.Generator.GenerateRSA2048Key() case keymanagerv1.KeyType_RSA_4096: - privateKey, err = m.funcs.GenerateRSA4096Key() + privateKey, err = m.config.Generator.GenerateRSA4096Key() default: return nil, status.Errorf(codes.InvalidArgument, "unable to generate key %q for unknown key type %q", keyID, keyType) } 
@@ -299,19 +297,21 @@ func ecdsaKeyType(privateKey *ecdsa.PrivateKey) (keymanagerv1.KeyType, error) { } } -func generateRSA2048Key() (*rsa.PrivateKey, error) { +type defaultGenerator struct{} + +func (defaultGenerator) GenerateRSA2048Key() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } -func generateRSA4096Key() (*rsa.PrivateKey, error) { +func (defaultGenerator) GenerateRSA4096Key() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 4096) } -func generateEC256Key() (*ecdsa.PrivateKey, error) { +func (defaultGenerator) GenerateEC256Key() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) } -func generateEC384Key() (*ecdsa.PrivateKey, error) { +func (defaultGenerator) GenerateEC384Key() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P384(), rand.Reader) } diff --git a/pkg/server/plugin/keymanager/base/keymanagerbase_test.go b/pkg/server/plugin/keymanager/base/keymanagerbase_test.go new file mode 100644 index 0000000000..623717f3f1 --- /dev/null +++ b/pkg/server/plugin/keymanager/base/keymanagerbase_test.go @@ -0,0 +1,14 @@ +package keymanagerbase + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestNewSetsConfigDefaults(t *testing.T) { + // This test makes sure that we wire up the default functions + b := New(Config{}) + assert.Equal(t, defaultGenerator{}, b.config.Generator) + assert.Nil(t, b.config.WriteEntries) +} diff --git a/pkg/server/plugin/keymanager/disk/disk.go b/pkg/server/plugin/keymanager/disk/disk.go index e702efef08..78f781e55e 100644 --- a/pkg/server/plugin/keymanager/disk/disk.go +++ b/pkg/server/plugin/keymanager/disk/disk.go 
@@ -17,11 +17,17 @@ import ( "google.golang.org/grpc/status" ) +type Generator = keymanagerbase.Generator + func BuiltIn() catalog.BuiltIn { - return builtin(New()) + return asBuiltIn(newKeyManager(nil)) +} + +func TestBuiltIn(generator Generator) catalog.BuiltIn { + return asBuiltIn(newKeyManager(generator)) } -func builtin(p *KeyManager) catalog.BuiltIn { +func asBuiltIn(p *KeyManager) catalog.BuiltIn { return catalog.MakeBuiltIn("disk", keymanagerv1.KeyManagerPluginServer(p), configv1.ConfigServiceServer(p)) @@ -39,10 +45,11 @@ type KeyManager struct { config *configuration } -func New() *KeyManager { +func newKeyManager(generator Generator) *KeyManager { m := &KeyManager{} - m.Base = keymanagerbase.New(keymanagerbase.Funcs{ + m.Base = keymanagerbase.New(keymanagerbase.Config{ WriteEntries: m.writeEntries, + Generator: generator, }) return m } diff --git a/pkg/server/plugin/keymanager/disk/disk_test.go b/pkg/server/plugin/keymanager/disk/disk_test.go index cc050c4093..fcaf04637b 100644 --- a/pkg/server/plugin/keymanager/disk/disk_test.go +++ b/pkg/server/plugin/keymanager/disk/disk_test.go @@ -83,7 +83,7 @@ func TestGenerateKeyPersistence(t *testing.T) { func loadPlugin(t *testing.T, configFmt string, configArgs ...interface{}) (keymanager.KeyManager, error) { km := new(keymanager.V1) var configErr error - plugintest.Load(t, disk.BuiltIn(), km, + plugintest.Load(t, disk.TestBuiltIn(keymanagertest.NewGenerator()), km, plugintest.Configuref(configFmt, configArgs...), plugintest.CaptureConfigureError(&configErr), ) diff --git a/pkg/server/plugin/keymanager/memory/memory.go b/pkg/server/plugin/keymanager/memory/memory.go index a06ae34f4f..76c12f96cf 100644 --- a/pkg/server/plugin/keymanager/memory/memory.go +++ b/pkg/server/plugin/keymanager/memory/memory.go 
@@ -6,11 +6,17 @@ import ( keymanagerbase "github.com/spiffe/spire/pkg/server/plugin/keymanager/base" ) +type Generator = keymanagerbase.Generator + func BuiltIn() catalog.BuiltIn { - return builtin(New()) + return asBuiltIn(newKeyManager(nil)) +} + +func TestBuiltIn(generator Generator) catalog.BuiltIn { + return asBuiltIn(newKeyManager(generator)) } -func builtin(p *KeyManager) catalog.BuiltIn { +func asBuiltIn(p *KeyManager) catalog.BuiltIn { return catalog.MakeBuiltIn("memory", keymanagerv1.KeyManagerPluginServer(p)) } @@ -18,8 +24,10 @@ type KeyManager struct { *keymanagerbase.Base } -func New() *KeyManager { +func newKeyManager(generator Generator) *KeyManager { return &KeyManager{ - Base: keymanagerbase.New(keymanagerbase.Funcs{}), + Base: keymanagerbase.New(keymanagerbase.Config{ + Generator: generator, + }), } } diff --git a/pkg/server/plugin/keymanager/memory/memory_test.go b/pkg/server/plugin/keymanager/memory/memory_test.go index 205fd2f3c1..11491d890a 100644 --- a/pkg/server/plugin/keymanager/memory/memory_test.go +++ b/pkg/server/plugin/keymanager/memory/memory_test.go @@ -13,7 +13,7 @@ func TestKeyManagerContract(t *testing.T) { keymanagertest.Test(t, keymanagertest.Config{ Create: func(t *testing.T) keymanager.KeyManager { km := new(keymanager.V1) - plugintest.Load(t, memory.BuiltIn(), km) + plugintest.Load(t, memory.TestBuiltIn(keymanagertest.NewGenerator()), km) return km }, }) diff --git a/pkg/server/plugin/keymanager/test/keymanagertest.go b/pkg/server/plugin/keymanager/test/keymanagertest.go index cc6773ed21..058c7e2df7 100644 --- a/pkg/server/plugin/keymanager/test/keymanagertest.go +++ b/pkg/server/plugin/keymanager/test/keymanagertest.go 
@@ -10,11 +10,15 @@ import ( "crypto/sha256" "crypto/x509" "math/big" + "os" + "strconv" "testing" "github.com/spiffe/spire/pkg/common/plugin" "github.com/spiffe/spire/pkg/server/plugin/keymanager" + keymanagerbase "github.com/spiffe/spire/pkg/server/plugin/keymanager/base" "github.com/spiffe/spire/test/spiretest" + "github.com/spiffe/spire/test/testkey" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" @@ -48,6 +52,13 @@ var ( } ) +func NewGenerator() keymanagerbase.Generator { + if nightly, err := strconv.ParseBool(os.Getenv("NIGHTLY")); err == nil && nightly { + return nil + } + return &testkey.Generator{} +} + type CreateFunc = func(t *testing.T) keymanager.KeyManager type Config struct { diff --git a/test/fakes/fakeagentkeymanager/keymanager.go b/test/fakes/fakeagentkeymanager/keymanager.go index 349ef1b885..73908dce83 100644 --- a/test/fakes/fakeagentkeymanager/keymanager.go +++ b/test/fakes/fakeagentkeymanager/keymanager.go @@ -7,15 +7,16 @@ import ( "github.com/spiffe/spire/pkg/agent/plugin/keymanager/disk" "github.com/spiffe/spire/pkg/agent/plugin/keymanager/memory" "github.com/spiffe/spire/test/plugintest" + "github.com/spiffe/spire/test/testkey" ) // New returns a fake key manager func New(t *testing.T, dir string) keymanager.KeyManager { km := new(keymanager.V1) if dir != "" { - plugintest.Load(t, disk.BuiltIn(), km, plugintest.Configuref("directory = %q", dir)) + plugintest.Load(t, disk.TestBuiltIn(&testkey.Generator{}), km, plugintest.Configuref("directory = %q", dir)) } else { - plugintest.Load(t, memory.BuiltIn(), km) + plugintest.Load(t, memory.TestBuiltIn(&testkey.Generator{}), km) } return km } diff --git a/test/fakes/fakeserverkeymanager/keymanager.go b/test/fakes/fakeserverkeymanager/keymanager.go index 53227f7a39..bd345960c6 100644 --- a/test/fakes/fakeserverkeymanager/keymanager.go +++ b/test/fakes/fakeserverkeymanager/keymanager.go 
@@ -12,14 +12,9 @@ import ( ) func New(t *testing.T) keymanager.KeyManager { - keys := new(testkey.Keys) - plugin := keyManager{ - Base: keymanagerbase.New(keymanagerbase.Funcs{ - GenerateRSA2048Key: keys.NextRSA2048, - GenerateRSA4096Key: keys.NextRSA4096, - GenerateEC256Key: keys.NextEC256, - GenerateEC384Key: keys.NextEC384, + Base: keymanagerbase.New(keymanagerbase.Config{ + Generator: &testkey.Generator{}, }), } diff --git a/test/integration/setup/adminclient/client.go b/test/integration/setup/adminclient/client.go index 46f4429352..21e31a5255 100644 --- a/test/integration/setup/adminclient/client.go +++ b/test/integration/setup/adminclient/client.go @@ -20,8 +20,8 @@ import ( svidv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1" "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1" "github.com/spiffe/spire-api-sdk/proto/spire/api/types" + "github.com/spiffe/spire/pkg/common/pemutil" "github.com/spiffe/spire/test/integration/setup/itclient" - "github.com/spiffe/spire/test/testkey" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" "google.golang.org/protobuf/proto" @@ -50,7 +50,11 @@ Q0qBJEOkL6FrAngY5218TCNUS30YS5HjI2lfyyjB+cSVFXX8Szu019dDBMhV var ( blk, _ = pem.Decode([]byte(testBundle)) pkixBytes, _ = base64.StdEncoding.DecodeString("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYSlUVLqTD8DEnA4F1EWMTf5RXc5lnCxw+5WKJwngEL3rPc9i4Tgzz9riR3I/NiSlkgRO1WsxBusqpC284j9dXA==") - key = testkey.MustEC256() + key, _ = pemutil.ParseSigner([]byte(`-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgs/CcKxAEIyBBEQ9h +ES2kJbWTz79ut45qAb0UgqrGqmOhRANCAARssWdfmS3D4INrpLBdSBxzso5kPPSX +F21JuznwCuYKNV5LnzhUA3nt2+6e18ZIXUDxl+CpkvCYc10MO6SYg6AE +-----END PRIVATE KEY-----`)) // Used between test entryID = "" agentID = &types.SPIFFEID{} diff --git a/test/integration/setup/downstreamclient/client.go b/test/integration/setup/downstreamclient/client.go index bcf05ee3fd..af8544b441 100644 
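Review bot: The `key, _ = pemutil.ParseSigner(...)` initializer in the adminclient `var` block discards the parse error, so a damaged PEM literal leaves `key` nil and the failure only surfaces later, wherever the signer is first used. The same literal and the same discarded error are repeated in the downstreamclient and node-attestation client hunks further down. The key is also the first entry of the committed `test/testkey/ec256.pem`, so it is public material and should be labelled as such, for example `// Test-only key, committed to the repository; never use outside the integration tests.` I would parse it once in a shared helper that panics on error, so the three clients cannot drift apart and a bad literal fails at startup.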
--- a/test/integration/setup/downstreamclient/client.go +++ b/test/integration/setup/downstreamclient/client.go @@ -13,15 +13,21 @@ import ( bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1" svidv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1" "github.com/spiffe/spire-api-sdk/proto/spire/api/types" + "github.com/spiffe/spire/pkg/common/pemutil" "github.com/spiffe/spire/test/integration/setup/itclient" - "github.com/spiffe/spire/test/testkey" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" "google.golang.org/protobuf/proto" ) var ( - key = testkey.MustEC256() + key, _ = pemutil.ParseSigner([]byte(` +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgs/CcKxAEIyBBEQ9h +ES2kJbWTz79ut45qAb0UgqrGqmOhRANCAARssWdfmS3D4INrpLBdSBxzso5kPPSX +F21JuznwCuYKNV5LnzhUA3nt2+6e18ZIXUDxl+CpkvCYc10MO6SYg6AE +-----END PRIVATE KEY----- +`)) ) func main() { diff --git a/test/integration/setup/itclient/client.go b/test/integration/setup/itclient/client.go index f9d2f4b94e..0dabc46ec5 100644 --- a/test/integration/setup/itclient/client.go +++ b/test/integration/setup/itclient/client.go @@ -2,7 +2,7 @@ package itclient import ( "context" - "crypto/ecdsa" + "crypto" "crypto/tls" "crypto/x509" "flag" @@ -81,7 +81,7 @@ func NewInsecure(ctx context.Context) *Client { } } -func NewWithCert(ctx context.Context, cert *x509.Certificate, key *ecdsa.PrivateKey) *Client { +func NewWithCert(ctx context.Context, cert *x509.Certificate, key crypto.Signer) *Client { flag.Parse() tlsConfig := tls.Config{ diff --git a/test/integration/setup/node-attestation/client.go b/test/integration/setup/node-attestation/client.go index 0af1709c79..1351fc103d 100644 --- a/test/integration/setup/node-attestation/client.go +++ b/test/integration/setup/node-attestation/client.go 
@@ -17,16 +17,21 @@ import ( agent "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1" types "github.com/spiffe/spire-api-sdk/proto/spire/api/types" + "github.com/spiffe/spire/pkg/common/pemutil" "github.com/spiffe/spire/pkg/common/plugin/x509pop" "github.com/spiffe/spire/test/integration/setup/itclient" - "github.com/spiffe/spire/test/testkey" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" "google.golang.org/protobuf/proto" ) var ( - key = testkey.MustEC256() + key, _ = pemutil.ParseSigner([]byte(`-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgs/CcKxAEIyBBEQ9h +ES2kJbWTz79ut45qAb0UgqrGqmOhRANCAARssWdfmS3D4INrpLBdSBxzso5kPPSX +F21JuznwCuYKNV5LnzhUA3nt2+6e18ZIXUDxl+CpkvCYc10MO6SYg6AE +-----END PRIVATE KEY-----`)) + testStep = flag.String("testStep", "", "jointoken, attest, ban, renew") tokenName = flag.String("tokenName", "tokenName", "token for attestation") certificate = flag.String("certificate", "", "certificate for api connection") diff --git a/test/testkey/bucket.go b/test/testkey/bucket.go new file mode 100644 index 0000000000..69711da4b5 --- /dev/null +++ b/test/testkey/bucket.go 
@@ -0,0 +1,116 @@ +package testkey + +import ( + "bytes" + "crypto" + "crypto/x509" + "encoding/pem" + "errors" + "fmt" + "os" + "path/filepath" + "runtime" + "sync" + + "github.com/spiffe/spire/pkg/common/pemutil" +) + +var ( + packageDir string +) + +func init() { + packageDir = initPackageDir() +} + +func initPackageDir() string { + _, file, _, ok := runtime.Caller(0) + if !ok { + panic("unable to obtain caller information") + } + return filepath.Dir(file) +} + +type keyType[K crypto.Signer] interface { + Path() string + GenerateKey() (K, error) +} + +type bucket[KT keyType[K], K crypto.Signer] struct { + kt KT + + mtx sync.Mutex + keys []K +} + +func (b *bucket[KT, K]) At(n int) (key K, err error) { + b.mtx.Lock() + defer b.mtx.Unlock() + + if err := b.load(); err != nil { + return key, err + } + + switch { + case n > len(b.keys): + return key, errors.New("cannot ask for key beyond the end") + case n < len(b.keys): + return b.keys[n], nil + default: + key, err = b.kt.GenerateKey() + if err != nil { + return key, err + } + b.keys = append(b.keys, key) + if err := b.save(); err != nil { + return key, err + } + return key, nil + } +} + +func (b *bucket[KT, K]) load() (err error) { + if b.keys != nil { + return nil + } + + blocks, err := pemutil.LoadBlocks(b.path()) + if err != nil { + if errors.Is(err, os.ErrNotExist) { + return nil + } + return err + } + + keys := make([]K, 0, len(blocks)) + for _, block := range blocks { + key, ok := block.Object.(K) + if !ok { + return fmt.Errorf("expected %T; got %T", key, block.Object) + } + keys = append(keys, key) + } + + b.keys = keys + return nil +} + +func (b *bucket[KT, K]) save() error { + var buf bytes.Buffer + buf.WriteString("// THIS FILE IS GENERATED. 
DO NOT EDIT THIS FILE DIRECTLY.\n\n") + for _, key := range b.keys { + keyBytes, err := x509.MarshalPKCS8PrivateKey(key) + if err != nil { + return err + } + _ = pem.Encode(&buf, &pem.Block{ + Type: "PRIVATE KEY", + Bytes: keyBytes, + }) + } + return os.WriteFile(b.path(), buf.Bytes(), 0600) +} + +func (b *bucket[KT, K]) path() string { + return filepath.Join(packageDir, b.kt.Path()) +} diff --git a/test/testkey/ec256.pem b/test/testkey/ec256.pem new file mode 100644 index 0000000000..52c2a3ad8a --- /dev/null +++ b/test/testkey/ec256.pem 
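Review bot: `save()` rewrites the key file in place with `os.WriteFile`, and `b.mtx` only serializes goroutines inside one process, so test binaries running in parallel (as `go test ./...` does per package) can read a truncated file in `load()` or overwrite each other's newly generated key. Writing to a temporary file in the same directory and renaming it over the target removes the partial-read case. The lost-update case, where two processes each append a different key at the same index, would still need a file lock or a reload before append. A comment on `initPackageDir` is also worth adding, since it resolves the directory from `runtime.Caller(0)` and so assumes the tests run from a source checkout with unmodified file paths.

```go
func (b *bucket[KT, K]) save() error {
	// … unchanged: header line and PEM encoding of b.keys into buf …

	// Write to a temp file next to the target and rename it into place so
	// another test process never observes a partially written key file.
	tmp, err := os.CreateTemp(filepath.Dir(b.path()), "testkey-*.tmp")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	if _, err := tmp.Write(buf.Bytes()); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), b.path())
}
```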
@@ -0,0 +1,222 @@ +// THIS FILE IS GENERATED. DO NOT EDIT THIS FILE DIRECTLY. + +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgs/CcKxAEIyBBEQ9h +ES2kJbWTz79ut45qAb0UgqrGqmOhRANCAARssWdfmS3D4INrpLBdSBxzso5kPPSX +F21JuznwCuYKNV5LnzhUA3nt2+6e18ZIXUDxl+CpkvCYc10MO6SYg6AE +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgCAArepHPkJwmqERo +pfZl0qhRf2rjSBHr21qTiZeXDVqhRANCAAT7HAJMgJVxpRuOiPGRcGSz5VxeSl34 +45bHkNRlDu8MhRZCawM5ihRL1Fga/xQ32/XAI9/hUaYGUmgHNqksgUSB +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgV6cmzRw5HX42HCcX +snyrAoH2QIrwavkpv2iK7zI5ZeGhRANCAATIBgjdfKk1g4aO7iFzGFJjBMg+oPST +s7kdURwISvzqLL7AHh/NZB2K3ygHYSr21uh5bP0xNEf7OJkeljRrB4P6 +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg3+Vfx+cmsP3Xlii+ +GWjzD8KAH4EAxvjTmu5NxM9gARihRANCAASGuhII3x3nxcFnz/SCtibXMjUPtSqU +NpGg5QEiiRxUT3Cwn31MPznLbKCksm9pA9OLBxnTp+geBYc+FPNzpDa9 +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIRLM8pdBv1SmIN9U +Dj4X274iAsgS3x3YqLnehGZIEXShRANCAAQHwL9hzYAZQao3Kq7BSgtPpkIizU7p +XKq8YMMuuCzLHH9dSUGoeY9fzIVNIuKpV+fGbZGJQbD2qJOB7eKnmNwr +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgvHf/cn5uRP7IPgMd +EPmQwSC82vL7bzYD6vhSOnwNV3mhRANCAASDHYH4T457og/aLIyywEd0yAokGM/e +BGve8253yK5QYtB76IZOHGrGzfMxwbSU3GXnF4G3Pq1cPN6U+wRRrCyW +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg04FTEn6Nq7bO1O2T +9SckWTyHjXuEah5dYhFHlqfD2VuhRANCAAQIglnCh2Bv6RhpDz73Y7AfZ52gZI9m +pjK2LIVimFo+HiGqGLWMqrQrcf992968VTh9eqvC+5u4jaSuorbj/8wq +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQggSbEyQACDOVicuGe +Tn7X2Th3xLMalD13eZXbv6mU2X+hRANCAATedLTufASz/anZIs5eL1AUcUdJz6w6 
+t6+QlcIoC6IxT+shp2OPt8b7KpiEllNyfi3nmyXqbKFtaXlJPzIfeUxR +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgwOYQN3832guOFAWK +2VHRxf9k6YBN7/3IvVnp1tY58I+hRANCAASfdlP1vbeaDaL7hDFQpGSoEBb3sEWk +fKW0dguBYS7ZnhwLWPLGPMLdy20pl5YYekg8wdb8tvTNTaBOdCAqOE/g +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg01wVqQTsEqQPM/Cv +5daJ7FAvGsa2OsgB6GGiET3DcUGhRANCAATVNzirHlWDqrFxJ5vj32+yZmetTAoo +QnEy9YZJJMtrKRMcGMb1ie7w6yw1OsM/SW238bHPZfCGqPXF/5zqXRt6 +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQglNQ+ilhINbPXiXp6 ++z9lhv5f2/v2y29x9YvezlclJ0+hRANCAASoHkiYYcDAT1+vY5k6kC2omUQxgAcx +SD8DLIBl1no0P1SBo4lnTKaRIXOdmwhC0+po1/WewhAwcAoKEuufRiC7 +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQghMbLQU9t/+1o21m5 +pOple/l1/1JZYhaDUo5l2Qj7u9OhRANCAAQQVi/9iTzui2jUKp0vz8gpUy54SQJk +y+hs/WYKWZkqmRuuvxKMV/vuC/ZRHA43Aihs4eWqC6xULiFebv4g64x5 +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgt+BJ6enqEMh2Jy1g +o2TXVHdfwlAr8KNOhw1zyIIACvShRANCAAS7En0X7wqBOH/JOWvIqtGe/XCuYMoc +K5RRo0vzxjIBiJBT1v0OV2dsQOA+Wq3G4vFlH3375MXA/zv6cVV8lj3x +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgcKrCV3XwNkv+pr9a +//1sI7XYGZ5FwRtmhQ25N6FiZMahRANCAAS44PF0r2WhrXMIOrmD1Eqx2UTpTCWq +lu18Rrbvi7987+MZOMkRhJHHflmZ4r3X3mAPJcc3AgM7yBSRfclMPEcy +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgCQs10kYNvq5wn4Pg +/6g4RpDaWdGMDjglXd0g4+R10DihRANCAASuht5hSxMmXc8m0uyKmAQjUhnRE/+G +8iF98O3ZtnihpMgDa9vtDYySB5fCPzYsy6q+U1cgSLpXgxD33cESp0Zp +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgMZ1ukUtZhk8OMNjL +Vux90wmhRpiQVxZGWiFPJVJCBWWhRANCAAQZr+FYxKBfbxKjXT2dyzDuYJsIqPr2 
+5+Ql5Xf8VmWzGOEe2EGRhbjdP/UR8z5sz+bEqOxTSGHOmw++LCIxf9fD +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPezarwGukMMyk3vU +QV+fvX5XdZZxoDFKikgLEOGJbdShRANCAAQXs7VTH/Auctv/EZwxdVknY0VTta81 +L3axGhwt84qZfLZA/bkcGLMTWqwEnnx7SBBa0zjicn8pOoxaXYYx8K7E +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgDHmBvYkgP5aHqwHY +Uzx6B9TXkx8YqJeLjDs+KunDIrKhRANCAASpt35K6QAu7vJO6pB/sYzDGmqF5My0 +2RSCDFihHcTKzDzrZTOBVPeZc0wYPTCFpQ3bJmDy0EzB5acLdyhnjGi2 +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg298Bj04e3u1Vm929 +x9ay217Inr7v6hoJH9YL6745xRWhRANCAAT+evK/nRMuQ6vtdYiQXREY2x5uLlBQ +YYHVaKSzf/kzQSz6ggZdk/9oNdL2iL9Ul7jMzvjEvye8y0HzGAv3fCfp +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgWWwhVu45jPCAKa0w +rtjNDdIclhAtTvEpX4e6Y+VoFm+hRANCAAQkwnGHJiC/IKxjWrwEJoNEtl3aiCoH +7Y+q5CK73MfDSFDRJuPXWYVvHhujje8tk3J9wCd9aHVeNws4QEX46T/o +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgUO8p8VnEsA0fcuW+ +Fis/bmjcPYJIR4VSDz6Pkq0792ihRANCAATi2duWJ4iSAjA4F3mSQKd3QugNO4du +dH2xcEnNpkURro4bDM+resgq8ezlF5/ERdzAUk1RNwTBaU9yHvogQ8+A +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPjwFlD1cQ5KjDbBH +TIjV+Yk1ZpHM3c9nllI1R1uCbp6hRANCAAQR1qN422VuofdtCL/YpHTwHnU4mays +THmQ5a+wSIqwuNCI/p+WzQfFaLQhBTVSdqCOWKhqflSqY+cO2iGVZZkv +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg6hW9p61/L2BeaVZF +Y16WpFA6gzbSfgeH4Zu5s2Zj+r6hRANCAAS9G+rYS4ZhaudCCOxkUYm5gRm/uV1a +tUmjSpPZOxAtI4k7rFS1jAxHGUuNByGe3X0spw2RoQR49ofmIVBfN58+ +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgoljSzaTSojp2EgLB +X1hoibFQGGmSOswQxbWaYMWc9SChRANCAAStsJH1aIGyRPbl98O+riAjK+YNsh1f 
+Fu9WDM07tBRrskrJnjSN0AurVyhytbobswniVcOhS5bWlLukQZ5RT7cK +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg9bgY1xti7/auMvrE +qpZG9GG+M6ftq9hRDNeUPAv24RGhRANCAAS0txtop4q6q6D3PnzVkSoPCf1HiQzz +NIZfa0YFaGv/YQGziZuIaKhpliSBEIW3Ee8OEBNnkpWa44B48MvAd8NH +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgegrcliR1ICIdgHkD +kYVvNRdM+j8kC5vxPBR3Uxh5R76hRANCAAQcQoV59skUMnFH+0foDTlTzvSWFLGP +9l1RAfXZYKnLYMSa3MZ5hmJYWzKZ5TjR63b6xIm/z/tyjI1UprwBoUP8 +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgoaHkvQjVmxTQq+QK +OyzO0Qw+HAcJavaUlRODsox+V26hRANCAASAXuN4+RMbohgTC+InyOQ8mu8AKEqj +OkfN2FzjVDbHP2IjyupsN1bj2Mu8zxx4AwnquTf/gE97xqbF5zhoUHxc +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgRiQd6++0d8fuGm60 +fbRGw8K3O7z6xHdjMUWkcYYCXjKhRANCAASiJrHkMOsc2l06sB/NP+CTHCFts5ea +79wX8/1fbroymm7FRh0CzYYcP2hP5MFyxlWc6lxV0GPz9p7/bziRM8lX +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgfP9spzAt/sXrv6P6 +fZ2V8AOoNh9fzCZPbMDhNO3dwAihRANCAARYat8zfxqf/1PXgy7cv2R5zFTZD1GJ +6zzInq3DJ1hvoza+EWfD7K9lNZRvdpRjF0m2HsTAyJ8/fbpbfAsis3TA +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgUIT5iwodfbr0JWKV +q26KXRaQIJQ3h6pGivoAg2GdV7GhRANCAATDG2Q4Bj5a9CxL+TZsc7F2G3vyqyVv +DSkBZoGsDIJFATjkj3w7vMETOg833/ev/K735Ubd7Rt43gtep/AmFCYV +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg1hTNnSgVLoGUU02/ +8WnIACBPbKHo1e1V7WTifddwfAihRANCAATXVo6C542OuhxjZmg+C5sW0283SJz2 +lPqeGRc2sdqB2wEBBOkqXsPKE10ONYg1UOPV9Ye/u4g+4H5XoVAdMgYx +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgexAx/7S+6djaXKIp +RcyFpA/6BY+IovMa/SfKIjsMSWKhRANCAATvschwitvaGRgBjJxCGvfjTMGrZ6qg 
+zvLTuBQHFicda8tiSuexw+hpiSnrv1cX7u5TgJo3Ecr9RjwBi8Xz55GU +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgoYLwhq/afAzm5oA5 +ArZQub+EpIZIuAPwWAUlkexctbyhRANCAATCaf6reaIOZbK/wgIZr1BkTmz2Jk/F +nEsomBCAM10mcXjbTX06ko8w2nmPbvdI2dd6Vzw5oDLvRBRL2xPXy8Dx +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgi9tucdEzl5t85GMY +l27paU4Z2ldWIYEjWP8eegyKKG2hRANCAATDeSAPDA4Rhh7Kgn6T1XcKoIljfQvh +PP+xHR6gCyXuKR6fCQUJwsTz8egSmtaHk2xQSLSwNo9Jwgy5spaxzaXZ +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgauTNUvkbD8ijYlPR +yuTg+Ul/TgBAQqCWl59H6asrbAWhRANCAAQMNUKoLptNj7UXK3J9AOBlCTFiTP3R +JuWlSKdbp19pjbTrrRJ0u8wCohkl43Zcw1ArBzVLTsnJW5knk1DbHUC7 +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgRKUbUj2iaZCgCeOv +5s4l+Dg0KCNvdRs6h0dGVht0Kg+hRANCAASf4W6eAJgxOS57Jn4W9Cd1Wae3+2jR +3+lG6ni7x9xWk9OLYaiWe/+n4yn4QgBAre2Lmjxweq/mhynBmhf+LJUW +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg1xH8jTPXbnkW2dwp +JRn1fo6O2jWh6dX0myqGIPJ5S8GhRANCAARvvjo0/1bQZjFSqS6zSoag61PQmodM +fiiQteFV07/vhcHeTRU35MMu7QS3ENDZP7UpLjVNGoUqYd2+kZ4SeQS9 +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgNd5koqqqfc2RFeMP +lCtJHpVAjSIfHi1HyVUgRlzLKzqhRANCAARdYcJptEArPC5PYPlqnv5FHlDnj+zH +WmlosM36oCGq4029bZFAXnz1uxHpGFsQL2KTPiwnyqD/smBDTjOWIbZF +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgQBz4ZYX9VFAXp8/K +4E6yRev5W6KN0X+YKgFch7TxDEGhRANCAAR7C7O45csLVXzozjoqxDfQaBK2P6UZ +wkGy+NNh0M75CK5pUVfnjFx/y+QVzWrmPYF7qLhquOxv/qatjhk8+n9q +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgfOgPGqv+h9+MZb2W +B55uO4QjYTQtw0Me+3MFeXrjct6hRANCAATmLvOq9++TtdKRCz/L68iZuP/yQFJW 
+gAR0c13OQIyBufebxDemMD76Re6UzwmjG9H1iz5jIp4BUI8ZMb6z9uQ+ +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg2W/vwkUdAz1Di0pK +II0LSHIFkDcOti75FPsfht/+FdOhRANCAASGANLKu2clEI9XIEDE6GhvtlOe+Nro +fkUqew1tPHw67YdlLoNbpRF1V46DatBMdNNskeUPTbLv5VpOEoIjID+I +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgFwe4zneot+8dLmnu +nh58hl6Uv6+/DteD+pgOPkn3X/qhRANCAAQnoDwjh/WT0iZEmwe68DWzJJAvi+EY +C35bA+9JoBl4GMno+oVavReizY704aVul952NpJ9yJVFw2uWZmDhn5qB +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgcMC42hB+XRKA6ZtF +w0Q0CuLBukTqyX49XOQq/45rb9yhRANCAATYPDZJ95YtsilzwkcuP6Nga+hDAUf2 +tzAlmSuDNzJoxlB5YEmGRji7/STjBK9P3qdy5vDbCVcWQNhc8fBJRv3x +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg2Uw/wBfUIY2YKQF/ +08Cxrmq1vEjQe/pofhnSgD5I7kihRANCAASyL5TIaWoiIaQV+1H80jswPHRU0fzQ +5802QHn0te5ugJ4izcn7JqPss47zkud5X9iuCUwZ0QvvQJBUpvuNTwHM +-----END PRIVATE KEY----- diff --git a/test/testkey/ec384.pem b/test/testkey/ec384.pem new file mode 100644 index 0000000000..0679baf1da --- /dev/null +++ b/test/testkey/ec384.pem 
@@ -0,0 +1,32 @@ +// THIS FILE IS GENERATED. DO NOT EDIT THIS FILE DIRECTLY. + +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDAo6qtpUSdCIrwS+16g +MtaRsYVf2Z7fPRT4ukHSmMtLgozw/es9VW/tg9QK8GU0LoehZANiAARLpZpT8Qum +17LOc8Lu7xKGndoCQRE01Kkg4keSXq8237rwjUALWMkk35rSh6CaXgbladjUmAbX +6TOHdN2Tn1YKZMzDNI+ENji/wn4bAatn2qahEACUXvIhrNn+jLQ7S4A= +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDATer/8uq6Tv57VBmBM +RVHH8Msy6RS8RkdrNJsPfjIjSP3T7MwmsDQfrVu5WGOCa1ChZANiAATBbvC3ehfN +zZIYfxAykshZoF1W7AUnReX3L+lhI9fGh9svWLwsov8NfUBl2Fp2qsalhbHpW4oW ++P/mkAo8KPvhznfAtbX1lDHLz+TJzyca+KCXA60lmJoZAb5IvsBwGSU= +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCTilaAMDtR7sO6TOOQ +DNiqNk4ZAW2wt6QyIHStEttR8y2sJfw48FvNR9EQUO7H15WhZANiAARj+OSAnjeO +U0ugQc7AOr0ilCamuGmO+Sf6KdazT2fgSQ8ccaMdxmLhEe+kqJpx/uxRqpZ9t5P8 +TuPpIdkQSP2xf3iaBis5WDY2qql2SajLUZWSCKcHPsz8KNCk8D5udGE= +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCW3h6M/vAAeBLmNQ/B +4HfLII2o0fzqcj4V7VFTYUIJNmJy9o7aNzrJGlmET7MHQdChZANiAAQedectkFxe +mS+35TbnInQSWS9kU/4YtMYNlqnShT3HWM8cwghlvjUK/Yfawhhi8RhRx7m/U1t+ ++WLnQSdv5oKND6Ast3P50IopE7xWNRbw+T/dtTvih/3PatVivlXhnH8= +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDDJksMQHQQfgybDbkIP +SDKRIn49ua1EAT0cigIQ/jIdgQS3h81JB0l0jx6fi7kR1eqhZANiAARYSu09r7e5 +wKpWaFBscqgkWuK4jJjtCCOU6+f9Z8Hg8275u9rKI2QVzzq2X9Cutz4YtSNnPztn +ljiDXG/UaSGqO1cvjAcTPgrQYlWguFiZRkJmd8DR3sY+iTfLvlI6q44= +-----END PRIVATE KEY----- diff --git a/test/testkey/generate.sh b/test/testkey/generate.sh deleted file mode 100755 index e11c606f70..0000000000 --- a/test/testkey/generate.sh +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/bin/bash - -# generate.sh - regenerate the test keys -# -# This script regenerates the test keys used by unit tests. It should be -# run when the number of keys used to test a package exceeds the number of -# pregenerated keys for that type. - -# The following variables control how many keys of each type are generated: -NUMRSA2048=5 -NUMRSA4096=5 -NUMEC256=48 -NUMEC384=5 - -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" - -set -e - -cd "${DIR}" - -cleanup() { - rm -f keys.go.tmp -} - -trap cleanup EXIT - -go run genkeys.go \ - -rsa2048="${NUMRSA2048}" \ - -rsa4096="${NUMRSA4096}" \ - -ec256="${NUMEC256}" \ - -ec384="${NUMEC384}" > keys.go.tmp - -mv keys.go.tmp keys.go diff --git a/test/testkey/generator.go b/test/testkey/generator.go new file mode 100644 index 0000000000..4c8360fc39 --- /dev/null +++ b/test/testkey/generator.go @@ -0,0 +1,13 @@ +package testkey + +import ( + "crypto/ecdsa" + "crypto/rsa" +) + +type Generator struct{ keys Keys } + +func (g *Generator) GenerateRSA2048Key() (*rsa.PrivateKey, error) { return g.keys.NextRSA2048() } +func (g *Generator) GenerateRSA4096Key() (*rsa.PrivateKey, error) { return g.keys.NextRSA4096() } +func (g *Generator) GenerateEC256Key() (*ecdsa.PrivateKey, error) { return g.keys.NextEC256() } +func (g *Generator) GenerateEC384Key() (*ecdsa.PrivateKey, error) { return g.keys.NextEC384() } diff --git a/test/testkey/genkeys.go b/test/testkey/genkeys.go deleted file mode 100644 index 47da542ad5..0000000000 --- a/test/testkey/genkeys.go +++ /dev/null 
@@ -1,106 +0,0 @@ -// +build ignore - -package main - -import ( - "bytes" - "crypto" - "crypto/ecdsa" - "crypto/elliptic" - "crypto/rand" - "crypto/rsa" - "crypto/x509" - "encoding/pem" - "flag" - "fmt" - "go/format" - "io" - "os" - - "github.com/spiffe/spire/test/testkey" -) - -const ( - header = ` // THIS FILE IS GENERATED. DO NOT EDIT THIS FILE DIRECTLY UNLESS YOU ARE -// SEEDING A NEW KEY TYPE. -// -// To seed a new key type, add an empty exported []string variable for that -// key type and adjust the code in generate.sh and genkeys.go accordingly. -package testkey - -var ( -` - footer = `) -` -) - -func main() { - rsa2048 := flag.Int("rsa2048", 0, "Number of rsa2048 keys to generate") - rsa4096 := flag.Int("rsa4096", 0, "Number of rsa4096 keys to generate") - ec256 := flag.Int("ec256", 0, "Number of ec256 keys to generate") - ec384 := flag.Int("ec384", 0, "Number of ec384 keys to generate") - flag.Parse() - - buf := new(bytes.Buffer) - - fmt.Fprintln(buf, header) - - writeKeys(buf, "RSA2048Keys", testkey.RSA2048Keys, *rsa2048, genRSA2048) - writeKeys(buf, "RSA4096Keys", testkey.RSA4096Keys, *rsa4096, genRSA4096) - writeKeys(buf, "EC256Keys", testkey.EC256Keys, *ec256, genEC256) - writeKeys(buf, "EC384Keys", testkey.EC384Keys, *ec384, genEC384) - - fmt.Fprintln(buf, footer) - - formatted, err := format.Source(buf.Bytes()) - if err != nil { - os.Stderr.Write(buf.Bytes()) - panic(err) - } - _, err = os.Stdout.Write(formatted) - check(err) -} - -func writeKeys(buf io.Writer, varName string, existing []string, wanted int, genKey func() crypto.PrivateKey) { - fmt.Fprintf(buf, "%s = []string{\n", varName) - for i := 0; i < wanted; i++ { - if i < len(existing) { - fmt.Fprintf(buf, "`%s`,\n", existing[i]) - } else { - fmt.Fprintf(buf, "`%s`,\n", toPEM(genKey())) - } - } - fmt.Fprintln(buf, "}") -} - -func genRSA2048() crypto.PrivateKey { return genRSA(2048) } -func genRSA4096() crypto.PrivateKey { return genRSA(4096) } -func genEC256() crypto.PrivateKey { return 
genEC(elliptic.P256()) } -func genEC384() crypto.PrivateKey { return genEC(elliptic.P384()) } - -func genRSA(bits int) *rsa.PrivateKey { - key, err := rsa.GenerateKey(rand.Reader, bits) - check(err) - return key -} - -func genEC(curve elliptic.Curve) *ecdsa.PrivateKey { - key, err := ecdsa.GenerateKey(curve, rand.Reader) - check(err) - return key -} - -func toPEM(key crypto.PrivateKey) string { - data, err := x509.MarshalPKCS8PrivateKey(key) - check(err) - return string(pem.EncodeToMemory(&pem.Block{ - Type: "PRIVATE KEY", - Bytes: data, - })) -} - -func check(err error) { - if err != nil { - panic(err) - } -} diff --git a/test/testkey/keys.go b/test/testkey/keys.go index 5c673f9134..6a407eccae 100644 --- a/test/testkey/keys.go +++ b/test/testkey/keys.go 
@@ -1,750 +1,190 @@ -// THIS FILE IS GENERATED. DO NOT EDIT THIS FILE DIRECTLY UNLESS YOU ARE -// SEEDING A NEW KEY TYPE. -// -// To seed a new key type, add an empty exported []string variable for that -// key type and adjust the code in generate.sh and genkeys.go accordingly. package testkey +import ( + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/rsa" + "sync" + "testing" + + "github.com/stretchr/testify/require" +) + var ( - RSA2048Keys = []string{ - `-----BEGIN PRIVATE KEY----- -MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDd9ubsnFhQErLy -XBIkk2r0d9jbnY4h4h6Q2IbPVLluWDKl9Y8QZgPYAANCQJIIMbkMe0A33d/NIiTd -uAwaNpOuhhECXL4hW/Z+RTSk+hHwmjqbSAYg8a+iY1xoOVgpQqKVnHOjJy7/f2Ce -BkgjxH/PcqaFd27Xh6rrTeE4UvMZ/wqLuGoAdrJACVmW9Ibtb09dI+SxndVMkSIa -GOMbI2x3rmdLmXt4+zIUlczTSe6xJ/Ym/13LcDn5CHAEW5uleuCRNhuAsBhJ7JUF -qoWnZfTWl2JmtT8CsvrJIVQwuBHHD2rSsSczJnk4XqTomWrgkXJ+R5b1vueKZgRl -TWKAf94NAgMBAAECggEBAIbja7Rw0s5efrcAMtpdaAsG5heYaO64bqDRpSNMNqAT -IzxtvTJW/JEAePqDKPun0+/82qrYwA/2ZvcCyQAJGLhfquiHmdfF/kcAIZz8h3hz -EZiaLXdJyNVjkp2X87anUwyeljuZLVuBeiKuaJqr6IwV/ZJwYUDDpp/2pR7Icgni -LNr83j1LLe0P+oyQngMbfP0Ym41Qe3jGicrThRWqhpi1YWclSQqhv6dWl+gDchYg -rhENSQqv9EOs7p7p76mO4j4irPaOeAcKldb2Qy2w5XSNQpcYKeE9dP+WyypwrDJo -tjy4Oe/ytZBx9RSOeIaOPSjtQzAQ0vaRQNryDYp91HUCgYEA4qdizLqOIhpLzHZi -dInUcQywZ0iwn4FNBEJpjYpaRvTPDRpwuM79BJnBLFmqikI/Ux6zbKTJTrRil4w+ -qWi+d4H+lBCt57cQ0TMMO+Wx1ll4yP8H4llDnEG1ShQpzqJozKAhTjEv8PqZ1Ofm -Yup2lAV0VF8vpQ2qAbnwbAKd6+cCgYEA+rQVLJe7TbOifiP57A4yEAD6+9a532cY -XYU4fBr/sO9kprzA9oy9xpObsBWVol/Ps8C6LZxtuy8lRLU5mqYcHXzX9BXMS5lq -1EmILpfTdCSKMx+hKyilPTah4V09XUPloCLMRxOBurYc92bfQqCxoOSAQ3xkV1Lb -HKFHTEyjB+sCgYBg94e3WuDQCjv/f25juUvgCbO2nEykEOdoORl7aoNw8+9ZBcTP -7A4nV7hjRwFFIU6COxI8GsvdFiNP/roYNC24Zy8JHZGpHpLdTV+giIZq0+Bu7Vzs -I5BfW2U6CiJQuv7m/GMDVtvR1wTVJ1lTXEfaz/KS3h4+GPhwwKHxM7VoZQKBgQCL -tNjr3a4yEb2mf5PhWNPLGVDEEJfKB+CLFRcyCbWdOvqi9CKwAiQrScyDprOZJb1Q -FUFq83Yuzon9LORp6tFWGWEakx8ird7baBKsrEzYtxgQfzrIG0FhyFUTimsM0y5e 
-O6YMobE0hBHGSJx3u6bg2xUjBmnAQ9r4rGNYAIkFewKBgQDHEsehZjp+Yo9mDO6m -FYeZcC7UfRmFqKblJ3wB0CrDCaQj2NJZmDdc8Z4o3c0qzHtBTQqE50Sr9cvw16Mq -ZYzi/WHiVlxyZCdXQhdgO+PNwfNVeJfaHfMClLMQ8jtyiki0xzajGLliZITW8J96 -gXMlunwAVud98zbPY3eTlCxmWA== ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXwSX5zpH+ag9G -QiihIUsjAZ3lCZWIAdGbkb9kiyM/gWzwpawkkRmFM3KMrf4+sv307TZEwmqC9LCo -F4SVbnJ/1hVey/fSM7cvcb4MmFhK60pLEwxFNT6vQ0iDuMDlmsge+1MxyVrmaZf4 -MKnG0+8KYPJ4Lq4AYtwir9lh8mNjAcOCZw/b5jLBQcETgbPdDKqoyFjtFK/CiakW -rptlD/YAnq28Qxhm/ylGYckc7Y4stfrP2zosg3fFQkG7nEuZUluSRlrXG3lA++cx -bbUzjPFVYsQoFybxOP/1dqBLIB7h399srFcrV5A9uNXUH+C73P7ic3Rgn6RvqKLg -JInhAuvrAgMBAAECggEAUiDJBu12L4VJ6TG365YT1vB/nTbnv80JcBGr7Gb2dO8c -fAJko8rEDytFWH3HATD7cOd3N/dVuiHQuTuykXtohHcGzX4RCOf8vEes03iOa35j -Wm6WxiV9hhOzn8iNTRl9QiXjRllii8D4Q1aq2e/E14uN4OfL/oOjTmTn99vfr0jC -mIiHpnpocwO84LWCLtYRWUAHQAi30eY8fc8IbiZfYGK2mEM2PloGG+T2R/x5HDxi -d4nhXbhTFg6eu+0YUFry1EUfhGrab6h3ItxTjg+bw+Jv5VfI/91Vu86NSUQYsG7C -62D1/BPxC27YeGiOqqiMtr2MrY8QQyErckp2kKYEeQKBgQDxl1ocKNAfRuYaRrAq -o7CO+cnEQORSLwv0sghOKq0s+BxSreJcMBgPQ8WOmfFdnpTMX9UyhaL07uFeTqRJ -Mv81BUZBBYUN7I0/at2Z1CVDItmsCK2L5JN2gRh/mbkdcVRxL99u3Fg5h2e5hPnB -uxHBbQ/po0cmBLqrpTm8TC1nZwKBgQDkn1FLGU2P6FyzCaqvppqXDrEULz38AEPa -6lL5SPhIjFyP1SZpl17pwqCjqhW9jgBbamgkvN8BLR0kdYTB0//vpe07TrnS5X5R -Id4FKYoUY6As1+wR8hiV6S9ARTAwEulqFx7YBdT014unpqPt8H77LMYh8grdkA1Z -vP8CiokY3QKBgQCnrxWsVeeezecIdefwsIzrsBSLUz8mi+EQhkGdf6GThOKjwG1M -71TDw5Zr1A3jnR5KfHnOB1OEDgn/GzaMWAkrE+4fU2V2tKmVSudkzgrO/nF3Js7O -Omjf59rJNjl2ZiLmLQQ4Plg+Fe24psNz5BP+3WQeFmZbzQyD9rqMJ5OcIQKBgCoS -F0eWlGtS+xwHP12rbu81SOjJ+MIS2mnCjRpKj0Xqbm4Zb0QnEtQ5eI4lknKbWv13 -i0qXZwI0ZxR6e7+fX42eHxW22wMwMBqF/PE+P6aY3rTh1xNGVbfgfU16be+qy0E2 -l/pwuEuGDrD/PVNf2j4mcx90BwPWql5FJTg2fhwRAoGAUyY4aob6rvb2nh8Beryd -LzG8bRGH2bIwGhoCbPEZ5S9bIt9PD1gdco6K5uu+w36CGSh9G7wsqRT/92uZrhlv -MFz3mtJcSF1oXxngcDXBxklqCYevCAvEMmFDRahFecm0ddpcOPpXZN6o9P3Btb+p -0m4dsUV5gSr7k0ASgzlfUZw= ------END PRIVATE KEY----- -`, - 
`-----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDNmNT3nUz9JmxW -XBum91GWWqqpuH6Hei5AYVu2SQx4Z6guXTeSL8Kw8lg/NlnDPDfRJ8Xi3rBwGSsu -NvPg3nIV+QbkhGO6eQPqk1Q7bwYY4YcNNy1QsCrqbRz+C6HB6V0jrVBs4W8F+Px3 -NaygV9gakmi2h/kHI3+Xi6iqVt5FuHHIlo2srl3LUvF71nfYTx3ptkWgBh3DMn1y -N39N8zm0+/08Vu2jBb1O9m8OegcxFejFPZauG2/t2wfLpuBRhetSUHYRCOhE8nxn -/a/ODeTFv62qQnKARAYHY5+qlX3GuW0b+97U6B2GhtMCl6BCyo0bapGSaiP+UNHg -wJiFPKTfAgMBAAECggEALHZZ0DbveGu/0ClZPZGMzmRLNisVCf1tVTT43YIMtVlN -cMFuDCpSA2xVk04QuX0jYRMl43tfUs7OnM77jOzuZTwWtoK/Aou7Qhach8Hp4qWb -TEtbfHCsx0fTlkkzsTjjkJyhoPpbxUHkb29nJsH4lT6GcLsVKusNY9urHTNuHEt0 -s3EDU6zdmJNC1KIAfCRbs/Y7/80zFK/v6HOrTpjsiObPZPVy2UBoYSpUJ3NHm2wd -UaKlRJeAzEWxIEiz/fpRv1qQ72d4OZUZAGuQf3ua7dMk1KGsl9nuKt4/cJNRhYk6 -2IziPKPS3j2Rl3CeYUI9y0ptd+q3uaOdC3aGkHFymQKBgQD1bYF1SDiO0ININpwJ -StPvf78lfkinOeS67tkiwTBB5VThr41LDT9S0u3tK/gY/5TinmBqJ+8KvBTi1lJ1 -acrAAAWgiOWxCQs3AxoqQlvw6zyFhQI7D8kDVa5TuF807WX0aQKsrefcgn2k1uFb -kYAgFz5hpgNxAITlBs7Yw72h+wKBgQDWdBYJ6XN0muI9fkpu4Aw54Lo8y94IKIrk -AxilAwffxeksySfHx/v1vHMNZ1TYalVtARiMEg28dV+GJzQUqZcoVDgm+efw+Eoi -fOtz3JPDPVS+DOS50rsrEUmaNtX91oNGq4Ab0U+zqEnY4SDJRgrYR6sQCXE8cNAD -VnmdYil3bQKBgQDJMX0IBS2APgTxRPtDTtlQo7ux48VxeS894yGTsSV7T6H25TAC -D5kSr6GmZP4cmCCYalcFjzkR5r+EeUfdwt0X6qyyPqd1KsHL1joz3HR8morhtfjv -K/CQUEP5k9JQlDCZXSB5KJNDnKGdaR4TL8MGC6fy6uI1V8SZ76vP3R7u0wKBgGdm -W4X18LwlPbZmoR7qmhqB92n+5hRK8ATWVViiqHZFp5L3fl2+WAb5EQRCcU9TndLL -93j573ORqDg3yM25o29HhDeOwT2Xia8tSh14GirF9IkaEGJkb+hpEnLvw6f7eRpm -8IL5HhPCrbCLg9JoGiyECb/Wvallv3YMiODQhqvVAoGBAK2xCRBYiESYJtDWMg/0 -zQwym38BL0BnN0nI4K0jSk3Nb2ERsKI3F5ESYw+sH8OJcNCrT9yFh046JkdlmJF/ -C/DYvEe7kCKskrTjFVrEszlPHkQ5pvGV+Nhzb2oqqwna/M66uYnZM0Mtucrr6kY1 -1jgfW03PDLuwyn0X4mz4zUnK ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDrDcWv3DXVEt+9 -Ot1bcUcELKMU2tUx9uV2pxJPNkbv5Yhe4dzCLW7XeOFeUA28M9SvEYZB494Q96to -sb3PnLAqgMcrvF+qV01i2C9zUlJQKmgUB7cJucMIBlmWOmIktEAP6ynLoPvZNMNK 
-GsSSBevRg5XmfFHm+y0g0f7jUIpKRmPjGs5Ja8yTZ/tahT4EbXe/KIdnOzLUOLeI -fqv9tNZG7rIseGrHjo+X380lGQlUPCSjHHOHLuqio0varfbaWxTHgOJosKkNX4Rd -xyxiAYyD04dhBqFxDN9KHAJTmTEBeVTcquBnYYlpW6M+wQkdBxRM9n+2my/Ju+kl -T0fFPxXjAgMBAAECggEATJzrj1t2TGHffT0fgzuTyx+FdDmzfZqcxiTEif8F9hFZ -dpulqcDHPQIQav4qy+oU648JtJZB/kPLoc81L+NBZEkfIfk/MTVNaudN6Aev/qMj -00uEdG4QzJ/NOXMEJDSAIPAkalOpYu2YraG16mZ1q495H2vsAh5iYi0wKAVLXdOd -n5JsPB5GBSsD3p8vR6iiTlLR6pYdpzr9X0zVqvWQmDxcgy+Sq0/PEmSD2WB29I5D -BIzuAwqg5UeYddLFgjkd8+zO3GpqC8WmEtxmQPnL4ACauU3iyhuANWZAtBvYnnxr -94us3dgz6pevxy3F6pIu4Y1TFM+biIDMD5qNlR7PqQKBgQD99S+gmZ+hdLGvAPaD -bTzx/W1Ab6vpm9GoxrDW6+pXKZ3YyMYYJeckEzVZzPVGxSCutSJ5HL6ghZKb/C7g -xq++GnJggxTkOo2Ppi8XWUsp3hYhA/nyBOhyzk8w78sgtoKcqILNcWjQN+cNy4lT -NsbCIbatVM6fD8MvRJEwMvHlDQKBgQDs8atT3NpeTOA1GrXb+y1Jf9n6gFaDRNWw -4RreaGlwlGr6crAnw7Izj3Tv41juWZgUha0mrLqeLHKE7H3S6n7EKl54Y/s1IKzC -DYFGPNsw/4ut+9MG4pTJR8tCOy7ad3YoJqRxnq0LX4EjmW3wZ0ZU7bTnAXKhPV1/ -IyQdEHUKrwKBgE2f5C7yxhhT0vvrD26ctURCcmJ/v8xoFG3CTctj0P1TeywIMoSv -ETe1p1kLjO1U0+iS9TaP0rS+H1IOg0WxdYZmDw/xATHBtAN0iHBamt7xQ1JUJNIV -Lffpl8sdgLk/EC1SVKj3QVJjw/wzeoY0+Avewje49G8qIj8QdlCFQesBAoGAZsWj -9GoU5VYe4anGO7ZEvF6SI49K9wECVwgsaU+MfGJDzIG2WmkNgEO3Ct3nkuqVhkE9 -C0tcXoMU4QbaxIMlnNxrwXhMW4ziogDNk7ONt0EASuSxcYkR1AQp635UIjoyq9Om -/AlBMW+pSdGg1+dToD7CengsSjeduCl73odm3M0CgYAifHPcZXSBWGONhkzixhQo -IPgJg1DwiWFw7Gg4nl5057FIUpY6gs8/SPh0e8hA0xc7P8gvHLTwSn2D+NlqdCYE -ciyHaFafp/aeKMIr+euAbrVJqapN9oKRORMbKjYgd6jrZgTfdFy00amKOIOpi2PP -OdC446+kQaruQKT+MmvASw== ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyhAPXGbIsrgem -sY9prVXC6kM/VuuZSDUMUzysSxmSEq6MDmmrDsn3yj8+fmeg/GL6Cw9crLUn/asj -wL/RIJZ6TiFLloPn/Qmd4i6j2Gd2dXV+VPCxbI5745wNJsMPA61UDy5HKtyzffjy -ZwINsn6I0O0QjNDLcOhzzTZrl+XeWz0V2BtDpRSXtFnJFZQiVNnR7YXEEkuDlfLg -Ato04geVd1WvUihGjne5tNAeG/iVJT+iY10OMKbLqRrxLLdnv0PAbZVBAk+H3NBY -YHr7AMH5IZua+8sqkL6KWbG9dcfavj067iYW6WuQs5YHawMu5LDPkUB+uQhLPz7T 
-Q+ao/topAgMBAAECggEBAIgDyiFENNuSJcY+l7S/Gw8OCvrhsVTzDWg8q4fjGLKR -hWi1OpHZDM29zX5CNZcVdhxp/ORxuv2ja5gsLnqax8ycZwX+wrYpuAAR69Nu+TXq -vQDqmxG0UsPWYnoqxIhWFuRrRKl44PvpyZp4Hbpt+7cm6NmpURURDCvfec10yPIn -b5JPwmhPhzhlXQXRTXJ3wSxTdyHDoBjh9ASQpUs97RRcIvvhJsIevkGSweggN+0y -3dl2JcnWzJmYOCDWu9il2/lDN9avl7O1JCItrbVs8znT00JhsMGczTby+61ZYP06 -sk4p4zNRCKk/groj0rO33bpNvylgJXoP+CKEbqgCerkCgYEAxXKwm0iQVUFGZmp6 -6EoABeCRvNH4Rpi1qmHwLvfruygUU9JTkMq3VR+NJzXTnzmEGSGmtJr7bt9xw75Z -Eu1hTPUa/cH9vau9hXG8X1BcaK3f/SD99SN7lTQZSfaYhKURTi7iiUmb2S24Crez -3x3ZiQkWUdVtzLFzu4eGgd1db0MCgYEA53QS0Jqdug6z+ZufDaT5uiJd/gL+3lnx -L8dfPjZ/Ady0ANkbk0C19oqF+XcAPFVJ6w+7ldHF8eD5XqMeeCJ3Cn7q3INg5p6B -IfOp++Kc1wIxytJvBNvwJFhAAJVitecQM1yoXI6xmFzun/a7fovOZVDvtmeXwCWq -kTe41cwgjCMCgYALknI5V6Jl7MJ0hC8Z6CRiM8w21dOIR7D2AHF0P0GIoYu3ce9F -4CuoiIXcU3JItbVBR9CeayrrT5s6TrCnxFPcj8z6LGFzuVoNNSJGL86KsA4dps5b -jK3Ui84joJlFxOrjuym5xB+nNd/AeQ3IuNYkCu1M9IZP5eKTjhjbCZ9NQwKBgQDm -cYAmKDtwOyFgHVywNhjaBUu2E391HPHxUzz18UZlMTwbOA6nfx9s16Dqr1wRtg1B -t8laMqE14XwHiLtWe2Iwlgr7AOei1h/WEQemnYrw2+N9gCU/Hkgrt54JtrKwT92m -ddO/S+dwvt5rcDpflY0q/Pmej+fcTORVb7hdTb7+JwKBgDO37SQ9f7fSU7P5PXKE -zBB/eVv09lnoAfFFDu3wz6//Z4BtyTuJpNvfNFBhBbzc8sigCgBp6ANtgd6HHOgW -MTyxR2dpdn2bV7iCEXVrNBMDlnEZK8XWwR0gSWx+M8LnkpMpMU9wzJEaYLRpbrp0 -JjVArGW5gAB7z4R46Puq/7rx ------END PRIVATE KEY----- -`, + keys Keys + rsa2048Bucket bucket[rsa2048, *rsa.PrivateKey] + rsa4096Bucket bucket[rsa4096, *rsa.PrivateKey] + ec256Bucket bucket[ec256, *ecdsa.PrivateKey] + ec384Bucket bucket[ec384, *ecdsa.PrivateKey] +) + +func NewRSA2048(tb testing.TB) *rsa.PrivateKey { + return keys.NewRSA2048(tb) +} + +func MustRSA2048() *rsa.PrivateKey { + return keys.MustRSA2048() +} + +func NewRSA4096(tb testing.TB) *rsa.PrivateKey { + return keys.NewRSA4096(tb) +} + +func MustRSA4096() *rsa.PrivateKey { + return keys.MustRSA4096() +} + +func NewEC256(tb testing.TB) *ecdsa.PrivateKey { + return keys.NewEC256(tb) +} + +func MustEC256() *ecdsa.PrivateKey { + return keys.MustEC256() +} + +func NewEC384(tb 
testing.TB) *ecdsa.PrivateKey { + return keys.NewEC384(tb) +} + +func MustEC384() *ecdsa.PrivateKey { + return keys.MustEC384() +} + +type Keys struct { + mtx sync.Mutex + rsa2048Idx int + rsa4096Idx int + ec256Idx int + ec384Idx int +} + +func (ks *Keys) NewRSA2048(tb testing.TB) *rsa.PrivateKey { + key, err := ks.NextRSA2048() + require.NoError(tb, err) + return key +} + +func (ks *Keys) MustRSA2048() *rsa.PrivateKey { + key, err := ks.NextRSA2048() + check(err) + return key +} + +func (ks *Keys) NextRSA2048() (*rsa.PrivateKey, error) { + ks.mtx.Lock() + defer ks.mtx.Unlock() + key, err := rsa2048Bucket.At(ks.rsa2048Idx) + if err != nil { + return nil, err + } + ks.rsa2048Idx++ + return key, nil +} + +func (ks *Keys) NewRSA4096(tb testing.TB) *rsa.PrivateKey { + key, err := ks.NextRSA4096() + require.NoError(tb, err) + return key +} + +func (ks *Keys) MustRSA4096() *rsa.PrivateKey { + key, err := ks.NextRSA4096() + check(err) + return key +} + +func (ks *Keys) NextRSA4096() (*rsa.PrivateKey, error) { + ks.mtx.Lock() + defer ks.mtx.Unlock() + key, err := rsa4096Bucket.At(ks.rsa4096Idx) + if err != nil { + return nil, err } - RSA4096Keys = []string{ - `-----BEGIN PRIVATE KEY----- -MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDg2CKBOThkgFX7 -wnaJsarejOnBjFgC/FuqhxIbogkHc0qgYOJxJsijFp+SDyL8iAt4FhyiOCXQU7cn -G3OpeIuiiXdgWz3QAkXILJX9h2iEzoyyFXWLOVvod3c/gsm/Up2g6NCnSXbADK4c -DJhWIZKETD7ZvI9cf+kT8f7QGi6j6AiIv+7iwVnyyx1zzOrhd7+2rHJF1BvHGc5s -fJ1zbyGx8oPjddmf0JjqA8sGmfC3+ksDviv2HXUrVpg51GosI4Q6euoyHWj3l6N7 -uwVC74WVhz3iIxEuMI4zKKeY1EQNM49My1kbaTt5farDMtR9gwjdacihchd+w3R3 -lKXeebNpukgzBEhM7CiBxJoPl6YLt0HEzPIu1PSxrysQtvTZQwrfIhhYNlc9S26l -P4ggbtlq65j4O/AztambvB7KLlYYbyL3ksD9PpZpco8ZgmQdZVT6GbelaVFZC2U7 -L+xJ6d6Aot3TALuH71j3EXP8Lbhtlfm4pHkFxbp23UlPUmANelUQBCumODWSjJ+H -5bFWnW0UUrVMWNqjaJEs8la1meocbrI3TmUQYgKEgi2rOSUuqVrpmZl0319x9qao -jUbweYXNabfYn38/O7OGeBdF15MdsYXgElERnq2D9ys8TIpGCWDZJuE2Q1tSlVEt -95/9AYm1R9LyYGJ43nCrq72GrZEIjQIDAQABAoICAGekGRuZxZ3F7lxzQfKse8fE 
-CogV6gfOTW6ofjdQlHrjsPWGUzq3FureJcXMxmLDTw4WmzJHUV7bB+S16bWnhC3y -0Z0P0clNEt93ddf8j7gQAZig/aKkWPIqB0S2Q8q2CUS/rFZALcXO0n7Ja3rgVMo4 -3wu8uBR6PXTdKojAWNlivnRSjInneE/LQpM7VNWDPlK04KPBZuB6y8UEGAu6oTyG -Pjcd/qeFHsdX4kDzupsDe4qJIXh8EaNdciPN/vbDlFLkj4l0NwtR0aDaD03QXLIV -OfhAE85HwXRhfAedaJTxPE+4uCVDd4/D1m/NwVbtjKuK9Fk+3wemjswEMAUB8imf -qJc4hQLTwF48u4qZJIVV2XUBBfp6ztgbSJ39EYlFT75KcLcm29Dr4Yz9jSRZ1WGe -BkZ5BVhm9QCKJyUgmSNKbgntxjboVR0QhdJeD0iSrbeGTr0qU5YQiuOG2PUm1C3n -H0oMpcsjE07jCLNlQqMLrXYPeAZkzwpr+5SzJTTY8CEyIzr6qvwe8U0ghz+MXAsC -NlvOVLKbg+fuOL4/JcGIAp/RyL0msSo0x6BtHABBfnxfNKqmJJ4SOKLglWMaHG7X -fNP2EUSTPFlVH9G71nzmZfmb2CuVsYBuG/4FVIwiWfljWjE00owR5f7sOcDUdPxy -AKbqwNMl3jDRlShdjqqBAoIBAQD8MZGSKyb1IPHjbgBmljHZrRzQjVLHyL3VX4X2 -sdjxMf5BMOANOa7LzTTZ86VUJL05KtNZN/rx3Wd8Wittsp45UBrOiSeLbuoV3PsH -/v/NMh+HeHeuC5fXoqB+gIs7DSTWzgoBEprITtu7T0omdqPKzY6cOY7JK+jzc34h -kD4J9KlpxmkpFyv4Q1fNxvf75S2PsjK+C+8B8qzjlb3IGFkvVH/XSIFAgfzjhoEs -OJ2gCCpc/9nnXiw60igfQrQiOJCWbmsV8VDRUlmGHeaT2UfeBVYri5qkDlfofuFb -DB+SdYJ+0L1pmEdhhLlV4OBeLcMABvKeT7O1lKv09N3mH/PhAoIBAQDkPOSjNBgA -V1Sm4Rn06Q05oVfs2AM0WqWJ6QWSV/Jjpsx4iw1arGSLfZozGyE55LlUKcCW/q6S -ah5OzdrP34TKMoRl6jisyjeys85uUEfJwljHXIeTUXrUnqFbKCu7X7h2AxSqi52Y -z8UiEFYmfjLsT6pMvIeUpC/xFtWq2/8UinL5KxqWI9fOImApO9lvcVkjHbE0OvSz -tsRO+7U4lk9LtA3h97r5JRFLKmdoGG0pGHZCOgQ6x7i9X/iGjk01iRvgwVow/v+W -s2fC4782o8U52w+gmyYip1LFbST1luqrtpaVdVY90erEdnoWX15p8FuKLwWaGAIT -UJlwjI9d+GotAoIBAGqjiyqDlLWSeLXyjbjTScEBsm19VMOl3p+bBMqL6XAT868d -O6BcA82pt+9xVzd9UYYa1cOkKDidpmSuvC5mmQEjHjK3TEFpZRJZnsyCxye9She+ -mNy/ijVkTvku4bDWnf02ooRRmaGZttA9dt1MzXWz9dmZfQcTyi0naO5IT/NlwT04 -6L63TaBs2XPp7nJVNi7M6yfxY98u/mw9pUI3CX85+9TMk9rzHDwZZAWO6xgAW+l3 -RmzPJWS5+L0/N2xA/uKdTiq5H7NjXveXLSjXd8wp9YX0Qi+c4Q8ul5woRDFp/wQg -v/cmrQhPVw85R6aLMymPxoeqrBLcCtpJsIreeAECggEASDfgXKfCJHF9rqQxc2Y+ -sgqUaLPdJ7a7BI1AHxNG9jM0JbxSCGveEKk4no0qEUiHP9NKRjzl/hwn5OWMJBRk -zxn2/MyFDF+cCiaM3ij23idpsgNcPsgcZqSfB9oJJGvgUS8eXex5fH3ZsbKbn+h0 -soNuroNFH0pohQ+loj+kUdqRELiL3BARW/9SkBmI7pNeEhd2F8HD5g2hxiAtMm+V 
-Pa4GaobZmbYZ57/OIokAGW3NFZ2H8xV5Jir015a1ZYgx0wc7Q5+cPhIcdfVcbqyZ -XnorUrVk9rgdH60ucatEK/tFYJtVI5CFiY63iNa6aCkOvgWs7xpDpdruAkfnoWNW -LQKCAQEA6ghY9gAjf8pcEWP9V2mByzOxsuYlZpRNPDbVhQ2iXIdm/xPjnvBmtsrV -9vIVmpS1wIua2Nvq23hJRdKXkws8jNHDuxezJyXVLoE78LNySMM4BO+Qs5Q/61um -D1+mGveQ+UUnqjpL/a+EebdlcUa5iGKWS8MpadFpXvrWWVvRKJ9zaErc0EB9+n4+ -dxykulk+PlxWFHCT0mVtxJuFXYTVQoxcXkEIuODBJvMBoWDtDdia/KtJh6QNOeQJ -+cp+Pupl6JJV1zbLPYNfoN8HkhDbYG99vsDDJ2oSVNBovudvDag6JPTH6prEO50W -cjIJEVjODcQOtyvsWXYeNL6vxiS+Bw== ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCYWZ7WnnWWEpnz -sgVwdxV074AmcFWFkYdfdvby/ajpdkDLzs3JVTsBdrccgsTtpis4c0vkMC9EjFM9 -vi/M45KlSXSiH27O6v1gxJvTcKq5CkURf5KjCDY4xtBIV4mmE0FS68F7DgQx8BEt -CfQCJstCa+fNfSN9wF3C7cQKNZZc5AnR6DTu33Q2T64n0tTtqP2NQ1+ug6I6F7We -WyhsMTdHDGWZsEZ63Y5+msFc325Rt9wU92RZSzRDxWazwgbtbeF5qysD0jhUdF97 -WrTfz59U8DQ8el7seAMKiM2ezYtCEpr7NU9Xj/7vSU5DR9FWwWAsKOlQDphzrJlr -8m46fnOoMZKZaXoalMXYtnqWJlSHEY7lZLdtur8Hn1BRbzxzvpwE+htH34ekf4i+ -wNUDyNtF9rDq+1ez+X9HqX2wKnatLfT4Xl8QES8oEDLNJ24g5bKITjwnvuZ706ck -rS1UnzFu5A7yRwpNieJ8giqxTHccXihGwARq4MA2BhX+u4hNtWTvzx7/7QFVe2UX -UF/5z2p7EbNf1FGFKTyptygUzOzHLAkuUA0t3JFkk7ZQlh4NzCJShXHMoLgwwzsB -CJ2g6BhzeGO/PTWPCWIcC66y1CmjK2A7LM83RWYHQ0dx5zAiRVrvWajiTC8USmY/ -5L7PaRPhu7vtqaAjLuN/cFWcUMYZOwIDAQABAoICAAQw+wC2jU+apWeh7ypf7FQy -PplQH9oz3cCPmk2nEt2RZkj1II44bQ4mQPVk15weJTRBX8YgWTyOi7+4GsKNRDyN -38qSCM9igaQG5K6Ve+zpTmsj0lnv4OYA+jvzRJMwFmz8lW8YPJ9PFnnhuzfP72md -ZFwv5CkSgMHbHriVLtTRZT/EHqivtxfDa2wnDbqYGpmnT9uSPYVRn6qCoYMQe4/V -1Hm88sNwkvoCse0nLHbNEx30jGs0eXSf2qp5XQ1tJ3XccquBPhF8vh+7qBw8Lwr8 -LMO5LiFdT+AbUWTcDMe9kUv19H/ZM09L+f453JWBbm7olTqhnCoahoIEwmmTjwT3 -sgVYS6aS9ayHRY44+KVIZt17dBiD7s1lQ2HXmBXkPgHt+WlBnElEfAKLenIyoinZ -pRbcG7qoMmcDumPTrJin7//jcidrQh4IZanX9Xm0qvkdrXCGFKZhqf0n4Y4ps138 -J73QO3YDnp9AFdO0p1pNI/60pwKBepRJnXVTpWeyDXunwX+fQZZ1tKu762VQsfUj -ZqiMnzQ2SnNJodrF1KjZs7rwuBFNwnuN21UEH65rk+ZniCq4ONt/vlT0/bV7UV9e 
-fYcwhDKhLYvApTJsz2THN2dF8Ajbr3H10MQCb5DT5f0biLEmAOB/LCJWBr/Q8+L7 -HC1U3D/EqVvrmCCZ55/RAoIBAQDCaa5jdCw9nnPYIubhu0tKN0AWnkeg+iczK0eZ -SFh/eAvOzpzEsK6oz+wMpKZfc9URSe5pgE462xHwxqlJV414gj44OFeRq9zBDMHj -G/x2cS/rI94Qqp43bdO0aoDDLuA+nIUqlWsYrXEKYjDGEMJBQkO3Zgp59VjdAWMM -X8IiaSTtJQisuQ6q62W2CxcQrEFzRlF7zHBO8RkfSE45uH7U8N13kPOVbrQCFiXN -ecBNNqYNhgqy+xF7g3GpldDlCS8H3vd0Y5VRHWf2dliN3fgQJ7J+7TbhH16CUvIf -xbP5vwAYcROT246y8cQhy4R5e+02Kpb64C5pKJugZhMd1J/5AoIBAQDInMXHRCOj -7tCAVg14udqnX+W4pbgOyoJrLq2ww3p48WbtNBJ3nwkKFNNYLv2zwNLAWkc53mNX -aNRxYXkG1GR++X8FEAWuAgvEwXvqQbg4ouuIpGYlVciNQ0fnMiNVwiPw4VJHlMva -5WjLQn9SJA0WLt9Nqf82yguP6gVOgRiAN1NwXbpfxflj+taTyCUKGULwYWuXK6d0 -HQ2ru16vrpPTP/sFxw0CTYZZ12rlggHH2xBdbjThuuPYSEkvOpOFtQJLMOmSGcyo -MvcSq+s9qQLope9tqWDW9RFcLyn9tux0YpJSbT06YaY9xcTcfuMLdwYg4KVWWjSJ -XjuQ4yfK1ffTAoIBAQCALwQPiQqeejoxeRm4HjDPN0ynXScnSajNAS1NMLlBGprW -eb49pa0TmzwtPeaAqzQCGTf8EeACyGy0z5fQxsx9d4qksOl0H9gG5W11W/+C7LBG -nriNTqHRNDXRECPkDaVHQxY+dJRPihQtX35/KY+bTaCubLZdoVo9JevzvbOX0rHJ -NpDYqY+1PE4s0HUdxiXFZsjVEn++XRNOX/NL9YySxFmRu14P2hUQByBXsX4Mqwqj -ggzN4+KsCIfJ5AD+8qYyz11jPUG3YOcqRu+uYntr03DKZYe4uWEsFpqUPlujQL9E -XlIlPC+DZwsFqVWocACApWY09dlD9sVd5c+W7JmpAoIBAE856rnJZTHmrJ0iXuug -qoOTUcvcVpYwz9S4eIvoh0OgQn/HIsvvGMjMdLLMzBDjQ9gHTz3BYAYzNkMYtY1G -7/FdYxaCv1t7H16y8tcO4Uwsu0wZcOWpvSxct9bMbDwAEeWddrsiPmfSVdKADnxI -FIsAM9weGNZwcKSDTVk1jpGESAWGXoZYTyd29qsiTc5xL4hzUORArz8iAjYiJ0DG -d0bka6Raef7A0yBD/Mlq0H03PH1JesTy4+yUj6KBRaV2WNONG5FBcxuyFPVgw+R0 -DNwIPEhYrg/2dMatMa4rQbKtAxBeZ+HYkqiupBJYYh4zAU6WqXUy5rChcHDF5P8s -BVUCggEAH3Qm6zmqMy24EVA/2K8jYYW0PSY7u8ABh35RZMBPdbUfTueBdkmqip2C -ja6JruI6hVU3pgSjUFLNnV8LrieskUBqeOta7eBurGCLDaHHyjsh9ikgE6GGvEXw -6YSE3xVxB72viwtiudz7WqCbsFO1cf2j/lzMWfC79CfTjCMuAT96p+f6rbVmWkSp -7v+O1A4d6JS5Fl6LrKC4JbnCbtbFGjP84eYmE3fjoWbFsZFHoKo7WTbVZWp80tsx -XMJdcL8JcV/F+SpFYf7vuCVWM0aB0LqrA17pWvugoY7iBn+qvbPG3sewwdFD93oz -pGE13QkqPIkPVUNcrqfxCjZE5wAK5g== ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- 
-MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDKSUJt0EQMIbwY -Vzqn5yeqXEHmtRZHdJU9jSOz7mnp22ojlaIlzID00Jx/4nXpSANhmicn1IDAaNw7 -lkVgELyxrKogujSDNU4aU1lkGma6tEDkD5mOC5J8Mp1orlnLjTzR061vUIU0dbuV -lv6OjCeKvvnDCjCnujF7kFDZZoZUeKIjB97VKXiaifq02/lrrcNwcjcsfG1sZZFw -kmTxDlDBfN4dGXY2FG8K9Rfm8XK3luexmHDcx+OwDFzv4F05pkb2peVyfg+qPx8t -j4lch5YMYLc6chDINh51DokYa/TzfiyA728iFkayzXZZlIEsPoqN03K2Cb5WaktQ -duarGBY0xmQ7ZVH1+5Q+F6PMjHEMSFWTbiwgNpBfuHsNE0JJHtaeY7T09q6xhRoH -59HOluwi6eOkXR4PWcmxYVxwSe6WY+gpTvEblPGRHYuMD20msAu5cQTCprTjQAra -WMsHLGLmvhQAmMywnfybgmyGJATIDFPsNmj5ckq2tyEZGki1285/FQrHV55gsWTC -74HBohYCLQQnwqEgyQ6gMRWdWHKLyP8xwoEi+KBEYJuAsJFd6fz+5w3pjcBXBbm2 -/vCNv16fyZoULF6FSEyY2FS0LcSC3Hp/n+Fw/b8Fw5sC9utX37ZCVUpPkjCUQjzv -rSq6eZXnCmJltAP/5aRWH7/Pdd2fHwIDAQABAoICAB/tgDak8JiZmn6dBf0KVxBk -j2JCosmUdRnJ9SCpOL5Yi2Aidf1RUelSI+FrdQDlBOOa2SNIPyofYuNkzH5lJeNF -RXT07uTmvPUawrkyEZTWboeQjsQEv5Iqyv2Cx1mBaWAU8QLoyp2FF558vqDxLiyQ -CAvox9UxZi4CkUA/FmSuxaiRzXIHoamCrbduIOgF/Rr6bArxeLPrNBF4icYiZEyl -0Mj3A9l1UDGCjcs9wMWJY/h7/xRZ2G4pBWI3H3/B5uF3PcfcbcyJOfqO9TdNjzlU -6pam+k8fe58uNCVOpNLpz0xqfjf7HB2MoGlzLxA0rtnDzg89anVpQYnpum621ool -2DiBfZUC1FjSA+fsIK+QxptunMZfI9XrZmdvmYxXeBdEWr8BieehtowY8+kEDLHA -VB7szebNsDTVShfxeZTqU6RsqGiUnm4/DKzewsfLHdfg76Oda8eraUxxpdlsqXZ7 -SOW4mGrH/T6CJsW0MmBUkI1vah/7+aUnUyajNXWu2Qvm5z66il4v21kNrjcGGWkg -zEOnAZQhg7CkV1LTkd66ZzsJBZXrVmOuwCkmA8s5RwBW/bjXE5vUkr5LgKlyCDzq -KWo/Xhibkq7Rfe7w4dOmbaRwvsC/78jF7Vdtaho0ZsdMpjfaYi0V30r9X1tAp/G/ -VewoWYWKh9ncpP+uAVSBAoIBAQDSf+jL2R58Wwk/zHWshgDVDPetqgnX8r8dJB0v -5WRmtWjpM7SSnln1GXJavvLiOCehJJh/Iwjofc0DjtHs6iVPgYwEwSzspWhScONy -zJlUJcncsTdoylC06B4KKdHB/ZiCkMwcxecLbH+Zam9+eq5rLdMpANSXV3EeA5is -3dQgDaNhgLE+R2tOy+uwjUJFUpu9ZpbtWGdDC/Ao82xh05pJGYqLcFwRlmmcXDwC -u36ofE7G3tod+MFX1juvmtDvMxYswpTVcNBnuPz9pzEnnqBLGwAfYj9bKc1p0/3I -bTNLnKTYtPGdzO2vdbQ+YFGtoYSmNuh0AaGpVc1ZWJTrLTwXAoIBAQD2AtqTYbbR -jahPtKSu//CvhH63ZUFvMTO7To0kFLpTC6jL1CA16OnJdtaA/wK18pm/ylmnagH/ -eii8EpZa/+2EpZsav4rxxqTMBZMk2jPrf7MGYUpfyZSLHJn7auIysHaz58I1MUWA 
-8PaBVEHuyyBjKAc78fWVN7+JEhGYFO6xr/YI/iqlSnebYcb8QDX/5UaBTRJvY2An -YEh7j+XalpIpOnS4u6r2krB3umuHsv7PAodjvwCqq5ilA67Um4FZiGuoKyNBVtbj -3GjeH72oeuiAUGE/35PewiVmftHVjsiM8re8AF4jQzGPgIdYXB0qHkxuq+XUwa2H -aMIUoxzE33I5AoIBACa0IgepKjPPQUobu9823FxQABJMW3b7SSyAgWVXFjjUTi/i -s+bperzYKvCIf3wcuxyj7+4gcPjeeJ2Y2vxmqOmPdkFBi5MPbrkJzKhE+kRAlncf -loKMAH7i1vMjcU/r4ujO2tjHgo3VKzj4Gvv0brGCQXsejfgtuby9CItwVhp2p327 -/drnotFgKTvTHUZFxCD1Bfcp9AKd5VCCQYFTOOEL8y9kP2l0cIKxas9NziIIiSuD -ujMck+AkoeDN5HC2wfME6/y6u3b2yn2RCjawseRdWI5ssB2A+CXnNphti6rxaFX4 -HxzWmzVRvQxjBWGZexxcqCz8R88s2Y79/JOpQ40CggEAebdVv3+j/TASK0VcCX11 -7tEmBMTjSAlW6ABoUoay3S2ymQ5d1W5kZRoX7QC+rZjXOw35p5wKWwVsrAiiPWnM -cUmiYOyN6St4E71aXOxcrdKjl6+BJb1Ncjp3cO4j9iJayI4NB1ZWZgJSZBB1Apmb -b5O5aI5BDE/lwwKek9kfc+h0WWSvYtJiNQ1+bwWx8ebVKFoimdvYEgNQOVorxiej -LyTN5Sxs3Mwc5U/lreEAsxk0NUSmJsr5ngMhd+1sZQjbAvw82DIH5fsCI4wewQH2 -kK20P+71cUwrRvfOB9Q6I4pfH3QrH1U6ax6TWENS5qjQ9hy0fLxKh+lrxNwi+sD2 -+QKCAQB0kItTBGLpUqlbuv65klZHYbaiGY+9Nd02lyb0oorjjesfmNk7Gu7HElBz -HOAyLtHOUqDmGSvdIwnSWPTBw6PkVi5avpniootHJJA0dCdvf+CjduVNgME+0lRm -gjKcs153/ZFW8cpxGTAEYHlscWHkOMMxw3NV1Bn0iTR4CgmRC34JE0wrlbPKjDlO -51eTngEgef4iKqzeqlu4mm4JCCFgmWo65kVP3oVMcitEZURsQA8qwUMHwwMzCenZ -9I3/dDGRiCuQXUUpAsCVDkyUF/pgnfm0Uiz75Aac7yTYnI5Ls6OTOQGjLZlRoBh+ -J1YBRcVoKSfYSY2wfkhkMB4t4WwO ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDILondeoXmtDyl -5B6laY+c6rB1iL6hSBBhlRchgR6JvjjpgYCyu0zyM9rK9SUuEnEPeskpGDC2/F8H -FDPNQZt/iXVTDn0lzElt8Y5al6Jn4UBzejMS2jd7GpTqrLbsmvwoHkqaEhKpRlNL -+zPP00XuUSwaAz9STpPC8XPwaQ/8/zO547r0++QegmpMWJX+MMTWr4iVaUY3pMqY -nU+pEppgYsgL9P8OJqRKYZZGJfx/mhW5vZxqj8473wYbfjSb6Yil4G/X2CtrtbnD -ajLjo1ezmyBhiyRusOi+bMTrvfH8aUDLIajOiFMm7Va2MMo/qnVvIBuokUvodQ43 -k1Y0yK6UtblwVtrMryekbu1VD+uuAxDf8+2P1FT5uT72g8sdjHlrUH7shdL0mvpi -CRl5gjAkx0kchZnBSbc/g6EDolEf15xaZpRhruBq5js5ynVsw1BvqQERpx0AGIxo -wVAd5rpVysmQtjhH9pqzf17+lcXU2w6XLNGrijPuIjtk+nN8Ln7pR2WbTufiXToP 
-qEVhBVO0W3V7M3mI/6AkzrORKiIKLqJZQVR3bGJTk2Bz30awY0WtKsfBp0/0bctH -Q4+pMunJC2yHCjDi4bLIfB9vc/+9BtI6DJVKHHqSIwcqc+vj3sDQRJ+n48U2awm9 -KU6Lw+OchmLWZCQbLLlZOsah8f78sQIDAQABAoICAQCWhNfJHx2b0R5hJlwcyHjh -5l30onOkVclrdm1EFhBeRhgJDAU3XzqGS5NSVG42bEty9kJXkgbfMHhLnFcvGQvR -JAyB/T0AtNDpyF3fpHDLZ0XNDq9kl4xsFhqvMlsBIbBEgjJaEwjRGz36vdHBjPzi -K0rb7GEqhEb6qA8jT/xjoYjFV4T2PIjUn/9JlLqDvSvkuWwb3GKd6F0lz/NcD87g -dqYwx3EYtNmHzETwThPD5po7ZWU9gw/xWMsA1S69pSXIhC/Uvog3nxck5q+JFwMU -26nHbpZgXMlElgijsdlIj+PWWWLSmRLdDEzNBXat1IAkpKHnaAkJqyqbgz+oxNTv -SlqP5NoFOBL+P1S2b2RQG6tpuBgon4oKGwkZLka/MD9l9QYbIRYcKMmHwxV9/SOh -sKhYoKh3AjIGFGla+Qz4dEWIwZ6zdTBsxjP7KR/Jt/Vz9noTOBm9JFNx2jsn0rL7 -LeMcOglq2UW0ollVvXvvd8bV3ku4EXnVpkinC8SOeB9W16DE+RjwvbiaJyy/sOLS -TOd3D8to9K7xsQVKDfOjGDGJsol+u2wb/TyuKozoTLfw/gVc5h1YPX+gwvGCSGtg -AJPRoymxtSJbk2BNg70H/fIfzlCfh4GNgqXA5wap8+QVplYyIDKeEp+iVQOLMM00 -iHjGjoYX+B4SLWTwQkD8AQKCAQEAzHymrBdhK9I+H7yPJrk/M0QBZ27YYCEc0H8f -2xsBnuaW3iUzE6DZJXt88KrgqfrsiGkVWlDQhlQSfKwQj9H9F2vNtx/RBu2aMksw -4ml3qoMdpbd9QIIw8t1jCP451z63IuFU0UbZl0/u9Rxw6v5wwNH1Gq2JOec7kq1V -4AAkP1xivU5Kvqm737aECrPgyV4jne0MaAYH8qGEKVDNu4O9rK5b4SUm7NUamkvL -R90i4JVo0IHYA/Ub4E4i6cHJ7TbtTcp0fShOW3KdLYATym/7Fm9Y3x0SkCETW0io -oyy0L2XqLSeKRq1w0GfXWUpMgGZHtQc+LNFCCriU2qjwcNpFkQKCAQEA+pxABd++ -Kkzgzl6ywExGhO6j3lPX90T3fd8J5TskEZJscLVibGGaoNgxwqKP+oSLFXXTJr/L -NdFfAuhcJ6lSZJoAxxB2PsKrA9VDUuc8Eo/adIHlLrDkVQcroomCJ+0sTHaGXTWl -wgaRa7v13/eV30rpLKNLtjSeMhhSmEP5XvQREziB+qhuSthWzdtGqjnaWEM0RYLG -B5pMpzhAkC4Ey+fywbhiMA2a1w9s0lQfxd6GYaiXpzABhs8I7bRzpxYSEgrqyyYK -skMzCedIm1hb/KgBelqF6MC+///nf6T85/Bh8EyxfjBlFabj7bjrF5mbJkzF55ug -tr8ZviPV76U1IQKCAQAUSMUrywHrm+ZntYepurSHPFa7UOaL2p0GHaYmUO5/ObZ7 -gMspRkpkCnThVsIEeoyeF3ZzyBJ3UL2oulTGP3lQqnP0l2ZfvpAOLyFBRF8Hfgwh -1SrKjF+Yp9dcHAPW0zTNc/a678FD3j0A+XpGBUlgBzO+GrrDEKn7KdCb8MentV1i -E/McKLAnR+6fNSq2Lu1vjAUwCHEfY2A9zPMrh6z4BS++DLZoxdbmuWAH1+rOxmNo -U4j/E4BZZsbV01BZhJpTniKiC66CKcNnsQ3FhggtOIxjTXn67B0EcBeyYAvbq8to -AUUZL7lCIxrck581GXBBh99mCLf5Ykf5zMpVF4HRAoIBAGBOZWgceHbG/mkwCR9O 
-8JarInwQ2mCitz0+1g2qcYzzKQsTGVSvGX4QNucmE5BhGRXRJqiwccYnxIxYgPmY -3xnb+MqG7/nkU1XwwaN9Sx+S+o9lT45m2gg27jTTBRqU0T49Ght9v0pVvdKZ873y -5jxeDEdkJXdKtzRnFm5/SLiNsHYjdAfAbEoE4y7OwlQuUVMz2EWSIMnRKP3l5yHB -HYTCiQ6a7dirkcJtohMd0uv2PMwQvt632w5UR4kZnIwsNhuK6HnTD687lcSLheJ0 -zTzFz3OWj/lHAN9eFzd9TtdPEEQJJPhqXp44eUTkmCuEkxPf0vnTW6p+u8TO/qrO -YSECggEACgemHnMpPTOmbb0d+OujaIsio3foADEfMt5j+SV4mSs00oIOuw/uouCK -H+eOX/qxfZPJ3pyFsh69qMLevqi+bipC9eb/mAM4zF85guhmgaLKp6/txP9JODB4 -j1EhnQMaSPo3/uPlIgm8pKDCYIgnq1vgoZ/ABqOQqzvkk3SEjbhej9oMSuaezN/o -iv3vHFgFCefQ/uUzd6hD3MYYfTJjxtojI3o2dc/Kd09zB7T+j0HMzX5B1cdhE9p3 -spWlJlc1zL2ENrODzdFfoHJTHTmBx3/NoY2MPswWdZQ7k4vBhRyr3VvwJg42Umz3 -8et6S/QprlpEjtxvp12wZN3Rw+FyxQ== ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDvfzJh+dbhV0Tx -tEaW12JhDYSEeDRl2Z/UFPyA2XitOreZ2+qhSp1OPu9AdsC4M+eGvoi8xqfQahdq -+34WXy6Od7RfE00kbgMXwlquxjGm7dS40qpYd1oGgMiKu4qf/V2DKAqaSFTUwPrk -pxYcuuV32vD5a5JGBnhLlZ042gOt+mcQW4s/FfHcda5DvKowvCAl/I0F63SXP4W3 -bt7v3OKuWWUPYg5z4Yw3z70GBxFQuTVYPbCVLbeKplGt7FkTx/1v1TfwHdTf2l7e -zfHBN/bJ/sRdjiI6/iY8Tpxv5KU9PjtIA4vfwC21DnZtnjILBUDsVQWmzqyJmV4I -YF40boEWTjXrLgNs4sYMYQ2BxhpjVjHeBTDSyI3Ch0RttkBTxW2Mn5+/+Uu8xg6/ -f6cRz6G2H/IaZS6xYOmczLVPJzTv3SGYkgZ4IOZlkSnCl4h4+Pg/nH01eCC53cOz -uuFjpmlGacnyjPd6wzUZZ36WAHSoGLB/lFAib8XIqakuMI7dzDEJVyUWHDF3oP9I -UH424xf6Ue7hKipUc/8Ebg6EX4zTvNN6zv1AjbNnd9eRpe+8CapvHJRWLrvMZOPH -sTG0/sgkpYsxOv2TjHBYeSMuxma5mjdbHNtupu8WtIwO8WC/ctClvGksPBAvcxNg -aITKB6WkDd2CKEXWni6Zuhh+TPxHAQIDAQABAoICAQDgb+rfNirQ8d+CQtcD9MQU -/334Rk2UROUq8p/Of/4/GI+GeDjg/fN8qC2904u3E60c8OFjRydsgH+Bmj0G6hvP -Fw7JKmVYhmAPm+svbjyJmseGjKVmUjLjdTx6BlZaqC1CA/wrqS0WU+LK9Goccmko -cNzyYISratTAwGyeInDgUZDUG3XaoM4PM5kjkWJMWYAnGQ1vRr/0HWtKA3SYg/9K -NCwoxlOU9QFaLCuPwn/PjkEXeHhK1JT0MfjJbHvttbUjYEUTmGEtho7xbT3pPHDh -ywZqRhB+CD38tg6ULUlMo00ap3glLwumaO9CusVa3omA8AxjzbqTGE6uuuCNciE0 -3e7IYQg2JKuw51ugzQJqJ+7SJ1gl0wFUaD0Eu9RNKuc0ZOay2nt9nh1bkD8blNBl 
-3PGxgrKayPAvk6YFgAiIGnDkO8vw1OPWpT9ebTYcdGKi5vjy8qG59SNWW4UAFPmL -SvqOFHkBo2V/F1u7Kogsf3iTWwhUPtxXyDk8h0AJ9czmAPCVFvt1Iaxo/WQrbPxl -eTTeH6u4g2zlTiC5kCRBYTWnAkj91mVtL0gqOtb0TKtZOQ+bwjmPs6iR0IfZLXH3 -IYEM2SCUsVRnyUwOy0wVwxaV+gcH/j6F2fJPztVBEhANT5BSDD9ExPepaRx9Igc5 -/P23M42p+50/RFG0CB8cIQKCAQEA9r98LmgqHc0cADP38U+/I6hmSbu4S4ZRVE// -no0nKc5PWnFbNmPdb+aPBeXCh/31vuUacogvZ1W+sUFpqjhJnB0UgQA3lmsLm8ox -aM/DheYazlG/pOzIm//pOqbUZK1KuH36z8vUdDQyQV79vaDMCl3C6O2wa9UeEEGX -O2247VPaIbMZza40UC5oOyDQbbOpIPIe7h2y1s3CvrhEPZ/K9P3mMLfzFGY2OJJr -V0no1srBvNMg6QhZW+0PDtseDHfB147vk41iTNMEbnzpnaBP4unRDMDsww6UGbsx -eltDEmPgczv0+1emZutbscMtUXXHyQSrxc/YG4/2XepzqL8xMwKCAQEA+Hob1Vqs -H6Iujntmpe0xE3RAL1ORny3kmrB7mCVQjv+2mbwVU01pYj/TLrb01ALgothRqVaF -MdqX1JoKNe8cOJOtZX1yMLGoav6Djt+d9pe7dR5yebcTEyhqb07ix/rfkA80zNjb -xx7nftioEw/Je8c0PAaUQ/Zw5BijmAHkuJ7YHfmuHH2tTWh9eIPx+ZPb2wK7A0lB -FHMlXHq7k78Cji625gg2KtLuAFK/p5Pa2nDPM8R0uQYbYQfFkWQwFZTTs3DgI+XH -3bR/1b8DRQHmAFi9PzwDFdYFuH5TVuvPPsYTJrTUKWf/6Nt+yqw+lMF3nK68osyS -VE4HKMF24FDO+wKCAQEAluMJgSdZedfPY6Bj4kCt1ZRI2JXeYPDGExTIb6BJbpsm -k1v2NxBifOc0VprllluKRy26Oodk1X/tmF8zyk+ZU8nEnA4R7/2Nn7rI9Br4qYzI -n5oF40iYdCzN5nvWLap6os8G7MLsLBMvGCKKb8dAfqZPZjjTRV2RgMdbP5AdIaPB -JBJtmQUKIG4Adwfd7PeMWQU2PM4Uap5wlEgCEt0AM0h/1xLlpnfKeFWxJjOgGpjq -WBmTam0cl8YjCyaa/WzOMI7LmiM/FVOExjvEcAt0ToJEv9PJ9I2ZqxJ5cyUTos9I -la74ZCp5Kz6JV+7Oa53mido9YD11HYWvVkbkazBfWQKCAQB7gEXhT8YJmxTE4PTu -N+ySnM9iNolEswzTDjEAOFvIF7VsyB1ZYDqnCM4wg+NAlYWNqzM7lbNyShH5K+8z -S3uda1ld/nIJXeQ1+fbtxpu++z/DQLTpZmNmvEnatTzm5PzFn6lAv/DNEcFCPPGd -N9WPXj3KMAL1nMITvWNipF5InTsR+w3dP2Ip/WuPwRU+VY2LV9oYEgr03R6Ozrn4 -/5GHlhR2VVKHCnwdUQPNiSHYPQXf1x+k7zIgkjpSv5dewrBOmiXt8cHbomF/ngdD -/2OQfIrjqTJnYg9J2hAWPfKuYskWDf797aE23hIxLleUnGyVRgygZkm8+WN5kF9D -syaNAoIBAED9uiEtW+4pNErEfkQ+1gW3xGDMR5e7VbZxX2Ijg3Ih4OPU+vGLR6i7 -/V0ES7pBrd7QDpQoDTX0FlOa9B0DzTjn7ksSk4QiySBPzvDNfMEursQIXBivX3Ps -7yRrm7WlgFC5dSlVEx9Iy/dh1zUFA04jIi8wVTTmPvDjhgyXxKp3hPnFWrMYdmG+ -MmRVTmRyDFsKyISntY8uedMnWJBQ1wGUfrcyS+LC+eITQxqXjUZOr1iyJb5P6p/P 
-fDSD2f9wM9yJtRodalmSUc3MjpGjvP7bDq9jfLU7IFl9SF9Hv8Ty+jyDilXEukIy -AiXjA8gwTuFuQqV/ctSCwLkjwIsEcm8= ------END PRIVATE KEY----- -`, + ks.rsa4096Idx++ + return key, nil +} + +func (ks *Keys) NewEC256(tb testing.TB) *ecdsa.PrivateKey { + key, err := ks.NextEC256() + require.NoError(tb, err) + return key +} + +func (ks *Keys) MustEC256() *ecdsa.PrivateKey { + key, err := ks.NextEC256() + check(err) + return key +} + +func (ks *Keys) NextEC256() (*ecdsa.PrivateKey, error) { + ks.mtx.Lock() + defer ks.mtx.Unlock() + key, err := ec256Bucket.At(ks.ec256Idx) + if err != nil { + return nil, err } - EC256Keys = []string{ - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgUK/9GrMeJQc8qBZE -usHs5xdZrX2sUHPzT0mlkmf0ltihRANCAAS6qfd5FtzLYW+p7NgjqqJuEAyewtzk -4ypsM7PfePnL+45U+mSSypopiiyXvumOlU3uIHpnVhH+dk26KXGHeh2i ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgipJGI9PTJH/73dNK -FsyCqqKnt+qtWs1DhbjQy6NHMMWhRANCAAS1gg9Toh06WJuFU13OrQ7RiDNYAxOt -e5uQ7WiQCfaI5YQmKrdxnorlULQqfIpNC+cMqg0W0DFGL2CJzwDTJ14Q ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgbhW5pPwZVwD1FLhd -4NvL6ZtPsKx/i5t6ArO5lbfK6GShRANCAART9CBatWeRBczMayzJI9Qys16itcac -iCUzwOJgFgcApP4OH66qjqyf1u42FBCtkv6YnS2w1uXUuyIwS21O9qr6 ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQghaGmv8BLMP5RZ54Q -+Wh/QJZRs3rnt5mVn4j/T0NIW2uhRANCAAQAaTwOsuc6Z/fjiW/4JUrRslRSO0s5 -bwMUmgyzoaoewA0SUSOmRT62xzkjuCIrkLy6suaTtyy3HSdSPg87x/1j ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgRGCG38Hvc0k49ZoD -MBJDsLspn3XYUAtHW03a/yoCybyhRANCAAR2MFW2GPrM7G7wWDPg6cUHZlMLZwEB -c8rPuJbAhPJV6eOjddAxAqxIG75Bmui8izCT9VDwG/lamwoootAVrVET ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgXjRHQbCEpWFXm+qv 
-/fi9fvOvKzxtYcqr3pTBURRwZ52hRANCAASsrmNAipSpVM6oPa6A2H71lW7rP1ee -9X4lzW5VZ0F7MngmT28Hz+w7HLkC1/B0O6/PBKGu9S0EjB4zXxX+54L8 ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgn4G1H1zvIE6ikcP4 -iGip12phmDQr1mdMRCj4+EXKN2ChRANCAAQB5xXAAAofB2PureI1sBx2WN1/OP4b -AoDqcvBCDAC+VYXnOuccSJEIIy10t6ETm+u9lpBma1JBK9WSllOgx/fF ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgpcxZF8IWJ1YoU5uU -yG6joajuVZIvUvOCOwk53aCboUChRANCAAQTaxOAFC9xlHu8VFxsa7ZdN6QKhOc3 -MUr5FPxnH8QLx5ao/GrTNJyyuz1qqQSw1919PWYLsQ0luhYnJvaiLPgZ ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg1gUmTIMwMxVYEgSw -/ompciPQr7c6HXVfuLMnsFPK3eyhRANCAATxYK/Ij+rFAoF6F7Op2omhVEaY/2uZ -W9weD1EOCgoFaK3ckvNHbJUeE8HKrQVlKfU8gU2+/P8n6KQaUyo4GSld ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgfLHhXqfTxo/2VYFR -jU1VVLbM+mFwYpwRYOgUiZy9o6yhRANCAATxGm/9AV0KEV+0DSJHwqTf6fIsAfxx -Hc/rTqjzVpXtoWyWmLOz6G2y1Qj0ZW/3QKGycpiw3l1GrhAGaK1ul2Ax ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg/4Px3iT0ZQA/BgVp -IWjCv/V0JA7FzqX+1RwiLqyRjYuhRANCAARS1HQR07JSdBH+hQpP2GD5dn9wKkUU -vHvxMYv1bnA6VhqgMCjSrWwCSfenLWEbRW0CAclMAo9K9SlFH7ZVvtLY ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgref4P6c+qBkyBs61 -dW7mcGTyE7ZBqPylWJB+C99+b9WhRANCAARF4VMkMWWkFPG1ctkMdD6Mp1fbHHyB -6TJXd9ltV6Eh4m8QKYI95ez0DFMx62bAS1W+J/jI5I45jadOeDDpq8H9 ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgq/svE3eceSNWZPi+ -eS/ql0dSFBTZ4gsbFpyQRAb/5ROhRANCAAQEPUJGOZbiGwxcoERFF3Td2gzznfMr -13JJFFPcWbw9iVCqGBl152gAfCEuw4UXsfHMCNEma6+63P18DQ0odj2M ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- 
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgK5G2FM0u53z1N4nG -4mPb2akK1xNxEQgkkzb6M73s2nKhRANCAAS9+qa2cp44F+mg6Efvkk46dByas9G/ -nWHqKeCxknVVavV8J0KaxynYfZrKkm6tKcbyEXK5Z/T2Ev2jk5QgdbSI ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQguw36Cim6Dk5Nqt4O -cVY4/CSoSC/3lrvPO3h93FBHycGhRANCAASGRPrMyFWObIn6vrtI928aGfy8AvDh -MOYGLRJWaNyEEBaiSFRMVASQUfodsyy4Tu1VnnySJPJ+TatlS9H9PcO4 ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg3VG4V0mchdCfDTq0 -9hKoqP4fm6EYFyetRqI+2F4esH2hRANCAAT52Sux7TptEqqeldcNdcYLiwCR0GEv -iYyLQpt+8stBULfjoCHIXdKST03FPcQYZcOa+rllsxosQZgYRbbFlVLU ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgd92sJBhlHwEY+UyR -+C5yWPPESLYyHM2mWGNOM6PCf0ahRANCAATa8/l75iR7MaHJQ3w6CIuYV9Df1Dn+ -0cL0VVsW4XeVWn1VH82Rfq2TZ5rSpDFX/yMutmhlDMhLdHzg/djm4k41 ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgvdEjjGU8j9d+65Kn -xHdW+LfcmpRzEDwE0GGZtV3al8ShRANCAARnyjhSsMqaXBML2l92JJmvD5RmmhLX -qwxdovUobYqeRFEuvfmce3ZQBxVi1QHv48qYcZ82Mwpgz6QbVWm/ut8g ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg6D4PRWoHGemv7FTS -PhX5J2p15zH1pRrnbk3G6xgLbTmhRANCAATab/8LzPBnCHbWFbZuv2qgg9oyZAAy -glsqgXknaTksIYPN7dWuTKPVxnyEf+9r7cN0tnnQSJmcb1pw2rhD7ldd ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg5zuq9eLti1n8DE3i -6HaGLR0poor1778p1bdT5Hy7uvShRANCAASWj6MkvYZ5rNDMMEhT7luavjurfP8B -0hSxtG4pCeFBGyzPq7wn2Kv1UMFvYqKn76Gvjmzt+6caGTXkz5VY7w8X ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgJt0OTLJCFBkRKxwZ -fNL+ZfcoAljJ74GKt8NXbiC+Wr6hRANCAATYb2BkJCJFXJk/HWO/fOOjYYIvT/09 -PhLWbzZlU03nuate7dZUywpbXTMk4Tyr+qSNYiLODBelfcsqy6AIjIMS ------END PRIVATE KEY----- -`, - `-----BEGIN 
PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg/+nEFDDOU+A9m1ba -bdXi0dI4qo+g1WDKqMpGpTO6h62hRANCAATDpW9e3GZwZUHQaO8+zmsKcZLs50JG -gfkNN9lIzfcz32VQUBdCItQMhOtMviqs0T9rd6uHfA5Z/VpzWlLjWdDD ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgSP6k8VMAgI1KNoC0 -ObskgkhzSxqqvTiJt9S1RMS55TihRANCAAQp0yKgn1NLjerLbteuN1j7vahp70g+ -nTKHy4jnYCfjRht/f00CZmHjrh3zSpN8vnLenyLJCeuNu6LOXS8uXN+6 ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgQ9NPAUkjmdxMHfme -UppiDHbxRty8o/mJSiFnkyRD0gOhRANCAATDU7RtqlrUkCIG2id0ACiclWTmRVmF -01mMmTmE4ichdaEYhESbS2/vGCp6gh2bcrxWxi4PxBXEZyFiP0pAFFMi ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgB2ORqrDHa/sr9uHt -6zo1Ubvq1D3JRxiJ54irfL8yZ5ehRANCAAQXwPU7DXPEqwt+MwGuU/SzlWLjcx08 -k0yseAZNXxJchQ/iK3JVsgMMLDHEhby/s9Kc9sJCiNMMs5PFGOU99sdF ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgru9XNbWL7ESq4z4n -OqEmg9Wb1GpZwTfDnNj2qNAVw2ChRANCAASOPqa4AU1mzpXqFstiMXI+sHr792pV -uVZPNco126d1nf7tbDwFdhfSS34I2QbFk61ITOiSib2N/WLDdMREDQo9 ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg5NrGviGnBPJqTGPE -YrhZFOh06ZLcEyHBY8pP4DMc12ehRANCAAQiUNAD5PcYy+SJjpdmK3osO3EHziGa -cAiuDbmLHSdogmiNAbg3OHo27xcUrWbfOuaUsP38if8IWqa50Q2IiWqL ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQglRn1lVBAsVf73PAH -to31ZMOi5JpJDSycgLdp+51wzZahRANCAATqW5+8EANPdjPdPD5TYL8XWjK5ix9L -9KimwQ0SouNH0pJxtWpZrcrxV9q17mrDcDLvadayx+SJaq8fisO4GsF/ ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg6b5CHiU3iVDr+S53 -+0D913tHSRamyNPZARB+iFbHJAWhRANCAAS7jPAJDeUXtcqwyP0/on8MjsslpGsS -/tUcjPOKBXY4bPPk1FYZXJ50GsfOOlgFskZwH0uhBmLH9ekJvwG77/N+ ------END PRIVATE KEY----- 
-`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgcwexygaDJU7nk1zB -hc/C9tzqY7ikN+hpWD9cJgXDWLChRANCAATOGxJ4oN2gYZetZTnekNGfqiffgfki -QXFE7K8qvNzX0Fw16nogXbHjZY2Ua4R4lp5Z+00klwwidum951kpUvMy ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBYitD0hPUIKi1fNR -/0Ueujdr/9cfTv1bwjDJHTgaJVehRANCAATN3ZjuPJ6F/Y1t1voVqqYQIOH9beeJ -5fMptWuv9kkgjbgoovESeaDFb4esDkWGyp+kjm1lbw/cont15RbsFdrV ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgP+L3PyocfFX3kzGG -AU31veP9SIfGpZ7UOzaYejIA3Q+hRANCAAQ6TvuvFSM8WDJW+5Pnf6LHGlRJHm1L -Fdu+dCzctnvGhvnn00cra31egQTAPebjpH1qsDqoNAPQbemFfWCN4j69 ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgdQmY8K6OK3ew5XMb -2aY/8RTQWj9NZAAqQpSwA77qMQuhRANCAARknOvk29CR2pxpCeN0pYgUaAQKdHCO -wlqlyp91QBdUGZlx8J6/jgrZ38D8U2Vw363zVDXhckLUuU2Lze6gp4Is ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgLjQX3OomTDhQcmfL -50Fe7E22p4yp5TxYRgdLHNT0IuyhRANCAARcCJbXggCNgDSpWfOqDW0qS6WA4Uaw -wjJPTT/MmRZkYYzFVkTTFRRv5IVlBe9ZPARt2CgyUzG7/8t/JfdDYlt8 ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgeKc1FmPMncEdOK/g -aODDxbOl4xviFe8uM6AbI2RxVYOhRANCAAR7t7rKyFdhcQe5ySXXQFqZZ6RxKr6z -8+j/jivPjr9JplGcVBElxMPd5ld1M5T+Dwt9UdpGzSvTOZgJAVm8tHuf ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgrysG2TPf0iJ7OLSb -BfSmKqJAAoDNt6xFOwa6ucL7CjqhRANCAARIX80NR2aaBGj+mnhQrjdzWVn5gSZ1 -q7q+H8ItoqRJmhrUp5ZwZJhHztubgqJd+k3beEUpYpEo4uE7wxg6nwYD ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgWzQq5yIO+v1kmS+X -EuDVPMT6mqPHt3ZlFeh4KFOUCIWhRANCAATWSaxwM0Hvmy8oZ4QjWIdaIRPV1ifq -/KfFYNin0YE6oreMgieOyJl3ovLhD64lGfJxwusuCnCWnTqrHg9Azm+F ------END 
PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgATitXRcKWwSV1tqc -EGiO0cy//HERRqqEdIbFBJr0nzyhRANCAASbK5LN6dHT2wnboNntpYLYhhnS+aSQ -IXgxbtBWW61ZVrCMcTMItexrvlr4u0nZnSD9Ix6WT5ppkVEhqUSdRH6c ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg5ox3kjgk5NKpttqN -eNoFne2JK2dm3GEKcMLkLYVPefihRANCAAS74JK6pDiXKYrhm34kqvCmIVi5zqUC -+QKf1EkUeGbBSl2cYusavvdvvF1DKG/CkamB2gcmN/gZmGaSp3KH0cdR ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgaDBRFdJrpHDYRlA/ -PnBiydaRlVIAgBDd0S+dwkRzKZqhRANCAAQqXjZweTWYRyuz/bah7+3x9jBgLe+B -OXqYp54tkgrzdWgyML4gIoTcH31yBVuDBpp7fXXwIgFBs8fk+HqCMZ0m ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPAaQPXSih2cZjt+M -4nsxdSFMywRsb/8NCzEC5i4sXQGhRANCAAQwtbeB0teR1+BN9aThPKh7pbqKqwco -FW+O5gB38oRn2NgenGp+BPNqud/E9YkL6P5nlGSlDdU+/y1Szc50ElwP ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgn6WlKx//YVUvpARJ -HJBVD7jttEgPkARRFUAqdTTonbmhRANCAARKcEk0vUn+/2axPe7dokSTQdZL9u1J -jtH2FiRtbAwoq8NJ7x2IPMgkMxk/UwzP5MKgfnse+TCEdQdctx2tIZzB ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgo6/01yc8yPHCGhnw -XwsLTJT6okgHKh9sLI+b3uY8+bOhRANCAAR6LcuoYD2zNInnuq3A4kw+cFAGHL2w -x+n/qC6YePKHgtKRNDtpPGOLgdtplauAJ3HGILjfMa8+3+nJJGFEhr11 ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgo1cHdeg0VOKb5sUY -2yfk6eSHqseEfLjwVcWTKzqL1F6hRANCAATyqTu3OiC/S14IJECsrIBstUj3wsTd -dZgPp+qMhtGdU9BL0QFsD1h7ETtuGAq7UvzPF9FmWD64lS+Ya36PeAHY ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgyo8VeaX5wXsXUIxI -KberdTk7GNSLi1LIgm+OPiWOP5yhRANCAATTvXLQuC687vWccDD/P1taqk5NBaUV 
-kZh1hM2WPdQ0KS9M79t3tMMhMr668hvV0NCgmTREf8hWXKOs5TNZft9n ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg/sTG52OLHMyWnoh1 -di/+39XBR7gdZpSaGSe/5UHfycOhRANCAATkLT80tsAsHPa8MsVNwEx+SJf8XTjD -lLl4GbfwBtTK9eCVGMion2yWOfC7/d+3mmuxgbOjclKRhBtQWe6GWSj4 ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgdWqZyrDmBRJkQnFG -UW7lM+W13VNUfustS0z2xdYUurChRANCAARVpDnQXx5xh7zxdAUKPtYgDw04mC+9 -xhxkX8O/pTUW1g5wDLo4ExixYeLOknTEdbf7Y+SS3MFGvZFP6CXJOslj ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgcam2HwlwKA8f8oem -XwbD5BtF0kPSDHtNvGFSTbCUzaWhRANCAAQkrNVWSv8nhtqoE8BVTV7JOaRhGPXD -tm+460V9R+GiVb7dcoOViFtzjWmaFRjl0479XPRNrGb/ShccUFd6gTj8 ------END PRIVATE KEY----- -`, + ks.ec256Idx++ + return key, nil +} + +func (ks *Keys) NewEC384(tb testing.TB) *ecdsa.PrivateKey { + key, err := ks.NextEC384() + require.NoError(tb, err) + return key +} + +func (ks *Keys) MustEC384() *ecdsa.PrivateKey { + key, err := ks.NextEC384() + check(err) + return key +} + +func (ks *Keys) NextEC384() (*ecdsa.PrivateKey, error) { + ks.mtx.Lock() + defer ks.mtx.Unlock() + key, err := ec384Bucket.At(ks.ec384Idx) + if err != nil { + return nil, err } - EC384Keys = []string{ - `-----BEGIN PRIVATE KEY----- -MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDBjTxA8CHSBA4WbaDC7 -urRFMmQVFFPelV+2t/qb1iqvURqZG91V6b8RflZPaM0Bi9ShZANiAAQZVLZ2lTkK -efb4LPehcttZ/QlFKau0XJ7sjRnf2UH5ISB1dFF2wpAIdOTVg8QGD1zlsUxXtxU1 -O/D5aGLYO+FzzUSWoDYvUTecBJ7M/fIXU5Jjv1nO7aP2N3rlnoTllew= ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- -MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCmlwFJbdQaLhlYtNj+ -Q/z5S4DKyr3BHk3P/C+mXxQGhdk7kcNa3z7UpXTQTi6oDKyhZANiAAQHczP3+rbR -Fk1KdrqjwHXmU1c/UAB1yqIRdVY5emGNPhDliSxvj/v0m3L5fbQ4eQSPGfxQzC1h -ik0u1WgJtwcCk9Uy2ER5GoWZWJM2KD5xhuvxYg5BMhceAJhyrrnpNAY= ------END PRIVATE KEY----- -`, - `-----BEGIN PRIVATE KEY----- 
-MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDAzFIimBkLyJ8mixa9N
-St59PStY8O3F2aesl+7aHYp9lj+Nr4ZuaIbtgnDNqQPCJbOhZANiAARInD8y38Aa
-evDUJwq7mKtQUnPZ0zw3+knLI4X6WFuRHnTkzY01EvS+jX4EQkseC8sv1poNfpG7
-e4A1kbORUin/ubWQUnyabMWTAtx90Qsqz9Zw461s3T3TGY7IRqzsHZw=
------END PRIVATE KEY-----
-`,
- `-----BEGIN PRIVATE KEY-----
-MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDBiXWqxKYtBXQHJC7no
-7J/cfv2r1O64LdtggnTUJUtXGyzrRl9xfCuQ2lVsBoCvRWShZANiAASMc8YnMWpp
-8LaGqZnalZDdgBwx1OpyGbCtGaIsAi28S/iOOikIZy/ReJ11//GZLGlzgpcpF0PN
-mNWWXaMtqWLPC2lzhrYIaE4wwMmE5CaFO0278ZKiW/etRYxTPKof3v4=
------END PRIVATE KEY-----
-`,
- `-----BEGIN PRIVATE KEY-----
-MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCLgnysr20RBiL1dB8Y
-1ZFxosfiUaC/f9J/LinX6s/e9IoURly4vCNpT1LEz5JfX1ShZANiAARxHhVrsVn9
-KxjijeYDejB4QbQrpEQNAGmfTKmwIpJyAZQgHgkrzzNwmuvXRhm3wVKPeONEg6bG
-cD5liJh+nQFFpE6gZq3U2Kd+k1V98tc1fzzLOBHGGlkC2d69vUS0ykw=
------END PRIVATE KEY-----
-`,
+ ks.ec384Idx++
+ return key, nil
+}
+
+type rsa2048 struct{}
+
+func (rsa2048) Path() string { return "rsa2048.pem" }
+
+func (rsa2048) GenerateKey() (*rsa.PrivateKey, error) {
+ return rsa.GenerateKey(rand.Reader, 2048)
+}
+
+type rsa4096 struct{}
+
+func (rsa4096) Path() string { return "rsa4096.pem" }
+
+func (rsa4096) GenerateKey() (*rsa.PrivateKey, error) {
+ return rsa.GenerateKey(rand.Reader, 4096)
+}
+
+type ec256 struct{}
+
+func (ec256) Path() string { return "ec256.pem" }
+
+func (ec256) GenerateKey() (*ecdsa.PrivateKey, error) {
+ return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+}
+
+type ec384 struct{}
+
+func (ec384) Path() string { return "ec384.pem" }
+
+func (ec384) GenerateKey() (*ecdsa.PrivateKey, error) {
+ return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+}
+
+func check(err error) {
+ if err != nil {
+ panic(err)
 }
-)
+}
diff --git a/test/testkey/new.go b/test/testkey/new.go
deleted file mode 100644
index 80c4b9fc6f..0000000000
--- a/test/testkey/new.go
+++ /dev/null
@@ -1,165 +0,0 @@ -package testkey - -import ( - "crypto/ecdsa" - "crypto/rsa" - "fmt" - "sync" - "testing" - - "github.com/spiffe/spire/pkg/common/pemutil" - "github.com/stretchr/testify/require" -) - -var keys Keys - -func NewRSA2048(tb testing.TB) *rsa.PrivateKey { - return keys.NewRSA2048(tb) -} - -func MustRSA2048() *rsa.PrivateKey { - return keys.MustRSA2048() -} - -func NewRSA4096(tb testing.TB) *rsa.PrivateKey { - return keys.NewRSA4096(tb) -} - -func MustRSA4096() *rsa.PrivateKey { - return keys.MustRSA4096() -} - -func NewEC256(tb testing.TB) *ecdsa.PrivateKey { - return keys.NewEC256(tb) -} - -func MustEC256() *ecdsa.PrivateKey { - return keys.MustEC256() -} - -func NewEC384(tb testing.TB) *ecdsa.PrivateKey { - return keys.NewEC384(tb) -} - -func MustEC384() *ecdsa.PrivateKey { - return keys.MustEC384() -} - -type Keys struct { - mtx sync.Mutex - - rsa2048Idx int - rsa4096Idx int - ec256Idx int - ec384Idx int -} - -func (ks *Keys) NewRSA2048(tb testing.TB) *rsa.PrivateKey { - key, err := ks.NextRSA2048() - require.NoError(tb, err) - return key -} - -func (ks *Keys) MustRSA2048() *rsa.PrivateKey { - key, err := ks.NextRSA2048() - check(err) - return key -} - -func (ks *Keys) NextRSA2048() (*rsa.PrivateKey, error) { - ks.mtx.Lock() - defer ks.mtx.Unlock() - if ks.rsa2048Idx >= len(RSA2048Keys) { - return nil, fmt.Errorf("exhausted %d pregenerated RSA-2048 test keys in test; use generate.sh to increase amount or refactor test to use less keys", len(RSA2048Keys)) - } - key, err := pemutil.ParseRSAPrivateKey([]byte(RSA2048Keys[ks.rsa2048Idx])) - if err != nil { - return nil, err - } - ks.rsa2048Idx++ - return key, nil -} - -func (ks *Keys) NewRSA4096(tb testing.TB) *rsa.PrivateKey { - key, err := ks.NextRSA4096() - require.NoError(tb, err) - return key -} - -func (ks *Keys) MustRSA4096() *rsa.PrivateKey { - key, err := ks.NextRSA4096() - check(err) - return key -} - -func (ks *Keys) NextRSA4096() (*rsa.PrivateKey, error) { - ks.mtx.Lock() - defer 
ks.mtx.Unlock() - if ks.rsa4096Idx >= len(RSA4096Keys) { - return nil, fmt.Errorf("exhausted %d pregenerated RSA-4096 test keys in test; use generate.sh to increase amount or refactor test to use less keys", len(RSA4096Keys)) - } - key, err := pemutil.ParseRSAPrivateKey([]byte(RSA4096Keys[ks.rsa4096Idx])) - if err != nil { - return nil, err - } - ks.rsa4096Idx++ - return key, nil -} - -func (ks *Keys) NewEC256(tb testing.TB) *ecdsa.PrivateKey { - key, err := ks.NextEC256() - require.NoError(tb, err) - return key -} - -func (ks *Keys) MustEC256() *ecdsa.PrivateKey { - key, err := ks.NextEC256() - check(err) - return key -} - -func (ks *Keys) NextEC256() (*ecdsa.PrivateKey, error) { - ks.mtx.Lock() - defer ks.mtx.Unlock() - if ks.ec256Idx >= len(EC256Keys) { - return nil, fmt.Errorf("exhausted %d pregenerated EC-256 test keys in test; use generate.sh to increase amount or refactor test to use less keys", len(EC256Keys)) - } - key, err := pemutil.ParseECPrivateKey([]byte(EC256Keys[ks.ec256Idx])) - if err != nil { - return nil, err - } - ks.ec256Idx++ - return key, nil -} - -func (ks *Keys) NewEC384(tb testing.TB) *ecdsa.PrivateKey { - key, err := ks.NextEC384() - require.NoError(tb, err) - return key -} - -func (ks *Keys) MustEC384() *ecdsa.PrivateKey { - key, err := ks.NextEC384() - check(err) - return key -} - -func (ks *Keys) NextEC384() (*ecdsa.PrivateKey, error) { - ks.mtx.Lock() - defer ks.mtx.Unlock() - if ks.ec384Idx >= len(EC384Keys) { - return nil, fmt.Errorf("exhausted %d pregenerated EC-384 test keys in test; use generate.sh to increase amount or refactor test to use less keys", len(EC384Keys)) - } - key, err := pemutil.ParseECPrivateKey([]byte(EC384Keys[ks.ec384Idx])) - if err != nil { - return nil, err - } - ks.ec384Idx++ - return key, nil -} - -func check(err error) { - if err != nil { - panic(err) - } -} diff --git a/test/testkey/rsa2048.pem b/test/testkey/rsa2048.pem new file mode 100644 index 0000000000..edb6fc5033 --- /dev/null 
+++ b/test/testkey/rsa2048.pem 
@@ -0,0 +1,58 @@ +// THIS FILE IS GENERATED. DO NOT EDIT THIS FILE DIRECTLY. + +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDPgKiyqylhbW96 +pRi4mM7PqouV6GheFvI6YW1X4zCPqDBDWLDKlG+KBd8wCtoofC8N5mXfzsDldsg3 +7aUlZR3DbiKO5rlPRQ89F33DQHZZE1LefNzsyxyJNYNyX7WLJXn1zI9KNMjzrPTu +pQVmtVB1pCSvxiyRAiSexos059LUudRzIUIFKHKNj6SmKSivgavsFTuNqnpHXObm +UMGmf9NLoY6VX1Kr9lpuch+PerVkrlAZaLMTZ5MqJTI6fnMFHbOGMxrbWUx5ZMXb +WEEBoIWW3O2ZcDMkUYPFR+UjtiJY/nTgIuQuoqzTKvl91QrfCCLjklYX0eYM4FUq +VgfXjNbLAgMBAAECggEBALIBoDatyLDwrYqb6MorJHdXyakPF8Fnk+LrQ1764eTL +FqQfiIIwtkLEaMOQ+7dxWPhmpwxJFIeEz5vS/TJIPTEy4OiQG3ZaOwlghp2iRiSC +BDwjB28HivJV+u56FoZI3wgytNWm1KDdxbyXyjti3aQd7O7xZbf8C6g9kJwRJ3ce +bA9kIcCWWb2LEedD8H+BPEJs867WlMnQjrIkG/xbyghfPbSyLMe5tLQGjSDxkggL +v67zj+D/PNMqPdhP3iVslsK58L4jkFabSotaXzCKzDxN7RkLBjKeRPeISZLghqur +Me+jeCpaoQU71ikp4LCuorPO+0mybDUhpmTGxaGWuXECgYEA4ZQI3GOAOtEaW++w +rH/WrC0piagUTDvv+KzbwpqDeUDP0gZ8ifL6wG2MCE1sq+Pq0ZC0sCgybLukiGoc +zxk+N0TV4D3HpW8b6mKb+DDWExNoZ2uQkzcWZoeWI+D+qCz7+G7vrrq7VVtu+f+l +h+9pGriOjim8Mf1s9iCk6XxSmoMCgYEA63ySPN/vLWVPc618xV82Oy8B9fjUDvqo +eUwsMME6ZAzO0m2/EIf1RAkSMxKmb9t83ecrCPfAekghWtdA/papKD9EMkvE7BoJ +ZSNRShKexq8H8fEFQzOhO2LDTbBDa7WQ1WUPBNBCA1MxiglUe05yDRRFjPpUkZ/k +PpoEfZTJQBkCgYBnWJPqrGdOCwihgCGYFgV64kH6gBe0iW06p68S7Ak53viXR0N9 +S+WXjVivYRFdetDU7A/r+K6JZDpQCRVjyDPZzF6UGpnB8DKA4maEgZNCMA0P/JbC +62UG2i1uCKGC2QEjY2fJzGERDQ+912K18XhctpsRBIvk9y8ZYAFNuxh5EwKBgHH5 +0S31lOX76wCqL4G4G595mRFcZgb5+yD6ZUkTvRc/u7rNs3Rk2akcWtqtZDEvorgk +cwfcIiUNVFeLZ8HRWf5I4NEXKzC7SWDSPz4C1SaFAOtxJILqMldz7eNkNL2lG3yt +dR93TPwfABM3gNRNm5YJAcDCSLxTDz3dfd7qbJ3BAoGAdkdfkqfR2zq/BB7umVfB +8ajMT2htjYahYmuIeO3qTjFJtvcKWhVwqEjwLcMFCPynV4FGZoik952NFNg4vhho +dPTAp1RavBVbGWDTVKkeafEKO75wP1C9E0Je5LKXaqdApnK4etOvyCkYxZhmoHHd +PWyNE1Jsl4DkO0Sf29k4IX4= +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDNdZmv7U7hljYR +1O5XLG4HUk9wwSrerSfQ7Qotfz9Pmg/76NJxjVnlAXTn25/px97diAStgqcPdzTe 
+zzh7WsJjNZY9CJ/kqdYYsy/ti+fWaOSUlefZ8N15H9tOALjc0x55n/mfCA3/XXmF +dw1NL2bMO2wV8qvOajPcL7Qi4WGcOAjfw73USDsEdP2X2BIr9Bb4ZwY6WLkVAHA7 +CU2Fnbn1Py2Djh7HD+Jl9QlcdfCQxDCAafwrCWgrWpnJiUp5bnUUOW1eSgwHrCV8 +FHWa94wsOhIR+Fq368JnMkvdZQevTx+vuH8oBlBOytGFmBM8mCUkJlLVIzGDKrpi +ZTCEIOoRAgMBAAECggEAYJIqDrroHLhR6ce/z1Ge1eomVMU2tTuGP3lrEz+ALpYn +dSxV3fGmkzFAFcrxOx0q782DBVsn0ukg/KlBzxk1zRPe7gkjvoLlku6GVI0yB2F+ +LyjWtWW1c705g0xrl7/Tzy8WUV2j1qfE+qqeoezp0I0NnLNXdcoNXi096jctfhMw +0EEwog0cTlUZ8UyOz31DcAhE3qZPfVjoXn4E4BmFVQjhQRG+SvUvDOv/tzNX5l81 +vXQTNDld87xSPRjQ0mOdKzCBSXBb+lBrWQubPwIljcB0LapuiLfSBnwWqF6t5Y6/ +CP5GsVS4Sa8S1NTb1oJs4wLUYP9R6qveoxuVD0F3EQKBgQDf6STCAGRQHTAaVCTy +NGpw1jW67GVIsb4xs8Jc/vmXGEUgrOGqAMMFwPSrQT9J5HtM/nnme7QI/gs8NdBC +5Rpd9t5G9zc/RJeg3IwDjD1b3rtIRY8WTD2npR1hovkJhpPY5xSnwqQhg7cV7eRN +o+rqxckjZY8LslYuk2pZqx/JOwKBgQDq54MnBBPM493d/gC2OOzJbR+aCBUHgrxt +3uJi7cXEAFQNOKW/GU+atRDANh1LaILDSkZgaVH2hUiq2pp/Qj/Q6qW9+NPtN7l8 +iHivqtJ79p24j7BWgvamY/Rtdy2Lb/98LFs+Fc5XGKuUd48zGiue6kAi8Cm25wV3 +1ptum+rFIwKBgALesiHqb163gQ5VVcPk+BhKJpYmwYWVAaMRcsROYFSXcwtgK+RJ +7jX8qyYmx/DihNIP0PArVbtnxi0XY3v4A8aAi4jNUl/1ORxOt1y0R3UN/ciHW7Yl +dATaEO5XcGm2195H1/PugrwLPCWDzxFPsIshzdouSw8TUhd2vD45+0ZRAoGAJMg3 +myZiS1Tq6tXZGq9zNF8n8aCOWmy4QKQD4uXEb9p1TtSt72xxMJJlmxNeJu6oexfo +STR0pxtbs5UjWAXxpC754PNTi/OL0do0u50N9Gc7byjgvcsoAAnqvjFJKmpRIQp5 +BxG3C6BLTaYjACd66RlZDZ95iLBIBOnP0NQNQO0CgYAq8QXt3fPeQH9uBxDM4iZc +ouSmyIi8txm9fSOHGqCIJO05plLwsm86LKhSahGCRcMeb9x/tS6l5mEWYnfJ2VVU +5qJXqaX3cHocvNArHVMT+5WeLlaPxd/uxYFuzsoQBhwgdXvYpGhnbl+qHZaofr4z +MyRAxWOZrzW+DKiLPU0V9A== +-----END PRIVATE KEY----- diff --git a/test/testkey/rsa4096.pem b/test/testkey/rsa4096.pem new file mode 100644 index 0000000000..683b75433c --- /dev/null +++ b/test/testkey/rsa4096.pem 
@@ -0,0 +1,106 @@ +// THIS FILE IS GENERATED. DO NOT EDIT THIS FILE DIRECTLY. + +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDGun21EpRZIA2y +mksUQsnEuR8kQWpwqaenEj8A8hqGtBISQtXiy5TE3/YOOb5O+AggjvLZJYRV77I4 +rwQDWItMxrIxmqB7km/zzDVGbD91owTQnKcLBiaPfJ6GQc6i/pgSjTaFvsz2YQZA +49k9ipfAPP93ZlDvsWiCdyFaaYb6CNUm/6oSsVNb1p4QhTy40roZJuixR5owDQaR +g4tXemTgfxFkQS39afXguVNHj2f26AnCRn/wBr+sP6HhHMZkV+BDlhvPxUl0LKzj +/gtH4w9qFGDb8w+A2ys1Fna44dMsQDgqr+7HZ/OxtQxa2kpmQZwOM7NZwNwNG+iM +dEsnIXd4G0ODCe54WBMz86ZYMCpAQGx5ZTjYcUEP4RDUpyApPXIwfdf8M6Js1SYJ +QgOpUMpquvvpT72ksdmqYMc3o0/NGbXMIny2Hb9bIcxlaj3nScKTMZwydVGkUbOX +oKoo0ix7eJkYDHsMGM5ei1+/ryjNlhmDlizycVrx+AnFKHRmiU05U7lTiB8nnHnx +RixYbzz329GPIc3eHmUdvtcI8/1Vtp7cQVDN/1yApWmf3rAIvs/aoau65uhU/XbC +2JuA5IeuCCfjxBXB3snEsCY+CrJZ2WJT03/gMj9H/ui9GlZtwzd5gRwMpQB8cfpU +RthNimEjFIYzsgwfhazuLkgyyoef2QIDAQABAoICAD+oQ1Y6UlzOQLUCaaRe1IT4 +i7owXikinzqMRLRH2SlnCxbgY+UXM1txJj9eTdC78NaFE9NtChwBAQTZQx7TQSPh +zfjHwDp1KPleY35gdF95TbSJSZTlbnqt/5WgBNH/XbUrmNh0yvDtGXS1x8PH3l5M +68RSeQCewoxwHrX4ca0sISMx6Ee+l6YmdFF0bIQDtGsUJJuNBR35Pi5khcEKyr+C +1I5ZtqKjS4iltMCKdlIH+ABMVvULJGDHrVIPxpkj8QmVTulaF/Jn0SXjHbf0St6/ +ElvCWyf6jLefr33/kIZvN86stn8XlF9LUF7V59kjkRqXgw7wEUz9sJs1MVGijcLR +V+WKvc9eeSIjofAggsKE5R1+dv6eoI/DixE7sx1DnhDPeHEiEKN9ae1zMf8BaEpY +yNEujGpBfjfKOXb65xYo+AhPfLJeAx3/jCJZ71g6D9MtgOeJdgRfYgIUQmgqg1PJ +gWkpVaAc4OoKkhKnx7A54T6RrOMt76XfWFgP2e3frvzTgDBUkknkrJYx4HIr62Zh +c7umjtVsVsYjpEuvTPXJpUOQWQCc/Szx2DcY6BPZ4n+V9ZVVIMQuv56WuhE/J03Y +LlsmFsIPKxT73C/v59QRjlCkmZl0e3Q9p2jy8t+vwNyjfbP6zla2IEJhg5nkq/j8 +UF1vlDNro+zXBVivb1flAoIBAQDN/El3TMsEJy7sEukuntMpgYXWijalIHGmykMT +XhltKzvj0ZeIV1r2Gu/9DfvBqQFOeG5aYAa0NscrylHsbl6IJYW3wUezJCXm+vSJ +qJuwlIJueVBaN1D+23JbUNFSR/ErS2s/vHf0B0fHqBJVCY4fZl6Bj6m1YGPvh0i9 +UE9eKZGfplROGkzuj5nUXz6hRsKoVjKCU8/r2b+dgqq2cFbUzSuYc/WbGDdmNRjL +rRSpOGmbyQD6hriERQ7agVE+lG8vYdePTAjg1yYm+DUASQzc5dfacgT5eBRD1AFu +KrpVNYq3pz1Aj0ilJjh49+KJU5Blb0fhiTGu84nPaRTgaOUDAoIBAQD2+x7C6uqH 
+XVYHUaKCoy5EeAZ56K1QSiXdwfrqnZN+Vojt9PjZ2tMRmMnrAd68GbIXGd0h2zYL +rbmbI3EX76ZlAJuW5pPO9iFbU8DGats4gED2mKIavhBJDCZQ/SVYK0oQK3YPxKum +Chxw9sTaS3DbWQiuL9cCmXO3roDa3hKjCaZt4drjy8cxZB4sXq27aCmCIqIRO9bR +5nefuH5XZTQqNIx1cY7lMKQ66Sdk+ArT3vTs/plz7CMuI6BhKalMXMPPZMFvoLXo +XJaGVh8J2m4HXw5xShKCxpViI2VRkULwix3XY/a2qoXHQYlHAVaZbOoBbDy52KHe +Y+1HhEiGYWrzAoIBAFZ/6FX54JMo5TJrqpJSTfhzFMIIHnRvUGqrK0m5zVGjwy2j +OVAe5urMWxVYRu2HTC4osqavBoGtMyx3dLmli3r+zs1gk/xtZKE/p2sba+3WH4PG +2/BWpGOxwa8JHC3CWktFC4+jVHgcio8UTEZ7kbwr3+nma2zoQm82z1v4mqu/JxD0 +5xg5QS85DG87Y/CT53CLagCCs6CmOyoo0gl02XHZisIlh/EOVU1NZNE7KJ77OpYZ +7ZhG9LtOyLMHdReje6FZJA1f76aDktjwiElLY+RrfJ6WHPKp81CcedFKjh70MgF3 +cGhpAyefCj36Up46gjumZHgYhc2jJa78wLCQPAMCggEBAMyQzrfPb5XS/xBs01e0 +5PudFnAfAn5ADAETTErLXYEFF8FQaFW5Y51tmcDm+Z9/AP0VVQ1Xzfn6WINg5alX +u9BoonZoYQDI6HQGeONfWlgAEs6tOYdA6ag3Qf1Oz4GpyVx/Qvhog2uxcEE4g2/z +kHR92Cy+Py5N/4SiKuQdj/4uXgUhTvXisQf9zugdO3TAH7FEEkyH7bRJWceXPj4Q ++xYCFFyqRBsdIMoSl6iPshgu0VsCvgNAERuEMrCHm0w+gYjkATv+Nu1Q0vRNnMPC +gePlHcdD/PUImm6AtsjKslEeSQdAKva9YrTZWWTQfPPzPBcVmW6tOdVDmyLjNFbp +lXUCggEAT1TpUmmFjsfv22hBOkg0cxnOCVhMc9gkLz+6liGsSRg72trFu5HPI5df +QAj9kTXBUY1ttwabONc/qIW4rzw4L+B9aVHwlsJ/UAmYDcLs2POhyZyXW+TIumGQ +yOSp4xcChYKuAc5wPMo6EKW8fduy0ZDNsvG27D1TDMF5O5D0iDfNl5mxu8PK+arh +KHPebppQtib8Yg41FydtxB93TNV6oQ3uNr8rzHeMtu6wWsvOyRHE5Jo+FLVwQ2ZA +KRuh0NnvZfbkBpmtm/cAwq95kpDiXPTB1wTJEPkhP3raMdoeULcEkT/qZA+tnPmo +S0mC+5slUqAYDdmd/ThucLyeANpZTQ== +-----END PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIIJRQIBADANBgkqhkiG9w0BAQEFAASCCS8wggkrAgEAAoICAQDY5mOVDnggcAw4 +UIU7WY8i9sV6xBnTzLPBR6SxxaSGe6remY+6TcETJxIZdM3KiJHFpoRQrxfeqymi +4PGT7wM2KU0taQNjiRESvvRe4N+/7LxHuSo3En/yUSdQqQSAVo7XWWBtjpqtrxRv +iKTbdmjP7hw1FHGOY8fE4vuvGkWMlAOzAu/geFMyWVAeXnPUhVZrzc+RYSZelBD0 +MW5lKc35kFEdGXoLgkhXUk27MqwnkSrcJNkh6OMlMOpYWUT1vHR5K9CZ6W8Nl2J8 +QQ96XnMRc3C/KuhPEMymuiLj2s0bQ+p0j7apPHa2WtFATXOj+oaKO8dQIwP3TGdj +SWrVWx27mGGQ18YY+kYwkhvHaShIX6sVi/l0xc2R4DxVWKeKvpe/UbZrAt3dcOa7 
+OnZNCretvk4h5Vegycx+3Ac0df1m6MLTZTn9+lOARVCpvFM6R5QLm0X/VJ3UvesP +PHXszPxxQkAeHuWU8rfORkji4J+7oBZjtLsV1IHKFAjq6iNJQ5pGYnvfP6DrINe3 +iKBsaswjp1ij+kbAUAu9QSl1ait/Np+79fLKlzhREqwjvN63pHFGsecOEx1QFD6A +Vqh13f5lGPYvjXr1ZF3EknVbsxQCpxjyqf0PuSqMBnJcrE7L3IKMmWtwQvFC9Sj6 +QTaO4hjLpZHNFv4Ne5oLJkenchJATQIDAQABAoICAQDTh0xSz7ujluK0AQMOMHeB +l7xbz+eIQTiFJIOfw6qCZRTs5kHfZXkIXrAuF1WjUbEoWw7rSPc0dySx7kJrDUvK +hFj6ElH1vnTiHUxhQ1my6QNtx00+TFJvVWnMJil3p/LCXi3Gaq669+YsJ8zvIvlw +3zyvH3LndLQcdWkTCcIOKUO6TwD1nyM0FRono+G+vxLbK+pkU6SB1FD8dUC+dBim +bHJOuMvncXVvg5q/F9oA9HgiHeWMRn1PhfbllpnENbg5e9uCXr+pN5wapbCcnIQH +3tdz+Dp68V1EtH7WTEp/bqq2Znmzbn4vtT4hQeenYenX4hitNJjnkqG5mJ4R2TyS +LTgoGWdV0YUZtmF3+GsDYZPlEyB3cyoFiyR9yEiXKGPe6A05urPkNTQNjNYlAdLU +Y5pEykYGO1mioCz6bBS1fZSEFasTj/4nrSNx6EOFLdExwn+fC9plbjNM4//HpXiB +X9K5TdeOW7o+guy68zb3ytNTZz0A6j5vKXR2FB62Xqn6Gi4RlcMRgGrbiQEylk41 +lmAh3jcf2JYexXfKZ8TinhKK9iWLe6drhBsFv0/ZtkIaICijteQ73nG9NS0RVpaB +IdgGqw2EMjbR/QJ2dMyag6iMzadeyAhDPInj4T6aPlM4/f/EOcJdqM41T6bn3a8+ +7yF345b5HvFI3futJhRPwQKCAQEA4jj6b4lrs1g5Tbt8rS9qfUEezStKBT6wjgNe +b6JGNXbZUdUax0qW53eGeC+xAn1BvOLVy349Hlt9ScMBUXzHuWPkX0mIerGRpmN9 +k/uEsDl+Rt37Z1excLeLkroNSlSFZsopwoA6dFGF1rgUc+HyKqHUEbZfy+Va9vO5 +BJZJoYp4ugE9YacItOwjipTQWUH6NfUk7BiHGm+WnfawcoXXH0r4O11irg65z3FV +bE/eqUZQflT6yKVSfEFcQqqr5rmBHWueRXUq3S2ugJFYkrj2GFa9QKTZp6jy+yi7 +DqO4FH2CkeT1ABtyrObSJ3IEAg4lAGmiCHuLGOTA6zDcCBB19QKCAQEA9XNEQCMs +d/OmCj7MKiXzvlIARBs2VEdbctmoHwsukPNuoaYjhmGfBPWXdsaMz9M35txeHXFX +77nItjI+yTcZyeP0KlXnAb6YkGHmsoniC60xW/63Nbm+feE1FInpT3+jyoaOa/MK +ASQMiurdJhY0qu5Ce5ygaFehyDntFwOanqv6Z9bow1ZzqKX9IE3wvol3IxGLkyfA +Isjo3j5QPHyHHXBNKrE2dqtDsjuTVo05rbp/P6G6mgIAQjHzBDmeiGy+x3mEv4jT +glx9M354S3chKQifFKdxpZbMF+6ejR24q9LtM6dRFAq+OKdrlXoj81O7Dhinv3z4 +lbHvKMxcrqlR+QKCAQEAvXbLCC8nrITvOVMVEFbt8QlhKqRe0hW2+LmJliVqd8ya +Jhc83jxyNlm8nVwT++m77N5uAIgx2AL345cWu5CuFW68DbIgQ+IEAj7BJfc5If6E +7AVuURb43VZb5v87sk0njPc0EloimtjMJxD00DkkAOCYJF2BzdrBXKKzCkx0Tn8S +rXXsWqTyfdRnz+Divl6rmBVAXxwLyvA6TQIWtVOy39qCG/YSd4SNylc5HAWojkz9 
+jVDO2MzdUIPNKWiXoB0tLd68J6ABzkw8IiGY9QlD0w6SYlmukOTG2+M5BwHHYiHc +ASSorPZQDM8kozSydqYyBy5xLnmJ/cdYa6H4JijjIQKCAQEAzSMB9qyu/K2IpuVn +Ew7XEMhN6p3noTZmKq3YgeGBkKmzW6yT4jrygV2UsjMs+oCoJu0kR200NmnKYuPJ +b7f6eK5ooX1b7SxTK9B2097DKkkciKtwiZlsqJ4xE7JTaRrfVGNy4qukP+HWDcBP +BgbnC7jHnbIAqlQbJVGsYmCjuFs5k9Gcha1aSqg3zuj0/Pm8tXVzdpBxV2Ecpqnj +uznEXwk9pSGoyDNJB8wczuiHPTgyI4dSgmaLuscuOOjDI3fnVqWsGbwMMdaE2SWo ++kFdWIMZGVT8eY13k8TdhElDz28gydvbumlkI8tg8fO72iCvpA9dG4Ah7lJg9HMg +PuXKWQKCAQEAuBuXHigvjTOYEenZfeseghiVJrl2VdGpWkPzx9MU4rKqyWbYi4BO +BCmZIP2GiS6Qfb574B4xj5JGRXRipCyfqvUov2kXkwKWzxlAKhgWXvAoPlQ0McVE +vHMt69lFaZ/krjcGBsIHgMsHCtv7cEGehOKf+08Htr9vWuz6Ngwh2LWKVjulgSLj +mPncDDBlHSrwxHh5enFJgxu3SbdMKAfijPpc8gqXNv78WW8pKKII+o76NKSoJHB0 +TCFuEUNgYeEYVkV3yyPj4Ln48PPe5fdkgM7W6z12DpO1ItSWeNycpA4ryYpNonM0 +S2/D8RGzYwaP/msqFg+JYNtXDijdFtINbg== +-----END PRIVATE KEY----- From 80074ed14a322239477422ad93e22133a7e29c56 Mon Sep 17 00:00:00 2001 From: Guilherme Oliveira do Carmo Carvalho <33766735+guilhermocc@users.noreply.github.com> Date: Wed, 26 Oct 2022 18:26:30 -0300 Subject: [PATCH 018/257] Improve run command test coverage (#3505) 
Signed-off-by: Guilherme Carvalho
---
cmd/spire-agent/cli/run/run_posix_test.go | 132 +++++++++++-
cmd/spire-agent/cli/run/run_windows_test.go | 116 +++++++++++
cmd/spire-server/cli/run/run_posix_test.go | 188 +++++++++++++++++-
cmd/spire-server/cli/run/run_windows_test.go | 117 +++++++++++
pkg/common/fflag/fflag.go | 23 ++-
pkg/common/fflag/fflag_test.go | 53 +++++
test/fixture/config/agent_run_posix.conf | 9 +
test/fixture/config/agent_run_windows.conf | 9 +
.../config/server_run_crash_posix.conf | 33 +++
.../config/server_run_start_posix.conf | 37 ++++
test/fixture/config/server_run_windows.conf | 13 ++
11 files changed, 726 insertions(+), 4 deletions(-)
create mode 100644 test/fixture/config/agent_run_posix.conf
create mode 100644 test/fixture/config/agent_run_windows.conf
create mode 100644 test/fixture/config/server_run_crash_posix.conf
create mode 100644 test/fixture/config/server_run_start_posix.conf
create mode 100644 test/fixture/config/server_run_windows.conf
diff --git a/cmd/spire-agent/cli/run/run_posix_test.go b/cmd/spire-agent/cli/run/run_posix_test.go
index 34e459f8dd..761822c134 100644
--- a/cmd/spire-agent/cli/run/run_posix_test.go
+++ b/cmd/spire-agent/cli/run/run_posix_test.go
@@ -5,15 +5,145 @@ package run import ( "bytes" + "fmt" "os" + "syscall" "testing" "github.com/hashicorp/hcl/hcl/printer" "github.com/spiffe/spire/pkg/agent" + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/fflag" + "github.com/spiffe/spire/pkg/common/log" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) +func TestCommand_Run(t *testing.T) { + testTempDir := t.TempDir() + testDataDir := fmt.Sprintf("%s/data", testTempDir) + testAgentSocketDir := fmt.Sprintf("%s/spire-agent", testTempDir) + + type fields struct { + logOptions []log.Option + env *commoncli.Env + allowUnknownConfig bool + } + type args struct { + args []string + } + type want struct { + code int + dataDirCreated bool + agentUdsDirCreated bool + stderrContent string + } + tests := []struct { + name string + fields fields + args args + want want + }{ + { + name: "don't create any dir when error loading nonexistent config", + args: args{ + args: []string{}, + }, + fields: fields{ + logOptions: []log.Option{}, + env: &commoncli.Env{ + Stderr: new(bytes.Buffer), + }, + allowUnknownConfig: false, + }, + want: want{ + code: 1, + agentUdsDirCreated: false, + dataDirCreated: false, + stderrContent: "could not find config file", + }, + }, + { + name: "don't create any dir when error loading invalid config", + args: args{ + args: []string{ + "-config", "../../../../test/fixture/config/agent_run_posix.conf", + "-namedPipeName", "\\spire-agent\\public\\api", + }, + }, + fields: fields{ + logOptions: []log.Option{}, + env: &commoncli.Env{ + Stderr: new(bytes.Buffer), + }, + allowUnknownConfig: false, + }, + want: want{ + code: 1, + agentUdsDirCreated: false, + dataDirCreated: false, + stderrContent: "flag provided but not defined: -namedPipeName", + }, + }, + { + name: "creates spire-agent uds and data dirs", + args: args{ + args: []string{ + "-config", "../../../../test/fixture/config/agent_run_posix.conf", + "-trustBundle", 
"../../../../conf/agent/dummy_root_ca.crt", + "-dataDir", testDataDir, + "-socketPath", fmt.Sprintf("%s/spire-agent/api.sock", testTempDir), + }, + }, + fields: fields{ + logOptions: []log.Option{}, + env: &commoncli.Env{ + Stderr: new(bytes.Buffer), + }, + allowUnknownConfig: false, + }, + want: want{ + code: 1, + agentUdsDirCreated: true, + dataDirCreated: true, + }, + }, + } + for _, testCase := range tests { + t.Run(testCase.name, func(t *testing.T) { + _ = fflag.Unload() + os.RemoveAll(testDataDir) + + cmd := &Command{ + logOptions: testCase.fields.logOptions, + env: testCase.fields.env, + allowUnknownConfig: testCase.fields.allowUnknownConfig, + } + + code := cmd.Run(testCase.args.args) + + assert.Equal(t, testCase.want.code, code) + if testCase.want.stderrContent == "" { + assert.Empty(t, testCase.fields.env.Stderr.(*bytes.Buffer).String()) + } else { + assert.Contains(t, testCase.fields.env.Stderr.(*bytes.Buffer).String(), testCase.want.stderrContent) + } + if testCase.want.agentUdsDirCreated { + assert.DirExistsf(t, testAgentSocketDir, "spire-agent uds dir should be created") + currentUmask := syscall.Umask(0) + assert.Equalf(t, currentUmask, 0027, "spire-agent process should be created with 0027 umask") + } else { + assert.NoDirExistsf(t, testAgentSocketDir, "spire-agent uds dir should not be created") + } + if testCase.want.dataDirCreated { + assert.DirExistsf(t, testDataDir, "expected data directory to be created") + } else { + assert.NoDirExistsf(t, testDataDir, "expected data directory to not be created") + } + }) + } +} + func TestParseFlagsGood(t *testing.T) { c, err := parseFlags("run", []string{ "-dataDir=.", 
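Review bot: `currentUmask := syscall.Umask(0)` in the `agentUdsDirCreated` branch of TestCommand_Run reads the mask by replacing it with 0 and never puts it back, so everything created later in the same test binary gets its permissions with no mask applied. Restore it immediately after the read with `syscall.Umask(currentUmask)`, or register `t.Cleanup(func() { syscall.Umask(currentUmask) })`. The assertion arguments are also reversed; `assert.Equalf(t, 0027, currentUmask, ...)` reports expected and actual the right way round on failure. The same unrestored `syscall.Umask(0)` appears in the `dataDirCreated` branch of cmd/spire-server/cli/run/run_posix_test.go.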
@@ -163,7 +293,7 @@ func newAgentConfigCasesOS() []newAgentConfigCase { }, }, { - msg: "admin_socket_path configured with similar folther that socket_path", + msg: "admin_socket_path configured with similar folder that socket_path", input: func(c *Config) { c.Agent.SocketPath = "/tmp/workload/workload.sock" c.Agent.AdminSocketPath = "/tmp/workload-admin/admin.sock" diff --git a/cmd/spire-agent/cli/run/run_windows_test.go b/cmd/spire-agent/cli/run/run_windows_test.go index 1229789c28..79401ada5e 100644 --- a/cmd/spire-agent/cli/run/run_windows_test.go +++ b/cmd/spire-agent/cli/run/run_windows_test.go 
@@ -5,16 +5,132 @@ package run import ( "bytes" + "fmt" "os" "testing" "github.com/hashicorp/hcl/hcl/printer" "github.com/spiffe/spire/pkg/agent" + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/fflag" + "github.com/spiffe/spire/pkg/common/log" "github.com/spiffe/spire/pkg/common/namedpipe" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) +func TestCommand_Run(t *testing.T) { + testTempDir := t.TempDir() + testDataDir := fmt.Sprintf("%s/data", testTempDir) + + type fields struct { + logOptions []log.Option + env *commoncli.Env + allowUnknownConfig bool + } + type args struct { + args []string + } + type want struct { + code int + stderrContent string + dataDirCreated bool + } + tests := []struct { + name string + fields fields + args args + want want + }{ + { + name: "don't create any dir when error loading nonexistent config", + args: args{ + args: []string{}, + }, + fields: fields{ + logOptions: []log.Option{}, + env: &commoncli.Env{ + Stderr: new(bytes.Buffer), + }, + allowUnknownConfig: false, + }, + want: want{ + code: 1, + dataDirCreated: false, + stderrContent: "could not find config file", + }, + }, + { + name: "don't create any dir when error loading invalid config", + args: args{ + args: []string{ + "-config", "../../../../test/fixture/config/agent_run_windows.conf", + "-socketPath", "unix:///tmp/agent.sock", + }, + }, + fields: fields{ + logOptions: []log.Option{}, + env: &commoncli.Env{ + Stderr: new(bytes.Buffer), + }, + allowUnknownConfig: false, + }, + want: want{ + code: 1, + dataDirCreated: false, + stderrContent: "flag provided but not defined: -socketPath", + }, + }, + { + name: "create data dir and uses named pipe", + args: args{ + args: []string{ + "-config", "../../../../test/fixture/config/agent_run_windows.conf", + "-dataDir", testDataDir, + "-namedPipeName", "\\spire-agent\\public\\api", + }, + }, + fields: fields{ + logOptions: []log.Option{}, + env: &commoncli.Env{ + 
Stderr: new(bytes.Buffer), + }, + allowUnknownConfig: false, + }, + want: want{ + code: 1, + dataDirCreated: true, + }, + }, + } + for _, testCase := range tests { + t.Run(testCase.name, func(t *testing.T) { + _ = fflag.Unload() + os.RemoveAll(testTempDir) + + cmd := &Command{ + logOptions: testCase.fields.logOptions, + env: testCase.fields.env, + allowUnknownConfig: testCase.fields.allowUnknownConfig, + } + + result := cmd.Run(testCase.args.args) + + assert.Equal(t, testCase.want.code, result) + if testCase.want.stderrContent == "" { + assert.Empty(t, testCase.fields.env.Stderr.(*bytes.Buffer).String()) + } else { + assert.Contains(t, testCase.fields.env.Stderr.(*bytes.Buffer).String(), testCase.want.stderrContent) + } + if testCase.want.dataDirCreated { + assert.DirExistsf(t, testDataDir, "expected data directory to be created") + } else { + assert.NoDirExistsf(t, testDataDir, "expected data directory to not be created") + } + }) + } +} + func TestParseFlagsGood(t *testing.T) { c, err := parseFlags("run", []string{ "-dataDir=.", diff --git a/cmd/spire-server/cli/run/run_posix_test.go b/cmd/spire-server/cli/run/run_posix_test.go index 22a0a896a2..5b2c872045 100644 --- a/cmd/spire-server/cli/run/run_posix_test.go +++ b/cmd/spire-server/cli/run/run_posix_test.go 
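Review bot: The case "create data dir and uses named pipe" asserts only the exit code, an empty stderr and the existence of the data directory, so nothing in TestCommand_Run checks that the `-namedPipeName` value was applied. Either rename the case to what it verifies or add an assertion on the pipe. The expected `code: 1` with empty stderr is unexplained as well; a comment such as `// config loads and dirs are created, then the agent fails to start, hence exit code 1` would help, if that is indeed the reason. `os.RemoveAll(testTempDir)` also deletes the directory handed out by `t.TempDir()` and drops its error, whereas the POSIX variant removes only `testDataDir`.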
@@ -4,18 +4,173 @@ package run import ( + "bytes" + "fmt" "os" + "strings" + "syscall" "testing" + "time" + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/fflag" + "github.com/spiffe/spire/pkg/common/log" "github.com/spiffe/spire/pkg/server" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) const ( - configFile = "../../../../test/fixture/config/server_good_posix.conf" + configFile = "../../../../test/fixture/config/server_good_posix.conf" + startConfigFile = "../../../../test/fixture/config/server_run_start_posix.conf" + crashConfigFile = "../../../../test/fixture/config/server_run_crash_posix.conf" ) +func TestCommand_Run(t *testing.T) { + testTempDir := t.TempDir() + testLogFile := testTempDir + "/spire-server.log" + + type fields struct { + logOptions []log.Option + env *commoncli.Env + allowUnknownConfig bool + } + type args struct { + args []string + killServerOnStart bool + } + type want struct { + code int + dataDirCreated string + stderrContent string + } + tests := []struct { + name string + fields fields + args args + configLoaded bool + want want + }{ + { + name: "don't create any dir when error loading nonexistent config", + args: args{ + args: []string{}, + }, + fields: fields{ + logOptions: []log.Option{log.WithOutputFile(testLogFile)}, + env: &commoncli.Env{ + Stderr: new(bytes.Buffer), + }, + allowUnknownConfig: false, + }, + configLoaded: false, + want: want{ + code: 1, + stderrContent: "could not find config file", + }, + }, + { + name: "don't create any dir when error loading invalid config", + args: args{ + args: []string{ + "-config", startConfigFile, + "-namedPipeName", "\\spire-agent\\public\\api", + }, + }, + fields: fields{ + logOptions: []log.Option{log.WithOutputFile(testLogFile)}, + env: &commoncli.Env{ + Stderr: new(bytes.Buffer), + }, + allowUnknownConfig: false, + }, + configLoaded: false, + want: want{ + code: 1, + stderrContent: "flag provided but not defined: 
-namedPipeName", + }, + }, + { + name: "create data dir when config is loaded and server crashes", + args: args{ + args: []string{ + "-config", crashConfigFile, + "-dataDir", fmt.Sprintf("%s/crash/data", testTempDir), + "-expandEnv", "true", + }, + }, + fields: fields{ + logOptions: []log.Option{log.WithOutputFile(testLogFile)}, + env: &commoncli.Env{ + Stderr: new(bytes.Buffer), + }, + allowUnknownConfig: false, + }, + configLoaded: true, + want: want{ + code: 1, + dataDirCreated: fmt.Sprintf("%s/crash/data", testTempDir), + }, + }, + { + name: "create data dir when config is loaded and server stops", + args: args{ + args: []string{ + "-config", startConfigFile, + "-dataDir", fmt.Sprintf("%s/data", testTempDir), + "-expandEnv", "true", + }, + killServerOnStart: true, + }, + fields: fields{ + logOptions: []log.Option{log.WithOutputFile(testLogFile)}, + env: &commoncli.Env{ + Stderr: new(bytes.Buffer), + }, + allowUnknownConfig: false, + }, + configLoaded: true, + want: want{ + code: 0, + dataDirCreated: fmt.Sprintf("%s/data", testTempDir), + }, + }, + } + for _, testCase := range tests { + t.Run(testCase.name, func(t *testing.T) { + _ = fflag.Unload() + require.NoError(t, os.Setenv("SPIRE_SERVER_TEST_DATA_CONNECTION", fmt.Sprintf("%s/data/datastore.sqlite3", testTempDir))) + os.Remove(testLogFile) + + cmd := &Command{ + logOptions: testCase.fields.logOptions, + env: testCase.fields.env, + allowUnknownConfig: testCase.fields.allowUnknownConfig, + } + + if testCase.args.killServerOnStart { + killServerOnStart(t, testLogFile) + } + + code := cmd.Run(testCase.args.args) + + assert.Equal(t, testCase.want.code, code) + if testCase.want.stderrContent == "" { + assert.Empty(t, testCase.fields.env.Stderr.(*bytes.Buffer).String()) + } else { + assert.Contains(t, testCase.fields.env.Stderr.(*bytes.Buffer).String(), testCase.want.stderrContent) + } + if testCase.want.dataDirCreated != "" { + assert.DirExistsf(t, testCase.want.dataDirCreated, "data directory should be created") 
+ currentUmask := syscall.Umask(0) + assert.Equalf(t, currentUmask, 0027, "spire-server process should have been created with 0027 umask") + } else { + assert.NoDirExistsf(t, testCase.want.dataDirCreated, "data directory should not be created") + } + }) + } +} + func TestParseFlagsGood(t *testing.T) { c, err := parseFlags("run", []string{ "-bindAddress=127.0.0.1", @@ -30,6 +185,37 @@ func TestParseFlagsGood(t *testing.T) { assert.Equal(t, c.LogLevel, "INFO") } +func killServerOnStart(t *testing.T, testLogFile string) { + go func() { + serverStartWaitingTimeout := 10 * time.Second + serverStartWaitingInterval := 100 * time.Millisecond + ticker := time.NewTicker(serverStartWaitingInterval) + timer := time.NewTimer(serverStartWaitingTimeout) + waitingLoop: + for { + select { + case <-timer.C: + panic("server did not start in time") + case <-ticker.C: + logs, err := os.ReadFile(testLogFile) + + if err != nil { + continue + } + if strings.Contains(string(logs), "Starting Server APIs") { + timer.Stop() + break waitingLoop + } + } + } + + err := syscall.Kill(syscall.Getpid(), syscall.SIGINT) + if err != nil { + t.Errorf("Failed to kill process: %v", err) + } + }() +} + func mergeInputCasesOS(t *testing.T) []mergeInputCase { return []mergeInputCase{ { diff --git a/cmd/spire-server/cli/run/run_windows_test.go b/cmd/spire-server/cli/run/run_windows_test.go index 0e9890705f..c421232317 100644 --- a/cmd/spire-server/cli/run/run_windows_test.go +++ b/cmd/spire-server/cli/run/run_windows_test.go @@ -4,9 +4,14 @@ package run import ( + "bytes" + "fmt" "os" "testing" + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/fflag" + "github.com/spiffe/spire/pkg/common/log" "github.com/spiffe/spire/pkg/common/namedpipe" "github.com/spiffe/spire/pkg/server" "github.com/stretchr/testify/assert" 
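Review bot: In the two config-error cases `want.dataDirCreated` is the empty string, so the else branch of TestCommand_Run runs `assert.NoDirExistsf(t, "", ...)`, which passes no matter what the command created on disk. Give those cases the path that must stay absent, or assert on `fmt.Sprintf("%s/data", testTempDir)` directly in the else branch. `os.Setenv("SPIRE_SERVER_TEST_DATA_CONNECTION", ...)` also leaves the variable set for the rest of the test binary; `t.Setenv("SPIRE_SERVER_TEST_DATA_CONNECTION", ...)` restores it automatically, provided the module's Go version has it.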
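Review bot: killServerOnStart never stops `ticker`, and the goroutine it starts is not tied to the lifetime of the test; add `defer ticker.Stop()` and `defer timer.Stop()` at the top of the goroutine. The timeout path calls `panic("server did not start in time")`, which aborts the whole test binary instead of failing this one test, and `t.Errorf` is called from a goroutine that may outlive the test. `syscall.Kill(syscall.Getpid(), syscall.SIGINT)` signals the test process itself, so it presumably relies on `Command.Run` having installed its signal handling before "Starting Server APIs" is logged; a comment stating that dependency would make the helper safer to reuse.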
@@ -17,6 +22,118 @@ const ( configFile = "../../../../test/fixture/config/server_good_windows.conf" ) +func TestCommand_Run(t *testing.T) { + testTempDir := t.TempDir() + testDataDir := fmt.Sprintf("%s/data", testTempDir) + + type fields struct { + logOptions []log.Option + env *commoncli.Env + allowUnknownConfig bool + } + type args struct { + args []string + } + type want struct { + code int + stderrContent string + dataDirCreated bool + } + tests := []struct { + name string + fields fields + args args + want want + }{ + { + name: "don't create data dir when error loading nonexistent config", + args: args{ + args: []string{}, + }, + fields: fields{ + logOptions: []log.Option{}, + env: &commoncli.Env{ + Stderr: new(bytes.Buffer), + }, + allowUnknownConfig: false, + }, + want: want{ + code: 1, + dataDirCreated: false, + stderrContent: "could not find config file", + }, + }, + { + name: "don't create data dir when error loading invalid config", + args: args{ + args: []string{ + "-config", "../../../../test/fixture/config/server_run_windows.conf", + "-socketPath", "unix:///tmp/agent.sock", + }, + }, + fields: fields{ + logOptions: []log.Option{}, + env: &commoncli.Env{ + Stderr: new(bytes.Buffer), + }, + allowUnknownConfig: false, + }, + want: want{ + code: 1, + dataDirCreated: false, + stderrContent: "flag provided but not defined: -socketPath", + }, + }, + { + name: "create data dir when config is loaded", + args: args{ + args: []string{ + "-config", "../../../../test/fixture/config/server_run_windows.conf", + "-dataDir", testDataDir, + }, + }, + fields: fields{ + logOptions: []log.Option{}, + env: &commoncli.Env{ + Stderr: new(bytes.Buffer), + Stdout: new(bytes.Buffer), + }, + allowUnknownConfig: false, + }, + want: want{ + code: 1, + dataDirCreated: true, + }, + }, + } + for _, testCase := range tests { + t.Run(testCase.name, func(t *testing.T) { + _ = fflag.Unload() + os.RemoveAll(testDataDir) + + cmd := &Command{ + logOptions: testCase.fields.logOptions, + env: 
testCase.fields.env, + allowUnknownConfig: testCase.fields.allowUnknownConfig, + } + + code := cmd.Run(testCase.args.args) + + assert.Equal(t, testCase.want.code, code) + if testCase.want.stderrContent == "" { + assert.Empty(t, testCase.fields.env.Stderr.(*bytes.Buffer).String()) + } else { + assert.Contains(t, testCase.fields.env.Stderr.(*bytes.Buffer).String(), testCase.want.stderrContent) + } + if testCase.want.dataDirCreated { + assert.DirExistsf(t, testDataDir, "data directory should be created") + } else { + assert.NoDirExistsf(t, testDataDir, "data directory should not be created") + } + }) + } +} + func TestParseFlagsGood(t *testing.T) { c, err := parseFlags("run", []string{ "-bindAddress=127.0.0.1", diff --git a/pkg/common/fflag/fflag.go b/pkg/common/fflag/fflag.go index 25d1d62b59..6420cbf7fc 100644 --- a/pkg/common/fflag/fflag.go +++ b/pkg/common/fflag/fflag.go @@ -56,8 +56,9 @@ var ( // Load initializes the fflag package and configures its feature flag state // based on the configuration input. Feature flags are designed to be -// Write-Once-Read-Many, and as such, Load can be called only once. Load will -// return an error if it is called more than once, if the configuration input +// Write-Once-Read-Many, and as such, Load can be called only once (except when Using Unload function +// for test scenarios, which will reset states enabling Load to be called again). +// Load will return an error if it is called more than once, if the configuration input // cannot be parsed, or if an unrecognized flag is set. func Load(rc RawConfig) error { singleton.mtx.Lock() 
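Review bot: The reworded doc comment on `Load` has a stray capital ("when Using Unload function") and a parenthetical that is hard to parse. Suggested wording: `// Write-Once-Read-Many, and as such, Load can be called only once. Tests may call Unload to reset the state so that Load can be called again.` The remaining sentence about the error conditions can stay as it was before the change.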
@@ -91,6 +92,24 @@ func Load(rc RawConfig) error { return nil } +// Unload resets the feature flags states to its default values. This function is intended to be used for testing +// purposes only, it is not expected to be called by the normal execution of SPIRE. +func Unload() error { + singleton.mtx.Lock() + defer singleton.mtx.Unlock() + + if !singleton.loaded { + return errors.New("feature flags have not been loaded") + } + + for f := range singleton.flags { + singleton.flags[f] = false + } + + singleton.loaded = false + return nil +} + // IsSet can be used to determine whether or not a particular feature flag is // set. func IsSet(f Flag) bool { diff --git a/pkg/common/fflag/fflag_test.go b/pkg/common/fflag/fflag_test.go index f70161bc36..90d05f443a 100644 --- a/pkg/common/fflag/fflag_test.go +++ b/pkg/common/fflag/fflag_test.go @@ -2,6 +2,9 @@ package fflag import ( "testing" + + "github.com/spiffe/spire/test/spiretest" + "github.com/stretchr/testify/assert" ) func TestLoadOnce(t *testing.T) { 
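Review bot: Unload is exported from the production `fflag` package, so the Write-Once-Read-Many property that Load documents now holds only as long as no non-test code calls it; nothing in the function enforces the "testing purposes only" statement in its comment. Feature flags can gate behaviour that is expected to stay fixed after startup, so the restriction is better made mechanical than left to convention. On a toolchain with Go 1.21 or later, a guard at the top such as `if !testing.Testing() { return errors.New("Unload may only be called from tests") }` would do that. Otherwise the doc comment should at least state the consequence, for example `// Calling Unload outside tests breaks the write-once guarantee documented on Load.` The first comment line also reads better as `// Unload resets all feature flags to their default values.`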
@@ -94,6 +97,56 @@ func TestLoad(t *testing.T) { reset() } +func TestUnload(t *testing.T) { + type want struct { + errStr string + unloadedFlags []Flag + } + tests := []struct { + name string + setup func() + want want + }{ + { + name: "unload without loading", + setup: func() { + singleton.mtx.Lock() + defer singleton.mtx.Unlock() + singleton.loaded = false + }, + want: want{ + errStr: "feature flags have not been loaded", + }, + }, + { + name: "unload after loading", + setup: func() { + singleton.mtx.Lock() + defer singleton.mtx.Unlock() + singleton.loaded = true + singleton.flags[FlagTestFlag] = true + }, + want: want{ + unloadedFlags: []Flag{FlagTestFlag}, + }, + }, + } + for _, testCase := range tests { + t.Run(testCase.name, func(t *testing.T) { + testCase.setup() + err := Unload() + if testCase.want.errStr == "" { + assert.NoError(t, err) + } else { + spiretest.AssertErrorContains(t, err, testCase.want.errStr) + } + for _, flag := range testCase.want.unloadedFlags { + assert.False(t, IsSet(flag)) + } + }) + } +} + func reset() { singleton.mtx.Lock() defer singleton.mtx.Unlock() diff --git a/test/fixture/config/agent_run_posix.conf b/test/fixture/config/agent_run_posix.conf new file mode 100644 index 0000000000..9c9ae55255 --- /dev/null +++ b/test/fixture/config/agent_run_posix.conf @@ -0,0 +1,9 @@ +agent { + data_dir = "./.data" + log_level = "DEBUG" + server_address = "127.0.0.1" + server_port = "8081" + trust_domain = "example.org" +} + +plugins {} diff --git a/test/fixture/config/agent_run_windows.conf b/test/fixture/config/agent_run_windows.conf new file mode 100644 index 0000000000..c75a0f599e --- /dev/null +++ b/test/fixture/config/agent_run_windows.conf @@ -0,0 +1,9 @@ +agent { + insecure_bootstrap = true + log_level = "DEBUG" + server_address = "127.0.0.1" + server_port = "8081" + trust_domain = "example.org" +} + +plugins {} 
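Review bot: TestUnload never checks that Unload cleared `singleton.loaded`, which is the state that allows Load to run again and the stated reason the function exists; the success case only checks `IsSet(flag)` for the listed flags. Adding `assert.False(t, singleton.loaded)` after the `Unload()` call in the "unload after loading" case, or calling Load again and asserting it succeeds, would pin that behaviour. The "unload without loading" setup writes only `singleton.loaded = false` and leaves `singleton.flags` as an earlier test left it, so starting each setup from the file's `reset()` helper (its body is outside this hunk, presumably a full reset) would make the cases independent of test order.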
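Review bot: `insecure_bootstrap = true` in `agent_run_windows.conf` makes the agent skip verification of the server on its first connection, and the fixture gives no hint that this is a test-only shortcut. Fixtures tend to be copied as starting points, so a comment above the setting would help, for example `# test fixture only: insecure_bootstrap disables server verification at bootstrap`. The POSIX counterpart added in the same commit does not set it and sets `data_dir` instead, so it is also worth stating why the two fixtures differ.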
diff --git a/test/fixture/config/server_run_crash_posix.conf b/test/fixture/config/server_run_crash_posix.conf
new file mode 100644
index 0000000000..1394556879
--- /dev/null
+++ b/test/fixture/config/server_run_crash_posix.conf
@@ -0,0 +1,33 @@
+server {
+ bind_address = "127.0.0.1"
+ bind_port = "8081"
+ socket_path = "/tmp/spire-server-test/private/api.sock"
+ trust_domain = "example.org"
+ log_level = "DEBUG"
+ ca_subject {
+ country = ["US"]
+ organization = ["SPIFFE"]
+ common_name = ""
+ }
+}
+
+plugins {
+ DataStore "sql" {
+ plugin_data {
+ }
+ }
+
+ NodeAttestor "join_token" {
+ plugin_data {
+ }
+ }
+
+ KeyManager "memory" {
+ plugin_data = {}
+ }
+
+ UpstreamAuthority "disk" {
+ plugin_data {
+ }
+ }
+}
diff --git a/test/fixture/config/server_run_start_posix.conf b/test/fixture/config/server_run_start_posix.conf
new file mode 100644
index 0000000000..46e8ab9b3d
--- /dev/null
+++ b/test/fixture/config/server_run_start_posix.conf
@@ -0,0 +1,37 @@
+server {
+ bind_address = "127.0.0.1"
+ bind_port = "8081"
+ socket_path = "/tmp/spire-server-test/private/api.sock"
+ trust_domain = "example.org"
+ log_level = "DEBUG"
+ ca_subject {
+ country = ["US"]
+ organization = ["SPIFFE"]
+ common_name = ""
+ }
+}
+
+plugins {
+ DataStore "sql" {
+ plugin_data {
+ database_type = "sqlite3"
+ connection_string = "$SPIRE_SERVER_TEST_DATA_CONNECTION"
+ }
+ }
+
+ NodeAttestor "join_token" {
+ plugin_data {
+ }
+ }
+
+ KeyManager "memory" {
+ plugin_data = {}
+ }
+
+ UpstreamAuthority "disk" {
+ plugin_data {
+ key_file_path = "../../../../conf/server/dummy_upstream_ca.key"
+ cert_file_path = "../../../../conf/server/dummy_upstream_ca.crt"
+ }
+ }
+}
diff --git a/test/fixture/config/server_run_windows.conf b/test/fixture/config/server_run_windows.conf
new file mode 100644
index 0000000000..a3542b1a44
--- /dev/null
+++ b/test/fixture/config/server_run_windows.conf
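Review bot: `socket_path = "/tmp/spire-server-test/private/api.sock"` is a fixed location under the shared `/tmp`, both in `server_run_crash_posix.conf` and in `server_run_start_posix.conf`. On a multi-user build host, or when test runs overlap, another process may already own `/tmp/spire-server-test`, so the test either fails or places the server's API socket in a directory it does not control. The Windows test in this patch passes a `-dataDir` derived from `t.TempDir()`; if the POSIX test can override the socket path the same way (that test file is not visible here), the fixture should say so with a comment such as `# overridden by the test with a per-test temporary directory`. The fixed `bind_port = "8081"` has the same collision risk for parallel runs.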
@@ -0,0 +1,13 @@ +server { + bind_address = "127.0.0.1" + bind_port = "8081" + trust_domain = "example.org" + log_level = "DEBUG" + ca_subject { + country = ["US"] + organization = ["SPIFFE"] + common_name = "" + } +} + +plugins {} From f10a17d7c50ee35ca4364d9e8b82239b42708a51 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 26 Oct 2022 16:12:26 -0600 Subject: [PATCH 019/257] Bump github.com/GoogleCloudPlatform/cloudsql-proxy from 1.32.0 to 1.33.0 (#3529) Bumps [github.com/GoogleCloudPlatform/cloudsql-proxy](https://github.com/GoogleCloudPlatform/cloudsql-proxy) from 1.32.0 to 1.33.0. - [Release notes](https://github.com/GoogleCloudPlatform/cloudsql-proxy/releases) - [Changelog](https://github.com/GoogleCloudPlatform/cloud-sql-proxy/blob/v1.33.0/CHANGELOG.md) - [Commits](https://github.com/GoogleCloudPlatform/cloudsql-proxy/compare/v1.32.0...v1.33.0) --- updated-dependencies: - dependency-name: github.com/GoogleCloudPlatform/cloudsql-proxy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 8 +-- go.sum | 182 ++++++++++++++++++++++++++++++++++++++++++++++++++------- 2 files changed, 164 insertions(+), 26 deletions(-) diff --git a/go.mod b/go.mod index 3d6f8a9980..20006220d8 100644 --- a/go.mod +++ b/go.mod @@ -11,7 +11,7 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0 - github.com/GoogleCloudPlatform/cloudsql-proxy v1.32.0 + github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.0 github.com/Microsoft/go-winio v0.6.0 github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 github.com/armon/go-metrics v0.4.1 
@@ -64,7 +64,7 @@ require ( golang.org/x/net v0.0.0-20221014081412-f15817d10f9b golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0 golang.org/x/sys v0.0.0-20220907062415-87db552b00fd - golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 + golang.org/x/time v0.1.0 google.golang.org/api v0.100.0 google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a google.golang.org/grpc v1.50.1 @@ -129,7 +129,7 @@ require ( github.com/go-openapi/swag v0.19.14 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang-jwt/jwt v3.2.1+incompatible // indirect + github.com/golang-jwt/jwt v3.2.2+incompatible // indirect github.com/golang-jwt/jwt/v4 v4.2.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/snappy v0.0.4 // indirect @@ -175,7 +175,7 @@ require ( github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect github.com/pierrec/lz4 v2.5.2+incompatible // indirect - github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 // indirect + github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/posener/complete v1.2.3 // indirect diff --git a/go.sum b/go.sum index 1e7b1ceed0..8b1e55875b 100644 --- a/go.sum +++ b/go.sum 
@@ -31,50 +31,158 @@ cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+ cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU= cloud.google.com/go v0.104.0 h1:gSmWO7DY1vOm0MVU6DNXM11BWHHsTUmsC5cv1fuW5X8= cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRYtA= +cloud.google.com/go/aiplatform v1.22.0/go.mod h1:ig5Nct50bZlzV6NvKaTwmplLLddFx0YReh9WfTO5jKw= +cloud.google.com/go/aiplatform v1.24.0/go.mod h1:67UUvRBKG6GTayHKV8DBv2RtR1t93YRu5B1P3x99mYY= +cloud.google.com/go/analytics v0.11.0/go.mod h1:DjEWCu41bVbYcKyvlws9Er60YE4a//bK6mnhWvQeFNI= +cloud.google.com/go/analytics v0.12.0/go.mod h1:gkfj9h6XRf9+TS4bmuhPEShsh3hH8PAZzm/41OOhQd4= +cloud.google.com/go/area120 v0.5.0/go.mod h1:DE/n4mp+iqVyvxHN41Vf1CR602GiHQjFPusMFW6bGR4= +cloud.google.com/go/area120 v0.6.0/go.mod h1:39yFJqWVgm0UZqWTOdqkLhjoC7uFfgXRC8g/ZegeAh0= +cloud.google.com/go/artifactregistry v1.6.0/go.mod h1:IYt0oBPSAGYj/kprzsBjZ/4LnG/zOcHyFHjWPCi6SAQ= +cloud.google.com/go/artifactregistry v1.7.0/go.mod h1:mqTOFOnGZx8EtSqK/ZWcsm/4U8B77rbcLP6ruDU2Ixk= +cloud.google.com/go/asset v1.5.0/go.mod h1:5mfs8UvcM5wHhqtSv8J1CtxxaQq3AdBxxQi2jGW/K4o= +cloud.google.com/go/asset v1.7.0/go.mod h1:YbENsRK4+xTiL+Ofoj5Ckf+O17kJtgp3Y3nn4uzZz5s= +cloud.google.com/go/assuredworkloads v1.5.0/go.mod h1:n8HOZ6pff6re5KYfBXcFvSViQjDwxFkAkmUFffJRbbY= +cloud.google.com/go/assuredworkloads v1.6.0/go.mod h1:yo2YOk37Yc89Rsd5QMVECvjaMKymF9OP+QXWlKXUkXw= +cloud.google.com/go/automl v1.5.0/go.mod h1:34EjfoFGMZ5sgJ9EoLsRtdPSNZLcfflJR39VbVNS2M0= +cloud.google.com/go/automl v1.6.0/go.mod h1:ugf8a6Fx+zP0D59WLhqgTDsQI9w07o64uf/Is3Nh5p8= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= cloud.google.com/go/bigquery v1.5.0/go.mod 
h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= +cloud.google.com/go/bigquery v1.42.0/go.mod h1:8dRTJxhtG+vwBKzE5OseQn/hiydoQN3EedCaOdYmxRA= +cloud.google.com/go/billing v1.4.0/go.mod h1:g9IdKBEFlItS8bTtlrZdVLWSSdSyFUZKXNS02zKMOZY= +cloud.google.com/go/billing v1.5.0/go.mod h1:mztb1tBc3QekhjSgmpf/CV4LzWXLzCArwpLmP2Gm88s= +cloud.google.com/go/binaryauthorization v1.1.0/go.mod h1:xwnoWu3Y84jbuHa0zd526MJYmtnVXn0syOjaJgy4+dM= +cloud.google.com/go/binaryauthorization v1.2.0/go.mod h1:86WKkJHtRcv5ViNABtYMhhNWRrD1Vpi//uKEy7aYEfI= +cloud.google.com/go/cloudtasks v1.5.0/go.mod h1:fD92REy1x5woxkKEkLdvavGnPJGEn8Uic9nWuLzqCpY= +cloud.google.com/go/cloudtasks v1.6.0/go.mod h1:C6Io+sxuke9/KNRkbQpihnW93SWDU3uXt92nu85HkYI= cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow= cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM= cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M= cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz/FMzPu0s= cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU= cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U= -cloud.google.com/go/compute v1.9.0/go.mod h1:lWv1h/zUWTm/LozzfTJhBSkd6ShQq8la8VeeuOEGxfY= cloud.google.com/go/compute v1.10.0 h1:aoLIYaA1fX3ywihqpBk2APQKOo20nXsp1GEZQbx5Jk4= cloud.google.com/go/compute v1.10.0/go.mod h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOtRsugnLrlU= +cloud.google.com/go/containeranalysis v0.5.1/go.mod h1:1D92jd8gRR/c0fGMlymRgxWD3Qw9C1ff6/T7mLgVL8I= +cloud.google.com/go/containeranalysis v0.6.0/go.mod h1:HEJoiEIu+lEXM+k7+qLCci0h33lX3ZqoYFdmPcoO7s4= +cloud.google.com/go/datacatalog v1.3.0/go.mod 
h1:g9svFY6tuR+j+hrTw3J2dNcmI0dzmSiyOzm8kpLq0a0= +cloud.google.com/go/datacatalog v1.5.0/go.mod h1:M7GPLNQeLfWqeIm3iuiruhPzkt65+Bx8dAKvScX8jvs= +cloud.google.com/go/datacatalog v1.6.0/go.mod h1:+aEyF8JKg+uXcIdAmmaMUmZ3q1b/lKLtXCmXdnc0lbc= +cloud.google.com/go/dataflow v0.6.0/go.mod h1:9QwV89cGoxjjSR9/r7eFDqqjtvbKxAK2BaYU6PVk9UM= +cloud.google.com/go/dataflow v0.7.0/go.mod h1:PX526vb4ijFMesO1o202EaUmouZKBpjHsTlCtB4parQ= +cloud.google.com/go/dataform v0.3.0/go.mod h1:cj8uNliRlHpa6L3yVhDOBrUXH+BPAO1+KFMQQNSThKo= +cloud.google.com/go/dataform v0.4.0/go.mod h1:fwV6Y4Ty2yIFL89huYlEkwUPtS7YZinZbzzj5S9FzCE= +cloud.google.com/go/datalabeling v0.5.0/go.mod h1:TGcJ0G2NzcsXSE/97yWjIZO0bXj0KbVlINXMG9ud42I= +cloud.google.com/go/datalabeling v0.6.0/go.mod h1:WqdISuk/+WIGeMkpw/1q7bK/tFEZxsrFJOJdY2bXvTQ= +cloud.google.com/go/dataqna v0.5.0/go.mod h1:90Hyk596ft3zUQ8NkFfvICSIfHFh1Bc7C4cK3vbhkeo= +cloud.google.com/go/dataqna v0.6.0/go.mod h1:1lqNpM7rqNLVgWBJyk5NF6Uen2PHym0jtVJonplVsDA= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= +cloud.google.com/go/datastream v1.2.0/go.mod h1:i/uTP8/fZwgATHS/XFu0TcNUhuA0twZxxQ3EyCUQMwo= +cloud.google.com/go/datastream v1.3.0/go.mod h1:cqlOX8xlyYF/uxhiKn6Hbv6WjwPPuI9W2M9SAXwaLLQ= +cloud.google.com/go/dialogflow v1.15.0/go.mod h1:HbHDWs33WOGJgn6rfzBW1Kv807BE3O1+xGbn59zZWI4= +cloud.google.com/go/dialogflow v1.16.1/go.mod h1:po6LlzGfK+smoSmTBnbkIZY2w8ffjz/RcGSS+sh1el0= +cloud.google.com/go/documentai v1.7.0/go.mod h1:lJvftZB5NRiFSX4moiye1SMxHx0Bc3x1+p9e/RfXYiU= +cloud.google.com/go/documentai v1.8.0/go.mod h1:xGHNEB7CtsnySCNrCFdCyyMz44RhFEEX2Q7UD0c5IhU= +cloud.google.com/go/domains v0.6.0/go.mod h1:T9Rz3GasrpYk6mEGHh4rymIhjlnIuB4ofT1wTxDeT4Y= +cloud.google.com/go/domains v0.7.0/go.mod h1:PtZeqS1xjnXuRPKE/88Iru/LdfoRyEHYA9nFQf4UKpg= +cloud.google.com/go/edgecontainer v0.1.0/go.mod 
h1:WgkZ9tp10bFxqO8BLPqv2LlfmQF1X8lZqwW4r1BTajk= cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= +cloud.google.com/go/functions v1.6.0/go.mod h1:3H1UA3qiIPRWD7PeZKLvHZ9SaQhR26XIJcC0A5GbvAk= +cloud.google.com/go/functions v1.7.0/go.mod h1:+d+QBcWM+RsrgZfV9xo6KfA1GlzJfxcfZcRPEhDDfzg= +cloud.google.com/go/gaming v1.5.0/go.mod h1:ol7rGcxP/qHTRQE/RO4bxkXq+Fix0j6D4LFPzYTIrDM= +cloud.google.com/go/gaming v1.6.0/go.mod h1:YMU1GEvA39Qt3zWGyAVA9bpYz/yAhTvaQ1t2sK4KPUA= +cloud.google.com/go/gkeconnect v0.5.0/go.mod h1:c5lsNAg5EwAy7fkqX/+goqFsU1Da/jQFqArp+wGNr/o= +cloud.google.com/go/gkeconnect v0.6.0/go.mod h1:Mln67KyU/sHJEBY8kFZ0xTeyPtzbq9StAVvEULYK16A= +cloud.google.com/go/gkehub v0.9.0/go.mod h1:WYHN6WG8w9bXU0hqNxt8rm5uxnk8IH+lPY9J2TV7BK0= +cloud.google.com/go/gkehub v0.10.0/go.mod h1:UIPwxI0DsrpsVoWpLB0stwKCP+WFVG9+y977wO+hBH0= +cloud.google.com/go/grafeas v0.2.0/go.mod h1:KhxgtF2hb0P191HlY5besjYm6MqTSTj3LSI+M+ByZHc= cloud.google.com/go/iam v0.3.0 h1:exkAomrVUuzx9kWFI1wm3KI0uoDeUFPB4kKGzx6x+Gc= cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= +cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic= +cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI= +cloud.google.com/go/lifesciences v0.5.0/go.mod h1:3oIKy8ycWGPUyZDR/8RNnTOYevhaMLqh5vLUXs9zvT8= +cloud.google.com/go/lifesciences v0.6.0/go.mod h1:ddj6tSX/7BOnhxCSd3ZcETvtNr8NZ6t/iPhY2Tyfu08= +cloud.google.com/go/mediatranslation v0.5.0/go.mod h1:jGPUhGTybqsPQn91pNXw0xVHfuJ3leR1wj37oU3y1f4= +cloud.google.com/go/mediatranslation v0.6.0/go.mod h1:hHdBCTYNigsBxshbznuIMFNe5QXEowAuNmmC7h8pu5w= +cloud.google.com/go/memcache v1.4.0/go.mod h1:rTOfiGZtJX1AaFUrOgsMHX5kAzaTQ8azHiuDoTPzNsE= +cloud.google.com/go/memcache v1.5.0/go.mod h1:dk3fCK7dVo0cUU2c36jKb4VqKPS22BTkf81Xq617aWM= +cloud.google.com/go/metastore v1.5.0/go.mod h1:2ZNrDcQwghfdtCwJ33nM0+GrBGlVuh8rakL3vdPY3XY= 
+cloud.google.com/go/metastore v1.6.0/go.mod h1:6cyQTls8CWXzk45G55x57DVQ9gWg7RiH65+YgPsNh9s= +cloud.google.com/go/networkconnectivity v1.4.0/go.mod h1:nOl7YL8odKyAOtzNX73/M5/mGZgqqMeryi6UPZTk/rA= +cloud.google.com/go/networkconnectivity v1.5.0/go.mod h1:3GzqJx7uhtlM3kln0+x5wyFvuVH1pIBJjhCpjzSt75o= +cloud.google.com/go/networksecurity v0.5.0/go.mod h1:xS6fOCoqpVC5zx15Z/MqkfDwH4+m/61A3ODiDV1xmiQ= +cloud.google.com/go/networksecurity v0.6.0/go.mod h1:Q5fjhTr9WMI5mbpRYEbiexTzROf7ZbDzvzCrNl14nyU= +cloud.google.com/go/notebooks v1.2.0/go.mod h1:9+wtppMfVPUeJ8fIWPOq1UnATHISkGXGqTkxeieQ6UY= +cloud.google.com/go/notebooks v1.3.0/go.mod h1:bFR5lj07DtCPC7YAAJ//vHskFBxA5JzYlH68kXVdk34= +cloud.google.com/go/osconfig v1.7.0/go.mod h1:oVHeCeZELfJP7XLxcBGTMBvRO+1nQ5tFG9VQTmYS2Fs= +cloud.google.com/go/osconfig v1.8.0/go.mod h1:EQqZLu5w5XA7eKizepumcvWx+m8mJUhEwiPqWiZeEdg= +cloud.google.com/go/oslogin v1.4.0/go.mod h1:YdgMXWRaElXz/lDk1Na6Fh5orF7gvmJ0FGLIs9LId4E= +cloud.google.com/go/oslogin v1.5.0/go.mod h1:D260Qj11W2qx/HVF29zBg+0fd6YCSjSqLUkY/qEenQU= +cloud.google.com/go/phishingprotection v0.5.0/go.mod h1:Y3HZknsK9bc9dMi+oE8Bim0lczMU6hrX0UpADuMefr0= +cloud.google.com/go/phishingprotection v0.6.0/go.mod h1:9Y3LBLgy0kDTcYET8ZH3bq/7qni15yVUoAxiFxnlSUA= +cloud.google.com/go/privatecatalog v0.5.0/go.mod h1:XgosMUvvPyxDjAVNDYxJ7wBW8//hLDDYmnsNcMGq1K0= +cloud.google.com/go/privatecatalog v0.6.0/go.mod h1:i/fbkZR0hLN29eEWiiwue8Pb+GforiEIBnV9yrRUOKI= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= +cloud.google.com/go/recaptchaenterprise v1.3.1/go.mod h1:OdD+q+y4XGeAlxRaMn1Y7/GveP6zmq76byL6tjPE7d4= +cloud.google.com/go/recaptchaenterprise/v2 v2.1.0/go.mod 
h1:w9yVqajwroDNTfGuhmOjPDN//rZGySaf6PtFVcSCa7o= +cloud.google.com/go/recaptchaenterprise/v2 v2.2.0/go.mod h1:/Zu5jisWGeERrd5HnlS3EUGb/D335f9k51B/FVil0jk= +cloud.google.com/go/recommendationengine v0.5.0/go.mod h1:E5756pJcVFeVgaQv3WNpImkFP8a+RptV6dDLGPILjvg= +cloud.google.com/go/recommendationengine v0.6.0/go.mod h1:08mq2umu9oIqc7tDy8sx+MNJdLG0fUi3vaSVbztHgJ4= +cloud.google.com/go/recommender v1.5.0/go.mod h1:jdoeiBIVrJe9gQjwd759ecLJbxCDED4A6p+mqoqDvTg= +cloud.google.com/go/recommender v1.6.0/go.mod h1:+yETpm25mcoiECKh9DEScGzIRyDKpZ0cEhWGo+8bo+c= +cloud.google.com/go/redis v1.7.0/go.mod h1:V3x5Jq1jzUcg+UNsRvdmsfuFnit1cfe3Z/PGyq/lm4Y= +cloud.google.com/go/redis v1.8.0/go.mod h1:Fm2szCDavWzBk2cDKxrkmWBqoCiL1+Ctwq7EyqBCA/A= +cloud.google.com/go/retail v1.8.0/go.mod h1:QblKS8waDmNUhghY2TI9O3JLlFk8jybHeV4BF19FrE4= +cloud.google.com/go/retail v1.9.0/go.mod h1:g6jb6mKuCS1QKnH/dpu7isX253absFl6iE92nHwlBUY= +cloud.google.com/go/scheduler v1.4.0/go.mod h1:drcJBmxF3aqZJRhmkHQ9b3uSSpQoltBPGPxGAWROx6s= +cloud.google.com/go/scheduler v1.5.0/go.mod h1:ri073ym49NW3AfT6DZi21vLZrG07GXr5p3H1KxN5QlI= +cloud.google.com/go/secretmanager v1.6.0/go.mod h1:awVa/OXF6IiyaU1wQ34inzQNc4ISIDIrId8qE5QGgKA= cloud.google.com/go/secretmanager v1.7.0 h1:EAPaaxMs1gtdyxK5UN8KfD5tnDBZiFoSroRfjV3EgQU= cloud.google.com/go/secretmanager v1.7.0/go.mod h1:20dYAPbj+H4+pXdBRN2z77yugQJJ30UF2kL9OWPs+L0= +cloud.google.com/go/security v1.5.0/go.mod h1:lgxGdyOKKjHL4YG3/YwIL2zLqMFCKs0UbQwgyZmfJl4= +cloud.google.com/go/security v1.7.0/go.mod h1:mZklORHl6Bg7CNnnjLH//0UlAlaXqiG7Lb9PsPXLfD0= cloud.google.com/go/security v1.8.0 h1:linnRc3/gJYDfKbAtNixVQ52+66DpOx5MmCz0NNxal8= cloud.google.com/go/security v1.8.0/go.mod h1:hAQOwgmaHhztFhiQ41CjDODdWP0+AE1B3sX4OFlq+GU= +cloud.google.com/go/securitycenter v1.13.0/go.mod h1:cv5qNAqjY84FCN6Y9z28WlkKXyWsgLO832YiWwkCWcU= +cloud.google.com/go/securitycenter v1.14.0/go.mod h1:gZLAhtyKv85n52XYWt6RmeBdydyxfPeTrpToDPw4Auc= +cloud.google.com/go/servicedirectory v1.4.0/go.mod 
h1:gH1MUaZCgtP7qQiI+F+A+OpeKF/HQWgtAddhTbhL2bs= +cloud.google.com/go/servicedirectory v1.5.0/go.mod h1:QMKFL0NUySbpZJ1UZs3oFAmdvVxhhxB6eJ/Vlp73dfg= +cloud.google.com/go/speech v1.6.0/go.mod h1:79tcr4FHCimOp56lwC01xnt/WPJZc4v3gzyT7FoBkCM= +cloud.google.com/go/speech v1.7.0/go.mod h1:KptqL+BAQIhMsj1kOP2la5DSEEerPDuOP/2mmkhHhZQ= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y= +cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeLgDvXzfIXc= cloud.google.com/go/storage v1.27.0 h1:YOO045NZI9RKfCj1c5A/ZtuuENUc8OAW+gHdGnDgyMQ= cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s= +cloud.google.com/go/talent v1.1.0/go.mod h1:Vl4pt9jiHKvOgF9KoZo6Kob9oV4lwd/ZD5Cto54zDRw= +cloud.google.com/go/talent v1.2.0/go.mod h1:MoNF9bhFQbiJ6eFD3uSsg0uBALw4n4gaCaEjBw9zo8g= +cloud.google.com/go/videointelligence v1.6.0/go.mod h1:w0DIDlVRKtwPCn/C4iwZIJdvC69yInhW0cfi+p546uU= +cloud.google.com/go/videointelligence v1.7.0/go.mod h1:k8pI/1wAhjznARtVT9U1llUaFNPh7muw8QyOUpavru4= +cloud.google.com/go/vision v1.2.0/go.mod h1:SmNwgObm5DpFBme2xpyOyasvBc1aPdjvMk2bBk0tKD0= +cloud.google.com/go/vision/v2 v2.2.0/go.mod h1:uCdV4PpN1S0jyCyq8sIM42v2Y6zOLkZs+4R9LrGYwFo= +cloud.google.com/go/vision/v2 v2.3.0/go.mod h1:UO61abBx9QRMFkNBbf1D8B1LXdS2cGiiCRx0vSpZoUo= +cloud.google.com/go/webrisk v1.4.0/go.mod h1:Hn8X6Zr+ziE2aNd8SliSDWpEnSS1u4R9+xXZmFiHmGE= +cloud.google.com/go/webrisk v1.5.0/go.mod h1:iPG6fr52Tv7sGk0H6qUFzmL3HHZev1htXuWDEEsqMTg= 
+cloud.google.com/go/workflows v1.6.0/go.mod h1:6t9F5h/unJz41YqfBmqSASJSXccBLtD1Vwf+KmJENM0= +cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoISEXH2bcHC3M= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -github.com/Azure/azure-sdk-for-go/sdk/azcore v0.19.0/go.mod h1:h6H6c8enJmmocHUbLiiGY6sx7f9i+X3m1CHdd5c6Rdw= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.0.0/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4 h1:pqrAR74b6EoR4kcxF7L7Wg2B8Jgil9UUZtMvxhEFqWo= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.11.0/go.mod h1:HcM1YX14R7CJcghJGOYCgdezslRSVzqwLf/q+4Y2r/0= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.0.0/go.mod h1:+6sju8gk8FRmSajX3Oz4G5Gm7P+mbqE9FVaXXFYTkCM= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 h1:QkAcEIAKbNL4KoFr4SathZPhDhF4mVwpBMFlYjyAqy8= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0/go.mod h1:bhXu1AjYL+wutSL/kpSq6s7733q2Rb0yuot9Zgfqa/0= -github.com/Azure/azure-sdk-for-go/sdk/internal v0.7.0/go.mod h1:yqy467j36fJxcRV2TzfVZ1pCb5vxm4BtZPUdYWe/Xo8= github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 h1:jp0dGvZ7ZK0mgqnTSClMxa5xuRL7NZgHameVYF6BurY= github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0 h1:/Di3vB4sNeQ+7A8efjUVENvyB945Wruvstucqp7ZArg= 
@@ -105,14 +213,15 @@ github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+Z github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= +github.com/AzureAD/microsoft-authentication-library-for-go v0.4.0/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4= github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1 h1:BWe8a+f/t+7KY7zH2mqygeUD0t8hNFXe08p1Pb3/jKE= github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DataDog/datadog-go v3.2.0+incompatible h1:qSG2N4FghB1He/r2mFrWKCaL7dXCilEuNEeAn20fdD4= github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= -github.com/GoogleCloudPlatform/cloudsql-proxy v1.32.0 h1:647YHw0ZJ3Uu5xlkytf1li7dqJ9mHg9zabuKdZP0vYU= -github.com/GoogleCloudPlatform/cloudsql-proxy v1.32.0/go.mod h1:FjoDxLvxFAbnXFuUKkzM7rY66YaU/YHezlau786y9hs= +github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.0 h1:yVfnW2IL8ta7g5q7cPh6CHH5ukyP+Jfk1XCAGo7uF20= +github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.0/go.mod h1:zidPvCHZ3cYESz8ghadYeGOSRJFjcU9k43vUJLvQIcI= github.com/Masterminds/goutils v1.1.0 h1:zukEsf/1JZwCMgHiK3GZftabmxiCw4apj3a28RPBiVg= github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc= 
@@ -262,6 +371,7 @@ github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/coreos/go-systemd/v22 v22.4.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= 
@@ -271,15 +381,15 @@ github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/denisenkom/go-mssqldb v0.0.0-20191124224453-732737034ffd h1:83Wprp6ROGeiHFAP8WJdI2RoxALQYgdllERc3N5N2DM= github.com/denisenkom/go-mssqldb v0.0.0-20191124224453-732737034ffd/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= -github.com/denisenkom/go-mssqldb v0.12.2 h1:1OcPn5GBIobjWNd+8yjfHNIaFX14B1pWI3F9HZy5KXw= -github.com/denisenkom/go-mssqldb v0.12.2/go.mod h1:lnIw1mZukFRZDJYQ0Pb833QS2IaC3l5HkEfra2LJ+sk= github.com/dgraph-io/badger/v3 v3.2103.2 h1:dpyM5eCJAtQCBcMCZcT4UBZchuTJgCywerHHgmxfxM8= github.com/dgraph-io/ristretto v0.1.0 h1:Jv3CGQHp9OjuMBSne1485aDpUkTKEcUqF+jm/LuerPI= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= +github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko= github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug= 
@@ -385,14 +495,14 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c= github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= +github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY= +github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU= github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= -github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A= github.com/golang-sql/sqlexp v0.1.0/go.mod h1:J4ad9Vo8ZCWQ2GMrC4UCQy1JpCbwU9m3EOqtpKwwwHI= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ= 
@@ -640,11 +750,11 @@ github.com/jackc/pgx/v4 v4.0.0-20190420224344-cc3461e65d96/go.mod h1:mdxmSJJuR08 github.com/jackc/pgx/v4 v4.0.0-20190421002000-1b8f0016e912/go.mod h1:no/Y67Jkk/9WuGR0JG/JseM9irFbnEPbuWV2EELPNuM= github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQnOEnf1dqHGpw7JmHqHc1NxDoalibchSk9/RWuDc= github.com/jackc/pgx/v4 v4.12.1-0.20210724153913-640aa07df17c/go.mod h1:1QD0+tgSXP7iUjYm9C1NxKhny7lq6ee99u/z+IHFcgs= -github.com/jackc/pgx/v4 v4.17.0/go.mod h1:Gd6RmOhtFLTu8cp/Fhq4kP195KrshxYJH3oW8AWJ1pw= +github.com/jackc/pgx/v4 v4.17.2/go.mod h1:lcxIZN44yMIrWI78a5CpucdD14hX0SBDbNRvjDBItsw= github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= -github.com/jackc/puddle v1.2.1/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= +github.com/jackc/puddle v1.3.0/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jhump/protoreflect v1.6.0/go.mod h1:eaTn3RZAmMBcV0fifFvlm6VHNz3wSkYyXYWUh7ymB74= github.com/jhump/protoreflect v1.9.0 h1:npqHz788dryJiR/l6K/RUQAyh2SwV91+d1dnh4RjO9w= 
@@ -734,6 +844,7 @@ github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/microsoft/go-mssqldb v0.17.0/go.mod h1:OkoNGhGEs8EZqchVTtochlXruEhEOaO4S0d2sB5aeGQ= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= 
@@ -809,9 +920,9 @@ github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCko github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/pierrec/lz4 v2.5.2+incompatible h1:WCjObylUIOlKy/+7Abdn34TLIkXiA4UWUMhxq9m9ZXI= github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= -github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4/go.mod h1:4OwLy04Bl9Ef3GJJCoec+30X3LQs/0/m4HFRt/2LUSA= -github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 h1:Qj1ukM4GlMWXNdMBuXcXfz/Kw9s1qm0CLY32QxuSImI= github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ= +github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU= +github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 
@@ -1043,13 +1154,13 @@ golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa h1:zuSxTR4o9y82ebqCUJYNGJbGPo6sKVl54f/TVDObg1c= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -1128,6 +1239,7 @@ golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/ golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= @@ -1139,7 +1251,6 @@ golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLd golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210610132358-84b48f89b13b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= 
@@ -1150,8 +1261,9 @@ golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220617184016-355a448f1bc9/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.0.0-20220907135653-1e95f45603a7/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.0.0-20221014081412-f15817d10f9b h1:tvrvnPFcdzp294diPnrdZZZ8XUt2Tyj7svb7X52iDuU= golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
@@ -1177,6 +1289,7 @@ golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 h1:nt+Q6cXKz4MosCSpnbMtqiQ8Oz0pxTef2B4Vca2lvfk= golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -1262,6 +1375,7 @@ golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210629170331-7dc0b73dc9fb/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -1278,6 +1392,7 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220224120231-95c6836cb0e7/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -1285,9 +1400,11 @@ golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220907062415-87db552b00fd h1:AZeIEzg+8RCELJYq8w+ODLVxFgLMMigSwO/ffKPEd9U= golang.org/x/sys v0.0.0-20220907062415-87db552b00fd/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= 
@@ -1310,8 +1427,8 @@ golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 h1:ftMN5LMiBFjbzleLqtoBZk7KdJwhuybIU+FckUHgoyQ= -golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.1.0 h1:xYY+Bajn2a7VBmTM5GikTmnK8ZuX8YgnQCqZpbBNtmA= +golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -1432,12 +1549,17 @@ google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/S google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8= google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs= google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA= +google.golang.org/api v0.77.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA= google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw= google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg= google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o= +google.golang.org/api v0.85.0/go.mod h1:AqZf8Ep9uZ2pyTvgL+x0D3Zt0eoT9b5E8fmzfu6FO2g= google.golang.org/api v0.90.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= -google.golang.org/api v0.91.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= +google.golang.org/api v0.93.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= google.golang.org/api v0.95.0/go.mod h1:eADj+UBuxkh5zlrSntJghuNeg8HwQ1w5lTKkuqaETEI= +google.golang.org/api v0.96.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= +google.golang.org/api v0.97.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= +google.golang.org/api v0.98.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= google.golang.org/api v0.100.0 h1:LGUYIrbW9pzYQQ8NWXlaIVkgnfubVBZbMFb9P8TK374= google.golang.org/api v0.100.0/go.mod h1:ZE3Z2+ZOr87Rx7dqFsdRQkRBk36kDtp/h+QpHbB7a70= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= 
@@ -1525,6 +1647,7 @@ google.golang.org/genproto v0.0.0-20220413183235-5e96e2839df9/go.mod h1:8w6bsBMX google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= +google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= 
@@ -1532,9 +1655,23 @@ google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljW google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= google.golang.org/genproto v0.0.0-20220722212130-b98a9ff5e252/go.mod h1:GkXuJDJ6aQ7lnJcRF+SJVgFdQhypqgl3LB1C9vabdRE= -google.golang.org/genproto v0.0.0-20220804142021-4e6b2dfa6612/go.mod h1:iHe1svFLAZg9VWz891+QbRMwUv9O/1Ww+/mngYeThbc= -google.golang.org/genproto v0.0.0-20220902135211-223410557253/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= +google.golang.org/genproto v0.0.0-20220801145646-83ce21fca29f/go.mod h1:iHe1svFLAZg9VWz891+QbRMwUv9O/1Ww+/mngYeThbc= +google.golang.org/genproto v0.0.0-20220815135757-37a418bb8959/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= +google.golang.org/genproto v0.0.0-20220817144833-d7fd3f11b9b1/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= +google.golang.org/genproto v0.0.0-20220822174746-9e6da59bd2fc/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= +google.golang.org/genproto v0.0.0-20220829144015-23454907ede3/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= +google.golang.org/genproto v0.0.0-20220829175752-36a9c930ecbf/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= +google.golang.org/genproto v0.0.0-20220913154956-18f8339a66a5/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= +google.golang.org/genproto v0.0.0-20220914142337-ca0e39ece12f/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= +google.golang.org/genproto v0.0.0-20220915135415-7fd63a7952de/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= 
+google.golang.org/genproto v0.0.0-20220916172020-2692e8806bfa/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= +google.golang.org/genproto v0.0.0-20220919141832-68c03719ef51/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= +google.golang.org/genproto v0.0.0-20220920201722-2b89144ce006/go.mod h1:ht8XFiar2npT/g4vkk7O0WYS1sHOHbdujxbEp7CJWbw= +google.golang.org/genproto v0.0.0-20220926165614-551eb538f295/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI= +google.golang.org/genproto v0.0.0-20220926220553-6981cbe3cfce/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI= +google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e/go.mod h1:3526vdqwhZAwq4wsRUaVG555sVgsNmIjRtO7t/JH29U= google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a h1:GH6UPn3ixhWcKDhpnEC55S75cerLPdpp3hrhfKYjZgw= google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= @@ -1572,6 +1709,7 @@ google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACu google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= +google.golang.org/grpc v1.50.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= google.golang.org/grpc v1.50.1 h1:DS/BukOZWp8s6p4Dt/tOaJaTQyPyOoCcrjroHuCeLzY= google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= From 551464d275a119edf830af68d79b9ce371f24a38 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 26 Oct 2022 17:43:05 -0600 Subject: [PATCH 020/257] Bump cloud.google.com/go/secretmanager from 1.7.0 to 1.8.0 (#3530) Bumps [cloud.google.com/go/secretmanager](https://github.com/googleapis/google-cloud-go) from 1.7.0 to 1.8.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/asset/v1.7.0...asset/v1.8.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/secretmanager dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 7 ++++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index 20006220d8..238c5c04c8 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/spiffe/spire go 1.19 require ( - cloud.google.com/go/secretmanager v1.7.0 + cloud.google.com/go/secretmanager v1.8.0 cloud.google.com/go/security v1.8.0 cloud.google.com/go/storage v1.27.0 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4 @@ -81,7 +81,7 @@ require ( require ( cloud.google.com/go v0.104.0 // indirect cloud.google.com/go/compute v1.10.0 // indirect - cloud.google.com/go/iam v0.3.0 // indirect + cloud.google.com/go/iam v0.5.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest v0.11.27 // indirect diff --git a/go.sum b/go.sum index 8b1e55875b..16947d403b 100644 --- a/go.sum +++ b/go.sum 
@@ -100,8 +100,9 @@ cloud.google.com/go/gkeconnect v0.6.0/go.mod h1:Mln67KyU/sHJEBY8kFZ0xTeyPtzbq9St cloud.google.com/go/gkehub v0.9.0/go.mod h1:WYHN6WG8w9bXU0hqNxt8rm5uxnk8IH+lPY9J2TV7BK0= cloud.google.com/go/gkehub v0.10.0/go.mod h1:UIPwxI0DsrpsVoWpLB0stwKCP+WFVG9+y977wO+hBH0= cloud.google.com/go/grafeas v0.2.0/go.mod h1:KhxgtF2hb0P191HlY5besjYm6MqTSTj3LSI+M+ByZHc= -cloud.google.com/go/iam v0.3.0 h1:exkAomrVUuzx9kWFI1wm3KI0uoDeUFPB4kKGzx6x+Gc= cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= +cloud.google.com/go/iam v0.5.0 h1:fz9X5zyTWBmamZsqvqZqD7khbifcZF/q+Z1J8pfhIUg= +cloud.google.com/go/iam v0.5.0/go.mod h1:wPU9Vt0P4UmCux7mqtRu6jcpPAb74cP1fh50J3QpkUc= cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic= cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI= cloud.google.com/go/lifesciences v0.5.0/go.mod h1:3oIKy8ycWGPUyZDR/8RNnTOYevhaMLqh5vLUXs9zvT8= 
@@ -144,8 +145,8 @@ cloud.google.com/go/retail v1.9.0/go.mod h1:g6jb6mKuCS1QKnH/dpu7isX253absFl6iE92 cloud.google.com/go/scheduler v1.4.0/go.mod h1:drcJBmxF3aqZJRhmkHQ9b3uSSpQoltBPGPxGAWROx6s= cloud.google.com/go/scheduler v1.5.0/go.mod h1:ri073ym49NW3AfT6DZi21vLZrG07GXr5p3H1KxN5QlI= cloud.google.com/go/secretmanager v1.6.0/go.mod h1:awVa/OXF6IiyaU1wQ34inzQNc4ISIDIrId8qE5QGgKA= -cloud.google.com/go/secretmanager v1.7.0 h1:EAPaaxMs1gtdyxK5UN8KfD5tnDBZiFoSroRfjV3EgQU= -cloud.google.com/go/secretmanager v1.7.0/go.mod h1:20dYAPbj+H4+pXdBRN2z77yugQJJ30UF2kL9OWPs+L0= +cloud.google.com/go/secretmanager v1.8.0 h1:4wYWL2t10q+xUtFFS0QuWlqwQguMrwC6FDpjtMM6cUI= +cloud.google.com/go/secretmanager v1.8.0/go.mod h1:hnVgi/bN5MYHd3Gt0SPuTPPp5ENina1/LxM+2W9U9J4= cloud.google.com/go/security v1.5.0/go.mod h1:lgxGdyOKKjHL4YG3/YwIL2zLqMFCKs0UbQwgyZmfJl4= cloud.google.com/go/security v1.7.0/go.mod h1:mZklORHl6Bg7CNnnjLH//0UlAlaXqiG7Lb9PsPXLfD0= cloud.google.com/go/security v1.8.0 h1:linnRc3/gJYDfKbAtNixVQ52+66DpOx5MmCz0NNxal8= From 05fe6ae4f5a8f4d317667d5232547eb555aa67c7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 26 Oct 2022 20:00:40 -0600 Subject: [PATCH 021/257] Bump github.com/docker/docker (#3531) Bumps [github.com/docker/docker](https://github.com/docker/docker) from 20.10.20+incompatible to 20.10.21+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Changelog](https://github.com/moby/moby/blob/master/CHANGELOG.md) - [Commits](https://github.com/docker/docker/compare/v20.10.20...v20.10.21) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/go.mod b/go.mod index 238c5c04c8..48b78815e9 100644 --- a/go.mod +++ b/go.mod @@ -27,7 +27,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/sts v1.17.0 github.com/blang/semver/v4 v4.0.0 github.com/cenkalti/backoff/v3 v3.2.2 - github.com/docker/docker v20.10.20+incompatible + github.com/docker/docker v20.10.21+incompatible github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1 github.com/go-logr/logr v1.2.3 github.com/go-sql-driver/mysql v1.6.0 diff --git a/go.sum b/go.sum index 16947d403b..f8c2599339 100644 --- a/go.sum +++ b/go.sum @@ -395,8 +395,8 @@ github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug= github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v20.10.20+incompatible h1:kH9tx6XO+359d+iAkumyKDc5Q1kOwPuAUaeri48nD6E= -github.com/docker/docker v20.10.20+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v20.10.21+incompatible h1:UTLdBmHk3bEY+w8qeO5KttOhy6OmXWsl/FEet9Uswog= +github.com/docker/docker v20.10.21+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw= From 740d3956d3dae7a2076f04a4feb7f1d0b4d49887 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 26 Oct 2022 20:53:14 -0600 Subject: [PATCH 022/257] Bump github.com/mattn/go-sqlite3 from 1.14.15 to 1.14.16 (#3532) Bumps [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3) from 1.14.15 to 1.14.16. - [Release notes](https://github.com/mattn/go-sqlite3/releases) - [Commits](https://github.com/mattn/go-sqlite3/compare/v1.14.15...v1.14.16) --- updated-dependencies: - dependency-name: github.com/mattn/go-sqlite3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 48b78815e9..b8d15038a7 100644 --- a/go.mod +++ b/go.mod @@ -48,7 +48,7 @@ require ( github.com/imkira/go-observer v1.0.3 github.com/jinzhu/gorm v1.9.16 github.com/lib/pq v1.10.7 - github.com/mattn/go-sqlite3 v1.14.15 + github.com/mattn/go-sqlite3 v1.14.16 github.com/mitchellh/cli v1.1.4 github.com/open-policy-agent/opa v0.45.0 github.com/prometheus/client_golang v1.13.0 diff --git a/go.sum b/go.sum index f8c2599339..fe9b86a067 100644 --- a/go.sum +++ b/go.sum 
@@ -840,8 +840,8 @@ github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Ky github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y= github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= github.com/mattn/go-sqlite3 v1.14.0/go.mod h1:JIl7NbARA7phWnGvh0LKTyg7S9BA+6gx71ShQilpsus= -github.com/mattn/go-sqlite3 v1.14.15 h1:vfoHhTN1af61xCRSWzFIWzx2YskyMTwHLrExkBOjvxI= -github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= +github.com/mattn/go-sqlite3 v1.14.16 h1:yOQRA0RpS5PFz/oikGwBEqvAWhWg5ufRz4ETLjwpU1Y= +github.com/mattn/go-sqlite3 v1.14.16/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= From 3cbfb6277d2300d28c01301c83a689818c283a45 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 26 Oct 2022 21:27:17 -0600 Subject: [PATCH 023/257] Bump google.golang.org/api from 0.100.0 to 0.101.0 (#3533) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.100.0 to 0.101.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.100.0...v0.101.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 8 ++++---- go.sum | 12 ++++++++---- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/go.mod b/go.mod index b8d15038a7..318e3a6ebe 100644 --- a/go.mod +++ b/go.mod @@ -62,11 +62,11 @@ require ( github.com/zeebo/errs v1.3.0 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa golang.org/x/net v0.0.0-20221014081412-f15817d10f9b - golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0 + golang.org/x/sync v0.1.0 golang.org/x/sys v0.0.0-20220907062415-87db552b00fd golang.org/x/time v0.1.0 - google.golang.org/api v0.100.0 - google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a + google.golang.org/api v0.101.0 + google.golang.org/genproto v0.0.0-20221018160656-63c7b68cfc55 google.golang.org/grpc v1.50.1 google.golang.org/protobuf v1.28.1 gopkg.in/square/go-jose.v2 v2.6.0 @@ -203,7 +203,7 @@ require ( golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 // indirect golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect - golang.org/x/text v0.3.7 // indirect + golang.org/x/text v0.4.0 // indirect golang.org/x/tools v0.1.12 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect diff --git a/go.sum b/go.sum index fe9b86a067..fff41d18a6 100644 --- a/go.sum +++ b/go.sum 
@@ -1305,8 +1305,9 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0 h1:cu5kTvlzcw1Q5S9f5ip1/cpiB4nXvw1XYzFPGgzLUOY= golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -1421,8 +1422,9 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -1561,8 +1563,9 @@ google.golang.org/api v0.95.0/go.mod h1:eADj+UBuxkh5zlrSntJghuNeg8HwQ1w5lTKkuqaE google.golang.org/api v0.96.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= google.golang.org/api v0.97.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= google.golang.org/api v0.98.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= -google.golang.org/api v0.100.0 h1:LGUYIrbW9pzYQQ8NWXlaIVkgnfubVBZbMFb9P8TK374= google.golang.org/api v0.100.0/go.mod h1:ZE3Z2+ZOr87Rx7dqFsdRQkRBk36kDtp/h+QpHbB7a70= +google.golang.org/api v0.101.0 h1:lJPPeEBIRxGpGLwnBTam1NPEM8Z2BmmXEd3z812pjwM= +google.golang.org/api v0.101.0/go.mod h1:CjxAAWWt3A3VrUE2IGDY2bgK5qhoG/OkyWVlYcP05MY= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -1673,8 +1676,9 @@ google.golang.org/genproto v0.0.0-20220920201722-2b89144ce006/go.mod h1:ht8XFiar google.golang.org/genproto v0.0.0-20220926165614-551eb538f295/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI= google.golang.org/genproto v0.0.0-20220926220553-6981cbe3cfce/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI= google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e/go.mod h1:3526vdqwhZAwq4wsRUaVG555sVgsNmIjRtO7t/JH29U= -google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a h1:GH6UPn3ixhWcKDhpnEC55S75cerLPdpp3hrhfKYjZgw= google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= +google.golang.org/genproto v0.0.0-20221018160656-63c7b68cfc55 h1:U1u4KB2kx6KR/aJDjQ97hZ15wQs8ZPvDcGcRynBhkvg= +google.golang.org/genproto v0.0.0-20221018160656-63c7b68cfc55/go.mod h1:45EK0dUbEZ2NHjCeAd2LXmyjAgGUGrpGROgjhC3ADck= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= From dd9e2e51aa2b3bd1dac0ef699a8a4fcd5cd2e56a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 27 Oct 2022 11:05:53 -0700 Subject: [PATCH 024/257] Bump cloud.google.com/go/security from 1.8.0 to 1.9.0 (#3539) Bumps [cloud.google.com/go/security](https://github.com/googleapis/google-cloud-go) from 1.8.0 to 1.9.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/asset/v1.8.0...asset/v1.9.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/security dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index 318e3a6ebe..699d800ffe 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.19 require ( cloud.google.com/go/secretmanager v1.8.0 - cloud.google.com/go/security v1.8.0 + cloud.google.com/go/security v1.9.0 cloud.google.com/go/storage v1.27.0 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 diff --git a/go.sum b/go.sum index fff41d18a6..9a505f6983 100644 --- a/go.sum +++ b/go.sum @@ -149,8 +149,9 @@ cloud.google.com/go/secretmanager v1.8.0 h1:4wYWL2t10q+xUtFFS0QuWlqwQguMrwC6FDpj cloud.google.com/go/secretmanager v1.8.0/go.mod h1:hnVgi/bN5MYHd3Gt0SPuTPPp5ENina1/LxM+2W9U9J4= cloud.google.com/go/security v1.5.0/go.mod h1:lgxGdyOKKjHL4YG3/YwIL2zLqMFCKs0UbQwgyZmfJl4= cloud.google.com/go/security v1.7.0/go.mod h1:mZklORHl6Bg7CNnnjLH//0UlAlaXqiG7Lb9PsPXLfD0= -cloud.google.com/go/security v1.8.0 h1:linnRc3/gJYDfKbAtNixVQ52+66DpOx5MmCz0NNxal8= cloud.google.com/go/security v1.8.0/go.mod h1:hAQOwgmaHhztFhiQ41CjDODdWP0+AE1B3sX4OFlq+GU= +cloud.google.com/go/security v1.9.0 h1:o9frPOtXW2f4zMlw4SYPE42LRz/hhrYVWtAEUkPvyA4= +cloud.google.com/go/security v1.9.0/go.mod h1:6Ta1bO8LXI89nZnmnsZGp9lVoVWXqsVbIq/t9dzI+2Q= cloud.google.com/go/securitycenter v1.13.0/go.mod h1:cv5qNAqjY84FCN6Y9z28WlkKXyWsgLO832YiWwkCWcU= cloud.google.com/go/securitycenter v1.14.0/go.mod h1:gZLAhtyKv85n52XYWt6RmeBdydyxfPeTrpToDPw4Auc= cloud.google.com/go/servicedirectory v1.4.0/go.mod h1:gH1MUaZCgtP7qQiI+F+A+OpeKF/HQWgtAddhTbhL2bs= From 1e400b13d58f2fddad6efd9373d9d18ae5655869 Mon Sep 17 00:00:00 2001 From: Keegan Witt Date: Thu, 27 Oct 2022 15:15:25 -0400 Subject: [PATCH 025/257] Fix some spelling issues (#3534) 
Signed-off-by: Keegan Witt --- ADOPTERS.md | 2 +- CHANGELOG.md | 12 +- conf/agent/agent_full.conf | 2 +- doc/authorization_policy_engine.md | 6 +- ...lugin_agent_svidstore_gcp_secretmanager.md | 4 +- doc/plugin_agent_workloadattestor_k8s.md | 2 +- doc/plugin_server_datastore_sql.md | 2 +- doc/plugin_server_nodeattestor_azure_msi.md | 6 +- doc/plugin_server_notifier_k8sbundle.md | 2 +- doc/plugin_server_upstreamauthority_vault.md | 60 +++---- doc/spire_server.md | 158 +++++++++--------- .../plugin/workloadattestor/k8s/k8s_posix.go | 2 +- .../spire/spire_server_client.go | 2 +- .../upstreamauthority/spire/spire_test.go | 2 +- support/k8s/k8s-workload-registrar/README.md | 4 +- .../k8s-workload-registrar/mode-crd/README.md | 10 +- .../integration/suites/envoy-sds-v2/README.md | 2 +- .../suites/envoy-sds-v3-spiffe-auth/README.md | 2 +- .../docker-compose.yaml | 2 +- .../integration/suites/envoy-sds-v3/README.md | 2 +- test/integration/suites/upgrade/README.md | 2 +- 21 files changed, 143 insertions(+), 143 deletions(-) diff --git a/ADOPTERS.md b/ADOPTERS.md index 05e192f39e..47fe9cda93 100644 --- a/ADOPTERS.md +++ b/ADOPTERS.md @@ -66,7 +66,7 @@ https://aws.amazon.com/blogs/containers/using-mtls-with-spiffe-spire-in-app-mesh * Anthem writes about developing a zero trust framework at Anthem Using SPIFFE and SPIRE: https://upshotstories.com/stories/developing-a-zero-trust-framework-at-anthem-using-spiffe-and-spire -* ARM and VMware showcase hardware backed security for multitenancy at the Edge with SPIFFE & PARSEC +* ARM and VMware showcase hardware backed security for multi-tenancy at the Edge with SPIFFE & PARSEC https://www.youtube.com/watch?v=-I_rCKMyY7Y * Bloomberg talks about TPM node attestation with SPIRE: diff --git a/CHANGELOG.md b/CHANGELOG.md index c4927f865d..6564ce6c00 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -248,7 +248,7 @@ - The GCP CAS UpstreamAuthority now works with the GA release of GCP CAS (#2569) - Fixed a variety of issues with the scratch image, preparatory to publishing as the official image on GitHub Container Registry (#2582) - Kubernetes Workload Attestor now uses the canonical path for the service account token (#2583) -- The server socketPath is now appropriately overriden via the configuration file (#2570) +- The server socketPath is now appropriately overridden via the configuration file (#2570) - The server now restarts appropriately after undergoing forceful shutdown (#2496) - The server CLI list commands now work reliably for large listings (#2456) @@ -312,7 +312,7 @@ - SPIRE Server CLI now has `count` subcommands for agents, entries, and bundles (#2128) - SPIRE Server can now be configured for SPIFFE federation using the configurables defined by the spec (#2340) - SPIRE Server and Agent now expose the standard gRPC health service (#2057, #2058) -- SPIFFE bundle endpoint URL is now configurable in the `federates_with` configuation block (#2340) +- SPIFFE bundle endpoint URL is now configurable in the `federates_with` configuration block (#2340) - SPIRE Agent may now optionally provided unregistered callers with a bundle for SVID validation via the `allow_unauthenticated_verifiers` configurable (#2102) - SPIRE Server JWT key type is now independently configurable via `jwt_key_type` (#1991) - Registration entries can now be queried/filtered by `federates_with` when calling the entry API (#1967) 
@@ -331,7 +331,7 @@ - SPIRE Server federation configuration in the `federates_with` `bundle_endpoint` block is now deprecated (#2340) - SPIRE Server `gcp_iit` NodeAttestor configurable `projectid_whitelist` is deprecated in favor of `projectid_allow_list` (#2253) - SPIRE Server `k8s_sat` and `k8s_psat` NodeAttestor configurable `service_account_whitelist` is deprecated in favor of `service_account_allow_list` (#2253) -- SPIRE Sever `registration_uds_path`/`-registrationUDSPath` configurable and flag has been deprecateed in favor of `socket_path`/`-socketPath` (#2075) +- SPIRE Server `registration_uds_path`/`-registrationUDSPath` configurable and flag has been deprecated in favor of `socket_path`/`-socketPath` (#2075) ### Removed - SPIRE Server no longer supports SPIFFE IDs with UTF-8 (#2368) @@ -340,7 +340,7 @@ - The `aws_iid` NodeResolver plugin has been removed as it has been obviated (#2191) - The `noop` NodeResolver plugin has been removed (#2189) - The `proto/spire` go module has been removed in favor of the new SDKs (#2161) -- The deprected `enable_sds` configurable has been removed (#2021) +- The deprecated `enable_sds` configurable has been removed (#2021) - The deprecated `experimental bundle` CLI subcommands have been removed (#2062) - SPIRE Server experimental configurables related to federation have been removed (#2062) - SPIRE Server bundle endpoint no longer supports TLS signature schemes utilizing non-SHA256 hashes when ACME is enabled (#2397) 
@@ -561,7 +561,7 @@ - Users can now opt-out of workload executable hashing when enabling the workload path as a selector (#1078) - Added M3 support to telemetry and other telemetry and logging improvements (#1059, #1085, #1086, #1094, #1102, #1122,#1138,#1160,#1186,#1208) - SQL auto-migration can be disabled (#1089) -- SQL schema compatability checks are aligned with upgrade compatability guarantees (#1089) +- SQL schema compatibility checks are aligned with upgrade compatibility guarantees (#1089) - Agent CLI can provide information on attested nodes (#1098) - SPIRE can tolerate small SVID expiration periods (#1115) - Reduced Docker image sizes by roughly 25% (#1140) @@ -641,7 +641,7 @@ - Fix a bug in AWS IID NodeResolver with instance profile lookup (#888) - Improved workload attestation and fixed a security bug related to PID reuse (#886) - New Kubernetes bundle notifier for keeping a bundle configmap up-to-date (#877) -- New plugin type Notifier for programatically taking action on important events (#877) +- New plugin type Notifier for programmatically taking action on important events (#877) - New NodeAttestor based on SSH certificates (#868, #870) - v2 client library for Workload API interaction (#841) - Back-compat bundle management code removed - bundle is now handled correctly (#858, #859) diff --git a/conf/agent/agent_full.conf b/conf/agent/agent_full.conf index daa113389e..2c0dc8455e 100644 --- a/conf/agent/agent_full.conf +++ b/conf/agent/agent_full.conf @@ -319,7 +319,7 @@ plugins { WorkloadAttestor "k8s" { plugin_data { # kubelet_read_only_port: The kubelet read-only port. This is mutually - # exlusive with kubelet_secure_port. + # exclusive with kubelet_secure_port. kubelet_read_only_port = "10255" # kubelet_secure_port: The kubelet secure port. It defaults to 10250 diff --git a/doc/authorization_policy_engine.md b/doc/authorization_policy_engine.md index 9136bfd8a3..92c46ccb94 100644 --- a/doc/authorization_policy_engine.md 
+++ b/doc/authorization_policy_engine.md @@ -1,7 +1,7 @@ # Authorization policy engine -**Warning**: Use of custom authorization policies is experiemental and can -result in security degredation if not configured correctly. Please refer to +**Warning**: Use of custom authorization policies is experimental and can +result in security degradation if not configured correctly. Please refer to [this section](#extending-the-policy) for more details on extending the default policy. @@ -224,7 +224,7 @@ allow = true { } ``` -## Example 1b: Sub-department namespacing with exlcusions +## Example 1b: Sub-department namespacing with exclusions Building on top of the previous example, let's say we want to have sub departments, having schedulers for a subset of paths within the trust domain. diff --git a/doc/plugin_agent_svidstore_gcp_secretmanager.md b/doc/plugin_agent_svidstore_gcp_secretmanager.md index 7fd0c1f406..f7936f333b 100644 --- a/doc/plugin_agent_svidstore_gcp_secretmanager.md +++ b/doc/plugin_agent_svidstore_gcp_secretmanager.md @@ -34,7 +34,7 @@ Please note that this plugin does not require permission to read secret payloads | Configuration | Description | DEFAULT | |----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------| -| service_account_file | (Optional) Path to the service account file used to authenticate with the Google Compute Engine API. By default credentails are retrieved from environment. | Value of `GOOGLE_APPLICATION_CREDENTIALS ` environment variable | +| service_account_file | (Optional) Path to the service account file used to authenticate with the Google Compute Engine API. By default credentials are retrieved from environment. | Value of `GOOGLE_APPLICATION_CREDENTIALS ` environment variable | A sample configuration: 
@@ -61,7 +61,7 @@ bindings: ### Store selectors -Selectors are used on `storable` entries to describre metadata that is needed by `gcp_secretmanager` in order to store secrets in Google Cloud Secret manager. In case that a `required` selector is not provided, the plugin will return an error at execution time. +Selectors are used on `storable` entries to describe metadata that is needed by `gcp_secretmanager` in order to store secrets in Google Cloud Secret manager. In case that a `required` selector is not provided, the plugin will return an error at execution time. | Selector | Example | Required | Description | |------------------------------------|----------------------------------------------------------------------------------|----------|----------------------------------------------------------------------------| diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index 02318fa78b..8ad81b8b8d 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md 
@@ -43,7 +43,7 @@ since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/cre | Configuration | Description | |--------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `disable_container_selectors` | If true, container selectors are not produced. This can be used to produce pod selectors when the workload pod is known but the workload container is not ready at the time of attestation. | -| `kubelet_read_only_port` | The kubelet read-only port. This is mutually exlusive with `kubelet_secure_port`. | +| `kubelet_read_only_port` | The kubelet read-only port. This is mutually exclusive with `kubelet_secure_port`. | | `kubelet_secure_port` | The kubelet secure port. It defaults to `10250` unless `kubelet_read_only_port` is set. | | `kubelet_ca_path` | The path on disk to a file containing CA certificates used to verify the kubelet certificate. Required unless `skip_kubelet_verification` is set. Defaults to the cluster CA bundle `/run/secrets/kubernetes.io/serviceaccount/ca.crt`. | | `skip_kubelet_verification` | If true, kubelet certificate verification is skipped | diff --git a/doc/plugin_server_datastore_sql.md b/doc/plugin_server_datastore_sql.md index ba821b918a..46dd007036 100644 --- a/doc/plugin_server_datastore_sql.md +++ b/doc/plugin_server_datastore_sql.md 
@@ -135,4 +135,4 @@ Read Only connection will be used when the optional `ro_connection_string` is se ## SQLite and CGO -SQLite support requires the use of CGO. This is not a concern for users downloading SPIRE or using the offical SPIRE container images. However, if you are building SPIRE from the source code, please note that compiling SPIRE without CGO (e.g. `CGO_ENABLED=0`) will disable SQLite support. +SQLite support requires the use of CGO. This is not a concern for users downloading SPIRE or using the official SPIRE container images. However, if you are building SPIRE from the source code, please note that compiling SPIRE without CGO (e.g. `CGO_ENABLED=0`) will disable SQLite support. diff --git a/doc/plugin_server_nodeattestor_azure_msi.md b/doc/plugin_server_nodeattestor_azure_msi.md index 6a98574922..969887be38 100644 --- a/doc/plugin_server_nodeattestor_azure_msi.md +++ b/doc/plugin_server_nodeattestor_azure_msi.md @@ -48,7 +48,7 @@ Each tenant can be configured to either authenticate with an MSI token (`subscription_id`, `app_id`, and `app_secret`). The SPIRE Server must reside in the same tenant when authenticating with an MSI token. -For backwards compatability reasons the authentication configuration is *NOT* +For backwards compatibility reasons the authentication configuration is *NOT* required, however, it will be in a future release. ### Sample Configurations @@ -70,7 +70,7 @@ required, however, it will be in a future release. } ``` -#### Custom Reseource ID and MSI Authentication +#### Custom Resource ID and MSI Authentication ``` NodeAttestor "azure_msi" { 
@@ -95,7 +95,7 @@ The plugin produces the following selectors. | Virtual Machine Name | `vm-name:frontend:blog` | The name of the virtual machine (e.g. `blog`) qualified by the resource group (e.g. `frontend`) | | Network Security Group | `network-security-group:frontend:webservers` | The name of the network security group (e.g. `webservers`) qualified by the resource group (e.g. `frontend`) | | Virtual Network | `virtual-network:frontend:vnet` | The name of the virtual network (e.g. `vnet`) qualified by the resource group (e.g. `frontend`) | -| Virtual Network Subnet | `virtual-network:frontend:vnet:default` | The name of the virtual network subnet (e.g. `default`) qualfied by the virtual network and resource group | +| Virtual Network Subnet | `virtual-network:frontend:vnet:default` | The name of the virtual network subnet (e.g. `default`) qualified by the virtual network and resource group | All of the selectors have the type `azure_msi`. diff --git a/doc/plugin_server_notifier_k8sbundle.md b/doc/plugin_server_notifier_k8sbundle.md index 265a3314cc..5495a9da5c 100644 --- a/doc/plugin_server_notifier_k8sbundle.md +++ b/doc/plugin_server_notifier_k8sbundle.md @@ -136,7 +136,7 @@ server to } ``` -### Multipe clusters +### Multiple clusters ``` Notifier "k8sbundle" { diff --git a/doc/plugin_server_upstreamauthority_vault.md b/doc/plugin_server_upstreamauthority_vault.md index e06514de73..74d82f5bb5 100644 --- a/doc/plugin_server_upstreamauthority_vault.md +++ b/doc/plugin_server_upstreamauthority_vault.md 
@@ -7,17 +7,17 @@ The plugin does not support the `PublishJWTKey` RPC and is therefore not appropr The plugin accepts the following configuration options: -| key | type | required | description | default | -|:----|:-----|:---------|:------------|:--------| -| vault_addr | string | | The URL of the Vault server. (e.g., https://vault.example.com:8443/) | `${VAULT_ADDR}` | -| namespace | string | | Name of the Vault namespace. This is only available in the Vault Enterprise. | `${VAULT_NAMESPACE}` | -| pki_mount_point | string | | Name of the mount point where PKI secret engine is mounted | pki | -| ca_cert_path | string | | Path to a CA certificate file used to verify the Vault server certificate. Only PEM format is supported. | `${VAULT_CACERT}` | -| insecure_skip_verify | bool | | If true, vault client accepts any server certificates | false | -| cert_auth | struct | | Configuration for the Client Certificate authentication method | | -| token_auth | struct | | Configuration for the Token authentication method | | -| approle_auth | struct | | Configuration for the AppRole authentication method | | -| k8s_auth | struct | | Configuration for the Kubernetes authentication method | | +| key | type | required | description | default | +|:---------------------|:-------|:---------|:---------------------------------------------------------------------------------------------------------|:---------------------| +| vault_addr | string | | The URL of the Vault server. (e.g., https://vault.example.com:8443/) | `${VAULT_ADDR}` | +| namespace | string | | Name of the Vault namespace. This is only available in the Vault Enterprise. | `${VAULT_NAMESPACE}` | +| pki_mount_point | string | | Name of the mount point where PKI secret engine is mounted | pki | +| ca_cert_path | string | | Path to a CA certificate file used to verify the Vault server certificate. Only PEM format is supported. 
| `${VAULT_CACERT}` | +| insecure_skip_verify | bool | | If true, vault client accepts any server certificates | false | +| cert_auth | struct | | Configuration for the Client Certificate authentication method | | +| token_auth | struct | | Configuration for the Token authentication method | | +| approle_auth | struct | | Configuration for the AppRole authentication method | | +| k8s_auth | struct | | Configuration for the Kubernetes authentication method | | The plugin supports **Client Certificate**, **Token** and **AppRole** authentication methods. 
@@ -43,12 +43,12 @@ path "pki/root/sign-intermediate" { ## Client Certificate Authentication -| key | type | required | description | default | -|:----|:-----|:---------|:------------|:--------| -| cert_auth_mount_point | string | | Name of the mount point where TLS certificate auth method is mounted | cert | -| cert_auth_role_name | string | | Name of the Vault role. If given, the plugin authenticates against only the named role. Default to trying all roles. | | -| client_cert_path | string | | Path to a client certificate file. Only PEM format is supported. | `${VAULT_CLIENT_CERT}` | -| client_key_path | string | | Path to a client private key file. Only PEM format is supported. | `${VAULT_CLIENT_KEY}` | +| key | type | required | description | default | +|:----------------------|:-------|:---------|:---------------------------------------------------------------------------------------------------------------------|:-----------------------| +| cert_auth_mount_point | string | | Name of the mount point where TLS certificate auth method is mounted | cert | +| cert_auth_role_name | string | | Name of the Vault role. If given, the plugin authenticates against only the named role. Default to trying all roles. | | +| client_cert_path | string | | Path to a client certificate file. Only PEM format is supported. | `${VAULT_CLIENT_CERT}` | +| client_key_path | string | | Path to a client private key file. Only PEM format is supported. | `${VAULT_CLIENT_KEY}` | ```hcl UpstreamAuthority "vault" { 
@@ -81,9 +81,9 @@ path "pki/root/sign-intermediate" { ``` ## Token Authentication -| key | type | required | description | default | -|:----|:-----|:---------|:------------|:--------| -| token | string | | Token string to set into "X-Vault-Token" header | `${VAULT_TOKEN}` | +| key | type | required | description | default | +|:------|:-------|:---------|:------------------------------------------------|:-----------------| +| token | string | | Token string to set into "X-Vault-Token" header | `${VAULT_TOKEN}` | ```hcl @@ -102,11 +102,11 @@ path "pki/root/sign-intermediate" { ``` ## AppRole Authentication -| key | type | required | description | default | -|:----|:-----|:---------|:------------|:--------| -| approle_auth_mount_point | string | | Name of the mount point where the AppRole auth method is mounted | approle | -| approle_id |string | | An identifier of AppRole | `${VAULT_APPROLE_ID}` | -| approle_secret_id | string | | A credential of AppRole | `${VAULT_APPROLE_SECRET_ID}` | +| key | type | required | description | default | +|:-------------------------|:-------|:---------|:-----------------------------------------------------------------|:-----------------------------| +| approle_auth_mount_point | string | | Name of the mount point where the AppRole auth method is mounted | approle | +| approle_id | string | | An identifier of AppRole | `${VAULT_APPROLE_ID}` | +| approle_secret_id | string | | A credential of AppRole | `${VAULT_APPROLE_SECRET_ID}` | ```hcl UpstreamAuthority "vault" { 
@@ -132,11 +132,11 @@ path "pki/root/sign-intermediate" { ## Kubernetes Authentication -| key | type | required | description | default | -|:----|:-----|:---------|:------------|:--------| -| k8s_auth_mount_point | string | | Name of the mount point where the Kubernetes auth method is mounted | kubernetes | -| k8s_auth_role_name | string |✔| Name of the Vault role. The plugin authenticates against the named role | | -| token_path | string |✔| Path to the Kubernetes Service Account Token to use authentication with the Vault | | +| key | type | required | description | default | +|:---------------------|:-------|:---------|:----------------------------------------------------------------------------------|:-----------| +| k8s_auth_mount_point | string | | Name of the mount point where the Kubernetes auth method is mounted | kubernetes | +| k8s_auth_role_name | string | ✔ | Name of the Vault role. The plugin authenticates against the named role | | +| token_path | string | ✔ | Path to the Kubernetes Service Account Token to use authentication with the Vault | | ```hcl UpstreamAuthority "vault" { diff --git a/doc/spire_server.md b/doc/spire_server.md index db94100711..192d65a03a 100644 --- a/doc/spire_server.md +++ b/doc/spire_server.md 
@@ -4,13 +4,13 @@ This document is a configuration reference for SPIRE Server. It includes informa ## Plugin types -| Type | Description | -|:---------------|:------------| -| DataStore | Provides persistent storage and HA features. **Note:** Pluggability for the DataStore is no longer supported. Only the built-in SQL plugin can be used. | -| KeyManager | Implements both signing and key storage logic for the server's signing operations. Useful for leveraging hardware-based key operations. | -| NodeAttestor | Implements validation logic for nodes attempting to assert their identity. Generally paired with an agent plugin of the same type. | -| UpstreamAuthority | Allows SPIRE server to integrate with existing PKI systems. | -| Notifier | Notified by SPIRE server for certain events that are happening or have happened. For events that are happening, the notifier can advise SPIRE server on the outcome. | +| Type | Description | +|:------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| DataStore | Provides persistent storage and HA features. **Note:** Pluggability for the DataStore is no longer supported. Only the built-in SQL plugin can be used. | +| KeyManager | Implements both signing and key storage logic for the server's signing operations. Useful for leveraging hardware-based key operations. | +| NodeAttestor | Implements validation logic for nodes attempting to assert their identity. Generally paired with an agent plugin of the same type. | +| UpstreamAuthority | Allows SPIRE server to integrate with existing PKI systems. | +| Notifier | Notified by SPIRE server for certain events that are happening or have happened. For events that are happening, the notifier can advise SPIRE server on the outcome. | ## Built-in plugins 
@@ -48,35 +48,35 @@ SPIRE configuration files may be represented in either HCL or JSON. Please see t If the -expandEnv flag is passed to SPIRE, `$VARIABLE` or `${VARIABLE}` style environment variables are expanded before parsing. This may be useful for templating configuration files, for example across different trust domains, or for inserting secrets like database connection passwords. -| Configuration | Description | Default | -|:--------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------| -| `admin_ids` | SPIFFE IDs that, when present in a caller's X509-SVID, grant that caller admin privileges. The admin IDs must reside in the same trust domain as the server and need not have a corresponding admin registration entry with the server. | | -| `agent_ttl` | The TTL to use for agent SVIDs | The value of `default_svid_ttl` | -| `audit_log_enabled` | If true, enables audit logging | false | -| `bind_address` | IP address or DNS name of the SPIRE server | 0.0.0.0 | -| `bind_port` | HTTP Port number of the SPIRE server | 8081 | -| `ca_key_type` | The key type used for the server CA (both X509 and JWT), <rsa-2048|rsa-4096|ec-p256|ec-p384> | ec-p256 (the JWT key type can be overridden by `jwt_key_type`) | -| `ca_subject` | The Subject that CA certificates should use (see below) | | -| `ca_ttl` | The default CA/signing key TTL | 24h | -| `data_dir` | A directory the server can use for its runtime | | -| `default_svid_ttl` | The default SVID TTL. This field is deprecated in favor of default_x509_svid_ttl and default_jwt_svid_ttl and will be removed in a future version. 
| 1h | -| `default_x509_svid_ttl` | The default X509-SVID TTL (overrides `default_svid_ttl` if set) | 1h | -| `default_jwt_svid_ttl` | The default JWT-SVID TTL (overrides `default_svid_ttl` if set) | 5m | -| `experimental` | The experimental options that are subject to change or removal (see below) | | -| `federation` | Bundle endpoints configuration section used for [federation](#federation-configuration) | | -| `jwt_key_type` | The key type used for the server CA (JWT), <rsa-2048|rsa-4096|ec-p256|ec-p384> | The value of `ca_key_type` or ec-p256 if not defined | -| `jwt_issuer` | The issuer claim used when minting JWT-SVIDs | | -| `log_file` | File to write logs to | | -| `log_level` | Sets the logging level <DEBUG|INFO|WARN|ERROR> | INFO | -| `log_format` | Format of logs, <text|json> | text | -| `omit_x509svid_uid` | If true, the subject on X509-SVIDs will not contain the unique ID attribute (deprecated) | false | -| `profiling_enabled` | If true, enables a [net/http/pprof](https://pkg.go.dev/net/http/pprof) endpoint | false | -| `profiling_freq` | Frequency of dumping profiling data to disk. Only enabled when `profiling_enabled` is `true` and `profiling_freq` > 0. | | -| `profiling_names` | List of profile names that will be dumped to disk on each profiling tick, see [Profiling Names](#profiling-names) | | -| `profiling_port` | Port number of the [net/http/pprof](https://pkg.go.dev/net/http/pprof) endpoint. Only used when `profiling_enabled` is `true`. 
| | -| `ratelimit` | Rate limiting configurations, usually used when the server is behind a load balancer (see below) | | -| `socket_path` | Path to bind the SPIRE Server API socket to (Unix only) | /tmp/spire-server/private/api.sock | -| `trust_domain` | The trust domain that this server belongs to (should be no more than 255 characters) | | +| Configuration | Description | Default | +|:------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------| +| `admin_ids` | SPIFFE IDs that, when present in a caller's X509-SVID, grant that caller admin privileges. The admin IDs must reside in the same trust domain as the server and need not have a corresponding admin registration entry with the server. | | +| `agent_ttl` | The TTL to use for agent SVIDs | The value of `default_svid_ttl` | +| `audit_log_enabled` | If true, enables audit logging | false | +| `bind_address` | IP address or DNS name of the SPIRE server | 0.0.0.0 | +| `bind_port` | HTTP Port number of the SPIRE server | 8081 | +| `ca_key_type` | The key type used for the server CA (both X509 and JWT), <rsa-2048|rsa-4096|ec-p256|ec-p384> | ec-p256 (the JWT key type can be overridden by `jwt_key_type`) | +| `ca_subject` | The Subject that CA certificates should use (see below) | | +| `ca_ttl` | The default CA/signing key TTL | 24h | +| `data_dir` | A directory the server can use for its runtime | | +| `default_svid_ttl` | The default SVID TTL. This field is deprecated in favor of default_x509_svid_ttl and default_jwt_svid_ttl and will be removed in a future version. 
| 1h | +| `default_x509_svid_ttl` | The default X509-SVID TTL (overrides `default_svid_ttl` if set) | 1h | +| `default_jwt_svid_ttl` | The default JWT-SVID TTL (overrides `default_svid_ttl` if set) | 5m | +| `experimental` | The experimental options that are subject to change or removal (see below) | | +| `federation` | Bundle endpoints configuration section used for [federation](#federation-configuration) | | +| `jwt_key_type` | The key type used for the server CA (JWT), <rsa-2048|rsa-4096|ec-p256|ec-p384> | The value of `ca_key_type` or ec-p256 if not defined | +| `jwt_issuer` | The issuer claim used when minting JWT-SVIDs | | +| `log_file` | File to write logs to | | +| `log_level` | Sets the logging level <DEBUG|INFO|WARN|ERROR> | INFO | +| `log_format` | Format of logs, <text|json> | text | +| `omit_x509svid_uid` | If true, the subject on X509-SVIDs will not contain the unique ID attribute (deprecated) | false | +| `profiling_enabled` | If true, enables a [net/http/pprof](https://pkg.go.dev/net/http/pprof) endpoint | false | +| `profiling_freq` | Frequency of dumping profiling data to disk. Only enabled when `profiling_enabled` is `true` and `profiling_freq` > 0. | | +| `profiling_names` | List of profile names that will be dumped to disk on each profiling tick, see [Profiling Names](#profiling-names) | | +| `profiling_port` | Port number of the [net/http/pprof](https://pkg.go.dev/net/http/pprof) endpoint. Only used when `profiling_enabled` is `true`. | | +| `ratelimit` | Rate limiting configurations, usually used when the server is behind a load balancer (see below) | | +| `socket_path` | Path to bind the SPIRE Server API socket to (Unix only) | /tmp/spire-server/private/api.sock | +| `trust_domain` | The trust domain that this server belongs to (should be no more than 255 characters) | | | ca_subject | Description | Default | |:----------------------------|--------------------------------|----------------| 
@@ -146,7 +146,7 @@ SPIRE Server can be configured to federate with others SPIRE Servers living in d _Note: static relationships override dynamic relationships. If you need to configure dynamic relationships, see the [`federation`](#spire-server-federation-create) command. Static relationships are not reflected in the `federation` command._ -Configuring a federated trust domain allows a trust domain to authenticate identities issued by other SPIFFE authorities, allowing workloads in one trust domain to securely autenticate workloads in a foreign trust domain. +Configuring a federated trust domain allows a trust domain to authenticate identities issued by other SPIFFE authorities, allowing workloads in one trust domain to securely authenticate workloads in a foreign trust domain. A key element to achieve federation is the use of SPIFFE bundle endpoints, these are resources (represented by URLs) that serve a copy of a trust bundle for a trust domain. Using the `federation` section you will be able to set up SPIRE as a SPIFFE bundle endpoint server and also configure the federated trust domains that this SPIRE Server will fetch bundles from. ```hcl 
@@ -267,19 +267,19 @@ human-readable registration entry name in addition to the token-based ID. Creates registration entries. -| Command | Action | Default | -|:-----------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-------------------------------------------| -| `-admin` | If set, the SPIFFE ID in this entry will be granted access to the Server APIs | | -| `-data` | Path to a file containing registration data in JSON format (optional, if specified, other flags related with entry information must be omitted). If set to '-', read the JSON from stdin. | | -| `-dns` | A DNS name that will be included in SVIDs issued based on this entry, where appropriate. Can be used more than once | | -| `-downstream` | A boolean value that, when set, indicates that the entry describes a downstream SPIRE server | | -| `-entryExpiry` | An expiry, from epoch in seconds, for the resulting registration entry to be pruned from the datastore. Please note that this is a data management feature and not a security feature (optional). | | -| `-federatesWith` | A list of trust domain SPIFFE IDs representing the trust domains this registration entry federates with. A bundle for that trust domain must already exist | | -| `-node` | If set, this entry will be applied to matching nodes rather than workloads | | -| `-parentID` | The SPIFFE ID of this record's parent. | | -| `-selector` | A colon-delimited type:value selector used for attestation. This parameter can be used more than once, to specify multiple selectors that must be satisfied. | | -| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | -| `-spiffeID` | The SPIFFE ID that this record represents and will be set to the SVID issued. 
| | +| Command | Action | Default | +|:-----------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------| +| `-admin` | If set, the SPIFFE ID in this entry will be granted access to the Server APIs | | +| `-data` | Path to a file containing registration data in JSON format (optional, if specified, other flags related with entry information must be omitted). If set to '-', read the JSON from stdin. | | +| `-dns` | A DNS name that will be included in SVIDs issued based on this entry, where appropriate. Can be used more than once | | +| `-downstream` | A boolean value that, when set, indicates that the entry describes a downstream SPIRE server | | +| `-entryExpiry` | An expiry, from epoch in seconds, for the resulting registration entry to be pruned from the datastore. Please note that this is a data management feature and not a security feature (optional). | | +| `-federatesWith` | A list of trust domain SPIFFE IDs representing the trust domains this registration entry federates with. A bundle for that trust domain must already exist | | +| `-node` | If set, this entry will be applied to matching nodes rather than workloads | | +| `-parentID` | The SPIFFE ID of this record's parent. | | +| `-selector` | A colon-delimited type:value selector used for attestation. This parameter can be used more than once, to specify multiple selectors that must be satisfied. | | +| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | +| `-spiffeID` | The SPIFFE ID that this record represents and will be set to the SVID issued. | | | `-ttl` | A TTL, in seconds, for any SVID issued as a result of this record. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version. 
| The TTL configured with `default_svid_ttl` | | `-x509SVIDTTL` | A TTL, in seconds, for any X509-SVID issued as a result of this record. Overrides `-ttl` value. | The TTL configured with `default_x509_svid_ttl` | | `-jwtSVIDTTL` | A TTL, in seconds, for any JWT-SVID issued as a result of this record. Overrides `-ttl` value. | The TTL configured with `default_jwt_svid_ttl` | 
@@ -289,20 +289,20 @@ Creates registration entries. Updates registration entries. -| Command | Action | Default | -|:-----------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-------------------------------------------| -| `-admin` | If true, the SPIFFE ID in this entry will be granted access to the Server APIs | | -| `-data` | Path to a file containing registration data in JSON format (optional, if specified, other flags related with entry information must be omitted). If set to '-', read the JSON from stdin. | | -| `-dns` | A DNS name that will be included in SVIDs issued based on this entry, where appropriate. Can be used more than once | | -| `-downstream` | A boolean value that, when set, indicates that the entry describes a downstream SPIRE server | | -| `-entryExpiry` | An expiry, from epoch in seconds, for the resulting registration entry to be pruned | | -| `-entryID` | The Registration Entry ID of the record to update | | -| `-federatesWith` | A list of trust domain SPIFFE IDs representing the trust domains this registration entry federates with. A bundle for that trust domain must already exist | | -| `-parentID` | The SPIFFE ID of this record's parent. | | -| `-selector` | A colon-delimited type:value selector used for attestation. This parameter can be used more than once, to specify multiple selectors that must be satisfied. | | -| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | -| `-spiffeID` | The SPIFFE ID that this record represents and will be set to the SVID issued. | | -| `-ttl` | A TTL, in seconds, for any SVID issued as a result of this record. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version. 
| The TTL configured with `default_svid_ttl` | +| Command | Action | Default | +|:-----------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------| +| `-admin` | If true, the SPIFFE ID in this entry will be granted access to the Server APIs | | +| `-data` | Path to a file containing registration data in JSON format (optional, if specified, other flags related with entry information must be omitted). If set to '-', read the JSON from stdin. | | +| `-dns` | A DNS name that will be included in SVIDs issued based on this entry, where appropriate. Can be used more than once | | +| `-downstream` | A boolean value that, when set, indicates that the entry describes a downstream SPIRE server | | +| `-entryExpiry` | An expiry, from epoch in seconds, for the resulting registration entry to be pruned | | +| `-entryID` | The Registration Entry ID of the record to update | | +| `-federatesWith` | A list of trust domain SPIFFE IDs representing the trust domains this registration entry federates with. A bundle for that trust domain must already exist | | +| `-parentID` | The SPIFFE ID of this record's parent. | | +| `-selector` | A colon-delimited type:value selector used for attestation. This parameter can be used more than once, to specify multiple selectors that must be satisfied. | | +| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | +| `-spiffeID` | The SPIFFE ID that this record represents and will be set to the SVID issued. | | +| `-ttl` | A TTL, in seconds, for any SVID issued as a result of this record. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version. | The TTL configured with `default_svid_ttl` | | `-x509SVIDTTL` | A TTL, in seconds, for any X509-SVID issued as a result of this record. 
Overrides `-ttl` value. | The TTL configured with `default_x509_svid_ttl` | | `-jwtSVIDTTL` | A TTL, in seconds, for any JWT-SVID issued as a result of this record. Overrides `-ttl` value. | The TTL configured with `default_jwt_svid_ttl` | | `storeSVID` | A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin | @@ -334,7 +334,7 @@ Displays configured registration entries. | `-entryID` | The Entry ID of the record to show. | | | `-federatesWith` | SPIFFE ID of a trust domain an entry is federate with. Can be used more than once | | | `-parentID` | The Parent ID of the records to show. | | -| `-selector` | A colon-delimeted type:value selector. Can be used more than once to specify multiple selectors. | | +| `-selector` | A colon-delimited type:value selector. Can be used more than once to specify multiple selectors. | | | `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | | `-spiffeID` | The SPIFFE ID of the records to show. | | 
@@ -519,25 +519,25 @@ Typically, you may want at least: Mints an X509-SVID. -| Command | Action | Default | -|:--------------|:-------------------------------------------------------------------|:---------------| -| `-dns` | A DNS name that will be included in SVID. Can be used more than once | | -| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | -| `-spiffeID` | The SPIFFE ID of the X509-SVID | | -| `-ttl` | The TTL of the X509-SVID | First non-zero value from `Entry.x509_svid_ttl`, `Entry.ttl`, `default_x509_svid_ttl`, `default_svid_ttl`, `1h` | -| `-write` | Directory to write output to instead of stdout | | +| Command | Action | Default | +|:--------------|:---------------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------| +| `-dns` | A DNS name that will be included in SVID. Can be used more than once | | +| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | +| `-spiffeID` | The SPIFFE ID of the X509-SVID | | +| `-ttl` | The TTL of the X509-SVID | First non-zero value from `Entry.x509_svid_ttl`, `Entry.ttl`, `default_x509_svid_ttl`, `default_svid_ttl`, `1h` | +| `-write` | Directory to write output to instead of stdout | | ### `spire-server jwt mint` Mints a JWT-SVID. -| Command | Action | Default | -|:--------------|:-------------------------------------------------------------------|:---------------| -| `-audience` | Audience claim that will be included in the SVID. 
Can be used more than once | | -| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | -| `-spiffeID` | The SPIFFE ID of the JWT-SVID | | -| `-ttl` | The TTL of the JWT-SVID | First non-zero value from `Entry.jwt_svid_ttl`, `Entry.ttl`, `default_jwt_svid_ttl`, `5m` | -| `-write` | File to write token to instead of stdout | | +| Command | Action | Default | +|:--------------|:-----------------------------------------------------------------------------|:------------------------------------------------------------------------------------------| +| `-audience` | Audience claim that will be included in the SVID. Can be used more than once | | +| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | +| `-spiffeID` | The SPIFFE ID of the JWT-SVID | | +| `-ttl` | The TTL of the JWT-SVID | First non-zero value from `Entry.jwt_svid_ttl`, `Entry.ttl`, `default_jwt_svid_ttl`, `5m` | +| `-write` | File to write token to instead of stdout | | ## JSON object for `-data` diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index a81555e8ba..6a59068c78 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go @@ -70,7 +70,7 @@ func getPodUIDAndContainerIDFromCGroups(cgroups []cgroups.Cgroup) (types.UID, st return podUID, containerID, nil } -// regexes listed here have to exlusively match a cgroup path +// regexes listed here have to exclusively match a cgroup path // the regexes must include two named groups "poduid" and "containerid" // if the regex needs to exclude certain substrings, the "mustnotmatch" group can be used var cgroupREs = []*regexp.Regexp{ diff --git a/pkg/server/plugin/upstreamauthority/spire/spire_server_client.go b/pkg/server/plugin/upstreamauthority/spire/spire_server_client.go index 8fe65e9656..1217cd1c8c 100644 
--- a/pkg/server/plugin/upstreamauthority/spire/spire_server_client.go +++ b/pkg/server/plugin/upstreamauthority/spire/spire_server_client.go @@ -23,7 +23,7 @@ import ( "google.golang.org/grpc/status" ) -// newServerClient creates a new spire-sever client +// newServerClient creates a new spire-server client func newServerClient(serverID spiffeid.ID, serverAddr string, workloadAPIAddr net.Addr, log hclog.Logger) *serverClient { return &serverClient{ serverID: serverID, diff --git a/pkg/server/plugin/upstreamauthority/spire/spire_test.go b/pkg/server/plugin/upstreamauthority/spire/spire_test.go index 9a92fdce12..99ad2425f3 100644 --- a/pkg/server/plugin/upstreamauthority/spire/spire_test.go +++ b/pkg/server/plugin/upstreamauthority/spire/spire_test.go @@ -130,7 +130,7 @@ func TestMintX509CA(t *testing.T) { svidCert, svidKey, err := s.MarshalRaw() require.NoError(t, err) - // Create sever's CA + // Create server's CA serverCert, serverKey := ca.CreateX509Certificate( testca.WithID(spiffeid.RequireFromPath(trustDomain, "/spire/server")), ) diff --git a/support/k8s/k8s-workload-registrar/README.md b/support/k8s/k8s-workload-registrar/README.md index 3da0ba3a53..7bae104a64 100644 --- a/support/k8s/k8s-workload-registrar/README.md +++ b/support/k8s/k8s-workload-registrar/README.md 
@@ -34,7 +34,7 @@ The configuration file is a **required** by the registrar. It contains | `pod_label` | string | optional | The pod label used for [Label Based Workload Registration](#label-based-workload-registration) | | | `pod_annotation` | string | optional | The pod annotation used for [Annotation Based Workload Registration](#annotation-based-workload-registration) | | | `mode` | string | required | How to run the registrar, either `"reconcile"` or `"crd"`. See [Differences](#differences-between-modes) for more details. | | -| `disabled_namespaces` | []string | optional | Comma seperated list of namespaces to disable auto SVID generation for | `"kube-system", "kube-public"` | +| `disabled_namespaces` | []string | optional | Comma separated list of namespaces to disable auto SVID generation for | `"kube-system", "kube-public"` | The following configuration directives are specific to `"reconcile"` mode: @@ -79,7 +79,7 @@ It may take several seconds for newly created SVIDs to become available to workl ### Federated Entry Registration -The pod annotatation `spiffe.io/federatesWith` can be used to create SPIFFE ID's that federate with other trust domains. +The pod annotation `spiffe.io/federatesWith` can be used to create SPIFFE ID's that federate with other trust domains. To specify multiple trust domains, separate them with commas. diff --git a/support/k8s/k8s-workload-registrar/mode-crd/README.md b/support/k8s/k8s-workload-registrar/mode-crd/README.md index 5c4f001386..da6fdddfcc 100644 --- a/support/k8s/k8s-workload-registrar/mode-crd/README.md +++ b/support/k8s/k8s-workload-registrar/mode-crd/README.md 
@@ -7,11 +7,11 @@ This enables auto and manual generation of SPIFFE IDs from with Kubernetes and t ## Benefits of CRD Kubernetes Workload Registrar -There are mutiple modes of the Kubernetes Workload Registrar. The benefits of the CRD mode when compared to other modes are: +There are multiple modes of the Kubernetes Workload Registrar. The benefits of the CRD mode when compared to other modes are: -* **`kubectl` integration**: Using a CRD, SPIRE is fully intergrated with Kubernetes. You can view and create SPIFFE IDs directly using `kubectl`, without having to shell into the SPIRE server. -* **Fully event-driven design**: Using the Kubernetes CRD system, the CRD mode Kubernetes Workload Registrar is fully event-driven to minimze resource usage. -* **Standards-based solution**: CRDs are the standard way to extend Kubernetes, with many resources online, such as [kubebuilder](https://book.kubebuilder.io/), discussing the approach. The CRD Kubernetes Worklaod Registrar follows all standards and best practices to ensure it is maintainable. +* **`kubectl` integration**: Using a CRD, SPIRE is fully integrated with Kubernetes. You can view and create SPIFFE IDs directly using `kubectl`, without having to shell into the SPIRE server. +* **Fully event-driven design**: Using the Kubernetes CRD system, the CRD mode Kubernetes Workload Registrar is fully event-driven to minimize resource usage. +* **Standards-based solution**: CRDs are the standard way to extend Kubernetes, with many resources online, such as [kubebuilder](https://book.kubebuilder.io/), discussing the approach. The CRD Kubernetes Workload Registrar follows all standards and best practices to ensure it is maintainable. ## Configuration 
@@ -51,7 +51,7 @@ The configuration file is a **required** by the registrar. It contains | `server_address` | string | required | Address of the spire server. A local socket can be specified using unix:///path/to/socket. This is not the same as the agent socket. | | | `server_socket_path` | string | optional | Path to the Unix domain socket of the SPIRE server, equivalent to specifying a server_address with a "unix://..." prefix | | | `trust_domain` | string | required | Trust domain of the SPIRE server | | -| `webhook_enabled` | bool | optional | Enable a validating webhook to ensure CRDs are properly fomatted and there are no duplicates. | `false` | +| `webhook_enabled` | bool | optional | Enable a validating webhook to ensure CRDs are properly formatted and there are no duplicates. | `false` | | `webhook_port` | int | optional | The port to use for the validating webhook. | `9443` | | `webhook_service_name` | string | optional | The name of the Kubernetes Service being used for the webhook. | `"k8s-workload-registrar"` | diff --git a/test/integration/suites/envoy-sds-v2/README.md b/test/integration/suites/envoy-sds-v2/README.md index 9fe81f1f32..5218bc6ed2 100644 --- a/test/integration/suites/envoy-sds-v2/README.md +++ b/test/integration/suites/envoy-sds-v2/README.md @@ -4,7 +4,7 @@ Exercises [Envoy](https://www.envoyproxy.io/) [SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret) -compatability within SPIRE by wiring up two workloads that achieve connectivity +compatibility within SPIRE by wiring up two workloads that achieve connectivity using Envoy backed with identities and trust information retrieved from the SPIRE agent SDS implementation. diff --git a/test/integration/suites/envoy-sds-v3-spiffe-auth/README.md b/test/integration/suites/envoy-sds-v3-spiffe-auth/README.md index 3c9f590d14..edc2daeccc 100644 --- a/test/integration/suites/envoy-sds-v3-spiffe-auth/README.md 
+++ b/test/integration/suites/envoy-sds-v3-spiffe-auth/README.md @@ -4,7 +4,7 @@ Exercises [Envoy](https://www.envoyproxy.io/) [SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret) -compatability within SPIRE by wiring up two workloads that achieve connectivity +compatibility within SPIRE by wiring up two workloads that achieve connectivity using Envoy backed with identities and trust information retrieved from the SPIRE agent SDS implementation. Using [SPIFFE Validator](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto) for certificates handshake. diff --git a/test/integration/suites/envoy-sds-v3-spiffe-auth/docker-compose.yaml b/test/integration/suites/envoy-sds-v3-spiffe-auth/docker-compose.yaml index 20a029ecc3..61fa1b752c 100644 --- a/test/integration/suites/envoy-sds-v3-spiffe-auth/docker-compose.yaml +++ b/test/integration/suites/envoy-sds-v3-spiffe-auth/docker-compose.yaml @@ -2,7 +2,7 @@ version: '3' services: upstream-spire-server: image: spire-server:latest-local - hostname: upstream-spire-sever + hostname: upstream-spire-server volumes: - ./conf/upstream/server:/opt/spire/conf/server command: ["-config", "/opt/spire/conf/server/server.conf"] diff --git a/test/integration/suites/envoy-sds-v3/README.md b/test/integration/suites/envoy-sds-v3/README.md index ecb5c8053b..0b4e883a25 100644 --- a/test/integration/suites/envoy-sds-v3/README.md +++ b/test/integration/suites/envoy-sds-v3/README.md @@ -4,7 +4,7 @@ Exercises [Envoy](https://www.envoyproxy.io/) [SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret) -compatability within SPIRE by wiring up two workloads that achieve connectivity +compatibility within SPIRE by wiring up two workloads that achieve connectivity using Envoy backed with identities and trust information retrieved from the SPIRE agent SDS implementation. 
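Review bot: Any file in this suite that still uses the old spelling `upstream-spire-sever` would no longer match the container once the `hostname:` line under `upstream-spire-server` is corrected, and this patch touches no other file in the suite besides its README. Peers that reach the container by its Compose service name are presumably unaffected. A `server_address`, an expected DNS name in a certificate check, or a test script that names the old hostname would need the same correction. Running `grep -rn "upstream-spire-sever" test/integration/suites/envoy-sds-v3-spiffe-auth/` before merging would confirm that nothing is left behind.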
diff --git a/test/integration/suites/upgrade/README.md b/test/integration/suites/upgrade/README.md index 9d581bd03e..567576b0c9 100644 --- a/test/integration/suites/upgrade/README.md +++ b/test/integration/suites/upgrade/README.md @@ -39,5 +39,5 @@ should be removed as part of the 0.10.0 release. ## Future considerations -- Provide additional "+/- 1" SPIRE compatability checks, as currently we only +- Provide additional "+/- 1" SPIRE compatibility checks, as currently we only test that the SPIRE components start up and that SVIDs rotate. From 9c7479da76d7fc005768187ac5869ee7bd13737d Mon Sep 17 00:00:00 2001 From: Andrew Harding Date: Thu, 27 Oct 2022 14:56:44 -0600 Subject: [PATCH 026/257] Remove X509-SVID-TTL field from datastore model (#3541) In order to remove the x509_svid_ttl column in 1.6.0, and still support downgrading, we need to remove the X509SvidTtl column from the GORM model in 1.5.0. Otherwise entry creation/updates will fail after the downgrade as the 1.5.x code will still try and set the column, which won't exist anymore. Removing the field from the model does mean that new 1.5.x deployments will not have the x509_svid_ttl column. This shouldn't be problematic on upgrade as long as the column removal migration we do in 1.6.0 is idempotent. Signed-off-by: Andrew Harding --- pkg/server/datastore/sqlstore/models.go | 4 ---- 1 file changed, 4 deletions(-) diff --git a/pkg/server/datastore/sqlstore/models.go b/pkg/server/datastore/sqlstore/models.go index eed35d1e59..2a9f23dda5 100644 --- a/pkg/server/datastore/sqlstore/models.go +++ b/pkg/server/datastore/sqlstore/models.go @@ -98,10 +98,6 @@ type RegisteredEntry struct { // multiple SVIDs Hint string - // TTL of X509 identities derived from this entry - // Deprecated: remove this in 1.6.0. The purpose of this column will be fulfilled by the TTL column - X509SvidTTL int32 `gorm:"column:x509_svid_ttl"` - // TTL of JWT identities derived from this entry JWTSvidTTL int32 `gorm:"column:jwt_svid_ttl"` } 
From 26127ae5028dc45ae2a61768ea60da74d859f6f7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 28 Oct 2022 10:57:11 -0600 Subject: [PATCH 027/257] Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.63.0 to 1.64.0 (#3544) Bumps [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) from 1.63.0 to 1.64.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.63.0...service/ec2/v1.64.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 11 ++++------- 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 699d800ffe..e066b33742 100644 --- a/go.mod +++ b/go.mod @@ -20,7 +20,7 @@ require ( github.com/aws/aws-sdk-go-v2/credentials v1.12.17 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14 github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 - github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.0 + github.com/aws/aws-sdk-go-v2/service/ec2 v1.64.0 github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 github.com/aws/aws-sdk-go-v2/service/kms v1.18.8 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 
@@ -102,7 +102,7 @@ require ( github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.18 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19 // indirect github.com/aws/aws-sdk-go-v2/service/sso v1.11.20 // indirect github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.2 // indirect github.com/aws/smithy-go v1.13.4 // indirect diff --git a/go.sum b/go.sum index 9a505f6983..d9c940a12e 100644 --- a/go.sum +++ b/go.sum @@ -267,7 +267,6 @@ github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgI github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= github.com/aws/aws-sdk-go-v2 v1.16.13/go.mod h1:xSyvSnzh0KLs5H4HJGeIEsNYemUWdNIl0b/rP6SIsLU= github.com/aws/aws-sdk-go-v2 v1.16.15/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= -github.com/aws/aws-sdk-go-v2 v1.16.16/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= github.com/aws/aws-sdk-go-v2 v1.17.0/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= github.com/aws/aws-sdk-go-v2 v1.17.1 h1:02c72fDJr87N8RAC2s3Qu0YuvMRZKNZJ9F+lAehCazk= github.com/aws/aws-sdk-go-v2 v1.17.1/go.mod h1:JLnGeGONAyi2lWXI1p0PCIOIy333JMVK1U7Hf0aRFLw= 
@@ -279,13 +278,11 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14 h1:NZwZFtxXGOEIiCd8jWN55l github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14/go.mod h1:5CU57SyF5jZLSIw4OOll0PG83ThXwNdkRFOc0EltD/0= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.20/go.mod h1:gdZ5gRUaxThXIZyZQ8MTtgYBk2jbHgp05BO3GcD9Cwc= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.22/go.mod h1:/vNv5Al0bpiF8YdX2Ov6Xy05VTiXsql94yUqJMYaj0w= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.23/go.mod h1:2DFxAQ9pfIRy0imBCJv+vZ2X6RKxves6fbnEuSry6b4= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.24/go.mod h1:ghMzB/j2wRbPx5/4jPYxJdOtCG2ggrtY01j8K7FMBDA= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 h1:nBO/RFxeq/IS5G9Of+ZrgucRciie2qpLy++3UGZ+q2E= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25/go.mod h1:Zb29PYkf42vVYQY6pvSyJCJcFHlPIiY+YKdPtwnvMkY= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.14/go.mod h1:GEV9jaDPIgayiU+uevxwozcvUOjc+P4aHE2BeSjm2vE= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.16/go.mod h1:62dsXI0BqTIGomDl8Hpm33dv0OntGaVblri3ZRParVQ= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17/go.mod h1:pRwaTYCJemADaqCbUAxltMoHKata7hmB5PjEXeu0kfg= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.18/go.mod h1:fkQKYK/jUhCL/wNS1tOPrlYhr9vqutjCz4zZC1wBE1s= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 h1:oRHDrwCTVT8ZXi4sr9Ld+EXk7N/KGssOr2ygNeojEhw= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19/go.mod h1:6Q0546uHDp421okhmmGfbxzq2hBqbXFNpi4k+Q1JnQA= 
@@ -293,14 +290,14 @@ github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21 h1:lpwSbLKYTuABo6SyUoC25xAmfO3 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21/go.mod h1:Q0pktZjvRZk77TBto6yAvUAi7fcse1bdcMctBDVGgBw= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 h1:2f0kb+39miQPRp0b7Sqq06+TpxI0Nfcra41QxzJPME8= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0/go.mod h1:AVLIBQ9V7mcHd5uZT1+wUbBt4QaI/XcOens85Ib0W1o= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.0 h1:9ailn+011zwUJdS8RuamANJVAyX+aoUyTaBrw0CHRdE= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.0/go.mod h1:0+6fPoY0SglgzQUs2yml7X/fup12cMlVumJufh5npRQ= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.64.0 h1:zI904mHbXiJgIc5bwpo5jOk1+wDvcX04PyYd2dInh/4= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.64.0/go.mod h1:zul71QqzR4D1a90/5FloZiAnZ1CtuIjVH7R9MP997+A= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 h1:m/WtVqEvgwDiUPIW2dtnF2hDE1O62MEflz9ClOlCXAs= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16/go.mod h1:w8wndcRxwILFQAzwkUKyEDz4LDHEBSR78KRdaNjUKQA= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.14/go.mod h1:8qOLjqMzY/S1kh3myDXA1yxK5eD4uN8aOJgKpgvc4OM= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.17/go.mod h1:4nYOrY41Lrbk2170/BGkcJKBhws9Pfn8MG3aGqjjeFI= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.18 h1:5oiCDEOHnYkk7uTVI8Wv6ftdFfb6YlUUNzkeePVIPjY= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.18/go.mod h1:QtCDHDOXunxeihz7iU15e09u9gRIeaa5WeE6FZVnGUo= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19 h1:GE25AWCdNUPh9AOJzI9KIJnja7IwUc1WyUqz/JTyJ/I= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19/go.mod h1:02CP6iuYP+IVnBX5HULVdSAku/85eHB2Y9EsFhrkEwU= github.com/aws/aws-sdk-go-v2/service/kms v1.18.8 h1:0YzDYm5rFuwzqwhBg94OYa2TKbdd5dUsf9+uPHwoYns= github.com/aws/aws-sdk-go-v2/service/kms v1.18.8/go.mod h1:NjgXnn0pk5rLSWZIgtx0BCwoCugRXzKZ7cDNsl98W7U= 
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 h1:Lh1yssM4dinNZuESsXnbi+pID8hoviejLZdLmT175i8= From 848b63fc2b39fb676611b8a192a962931b2d387f Mon Sep 17 00:00:00 2001 From: Keegan Witt Date: Mon, 31 Oct 2022 09:49:51 -0400 Subject: [PATCH 028/257] Fix some spelling issues (#3546) Signed-off-by: Keegan Witt --- doc/plugin_server_notifier_k8sbundle.md | 2 +- pkg/server/plugin/notifier/k8sbundle/k8sbundle.go | 6 +++--- support/k8s/k8s-workload-registrar/README.md | 2 +- support/k8s/k8s-workload-registrar/mode-crd/README.md | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/doc/plugin_server_notifier_k8sbundle.md b/doc/plugin_server_notifier_k8sbundle.md index 5495a9da5c..f34f568052 100644 --- a/doc/plugin_server_notifier_k8sbundle.md +++ b/doc/plugin_server_notifier_k8sbundle.md @@ -26,7 +26,7 @@ The following actions are required to set up the plugin. - In the case of in-cluster SPIRE server, it is Service Account that runs the SPIRE server - In the case of out-of-cluster SPIRE server, it is Service Account that interacts with the Kubernetes API server - In the case of setting `webhook_label`, the ClusterRole or Role additionally needs permissions to `get`, `list`, `patch`, and `watch` `mutatingwebhookconfigurations` and `validatingwebhookconfigurations`. - - In the case of setting `api_service_label`, the ClusterRole or Role additonally needs permissions to `get`, `list`, `patch`, and `watch` `apiservices`. + - In the case of setting `api_service_label`, the ClusterRole or Role additionally needs permissions to `get`, `list`, `patch`, and `watch` `apiservices`. - Create the ConfigMap that the plugin pushes For example: diff --git a/pkg/server/plugin/notifier/k8sbundle/k8sbundle.go b/pkg/server/plugin/notifier/k8sbundle/k8sbundle.go index 37a5177311..0bde1d47da 100644 --- a/pkg/server/plugin/notifier/k8sbundle/k8sbundle.go +++ b/pkg/server/plugin/notifier/k8sbundle/k8sbundle.go 
@@ -471,7 +471,7 @@ func (c configMapClient) Informer(callback informerCallback) cache.SharedIndexIn return nil } -// apiServiceClient encapsulates the Kubenetes API for updating the CA Bundle in an API Service +// apiServiceClient encapsulates the Kubernetes API for updating the CA Bundle in an API Service type apiServiceClient struct { aggregator.Interface apiServiceLabel string @@ -531,7 +531,7 @@ func (c apiServiceClient) Informer(callback informerCallback) cache.SharedIndexI return informer } -// mutatingWebhookClient encapsulates the Kubenetes API for updating the CA Bundle in a mutating webhook +// mutatingWebhookClient encapsulates the Kubernetes API for updating the CA Bundle in a mutating webhook type mutatingWebhookClient struct { kubernetes.Interface webhookLabel string @@ -602,7 +602,7 @@ func (c mutatingWebhookClient) Informer(callback informerCallback) cache.SharedI return informer } -// validatingWebhookClient encapsulates the Kubenetes API for updating the CA Bundle in a validating webhook +// validatingWebhookClient encapsulates the Kubernetes API for updating the CA Bundle in a validating webhook type validatingWebhookClient struct { kubernetes.Interface webhookLabel string diff --git a/support/k8s/k8s-workload-registrar/README.md b/support/k8s/k8s-workload-registrar/README.md index 7bae104a64..7b13364a1e 100644 --- a/support/k8s/k8s-workload-registrar/README.md +++ b/support/k8s/k8s-workload-registrar/README.md @@ -173,7 +173,7 @@ shared volume containing the socket file. ### Reconcile Mode Configuration To use reconcile mode you need to create appropriate roles and bind them to the ServiceAccount you intend to run the controller as. -An example can be found in `mode-reconcile/config/role.yaml`, which you would apply with `kubectl apply -f mode-reconcile/config/role.yaml` +An example can be found in `mode-reconcile/config/roles.yaml`, which you would apply with `kubectl apply -f mode-reconcile/config/role.yaml` ### CRD Mode Configuration 
diff --git a/support/k8s/k8s-workload-registrar/mode-crd/README.md b/support/k8s/k8s-workload-registrar/mode-crd/README.md index da6fdddfcc..5c6dd064f2 100644 --- a/support/k8s/k8s-workload-registrar/mode-crd/README.md +++ b/support/k8s/k8s-workload-registrar/mode-crd/README.md @@ -51,7 +51,7 @@ The configuration file is a **required** by the registrar. It contains | `server_address` | string | required | Address of the spire server. A local socket can be specified using unix:///path/to/socket. This is not the same as the agent socket. | | | `server_socket_path` | string | optional | Path to the Unix domain socket of the SPIRE server, equivalent to specifying a server_address with a "unix://..." prefix | | | `trust_domain` | string | required | Trust domain of the SPIRE server | | -| `webhook_enabled` | bool | optional | Enable a validating webhook to ensure CRDs are properly formatted and there are no duplicates. | `false` | +| `webhook_enabled` | bool | optional | Enable a validating webhook to ensure CRDs are properly formatted and there are no duplicates. | `false` | | `webhook_port` | int | optional | The port to use for the validating webhook. | `9443` | | `webhook_service_name` | string | optional | The name of the Kubernetes Service being used for the webhook. | `"k8s-workload-registrar"` | @@ -373,7 +373,7 @@ The default SPIFFE ID created with [Identity Template Based Workload Registratio ### Federated Entry Registration -The pod annotatation `spiffe.io/federatesWith` can be used to create SPIFFE ID's that federate with other trust domains. +The pod annotation `spiffe.io/federatesWith` can be used to create SPIFFE ID's that federate with other trust domains. To specify multiple trust domains, separate them with commas. From 7cddbb3306ca0036cdf6504333d686b36aa3c27f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Oct 2022 11:49:56 -0700 Subject: [PATCH 029/257] Bump github.com/hashicorp/vault/sdk from 0.6.0 to 0.6.1 (#3547) Bumps [github.com/hashicorp/vault/sdk](https://github.com/hashicorp/vault) from 0.6.0 to 0.6.1. - [Release notes](https://github.com/hashicorp/vault/releases) - [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md) - [Commits](https://github.com/hashicorp/vault/compare/v0.6.0...v0.6.1) --- updated-dependencies: - dependency-name: github.com/hashicorp/vault/sdk dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot]
---
 go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index e066b33742..0cd433fd6e 100644
--- a/go.mod
+++ b/go.mod
@@ -43,7 +43,7 @@ require (
 github.com/hashicorp/go-plugin v1.4.5
 github.com/hashicorp/hcl v1.0.1-0.20190430135223-99e2f22d1c94
 github.com/hashicorp/vault/api v1.8.1
- github.com/hashicorp/vault/sdk v0.6.0
+ github.com/hashicorp/vault/sdk v0.6.1
 github.com/imdario/mergo v0.3.13
 github.com/imkira/go-observer v1.0.3
 github.com/jinzhu/gorm v1.9.16
diff --git a/go.sum b/go.sum
index d9c940a12e..246a439fbb 100644
--- a/go.sum
+++ b/go.sum
@@ -697,8 +697,8 @@ github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2p github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= github.com/hashicorp/vault/api v1.8.1 h1:bMieWIe6dAlqAAPReZO/8zYtXaWUg/21umwqGZpEjCI= github.com/hashicorp/vault/api v1.8.1/go.mod h1:uJrw6D3y9Rv7hhmS17JQC50jbPDAZdjZoTtrCCxxs7E= -github.com/hashicorp/vault/sdk v0.6.0 h1:6Z+In5DXHiUfZvIZdMx7e2loL1PPyDjA4bVh9ZTIAhs= -github.com/hashicorp/vault/sdk v0.6.0/go.mod h1:+DRpzoXIdMvKc88R4qxr+edwy/RvH5QK8itmxLiDHLc= +github.com/hashicorp/vault/sdk v0.6.1 h1:sjZC1z4j5Rh2GXYbkxn5BLK05S1p7+MhW4AgdUmgRUA= +github.com/hashicorp/vault/sdk v0.6.1/go.mod h1:Ck4JuAC6usTphfrrRJCRH+7/N7O2ozZzkm/fzQFt4uM= github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d h1:kJCB4vdITiW1eC1vq2e6IsrXKrZit1bv/TDYFGMp4BQ= github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= From b67649afc7e3626f716dbf2197311641ebcbcdb3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Oct 2022 13:38:45 -0700 Subject: [PATCH 030/257] Bump github.com/hashicorp/vault/api from 1.8.1 to 1.8.2 (#3548) Bumps [github.com/hashicorp/vault/api](https://github.com/hashicorp/vault) from 1.8.1 to 1.8.2. - [Release notes](https://github.com/hashicorp/vault/releases) - [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md) - [Commits](https://github.com/hashicorp/vault/compare/v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: github.com/hashicorp/vault/api dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 0cd433fd6e..8d96ebb7a4 100644 --- a/go.mod 
+++ b/go.mod @@ -42,7 +42,7 @@ require ( github.com/hashicorp/go-hclog v1.3.1 github.com/hashicorp/go-plugin v1.4.5 github.com/hashicorp/hcl v1.0.1-0.20190430135223-99e2f22d1c94 - github.com/hashicorp/vault/api v1.8.1 + github.com/hashicorp/vault/api v1.8.2 github.com/hashicorp/vault/sdk v0.6.1 github.com/imdario/mergo v0.3.13 github.com/imkira/go-observer v1.0.3 diff --git a/go.sum b/go.sum index 246a439fbb..70813d3c3a 100644 --- a/go.sum +++ b/go.sum @@ -695,8 +695,8 @@ github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= -github.com/hashicorp/vault/api v1.8.1 h1:bMieWIe6dAlqAAPReZO/8zYtXaWUg/21umwqGZpEjCI= -github.com/hashicorp/vault/api v1.8.1/go.mod h1:uJrw6D3y9Rv7hhmS17JQC50jbPDAZdjZoTtrCCxxs7E= +github.com/hashicorp/vault/api v1.8.2 h1:C7OL9YtOtwQbTKI9ogB0A1wffRbCN+rH/LLCHO3d8HM= +github.com/hashicorp/vault/api v1.8.2/go.mod h1:ML8aYzBIhY5m1MD1B2Q0JV89cC85YVH4t5kBaZiyVaE= github.com/hashicorp/vault/sdk v0.6.1 h1:sjZC1z4j5Rh2GXYbkxn5BLK05S1p7+MhW4AgdUmgRUA= github.com/hashicorp/vault/sdk v0.6.1/go.mod h1:Ck4JuAC6usTphfrrRJCRH+7/N7O2ozZzkm/fzQFt4uM= github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= From af1ef94107230b8a53aa6d68a849ab0a17169ad3 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Oct 2022 14:47:05 -0700 Subject: [PATCH 031/257] Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.64.0 to 1.65.0 (#3550) Bumps [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) from 1.64.0 to 1.65.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.64.0...service/ec2/v1.65.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot]
---
 go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 8d96ebb7a4..dd1abd378c 100644
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ require (
 github.com/aws/aws-sdk-go-v2/credentials v1.12.17
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14
 github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0
- github.com/aws/aws-sdk-go-v2/service/ec2 v1.64.0
+ github.com/aws/aws-sdk-go-v2/service/ec2 v1.65.0
 github.com/aws/aws-sdk-go-v2/service/iam v1.18.16
 github.com/aws/aws-sdk-go-v2/service/kms v1.18.8
 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0
diff --git a/go.sum b/go.sum
index 70813d3c3a..330164dfa6 100644
--- a/go.sum
+++ b/go.sum
@@ -290,8 +290,8 @@ github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21 h1:lpwSbLKYTuABo6SyUoC25xAmfO3 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21/go.mod h1:Q0pktZjvRZk77TBto6yAvUAi7fcse1bdcMctBDVGgBw= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 h1:2f0kb+39miQPRp0b7Sqq06+TpxI0Nfcra41QxzJPME8= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0/go.mod h1:AVLIBQ9V7mcHd5uZT1+wUbBt4QaI/XcOens85Ib0W1o= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.64.0 h1:zI904mHbXiJgIc5bwpo5jOk1+wDvcX04PyYd2dInh/4= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.64.0/go.mod h1:zul71QqzR4D1a90/5FloZiAnZ1CtuIjVH7R9MP997+A= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.65.0 h1:LuklvKRN2P052bAzcyjoHGMI3fFehfBcj8C/uakPWa4= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.65.0/go.mod h1:zul71QqzR4D1a90/5FloZiAnZ1CtuIjVH7R9MP997+A= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 h1:m/WtVqEvgwDiUPIW2dtnF2hDE1O62MEflz9ClOlCXAs= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16/go.mod h1:w8wndcRxwILFQAzwkUKyEDz4LDHEBSR78KRdaNjUKQA= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.14/go.mod h1:8qOLjqMzY/S1kh3myDXA1yxK5eD4uN8aOJgKpgvc4OM= From f771c78bdcabe109724a61ec318ee480bc7c482f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Oct 2022 16:03:44 -0700 Subject: [PATCH 032/257] Bump github.com/gofrs/uuid from 4.3.0+incompatible to 4.3.1+incompatible (#3551) Bumps [github.com/gofrs/uuid](https://github.com/gofrs/uuid) from 4.3.0+incompatible to 4.3.1+incompatible. - [Release notes](https://github.com/gofrs/uuid/releases) - [Commits](https://github.com/gofrs/uuid/compare/v4.3.0...v4.3.1) --- updated-dependencies: - dependency-name: github.com/gofrs/uuid dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index dd1abd378c..1d5a27fd66 100644 
--- a/go.mod +++ b/go.mod @@ -31,7 +31,7 @@ require ( github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1 github.com/go-logr/logr v1.2.3 github.com/go-sql-driver/mysql v1.6.0 - github.com/gofrs/uuid v4.3.0+incompatible + github.com/gofrs/uuid v4.3.1+incompatible github.com/golang/mock v1.6.0 github.com/golang/protobuf v1.5.2 github.com/google/go-cmp v0.5.9 diff --git a/go.sum b/go.sum index 330164dfa6..ee078eb0ef 100644 --- a/go.sum +++ b/go.sum @@ -487,8 +487,8 @@ github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= -github.com/gofrs/uuid v4.3.0+incompatible h1:CaSVZxm5B+7o45rtab4jC2G37WGYX1zQfuU2i6DSvnc= -github.com/gofrs/uuid v4.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= +github.com/gofrs/uuid v4.3.1+incompatible h1:0/KbAdpx3UXAx1kEOWHJeOkpbgRFGHVgv+CFIY7dBJI= +github.com/gofrs/uuid v4.3.1+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= From e98f90e1697964962201a5dc6fc00b5c15a5c279 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Nov 2022 10:03:37 -0700 Subject: [PATCH 033/257] Bump github.com/shirou/gopsutil/v3 from 3.22.9 to 3.22.10 (#3552) Bumps [github.com/shirou/gopsutil/v3](https://github.com/shirou/gopsutil) from 3.22.9 to 3.22.10. - [Release notes](https://github.com/shirou/gopsutil/releases) - [Commits](https://github.com/shirou/gopsutil/compare/v3.22.9...v3.22.10) --- updated-dependencies: - dependency-name: github.com/shirou/gopsutil/v3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 1d5a27fd66..b8ba43a889 100644 --- a/go.mod +++ b/go.mod @@ -52,7 +52,7 @@ require ( github.com/mitchellh/cli v1.1.4 github.com/open-policy-agent/opa v0.45.0 github.com/prometheus/client_golang v1.13.0 - github.com/shirou/gopsutil/v3 v3.22.9 + github.com/shirou/gopsutil/v3 v3.22.10 github.com/sirupsen/logrus v1.9.0 github.com/spiffe/go-spiffe/v2 v2.0.1-0.20220414143532-2ed460a8b9d3 github.com/spiffe/spire-api-sdk v1.2.5-0.20221020001527-5895a0279944 diff --git a/go.sum b/go.sum index ee078eb0ef..1c3cf0fd5e 100644 --- a/go.sum +++ b/go.sum 
@@ -985,8 +985,8 @@ github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkB github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= -github.com/shirou/gopsutil/v3 v3.22.9 h1:yibtJhIVEMcdw+tCTbOPiF1VcsuDeTE4utJ8Dm4c5eA= -github.com/shirou/gopsutil/v3 v3.22.9/go.mod h1:bBYl1kjgEJpWpxeHmLI+dVHWtyAwfcmSBLDsp2TNT8A= +github.com/shirou/gopsutil/v3 v3.22.10 h1:4KMHdfBRYXGF9skjDWiL4RA2N+E8dRdodU/bOZpPoVg= +github.com/shirou/gopsutil/v3 v3.22.10/go.mod h1:QNza6r4YQoydyCfo6rH0blGfKahgibh4dQmV5xdFkQk= github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4= github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ= github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= From 10781c58aae636455d61cb5385bb0120012971ac Mon Sep 17 00:00:00 2001 From: Evan Gilman Date: Tue, 1 Nov 2022 13:41:04 -0700 Subject: [PATCH 034/257] Pin k8s image version in integration tests (#3461) Previously, the integration tests would rely on the default k8s image version, which differs based on the version of kind we're using. This commit explicitly pins the image version such that 1) it's clear what version of k8s is in use, and 2) it's easily changed when needed. Signed-off-by: Evan Gilman --- doc/supported_integrations.md | 2 +- test/integration/common | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/doc/supported_integrations.md b/doc/supported_integrations.md index 6ca46dae1f..9a36122534 100644 --- a/doc/supported_integrations.md +++ b/doc/supported_integrations.md 
@@ -18,5 +18,5 @@ the last minor version that supports it (v1.16). ## Kubernetes -The SPIRE project currently supports Kubernetes 1.18 through 1.20. Later +The SPIRE project currently supports Kubernetes 1.18 through 1.21. Later versions may also work but are not explicitly exercised by integration tests. diff --git a/test/integration/common b/test/integration/common index 54e7a7651c..5b70248420 100644 --- a/test/integration/common +++ b/test/integration/common @@ -203,12 +203,14 @@ download-kubectl() { } start-kind-cluster() { + K8SIMAGE=kindest/node:v1.21.1@sha256:fae9a58f17f18f06aeac9772ca8b5ac680ebbed985e266f711d936e91d113bad + local kind_path=$1 local kind_name=$2 local kind_config_path=$3 log-info "starting cluster..." - "${kind_path}" create cluster --name "${kind_name}" --config "${kind_config_path}" || fail-now "unable to create cluster" + "${kind_path}" create cluster --name "${kind_name}" --config "${kind_config_path}" --image "${K8SIMAGE}" || fail-now "unable to create cluster" } load-images() { From 39f9da23b3de0df4cb5dc946ff2b1badc1b154fd Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Wed, 2 Nov 2022 10:03:22 -0700 Subject: [PATCH 035/257] Update Go to 1.19.3 (#3553) Go 1.19.3 is a security release that fixes CVE-2022-41716. Signed-off-by: Ryan Turner --- .github/workflows/pr_build.yaml | 2 +- .github/workflows/release_build.yaml | 2 +- .go-version | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pr_build.yaml b/.github/workflows/pr_build.yaml index b86afd9616..8d928aecb5 100644 --- a/.github/workflows/pr_build.yaml +++ b/.github/workflows/pr_build.yaml @@ -3,7 +3,7 @@ on: pull_request: {} workflow_dispatch: {} env: - GO_VERSION: 1.19.2 + GO_VERSION: 1.19.3 permissions: contents: read diff --git a/.github/workflows/release_build.yaml b/.github/workflows/release_build.yaml index 820ddde217..db6b3f4c9b 100644 --- a/.github/workflows/release_build.yaml +++ b/.github/workflows/release_build.yaml 
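Review bot: `K8SIMAGE` in `start-kind-cluster` (test/integration/common) is assigned without `local`, so it becomes a global in every suite that sources this file, while the three variables declared right below it are all `local`. Declaring it the same way, `local k8s_image=kindest/node:v1.21.1@sha256:fae9a58f17f18f06aeac9772ca8b5ac680ebbed985e266f711d936e91d113bad`, and passing `--image "${k8s_image}"` keeps the pin scoped to the function and matches the surrounding naming. The tag-plus-digest pin is a good supply-chain control, but nothing in the hunk says where the digest comes from; a comment such as `# kind node image pinned by digest; take the value from the release notes of the kind version downloaded above` would help the next editor, assuming the kind binary version is fixed elsewhere in this file (not visible here). If the two drift apart, cluster creation may fail in ways that look unrelated to the image.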
@@ -4,7 +4,7 @@ on: tags: - 'v[0-9].[0-9]+.[0-9]+' env: - GO_VERSION: 1.19.2 + GO_VERSION: 1.19.3 jobs: cache-deps: name: cache-deps (linux) diff --git a/.go-version b/.go-version index 836ae4eda2..1b92e588b7 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.19.2 +1.19.3 From 7e8e4fa7f1bceafe9f062a258b4fb7b1f52da61f Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Thu, 3 Nov 2022 07:39:43 -0700 Subject: [PATCH 036/257] Update versions in main (#3561) * Update versions in main Signed-off-by: Ryan Turner --- pkg/common/version/version.go | 2 +- pkg/server/datastore/sqlstore/migration.go | 10 ++++++++++ test/integration/suites/upgrade/versions.txt | 2 ++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/pkg/common/version/version.go b/pkg/common/version/version.go index 38a42cb492..1924cf8743 100644 --- a/pkg/common/version/version.go +++ b/pkg/common/version/version.go @@ -8,7 +8,7 @@ const ( // IMPORTANT: When updating, make sure to reconcile the versions list that // is part of the upgrade integration test. See // test/integration/suites/upgrade/README.md for details. - Base = "1.5.0" + Base = "1.5.1" ) var ( diff --git a/pkg/server/datastore/sqlstore/migration.go b/pkg/server/datastore/sqlstore/migration.go index 01ee3771f1..d068e7fc5d 100644 --- a/pkg/server/datastore/sqlstore/migration.go +++ b/pkg/server/datastore/sqlstore/migration.go @@ -134,6 +134,12 @@ import ( // | v1.3.2 | 19 | Added x509_svid_ttl and jwt_svid_ttl columns to entries | // |---------| | | // | v1.3.3 | | | +// |---------| | | +// | v1.3.4 | | | +// |---------| | | +// | v1.3.5 | | | +// |---------| | | +// | v1.3.6 | | | // |*********| | | // | v1.4.0 | | | // |---------| | | @@ -144,6 +150,10 @@ import ( // | v1.4.3 | | | // |---------| | | // | v1.4.4 | | | +// |---------| | | +// | v1.4.5 | | | +// |---------| | | +// | v1.5.0 | | | // ================================================================================================ const ( 
diff --git a/test/integration/suites/upgrade/versions.txt b/test/integration/suites/upgrade/versions.txt index 1638f048b7..e13fcd045b 100644 --- a/test/integration/suites/upgrade/versions.txt +++ b/test/integration/suites/upgrade/versions.txt @@ -3,3 +3,5 @@ 1.4.2 1.4.3 1.4.4 +1.4.5 +1.5.0 From c289fd1e4578e1474cad95ace1d936758f62adf9 Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Thu, 3 Nov 2022 08:27:32 -0700 Subject: [PATCH 037/257] Bring CHANGELOG.md up to date on main (#3562) Bring CHANGELOG.md up to date on main Signed-off-by: Ryan Turner --- CHANGELOG.md | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6564ce6c00..3c38230603 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,45 @@ # Changelog +## [1.5.0] - 2022-11-02 + +### Added +- X.509-SVID and JWT-SVID TTLs can now be configured separately at both the entry-level and Server default level (#3445) +- Entry protobuf type in `/v1/entry` API includes new `jwt_svid_ttl` field (#3445) +- `k8s-workload-registrar` and `oidc-discovery-provider` CLIs now print their version when the `-version` flag is set (#3475) +- Support for customizing SPIFFE ID paths of SPIRE Agents attested with the `azure_msi` NodeAttestor plugin (#3488) + +### Changed +- Entry `ttl` protobuf field in `/v1/entry` API is renamed to `x509_ttl` (#3445) +- External plugins can no longer be named `join_token` to avoid conflicts with the builtin plugin (#3469) +- `spire-server run` command now supports DNS names for the configured bind address (#3421) +- Documentation improvements (#3468, #3472, #3473, #3474, #3515) + +### Deprecated +- `k8s-workload-registrar` is deprecated in favor of [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager) (#3526) +- Server `default_svid_ttl` configuration field is deprecated in favor of `default_x509_svid_ttl` and `default_jwt_svid_ttl` fields (#3445) +- `-ttl` flag in `spire-server entry create` and `spire-server entry update` commands is deprecated in favor of `-x509SVIDTTL` and `-jwtSVIDTTL` flags (#3445) +- `-format` flag in `spire-agent fetch jwt` CLI command is deprecated in favor of `-output` flag (#3528) +- `InMem` telemetry collector is deprecated and no longer enabled by default (#3492) + +### Removed +- NodeResolver plugin type and `azure_msi` builtin NodeResolver plugin (#3470) + +## [1.4.5] - 2022-11-01 + +### Security +- Updated to Go 1.19.3 to address CVE-2022-41716. This vulnerability only affects users configuring external Server or Agent plugins on Windows. 
+ +## [1.4.4] - 2022-10-05 + +### Added +- Experimental support for limiting the number of SVIDs in the agent's cache (#3181) +- Support for attesting Envoy proxy workloads when Istio is configured with holdApplicationUntilProxyStarts (#3460) + +### Changed +- Improved bundle endpoint misconfiguration diagnostics (#3395) +- OIDC Discovery Provider endpoint now has a timeout to read request headers (#3435) +- Small documentation improvements (#3443) + ## [1.4.3] - 2022-10-04 ### Security @@ -46,6 +86,11 @@ - The deprecated webhook mode from the k8s-workload-registrar (#3235) - Support for the configmap leader election lock type from the k8s-workload-registrar (#3241) +## [1.3.6] - 2022-11-01 + +### Security +- Updated to Go 1.18.8 to address CVE-2022-41716. This vulnerability only affects users configuring external Server or Agent plugins on Windows. + ## [1.3.5] - 2022-10-04 ### Security From 375a86ee7df5154821d2f4c55c7e51a4a31750f6 Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Thu, 3 Nov 2022 09:12:44 -0700 Subject: [PATCH 038/257] Update SECURITY.md (#3564) This document has fallen out of date and does not reflect the currently supported versions. In order to keep this document current without needing to update it for every minor release series, document the policy rather than the exact versions that are supported. Signed-off-by: Ryan Turner Signed-off-by: Ryan Turner Co-authored-by: Marcos Yacob --- SECURITY.md | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 54af466422..77fd1c8b05 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,14 +2,7 @@ ## Supported Versions -Versions of the project that are currently being supported with security updates: - -| Version | Supported | -|---------|--------------------| -| 1.2.x | :white_check_mark: | -| 1.1.x | :white_check_mark: | -| <=1.0.x | :x: | - +The project supports security releases for the current minor release series and the previous minor release series, i.e. v1.X and v1.X-1. Example: if the current release series is v1.5, security fixes will be supported for both the v1.4 and v1.5 series. ## Reporting a Vulnerability From 8f25c481269255e10d6c83e5d5eec32fa66fe2d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Thu, 3 Nov 2022 15:28:45 -0300 Subject: [PATCH 039/257] Update the documentation related with the Delegated Identity API (#3565) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Update the documentation related with the Delegated Identity API Signed-off-by: Agustín Martínez Fayó --- doc/spire_agent.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/spire_agent.md b/doc/spire_agent.md index c5e0732655..bf2eb84939 100644 --- a/doc/spire_agent.md +++ b/doc/spire_agent.md 
@@ -282,9 +282,9 @@ plugins { ``` ## Delegated Identity API -SPIRE agent has support for Delegated Identity API. This API is intended for use cases where a (authorized) workload wants access to the X509-SVIDs and bundles on behalf of another workload. A list of authorized delegates SPIFFE IDs of workloads are defined for this purpose. The API is served over the same endpoint address as the admin API. Based on workload's selectors, a (authorized) workload could be subscribed to get X509-SVIDs and federated bundles from the registered entries that match the provided selectors. +The Delegated Identity API allows an authorized (i.e. delegated) workload to obtain SVIDs and bundles on behalf of workloads that cannot be attested by SPIRE Agent directly. The authorized workload does so by providing SPIRE Agent the selectors that would normally be obtained during workload attestation. The Delegated Identity API is served over the admin API endpoint. -In order to use this API, you shall configure the `admin_socket_path` and `authorized_delegates` (SPIFFE ID list of authorized delegates identities), as the following example: +To enable the Delegated Identity API, configure the admin API endpoint address and the list of SPIFFE IDs for authorized delegates. For example: Unix systems: ```hcl From f110278a91fa983b3a708d835cbb02fdd6d1f002 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 3 Nov 2022 13:19:44 -0700 Subject: [PATCH 040/257] Bump github.com/prometheus/client_golang from 1.13.0 to 1.13.1 (#3556) Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.13.0 to 1.13.1. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/v1.13.1/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.13.0...v1.13.1) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot]
---
 go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index b8ba43a889..4d6c403e56 100644
--- a/go.mod
+++ b/go.mod
@@ -51,7 +51,7 @@ require (
 github.com/mattn/go-sqlite3 v1.14.16
 github.com/mitchellh/cli v1.1.4
 github.com/open-policy-agent/opa v0.45.0
- github.com/prometheus/client_golang v1.13.0
+ github.com/prometheus/client_golang v1.13.1
 github.com/shirou/gopsutil/v3 v3.22.10
 github.com/sirupsen/logrus v1.9.0
 github.com/spiffe/go-spiffe/v2 v2.0.1-0.20220414143532-2ed460a8b9d3
diff --git a/go.sum b/go.sum
index 1c3cf0fd5e..e6bf2c3d64 100644
--- a/go.sum
+++ b/go.sum
@@ -942,8 +942,8 @@ github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3O github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= -github.com/prometheus/client_golang v1.13.0 h1:b71QUfeo5M8gq2+evJdTPfZhYMAU0uKPkyPJ7TPsloU= -github.com/prometheus/client_golang v1.13.0/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ= +github.com/prometheus/client_golang v1.13.1 h1:3gMjIY2+/hzmqhtUC/aQNYldJA6DtH3CgQvwS+02K1c= +github.com/prometheus/client_golang v1.13.1/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= From 990a6a954505637a70ab08d398ef6410b9630ceb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 3 Nov 2022 13:58:08 -0700 Subject: [PATCH 041/257] Bump google.golang.org/api from 0.101.0 to 0.102.0 (#3557) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.101.0 to 0.102.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.101.0...v0.102.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] --- go.mod | 7 ++++--- go.sum | 13 ++++++++----- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/go.mod b/go.mod index 4d6c403e56..640459a4a3 100644 --- a/go.mod +++ b/go.mod @@ -65,8 +65,8 @@ require ( golang.org/x/sync v0.1.0 golang.org/x/sys v0.0.0-20220907062415-87db552b00fd golang.org/x/time v0.1.0 - google.golang.org/api v0.101.0 - google.golang.org/genproto v0.0.0-20221018160656-63c7b68cfc55 + google.golang.org/api v0.102.0 + google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e google.golang.org/grpc v1.50.1 google.golang.org/protobuf v1.28.1 gopkg.in/square/go-jose.v2 v2.6.0 @@ -80,7 +80,8 @@ require ( require ( cloud.google.com/go v0.104.0 // indirect - cloud.google.com/go/compute v1.10.0 // indirect + cloud.google.com/go/compute v1.12.1 // indirect + cloud.google.com/go/compute/metadata v0.2.1 // indirect cloud.google.com/go/iam v0.5.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect diff --git a/go.sum b/go.sum index e6bf2c3d64..faf35ab84d 100644 --- a/go.sum +++ b/go.sum 
@@ -64,8 +64,11 @@ cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6m cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz/FMzPu0s= cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU= cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U= -cloud.google.com/go/compute v1.10.0 h1:aoLIYaA1fX3ywihqpBk2APQKOo20nXsp1GEZQbx5Jk4= cloud.google.com/go/compute v1.10.0/go.mod h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOtRsugnLrlU= +cloud.google.com/go/compute v1.12.1 h1:gKVJMEyqV5c/UnpzjjQbo3Rjvvqpr9B1DFSbJC4OXr0= +cloud.google.com/go/compute v1.12.1/go.mod h1:e8yNOBcBONZU1vJKCvCoDw/4JQsA0dpM4x/6PIIOocU= +cloud.google.com/go/compute/metadata v0.2.1 h1:efOwf5ymceDhK6PKMnnrTHP4pppY5L22mle96M1yP48= +cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM= cloud.google.com/go/containeranalysis v0.5.1/go.mod h1:1D92jd8gRR/c0fGMlymRgxWD3Qw9C1ff6/T7mLgVL8I= cloud.google.com/go/containeranalysis v0.6.0/go.mod h1:HEJoiEIu+lEXM+k7+qLCci0h33lX3ZqoYFdmPcoO7s4= cloud.google.com/go/datacatalog v1.3.0/go.mod h1:g9svFY6tuR+j+hrTw3J2dNcmI0dzmSiyOzm8kpLq0a0= 
@@ -1562,8 +1565,8 @@ google.golang.org/api v0.96.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ google.golang.org/api v0.97.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= google.golang.org/api v0.98.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= google.golang.org/api v0.100.0/go.mod h1:ZE3Z2+ZOr87Rx7dqFsdRQkRBk36kDtp/h+QpHbB7a70= -google.golang.org/api v0.101.0 h1:lJPPeEBIRxGpGLwnBTam1NPEM8Z2BmmXEd3z812pjwM= -google.golang.org/api v0.101.0/go.mod h1:CjxAAWWt3A3VrUE2IGDY2bgK5qhoG/OkyWVlYcP05MY= +google.golang.org/api v0.102.0 h1:JxJl2qQ85fRMPNvlZY/enexbxpCjLwGhZUtgfGeQ51I= +google.golang.org/api v0.102.0/go.mod h1:3VFl6/fzoA+qNuS1N1/VfXY4LjoXN/wzeIp7TweWwGo= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -1675,8 +1678,8 @@ google.golang.org/genproto v0.0.0-20220926165614-551eb538f295/go.mod h1:woMGP53B google.golang.org/genproto v0.0.0-20220926220553-6981cbe3cfce/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI= google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e/go.mod h1:3526vdqwhZAwq4wsRUaVG555sVgsNmIjRtO7t/JH29U= google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= -google.golang.org/genproto v0.0.0-20221018160656-63c7b68cfc55 h1:U1u4KB2kx6KR/aJDjQ97hZ15wQs8ZPvDcGcRynBhkvg= -google.golang.org/genproto v0.0.0-20221018160656-63c7b68cfc55/go.mod h1:45EK0dUbEZ2NHjCeAd2LXmyjAgGUGrpGROgjhC3ADck= +google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e h1:S9GbmC1iCgvbLyAokVCwiO6tVIrU9Y7c5oMx1V/ki/Y= +google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= From 71a27861bc8de2e136aa74799d39255036f0951e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 3 Nov 2022 14:44:31 -0700 Subject: [PATCH 042/257] Bump github.com/googleapis/gax-go/v2 from 2.6.0 to 2.7.0 (#3566) Bumps [github.com/googleapis/gax-go/v2](https://github.com/googleapis/gax-go) from 2.6.0 to 2.7.0. - [Release notes](https://github.com/googleapis/gax-go/releases) - [Commits](https://github.com/googleapis/gax-go/compare/v2.6.0...v2.7.0) --- updated-dependencies: - dependency-name: github.com/googleapis/gax-go/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) 
diff --git a/go.mod b/go.mod index 640459a4a3..07fb96a019 100644 --- a/go.mod +++ b/go.mod @@ -37,7 +37,7 @@ require ( github.com/google/go-cmp v0.5.9 github.com/google/go-tpm v0.3.3 github.com/google/go-tpm-tools v0.3.9 - github.com/googleapis/gax-go/v2 v2.6.0 + github.com/googleapis/gax-go/v2 v2.7.0 github.com/gorilla/handlers v1.5.1 github.com/hashicorp/go-hclog v1.3.1 github.com/hashicorp/go-plugin v1.4.5 diff --git a/go.sum b/go.sum index faf35ab84d..ba32760b0d 100644 --- a/go.sum +++ b/go.sum @@ -619,8 +619,9 @@ github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/Oth github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM= github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c= github.com/googleapis/gax-go/v2 v2.5.1/go.mod h1:h6B0KMMFNtI2ddbGJn3T3ZbwkeT6yqEF02fYlzkUCyo= -github.com/googleapis/gax-go/v2 v2.6.0 h1:SXk3ABtQYDT/OH8jAyvEOQ58mgawq5C4o/4/89qN2ZU= github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMdcIDwU/6+DDoY= +github.com/googleapis/gax-go/v2 v2.7.0 h1:IcsPKeInNvYi7eqSaDjiZqDDKu5rsmunY0Y1YupQSSQ= +github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8= github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU= github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA= github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= From e4daeb6c9a5a18d4cda4e68d37adf3dbd4d42182 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 3 Nov 2022 16:01:40 -0700 Subject: [PATCH 043/257] Bump sigs.k8s.io/controller-runtime from 0.13.0 to 0.13.1 (#3567) Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.13.0 to 0.13.1. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/master/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.13.0...v0.13.1) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 07fb96a019..e83cf566a4 100644 --- a/go.mod +++ b/go.mod @@ -75,7 +75,7 @@ require ( k8s.io/client-go v0.25.3 k8s.io/kube-aggregator v0.23.3 k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed - sigs.k8s.io/controller-runtime v0.13.0 + sigs.k8s.io/controller-runtime v0.13.1 ) require ( diff --git a/go.sum b/go.sum index ba32760b0d..c1cbff2035 100644 --- a/go.sum +++ b/go.sum 
@@ -1821,8 +1821,8 @@ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.27/go.mod h1:tq2nT0Kx7W+/f2JVE+zxYtUhdjuELJkVpNz+x/QN5R4= -sigs.k8s.io/controller-runtime v0.13.0 h1:iqa5RNciy7ADWnIc8QxCbOX5FEKVR3uxVxKHRMc2WIQ= -sigs.k8s.io/controller-runtime v0.13.0/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI= +sigs.k8s.io/controller-runtime v0.13.1 h1:tUsRCSJVM1QQOOeViGeX3GMT3dQF1eePPw6sEE3xSlg= +sigs.k8s.io/controller-runtime v0.13.1/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= From 0b8e3a8911c15742a22642f136bad2a262e02648 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 4 Nov 2022 08:55:23 -0600 Subject: [PATCH 044/257] Bump github.com/open-policy-agent/opa from 0.45.0 to 0.46.1 (#3570) Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.45.0 to 0.46.1. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-policy-agent/opa/compare/v0.45.0...v0.46.1) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 8 ++++---- go.sum | 21 +++++++++++---------- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/go.mod b/go.mod index e83cf566a4..5be2a29167 100644 --- a/go.mod +++ b/go.mod @@ -50,7 +50,7 @@ require ( github.com/lib/pq v1.10.7 github.com/mattn/go-sqlite3 v1.14.16 github.com/mitchellh/cli v1.1.4 - github.com/open-policy-agent/opa v0.45.0 + github.com/open-policy-agent/opa v0.46.1 github.com/prometheus/client_golang v1.13.1 github.com/shirou/gopsutil/v3 v3.22.10 github.com/sirupsen/logrus v1.9.0 @@ -63,7 +63,7 @@ require ( golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa golang.org/x/net v0.0.0-20221014081412-f15817d10f9b golang.org/x/sync v0.1.0 - golang.org/x/sys v0.0.0-20220907062415-87db552b00fd + golang.org/x/sys v0.0.0-20221010170243-090e33056c14 golang.org/x/time v0.1.0 google.golang.org/api v0.102.0 google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e @@ -112,7 +112,7 @@ require ( github.com/cespare/xxhash/v2 v2.1.2 // indirect github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490 // indirect github.com/davecgh/go-spew v1.1.1 // indirect - github.com/docker/distribution v2.7.1+incompatible // indirect + github.com/docker/distribution v2.8.1+incompatible // indirect github.com/docker/go-connections v0.4.0 // indirect github.com/docker/go-units v0.4.0 // indirect github.com/emicklei/go-restful/v3 v3.8.0 // indirect @@ -121,7 +121,7 @@ require ( github.com/evanphx/json-patch/v5 v5.6.0 // indirect github.com/fatih/color v1.13.0 // indirect github.com/felixge/httpsnoop v1.0.2 // indirect - github.com/fsnotify/fsnotify v1.5.4 // indirect + github.com/fsnotify/fsnotify v1.6.0 // indirect github.com/ghodss/yaml v1.0.0 // indirect github.com/go-logr/zapr v1.2.3 // indirect github.com/go-ole/go-ole v1.2.6 // indirect diff --git a/go.sum b/go.sum index c1cbff2035..6ff270c9bb 100644 --- a/go.sum +++ b/go.sum 
@@ -385,8 +385,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/denisenkom/go-mssqldb v0.0.0-20191124224453-732737034ffd h1:83Wprp6ROGeiHFAP8WJdI2RoxALQYgdllERc3N5N2DM= github.com/denisenkom/go-mssqldb v0.0.0-20191124224453-732737034ffd/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= -github.com/dgraph-io/badger/v3 v3.2103.2 h1:dpyM5eCJAtQCBcMCZcT4UBZchuTJgCywerHHgmxfxM8= -github.com/dgraph-io/ristretto v0.1.0 h1:Jv3CGQHp9OjuMBSne1485aDpUkTKEcUqF+jm/LuerPI= +github.com/dgraph-io/badger/v3 v3.2103.3 h1:s63J1pisDhKpzWslXFe+ChuthuZptpwTE6qEKoczPb4= +github.com/dgraph-io/ristretto v0.1.1 h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWajOK8= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g= 
@@ -394,8 +394,8 @@ github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8 github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko= github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= -github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug= -github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68= +github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v20.10.21+incompatible h1:UTLdBmHk3bEY+w8qeO5KttOhy6OmXWsl/FEet9Uswog= github.com/docker/docker v20.10.21+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= 
@@ -444,8 +444,8 @@ github.com/foxcpp/go-mockdns v0.0.0-20210729171921-fb145fc6f897 h1:E52jfcE64UG42 github.com/frankban/quicktest v1.13.0 h1:yNZif1OkDfNoDfb9zZa9aXIpejNR4F23Wely0c+Qdqk= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= -github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI= -github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= +github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= +github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg= github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ= github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= 
@@ -908,8 +908,8 @@ github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGV github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q= -github.com/open-policy-agent/opa v0.45.0 h1:P5nuhVRtR+e58fk3CMMbiqr6ZFyWQPNOC3otsorGsFs= -github.com/open-policy-agent/opa v0.45.0/go.mod h1:/OnsYljNEWJ6DXeFOOnoGn8CvwZGMUS4iRqzYdJvmBI= +github.com/open-policy-agent/opa v0.46.1 h1:iG998SLK0rzalex7Hyekeq17b9WtUexM0AuyHrQ7fCc= +github.com/open-policy-agent/opa v0.46.1/go.mod h1:DY9ZkCyz+DKoWI5gDuLw5rGC2RSb37QUeEf+9VjsWkI= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 h1:rc3tiVYb5z54aKaDfakKn0dDjIyPpTtszkjuMzyt7ec= 
@@ -1409,8 +1409,9 @@ golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220907062415-87db552b00fd h1:AZeIEzg+8RCELJYq8w+ODLVxFgLMMigSwO/ffKPEd9U= -golang.org/x/sys v0.0.0-20220907062415-87db552b00fd/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20221010170243-090e33056c14 h1:k5II8e6QD8mITdi+okbbmR/cIyEbeXLBhy5Ha4nevyc= +golang.org/x/sys v0.0.0-20221010170243-090e33056c14/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= From 45bb04a3f61eee18e638d8e435eea1f88e509af8 Mon Sep 17 00:00:00 2001 
From: Ryan Turner
Date: Fri, 4 Nov 2022 09:02:17 -0700
Subject: [PATCH 045/257] Fix upstream-authority-cert-manager test on macOS (#3560) macOS installs LibreSSL at /usr/bin/openssl. Unless macOS users install OpenSSL separately and configure their PATH to point to OpenSSL with precedence over /usr/bin, LibreSSL will be used. LibreSSL prints Issuer and Subject field information from X.509 certificates in a different format than OpenSSL, which was causing some assertions in the upstream-authority-cert-manager integration test to fail on macOS when using LibreSSL. Improve the test to be able to handle both the OpenSSL and LibreSSL formatting of Subject and Issuer X.509 fields.
Signed-off-by: Ryan Turner
--- .../03-verify-ca | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/test/integration/suites/upstream-authority-cert-manager/03-verify-ca b/test/integration/suites/upstream-authority-cert-manager/03-verify-ca
index 724aa04512..b971f4726e 100755
--- a/test/integration/suites/upstream-authority-cert-manager/03-verify-ca
+++ b/test/integration/suites/upstream-authority-cert-manager/03-verify-ca
@@ -2,9 +2,14 @@ source init-kubectl
-expLeafIssuer="issuer=C = US, O = SPIFFE"
+expLeafIssuerOpenSSL="issuer=C = US, O = SPIFFE"
+expCASubjectOpenSSL="subject=O = cert-manager.io, CN = example.org"
+
+# On macOS, /usr/bin/openssl is LibreSSL, which outputs certificate details with a different format than OpenSSL
+expLeafIssuerLibreSSL="issuer= /C=US/O=SPIFFE"
+expCASubjectLibreSSL="subject= /O=cert-manager.io/CN=example.org"
+
 expLeafURI="URI:spiffe://example.org/ns/foo/sa/bar"
-expCASubject="subject=O = cert-manager.io, CN = example.org"
 log-debug "verifying CA..."
@@ -13,6 +18,14 @@ leafURIResult=$(./bin/kubectl exec -n spire $(./bin/kubectl get pod -n spire -o
 leafIssuerResult=$(./bin/kubectl exec -n spire $(./bin/kubectl get pod -n spire -o name) -- cat svid.pem | openssl x509 -noout -issuer)
 caSubjectResult=$(./bin/kubectl exec -n spire $(./bin/kubectl get pod -n spire -o name) -- cat bundle.pem | openssl x509 -noout -subject)
+if [ $(openssl version | awk '{print $1}') == 'LibreSSL' ]; then
+ expLeafIssuer=$expLeafIssuerLibreSSL
+ expCASubject=$expCASubjectLibreSSL
+else
+ expLeafIssuer=$expLeafIssuerOpenSSL
+ expCASubject=$expCASubjectOpenSSL
+fi
+
 if [ "$leafURIResult" != "$expLeafURI" ]; then fail-now "unexpected SPIFFE ID in resulting certificate, exp=$expLeafURI got=$leafURIResult"
 fi
From 1962db8ee81fdb04d228a19a8747d64e4739dbbf Mon Sep 17 00:00:00 2001
From: Andres Vega
Date: Fri, 4 Nov 2022 09:41:36 -0700
Subject: [PATCH 046/257] Add Unity Technologies to adopters (#3568)
Signed-off-by: Andres Vega
--- ADOPTERS.md | 1 + 1 file changed, 1 insertion(+)
diff --git a/ADOPTERS.md b/ADOPTERS.md
index 47fe9cda93..f5d6f3cd54 100644
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -13,6 +13,7 @@ Known end users with notable contributions to the advancement of the project inc
 * Square
 * Twilio
 * Uber
+* Unity Technologies
 * Z Lab Corporation
 SPIFFE and SPIRE are being used by numerous other companies, both large and small, to build higher layer products and services. The list includes but is not limited to:
From 57caf583fd33120b61373fb184c8e05136216ac4 Mon Sep 17 00:00:00 2001
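Review bot: In the second hunk of test/integration/suites/upstream-authority-cert-manager/03-verify-ca, the added `if [ $(openssl version | awk '{print $1}') == 'LibreSSL' ]; then` leaves the command substitution unquoted, so when `openssl version` prints nothing (binary missing or failing) the test collapses to `[ == 'LibreSSL' ]`, `[` reports an error, and the script falls through to the OpenSSL branch. Quote the substitution and use the portable operator: `if [ "$(openssl version | awk '{print $1}')" = 'LibreSSL' ]; then`. Keying on the vendor name also assumes every non-LibreSSL build prints the `C = US, O = SPIFFE` form; as far as I recall, OpenSSL 1.0.x releases print the slash-separated form too, so a comment such as `# assumes OpenSSL >= 1.1.0 name formatting when not LibreSSL` would make the expectation explicit. The issuer and subject comparisons that consume `expLeafIssuer` and `expCASubject` are outside this hunk.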
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 4 Nov 2022 13:03:05 -0600 Subject: [PATCH 047/257] Bump cloud.google.com/go/secretmanager from 1.8.0 to 1.9.0 (#3569) * Bump cloud.google.com/go/secretmanager from 1.8.0 to 1.9.0 Bumps [cloud.google.com/go/secretmanager](https://github.com/googleapis/google-cloud-go) from 1.8.0 to 1.9.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/asset/v1.8.0...asset/v1.9.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/secretmanager dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: Andrew Harding Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Harding --- go.mod | 9 +++++---- go.sum | 17 ++++++++++------- .../plugin/svidstore/gcpsecretmanager/client.go | 2 +- .../plugin/svidstore/gcpsecretmanager/gcloud.go | 2 +- .../svidstore/gcpsecretmanager/gcloud_test.go | 2 +- .../plugin/upstreamauthority/gcpcas/gcpcas.go | 8 ++++---- .../upstreamauthority/gcpcas/gcpcas_test.go | 2 +- 7 files changed, 23 insertions(+), 19 deletions(-) diff --git a/go.mod b/go.mod index 5be2a29167..497f877774 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/spiffe/spire go 1.19 require ( - cloud.google.com/go/secretmanager v1.8.0 + cloud.google.com/go/secretmanager v1.9.0 cloud.google.com/go/security v1.9.0 cloud.google.com/go/storage v1.27.0 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4 
@@ -66,7 +66,7 @@ require ( golang.org/x/sys v0.0.0-20221010170243-090e33056c14 golang.org/x/time v0.1.0 google.golang.org/api v0.102.0 - google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e + google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c google.golang.org/grpc v1.50.1 google.golang.org/protobuf v1.28.1 gopkg.in/square/go-jose.v2 v2.6.0 @@ -79,10 +79,11 @@ require ( ) require ( - cloud.google.com/go v0.104.0 // indirect + cloud.google.com/go v0.105.0 // indirect cloud.google.com/go/compute v1.12.1 // indirect cloud.google.com/go/compute/metadata v0.2.1 // indirect - cloud.google.com/go/iam v0.5.0 // indirect + cloud.google.com/go/iam v0.6.0 // indirect + cloud.google.com/go/longrunning v0.1.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest v0.11.27 // indirect diff --git a/go.sum b/go.sum index 6ff270c9bb..1f18c64901 100644 --- a/go.sum +++ b/go.sum @@ -29,8 +29,9 @@ cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2Z cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A= cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc= cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU= -cloud.google.com/go v0.104.0 h1:gSmWO7DY1vOm0MVU6DNXM11BWHHsTUmsC5cv1fuW5X8= cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRYtA= +cloud.google.com/go v0.105.0 h1:DNtEKRBAAzeS4KyIory52wWHuClNaXJ5x1F7xa4q+5Y= +cloud.google.com/go v0.105.0/go.mod h1:PrLgOJNe5nfE9UMxKxgXj4mD3voiP+YQ6gdt6KMFOKM= cloud.google.com/go/aiplatform v1.22.0/go.mod h1:ig5Nct50bZlzV6NvKaTwmplLLddFx0YReh9WfTO5jKw= cloud.google.com/go/aiplatform v1.24.0/go.mod h1:67UUvRBKG6GTayHKV8DBv2RtR1t93YRu5B1P3x99mYY= cloud.google.com/go/analytics v0.11.0/go.mod h1:DjEWCu41bVbYcKyvlws9Er60YE4a//bK6mnhWvQeFNI= 
@@ -104,12 +105,14 @@ cloud.google.com/go/gkehub v0.9.0/go.mod h1:WYHN6WG8w9bXU0hqNxt8rm5uxnk8IH+lPY9J cloud.google.com/go/gkehub v0.10.0/go.mod h1:UIPwxI0DsrpsVoWpLB0stwKCP+WFVG9+y977wO+hBH0= cloud.google.com/go/grafeas v0.2.0/go.mod h1:KhxgtF2hb0P191HlY5besjYm6MqTSTj3LSI+M+ByZHc= cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= -cloud.google.com/go/iam v0.5.0 h1:fz9X5zyTWBmamZsqvqZqD7khbifcZF/q+Z1J8pfhIUg= -cloud.google.com/go/iam v0.5.0/go.mod h1:wPU9Vt0P4UmCux7mqtRu6jcpPAb74cP1fh50J3QpkUc= +cloud.google.com/go/iam v0.6.0 h1:nsqQC88kT5Iwlm4MeNGTpfMWddp6NB/UOLFTH6m1QfQ= +cloud.google.com/go/iam v0.6.0/go.mod h1:+1AH33ueBne5MzYccyMHtEKqLE4/kJOibtffMHDMFMc= cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic= cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI= cloud.google.com/go/lifesciences v0.5.0/go.mod h1:3oIKy8ycWGPUyZDR/8RNnTOYevhaMLqh5vLUXs9zvT8= cloud.google.com/go/lifesciences v0.6.0/go.mod h1:ddj6tSX/7BOnhxCSd3ZcETvtNr8NZ6t/iPhY2Tyfu08= +cloud.google.com/go/longrunning v0.1.1 h1:y50CXG4j0+qvEukslYFBCrzaXX0qpFbBzc3PchSu/LE= +cloud.google.com/go/longrunning v0.1.1/go.mod h1:UUFxuDWkv22EuY93jjmDMFT5GPQKeFVJBIF6QlTqdsE= cloud.google.com/go/mediatranslation v0.5.0/go.mod h1:jGPUhGTybqsPQn91pNXw0xVHfuJ3leR1wj37oU3y1f4= cloud.google.com/go/mediatranslation v0.6.0/go.mod h1:hHdBCTYNigsBxshbznuIMFNe5QXEowAuNmmC7h8pu5w= cloud.google.com/go/memcache v1.4.0/go.mod h1:rTOfiGZtJX1AaFUrOgsMHX5kAzaTQ8azHiuDoTPzNsE= 
@@ -148,8 +151,8 @@ cloud.google.com/go/retail v1.9.0/go.mod h1:g6jb6mKuCS1QKnH/dpu7isX253absFl6iE92 cloud.google.com/go/scheduler v1.4.0/go.mod h1:drcJBmxF3aqZJRhmkHQ9b3uSSpQoltBPGPxGAWROx6s= cloud.google.com/go/scheduler v1.5.0/go.mod h1:ri073ym49NW3AfT6DZi21vLZrG07GXr5p3H1KxN5QlI= cloud.google.com/go/secretmanager v1.6.0/go.mod h1:awVa/OXF6IiyaU1wQ34inzQNc4ISIDIrId8qE5QGgKA= -cloud.google.com/go/secretmanager v1.8.0 h1:4wYWL2t10q+xUtFFS0QuWlqwQguMrwC6FDpjtMM6cUI= -cloud.google.com/go/secretmanager v1.8.0/go.mod h1:hnVgi/bN5MYHd3Gt0SPuTPPp5ENina1/LxM+2W9U9J4= +cloud.google.com/go/secretmanager v1.9.0 h1:xE6uXljAC1kCR8iadt9+/blg1fvSbmenlsDN4fT9gqw= +cloud.google.com/go/secretmanager v1.9.0/go.mod h1:b71qH2l1yHmWQHt9LC80akm86mX8AL6X1MA01dW8ht4= cloud.google.com/go/security v1.5.0/go.mod h1:lgxGdyOKKjHL4YG3/YwIL2zLqMFCKs0UbQwgyZmfJl4= cloud.google.com/go/security v1.7.0/go.mod h1:mZklORHl6Bg7CNnnjLH//0UlAlaXqiG7Lb9PsPXLfD0= cloud.google.com/go/security v1.8.0/go.mod h1:hAQOwgmaHhztFhiQ41CjDODdWP0+AE1B3sX4OFlq+GU= 
@@ -1680,8 +1683,8 @@ google.golang.org/genproto v0.0.0-20220926165614-551eb538f295/go.mod h1:woMGP53B google.golang.org/genproto v0.0.0-20220926220553-6981cbe3cfce/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI= google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e/go.mod h1:3526vdqwhZAwq4wsRUaVG555sVgsNmIjRtO7t/JH29U= google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= -google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e h1:S9GbmC1iCgvbLyAokVCwiO6tVIrU9Y7c5oMx1V/ki/Y= -google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s= +google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c h1:QgY/XxIAIeccR+Ca/rDdKubLIU9rcJ3xfy1DC/Wd2Oo= +google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c/go.mod h1:CGI5F/G+E5bKwmfYo09AXuVN4dD894kIKUFmVbP2/Fo= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= diff --git a/pkg/agent/plugin/svidstore/gcpsecretmanager/client.go b/pkg/agent/plugin/svidstore/gcpsecretmanager/client.go index 414d09f929..fe80d45896 100644 --- a/pkg/agent/plugin/svidstore/gcpsecretmanager/client.go +++ b/pkg/agent/plugin/svidstore/gcpsecretmanager/client.go @@ -4,9 +4,9 @@ import ( "context" secretmanager "cloud.google.com/go/secretmanager/apiv1" + "cloud.google.com/go/secretmanager/apiv1/secretmanagerpb" gax "github.com/googleapis/gax-go/v2" "google.golang.org/api/option" - secretmanagerpb "google.golang.org/genproto/googleapis/cloud/secretmanager/v1" iampb "google.golang.org/genproto/googleapis/iam/v1" ) diff --git a/pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud.go b/pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud.go index a994eb8256..1360fd024d 100644 
--- a/pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud.go
+++ b/pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud.go
@@ -9,13 +9,13 @@ import (
 "strings"
 "sync"
+ "cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
 "github.com/hashicorp/go-hclog"
 "github.com/hashicorp/hcl"
 svidstorev1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/agent/svidstore/v1"
 configv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/service/common/config/v1"
 "github.com/spiffe/spire/pkg/agent/plugin/svidstore"
 "github.com/spiffe/spire/pkg/common/catalog"
- secretmanagerpb "google.golang.org/genproto/googleapis/cloud/secretmanager/v1"
 "google.golang.org/genproto/googleapis/iam/v1"
 "google.golang.org/grpc/codes"
 "google.golang.org/grpc/status"
diff --git a/pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud_test.go b/pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud_test.go
index 911193add5..f53c422c8b 100644
--- a/pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud_test.go
+++ b/pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud_test.go
@@ -11,6 +11,7 @@ import (
 "testing"
 "time"
+ "cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
 gax "github.com/googleapis/gax-go/v2"
 "github.com/spiffe/go-spiffe/v2/spiffeid"
 "github.com/spiffe/spire/pkg/agent/plugin/svidstore"
@@ -20,7 +21,6 @@ import (
 "github.com/spiffe/spire/test/spiretest"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- secretmanagerpb "google.golang.org/genproto/googleapis/cloud/secretmanager/v1"
 iampb "google.golang.org/genproto/googleapis/iam/v1"
 "google.golang.org/grpc/codes"
 "google.golang.org/grpc/status"
diff --git a/pkg/server/plugin/upstreamauthority/gcpcas/gcpcas.go b/pkg/server/plugin/upstreamauthority/gcpcas/gcpcas.go
index a15171fd8a..fb66f8b0b4 100644
--- a/pkg/server/plugin/upstreamauthority/gcpcas/gcpcas.go
+++ b/pkg/server/plugin/upstreamauthority/gcpcas/gcpcas.go
@@ -11,7 +11,8 @@ import (
 "sync"
 "time"
- pcaapi "cloud.google.com/go/security/privateca/apiv1"
+ privateca "cloud.google.com/go/security/privateca/apiv1"
+ "cloud.google.com/go/security/privateca/apiv1/privatecapb"
 "github.com/hashicorp/go-hclog"
 "github.com/hashicorp/hcl"
 "github.com/spiffe/spire-plugin-sdk/pluginsdk"
@@ -22,7 +23,6 @@ import (
 "github.com/spiffe/spire/pkg/common/pemutil"
 "github.com/spiffe/spire/pkg/common/x509util"
 "google.golang.org/api/iterator"
- privatecapb "google.golang.org/genproto/googleapis/cloud/security/privateca/v1"
 "google.golang.org/grpc/codes"
 "google.golang.org/grpc/status"
 "google.golang.org/protobuf/types/known/durationpb"
@@ -373,7 +373,7 @@ func (p *Plugin) mintX509CA(ctx context.Context, csr []byte, preferredTTL int32)
 func getClient(ctx context.Context) (CAClient, error) {
 // https://cloud.google.com/docs/authentication/production#go
 // The client creation implicitly uses Application Default Credentials (ADC) for authentication
- pcaClient, err := pcaapi.NewCertificateAuthorityClient(ctx)
+ pcaClient, err := privateca.NewCertificateAuthorityClient(ctx)
 if err != nil {
 return nil, err
 }
@@ -382,7 +382,7 @@ func getClient(ctx context.Context) (CAClient, error) {
 }
 type gcpCAClient struct {
- pcaClient *pcaapi.CertificateAuthorityClient
+ pcaClient *privateca.CertificateAuthorityClient
 }
 func (client *gcpCAClient) CreateCertificate(ctx context.Context, req *privatecapb.CreateCertificateRequest) (*privatecapb.Certificate, error) {
diff --git a/pkg/server/plugin/upstreamauthority/gcpcas/gcpcas_test.go b/pkg/server/plugin/upstreamauthority/gcpcas/gcpcas_test.go
index 92979d8659..ad05ca295a 100644
--- a/pkg/server/plugin/upstreamauthority/gcpcas/gcpcas_test.go
+++ b/pkg/server/plugin/upstreamauthority/gcpcas/gcpcas_test.go
@@ -11,13 +11,13 @@ import (
 "testing"
 "time"
+ "cloud.google.com/go/security/privateca/apiv1/privatecapb"
 "github.com/spiffe/spire/pkg/common/pemutil"
 commonutil "github.com/spiffe/spire/pkg/common/util"
 "github.com/spiffe/spire/pkg/server/plugin/upstreamauthority"
 "github.com/spiffe/spire/test/plugintest"
 "github.com/spiffe/spire/test/testkey"
 "github.com/stretchr/testify/require"
- privatecapb "google.golang.org/genproto/googleapis/cloud/security/privateca/v1"
 "google.golang.org/grpc/codes"
 "google.golang.org/grpc/status"
 )
From 1c14fbbb533e495b1f22dbbe3687eff2def12901 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 4 Nov 2022 13:47:50 -0600
Subject: [PATCH 048/257] Bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.1.4 to 1.2.0 (#3574) Bumps [github.com/Azure/azure-sdk-for-go/sdk/azcore](https://github.com/Azure/azure-sdk-for-go) from 1.1.4 to 1.2.0. - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases) - [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azcore/v1.1.4...v1.2) --- updated-dependencies: - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azcore dependency-type: direct:production update-type: version-update:semver-minor ...
Signed-off-by: dependabot[bot]
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
--- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 497f877774..eff4be5183 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 cloud.google.com/go/secretmanager v1.9.0
 cloud.google.com/go/security v1.9.0
 cloud.google.com/go/storage v1.27.0
- github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4
+ github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0
diff --git a/go.sum b/go.sum
index 1f18c64901..051f879d6e 100644
--- a/go.sum
+++ b/go.sum
@@ -186,8 +186,8 @@ cloud.google.com/go/workflows v1.6.0/go.mod h1:6t9F5h/unJz41YqfBmqSASJSXccBLtD1V
 cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoISEXH2bcHC3M=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.0.0/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4 h1:pqrAR74b6EoR4kcxF7L7Wg2B8Jgil9UUZtMvxhEFqWo=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0 h1:sVW/AFBTGyJxDaMYlq0ct3jUXTtj12tQ6zE2GZUgVQw=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.0.0/go.mod h1:+6sju8gk8FRmSajX3Oz4G5Gm7P+mbqE9FVaXXFYTkCM=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 h1:QkAcEIAKbNL4KoFr4SathZPhDhF4mVwpBMFlYjyAqy8=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0/go.mod h1:bhXu1AjYL+wutSL/kpSq6s7733q2Rb0yuot9Zgfqa/0=
From c95086b615cd754b017dab37b1604bf89a01b884 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 4 Nov 2022 14:32:58 -0600 Subject: [PATCH 049/257] Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.65.0 to 1.66.0 (#3576) Bumps [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) from 1.65.0 to 1.66.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.65.0...service/ec2/v1.66.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index eff4be5183..edaae2716e 100644 --- a/go.mod +++ b/go.mod @@ -20,7 +20,7 @@ require ( github.com/aws/aws-sdk-go-v2/credentials v1.12.17 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14 github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 - github.com/aws/aws-sdk-go-v2/service/ec2 v1.65.0 + github.com/aws/aws-sdk-go-v2/service/ec2 v1.66.0 github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 github.com/aws/aws-sdk-go-v2/service/kms v1.18.8 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 diff --git a/go.sum b/go.sum index 051f879d6e..0bf252b634 100644 --- a/go.sum +++ b/go.sum 
@@ -296,8 +296,8 @@ github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21 h1:lpwSbLKYTuABo6SyUoC25xAmfO3 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21/go.mod h1:Q0pktZjvRZk77TBto6yAvUAi7fcse1bdcMctBDVGgBw= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 h1:2f0kb+39miQPRp0b7Sqq06+TpxI0Nfcra41QxzJPME8= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0/go.mod h1:AVLIBQ9V7mcHd5uZT1+wUbBt4QaI/XcOens85Ib0W1o= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.65.0 h1:LuklvKRN2P052bAzcyjoHGMI3fFehfBcj8C/uakPWa4= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.65.0/go.mod h1:zul71QqzR4D1a90/5FloZiAnZ1CtuIjVH7R9MP997+A= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.66.0 h1:yankZN/p8rKWHCgbj6N2SGeZ66XFqOS3Ud80DahavQs= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.66.0/go.mod h1:zul71QqzR4D1a90/5FloZiAnZ1CtuIjVH7R9MP997+A= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 h1:m/WtVqEvgwDiUPIW2dtnF2hDE1O62MEflz9ClOlCXAs= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16/go.mod h1:w8wndcRxwILFQAzwkUKyEDz4LDHEBSR78KRdaNjUKQA= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.14/go.mod h1:8qOLjqMzY/S1kh3myDXA1yxK5eD4uN8aOJgKpgvc4OM= From c22dc5796a70c52cbad90bea66623e7dee5d2e00 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 4 Nov 2022 15:14:04 -0600 Subject: [PATCH 050/257] Bump cloud.google.com/go/security from 1.9.0 to 1.10.0 (#3573) Bumps [cloud.google.com/go/security](https://github.com/googleapis/google-cloud-go) from 1.9.0 to 1.10.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/asset/v1.9.0...asset/v1.10.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/security dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index edaae2716e..1033d1e82a 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.19 require ( cloud.google.com/go/secretmanager v1.9.0 - cloud.google.com/go/security v1.9.0 + cloud.google.com/go/security v1.10.0 cloud.google.com/go/storage v1.27.0 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 diff --git a/go.sum b/go.sum index 0bf252b634..509f2e60f4 100644 --- a/go.sum +++ b/go.sum @@ -156,8 +156,8 @@ cloud.google.com/go/secretmanager v1.9.0/go.mod h1:b71qH2l1yHmWQHt9LC80akm86mX8A cloud.google.com/go/security v1.5.0/go.mod h1:lgxGdyOKKjHL4YG3/YwIL2zLqMFCKs0UbQwgyZmfJl4= cloud.google.com/go/security v1.7.0/go.mod h1:mZklORHl6Bg7CNnnjLH//0UlAlaXqiG7Lb9PsPXLfD0= cloud.google.com/go/security v1.8.0/go.mod h1:hAQOwgmaHhztFhiQ41CjDODdWP0+AE1B3sX4OFlq+GU= -cloud.google.com/go/security v1.9.0 h1:o9frPOtXW2f4zMlw4SYPE42LRz/hhrYVWtAEUkPvyA4= -cloud.google.com/go/security v1.9.0/go.mod h1:6Ta1bO8LXI89nZnmnsZGp9lVoVWXqsVbIq/t9dzI+2Q= +cloud.google.com/go/security v1.10.0 h1:KSKzzJMyUoMRQzcz7azIgqAUqxo7rmQ5rYvimMhikqg= +cloud.google.com/go/security v1.10.0/go.mod h1:QtOMZByJVlibUT2h9afNDWRZ1G96gVywH8T5GUSb9IA= cloud.google.com/go/securitycenter v1.13.0/go.mod h1:cv5qNAqjY84FCN6Y9z28WlkKXyWsgLO832YiWwkCWcU= cloud.google.com/go/securitycenter v1.14.0/go.mod h1:gZLAhtyKv85n52XYWt6RmeBdydyxfPeTrpToDPw4Auc= cloud.google.com/go/servicedirectory v1.4.0/go.mod h1:gH1MUaZCgtP7qQiI+F+A+OpeKF/HQWgtAddhTbhL2bs= From d98577f7eb8862a660a91d3a8560bb4bbca7b083 Mon Sep 17 00:00:00 2001 
From: Andrew Harding Date: Fri, 4 Nov 2022 16:28:29 -0600 Subject: [PATCH 051/257] Fix racy bundle client tests (#3575) This change fixes test failures in the bundle client package. The failures were caused by non-goroutine safe manipulation of a map of configurations used as a config source and also an errant assertion that didn't account for production code behavior. To fix the non-goroutine safe config source, a new type was introduced that protected the underlying config map with a RW mutex. The errant assertion assumed that only one bundle refresh would be performed for a newly discovered trust domain. However, since the manual refresh operation ends up kicking off a goroutine that will also periodically refresh the bundle, under certain timing conditions, the bundle is refreshed twice. The assertion was updated to ensure that the bundle is updated at least once. Fixes: #2840,#3401 Signed-off-by: Andrew Harding --- pkg/server/bundle/client/manager_test.go | 48 ++++++++++++------------ pkg/server/bundle/client/sources.go | 42 +++++++++++++++++++-- pkg/server/bundle/client/sources_test.go | 12 +++--- pkg/server/server.go | 2 +- 4 files changed, 71 insertions(+), 33 deletions(-) diff --git a/pkg/server/bundle/client/manager_test.go b/pkg/server/bundle/client/manager_test.go index 6d1d390aed..38ccc6ca93 100644 --- a/pkg/server/bundle/client/manager_test.go +++ b/pkg/server/bundle/client/manager_test.go @@ -13,7 +13,6 @@ import ( "github.com/spiffe/spire/pkg/common/telemetry" "github.com/spiffe/spire/test/clock" "github.com/spiffe/spire/test/fakes/fakedatastore" - "github.com/spiffe/spire/test/util" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "github.com/zeebo/errs" 
@@ -27,12 +26,12 @@ func TestManagerPeriodicBundleRefresh(t *testing.T) { endpointBundle := bundleutil.BundleFromRootCA(trustDomain, createCACertificate(t, "endpoint")) endpointBundle.SetRefreshHint(time.Hour * 2) - source := TrustDomainConfigMap{ + source := NewTrustDomainConfigSet(TrustDomainConfigMap{ trustDomain: TrustDomainConfig{ EndpointURL: "https://example.org/bundle", EndpointProfile: HTTPSWebProfile{}, }, - } + }) testCases := []struct { name string @@ -85,13 +84,9 @@ func TestManagerPeriodicBundleRefresh(t *testing.T) { } func TestManagerOnDemandBundleRefresh(t *testing.T) { - util.SkipFlakyTestUnderRaceDetectorWithFiledIssue( - t, - "https://github.com/spiffe/spire/issues/2840", - ) - trustDomainConfigs := make(TrustDomainConfigMap) + configSet := NewTrustDomainConfigSet(nil) - test := newManagerTest(t, trustDomainConfigs, nil, nil) + test := newManagerTest(t, configSet, nil, nil) // Wait for the config to be refreshed test.WaitForConfigRefresh() @@ -104,15 +99,19 @@ func TestManagerOnDemandBundleRefresh(t *testing.T) { // Now, add the trust domain configuration to the source and assert // that refreshing the bundle reloads configs from the source. - trustDomainConfigs[trustDomain] = TrustDomainConfig{ + configSet.Set(trustDomain, TrustDomainConfig{ EndpointURL: "https://some-domain.test/bundle", EndpointProfile: HTTPSWebProfile{}, - } + }) has, err = test.RefreshBundleFor(trustDomain) assert.True(t, has, "manager should know about the trust domain") assert.EqualError(t, err, "OHNO") - assert.Equal(t, 1, test.UpdateCount(trustDomain)) + + // The update count may be more than 1, since RefreshBundle will update the + // bundle, but also, since the trust domain is newly managed, kick off a + // goroutine that will refresh it as well. + assert.Greater(t, test.UpdateCount(trustDomain), 0) } func TestManagerConfigPeriodicRefresh(t *testing.T) { 
@@ -141,11 +140,12 @@ func TestManagerConfigPeriodicRefresh(t *testing.T) { }, } - trustDomainConfigs := make(TrustDomainConfigMap) - trustDomainConfigs[td1] = configSPIFFEA - trustDomainConfigs[td2] = configWebA + configSet := NewTrustDomainConfigSet(TrustDomainConfigMap{ + td1: configSPIFFEA, + td2: configWebA, + }) - test := newManagerTest(t, trustDomainConfigs, nil, nil) + test := newManagerTest(t, configSet, nil, nil) // Wait until the config is refreshed and a bundle refresh happens test.WaitForConfigRefresh() @@ -166,9 +166,10 @@ func TestManagerConfigPeriodicRefresh(t *testing.T) { // Now adjust the configuration to drop td1, change td2, and introduce td3. // Both td2 and td3 should have an extra update count. td1 update count will // remain the same. - delete(trustDomainConfigs, td1) - trustDomainConfigs[td2] = configSPIFFEB - trustDomainConfigs[td3] = configWebB + configSet.SetAll(TrustDomainConfigMap{ + td2: configSPIFFEB, + td3: configWebB, + }) // Wait until the config is refreshed and a bundle refresh happens test.AdvanceTime(bundleutil.MinimumRefreshHint + time.Millisecond) @@ -198,10 +199,11 @@ func TestManagerConfigManualRefresh(t *testing.T) { EndpointProfile: HTTPSWebProfile{}, } - trustDomainConfigs := make(TrustDomainConfigMap) - trustDomainConfigs[td1] = config1 + configSet := NewTrustDomainConfigSet(TrustDomainConfigMap{ + td1: config1, + }) - test := newManagerTest(t, trustDomainConfigs, nil, nil) + test := newManagerTest(t, configSet, nil, nil) // Wait for the original config to be loaded test.WaitForConfigRefresh() @@ -210,7 +212,7 @@ func TestManagerConfigManualRefresh(t *testing.T) { }, test.GetTrustDomainConfigs()) // Update config and trigger the reload - trustDomainConfigs[td2] = config2 + configSet.Set(td2, config2) test.manager.TriggerConfigReload() test.WaitForConfigRefresh() require.Equal(t, map[spiffeid.TrustDomain]TrustDomainConfig{ 
diff --git a/pkg/server/bundle/client/sources.go b/pkg/server/bundle/client/sources.go index f30223f566..b66ff56fc8 100644 --- a/pkg/server/bundle/client/sources.go +++ b/pkg/server/bundle/client/sources.go @@ -2,6 +2,7 @@ package client import ( "context" + "sync" "github.com/sirupsen/logrus" "github.com/spiffe/go-spiffe/v2/spiffeid" @@ -19,10 +20,45 @@ func (fn TrustDomainConfigSourceFunc) GetTrustDomainConfigs(ctx context.Context) return fn(ctx) } -type TrustDomainConfigMap map[spiffeid.TrustDomain]TrustDomainConfig +type TrustDomainConfigMap = map[spiffeid.TrustDomain]TrustDomainConfig -func (m TrustDomainConfigMap) GetTrustDomainConfigs(ctx context.Context) (map[spiffeid.TrustDomain]TrustDomainConfig, error) { - return m, nil +type TrustDomainConfigSet struct { + mtx sync.RWMutex + configMap TrustDomainConfigMap +} + +func NewTrustDomainConfigSet(configs TrustDomainConfigMap) *TrustDomainConfigSet { + s := &TrustDomainConfigSet{} + s.SetAll(configs) + return s +} + +func (s *TrustDomainConfigSet) Set(td spiffeid.TrustDomain, config TrustDomainConfig) { + s.mtx.Lock() + defer s.mtx.Unlock() + s.configMap[td] = config +} + +func (s *TrustDomainConfigSet) SetAll(configMap TrustDomainConfigMap) { + configMap = duplicateTrustDomainConfigMap(configMap) + + s.mtx.Lock() + defer s.mtx.Unlock() + s.configMap = configMap +} + +func (s *TrustDomainConfigSet) GetTrustDomainConfigs(ctx context.Context) (map[spiffeid.TrustDomain]TrustDomainConfig, error) { + s.mtx.RLock() + defer s.mtx.RUnlock() + return s.configMap, nil +} + +func duplicateTrustDomainConfigMap(in TrustDomainConfigMap) TrustDomainConfigMap { + out := make(TrustDomainConfigMap, len(in)) + for td, config := range in { + out[td] = config + } + return out } func MergeTrustDomainConfigSources(sources ...TrustDomainConfigSource) TrustDomainConfigSource { diff --git a/pkg/server/bundle/client/sources_test.go b/pkg/server/bundle/client/sources_test.go index 0dbcead875..ffa498eb45 100644 
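Review bot: `GetTrustDomainConfigs` returns `s.configMap` itself, so after `RUnlock` the caller holds the same map that `Set` later writes under `Lock`, and the mutex no longer separates that reader from the writer. `SetAll` is safe because it swaps in a copy, but `Set` mutates in place; a caller that ranges over the returned map while `Set` runs would hit Go's concurrent map read/write fault, which would take down the process serving federation config. Returning a copy closes this: `return duplicateTrustDomainConfigMap(s.configMap), nil`. Separately, `Set` on a zero-value `TrustDomainConfigSet` (one not built by `NewTrustDomainConfigSet`) writes to a nil map; a doc comment on the type such as `// TrustDomainConfigSet must be created with NewTrustDomainConfigSet.` would make that explicit. The body of `MergeTrustDomainConfigSources` continues outside the hunk, so how callers consume the returned map is not visible here.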
--- a/pkg/server/bundle/client/sources_test.go +++ b/pkg/server/bundle/client/sources_test.go @@ -21,15 +21,15 @@ var ( ) func TestMergedTrustDomainConfigSource(t *testing.T) { - sourceA := client.TrustDomainConfigMap{ + sourceA := client.NewTrustDomainConfigSet(client.TrustDomainConfigMap{ domain1: client.TrustDomainConfig{EndpointURL: "A"}, - } - sourceB := client.TrustDomainConfigMap{ + }) + sourceB := client.NewTrustDomainConfigSet(client.TrustDomainConfigMap{ domain1: client.TrustDomainConfig{EndpointURL: "B"}, - } - sourceC := client.TrustDomainConfigMap{ + }) + sourceC := client.NewTrustDomainConfigSet(client.TrustDomainConfigMap{ domain2: client.TrustDomainConfig{EndpointURL: "A"}, - } + }) t.Run("context is passed through and error returned", func(t *testing.T) { expectedCtx, cancel := context.WithCancel(context.Background()) diff --git a/pkg/server/server.go b/pkg/server/server.go index e700831e5b..214f550d2a 100644 --- a/pkg/server/server.go +++ b/pkg/server/server.go @@ -353,7 +353,7 @@ func (s *Server) newBundleManager(cat catalog.Catalog, metrics telemetry.Metrics Metrics: metrics, DataStore: cat.GetDataStore(), Source: bundle_client.MergeTrustDomainConfigSources( - bundle_client.TrustDomainConfigMap(s.config.Federation.FederatesWith), + bundle_client.NewTrustDomainConfigSet(s.config.Federation.FederatesWith), bundle_client.DataStoreTrustDomainConfigSource(log, cat.GetDataStore()), ), }) From 9aab1cde1d58751796f0cf446d4d74dd4992c0d5 Mon Sep 17 00:00:00 2001 From: Andrew Harding Date: Tue, 8 Nov 2022 05:45:49 -0700 Subject: [PATCH 052/257] Fix racy AttestAgent tests (#3579) * Fix racy AttestAgent tests Signed-off-by: Andrew Harding --- .../run_unit_tests_under_race_detector.sh | 2 +- Makefile | 7 ----- pkg/server/api/agent/v1/service_test.go | 31 ++++++++++--------- test/spiretest/apiserver.go | 2 +- test/util/race.go | 18 ----------- 5 files changed, 19 insertions(+), 41 deletions(-) 
diff --git a/.github/workflows/scripts/run_unit_tests_under_race_detector.sh b/.github/workflows/scripts/run_unit_tests_under_race_detector.sh index 993ed633b5..4581c6b501 100755 --- a/.github/workflows/scripts/run_unit_tests_under_race_detector.sh +++ b/.github/workflows/scripts/run_unit_tests_under_race_detector.sh @@ -8,7 +8,7 @@ if [ -n "${COVERALLS_TOKEN}" ]; then go install github.com/mattn/goveralls@v0.0.7 fi -COVERPROFILE="${COVERPROFILE}" make ci-race-test +COVERPROFILE="${COVERPROFILE}" make race-test if [ -n "${COVERALLS_TOKEN}" ]; then "$(go env GOPATH)"/bin/goveralls -coverprofile="${COVERPROFILE}" \ diff --git a/Makefile b/Makefile index 91ed698707..2460aefe85 100644 --- a/Makefile +++ b/Makefile @@ -299,13 +299,6 @@ else $(E)$(go_path) go test $(go_flags) $(go_test_flags) -race ./... endif -ci-race-test: | go-check -ifneq ($(COVERPROFILE),) - $(E)SKIP_FLAKY_TESTS_UNDER_RACE_DETECTOR=1 $(go_path) go test $(go_flags) $(go_test_flags) -race -count=1 -coverprofile="$(COVERPROFILE)" ./... -else - $(E)SKIP_FLAKY_TESTS_UNDER_RACE_DETECTOR=1 $(go_path) go test $(go_flags) $(go_test_flags) -race -count=1 ./... -endif - integration: ifeq ($(os1), windows) $(error Integration tests are not supported on windows) diff --git a/pkg/server/api/agent/v1/service_test.go b/pkg/server/api/agent/v1/service_test.go index f81e0a48bf..0d0101d244 100644 --- a/pkg/server/api/agent/v1/service_test.go +++ b/pkg/server/api/agent/v1/service_test.go @@ -31,7 +31,6 @@ import ( "github.com/spiffe/spire/test/fakes/fakeservernodeattestor" "github.com/spiffe/spire/test/spiretest" "github.com/spiffe/spire/test/testkey" - "github.com/spiffe/spire/test/util" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "google.golang.org/grpc" 
@@ -2137,10 +2136,6 @@ func TestCreateJoinTokenWithAgentId(t *testing.T) { } func TestAttestAgent(t *testing.T) { - util.SkipFlakyTestUnderRaceDetectorWithFiledIssue( - t, - "https://github.com/spiffe/spire/issues/2841", - ) testCsr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, testKey) require.NoError(t, err) @@ -2998,7 +2993,23 @@ func TestAttestAgent(t *testing.T) { t.Run(tt.name, func(t *testing.T) { // setup test := setupServiceTest(t, 0) - defer test.Cleanup() + defer func() { + // Since this is a bidirectional streaming API, it's possible + // that the server is still emitting auditing logs even though + // we've received the last response from the server. In order + // to avoid racing on the log hook, clean up the test (to make + // sure the server has shut down) before checking for log + // entries. + test.Cleanup() + + // Scrub out client address before comparing logs. + for _, e := range test.logHook.AllEntries() { + if _, ok := e.Data[telemetry.Address]; ok { + e.Data[telemetry.Address] = "" + } + } + spiretest.AssertLogs(t, test.logHook.AllEntries(), tt.expectLogs) + }() ctx, cancel := context.WithCancel(context.Background()) defer cancel() @@ -3040,18 +3051,10 @@ func TestAttestAgent(t *testing.T) { case tt.expectCode != codes.OK: require.Nil(t, result) default: - // Clean address on logs - for _, e := range test.logHook.AllEntries() { - if _, ok := e.Data[telemetry.Address]; ok { - e.Data[telemetry.Address] = "" - } - } - require.NotNil(t, result) test.assertAttestAgentResult(t, tt.expectedID, result) test.assertAgentWasStored(t, tt.expectedID.String(), tt.expectedSelectors) } - spiretest.AssertLogs(t, test.logHook.AllEntries(), tt.expectLogs) }) } } diff --git a/test/spiretest/apiserver.go b/test/spiretest/apiserver.go index 1b4425e6d4..caef4e8c5d 100644 --- a/test/spiretest/apiserver.go +++ b/test/spiretest/apiserver.go 
@@ -43,7 +43,7 @@ func newAPIServer(t *testing.T, registerFn func(s *grpc.Server), server *grpc.Se done := func() { assert.NoError(t, conn.Close()) - server.Stop() + server.GracefulStop() err := <-errCh switch { case err == nil, errors.Is(err, grpc.ErrServerStopped): diff --git a/test/util/race.go b/test/util/race.go index 088c7d0850..dd1504a169 100644 --- a/test/util/race.go +++ b/test/util/race.go @@ -3,13 +3,10 @@ package util import ( "fmt" "os" - "regexp" "strconv" "testing" ) -const flakyTestEnvKey = "SKIP_FLAKY_TESTS_UNDER_RACE_DETECTOR" - var ( raceTestNumThreads = 2 raceTestNumLoops = 2 @@ -46,18 +43,3 @@ func getEnvInt(name string, fallback int) int { } return fallback } - -func SkipFlakyTestUnderRaceDetectorWithFiledIssue(t *testing.T, issue string) { - t.Helper() - const issuePattern = "https://github.com/spiffe/spire/issues/[[:digit:]]{4,}" - issueRegexp := regexp.MustCompile(issuePattern) - if !issueRegexp.Match([]byte(issue)) { - msg := "Skip only allowed with associated issue. " - msg += "%q does not appear to be an issue. " - msg += "File an issue and specify it to skip a test under race detector." - t.Fatalf(fmt.Sprintf(msg, issue)) - } - if _, skip := os.LookupEnv(flakyTestEnvKey); skip { - t.Skipf("Skipping under race decector until %s is resolved.", issue) - } -} From 800ab8d32267b852b2bb4ceac96e26b5d1c388bf Mon Sep 17 00:00:00 2001 From: Dennis Gove Date: Tue, 8 Nov 2022 13:11:32 -0500 Subject: [PATCH 053/257] Fixes #3581: Ensures that config default_svid_ttl can still be used (#3583) Signed-off-by: Dennis Gove --- cmd/spire-server/cli/run/run.go | 27 +++++++++++++++++---------- cmd/spire-server/cli/run/run_test.go | 2 -- 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/cmd/spire-server/cli/run/run.go b/cmd/spire-server/cli/run/run.go index 5dfa4d42b3..49ac95ac40 100644 --- a/cmd/spire-server/cli/run/run.go +++ b/cmd/spire-server/cli/run/run.go 
@@ -469,7 +469,8 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool sc.AgentTTL = ttl } - if c.Server.DefaultX509SVIDTTL != "" { + switch { + case c.Server.DefaultX509SVIDTTL != "": ttl, err := time.ParseDuration(c.Server.DefaultX509SVIDTTL) if err != nil { return nil, fmt.Errorf("could not parse default X509 SVID ttl %q: %w", c.Server.DefaultX509SVIDTTL, err) @@ -479,7 +480,7 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool if sc.X509SVIDTTL != 0 && c.Server.DefaultSVIDTTL != "" { logger.Warnf("both default_x509_svid_ttl and default_svid_ttl are configured; default_x509_svid_ttl (%s) will be used for X509-SVIDs", c.Server.DefaultX509SVIDTTL) } - } else if c.Server.DefaultSVIDTTL != "" { + case c.Server.DefaultSVIDTTL != "": logger.Warn("field default_svid_ttl is deprecated; consider using default_x509_svid_ttl and default_jwt_svid_ttl instead") ttl, err := time.ParseDuration(c.Server.DefaultSVIDTTL) @@ -487,6 +488,10 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool return nil, fmt.Errorf("could not parse default SVID ttl %q: %w", c.Server.DefaultSVIDTTL, err) } sc.X509SVIDTTL = ttl + default: + // If neither new nor deprecated config value is set, then use hard-coded default TTL + // Note, due to back-compat issues we cannot set this default inside defaultConfig() function + sc.X509SVIDTTL = ca.DefaultX509SVIDTTL } if c.Server.DefaultJWTSVIDTTL != "" { 
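Review bot: Each branch of the new `switch` (spread over this hunk and the two before it, and likewise the JWT `else` in the next hunk) assigns whatever `time.ParseDuration` returns, and that function accepts `0s` and negative durations without error. Because the hard-coded default is now applied only when the string is empty, an explicit `default_x509_svid_ttl = "0s"` leaves `sc.X509SVIDTTL` at zero rather than `ca.DefaultX509SVIDTTL`; whether a later validation step rejects that is not visible in these hunks. SVID lifetime is a security parameter, so I would reject it where it is parsed, for example `if ttl <= 0 { return nil, fmt.Errorf("default SVID ttl must be positive, got %q", c.Server.DefaultSVIDTTL) }`, with the matching check in the X509 and JWT branches. `NewServerConfig` starts and ends outside the hunk.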
@@ -499,6 +504,10 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool if sc.JWTSVIDTTL != 0 && c.Server.DefaultSVIDTTL != "" { logger.Warnf("both default_jwt_svid_ttl and default_svid_ttl are configured; default_jwt_svid_ttl (%s) will be used for JWT-SVIDs", c.Server.DefaultJWTSVIDTTL) } + } else { + // If not set using new field then use hard-coded default TTL + // Note, due to back-compat issues we cannot set this default inside defaultConfig() function + sc.JWTSVIDTTL = ca.DefaultJWTSVIDTTL } if c.Server.CATTL != "" { @@ -831,14 +840,12 @@ func checkForUnknownConfig(c *Config, l logrus.FieldLogger) (err error) { func defaultConfig() *Config { return &Config{ Server: &serverConfig{ - BindAddress: "0.0.0.0", - BindPort: 8081, - CATTL: ca.DefaultCATTL.String(), - LogLevel: defaultLogLevel, - LogFormat: log.DefaultFormat, - DefaultX509SVIDTTL: ca.DefaultX509SVIDTTL.String(), - DefaultJWTSVIDTTL: ca.DefaultJWTSVIDTTL.String(), - Experimental: experimentalConfig{}, + BindAddress: "0.0.0.0", + BindPort: 8081, + CATTL: ca.DefaultCATTL.String(), + LogLevel: defaultLogLevel, + LogFormat: log.DefaultFormat, + Experimental: experimentalConfig{}, }, } } diff --git a/cmd/spire-server/cli/run/run_test.go b/cmd/spire-server/cli/run/run_test.go index 9c5292728c..d4fa675a3b 100644 --- a/cmd/spire-server/cli/run/run_test.go +++ b/cmd/spire-server/cli/run/run_test.go @@ -639,8 +639,6 @@ func TestNewServerConfig(t *testing.T) { msg: "default_svid_ttl is correctly parsed", input: func(c *Config) { c.Server.DefaultSVIDTTL = "1m" - c.Server.DefaultX509SVIDTTL = "" - c.Server.DefaultJWTSVIDTTL = "" }, test: func(t *testing.T, c *server.Config) { require.Equal(t, time.Minute, c.X509SVIDTTL) From 8f8e8431af36ce6adb15831739ce9710708aff61 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Tue, 8 Nov 2022 18:25:01 -0300 Subject: [PATCH 054/257] Atomic writing of files on Windows with a specific security descriptor (#3577) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Atomic writing of files on Windows with a specific security descriptor Signed-off-by: Agustín Martínez Fayó --- pkg/agent/plugin/keymanager/disk/disk.go | 2 +- pkg/agent/storage/legacy.go | 4 +- pkg/agent/storage/storage.go | 2 +- pkg/common/diskutil/file_posix.go | 28 ++++-- pkg/common/diskutil/file_posix_test.go | 79 +++++++++++++++++ pkg/common/diskutil/file_test.go | 68 --------------- pkg/common/diskutil/file_windows.go | 100 +++++++++++++++++----- pkg/common/diskutil/file_windows_test.go | 95 ++++++++++++++++++++ pkg/common/sddl/sddl_windows.go | 8 ++ pkg/server/ca/journal.go | 2 +- pkg/server/plugin/keymanager/disk/disk.go | 2 +- 11 files changed, 287 insertions(+), 103 deletions(-) create mode 100644 pkg/common/diskutil/file_posix_test.go delete mode 100644 pkg/common/diskutil/file_test.go create mode 100644 pkg/common/diskutil/file_windows_test.go diff --git a/pkg/agent/plugin/keymanager/disk/disk.go b/pkg/agent/plugin/keymanager/disk/disk.go index 2dbd91f49e..8a91014ad8 100644 --- a/pkg/agent/plugin/keymanager/disk/disk.go +++ b/pkg/agent/plugin/keymanager/disk/disk.go @@ -167,7 +167,7 @@ func writeEntries(path string, entries []*keymanagerbase.KeyEntry) error { return status.Errorf(codes.Internal, "unable to marshal entries: %v", err) } - if err := diskutil.AtomicWriteFile(path, jsonBytes, 0600); err != nil { + if err := diskutil.AtomicWritePrivateFile(path, jsonBytes); err != nil { return status.Errorf(codes.Internal, "unable to write entries: %v", err) } diff --git a/pkg/agent/storage/legacy.go b/pkg/agent/storage/legacy.go index 18a7487ac4..acf1d863bd 100644 --- a/pkg/agent/storage/legacy.go +++ b/pkg/agent/storage/legacy.go 
@@ -31,7 +31,7 @@ func storeLegacyBundle(dir string, bundle []*x509.Certificate) error { for _, cert := range bundle { data.Write(cert.Raw) } - if err := diskutil.AtomicWriteFile(legacyBundlePath(dir), data.Bytes(), 0600); err != nil { + if err := diskutil.AtomicWritePrivateFile(legacyBundlePath(dir), data.Bytes()); err != nil { return fmt.Errorf("failed to store legacy bundle: %w", err) } return nil @@ -55,7 +55,7 @@ func storeLegacySVID(dir string, svidChain []*x509.Certificate) error { for _, cert := range svidChain { data.Write(cert.Raw) } - if err := diskutil.AtomicWriteFile(legacySVIDPath(dir), data.Bytes(), 0600); err != nil { + if err := diskutil.AtomicWritePrivateFile(legacySVIDPath(dir), data.Bytes()); err != nil { return fmt.Errorf("failed to store legacy SVID: %w", err) } return nil diff --git a/pkg/agent/storage/storage.go b/pkg/agent/storage/storage.go index e1f26886cb..4498d2e1d4 100644 --- a/pkg/agent/storage/storage.go +++ b/pkg/agent/storage/storage.go @@ -244,7 +244,7 @@ func storeData(dir string, data storageData) error { return fmt.Errorf("failed to marshal data: %w", err) } - if err := diskutil.AtomicWriteFile(path, marshaled, 0600); err != nil { + if err := diskutil.AtomicWritePrivateFile(path, marshaled); err != nil { return fmt.Errorf("failed to write data file: %w", err) } diff --git a/pkg/common/diskutil/file_posix.go b/pkg/common/diskutil/file_posix.go index ddee077ba8..180386d3c4 100644 --- a/pkg/common/diskutil/file_posix.go +++ b/pkg/common/diskutil/file_posix.go 
@@ -8,16 +8,36 @@ import ( "path/filepath" ) -// AtomicWriteFile writes data out. It writes to a temp file first, fsyncs that file, +// AtomicWritePrivateFile writes data out. It writes to a temp file first, fsyncs that file, // then swaps the file in. os.Rename is an atomic operation, so this sequence avoids having // a partially written file at the final location. Finally, fsync is called on the directory // to ensure the rename is persisted. -func AtomicWriteFile(path string, data []byte, mode os.FileMode) error { +func AtomicWritePrivateFile(path string, data []byte) error { + return atomicWrite(path, data, 0600) +} + +// AtomicWritePubliclyReadableFile writes data out. It writes to a temp file first, fsyncs that file, +// then swaps the file in. os.Rename is an atomic operation, so this sequence avoids having +// a partially written file at the final location. Finally, fsync is called on the directory +// to ensure the rename is persisted. +func AtomicWritePubliclyReadableFile(path string, data []byte) error { + return atomicWrite(path, data, 0644) +} + +func CreateDataDirectory(path string) error { + return os.MkdirAll(path, 0755) +} + +func atomicWrite(path string, data []byte, mode os.FileMode) error { tmpPath := path + ".tmp" if err := write(tmpPath, data, mode); err != nil { return err } + return rename(tmpPath, path) +} + +func rename(tmpPath, path string) error { if err := os.Rename(tmpPath, path); err != nil { return err } @@ -35,10 +55,6 @@ func AtomicWriteFile(path string, data []byte, mode os.FileMode) error { return dir.Close() } -func CreateDataDirectory(path string) error { - return os.MkdirAll(path, 0755) -} - func write(tmpPath string, data []byte, mode os.FileMode) error { file, err := os.OpenFile(tmpPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, mode) if err != nil { diff --git a/pkg/common/diskutil/file_posix_test.go b/pkg/common/diskutil/file_posix_test.go new file mode 100644 index 0000000000..c305d54ddf --- /dev/null 
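Review bot: `AtomicWritePrivateFile` promises a 0600 file, but `atomicWrite` still goes through `write`, whose `os.OpenFile(tmpPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, mode)` applies `mode` only when it creates the file (and then subject to the umask). If `path + ".tmp"` is left over from an interrupted write or from an earlier `AtomicWritePubliclyReadableFile` call on the same path, its existing permission bits are kept and renamed onto the final location, so key material can end up readable more widely than the function name says. Calling `file.Chmod(mode)` right after the open, or removing a stale temp file and opening with `os.O_EXCL`, makes the mode hold regardless of what was there before. The Windows `createFileForWriting` added later in this patch uses `windows.CREATE_ALWAYS`, which as far as I know also ignores the supplied security descriptor when the file already exists, so the same check is worth making there. `write` continues outside the hunk.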
+++ b/pkg/common/diskutil/file_posix_test.go @@ -0,0 +1,79 @@ +//go:build !windows +// +build !windows + +package diskutil + +import ( + "os" + "path/filepath" + "testing" + + "github.com/spiffe/spire/test/spiretest" + "github.com/stretchr/testify/require" +) + +func TestAtomicWritePrivateFile(t *testing.T) { + dir := spiretest.TempDir(t) + + tests := []struct { + name string + data []byte + atomicWriteFunc func(string, []byte) error + expectMode os.FileMode + }{ + { + name: "basic - AtomicWritePrivateFile", + data: []byte("Hello, World"), + atomicWriteFunc: AtomicWritePrivateFile, + expectMode: 0600, + }, + { + name: "empty - AtomicWritePrivateFile", + data: []byte{}, + atomicWriteFunc: AtomicWritePrivateFile, + expectMode: 0600, + }, + { + name: "binary - AtomicWritePrivateFile", + data: []byte{0xFF, 0, 0xFF, 0x3D, 0xD8, 0xA9, 0xDC, 0xF0, 0x9F, 0x92, 0xA9}, + atomicWriteFunc: AtomicWritePrivateFile, + expectMode: 0600, + }, + { + name: "basic - AtomicWritePubliclyReadableFile", + data: []byte("Hello, World"), + atomicWriteFunc: AtomicWritePubliclyReadableFile, + expectMode: 0644, + }, + { + name: "empty - AtomicWritePubliclyReadableFile", + data: []byte{}, + atomicWriteFunc: AtomicWritePubliclyReadableFile, + expectMode: 0644, + }, + { + name: "binary - AtomicWritePubliclyReadableFile", + data: []byte{0xFF, 0, 0xFF, 0x3D, 0xD8, 0xA9, 0xDC, 0xF0, 0x9F, 0x92, 0xA9}, + atomicWriteFunc: AtomicWritePubliclyReadableFile, + expectMode: 0644, + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + file := filepath.Join(dir, "file") + err := tt.atomicWriteFunc(file, tt.data) + require.NoError(t, err) + + info, err := os.Stat(file) + require.NoError(t, err) + require.EqualValues(t, tt.expectMode, info.Mode()) + + content, err := os.ReadFile(file) + require.NoError(t, err) + require.Equal(t, tt.data, content) + + require.NoError(t, os.Remove(file)) + }) + } +} 
diff --git a/pkg/common/diskutil/file_test.go b/pkg/common/diskutil/file_test.go deleted file mode 100644 index 6389af3f36..0000000000 --- a/pkg/common/diskutil/file_test.go +++ /dev/null @@ -1,68 +0,0 @@ -package diskutil - -import ( - "os" - "path/filepath" - "runtime" - "testing" - - "github.com/spiffe/spire/test/spiretest" - "github.com/stretchr/testify/require" -) - -func TestAtomicWriteFile(t *testing.T) { - dir := spiretest.TempDir(t) - - tests := []struct { - name string - data []byte - mode os.FileMode - expectPosixMode os.FileMode - expectWindowsMode os.FileMode - }{ - { - name: "basic test", - data: []byte("Hello, World"), - mode: 0600, - expectPosixMode: 0600, - expectWindowsMode: 0666, - }, - { - name: "empty", - data: []byte{}, - mode: 0440, - expectPosixMode: 0440, - expectWindowsMode: 0444, - }, - { - name: "binary", - data: []byte{0xFF, 0, 0xFF, 0x3D, 0xD8, 0xA9, 0xDC, 0xF0, 0x9F, 0x92, 0xA9}, - mode: 0644, - expectPosixMode: 0644, - expectWindowsMode: 0666, - }, - } - for _, tt := range tests { - tt := tt - t.Run(tt.name, func(t *testing.T) { - file := filepath.Join(dir, "file") - err := AtomicWriteFile(file, tt.data, tt.mode) - require.NoError(t, err) - - info, err := os.Stat(file) - require.NoError(t, err) - switch runtime.GOOS { - case "windows": - require.EqualValues(t, tt.expectWindowsMode, info.Mode()) - default: - require.EqualValues(t, tt.expectPosixMode, info.Mode()) - } - - content, err := os.ReadFile(file) - require.NoError(t, err) - require.Equal(t, tt.data, content) - - require.NoError(t, os.Remove(file)) - }) - } -} diff --git a/pkg/common/diskutil/file_windows.go b/pkg/common/diskutil/file_windows.go index d440d32719..f192daede8 100644 --- a/pkg/common/diskutil/file_windows.go +++ b/pkg/common/diskutil/file_windows.go @@ -4,6 +4,7 @@ package diskutil import ( + "fmt" "os" "syscall" "unsafe" 
@@ -17,16 +18,25 @@ const ( movefileWriteThrough = 0x8 ) -// AtomicWriteFile writes data out. It writes to a temp file first, fsyncs that file, -// then swaps the file in. Rename file using a custom MoveFileEx that uses 'MOVEFILE_WRITE_THROUGH' witch waits until -// file is synced to disk. -func AtomicWriteFile(path string, data []byte, mode os.FileMode) error { - tmpPath := path + ".tmp" - if err := write(tmpPath, data, mode); err != nil { - return err - } +type fileAttribs struct { + pathUTF16Ptr *uint16 + sa *windows.SecurityAttributes +} - return atomicRename(tmpPath, path) +// AtomicWritePrivateFile writes data out to a private file. +// It writes to a temp file first, fsyncs that file, then swaps the file in. +// Rename file using a custom MoveFileEx that uses 'MOVEFILE_WRITE_THROUGH' +// witch waits until file is synced to disk. +func AtomicWritePrivateFile(path string, data []byte) error { + return atomicWrite(path, data, sddl.PrivateFile) +} + +// AtomicWritePubliclyReadableFile writes data out to a publicly readable file. +// It writes to a temp file first, fsyncs that file, then swaps the file in. +// Rename file using a custom MoveFileEx that uses 'MOVEFILE_WRITE_THROUGH' +// witch waits until file is synced to disk. +func AtomicWritePubliclyReadableFile(path string, data []byte) error { + return atomicWrite(path, data, sddl.PubliclyReadableFile) } func CreateDataDirectory(path string) error { 
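Review bot: The doc comments on `AtomicWritePrivateFile` and `AtomicWritePubliclyReadableFile` do not say what access each variant grants, which is the only difference between the two functions, and both carry over the typo `witch`. I would add a line such as `// The file is created with the sddl.PrivateFile security descriptor, which grants access to the owner only.` (and the matching line naming `sddl.PubliclyReadableFile`), and change `witch` to `which`. `fileAttribs` has no comment at all; one line saying it pairs the UTF-16 path pointer with the security attributes handed to the Windows create calls would be enough.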
@@ -78,12 +88,25 @@ func MkdirAll(path string, sddl string) error { return nil } -func write(tmpPath string, data []byte, mode os.FileMode) error { - file, err := os.OpenFile(tmpPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, mode) +func atomicWrite(path string, data []byte, sddl string) error { + tmpPath := path + ".tmp" + if err := write(tmpPath, data, sddl); err != nil { + return err + } + + return atomicRename(tmpPath, path) +} + +func write(tmpPath string, data []byte, sddl string) error { + handle, err := createFileForWriting(tmpPath, sddl) if err != nil { return err } + file := os.NewFile(uintptr(handle), tmpPath) + if file == nil { + return fmt.Errorf("invalid file descriptor for file %q", tmpPath) + } if _, err := file.Write(data); err != nil { file.Close() return err @@ -97,6 +120,25 @@ func write(tmpPath string, data []byte, mode os.FileMode) error { return file.Close() } +func createFileForWriting(path string, sddl string) (windows.Handle, error) { + file, err := getFileWithSecurityAttr(path, sddl) + if err != nil { + return windows.InvalidHandle, err + } + handle, err := windows.CreateFile(file.pathUTF16Ptr, + windows.GENERIC_WRITE, + 0, + file.sa, + windows.CREATE_ALWAYS, + windows.FILE_ATTRIBUTE_NORMAL, + 0) + + if err != nil { + return windows.InvalidHandle, fmt.Errorf("could not create file %q: %w", path, err) + } + return handle, nil +} + func atomicRename(oldPath, newPath string) error { if err := rename(oldPath, newPath); err != nil { return &os.LinkError{ 
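Review bot: In `write`, the `file == nil` branch returns without closing `handle`, so the raw handle obtained from `createFileForWriting` would leak on that path; add `_ = windows.CloseHandle(handle)` before the `return fmt.Errorf(...)`, or drop the check if `os.NewFile` cannot return nil for a handle that `CreateFile` reported as valid. The parameter name `sddl` in `atomicWrite` and `write` also shadows the `sddl` package that `AtomicWritePrivateFile` uses in the same file; a name like `sd` would avoid that, although the hunk header shows `MkdirAll` already uses the same name. The body of `write` continues past the end of this hunk.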
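Review bot: `windows.CREATE_ALWAYS` in `createFileForWriting` reuses and truncates a file that already exists at `path + ".tmp"`, and as far as I know Windows ignores the security descriptor in the security attributes when the file already exists, so a leftover or pre-created temp file keeps its old DACL and is then renamed over the target. For `AtomicWritePrivateFile` this makes the private guarantee depend on the temp path being absent. Removing any stale temp file first and creating with `windows.CREATE_NEW`, failing if the file is still there, would ensure the descriptor is always applied. A Windows test case that pre-creates the `.tmp` file with a permissive DACL would cover this.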
@@ -129,23 +171,35 @@ func rename(oldPath, newPath string) error { // // In the same way as os.MkDir, errors returned are of type *os.PathError. func mkdir(path string, sddl string) error { - sa := windows.SecurityAttributes{Length: 0} - sd, err := windows.SecurityDescriptorFromString(sddl) + file, err := getFileWithSecurityAttr(path, sddl) + if err != nil { + return err + } + + err = windows.CreateDirectory(file.pathUTF16Ptr, file.sa) if err != nil { - return &os.PathError{Op: "mkdir", Path: path, Err: err} + return fmt.Errorf("could not create directory: %w", err) } - sa.Length = uint32(unsafe.Sizeof(sa)) - sa.InheritHandle = 1 - sa.SecurityDescriptor = sd + return nil +} - pathUTF16, err := windows.UTF16PtrFromString(path) +func getFileWithSecurityAttr(path, sddl string) (*fileAttribs, error) { + sd, err := windows.SecurityDescriptorFromString(sddl) if err != nil { - return &os.PathError{Op: "mkdir", Path: path, Err: err} + return nil, fmt.Errorf("could not convert SDDL %q into a self-relative security descriptor object: %w", sddl, err) } - e := windows.CreateDirectory(pathUTF16, &sa) - if e != nil { - return &os.PathError{Op: "mkdir", Path: path, Err: e} + pathUTF16Ptr, err := windows.UTF16PtrFromString(path) + if err != nil { + return nil, fmt.Errorf("could not get pointer to the UTF-16 encoding of path %q: %w", path, err) } - return nil + + return &fileAttribs{ + pathUTF16Ptr: pathUTF16Ptr, + sa: &windows.SecurityAttributes{ + InheritHandle: 1, + Length: uint32(unsafe.Sizeof(windows.SecurityAttributes{})), + SecurityDescriptor: sd, + }, + }, nil } diff --git a/pkg/common/diskutil/file_windows_test.go b/pkg/common/diskutil/file_windows_test.go new file mode 100644 index 0000000000..1cd62785bf --- /dev/null +++ b/pkg/common/diskutil/file_windows_test.go 
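Review bot: `getFileWithSecurityAttr` sets `InheritHandle: 1`, which did not matter while the attributes only went to `CreateDirectory`, but the same struct is now passed to `CreateFile`, so the write handle for a private file is marked inheritable and could be handed to a child process started during the write, depending on how children are spawned. `InheritHandle: 0` looks like the safer value here. Separately, `mkdir` now returns `fmt.Errorf`-wrapped errors while the comment above it still promises `*os.PathError`; callers that rely on `os.IsExist`-style checks (not visible in this hunk) would stop matching. Either keep `&os.PathError{Op: "mkdir", Path: path, Err: err}` for the `CreateDirectory` failure or update the comment and have callers use `errors.Is`.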
@@ -0,0 +1,95 @@ +//go:build windows +// +build windows + +package diskutil + +import ( + "os" + "path/filepath" + "testing" + + "github.com/spiffe/spire/pkg/common/sddl" + "github.com/spiffe/spire/test/spiretest" + "github.com/stretchr/testify/require" + "golang.org/x/sys/windows" +) + +func TestAtomicWritePrivateFile(t *testing.T) { + dir := spiretest.TempDir(t) + + tests := []struct { + name string + data []byte + expectSecurityDescriptor string + atomicWriteFunc func(string, []byte) error + }{ + { + name: "basic - AtomicWritePrivateFile", + data: []byte("Hello, World"), + expectSecurityDescriptor: sddl.PrivateFile, + atomicWriteFunc: AtomicWritePrivateFile, + }, + { + name: "empty - AtomicWritePrivateFile", + data: []byte{}, + expectSecurityDescriptor: sddl.PrivateFile, + atomicWriteFunc: AtomicWritePrivateFile, + }, + { + name: "binary - AtomicWritePrivateFile", + data: []byte{0xFF, 0, 0xFF, 0x3D, 0xD8, 0xA9, 0xDC, 0xF0, 0x9F, 0x92, 0xA9}, + expectSecurityDescriptor: sddl.PrivateFile, + atomicWriteFunc: AtomicWritePrivateFile, + }, + { + name: "basic - AtomicWritePubliclyReadableFile", + data: []byte("Hello, World"), + expectSecurityDescriptor: sddl.PubliclyReadableFile, + atomicWriteFunc: AtomicWritePubliclyReadableFile, + }, + { + name: "empty - AtomicWritePubliclyReadableFile", + data: []byte{}, + expectSecurityDescriptor: sddl.PubliclyReadableFile, + atomicWriteFunc: AtomicWritePubliclyReadableFile, + }, + { + name: "binary - AtomicWritePubliclyReadableFile", + data: []byte{0xFF, 0, 0xFF, 0x3D, 0xD8, 0xA9, 0xDC, 0xF0, 0x9F, 0x92, 0xA9}, + expectSecurityDescriptor: sddl.PubliclyReadableFile, + atomicWriteFunc: AtomicWritePubliclyReadableFile, + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + file := filepath.Join(dir, "file") + err := tt.atomicWriteFunc(file, tt.data) + require.NoError(t, err) + + pathUTF16Ptr, err := windows.UTF16PtrFromString(file) + require.NoError(t, err) + + handle, err := 
windows.CreateFile(pathUTF16Ptr, + windows.GENERIC_WRITE, + 0, + nil, + windows.OPEN_EXISTING, + windows.FILE_ATTRIBUTE_NORMAL, + 0) + + require.NoError(t, err) + sd, err := windows.GetSecurityInfo(handle, windows.SE_FILE_OBJECT, windows.DACL_SECURITY_INFORMATION) + require.NoError(t, windows.CloseHandle(handle)) + require.NoError(t, err) + + require.Equal(t, sd.String(), tt.expectSecurityDescriptor) + + content, err := os.ReadFile(file) + require.NoError(t, err) + require.Equal(t, tt.data, content) + + require.NoError(t, os.Remove(file)) + }) + } +} diff --git a/pkg/common/sddl/sddl_windows.go b/pkg/common/sddl/sddl_windows.go index cd28de897f..5bd91390b8 100644 --- a/pkg/common/sddl/sddl_windows.go +++ b/pkg/common/sddl/sddl_windows.go @@ -11,6 +11,14 @@ const ( // to the creator owner only. PrivateFile = "D:P(A;;FA;;;OW)" + // PubliclyReadableFile describes a security descriptor using + // the security descriptor definition language (SDDL) that is meant + // to be used to define the access control to files that need to + // be publicly readable but writable only by the owner of the file. + // The security descriptor grants full access to the creator owner + // and read access to everyone. + PubliclyReadableFile = "D:P(A;;FA;;;OW)(A;;FR;;;WD)" + // PrivateListener describes a security descriptor using the // security descriptor definition language (SDDL) that is meant // to be used to define the access control to named pipes diff --git a/pkg/server/ca/journal.go b/pkg/server/ca/journal.go index de939cb111..0df23f84a9 100644 --- a/pkg/server/ca/journal.go +++ b/pkg/server/ca/journal.go @@ -149,7 +149,7 @@ func saveJournalEntries(path string, entries *JournalEntries) error { Bytes: entriesBytes, }) - if err := diskutil.AtomicWriteFile(path, pemBytes, 0644); err != nil { + if err := diskutil.AtomicWritePubliclyReadableFile(path, pemBytes); err != nil { return errs.Wrap(err) } 
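Review bot: `require.Equal(t, sd.String(), tt.expectSecurityDescriptor)` passes the actual value first, so a failure report would label expected and actual the wrong way round; testify's order is `require.Equal(t, tt.expectSecurityDescriptor, sd.String())`. The test also opens the file with `windows.GENERIC_WRITE` only to read its DACL; `windows.READ_CONTROL` should be sufficient for `GetSecurityInfo` with `DACL_SECURITY_INFORMATION` and keeps the check from needing write access. No case covers a destination or temp file that already exists with a different DACL, which is the situation where the applied descriptor is most likely to differ from the expected one.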
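Review bot: The comment on `PubliclyReadableFile` says the descriptor grants full access to the "creator owner", but the ACE uses the `OW` SID string, which is Owner Rights; Creator Owner is `CO`. I would word the last sentence as `// The security descriptor grants full access (FA) to the owner rights SID (OW) and read access (FR) to Everyone (WD).` so the comment maps directly onto the string. Since `WD` is the Everyone group, the comment should also say that the constant is only meant for data that is not secret.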
diff --git a/pkg/server/plugin/keymanager/disk/disk.go b/pkg/server/plugin/keymanager/disk/disk.go index 78f781e55e..0dc6b01b8d 100644 --- a/pkg/server/plugin/keymanager/disk/disk.go +++ b/pkg/server/plugin/keymanager/disk/disk.go @@ -150,7 +150,7 @@ func writeEntries(path string, entries []*keymanagerbase.KeyEntry) error { return status.Errorf(codes.Internal, "unable to marshal entries: %v", err) } - if err := diskutil.AtomicWriteFile(path, jsonBytes, 0600); err != nil { + if err := diskutil.AtomicWritePrivateFile(path, jsonBytes); err != nil { return status.Errorf(codes.Internal, "unable to write entries: %v", err) } From 678e1536f0d63afed791a295131e701bebe0ef6b Mon Sep 17 00:00:00 2001 From: Marcos Yacob Date: Tue, 8 Nov 2022 20:57:30 -0300 Subject: [PATCH 055/257] Bump version to 1.5.2 (#3590) Signed-off-by: Marcos Yacob --- CHANGELOG.md | 5 +++++ pkg/common/version/version.go | 2 +- pkg/server/datastore/sqlstore/migration.go | 3 ++- test/integration/suites/upgrade/versions.txt | 1 + 4 files changed, 9 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3c38230603..6ec6405e67 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Changelog +## [1.5.1] - 2022-11-08 + +### Fixed +- The deprecated `default_svid_ttl` configurable is now correctly observed after fixing a regression introduced in 1.5.0 (#3583) + ## [1.5.0] - 2022-11-02 ### Added diff --git a/pkg/common/version/version.go b/pkg/common/version/version.go index 1924cf8743..e149da409a 100644 --- a/pkg/common/version/version.go +++ b/pkg/common/version/version.go @@ -8,7 +8,7 @@ const ( // IMPORTANT: When updating, make sure to reconcile the versions list that // is part of the upgrade integration test. See // test/integration/suites/upgrade/README.md for details. - Base = "1.5.1" + Base = "1.5.2" ) var ( diff --git a/pkg/server/datastore/sqlstore/migration.go b/pkg/server/datastore/sqlstore/migration.go index d068e7fc5d..e3894de173 100644 
--- a/pkg/server/datastore/sqlstore/migration.go +++ b/pkg/server/datastore/sqlstore/migration.go @@ -152,8 +152,9 @@ import ( // | v1.4.4 | | | // |---------| | | // | v1.4.5 | | | -// |---------| | | +// |*********| | | // | v1.5.0 | | | +// | v1.5.1 | | | // ================================================================================================ const ( diff --git a/test/integration/suites/upgrade/versions.txt b/test/integration/suites/upgrade/versions.txt index e13fcd045b..480ab7f81b 100644 --- a/test/integration/suites/upgrade/versions.txt +++ b/test/integration/suites/upgrade/versions.txt @@ -5,3 +5,4 @@ 1.4.4 1.4.5 1.5.0 +1.5.1 From 85dec8083c36ee8dc5580cbb09556a38b4a83350 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Nov 2022 12:53:15 -0300 Subject: [PATCH 056/257] Bump cloud.google.com/go/storage from 1.27.0 to 1.28.0 (#3586) Bumps [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go) from 1.27.0 to 1.28.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.27.0...spanner/v1.28.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/storage dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Marcos Yacob --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 1033d1e82a..269580a462 100644 --- a/go.mod +++ b/go.mod 
@@ -5,7 +5,7 @@ go 1.19 require ( cloud.google.com/go/secretmanager v1.9.0 cloud.google.com/go/security v1.10.0 - cloud.google.com/go/storage v1.27.0 + cloud.google.com/go/storage v1.28.0 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0 diff --git a/go.sum b/go.sum index 509f2e60f4..7e876e7ada 100644 --- a/go.sum +++ b/go.sum @@ -171,8 +171,8 @@ cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RX cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y= cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeLgDvXzfIXc= -cloud.google.com/go/storage v1.27.0 h1:YOO045NZI9RKfCj1c5A/ZtuuENUc8OAW+gHdGnDgyMQ= -cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s= +cloud.google.com/go/storage v1.28.0 h1:DLrIZ6xkeZX6K70fU/boWx5INJumt6f+nwwWSHXzzGY= +cloud.google.com/go/storage v1.28.0/go.mod h1:qlgZML35PXA3zoEnIkiPLY4/TOkUleufRlu6qmcf7sI= cloud.google.com/go/talent v1.1.0/go.mod h1:Vl4pt9jiHKvOgF9KoZo6Kob9oV4lwd/ZD5Cto54zDRw= cloud.google.com/go/talent v1.2.0/go.mod h1:MoNF9bhFQbiJ6eFD3uSsg0uBALw4n4gaCaEjBw9zo8g= cloud.google.com/go/videointelligence v1.6.0/go.mod h1:w0DIDlVRKtwPCn/C4iwZIJdvC69yInhW0cfi+p546uU= From 60c8c69b0fb77836397c6389d2e01e016cec714f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Nov 2022 13:51:02 -0300 Subject: [PATCH 057/257] Bump google.golang.org/api from 0.102.0 to 0.103.0 (#3593) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.102.0 to 0.103.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.102.0...v0.103.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 7 ++++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index 269580a462..75be99fda5 100644 --- a/go.mod +++ b/go.mod @@ -65,7 +65,7 @@ require ( golang.org/x/sync v0.1.0 golang.org/x/sys v0.0.0-20221010170243-090e33056c14 golang.org/x/time v0.1.0 - google.golang.org/api v0.102.0 + google.golang.org/api v0.103.0 google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c google.golang.org/grpc v1.50.1 google.golang.org/protobuf v1.28.1 @@ -198,7 +198,7 @@ require ( github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/yashtewari/glob-intersection v0.1.0 // indirect github.com/yusufpapurcu/wmi v1.2.2 // indirect - go.opencensus.io v0.23.0 // indirect + go.opencensus.io v0.24.0 // indirect go.uber.org/atomic v1.10.0 // indirect go.uber.org/multierr v1.8.0 // indirect go.uber.org/zap v1.23.0 // indirect diff --git a/go.sum b/go.sum index 7e876e7ada..d4ce3c3790 100644 --- a/go.sum +++ b/go.sum 
@@ -1107,8 +1107,9 @@ go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= -go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= +go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= +go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:2AboqHi0CiIZU0qwhtUfCYD1GeUzvvIXWNkhDt7ZMG4= @@ -1570,8 +1571,8 @@ google.golang.org/api v0.96.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ google.golang.org/api v0.97.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= google.golang.org/api v0.98.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= google.golang.org/api v0.100.0/go.mod h1:ZE3Z2+ZOr87Rx7dqFsdRQkRBk36kDtp/h+QpHbB7a70= -google.golang.org/api v0.102.0 h1:JxJl2qQ85fRMPNvlZY/enexbxpCjLwGhZUtgfGeQ51I= -google.golang.org/api v0.102.0/go.mod h1:3VFl6/fzoA+qNuS1N1/VfXY4LjoXN/wzeIp7TweWwGo= +google.golang.org/api v0.103.0 h1:9yuVqlu2JCvcLg9p8S3fcFLZij8EPSyvODIY1rkMizQ= +google.golang.org/api v0.103.0/go.mod h1:hGtW6nK1AC+d9si/UBhw8Xli+QMOf6xyNAyJw4qU9w0= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
From 14a30ca94211851d73e3398835d97e306b9d9609 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Nov 2022 14:36:53 -0300 Subject: [PATCH 058/257] Bump golang.org/x/time from 0.1.0 to 0.2.0 (#3588) Bumps [golang.org/x/time](https://github.com/golang/time) from 0.1.0 to 0.2.0. - [Release notes](https://github.com/golang/time/releases) - [Commits](https://github.com/golang/time/compare/v0.1.0...v0.2.0) --- updated-dependencies: - dependency-name: golang.org/x/time dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index 75be99fda5..833c0daac4 100644 --- a/go.mod +++ b/go.mod @@ -64,7 +64,7 @@ require ( golang.org/x/net v0.0.0-20221014081412-f15817d10f9b golang.org/x/sync v0.1.0 golang.org/x/sys v0.0.0-20221010170243-090e33056c14 - golang.org/x/time v0.1.0 + golang.org/x/time v0.2.0 google.golang.org/api v0.103.0 google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c google.golang.org/grpc v1.50.1 diff --git a/go.sum b/go.sum index d4ce3c3790..0a7fcda698 100644 --- a/go.sum +++ b/go.sum 
@@ -1437,8 +1437,9 @@ golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.1.0 h1:xYY+Bajn2a7VBmTM5GikTmnK8ZuX8YgnQCqZpbBNtmA= golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.2.0 h1:52I/1L54xyEQAYdtcSuxtiT84KGYTBGXwayxmIpNJhE= +golang.org/x/time v0.2.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= From 31bc1887e9046c624c94837020eaa8e24d61045a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Nov 2022 15:24:11 -0300 Subject: [PATCH 059/257] Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#3591) Bumps [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go) from 1.1.0 to 1.2.0. - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases) - [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md) - [Commits](https://github.com/Azure/azure-sdk-for-go/compare/v1.1...v1.2) --- updated-dependencies: - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azidentity dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 7 +++---- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/go.mod b/go.mod index 833c0daac4..0d31f8cb64 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,7 @@ require ( cloud.google.com/go/security v1.10.0 cloud.google.com/go/storage v1.28.0 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0 - github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0 @@ -91,7 +91,7 @@ require ( github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect - github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0 // indirect github.com/DataDog/datadog-go v3.2.0+incompatible // indirect github.com/Masterminds/goutils v1.1.0 // indirect github.com/Masterminds/semver/v3 v3.1.1 // indirect @@ -131,8 +131,7 @@ require ( github.com/go-openapi/swag v0.19.14 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang-jwt/jwt v3.2.2+incompatible // indirect - github.com/golang-jwt/jwt/v4 v4.2.0 // indirect + github.com/golang-jwt/jwt/v4 v4.4.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/snappy v0.0.4 // indirect github.com/google/gnostic v0.5.7-v3refs // indirect diff --git a/go.sum b/go.sum index 0a7fcda698..653313e065 100644 --- a/go.sum +++ b/go.sum 
@@ -189,8 +189,8 @@ github.com/Azure/azure-sdk-for-go/sdk/azcore v1.0.0/go.mod h1:uGG2W01BaETf0Ozp+Q github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0 h1:sVW/AFBTGyJxDaMYlq0ct3jUXTtj12tQ6zE2GZUgVQw= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.0.0/go.mod h1:+6sju8gk8FRmSajX3Oz4G5Gm7P+mbqE9FVaXXFYTkCM= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 h1:QkAcEIAKbNL4KoFr4SathZPhDhF4mVwpBMFlYjyAqy8= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0/go.mod h1:bhXu1AjYL+wutSL/kpSq6s7733q2Rb0yuot9Zgfqa/0= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.0 h1:t/W5MYAuQy81cvM8VUNfRLzhtKpXhVUAN7Cd7KVbTyc= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.0/go.mod h1:NBanQUfSWiWn3QEpWDTCU0IjBECKOYvl2R8xdRtMtiM= github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 h1:jp0dGvZ7ZK0mgqnTSClMxa5xuRL7NZgHameVYF6BurY= github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0 h1:/Di3vB4sNeQ+7A8efjUVENvyB945Wruvstucqp7ZArg= 
@@ -222,8 +222,8 @@ github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZ github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/AzureAD/microsoft-authentication-library-for-go v0.4.0/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4= -github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1 h1:BWe8a+f/t+7KY7zH2mqygeUD0t8hNFXe08p1Pb3/jKE= -github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4= +github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0 h1:VgSJlZH5u0k2qxSpqyghcFQKmvYckj46uymKK5XzkBM= +github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0/go.mod h1:BDJ5qMFKx9DugEg3+uQSDCdbYPr5s9vBTrL9P8TpqOU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DataDog/datadog-go v3.2.0+incompatible h1:qSG2N4FghB1He/r2mFrWKCaL7dXCilEuNEeAn20fdD4= 
@@ -501,11 +501,11 @@ github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXP github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= -github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY= github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU= github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= +github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs= +github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= github.com/golang-sql/sqlexp v0.1.0/go.mod h1:J4ad9Vo8ZCWQ2GMrC4UCQy1JpCbwU9m3EOqtpKwwwHI= From c137a346146e5e71b52a36f740f3332b71d00444 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Nov 2022 16:05:29 -0300 Subject: [PATCH 060/257] Bump github.com/hashicorp/go-plugin from 1.4.5 to 1.4.6 (#3594) Bumps [github.com/hashicorp/go-plugin](https://github.com/hashicorp/go-plugin) from 1.4.5 to 1.4.6. - [Release notes](https://github.com/hashicorp/go-plugin/releases) - [Changelog](https://github.com/hashicorp/go-plugin/blob/master/CHANGELOG.md) - [Commits](https://github.com/hashicorp/go-plugin/compare/v1.4.5...v1.4.6) --- updated-dependencies: - dependency-name: github.com/hashicorp/go-plugin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 0d31f8cb64..3409c8d1f5 100644 --- a/go.mod +++ b/go.mod @@ -40,7 +40,7 @@ require ( github.com/googleapis/gax-go/v2 v2.7.0 github.com/gorilla/handlers v1.5.1 github.com/hashicorp/go-hclog v1.3.1 - github.com/hashicorp/go-plugin v1.4.5 + github.com/hashicorp/go-plugin v1.4.6 github.com/hashicorp/hcl v1.0.1-0.20190430135223-99e2f22d1c94 github.com/hashicorp/vault/api v1.8.2 github.com/hashicorp/vault/sdk v0.6.1 diff --git a/go.sum b/go.sum index 653313e065..7bcd3e61e5 100644 --- a/go.sum +++ b/go.sum 
@@ -665,8 +665,8 @@ github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHh github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/go-plugin v1.4.0/go.mod h1:5fGEH17QVwTTcR0zV7yhDPLLmFX9YSZ38b18Udy6vYQ= -github.com/hashicorp/go-plugin v1.4.5 h1:oTE/oQR4eghggRg8VY7PAz3dr++VwDNBGCcOfIvHpBo= -github.com/hashicorp/go-plugin v1.4.5/go.mod h1:viDMjcLJuDui6pXb8U4HVfb8AamCWhHGUjr2IrTF67s= +github.com/hashicorp/go-plugin v1.4.6 h1:MDV3UrKQBM3du3G7MApDGvOsMYy3JQJ4exhSoKBAeVA= +github.com/hashicorp/go-plugin v1.4.6/go.mod h1:viDMjcLJuDui6pXb8U4HVfb8AamCWhHGUjr2IrTF67s= github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= github.com/hashicorp/go-retryablehttp v0.6.6 h1:HJunrbHTDDbBb/ay4kxa1n+dLmttUlnP3V9oNE4hmsM= github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= From 0af18e6664263345682566c34aee67cb6b80f0e3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Nov 2022 16:43:31 -0300 Subject: [PATCH 061/257] Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.66.0 to 1.68.0 (#3592) Bumps [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) from 1.66.0 to 1.68.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.66.0...service/ec2/v1.68.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 3409c8d1f5..0e1dc8fc55 100644 --- a/go.mod +++ b/go.mod @@ -20,7 +20,7 @@ require ( github.com/aws/aws-sdk-go-v2/credentials v1.12.17 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14 github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 - github.com/aws/aws-sdk-go-v2/service/ec2 v1.66.0 + github.com/aws/aws-sdk-go-v2/service/ec2 v1.68.0 github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 github.com/aws/aws-sdk-go-v2/service/kms v1.18.8 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 diff --git a/go.sum b/go.sum index 7bcd3e61e5..e9a5f4aa8d 100644 --- a/go.sum +++ b/go.sum @@ -296,8 +296,8 @@ github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21 h1:lpwSbLKYTuABo6SyUoC25xAmfO3 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21/go.mod h1:Q0pktZjvRZk77TBto6yAvUAi7fcse1bdcMctBDVGgBw= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 h1:2f0kb+39miQPRp0b7Sqq06+TpxI0Nfcra41QxzJPME8= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0/go.mod h1:AVLIBQ9V7mcHd5uZT1+wUbBt4QaI/XcOens85Ib0W1o= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.66.0 h1:yankZN/p8rKWHCgbj6N2SGeZ66XFqOS3Ud80DahavQs= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.66.0/go.mod h1:zul71QqzR4D1a90/5FloZiAnZ1CtuIjVH7R9MP997+A= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.68.0 h1:YV+y7FyJuT5krPhCMon9GvY9EJYgznY2nhzcicNYR3Q= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.68.0/go.mod h1:zul71QqzR4D1a90/5FloZiAnZ1CtuIjVH7R9MP997+A= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 h1:m/WtVqEvgwDiUPIW2dtnF2hDE1O62MEflz9ClOlCXAs= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16/go.mod h1:w8wndcRxwILFQAzwkUKyEDz4LDHEBSR78KRdaNjUKQA= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.14/go.mod h1:8qOLjqMzY/S1kh3myDXA1yxK5eD4uN8aOJgKpgvc4OM= 
From 9b558df0df1ad87e5a7cdfa06e70d550a01c2cce Mon Sep 17 00:00:00 2001 From: Brandon Menc Date: Wed, 9 Nov 2022 15:22:00 -0500 Subject: [PATCH 062/257] Fix spelling (#3584) Signed-off-by: Brandon Menc --- pkg/server/registration/manager.go | 6 +++--- pkg/server/registration/manager_test.go | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/pkg/server/registration/manager.go b/pkg/server/registration/manager.go index 40fdbeafab..8d5ba5ec29 100644 --- a/pkg/server/registration/manager.go +++ b/pkg/server/registration/manager.go @@ -12,7 +12,7 @@ import ( ) const ( - _pruningCandence = 5 * time.Minute + _pruningCadence = 5 * time.Minute ) // ManagerConfig is the config for the registration manager @@ -40,7 +40,7 @@ func NewManager(c ManagerConfig) *Manager { return &Manager{ c: c, - log: c.Log.WithField(telemetry.RetryInterval, _pruningCandence), + log: c.Log.WithField(telemetry.RetryInterval, _pruningCadence), metrics: c.Metrics, } } @@ -51,7 +51,7 @@ func (m *Manager) Run(ctx context.Context) error { } func (m *Manager) pruneEvery(ctx context.Context) error { - ticker := m.c.Clock.Ticker(_pruningCandence) + ticker := m.c.Clock.Ticker(_pruningCadence) defer ticker.Stop() for { diff --git a/pkg/server/registration/manager_test.go b/pkg/server/registration/manager_test.go index c9ab36ba0d..d71dcf66dd 100644 --- a/pkg/server/registration/manager_test.go +++ b/pkg/server/registration/manager_test.go @@ -42,7 +42,7 @@ func (s *ManagerSuite) TestPruning() { done := s.setupAndRunManager() defer done() - expiry := s.clock.Now().Add(_pruningCandence) + expiry := s.clock.Now().Add(_pruningCadence) // expires right on the pruning time entry1 := &common.RegistrationEntry{ 
@@ -105,7 +105,7 @@ func (s *ManagerSuite) TestPruning() { s.Equal([]*common.RegistrationEntry{registrationEntry1, registrationEntry2, registrationEntry3}, listResp.Entries) // prune first entry - s.clock.Add(_pruningCandence + time.Second) + s.clock.Add(_pruningCadence + time.Second) s.NoError(s.m.prune(context.Background())) listResp, err = s.ds.ListRegistrationEntries(context.Background(), &datastore.ListRegistrationEntriesRequest{}) s.NoError(err) From 3a597115556aa084d9f4992f20f4cd93f21109f2 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Wed, 9 Nov 2022 21:58:48 +0100 Subject: [PATCH 063/257] Fix OIDC healthcheck to work with k8s healthprobes (#3580) Signed-off-by: Marco Franssen --- support/oidc-discovery-provider/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/support/oidc-discovery-provider/main.go b/support/oidc-discovery-provider/main.go index 57f391b7a8..d5cc2e13a6 100644 --- a/support/oidc-discovery-provider/main.go +++ b/support/oidc-discovery-provider/main.go @@ -100,7 +100,7 @@ func run(configPath string) error { if config.HealthChecks != nil { go func() { server := &http.Server{ - Addr: fmt.Sprintf("localhost:%d", config.HealthChecks.BindPort), + Addr: fmt.Sprintf(":%d", config.HealthChecks.BindPort), Handler: NewHealthChecksHandler(source, config), ReadHeaderTimeout: 10 * time.Second, } From 1e272b0d2b6ec304fde2c39ee6f73f514c412982 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Thu, 10 Nov 2022 17:29:41 -0300 Subject: [PATCH 064/257] Introduce the `gcp_kms` KeyManager plugin (#3410) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Introduce the gcp_kms plugin 
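Review bot: Binding the health-check server in `run` to `:%d` exposes it on every interface, and nothing in the hunk lets an operator narrow it back to loopback or to one address. Kubernetes probes do need a pod-reachable address, but deployments outside Kubernetes silently lose the loopback-only default. A configurable bind address would serve both cases, for example a new optional setting (proposed, not present in this hunk) that defaults to the old `localhost` and is used as `Addr: net.JoinHostPort(bindAddr, strconv.Itoa(config.HealthChecks.BindPort))`. At minimum, document the exposure above the field: `// Listens on all interfaces so kubelet probes can reach it; restrict access with a NetworkPolicy or host firewall.` What `NewHealthChecksHandler` returns is not visible here, so confirm it discloses nothing beyond liveness and readiness; `run` continues outside the hunk.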
Signed-off-by: Agustín Martínez Fayó --- conf/server/server_full.conf | 22 + doc/plugin_server_keymanager_gcp_kms.md | 155 ++ go.mod | 3 +- go.sum | 6 +- pkg/server/catalog/keymanager.go | 2 + pkg/server/plugin/keymanager/gcpkms/client.go | 129 ++ .../plugin/keymanager/gcpkms/client_fake.go | 738 +++++++ .../plugin/keymanager/gcpkms/fetcher.go | 172 ++ pkg/server/plugin/keymanager/gcpkms/gcpkms.go | 1082 ++++++++++ .../plugin/keymanager/gcpkms/gcpkms_test.go | 1739 +++++++++++++++++ 10 files changed, 4045 insertions(+), 3 deletions(-) create mode 100644 doc/plugin_server_keymanager_gcp_kms.md create mode 100644 pkg/server/plugin/keymanager/gcpkms/client.go create mode 100644 pkg/server/plugin/keymanager/gcpkms/client_fake.go create mode 100644 pkg/server/plugin/keymanager/gcpkms/fetcher.go create mode 100644 pkg/server/plugin/keymanager/gcpkms/gcpkms.go create mode 100644 pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go diff --git a/conf/server/server_full.conf b/conf/server/server_full.conf index 8444c49b4d..d20b7d7836 100644 --- a/conf/server/server_full.conf +++ b/conf/server/server_full.conf 
@@ -267,6 +267,28 @@ plugins { # } # } + # KeyManager "gcp_kms": A key manager for signing SVIDs which generates + # and stores keys in Google Cloud KMS. + # KeyManager "gcp_kms" { + # plugin_data = { + # # key_metadata_file: A file path location where information about + # # generated keys will be persisted. + # key_metadata_file = "./file_path" + # + # # key_policy_file: A file path location to a custom IAM Policy (v3) + # # in JSON format to be attached to created CryptoKeys. + # # key_policy_file = "custom-gcp-kms-policy.json" + # + # # key_ring: Resource ID of the key ring where the keys managed by this + # # plugin reside. + # # key_ring = "projects/project/locations/location/keyRings/key-ring" + # + # # service_account_file: Path to the service account file used to + # # authenticate with the Google Cloud KMS API. + # # service_account_file = "" + # } + # } + # KeyManager "memory": A key manager for signing SVIDs which only stores # keys in memory and does not actually persist them anywhere. KeyManager "memory" { diff --git a/doc/plugin_server_keymanager_gcp_kms.md b/doc/plugin_server_keymanager_gcp_kms.md new file mode 100644 index 0000000000..e81f2a82c1 --- /dev/null +++ b/doc/plugin_server_keymanager_gcp_kms.md 
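Review bot: The sample shows `key_ring` as an optional setting, double-commented like `key_policy_file` and `service_account_file`, but the plugin documentation added in this same commit lists `key_ring` as required alongside `key_metadata_file`. Writing it as `# key_ring = "projects/project/locations/location/keyRings/key-ring"`, at the same comment level as `key_metadata_file`, would make the sample match the documented contract. The `service_account_file` comment could also say that the file holds a service-account credential and should be readable only by the account running SPIRE Server. The enclosing `plugins` block starts and ends outside the hunk.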
@@ -0,0 +1,155 @@ +# Server plugin: KeyManager "gcp_kms" + +The `gcp_kms` key manager plugin leverages the Google Cloud Key Management +Service to create, maintain, and rotate key pairs, signing SVIDs as needed. No +Google Cloud principal can view or export the raw cryptographic key material +represented by a key. Instead, Cloud KMS accesses the key material on behalf of +SPIRE. + +## Configuration + +The plugin accepts the following configuration options: + +| Key | Type | Required | Description | Default | +| --- | ---- | -------- | ----------- | ------- | +| key_policy_file | string | no | A file path location to a custom [IAM Policy (v3)](https://cloud.google.com/pubsub/docs/reference/rpc/google.iam.v1#google.iam.v1.Policy) in JSON format to be attached to created CryptoKeys. | "" | +| key_metadata_file | string | yes | A file path location where key metadata used by the plugin will be persisted. See "[Management of keys](#management-of-keys)" for more information. | "" | +| key_ring | string | yes | Resource ID of the key ring where the keys managed by this plugin reside, in the format projects/\*/locations/\*/keyRings/\* | "" | +| service_account_file | string | no | Path to the service account file used to authenticate with the Cloud KMS API. | Value of `GOOGLE_APPLICATION_CREDENTIALS` environment variable. | + +### Authenticating with the Cloud KMS API + +The plugin uses the Application Default Credentials to authenticate with the +Google Cloud KMS API, as documented by [Setting Up Authentication For Server to +Server](https://cloud.google.com/docs/authentication/production). When SPIRE +Server is running inside GCP, it will use the default service account +credentials available to the instance it is running under. 
When running outside +GCP, or if non-default credentials are needed, the path to the service account +file containing the credentials may be specified using the +`GOOGLE_APPLICATION_CREDENTIALS` environment variable or the +`service_account_file` configurable (see [Configuration](#configuration)). + +### Use of key versions + +In Cloud KMS, the cryptographic key material that is used to sign data is stored +in a key version (CryptoKeyVersion). A key (CryptoKey) can have zero or more key +versions. + +For each SPIRE Key ID that the server manages, this plugin maintains a +CryptoKey. When a key is rotated, a new CryptoKeyVersion is added to the +CryptoKey and the rotated CryptoKeyVersion is scheduled for destruction. + +### Management of keys + +The plugin assigns +[labels](https://cloud.google.com/kms/docs/creating-managing-labels) to the +CryptoKeys that it manages in order to keep track of them. The use of these +labels also allows efficient filtering when performing the listing operations in +the service. All the labels are named with the `spire-` prefix. +Users don't need to interact with the labels managed by the plugin. The +following table is provided for informational purposes only: + +| Label | Description | +| ----- | ----------- | +| spire-server-td | SHA-1 checksum of the trust domain name of the server. | +| spire-server-id | Auto-generated ID that is unique to the server and is persisted in the _Key Metadata File_ (see the `key_metadata_file` configurable). | +| spire-last-update | Unix time of the last time that the plugin updated the +CryptoKey to keep it active. | +| spire-active | Indicates if the CryptoKey is still in use by the plugin. | + +If the _Key Metadata File_ is not found during server startup, the file is +recreated, with a new auto-generated server ID. Consequently, if the file is +lost, the plugin will not be able to identify keys that it has previously +managed and will recreate new keys on demand. 
+ +The plugin attempts to detect and prune stale CryptoKeys. To facilitate stale +CryptoKey detection, the plugin actively updates the `spire-last-update` label +on all CryptoKeys managed by the server every 6 hours. The plugin periodically +scans the CryptoKeys looking for active CryptoKeys within the trust domain that +have a `spire-last-update` value older than two weeks and don't belong to the +server. The corresponding CryptoKeyVersion of those stale CryptoKeys are +scheduled for destruction, and the `spire-active` label in the CryptoKey is +updated to indicate that the CryptoKey is no longer active. Additionally, if +the plugin detects that a CryptoKey doesn't have any enabled CryptoKeyVersions, +it also updates the `spire-active` label in the CryptoKey to set it as inactive. + +### Required permissions + +The plugin requires the following IAM permissions be granted to the +authenticated service account in the configured key ring: + +```text +cloudkms.cryptoKeys.* +cloudkms.cryptoKeyVersions.create +cloudkms.cryptoKeyVersions.destroy +cloudkms.cryptoKeyVersions.get +cloudkms.cryptoKeyVersions.list +cloudkms.cryptoKeyVersions.useToSign +cloudkms.cryptoKeyVersions.viewPublicKey +``` + +### IAM policy + +Google Cloud resources are organized hierarchically, and resources inherit the +allow policies of the parent resource. The plugin set a default IAM policy to +CryptoKeys that it creates. Alternatively, a user defined IAM policy can be +defined. +The effective allow policy for a CryptoKey is the union of the allow policy set +at that resource by the plugin and the allow policy inherited from its parent. + +#### Default IAM policy + +The plugin defines a default IAM policy that is set to created CryptoKeys. This +policy binds the authenticated service account with the Cloud KMS CryptoKey +Signer/Verifier (`roles/cloudkms.signerVerifier`) predefined role. 
+ +```json +{ + "bindings": [ + { + "role": "roles/cloudkms.signerVerifier", + "members": [ + "serviceAccount:SERVICE_ACCOUNT_EMAIL" + ] + } + ], + "version": 3 +} + +``` + +The `roles/cloudkms.signerVerifier` role grants the following permissions: + +```text +cloudkms.cryptoKeyVersions.useToSign +cloudkms.cryptoKeyVersions.useToVerify +cloudkms.cryptoKeyVersions.viewPublicKey +cloudkms.locations.get +cloudkms.locations.list +resourcemanager.projects.get +``` + +#### Custom IAM policy + +It is also possible for the user to define a custom IAM policy that will be +attached to the created CryptoKeys. If the configurable `key_policy_file` is +set, the plugin uses the policy defined in the file instead of the default +policy. +Custom IAM policies must be defined using +[version 3](https://cloud.google.com/iam/docs/policies#versions). + +## Sample Plugin Configuration + +```hcl +KeyManager "gcp_kms" { + plugin_data { + key_ring = "projects/project-id/locations/location/keyRings/keyring" + key_metadata_file = "./gcpkms-key-metadata" + } +} +``` + +## Supported Key Types + +The plugin supports all the key types supported by SPIRE: `rsa-2048`, +`rsa-4096`, `ec-p256`, and `ec-p384`. diff --git a/go.mod b/go.mod index 0e1dc8fc55..733bdb96c1 100644 --- a/go.mod +++ b/go.mod @@ -3,6 +3,8 @@ module github.com/spiffe/spire go 1.19 require ( + cloud.google.com/go/iam v0.7.0 + cloud.google.com/go/kms v1.6.0 cloud.google.com/go/secretmanager v1.9.0 cloud.google.com/go/security v1.10.0 cloud.google.com/go/storage v1.28.0 @@ -82,7 +84,6 @@ require ( cloud.google.com/go v0.105.0 // indirect cloud.google.com/go/compute v1.12.1 // indirect cloud.google.com/go/compute/metadata v0.2.1 // indirect - cloud.google.com/go/iam v0.6.0 // indirect cloud.google.com/go/longrunning v0.1.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect diff --git a/go.sum b/go.sum index e9a5f4aa8d..e6c087ce91 100644 
--- a/go.sum +++ b/go.sum @@ -105,8 +105,10 @@ cloud.google.com/go/gkehub v0.9.0/go.mod h1:WYHN6WG8w9bXU0hqNxt8rm5uxnk8IH+lPY9J cloud.google.com/go/gkehub v0.10.0/go.mod h1:UIPwxI0DsrpsVoWpLB0stwKCP+WFVG9+y977wO+hBH0= cloud.google.com/go/grafeas v0.2.0/go.mod h1:KhxgtF2hb0P191HlY5besjYm6MqTSTj3LSI+M+ByZHc= cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= -cloud.google.com/go/iam v0.6.0 h1:nsqQC88kT5Iwlm4MeNGTpfMWddp6NB/UOLFTH6m1QfQ= -cloud.google.com/go/iam v0.6.0/go.mod h1:+1AH33ueBne5MzYccyMHtEKqLE4/kJOibtffMHDMFMc= +cloud.google.com/go/iam v0.7.0 h1:k4MuwOsS7zGJJ+QfZ5vBK8SgHBAvYN/23BWsiihJ1vs= +cloud.google.com/go/iam v0.7.0/go.mod h1:H5Br8wRaDGNc8XP3keLc4unfUUZeyH3Sfl9XpQEYOeg= +cloud.google.com/go/kms v1.6.0 h1:OWRZzrPmOZUzurjI2FBGtgY2mB1WaJkqhw6oIwSj0Yg= +cloud.google.com/go/kms v1.6.0/go.mod h1:Jjy850yySiasBUDi6KFUwUv2n1+o7QZFyuUJg6OgjA0= cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic= cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI= cloud.google.com/go/lifesciences v0.5.0/go.mod h1:3oIKy8ycWGPUyZDR/8RNnTOYevhaMLqh5vLUXs9zvT8= diff --git a/pkg/server/catalog/keymanager.go b/pkg/server/catalog/keymanager.go index e28de3751c..c70f020d41 100644 --- a/pkg/server/catalog/keymanager.go +++ b/pkg/server/catalog/keymanager.go @@ -6,6 +6,7 @@ import ( "github.com/spiffe/spire/pkg/server/plugin/keymanager" "github.com/spiffe/spire/pkg/server/plugin/keymanager/awskms" "github.com/spiffe/spire/pkg/server/plugin/keymanager/disk" + "github.com/spiffe/spire/pkg/server/plugin/keymanager/gcpkms" "github.com/spiffe/spire/pkg/server/plugin/keymanager/memory" ) @@ -29,6 +30,7 @@ func (repo *keyManagerRepository) BuiltIns() []catalog.BuiltIn { return []catalog.BuiltIn{ awskms.BuiltIn(), disk.BuiltIn(), + gcpkms.BuiltIn(), memory.BuiltIn(), } } 
diff --git a/pkg/server/plugin/keymanager/gcpkms/client.go b/pkg/server/plugin/keymanager/gcpkms/client.go new file mode 100644 index 0000000000..712d633e59 --- /dev/null +++ b/pkg/server/plugin/keymanager/gcpkms/client.go 
@@ -0,0 +1,129 @@ +package gcpkms + +import ( + "context" + + "cloud.google.com/go/iam" + kms "cloud.google.com/go/kms/apiv1" + "cloud.google.com/go/kms/apiv1/kmspb" + "github.com/googleapis/gax-go/v2" + "google.golang.org/api/oauth2/v2" + "google.golang.org/api/option" + iampb "google.golang.org/genproto/googleapis/iam/v1" +) + +type cloudKeyManagementService interface { + AsymmetricSign(context.Context, *kmspb.AsymmetricSignRequest, ...gax.CallOption) (*kmspb.AsymmetricSignResponse, error) + Close() error + CreateCryptoKey(context.Context, *kmspb.CreateCryptoKeyRequest, ...gax.CallOption) (*kmspb.CryptoKey, error) + CreateCryptoKeyVersion(context.Context, *kmspb.CreateCryptoKeyVersionRequest, ...gax.CallOption) (*kmspb.CryptoKeyVersion, error) + DestroyCryptoKeyVersion(context.Context, *kmspb.DestroyCryptoKeyVersionRequest, ...gax.CallOption) (*kmspb.CryptoKeyVersion, error) + GetCryptoKeyVersion(context.Context, *kmspb.GetCryptoKeyVersionRequest, ...gax.CallOption) (*kmspb.CryptoKeyVersion, error) + GetPublicKey(context.Context, *kmspb.GetPublicKeyRequest, ...gax.CallOption) (*kmspb.PublicKey, error) + GetTokeninfo() (*oauth2.Tokeninfo, error) + ListCryptoKeys(context.Context, *kmspb.ListCryptoKeysRequest, ...gax.CallOption) cryptoKeyIterator + ListCryptoKeyVersions(context.Context, *kmspb.ListCryptoKeyVersionsRequest, ...gax.CallOption) cryptoKeyVersionIterator + ResourceIAM(string) iamHandler + UpdateCryptoKey(context.Context, *kmspb.UpdateCryptoKeyRequest, ...gax.CallOption) (*kmspb.CryptoKey, error) +} + +type kmsClient struct { + client *kms.KeyManagementClient + oauth2Service *oauth2.Service +} + +func (c *kmsClient) AsymmetricSign(ctx context.Context, req *kmspb.AsymmetricSignRequest, opts ...gax.CallOption) (*kmspb.AsymmetricSignResponse, error) { + return c.client.AsymmetricSign(ctx, req, opts...) 
+} + +func (c *kmsClient) Close() error { + return c.client.Close() +} + +func (c *kmsClient) CreateCryptoKey(ctx context.Context, req *kmspb.CreateCryptoKeyRequest, opts ...gax.CallOption) (*kmspb.CryptoKey, error) { + return c.client.CreateCryptoKey(ctx, req, opts...) +} + +func (c *kmsClient) CreateCryptoKeyVersion(ctx context.Context, req *kmspb.CreateCryptoKeyVersionRequest, opts ...gax.CallOption) (*kmspb.CryptoKeyVersion, error) { + return c.client.CreateCryptoKeyVersion(ctx, req, opts...) +} + +func (c *kmsClient) DestroyCryptoKeyVersion(ctx context.Context, req *kmspb.DestroyCryptoKeyVersionRequest, opts ...gax.CallOption) (*kmspb.CryptoKeyVersion, error) { + return c.client.DestroyCryptoKeyVersion(ctx, req, opts...) +} + +func (c *kmsClient) GetCryptoKeyVersion(ctx context.Context, req *kmspb.GetCryptoKeyVersionRequest, opts ...gax.CallOption) (*kmspb.CryptoKeyVersion, error) { + return c.client.GetCryptoKeyVersion(ctx, req, opts...) +} + +func (c *kmsClient) GetPublicKey(ctx context.Context, req *kmspb.GetPublicKeyRequest, opts ...gax.CallOption) (*kmspb.PublicKey, error) { + return c.client.GetPublicKey(ctx, req, opts...) +} + +func (c *kmsClient) GetTokeninfo() (*oauth2.Tokeninfo, error) { + return c.oauth2Service.Tokeninfo().Do() +} + +func (c *kmsClient) ListCryptoKeys(ctx context.Context, req *kmspb.ListCryptoKeysRequest, opts ...gax.CallOption) cryptoKeyIterator { + return c.client.ListCryptoKeys(ctx, req, opts...) +} + +func (c *kmsClient) ListCryptoKeyVersions(ctx context.Context, req *kmspb.ListCryptoKeyVersionsRequest, opts ...gax.CallOption) cryptoKeyVersionIterator { + return c.client.ListCryptoKeyVersions(ctx, req, opts...) 
+} + +func (c *kmsClient) ResourceIAM(resourcePath string) iamHandler { + return &iamHandle{ + h: c.client.ResourceIAM(resourcePath), + } +} + +func (c *kmsClient) SetIamPolicy(ctx context.Context, req *iampb.SetIamPolicyRequest, opts ...gax.CallOption) (*iampb.Policy, error) { + return c.client.SetIamPolicy(ctx, req, opts...) +} + +func (c *kmsClient) UpdateCryptoKey(ctx context.Context, req *kmspb.UpdateCryptoKeyRequest, opts ...gax.CallOption) (*kmspb.CryptoKey, error) { + return c.client.UpdateCryptoKey(ctx, req, opts...) +} + +type cryptoKeyIterator interface { + Next() (*kmspb.CryptoKey, error) +} + +type cryptoKeyVersionIterator interface { + Next() (*kmspb.CryptoKeyVersion, error) +} + +type iamHandler interface { + V3() iamHandler3 +} + +type iamHandler3 interface { + Policy(context.Context) (*iam.Policy3, error) + SetPolicy(context.Context, *iam.Policy3) error +} + +type iamHandle struct { + h *iam.Handle +} + +func (i *iamHandle) V3() iamHandler3 { + return i.h.V3() +} + +func newKMSClient(ctx context.Context, opts ...option.ClientOption) (cloudKeyManagementService, error) { + client, err := kms.NewKeyManagementClient(ctx, opts...) + if err != nil { + return nil, err + } + + oauth2Service, err := oauth2.NewService(ctx, opts...) + if err != nil { + return nil, err + } + + return &kmsClient{ + client: client, + oauth2Service: oauth2Service, + }, nil +} diff --git a/pkg/server/plugin/keymanager/gcpkms/client_fake.go b/pkg/server/plugin/keymanager/gcpkms/client_fake.go new file mode 100644 index 0000000000..b08ddc32ff --- /dev/null +++ b/pkg/server/plugin/keymanager/gcpkms/client_fake.go 
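Review bot: `newKMSClient` leaks the KMS client when `oauth2.NewService` fails: the `*kms.KeyManagementClient` created just above is never closed on that path, so its underlying connection stays open. Close it before returning, `if err != nil { _ = client.Close(); return nil, err }`. Separately, `kmsClient.SetIamPolicy` is not part of `cloudKeyManagementService`, so nothing holding the interface can call it and the `iampb` import exists only for it; either add it to the interface or drop the method. `GetTokeninfo` issues its HTTP call without a context, so it cannot be cancelled or bounded by the caller's deadline. Taking a `ctx` and calling `c.oauth2Service.Tokeninfo().Context(ctx).Do()` would fix that, at the cost of a signature change in the interface.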
@@ -0,0 +1,738 @@ +package gcpkms + +import ( + "bytes" + "context" + "crypto" + "crypto/ecdsa" + "crypto/rand" + "crypto/rsa" + "crypto/x509" + "encoding/pem" + "errors" + "fmt" + "path" + "reflect" + "strings" + "sync" + "testing" + + "cloud.google.com/go/iam" + "cloud.google.com/go/kms/apiv1/kmspb" + "github.com/googleapis/gax-go/v2" + "github.com/spiffe/spire/test/clock" + "github.com/spiffe/spire/test/testkey" + "google.golang.org/api/iterator" + "google.golang.org/api/oauth2/v2" + "google.golang.org/api/option" + iampb "google.golang.org/genproto/googleapis/iam/v1" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" + "google.golang.org/protobuf/types/known/timestamppb" + "google.golang.org/protobuf/types/known/wrapperspb" +) + +type fakeCryptoKeyIterator struct { + mu sync.RWMutex + + index int + cryptoKeys []*kmspb.CryptoKey + nextErr error +} + +func (i *fakeCryptoKeyIterator) Next() (cryptoKey *kmspb.CryptoKey, err error) { + i.mu.Lock() + defer i.mu.Unlock() + + if i.nextErr != nil { + return nil, i.nextErr + } + + if i.index >= len(i.cryptoKeys) { + return nil, iterator.Done + } + + cryptoKey = i.cryptoKeys[i.index] + i.index++ + return cryptoKey, nil +} + +type fakeCryptoKeyVersionIterator struct { + mu sync.RWMutex + + index int + cryptoKeyVersions []*kmspb.CryptoKeyVersion + nextErr error +} + +func (i *fakeCryptoKeyVersionIterator) Next() (cryptoKeyVersion *kmspb.CryptoKeyVersion, err error) { + i.mu.Lock() + defer i.mu.Unlock() + + if i.nextErr != nil { + return nil, i.nextErr + } + + if i.index >= len(i.cryptoKeyVersions) { + return nil, iterator.Done + } + + cryptoKeyVersion = i.cryptoKeyVersions[i.index] + i.index++ + return cryptoKeyVersion, nil +} + +type fakeCryptoKey struct { + mu sync.RWMutex + *kmspb.CryptoKey + fakeCryptoKeyVersions map[string]*fakeCryptoKeyVersion +} + +func (fck *fakeCryptoKey) fetchFakeCryptoKeyVersions() map[string]*fakeCryptoKeyVersion { + fck.mu.RLock() + defer fck.mu.RUnlock() + + if 
fck.fakeCryptoKeyVersions == nil { + return nil + } + + fakeCryptoKeyVersions := make(map[string]*fakeCryptoKeyVersion, len(fck.fakeCryptoKeyVersions)) + for key, fakeCryptoKeyVersion := range fck.fakeCryptoKeyVersions { + fakeCryptoKeyVersions[key] = fakeCryptoKeyVersion + } + return fakeCryptoKeyVersions +} + +func (fck *fakeCryptoKey) getLabelValue(key string) string { + fck.mu.RLock() + defer fck.mu.RUnlock() + + return fck.Labels[key] +} + +func (fck *fakeCryptoKey) putFakeCryptoKeyVersion(fckv *fakeCryptoKeyVersion) { + fck.mu.Lock() + defer fck.mu.Unlock() + + fck.fakeCryptoKeyVersions[path.Base(fckv.Name)] = fckv +} + +type fakeCryptoKeyVersion struct { + *kmspb.CryptoKeyVersion + + privateKey crypto.Signer + publicKey *kmspb.PublicKey +} + +type fakeStore struct { + mu sync.RWMutex + fakeCryptoKeys map[string]*fakeCryptoKey + + clk *clock.Mock +} + +func (fs *fakeStore) fetchFakeCryptoKey(name string) (*fakeCryptoKey, bool) { + fs.mu.RLock() + defer fs.mu.RUnlock() + + fakeCryptoKey, ok := fs.fakeCryptoKeys[name] + return fakeCryptoKey, ok +} + +func (fs *fakeStore) fetchFakeCryptoKeys() map[string]*fakeCryptoKey { + fs.mu.RLock() + defer fs.mu.RUnlock() + + if fs.fakeCryptoKeys == nil { + return nil + } + + fakeCryptoKeys := make(map[string]*fakeCryptoKey, len(fs.fakeCryptoKeys)) + for key, fakeCryptoKey := range fs.fakeCryptoKeys { + fakeCryptoKeys[key] = fakeCryptoKey + } + return fakeCryptoKeys +} + +func (fs *fakeStore) fetchFakeCryptoKeyVersion(name string) (*fakeCryptoKeyVersion, error) { + fs.mu.RLock() + defer fs.mu.RUnlock() + + parent := path.Dir(path.Dir(name)) + fakeCryptoKey, ok := fs.fakeCryptoKeys[parent] + if !ok { + return nil, fmt.Errorf("could not get parent CryptoKey for %q CryptoKeyVersion", name) + } + + version := path.Base(name) + fakeCryptoKey.mu.RLock() + defer fakeCryptoKey.mu.RUnlock() + fakeCryptokeyVersion, ok := fakeCryptoKey.fakeCryptoKeyVersions[version] + if ok { + return fakeCryptokeyVersion, nil + } + + return nil, 
fmt.Errorf("could not find CryptoKeyVersion %q", version) +} + +func (fs *fakeStore) putFakeCryptoKey(fck *fakeCryptoKey) { + fs.mu.Lock() + defer fs.mu.Unlock() + + fs.fakeCryptoKeys[fck.Name] = fck +} + +type fakeIAMHandle struct { + mu sync.RWMutex + expectedPolicy *iam.Policy3 + policyErr error + setPolicyErr error +} + +func (h *fakeIAMHandle) V3() iamHandler3 { + h.mu.RLock() + defer h.mu.RUnlock() + + return &fakeIAMHandle3{ + expectedPolicy: h.expectedPolicy, + policyErr: h.policyErr, + setPolicyErr: h.setPolicyErr, + } +} + +func (h *fakeIAMHandle) setExpectedPolicy(expectedPolicy *iam.Policy3) { + h.mu.Lock() + defer h.mu.Unlock() + + h.expectedPolicy = expectedPolicy +} + +func (h *fakeIAMHandle) setPolicyError(fakeError error) { + h.mu.Lock() + defer h.mu.Unlock() + + h.policyErr = fakeError +} + +func (h *fakeIAMHandle) setSetPolicyErr(fakeError error) { + h.mu.Lock() + defer h.mu.Unlock() + + h.setPolicyErr = fakeError +} + +type fakeIAMHandle3 struct { + mu sync.RWMutex + expectedPolicy *iam.Policy3 + policyErr error + setPolicyErr error +} + +func (h3 *fakeIAMHandle3) Policy(context.Context) (*iam.Policy3, error) { + h3.mu.RLock() + defer h3.mu.RUnlock() + + if h3.policyErr != nil { + return nil, h3.policyErr + } + return &iam.Policy3{}, nil +} + +func (h3 *fakeIAMHandle3) SetPolicy(ctx context.Context, policy *iam.Policy3) error { + h3.mu.Lock() + defer h3.mu.Unlock() + + if h3.expectedPolicy != nil { + if !reflect.DeepEqual(h3.expectedPolicy, policy) { + return fmt.Errorf("unexpected policy: %v", policy) + } + } + + return h3.setPolicyErr +} + +type fakeKMSClient struct { + t *testing.T + + mu sync.RWMutex + asymmetricSignErr error + closeErr error + createCryptoKeyErr error + destroyCryptoKeyVersionErr error + destroyTime *timestamppb.Timestamp + fakeIAMHandle *fakeIAMHandle + getCryptoKeyVersionErr error + getPublicKeyErr error + getTokeninfoErr error + listCryptoKeysErr error + listCryptoKeyVersionsErr error + opts []option.ClientOption + 
pemCrc32C *wrapperspb.Int64Value + signatureCrc32C *wrapperspb.Int64Value + store fakeStore + tokeninfo *oauth2.Tokeninfo + updateCryptoKeyErr error +} + +func (k *fakeKMSClient) setAsymmetricSignErr(fakeError error) { + k.mu.Lock() + defer k.mu.Unlock() + + k.asymmetricSignErr = fakeError +} + +func (k *fakeKMSClient) setCreateCryptoKeyErr(fakeError error) { + k.mu.Lock() + defer k.mu.Unlock() + + k.createCryptoKeyErr = fakeError +} + +func (k *fakeKMSClient) setDestroyCryptoKeyVersionErr(fakeError error) { + k.mu.Lock() + defer k.mu.Unlock() + + k.destroyCryptoKeyVersionErr = fakeError +} + +func (k *fakeKMSClient) setDestroyTime(fakeDestroyTime *timestamppb.Timestamp) { + k.mu.Lock() + defer k.mu.Unlock() + + k.destroyTime = fakeDestroyTime +} + +func (k *fakeKMSClient) setGetCryptoKeyVersionErr(fakeError error) { + k.mu.Lock() + defer k.mu.Unlock() + + k.getCryptoKeyVersionErr = fakeError +} + +func (k *fakeKMSClient) setGetPublicKeyErr(fakeError error) { + k.mu.Lock() + defer k.mu.Unlock() + + k.getPublicKeyErr = fakeError +} + +func (k *fakeKMSClient) setGetTokeninfoErr(fakeError error) { + k.mu.Lock() + defer k.mu.Unlock() + + k.getTokeninfoErr = fakeError +} + +func (k *fakeKMSClient) setListCryptoKeysErr(fakeError error) { + k.mu.Lock() + defer k.mu.Unlock() + + k.listCryptoKeysErr = fakeError +} + +func (k *fakeKMSClient) setPEMCrc32C(pemCrc32C *wrapperspb.Int64Value) { + k.mu.Lock() + defer k.mu.Unlock() + + k.pemCrc32C = pemCrc32C +} + +func (k *fakeKMSClient) setSignatureCrc32C(signatureCrc32C *wrapperspb.Int64Value) { + k.mu.Lock() + defer k.mu.Unlock() + + k.signatureCrc32C = signatureCrc32C +} + +func (k *fakeKMSClient) setUpdateCryptoKeyErr(fakeError error) { + k.mu.Lock() + defer k.mu.Unlock() + + k.updateCryptoKeyErr = fakeError +} + +func (k *fakeKMSClient) AsymmetricSign(ctx context.Context, signReq *kmspb.AsymmetricSignRequest, opts ...gax.CallOption) (*kmspb.AsymmetricSignResponse, error) { + k.mu.RLock() + defer k.mu.RUnlock() + + if 
k.asymmetricSignErr != nil { + return nil, k.asymmetricSignErr + } + + if signReq.Digest == nil { + return nil, status.Error(codes.InvalidArgument, "plugin should be signing over a digest") + } + + fakeCryptoKeyVersion, err := k.store.fetchFakeCryptoKeyVersion(signReq.Name) + if err != nil { + return nil, err + } + + signRSA := func(digest []byte, opts crypto.SignerOpts) ([]byte, error) { + if _, ok := fakeCryptoKeyVersion.privateKey.(*rsa.PrivateKey); !ok { + return nil, status.Errorf(codes.InvalidArgument, "invalid signing algorithm for RSA key") + } + return fakeCryptoKeyVersion.privateKey.Sign(rand.Reader, digest, opts) + } + signECDSA := func(digest []byte, opts crypto.SignerOpts) ([]byte, error) { + if _, ok := fakeCryptoKeyVersion.privateKey.(*ecdsa.PrivateKey); !ok { + return nil, status.Errorf(codes.InvalidArgument, "invalid signing algorithm for ECDSA key") + } + return fakeCryptoKeyVersion.privateKey.Sign(rand.Reader, digest, opts) + } + + cryptoKeyName := path.Dir(path.Dir(signReq.Name)) + fck, ok := k.store.fetchFakeCryptoKey(cryptoKeyName) + if !ok { + return nil, status.Errorf(codes.Internal, "could not find CryptoKey %q", cryptoKeyName) + } + var signature []byte + switch fck.VersionTemplate.Algorithm { + case kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256: + signature, err = signECDSA(signReq.Digest.GetSha256(), crypto.SHA256) + case kmspb.CryptoKeyVersion_EC_SIGN_P384_SHA384: + signature, err = signECDSA(signReq.Digest.GetSha384(), crypto.SHA384) + case kmspb.CryptoKeyVersion_RSA_SIGN_PKCS1_2048_SHA256: + signature, err = signRSA(signReq.Digest.GetSha256(), crypto.SHA256) + case kmspb.CryptoKeyVersion_RSA_SIGN_PKCS1_4096_SHA256: + signature, err = signRSA(signReq.Digest.GetSha256(), crypto.SHA256) + default: + return nil, status.Errorf(codes.InvalidArgument, "unsupported signing algorithm: %s", fck.VersionTemplate.Algorithm) + } + if err != nil { + return nil, status.Errorf(codes.Internal, "unable to sign digest: %v", err) + } + + signatureCrc32C := 
&wrapperspb.Int64Value{Value: int64(crc32Checksum(signature))} + if k.signatureCrc32C != nil { + // Override the SignatureCrc32C value + signatureCrc32C = k.signatureCrc32C + } + + return &kmspb.AsymmetricSignResponse{ + Signature: signature, + SignatureCrc32C: signatureCrc32C, + Name: signReq.Name, + }, nil +} + +func (k *fakeKMSClient) Close() error { + k.mu.RLock() + defer k.mu.RUnlock() + + return k.closeErr +} + +func (k *fakeKMSClient) CreateCryptoKey(ctx context.Context, req *kmspb.CreateCryptoKeyRequest, opts ...gax.CallOption) (*kmspb.CryptoKey, error) { + k.mu.RLock() + defer k.mu.RUnlock() + + if k.createCryptoKeyErr != nil { + return nil, k.createCryptoKeyErr + } + + cryptoKey := &kmspb.CryptoKey{ + Name: path.Join(req.Parent, req.CryptoKeyId), + Labels: req.CryptoKey.Labels, + VersionTemplate: req.CryptoKey.VersionTemplate, + } + version := "1" + fckv, err := k.createFakeCryptoKeyVersion(cryptoKey, version) + if err != nil { + return nil, err + } + + fck := &fakeCryptoKey{ + CryptoKey: cryptoKey, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + version: fckv, + }, + } + k.store.putFakeCryptoKey(fck) + + return cryptoKey, nil +} + +func (k *fakeKMSClient) CreateCryptoKeyVersion(ctx context.Context, req *kmspb.CreateCryptoKeyVersionRequest, opts ...gax.CallOption) (*kmspb.CryptoKeyVersion, error) { + k.mu.Lock() + defer k.mu.Unlock() + + if k.createCryptoKeyErr != nil { + return nil, k.createCryptoKeyErr + } + + fck, ok := k.store.fakeCryptoKeys[req.Parent] + if !ok { + return nil, fmt.Errorf("could not find parent CryptoKey %q", req.Parent) + } + fckv, err := k.createFakeCryptoKeyVersion(fck.CryptoKey, fmt.Sprint(len(fck.fakeCryptoKeyVersions)+1)) + if err != nil { + return nil, err + } + + fck.putFakeCryptoKeyVersion(fckv) + + return &kmspb.CryptoKeyVersion{ + Algorithm: req.CryptoKeyVersion.Algorithm, + Name: fckv.Name, + State: kmspb.CryptoKeyVersion_ENABLED, + }, nil +} + +func (k *fakeKMSClient) DestroyCryptoKeyVersion(ctx 
context.Context, req *kmspb.DestroyCryptoKeyVersionRequest, opts ...gax.CallOption) (*kmspb.CryptoKeyVersion, error) { + if k.destroyCryptoKeyVersionErr != nil { + return nil, k.destroyCryptoKeyVersionErr + } + + parent := path.Dir(path.Dir(req.Name)) + fck, ok := k.store.fetchFakeCryptoKey(parent) + if !ok { + return nil, fmt.Errorf("could not get parent CryptoKey for %q CryptoKeyVersion", parent) + } + + fckv, err := k.store.fetchFakeCryptoKeyVersion(req.Name) + if err != nil { + return nil, err + } + + var destroyTime *timestamppb.Timestamp + if k.destroyTime != nil { + destroyTime = k.destroyTime + } else { + destroyTime = timestamppb.Now() + } + + cryptoKeyVersion := &kmspb.CryptoKeyVersion{ + DestroyTime: destroyTime, + Name: fckv.Name, + State: kmspb.CryptoKeyVersion_DESTROY_SCHEDULED, + } + + fckv.CryptoKeyVersion = cryptoKeyVersion + fck.putFakeCryptoKeyVersion(fckv) + + return cryptoKeyVersion, nil +} + +func (k *fakeKMSClient) GetCryptoKeyVersion(ctx context.Context, req *kmspb.GetCryptoKeyVersionRequest, opts ...gax.CallOption) (*kmspb.CryptoKeyVersion, error) { + k.mu.RLock() + defer k.mu.RUnlock() + + if k.getCryptoKeyVersionErr != nil { + return nil, k.getCryptoKeyVersionErr + } + + fakeCryptoKeyVersion, err := k.store.fetchFakeCryptoKeyVersion(req.Name) + if err != nil { + return nil, err + } + + return fakeCryptoKeyVersion.CryptoKeyVersion, nil +} + +func (k *fakeKMSClient) GetPublicKey(ctx context.Context, req *kmspb.GetPublicKeyRequest, opts ...gax.CallOption) (*kmspb.PublicKey, error) { + k.mu.RLock() + defer k.mu.RUnlock() + + if k.getPublicKeyErr != nil { + return nil, k.getPublicKeyErr + } + + fakeCryptoKeyVersion, err := k.store.fetchFakeCryptoKeyVersion(req.Name) + if err != nil { + return nil, err + } + + if k.pemCrc32C != nil { + // Override pemCrc32C + fakeCryptoKeyVersion.publicKey.PemCrc32C = k.pemCrc32C + } + + return fakeCryptoKeyVersion.publicKey, nil +} + +func (k *fakeKMSClient) GetTokeninfo() (*oauth2.Tokeninfo, error) { + 
k.mu.RLock() + defer k.mu.RUnlock() + + return k.tokeninfo, k.getTokeninfoErr +} + +func (k *fakeKMSClient) ListCryptoKeys(ctx context.Context, req *kmspb.ListCryptoKeysRequest, opts ...gax.CallOption) cryptoKeyIterator { + k.mu.RLock() + defer k.mu.RUnlock() + + if k.listCryptoKeysErr != nil { + return &fakeCryptoKeyIterator{nextErr: k.listCryptoKeysErr} + } + var cryptoKeys []*kmspb.CryptoKey + fakeCryptoKeys := k.store.fetchFakeCryptoKeys() + + for _, fck := range fakeCryptoKeys { + // Make sure that it's within the same Key Ring. + // The Key Ring name es specified in req.Parent. + // The Key Ring name is three levels up from the CryptoKey name. + if req.Parent != path.Dir(path.Dir(path.Dir(fck.Name))) { + // Key Ring doesn't match. + continue + } + + // We Have a simplified filtering logic in this fake implementation, + // where we only care about the spire-active label. + if req.Filter != "" { + if !strings.Contains(req.Filter, "labels.spire-active = true") { + { + k.t.Fatal("Unsupported filter in ListCryptoKeys request") + } + if fck.Labels[labelNameActive] != "true" { + continue + } + } + } + + cryptoKeys = append(cryptoKeys, fck.CryptoKey) + } + + return &fakeCryptoKeyIterator{cryptoKeys: cryptoKeys} +} + +func (k *fakeKMSClient) ListCryptoKeyVersions(ctx context.Context, req *kmspb.ListCryptoKeyVersionsRequest, opts ...gax.CallOption) cryptoKeyVersionIterator { + k.mu.RLock() + defer k.mu.RUnlock() + + if k.listCryptoKeyVersionsErr != nil { + return &fakeCryptoKeyVersionIterator{nextErr: k.listCryptoKeyVersionsErr} + } + + var cryptoKeyVersions []*kmspb.CryptoKeyVersion + fck, ok := k.store.fakeCryptoKeys[req.Parent] + if !ok { + return &fakeCryptoKeyVersionIterator{nextErr: errors.New("parent CryptoKey not found")} + } + + for _, fckv := range fck.fakeCryptoKeyVersions { + // We Have a simplified filtering logic in this fake implementation, + // where we only support filtering by enabled status. 
+ if req.Filter != "" { + if req.Filter != "state = "+kmspb.CryptoKeyVersion_ENABLED.String() { + k.t.Fatal("Unsupported filter in ListCryptoKeyVersions request") + } + if fckv.State != kmspb.CryptoKeyVersion_ENABLED { + continue + } + } + cryptoKeyVersions = append(cryptoKeyVersions, fckv.CryptoKeyVersion) + } + + return &fakeCryptoKeyVersionIterator{cryptoKeyVersions: cryptoKeyVersions} +} + +func (k *fakeKMSClient) ResourceIAM(string) iamHandler { + k.mu.RLock() + defer k.mu.RUnlock() + + return k.fakeIAMHandle +} + +func (k *fakeKMSClient) UpdateCryptoKey(ctx context.Context, req *kmspb.UpdateCryptoKeyRequest, opts ...gax.CallOption) (*kmspb.CryptoKey, error) { + if k.updateCryptoKeyErr != nil { + return nil, k.updateCryptoKeyErr + } + + fck, ok := k.store.fetchFakeCryptoKey(req.CryptoKey.Name) + if !ok { + return nil, fmt.Errorf("could not find CryptoKey %q", req.CryptoKey.Name) + } + + k.mu.Lock() + defer k.mu.Unlock() + + fck.mu.Lock() + defer fck.mu.Unlock() + + fck.CryptoKey = req.CryptoKey + return fck.CryptoKey, nil +} + +func (k *fakeKMSClient) createFakeCryptoKeyVersion(cryptoKey *kmspb.CryptoKey, version string) (*fakeCryptoKeyVersion, error) { + var privateKey crypto.Signer + var testKeys testkey.Keys + + switch cryptoKey.VersionTemplate.Algorithm { + case kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256: + privateKey = testKeys.NewEC256(k.t) + case kmspb.CryptoKeyVersion_EC_SIGN_P384_SHA384: + privateKey = testKeys.NewEC384(k.t) + case kmspb.CryptoKeyVersion_RSA_SIGN_PKCS1_2048_SHA256: + privateKey = testKeys.NewRSA2048(k.t) + case kmspb.CryptoKeyVersion_RSA_SIGN_PKCS1_4096_SHA256: + privateKey = testKeys.NewRSA4096(k.t) + default: + return nil, fmt.Errorf("unknown algorithm %q", cryptoKey.VersionTemplate.Algorithm) + } + + pkixData, err := x509.MarshalPKIXPublicKey(privateKey.Public()) + if err != nil { + return nil, err + } + pemCert := new(bytes.Buffer) + if err = pem.Encode(pemCert, &pem.Block{ + Type: "CERTIFICATE", + Bytes: pkixData, + }); err != 
nil { + return nil, err + } + + return &fakeCryptoKeyVersion{ + privateKey: privateKey, + publicKey: &kmspb.PublicKey{ + Pem: pemCert.String(), + PemCrc32C: &wrapperspb.Int64Value{Value: int64(crc32Checksum(pemCert.Bytes()))}, + }, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Name: path.Join(cryptoKey.Name, "cryptoKeyVersions", version), + Algorithm: cryptoKey.VersionTemplate.Algorithm, + }, + }, nil +} + +func (k *fakeKMSClient) getDefaultPolicy() *iam.Policy3 { + k.mu.RLock() + defer k.mu.RUnlock() + + policy := new(iam.Policy3) + policy.Bindings = []*iampb.Binding{ + { + Role: "roles/cloudkms.signerVerifier", + Members: []string{fmt.Sprintf("serviceAccount:%s", k.tokeninfo.Email)}, + }, + } + return policy +} + +func (k *fakeKMSClient) putFakeCryptoKeys(fakeCryptoKeys []*fakeCryptoKey) { + for _, fck := range fakeCryptoKeys { + k.store.putFakeCryptoKey(&fakeCryptoKey{ + CryptoKey: fck.CryptoKey, + fakeCryptoKeyVersions: fck.fakeCryptoKeyVersions, + }) + } +} + +func newKMSClientFake(t *testing.T, c *clock.Mock) *fakeKMSClient { + return &fakeKMSClient{ + fakeIAMHandle: &fakeIAMHandle{}, + store: newFakeStore(c), + t: t, + tokeninfo: &oauth2.Tokeninfo{ + Email: "email@example.org", + }, + } +} + +func newFakeStore(c *clock.Mock) fakeStore { + return fakeStore{ + fakeCryptoKeys: make(map[string]*fakeCryptoKey), + clk: c, + } +} diff --git a/pkg/server/plugin/keymanager/gcpkms/fetcher.go b/pkg/server/plugin/keymanager/gcpkms/fetcher.go new file mode 100644 index 0000000000..a418b24f80 --- /dev/null +++ b/pkg/server/plugin/keymanager/gcpkms/fetcher.go 
@@ -0,0 +1,172 @@
+package gcpkms
+
+import (
+ "context"
+ "errors"
+ "fmt"
+ "strings"
+ "sync"
+
+ "cloud.google.com/go/kms/apiv1/kmspb"
+ "github.com/hashicorp/go-hclog"
+ keymanagerv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/keymanager/v1"
+ "golang.org/x/sync/errgroup"
+ "google.golang.org/api/iterator"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+type keyFetcher struct {
+ keyRing string
+ kmsClient cloudKeyManagementService
+ log hclog.Logger
+ serverID string
+ tdHash string
+}
+
+// fetchKeyEntries requests Cloud KMS to get the list of CryptoKeys that are
+// active in this server. They are returned as a keyEntry array.
+func (kf *keyFetcher) fetchKeyEntries(ctx context.Context) ([]*keyEntry, error) {
+ var keyEntries []*keyEntry
+ var keyEntriesMutex sync.Mutex
+ g, ctx := errgroup.WithContext(ctx)
+
+ it := kf.kmsClient.ListCryptoKeys(ctx, &kmspb.ListCryptoKeysRequest{
+ Parent: kf.keyRing,
+ Filter: fmt.Sprintf("labels.%s = %s AND labels.%s = %s AND labels.%s = true",
+ labelNameServerTD, kf.tdHash, labelNameServerID, kf.serverID, labelNameActive),
+ })
+ for {
+ cryptoKey, err := it.Next()
+ if errors.Is(err, iterator.Done) {
+ break
+ }
+ if err != nil {
+ return nil, status.Errorf(codes.Internal, "failed to list SPIRE Server keys in Cloud KMS: %v", err)
+ }
+ spireKeyID, ok := getSPIREKeyIDFromCryptoKeyName(cryptoKey.Name)
+ if !ok {
+ kf.log.Warn("Could not get SPIRE Key ID from CryptoKey", cryptoKeyNameTag, cryptoKey.Name)
+ continue
+ }
+
+ // Trigger a goroutine to get the details of the key
+ g.Go(func() error {
+ entries, err := kf.getKeyEntriesFromCryptoKey(ctx, cryptoKey, spireKeyID)
+ if err != nil {
+ return err
+ }
+ if entries == nil {
+ return nil
+ }
+
+ keyEntriesMutex.Lock()
+ keyEntries = append(keyEntries, entries...)
+ keyEntriesMutex.Unlock()
+ return nil
+ })
+ }
+
+ // Wait for all the detail gathering routines to finish.
+ if err := g.Wait(); err != nil {
+ statusErr := status.Convert(err)
+ return nil, status.Errorf(statusErr.Code(), "failed to fetch entries: %v", statusErr.Message())
+ }
+
+ return keyEntries, nil
+}
+
+// getKeyEntriesFromCryptoKey builds an array of keyEntry values from the provided
+// CryptoKey. In order to do that, Cloud KMS is requested to list the
+// CryptoKeyVersions of the CryptoKey. The public key of the CryptoKeyVersion is
+// also retrieved from each CryptoKey to construct each keyEntry.
+func (kf *keyFetcher) getKeyEntriesFromCryptoKey(ctx context.Context, cryptoKey *kmspb.CryptoKey, spireKeyID string) (keyEntries []*keyEntry, err error) {
+ if cryptoKey == nil {
+ return nil, status.Error(codes.Internal, "cryptoKey is nil")
+ }
+
+ it := kf.kmsClient.ListCryptoKeyVersions(ctx, &kmspb.ListCryptoKeyVersionsRequest{
+ Parent: cryptoKey.Name,
+ // Filter by state, so only enabled keys are returned. This will leave
+ // out all the versions that have been rotated.
+ Filter: "state = " + kmspb.CryptoKeyVersion_ENABLED.String(),
+ })
+ for {
+ cryptoKeyVersion, err := it.Next()
+ if errors.Is(err, iterator.Done) {
+ break
+ }
+ if err != nil {
+ return nil, status.Errorf(codes.Internal, "failure listing CryptoKeyVersions: %v", err)
+ }
+ keyType, ok := keyTypeFromCryptoKeyVersionAlgorithm(cryptoKeyVersion.Algorithm)
+ if !ok {
+ return nil, status.Errorf(codes.Internal, "unsupported CryptoKeyVersionAlgorithm: %v", cryptoKeyVersion.Algorithm)
+ }
+
+ pubKey, err := getPublicKeyFromCryptoKeyVersion(ctx, kf.kmsClient, cryptoKeyVersion.Name)
+ if err != nil {
+ return nil, status.Errorf(codes.Internal, "error getting public key: %v", err)
+ }
+
+ keyEntry := &keyEntry{
+ cryptoKey: cryptoKey,
+ cryptoKeyVersionName: cryptoKeyVersion.Name,
+ publicKey: &keymanagerv1.PublicKey{
+ Id: spireKeyID,
+ Type: keyType,
+ PkixData: pubKey,
+ Fingerprint: makeFingerprint(pubKey),
+ },
+ }
+
+ keyEntries = append(keyEntries, keyEntry)
+ }
+
+ return keyEntries, nil
+}
+
+// getSPIREKeyIDFromCryptoKeyName parses a CryptoKey resource name to get the
+// SPIRE Key ID. This Key ID is used in the Server KeyManager interface.
+func getSPIREKeyIDFromCryptoKeyName(cryptoKeyName string) (string, bool) {
+ // cryptoKeyName is the resource name for the CryptoKey holding the SPIRE Key
+ // in the format: projects/*/locations/*/keyRings/*/cryptoKeys/spire-key-*-*.
+ // Example: projects/project-name/locations/us-east1/keyRings/key-ring-name/cryptoKeys/spire-key-1f2e225a-91d8-4589-a4fe-f88b7bb04bac-x509-CA-A
+
+ // Get the last element of the path.
+ i := strings.LastIndex(cryptoKeyName, "/")
+ if i < 0 {
+ // All CryptoKeys are under a Key Ring; not a valid Crypto Key name.
+ return "", false
+ }
+
+ // The i index will indicate us where
+ // "spire-key-1f2e225a-91d8-4589-a4fe-f88b7bb04bac-x509-CA-A" starts.
+ // Now we have to get the position where the SPIRE Key ID starts.
+ // For that, we need to add the length of the CryptoKey name prefix that we
+ // are using, the UUID length, and the two "-" separators used in our format.
+ spireKeyIDIndex := i + len(cryptoKeyNamePrefix) + 39 // 39 is the UUID length plus two '-' separators
+ if spireKeyIDIndex >= len(cryptoKeyName) {
+ // The index is out of range.
+ return "", false
+ }
+ spireKeyID := cryptoKeyName[spireKeyIDIndex:]
+ return spireKeyID, true
+}
+
+// keyTypeFromCryptoKeyVersionAlgorithm gets the KeyType that corresponds to the
+// given CryptoKeyVersion_CryptoKeyVersionAlgorithm.
+func keyTypeFromCryptoKeyVersionAlgorithm(algorithm kmspb.CryptoKeyVersion_CryptoKeyVersionAlgorithm) (keymanagerv1.KeyType, bool) {
+ switch algorithm {
+ case kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256:
+ return keymanagerv1.KeyType_EC_P256, true
+ case kmspb.CryptoKeyVersion_EC_SIGN_P384_SHA384:
+ return keymanagerv1.KeyType_EC_P384, true
+ case kmspb.CryptoKeyVersion_RSA_SIGN_PKCS1_2048_SHA256:
+ return keymanagerv1.KeyType_RSA_2048, true
+ case kmspb.CryptoKeyVersion_RSA_SIGN_PKCS1_4096_SHA256:
+ return keymanagerv1.KeyType_RSA_4096, true
+ default:
+ return keymanagerv1.KeyType_UNSPECIFIED_KEY_TYPE, false
+ }
+}
diff --git a/pkg/server/plugin/keymanager/gcpkms/gcpkms.go b/pkg/server/plugin/keymanager/gcpkms/gcpkms.go
new file mode 100644
index 0000000000..f30cfa763a
--- /dev/null
+++ b/pkg/server/plugin/keymanager/gcpkms/gcpkms.go
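Review bot: In fetcher.go, getSPIREKeyIDFromCryptoKeyName cuts the name at a fixed offset without checking that the last path element starts with `cryptoKeyNamePrefix`, so any CryptoKey with a long enough name produces a SPIRE Key ID taken from an arbitrary position. fetchKeyEntries selects keys by label filter alone, so a key in the same key ring that carries the three labels but was not created by this plugin would presumably be cached and later used for signing under that mangled ID. A guard before `spireKeyIDIndex` is computed, `if !strings.HasPrefix(cryptoKeyName[i+1:], cryptoKeyNamePrefix+"-") { return "", false }`, makes the existing warn-and-skip path in fetchKeyEntries cover those keys. The comment on 39 also omits the leading "/" that the offset counts; `// 39 = "/" + "-" + 36-character UUID + "-"` matches the arithmetic.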
@@ -0,0 +1,1082 @@ +package gcpkms + +import ( + "context" + "crypto/sha1" //nolint: gosec // We use sha1 to hash trust domain names in 128 bytes to avoid label value restrictions + "crypto/sha256" + "encoding/hex" + "encoding/json" + "encoding/pem" + "errors" + "fmt" + "hash/crc32" + "os" + "strings" + "sync" + "time" + + "cloud.google.com/go/iam" + "cloud.google.com/go/kms/apiv1/kmspb" + "github.com/andres-erbsen/clock" + "github.com/gofrs/uuid" + "github.com/hashicorp/go-hclog" + "github.com/hashicorp/hcl" + keymanagerv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/keymanager/v1" + configv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/service/common/config/v1" + "github.com/spiffe/spire/pkg/common/catalog" + "google.golang.org/api/iterator" + "google.golang.org/api/option" + iampb "google.golang.org/genproto/googleapis/iam/v1" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" + "google.golang.org/protobuf/types/known/fieldmaskpb" +) + +const ( + pluginName = "gcp_kms" + + algorithmTag = "algorithm" + cryptoKeyNameTag = "crypto_key_name" + cryptoKeyVersionNameTag = "crypto_key_version_name" + cryptoKeyVersionStateTag = "crypto_key_version_state" + scheduledDestroyTimeTag = "scheduled_destroy_time" + reasonTag = "reason" + + disposeCryptoKeysFrequency = time.Hour * 48 + keepActiveCryptoKeysFrequency = time.Hour * 6 + maxStaleDuration = time.Hour * 24 * 14 // Two weeks. 
+ + cryptoKeyNamePrefix = "spire-key" + labelNameServerID = "spire-server-id" + labelNameLastUpdate = "spire-last-update" + labelNameServerTD = "spire-server-td" + labelNameActive = "spire-active" +) + +func BuiltIn() catalog.BuiltIn { + return builtin(New()) +} + +func builtin(p *Plugin) catalog.BuiltIn { + return catalog.MakeBuiltIn(pluginName, + keymanagerv1.KeyManagerPluginServer(p), + configv1.ConfigServiceServer(p), + ) +} + +type keyEntry struct { + cryptoKey *kmspb.CryptoKey + cryptoKeyVersionName string + publicKey *keymanagerv1.PublicKey +} + +type pluginHooks struct { + newKMSClient func(context.Context, ...option.ClientOption) (cloudKeyManagementService, error) + + clk clock.Clock + + // Used for testing only. + disposeCryptoKeysSignal chan error + enqueueDestructionSignal chan error + keepActiveCryptoKeysSignal chan error + scheduleDestroySignal chan error + setInactiveSignal chan error +} + +type pluginData struct { + customPolicy *iam.Policy3 + serverID string + tdHash string +} + +// Plugin is the main representation of this keymanager plugin. +type Plugin struct { + keymanagerv1.UnsafeKeyManagerServer + configv1.UnsafeConfigServer + + cancelTasks context.CancelFunc + + config *Config + configMtx sync.RWMutex + + entries map[string]keyEntry + entriesMtx sync.RWMutex + + pd *pluginData + pdMtx sync.RWMutex + + hooks pluginHooks + kmsClient cloudKeyManagementService + log hclog.Logger + scheduleDestroy chan string +} + +// Config provides configuration context for the plugin. +type Config struct { + // File path location where key metadata used by the plugin is persisted. + KeyMetadataFile string `hcl:"key_metadata_file" json:"key_metadata_file"` + + // File path location to a custom IAM Policy (v3) that will be set to + // created CryptoKeys. 
+ KeyPolicyFile string `hcl:"key_policy_file" json:"key_policy_file"` + + // KeyRing is the resource ID of the key ring where the keys managed by this + // plugin reside, in the format projects/*/locations/*/keyRings/*. + KeyRing string `hcl:"key_ring" json:"key_ring"` + + // Path to the service account file used to authenticate with the Cloud KMS + // API. If not specified, the value of the GOOGLE_APPLICATION_CREDENTIALS + // environment variable is used. + ServiceAccountFile string `hcl:"service_account_file" json:"service_account_file"` +} + +// New returns an instantiated plugin. +func New() *Plugin { + return newPlugin(newKMSClient) +} + +// newPlugin returns a new plugin instance. +func newPlugin( + newKMSClient func(context.Context, ...option.ClientOption) (cloudKeyManagementService, error), +) *Plugin { + return &Plugin{ + entries: make(map[string]keyEntry), + hooks: pluginHooks{ + newKMSClient: newKMSClient, + clk: clock.New(), + }, + scheduleDestroy: make(chan string, 120), + } +} + +func (p *Plugin) Close() error { + p.log.Debug("Closing the connection to the Cloud KMS API service") + return p.kmsClient.Close() +} + +// Configure sets up the plugin. +func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) (*configv1.ConfigureResponse, error) { + config, err := parseAndValidateConfig(req.HclConfiguration) + if err != nil { + return nil, err + } + + serverID, err := getOrCreateServerID(config.KeyMetadataFile) + if err != nil { + return nil, err + } + p.log.Debug("Loaded server ID", "server_id", serverID) + var customPolicy *iam.Policy3 + if config.KeyPolicyFile != "" { + if customPolicy, err = parsePolicyFile(config.KeyPolicyFile); err != nil { + return nil, status.Errorf(codes.Internal, "could not parse policy file: %v", err) + } + } + + // Label values do not allow "." and have a maximum length of 63 characters. 
+ // https://cloud.google.com/kms/docs/creating-managing-labels#requirements + // Hash the trust domain name to avoid restrictions. + tdHashBytes := sha1.Sum([]byte(req.CoreConfiguration.TrustDomain)) //nolint: gosec // We use sha1 to hash trust domain names in 128 bytes to avoid label restrictions + tdHashString := hex.EncodeToString(tdHashBytes[:]) + + p.setPluginData(&pluginData{ + customPolicy: customPolicy, + serverID: serverID, + tdHash: tdHashString, + }) + + var opts []option.ClientOption + if config.ServiceAccountFile != "" { + opts = append(opts, option.WithCredentialsFile(config.ServiceAccountFile)) + } + + kc, err := p.hooks.newKMSClient(ctx, opts...) + if err != nil { + return nil, status.Errorf(codes.Internal, "failed to create Google Cloud KMS client: %v", err) + } + + fetcher := &keyFetcher{ + keyRing: config.KeyRing, + kmsClient: kc, + log: p.log, + serverID: serverID, + tdHash: tdHashString, + } + p.log.Debug("Fetching keys from Cloud KMS", "key_ring", config.KeyRing) + keyEntries, err := fetcher.fetchKeyEntries(ctx) + if err != nil { + return nil, err + } + + p.setCache(keyEntries) + p.kmsClient = kc + + // Cancel previous tasks in case of re configure. + if p.cancelTasks != nil { + p.cancelTasks() + } + + p.configMtx.Lock() + defer p.configMtx.Unlock() + p.config = config + + // Start long-running tasks. + ctx, p.cancelTasks = context.WithCancel(context.Background()) + go p.scheduleDestroyTask(ctx) + go p.keepActiveCryptoKeysTask(ctx) + go p.disposeCryptoKeysTask(ctx) + + return &configv1.ConfigureResponse{}, nil +} + +// GenerateKey creates a key in KMS. If a key already exists in the local storage, +// it is updated. 
+func (p *Plugin) GenerateKey(ctx context.Context, req *keymanagerv1.GenerateKeyRequest) (*keymanagerv1.GenerateKeyResponse, error) { + if req.KeyId == "" { + return nil, status.Error(codes.InvalidArgument, "key id is required") + } + if req.KeyType == keymanagerv1.KeyType_UNSPECIFIED_KEY_TYPE { + return nil, status.Error(codes.InvalidArgument, "key type is required") + } + + pubKey, err := p.createKey(ctx, req.KeyId, req.KeyType) + if err != nil { + return nil, status.Errorf(codes.Internal, "failed to generate key: %v", err) + } + + return &keymanagerv1.GenerateKeyResponse{ + PublicKey: pubKey, + }, nil +} + +// GetPublicKey returns the public key for a given key +func (p *Plugin) GetPublicKey(ctx context.Context, req *keymanagerv1.GetPublicKeyRequest) (*keymanagerv1.GetPublicKeyResponse, error) { + if req.KeyId == "" { + return nil, status.Error(codes.InvalidArgument, "key id is required") + } + + entry, ok := p.getKeyEntry(req.KeyId) + if !ok { + return nil, status.Errorf(codes.NotFound, "key %q not found", req.KeyId) + } + + return &keymanagerv1.GetPublicKeyResponse{ + PublicKey: entry.publicKey, + }, nil +} + +// GetPublicKeys returns the publicKey for all the keys. +func (p *Plugin) GetPublicKeys(context.Context, *keymanagerv1.GetPublicKeysRequest) (*keymanagerv1.GetPublicKeysResponse, error) { + var keys []*keymanagerv1.PublicKey + p.entriesMtx.RLock() + defer p.entriesMtx.RUnlock() + for _, key := range p.entries { + keys = append(keys, key.publicKey) + } + + return &keymanagerv1.GetPublicKeysResponse{PublicKeys: keys}, nil +} + +// SetLogger sets a logger. +func (p *Plugin) SetLogger(log hclog.Logger) { + p.log = log +} + +// SignData creates a digital signature for the data to be signed. 
+func (p *Plugin) SignData(ctx context.Context, req *keymanagerv1.SignDataRequest) (*keymanagerv1.SignDataResponse, error) { + if req.KeyId == "" { + return nil, status.Error(codes.InvalidArgument, "key id is required") + } + if req.SignerOpts == nil { + return nil, status.Error(codes.InvalidArgument, "signer opts is required") + } + + keyEntry, hasKey := p.getKeyEntry(req.KeyId) + if !hasKey { + return nil, status.Errorf(codes.NotFound, "key %q not found", req.KeyId) + } + + var ( + hashAlgo keymanagerv1.HashAlgorithm + digest *kmspb.Digest + ) + switch opts := req.SignerOpts.(type) { + case *keymanagerv1.SignDataRequest_HashAlgorithm: + hashAlgo = opts.HashAlgorithm + case *keymanagerv1.SignDataRequest_PssOptions: + // RSASSA-PSS is not supported by this plugin. + // See the comment in cryptoKeyVersionAlgorithmFromKeyType function for + // more details. + return nil, status.Error(codes.InvalidArgument, "the only RSA signature scheme supported is RSASSA-PKCS1-v1_5") + default: + return nil, status.Errorf(codes.InvalidArgument, "unsupported signer opts type %T", opts) + } + switch { + case hashAlgo == keymanagerv1.HashAlgorithm_UNSPECIFIED_HASH_ALGORITHM: + return nil, status.Error(codes.InvalidArgument, "hash algorithm is required") + case hashAlgo == keymanagerv1.HashAlgorithm_SHA256: + digest = &kmspb.Digest{ + Digest: &kmspb.Digest_Sha256{Sha256: req.Data}, + } + case hashAlgo == keymanagerv1.HashAlgorithm_SHA384: + digest = &kmspb.Digest{ + Digest: &kmspb.Digest_Sha384{Sha384: req.Data}, + } + default: + return nil, status.Error(codes.InvalidArgument, "hash algorithm not supported") + } + + signResp, err := p.kmsClient.AsymmetricSign(ctx, &kmspb.AsymmetricSignRequest{ + Name: keyEntry.cryptoKeyVersionName, + Digest: digest, + }) + if err != nil { + return nil, status.Errorf(codes.Internal, "failed to sign: %v", err) + } + + // Perform integrity verification. 
+ if int64(crc32Checksum(signResp.Signature)) != signResp.SignatureCrc32C.Value { + return nil, status.Error(codes.Internal, "error signing: response corrupted in-transit") + } + + return &keymanagerv1.SignDataResponse{ + Signature: signResp.Signature, + KeyFingerprint: keyEntry.publicKey.Fingerprint, + }, nil +} + +// createKey creates a new CryptoKey with a new CryptoKeyVersion in Cloud KMS +// if there is not already a cached entry with the specified SPIRE Key ID. +// If the cache already has an entry with this SPIRE Key ID, a new +// CryptoKeyVersion is added to the corresponding CryptoKey in Cloud KMS and the +// old CryptoKeyVersion is enqueued for destruction. +// If there is a specified IAM policy through the KeyPolicyFile configuration, +// that policy is set to the created CryptoKey. If there is no IAM policy specified, +// a default policy is constructed and attached. This function requests Cloud KMS +// to get the public key of the created CryptoKeyVersion. A keyEntry is returned +// with the CryptoKey, CryptoKeyVersion and public key. +func (p *Plugin) createKey(ctx context.Context, spireKeyID string, keyType keymanagerv1.KeyType) (*keymanagerv1.PublicKey, error) { + // If we already have this SPIRE Key ID cached, a new CryptoKeyVersion is + // added to the existing CryptoKey and the cache is updated. The old + // CryptoKeyVersion is enqueued for destruction. 
+ if entry, ok := p.getKeyEntry(spireKeyID); ok { + return p.addCryptoKeyVersionToCachedEntry(ctx, entry, spireKeyID, keyType) + } + + algorithm, err := cryptoKeyVersionAlgorithmFromKeyType(keyType) + if err != nil { + return nil, err + } + + cryptoKeyID, err := p.generateCryptoKeyID(spireKeyID) + if err != nil { + return nil, fmt.Errorf("could not generate CryptoKeyID: %w", err) + } + + cryptoKeyLabels, err := p.getCryptoKeyLabels() + if err != nil { + return nil, status.Errorf(codes.Internal, "could not get CryptoKey labels: %v", err) + } + + config, err := p.getConfig() + if err != nil { + return nil, err + } + + cryptoKey, err := p.kmsClient.CreateCryptoKey(ctx, &kmspb.CreateCryptoKeyRequest{ + CryptoKey: &kmspb.CryptoKey{ + Labels: cryptoKeyLabels, + Purpose: kmspb.CryptoKey_ASYMMETRIC_SIGN, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{ + Algorithm: algorithm, + }, + }, + CryptoKeyId: cryptoKeyID, + Parent: config.KeyRing, + }) + if err != nil { + return nil, status.Errorf(codes.Internal, "failed to create CryptoKey: %v", err) + } + + log := p.log.With(cryptoKeyNameTag, cryptoKey.Name) + log.Debug("CryptoKey created", algorithmTag, algorithm) + + if err := p.setIamPolicy(ctx, cryptoKey.Name); err != nil { + log.Debug("Failed to set IAM policy") + return nil, status.Errorf(codes.Internal, "failed to set IAM policy: %v", err) + } + + cryptoKeyVersionName := cryptoKey.Name + "/cryptoKeyVersions/1" + log.Debug("CryptoKeyVersion version added", cryptoKeyVersionNameTag, cryptoKeyVersionName) + + pubKey, err := getPublicKeyFromCryptoKeyVersion(ctx, p.kmsClient, cryptoKeyVersionName) + if err != nil { + return nil, status.Errorf(codes.Internal, "failed to get public key: %v", err) + } + newKeyEntry := keyEntry{ + cryptoKey: cryptoKey, + cryptoKeyVersionName: cryptoKeyVersionName, + publicKey: &keymanagerv1.PublicKey{ + Id: spireKeyID, + Type: keyType, + PkixData: pubKey, + Fingerprint: makeFingerprint(pubKey), + }, + } + + p.setKeyEntry(spireKeyID, newKeyEntry) 
+ return newKeyEntry.publicKey, nil +} + +// addCryptoKeyVersionToCachedEntry adds a new CryptoKeyVersion to an existing +// CryptoKey, updating the cached entries. +func (p *Plugin) addCryptoKeyVersionToCachedEntry(ctx context.Context, entry keyEntry, spireKeyID string, keyType keymanagerv1.KeyType) (*keymanagerv1.PublicKey, error) { + algorithm, err := cryptoKeyVersionAlgorithmFromKeyType(keyType) + if err != nil { + return nil, err + } + + // Check if the algorithm has changed and update if needed. + if entry.cryptoKey.VersionTemplate.Algorithm != algorithm { + entry.cryptoKey.VersionTemplate.Algorithm = algorithm + _, err := p.kmsClient.UpdateCryptoKey(ctx, &kmspb.UpdateCryptoKeyRequest{ + CryptoKey: entry.cryptoKey, + }) + if err != nil { + return nil, fmt.Errorf("failed to update CryptoKey with updated algorithm: %w", err) + } + } + cryptoKeyVersion, err := p.kmsClient.CreateCryptoKeyVersion(ctx, &kmspb.CreateCryptoKeyVersionRequest{ + Parent: entry.cryptoKey.Name, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + State: kmspb.CryptoKeyVersion_ENABLED, + }, + }) + if err != nil { + return nil, fmt.Errorf("failed to create CryptoKeyVersion: %w", err) + } + p.log.Debug("CryptoKeyVersion added", cryptoKeyNameTag, entry.cryptoKey.Name, cryptoKeyVersionNameTag, cryptoKeyVersion.Name) + + pubKey, err := getPublicKeyFromCryptoKeyVersion(ctx, p.kmsClient, cryptoKeyVersion.Name) + if err != nil { + return nil, fmt.Errorf("failed to get public key: %w", err) + } + + newKeyEntry := keyEntry{ + cryptoKey: entry.cryptoKey, + cryptoKeyVersionName: cryptoKeyVersion.Name, + publicKey: &keymanagerv1.PublicKey{ + Id: spireKeyID, + Type: keyType, + PkixData: pubKey, + Fingerprint: makeFingerprint(pubKey), + }, + } + + p.setKeyEntry(spireKeyID, newKeyEntry) + + if err := p.enqueueDestruction(entry.cryptoKeyVersionName); err != nil { + p.log.Error("Failed to enqueue CryptoKeyVersion for destruction", reasonTag, err) + } + + return newKeyEntry.publicKey, nil +} + +// 
disposeCryptoKeys looks for active CryptoKeys that haven't been updated +// during the maxStaleDuration time window. Those keys are then enqueued for +// destruction. +func (p *Plugin) disposeCryptoKeys(ctx context.Context) error { + p.log.Debug("Looking for CryptoKeys to dispose") + + config, err := p.getConfig() + if err != nil { + return err + } + + disposeCryptoKeysFilter, err := p.getDisposeCryptoKeysFilter() + if err != nil { + return err + } + itCryptoKeys := p.kmsClient.ListCryptoKeys(ctx, &kmspb.ListCryptoKeysRequest{ + Parent: config.KeyRing, + Filter: disposeCryptoKeysFilter, + }) + + for { + cryptoKey, err := itCryptoKeys.Next() + if errors.Is(err, iterator.Done) { + break + } + if err != nil { + p.log.Error("Failure listing CryptoKeys to dispose", reasonTag, err) + return err + } + + itCryptoKeyVersions := p.kmsClient.ListCryptoKeyVersions(ctx, &kmspb.ListCryptoKeyVersionsRequest{ + Parent: cryptoKey.Name, + Filter: "state = " + kmspb.CryptoKeyVersion_ENABLED.String(), + }) + + // If the CryptoKey doesn't have any enabled CryptoKeyVersion, mark it + // as inactive so it's not returned future calls. + cryptoKeyVersion, err := itCryptoKeyVersions.Next() + if errors.Is(err, iterator.Done) { + p.setInactive(ctx, cryptoKey) + continue + } + + for { + if err != nil { + p.log.Error("Failure listing CryptoKeyVersios", reasonTag, err) + return err + } + + if err := p.enqueueDestruction(cryptoKeyVersion.Name); err != nil { + p.log.With(cryptoKeyNameTag, cryptoKey.Name).Error("Failed to enqueue CryptoKeyVersion for destruction", reasonTag, err) + } + + cryptoKeyVersion, err = itCryptoKeyVersions.Next() + if errors.Is(err, iterator.Done) { + // No more enabled CryptoKeyVersions in this CryptoKey. + break + } + } + } + return nil +} + +// disposeCryptoKeysTask will be run every 24hs. +// It will schedule the destruction of CryptoKeyVersions that have a +// spire-last-update label value older than two weeks. 
+// It will only schedule the destruction of CryptoKeyVersions belonging to the +// current trust domain but not the current server. The spire-server-td and +// spire-server-id labels are used to identify the trust domain and server. +func (p *Plugin) disposeCryptoKeysTask(ctx context.Context) { + ticker := p.hooks.clk.Ticker(disposeCryptoKeysFrequency) + defer ticker.Stop() + + p.notifyDisposeCryptoKeys(nil) + + for { + select { + case <-ctx.Done(): + return + case <-ticker.C: + err := p.disposeCryptoKeys(ctx) + p.notifyDisposeCryptoKeys(err) + } + } +} + +// enqueueDestruction enqueues the specified CryptoKeyVersion for destruction. +func (p *Plugin) enqueueDestruction(cryptoKeyVersionName string) (err error) { + select { + case p.scheduleDestroy <- cryptoKeyVersionName: + p.log.Debug("CryptoKeyVersion enqueued for destruction", cryptoKeyVersionNameTag, cryptoKeyVersionName) + default: + err = fmt.Errorf("could not enqueue CryptoKeyVersion %q for destruction", cryptoKeyVersionName) + } + + p.notifyEnqueueDestruction(err) + return err +} + +// getAuthenticatedServiceAccount gets the email of the authenticated service +// account that is interacting with the Cloud KMS Service. +func (p *Plugin) getAuthenticatedServiceAccount() (email string, err error) { + tokenInfo, err := p.kmsClient.GetTokeninfo() + if err != nil { + return "", fmt.Errorf("could not get token information: %w", err) + } + + if tokenInfo.Email == "" { + return "", errors.New("could not get email of authenticated service account; email is empty") + } + return tokenInfo.Email, nil +} + +// getConfig gets the configuration of the plugin. +func (p *Plugin) getConfig() (*Config, error) { + p.configMtx.RLock() + defer p.configMtx.RUnlock() + + if p.config == nil { + return nil, status.Error(codes.FailedPrecondition, "not configured") + } + + return p.config, nil +} + +// getCryptoKeyLabels gets the labels that must be set to a new CryptoKey +// that is being created. 
+func (p *Plugin) getCryptoKeyLabels() (map[string]string, error) { + pd, err := p.getPluginData() + if err != nil { + return nil, err + } + return map[string]string{ + labelNameServerTD: pd.tdHash, + labelNameServerID: pd.serverID, + labelNameActive: "true", + }, nil +} + +// getDisposeCryptoKeysFilter gets the filter to be used to get the list of +// CryptoKeys that are stale but are still marked as active. +func (p *Plugin) getDisposeCryptoKeysFilter() (string, error) { + now := p.hooks.clk.Now() + pd, err := p.getPluginData() + if err != nil { + return "", err + } + return fmt.Sprintf("labels.%s = %s AND labels.%s != %s AND labels.%s = true AND labels.%s < %d", + labelNameServerTD, pd.tdHash, labelNameServerID, pd.serverID, labelNameActive, labelNameLastUpdate, now.Add(-maxStaleDuration).Unix()), nil +} + +// getKeyEntry gets the entry from the cache that matches the provided +// SPIRE Key ID +func (p *Plugin) getKeyEntry(keyID string) (ke keyEntry, ok bool) { + p.entriesMtx.RLock() + defer p.entriesMtx.RUnlock() + + ke, ok = p.entries[keyID] + return ke, ok +} + +// getPluginData gets the pluginData structure maintained by the plugin. +func (p *Plugin) getPluginData() (*pluginData, error) { + p.pdMtx.RLock() + defer p.pdMtx.RUnlock() + + if p.pd == nil { + return nil, status.Error(codes.FailedPrecondition, "plugin data not yet initialized") + } + return p.pd, nil +} + +// setIamPolicy sets the IAM policy specified in the KeyPolicyFile to the given +// resource. If there is no KeyPolicyFile specified, a default policy is constructed +// and set to the resource. +func (p *Plugin) setIamPolicy(ctx context.Context, cryptoKeyName string) (err error) { + log := p.log.With(cryptoKeyNameTag, cryptoKeyName) + + // Get the handle to be able to inspect and change the policy of the + // CryptoKey. + h := p.kmsClient.ResourceIAM(cryptoKeyName) + if h == nil { + return errors.New("could not get Cloud KMS Handle") + } + + // We use V3 for policies. 
+ h3 := h.V3()
+ if h3 == nil {
+ return errors.New("could not get Cloud KMS Handle3")
+ }
+
+ // Get the policy.
+ policy, err := h3.Policy(ctx)
+ if err != nil {
+ return fmt.Errorf("failed to retrieve IAM policy: %w", err)
+ }
+
+ // We expect the policy to be empty.
+ if len(policy.Bindings) > 0 {
+ // The policy is not empty, log the situation and do not replace it.
+ log.Warn("The CryptoKey already has a policy. No policy will be set.")
+ return nil
+ }
+ pd, err := p.getPluginData()
+ if err != nil {
+ return err
+ }
+
+ if pd.customPolicy != nil {
+ // There is a custom policy defined.
+ if err := h3.SetPolicy(ctx, pd.customPolicy); err != nil {
+ return fmt.Errorf("failed to set custom IAM policy: %w", err)
+ }
+ log.Debug("IAM policy updated to use custom policy")
+ return nil
+ }
+
+ // No custom policy defined. Build the default policy.
+ serviceAccount, err := p.getAuthenticatedServiceAccount()
+ if err != nil {
+ return status.Errorf(codes.Internal, "failed to get current identity: %v", err)
+ }
+ policy.Bindings = []*iampb.Binding{
+ {
+ Role: "roles/cloudkms.signerVerifier",
+ Members: []string{fmt.Sprintf("serviceAccount:%s", serviceAccount)},
+ },
+ }
+ if err := h3.SetPolicy(ctx, policy); err != nil {
+ return fmt.Errorf("failed to set default IAM policy: %w", err)
+ }
+ log.Debug("IAM policy updated to use default policy")
+ return nil
+}
+
+// setKeyEntry gets the entry from the cache that matches the provided
+// SPIRE Key ID
+func (p *Plugin) setKeyEntry(keyID string, ke keyEntry) {
+ p.entriesMtx.Lock()
+ defer p.entriesMtx.Unlock()
+
+ p.entries[keyID] = ke
+}
+
+// setPluginData sets the pluginData structure maintained by the plugin.
+func (p *Plugin) setPluginData(pd *pluginData) {
+ p.pdMtx.Lock()
+ defer p.pdMtx.Unlock()
+
+ p.pd = pd
+}
+
+// keepActiveCryptoKeys keeps CryptoKeys managed by this plugin active updating
+// the spire-last-update label with the current Unix time.
+func (p *Plugin) keepActiveCryptoKeys(ctx context.Context) error {
+ p.log.Debug("Keeping CryptoKeys managed by this server active")
+
+ p.entriesMtx.Lock()
+ defer p.entriesMtx.Unlock()
+ var errs []string
+ for _, entry := range p.entries {
+ entry.cryptoKey.Labels[labelNameLastUpdate] = fmt.Sprint(p.hooks.clk.Now().Unix())
+ _, err := p.kmsClient.UpdateCryptoKey(ctx, &kmspb.UpdateCryptoKeyRequest{
+ UpdateMask: &fieldmaskpb.FieldMask{
+ Paths: []string{"labels"},
+ },
+ CryptoKey: entry.cryptoKey,
+ })
+ if err != nil {
+ p.log.Error("Failed to update CryptoKey", cryptoKeyNameTag, entry.cryptoKey.Name, reasonTag, err)
+ errs = append(errs, err.Error())
+ }
+ }
+
+ if errs != nil {
+ return fmt.Errorf(strings.Join(errs, "; "))
+ }
+ return nil
+}
+
+// keepActiveCryptoKeysTask updates the CryptoKeys in the cache every 6 hours,
+// setting the spire-last-update label to the current (Unix) time.
+// This is done to be able to detect CryptoKeys that are inactive (not in use
+// by any server).
+func (p *Plugin) keepActiveCryptoKeysTask(ctx context.Context) {
+ ticker := p.hooks.clk.Ticker(keepActiveCryptoKeysFrequency)
+ defer ticker.Stop()
+
+ p.notifyKeepActiveCryptoKeys(nil)
+
+ for {
+ select {
+ case <-ctx.Done():
+ return
+ case <-ticker.C:
+ err := p.keepActiveCryptoKeys(ctx)
+ p.notifyKeepActiveCryptoKeys(err)
+ }
+ }
+}
+
+func (p *Plugin) notifyDestroy(err error) {
+ if p.hooks.scheduleDestroySignal != nil {
+ p.hooks.scheduleDestroySignal <- err
+ }
+}
+
+func (p *Plugin) notifyDisposeCryptoKeys(err error) {
+ if p.hooks.disposeCryptoKeysSignal != nil {
+ p.hooks.disposeCryptoKeysSignal <- err
+ }
+}
+
+func (p *Plugin) notifyEnqueueDestruction(err error) {
+ if p.hooks.enqueueDestructionSignal != nil {
+ p.hooks.enqueueDestructionSignal <- err
+ }
+}
+
+func (p *Plugin) notifySetInactive(err error) {
+ if p.hooks.setInactiveSignal != nil {
+ p.hooks.setInactiveSignal <- err
+ }
+}
+
+func (p *Plugin) notifyKeepActiveCryptoKeys(err error) {
+ if p.hooks.keepActiveCryptoKeysSignal != nil {
+ p.hooks.keepActiveCryptoKeysSignal <- err
+ }
+}
+
+// scheduleDestroyTask is a long running task that schedules the destruction
+// of inactive CryptoKeyVersions and sets the corresponding CryptoKey as inactive.
+func (p *Plugin) scheduleDestroyTask(ctx context.Context) {
+ backoffMin := 1 * time.Second
+ backoffMax := 60 * time.Second
+ backoff := backoffMin
+
+ for {
+ select {
+ case <-ctx.Done():
+ return
+ case cryptoKeyVersionName := <-p.scheduleDestroy:
+ log := p.log.With(cryptoKeyVersionNameTag, cryptoKeyVersionName)
+ destroyedCryptoKeyVersion, err := p.kmsClient.DestroyCryptoKeyVersion(ctx, &kmspb.DestroyCryptoKeyVersionRequest{
+ Name: cryptoKeyVersionName,
+ })
+ switch status.Code(err) {
+ case codes.NotFound:
+ // CryptoKeyVersion is not found, no CryptoKeyVersion to destroy
+ log.Warn("CryptoKeyVersion not found")
+ backoff = backoffMin
+ p.notifyDestroy(err)
+ continue
+ case codes.OK:
+ log.Debug("CryptoKeyVersion scheduled for destruction", scheduledDestroyTimeTag, destroyedCryptoKeyVersion.DestroyTime.AsTime())
+ backoff = backoffMin
+ p.notifyDestroy(nil)
+ continue
+ default:
+ log.Error("It was not possible to schedule CryptoKeyVersion for destruction", reasonTag, err)
+
+ // There was an error in the DestroyCryptoKeyVersion call.
+ // Try to get the CryptoKeyVersion to know the state of the
+ // CryptoKeyVersion and if we need to re-enqueue.
+ cryptoKeyVersion, err := p.kmsClient.GetCryptoKeyVersion(ctx, &kmspb.GetCryptoKeyVersionRequest{
+ Name: cryptoKeyVersionName,
+ })
+ switch status.Code(err) {
+ case codes.NotFound:
+ // Purely defensive. We don't really expect this situation,
+ // because this should have been captured during the
+ // DestroyCryptoKeyVersion call that was just performed.
+ log.Warn("CryptoKeyVersion not found")
+ backoff = backoffMin
+ p.notifyDestroy(err)
+ continue
+ case codes.OK:
+ if cryptoKeyVersion.State != kmspb.CryptoKeyVersion_ENABLED {
+ // Something external to the plugin modified the state
+ // of the CryptoKeyVersion. Do not try to schedule it for
+ // destruction.
+ log.Warn("CryptoKeyVersion is not enabled, will not be scheduled for destruction", cryptoKeyVersionStateTag, cryptoKeyVersion.State.String())
+ backoff = backoffMin
+ p.notifyDestroy(err)
+ continue
+ }
+ default:
+ // The GetCryptoKeyVersion call failed. Log this and re-enqueue
+ // the CryptoKey for destruction. Hopefully, this is a
+ // recoverable error.
+ log.Error("Could not get the CryptoKeyVersion while trying to schedule it for destruction", reasonTag, err)
+ }
+
+ select {
+ case p.scheduleDestroy <- cryptoKeyVersionName:
+ log.Debug("CryptoKeyVersion re-enqueued for destruction")
+ default:
+ log.Error("Failed to re-enqueue CryptoKeyVersion for destruction")
+ }
+ }
+ p.notifyDestroy(err)
+ backoff = min(backoff*2, backoffMax)
+ p.hooks.clk.Sleep(backoff)
+ }
+ }
+}
+
+// setInactive updates the spire-active label in the specified CryptoKey to
+// indicate that is inactive.
+func (p *Plugin) setInactive(ctx context.Context, cryptoKey *kmspb.CryptoKey) {
+ log := p.log.With(cryptoKeyNameTag, cryptoKey.Name)
+
+ cryptoKey.Labels[labelNameActive] = "false"
+ _, err := p.kmsClient.UpdateCryptoKey(ctx, &kmspb.UpdateCryptoKeyRequest{
+ UpdateMask: &fieldmaskpb.FieldMask{
+ Paths: []string{"labels"},
+ },
+ CryptoKey: cryptoKey,
+ })
+ if err != nil {
+ log.Error("Could not update CryptoKey as incactive", reasonTag, err)
+ }
+
+ log.Debug("CryptoKey updated as inactive", cryptoKeyNameTag, cryptoKey.Name)
+ p.notifySetInactive(err)
+}
+
+// setCache sets the cached entries with the provided entries.
+func (p *Plugin) setCache(keyEntries []*keyEntry) {
+ p.entriesMtx.Lock()
+ defer p.entriesMtx.Unlock()
+
+ p.entries = make(map[string]keyEntry)
+
+ for _, e := range keyEntries {
+ p.entries[e.publicKey.Id] = *e
+ p.log.Debug("Cloud KMS key loaded", cryptoKeyVersionNameTag, e.cryptoKeyVersionName, algorithmTag, e.cryptoKey.VersionTemplate.Algorithm)
+ }
+}
+
+// createServerID creates a randomly generated UUID to be used as a server ID
+// and stores it in the specified idPath.
+func createServerID(idPath string) (string, error) {
+ id, err := generateUniqueID()
+ if err != nil {
+ return "", status.Errorf(codes.Internal, "failed to generate ID for server: %v", err)
+ }
+
+ err = os.WriteFile(idPath, []byte(id), 0600)
+ if err != nil {
+ return "", status.Errorf(codes.Internal, "failed to persist server ID on path: %v", err)
+ }
+ return id, nil
+}
+
+// cryptoKeyVersionAlgorithmFromKeyType gets the corresponding algorithm of the
+// CryptoKeyVersion from the provided key type.
+// The returned CryptoKeyVersion_CryptoKeyVersionAlgorithm indicates the
+// parameters that must be used for signing.
+func cryptoKeyVersionAlgorithmFromKeyType(keyType keymanagerv1.KeyType) (kmspb.CryptoKeyVersion_CryptoKeyVersionAlgorithm, error) {
+ // CryptoKeyVersion_CryptoKeyVersionAlgorithm specifies the padding algorithm
+ // and the digest algorithm for RSA signatures. The key type in the Key
+ // Manager interface does not contain the information about these parameters
+ // for signing. Currently, there is no way in SPIRE to specify custom
+ // parameters when signing through the ca.ServerCA interface and
+ // x509.CreateCertificate defaults to RSASSA-PKCS-v1_5 as the padding
+ // algorithm and a SHA256 digest. Therefore, for RSA signing keys we
+ // choose the corresponding CryptoKeyVersion_CryptoKeyVersionAlgorithm using
+ // RSASSA-PKCS-v1_5 for padding and a SHA256 digest.
+ switch {
+ case keyType == keymanagerv1.KeyType_EC_P256:
+ return kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, nil
+ case keyType == keymanagerv1.KeyType_EC_P384:
+ return kmspb.CryptoKeyVersion_EC_SIGN_P384_SHA384, nil
+ case keyType == keymanagerv1.KeyType_RSA_2048:
+ return kmspb.CryptoKeyVersion_RSA_SIGN_PKCS1_2048_SHA256, nil
+ case keyType == keymanagerv1.KeyType_RSA_4096:
+ return kmspb.CryptoKeyVersion_RSA_SIGN_PKCS1_4096_SHA256, nil
+ default:
+ return kmspb.CryptoKeyVersion_CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED, fmt.Errorf("unsupported key type %q", keyType)
+ }
+}
+
+// generateCryptoKeyID returns a new identifier to be used as a CryptoKeyID.
+// The returned identifier has the form: spire-key--,
+// where UUID is a new randomly generated UUID and SPIRE-KEY-ID is provided
+// through the spireKeyID paramenter.
+func (p *Plugin) generateCryptoKeyID(spireKeyID string) (cryptoKeyID string, err error) {
+ pd, err := p.getPluginData()
+ if err != nil {
+ return "", err
+ }
+ return fmt.Sprintf("%s-%s-%s", cryptoKeyNamePrefix, pd.serverID, spireKeyID), nil
+}
+
+// crc32Checksum returns the CRC-32 checksum of data using the polynomial
+// represented by the table constructed from the specified data.
+// This is used to perform integrity verification of the result when that's
+// available in the Cloud Key Management Service API.
+// https://cloud.google.com/kms/docs/data-integrity-guidelines
+func crc32Checksum(data []byte) uint32 {
+ t := crc32.MakeTable(crc32.Castagnoli)
+ return crc32.Checksum(data, t)
+}
+
+// generateUniqueID returns a randomly generated UUID.
+func generateUniqueID() (id string, err error) {
+ u, err := uuid.NewV4()
+ if err != nil {
+ return "", status.Errorf(codes.Internal, "could not create a randomly generated UUID: %v", err)
+ }
+
+ return u.String(), nil
+}
+
+// getOrCreateServerID gets the server ID from the specified file path or creates
+// a new server ID if the file does not exist.
+func getOrCreateServerID(idPath string) (string, error) {
+ data, err := os.ReadFile(idPath)
+ switch {
+ case errors.Is(err, os.ErrNotExist):
+ return createServerID(idPath)
+ case err != nil:
+ return "", status.Errorf(codes.Internal, "failed to read server ID from path: %v", err)
+ }
+
+ serverID, err := uuid.FromString(string(data))
+ if err != nil {
+ return "", status.Errorf(codes.Internal, "failed to parse server ID from path: %v", err)
+ }
+ return serverID.String(), nil
+}
+
+// getPublicKeyFromCryptoKeyVersion requests Cloud KMS to get the public key
+// of the specified CryptoKeyVersion.
+func getPublicKeyFromCryptoKeyVersion(ctx context.Context, kmsClient cloudKeyManagementService, cryptoKeyVersionName string) (pubKey []byte, err error) {
+ kmsPublicKey, err := kmsClient.GetPublicKey(ctx, &kmspb.GetPublicKeyRequest{Name: cryptoKeyVersionName})
+ if err != nil {
+ return nil, err
+ }
+
+ // Perform integrity verification.
+ if int64(crc32Checksum([]byte(kmsPublicKey.Pem))) != kmsPublicKey.PemCrc32C.Value {
+ return nil, fmt.Errorf("response corrupted in-transit")
+ }
+
+ pemBlock, _ := pem.Decode([]byte(kmsPublicKey.Pem))
+ return pemBlock.Bytes, nil
+}
+
+func makeFingerprint(pkixData []byte) string {
+ s := sha256.Sum256(pkixData)
+ return hex.EncodeToString(s[:])
+}
+
+// min returns the minimum of the provided time durations.
+func min(x, y time.Duration) time.Duration {
+ if x < y {
+ return x
+ }
+ return y
+}
+
+// parseAndValidateConfig returns an error if any configuration provided does
+// not meet acceptable criteria
+func parseAndValidateConfig(c string) (*Config, error) {
+ config := new(Config)
+
+ if err := hcl.Decode(config, c); err != nil {
+ return nil, status.Errorf(codes.InvalidArgument, "unable to decode configuration: %v", err)
+ }
+
+ if config.KeyRing == "" {
+ return nil, status.Error(codes.InvalidArgument, "configuration is missing the key ring")
+ }
+
+ if config.KeyMetadataFile == "" {
+ return nil, status.Error(codes.InvalidArgument, "configuration is missing server ID file path")
+ }
+
+ return config, nil
+}
+
+// parsePolicyFile parses a file containing iam.Policy3 data in JSON format.
+func parsePolicyFile(policyFile string) (*iam.Policy3, error) {
+ policyBytes, err := os.ReadFile(policyFile)
+ if err != nil {
+ return nil, fmt.Errorf("failed to read file: %w", err)
+ }
+
+ policy := &iam.Policy3{}
+ if err := json.Unmarshal(policyBytes, policy); err != nil {
+ return nil, fmt.Errorf("failed to parse custom JSON policy: %w", err)
+ }
+
+ return policy, nil
+}
diff --git a/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go b/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go
new file mode 100644
index 0000000000..89fffea524
--- /dev/null
+++ b/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go
@@ -0,0 +1,1739 @@ +package gcpkms + +import ( + "context" + "crypto/sha256" + "crypto/sha512" + "crypto/x509" + "errors" + "fmt" + "os" + "path" + "path/filepath" + "testing" + "time" + + "cloud.google.com/go/kms/apiv1/kmspb" + "github.com/golang/protobuf/ptypes/timestamp" + "github.com/sirupsen/logrus" + "github.com/sirupsen/logrus/hooks/test" + "github.com/spiffe/go-spiffe/v2/spiffeid" + keymanagerv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/keymanager/v1" + configv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/service/common/config/v1" + "github.com/spiffe/spire/pkg/common/catalog" + "github.com/spiffe/spire/pkg/server/plugin/keymanager" + keymanagertest "github.com/spiffe/spire/pkg/server/plugin/keymanager/test" + "github.com/spiffe/spire/test/clock" + "github.com/spiffe/spire/test/plugintest" + "github.com/spiffe/spire/test/spiretest" + "github.com/stretchr/testify/require" + "google.golang.org/api/option" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" + "google.golang.org/protobuf/types/known/timestamppb" + "google.golang.org/protobuf/types/known/wrapperspb" +) + +const ( + customPolicy = ` +{ + "bindings": [ + { + "role": "projects/test-project/roles/role-name", + "members": [ + "serviceAccount:test-sa@example.com" + ] + } + ], + "version": 3 +} +` + pemCert = `-----BEGIN CERTIFICATE----- +MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBa +GA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHyv +sCk5yi+yhSzNu5aquQwvm8a1Wh+qw1fiHAkhDni+wq+g3TQWxYlV51TCPH030yXs +RxvujD4hUUaIQrXk4KKjODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkw +F4YVc3BpZmZlOi8vZG9tYWluMS50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIA2dO09X +makw2ekuHKWC4hBhCkpr5qY4bI8YUcXfxg/1AiEA67kMyH7bQnr7OVLUrL+b9ylA +dZglS5kKnYigmwDh+/U= +-----END CERTIFICATE----- +` + spireKeyID1 = "spireKeyID-1" + spireKeyID2 = "spireKeyID-2" + testTimeout = 60 * time.Second + validPolicyFile = "custom_policy_file.json" + validServerID = 
"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" + validServerIDFile = "test-server-id" + validKeyRing = "projects/project-name/locations/location-name/keyRings/key-ring-name" +) + +var ( + ctx = context.Background() + cryptoKeyName1 = path.Join(validKeyRing, "cryptoKeys", fmt.Sprintf("test-crypto-key/spire-key-%s-spireKeyID-1", validServerID)) + cryptoKeyName2 = path.Join(validKeyRing, "cryptoKeys", fmt.Sprintf("test-crypto-key/spire-key-%s-spireKeyID-2", validServerID)) + fakeTime = timestamppb.Now() + unixEpoch = time.Unix(0, 0) + + pubKey = &kmspb.PublicKey{ + Pem: pemCert, + PemCrc32C: &wrapperspb.Int64Value{Value: int64(crc32Checksum([]byte(pemCert)))}, + } +) + +type pluginTest struct { + plugin *Plugin + fakeKMSClient *fakeKMSClient + log logrus.FieldLogger + logHook *test.Hook + clockHook *clock.Mock +} + +func setupTest(t *testing.T) *pluginTest { + log, logHook := test.NewNullLogger() + log.Level = logrus.DebugLevel + + c := clock.NewMock(t) + c.Set(unixEpoch) + fakeKMSClient := newKMSClientFake(t, c) + p := newPlugin( + func(ctx context.Context, opts ...option.ClientOption) (cloudKeyManagementService, error) { + fakeKMSClient.opts = opts + return fakeKMSClient, nil + }, + ) + km := new(keymanager.V1) + plugintest.Load(t, builtin(p), km, plugintest.Log(log)) + + p.hooks.clk = c + + return &pluginTest{ + plugin: p, + fakeKMSClient: fakeKMSClient, + log: log, + logHook: logHook, + clockHook: c, + } +} + +func TestConfigure(t *testing.T) { + for _, tt := range []struct { + name string + expectMsg string + expectCode codes.Code + expectOpts []option.ClientOption + config *Config + configureRequest *configv1.ConfigureRequest + fakeCryptoKeys []*fakeCryptoKey + getCryptoKeyVersionErr error + listCryptoKeysErr error + describeKeyErr error + getPublicKeyErr error + }{ + { + name: "pass with keys", + config: &Config{ + KeyMetadataFile: createKeyMetadataFile(t, validServerID), + KeyRing: validKeyRing, + }, + fakeCryptoKeys: []*fakeCryptoKey{ + { + CryptoKey: 
&kmspb.CryptoKey{ + Name: cryptoKeyName1, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + State: kmspb.CryptoKeyVersion_ENABLED, + }, + }, + }, + }, + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName1, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "2": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/2", cryptoKeyName1), + State: kmspb.CryptoKeyVersion_ENABLED, + }, + }, + }, + }, + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName2, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName2), + State: kmspb.CryptoKeyVersion_ENABLED, + }, + }, + }, + }, + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName2, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "2": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: 
kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/2", cryptoKeyName2), + State: kmspb.CryptoKeyVersion_ENABLED, + }, + }, + }, + }, + }, + }, + { + name: "pass without keys", + config: &Config{ + KeyMetadataFile: createKeyMetadataFile(t, validServerID), + KeyRing: validKeyRing, + }, + }, + { + name: "pass without keys - using a service account file", + config: &Config{ + KeyMetadataFile: createKeyMetadataFile(t, validServerID), + KeyRing: validKeyRing, + ServiceAccountFile: "service-account-file", + }, + expectOpts: []option.ClientOption{option.WithCredentialsFile("service-account-file")}, + }, + { + name: "missing key ring", + config: &Config{ + KeyMetadataFile: createKeyMetadataFile(t, validServerID), + }, + expectMsg: "configuration is missing the key ring", + expectCode: codes.InvalidArgument, + }, + { + name: "missing key metadata file", + config: &Config{ + KeyRing: validKeyRing, + }, + expectMsg: "configuration is missing server ID file path", + expectCode: codes.InvalidArgument, + }, + { + name: "custom policy file does not exist", + config: &Config{ + KeyMetadataFile: createKeyMetadataFile(t, validServerID), + KeyPolicyFile: "non-existent-file.json", + KeyRing: validKeyRing, + }, + expectMsg: fmt.Sprintf("could not parse policy file: failed to read file: open non-existent-file.json: %s", spiretest.FileNotFound()), + expectCode: codes.Internal, + }, + { + name: "use custom policy file", + config: &Config{ + KeyMetadataFile: createKeyMetadataFile(t, validServerID), + KeyPolicyFile: getCustomPolicyFile(t), + KeyRing: validKeyRing, + }, + }, + { + name: "empty key metadata file", + config: &Config{ + KeyMetadataFile: createKeyMetadataFile(t, ""), + KeyRing: validKeyRing, + }, + }, + { + name: "invalid server ID in metadata file", + config: &Config{ + KeyMetadataFile: createKeyMetadataFile(t, "invalid-id"), + KeyRing: validKeyRing, + }, + expectMsg: "failed to parse server ID from path: uuid: incorrect UUID length 10 in 
string \"invalid-id\"", + expectCode: codes.Internal, + }, + { + name: "invalid metadata file path", + config: &Config{ + KeyMetadataFile: "/", + KeyRing: validKeyRing, + }, + expectMsg: "failed to read server ID from path: read /:", + expectCode: codes.Internal, + }, + { + name: "decode error", + configureRequest: configureRequestWithString("{ malformed json }"), + expectMsg: "unable to decode configuration: 1:11: illegal char", + expectCode: codes.InvalidArgument, + }, + { + name: "ListCryptoKeys error", + config: &Config{ + KeyMetadataFile: createKeyMetadataFile(t, validServerID), + KeyRing: validKeyRing, + }, + expectMsg: "failed to list SPIRE Server keys in Cloud KMS: error listing CryptoKeys", + expectCode: codes.Internal, + listCryptoKeysErr: errors.New("error listing CryptoKeys"), + }, + { + name: "unsupported CryptoKeyVersionAlgorithm", + expectMsg: "failed to fetch entries: unsupported CryptoKeyVersionAlgorithm: GOOGLE_SYMMETRIC_ENCRYPTION", + expectCode: codes.Internal, + config: &Config{ + KeyMetadataFile: createKeyMetadataFile(t, validServerID), + KeyRing: validKeyRing, + }, + fakeCryptoKeys: []*fakeCryptoKey{ + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName1, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_GOOGLE_SYMMETRIC_ENCRYPTION}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: &kmspb.PublicKey{}, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_GOOGLE_SYMMETRIC_ENCRYPTION, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + State: kmspb.CryptoKeyVersion_ENABLED, + }, + }, + }, + }, + }, + }, + { + name: "get public key error", + expectMsg: "failed to fetch entries: error getting public key: get public key error", + expectCode: codes.Internal, + config: &Config{ + KeyMetadataFile: createKeyMetadataFile(t, validServerID), + KeyRing: validKeyRing, + }, + fakeCryptoKeys: 
[]*fakeCryptoKey{ + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName1, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + State: kmspb.CryptoKeyVersion_ENABLED, + }, + }, + }, + }, + }, + getPublicKeyErr: errors.New("get public key error"), + }, + } { + tt := tt + t.Run(tt.name, func(t *testing.T) { + ts := setupTest(t) + ts.fakeKMSClient.putFakeCryptoKeys(tt.fakeCryptoKeys) + ts.fakeKMSClient.setListCryptoKeysErr(tt.listCryptoKeysErr) + ts.fakeKMSClient.setGetCryptoKeyVersionErr(tt.getCryptoKeyVersionErr) + ts.fakeKMSClient.setGetPublicKeyErr(tt.getPublicKeyErr) + + var configureRequest *configv1.ConfigureRequest + if tt.config != nil { + require.Nil(t, tt.configureRequest, "The test case must define a configuration or a configuration request, not both.") + configureRequest = configureRequestFromConfig(tt.config) + } else { + require.Nil(t, tt.config, "The test case must define a configuration or a configuration request, not both.") + configureRequest = tt.configureRequest + } + _, err := ts.plugin.Configure(ctx, configureRequest) + + spiretest.RequireGRPCStatusContains(t, err, tt.expectCode, tt.expectMsg) + if tt.expectCode != codes.OK { + return + } + require.NoError(t, err) + + // Assert the config settings + require.Equal(t, tt.config, ts.plugin.config) + + // Assert that the keys have been loaded + storedFakeCryptoKeys := ts.fakeKMSClient.store.fetchFakeCryptoKeys() + for _, expectedFakeCryptoKey := range storedFakeCryptoKeys { + spireKeyID, ok := getSPIREKeyIDFromCryptoKeyName(expectedFakeCryptoKey.Name) + require.True(t, ok) + + entry, ok := ts.plugin.entries[spireKeyID] + 
require.True(t, ok) + require.Equal(t, expectedFakeCryptoKey.CryptoKey, entry.cryptoKey) + } + + require.Equal(t, tt.expectOpts, ts.plugin.kmsClient.(*fakeKMSClient).opts) + }) + } +} + +func TestDisposeStaleCryptoKeys(t *testing.T) { + configureRequest := configureRequestWithDefaults(t) + fakeCryptoKeys := []*fakeCryptoKey{ + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName1, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + State: kmspb.CryptoKeyVersion_ENABLED, + }}, + }, + }, + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName2, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName2), + State: kmspb.CryptoKeyVersion_ENABLED, + }}, + }, + }, + } + + ts := setupTest(t) + ts.fakeKMSClient.putFakeCryptoKeys(fakeCryptoKeys) + + ts.plugin.hooks.disposeCryptoKeysSignal = make(chan error) + ts.plugin.hooks.scheduleDestroySignal = make(chan error) + ts.plugin.hooks.setInactiveSignal = make(chan error) + + _, err := ts.plugin.Configure(ctx, configureRequest) + require.NoError(t, err) + + // Move the clock to start disposeCryptoKeysTask. + ts.clockHook.Add(disposeCryptoKeysFrequency) + + // Wait for dispose disposeCryptoKeysTask to be initialized. 
+ _ = waitForSignal(t, ts.plugin.hooks.disposeCryptoKeysSignal)
+
+ // Move the clock to make sure that we have stale CryptoKeys.
+ ts.clockHook.Add(maxStaleDuration)
+
+ // Wait for destroy notification of all the CryptoKeyVersions.
+ storedFakeCryptoKeys := ts.fakeKMSClient.store.fetchFakeCryptoKeys()
+ for _, fck := range storedFakeCryptoKeys {
+ storedFakeCryptoKeyVersions := fck.fetchFakeCryptoKeyVersions()
+ for range storedFakeCryptoKeyVersions {
+ _ = waitForSignal(t, ts.plugin.hooks.scheduleDestroySignal)
+ }
+ }
+
+ for _, fck := range storedFakeCryptoKeys {
+ // The CryptoKeys should be active until the next run of disposeCryptoKeys.
+ require.Equal(t, "true", fck.getLabelValue(labelNameActive))
+
+ storedFakeCryptoKeyVersions := fck.fetchFakeCryptoKeyVersions()
+ for _, fckv := range storedFakeCryptoKeyVersions {
+ // The status should be changed to CryptoKeyVersion_DESTROY_SCHEDULED.
+ require.Equal(t, kmspb.CryptoKeyVersion_DESTROY_SCHEDULED, fckv.State, fmt.Sprintf("state mismatch in CryptokeyVersion %q", fckv.Name))
+ }
+ }
+
+ // Move the clock to start disposeCryptoKeysTask again.
+ ts.clockHook.Add(disposeCryptoKeysFrequency)
+
+ // Wait for dispose disposeCryptoKeysTask to be initialized.
+ _ = waitForSignal(t, ts.plugin.hooks.disposeCryptoKeysSignal)
+
+ for _, fck := range fakeCryptoKeys {
+ // Since the CryptoKey doesn't have any enabled CryptoKeyVersions at
+ // this point, it should be set as inactive.
+ // Wait for the set inactive signal.
+ _ = waitForSignal(t, ts.plugin.hooks.setInactiveSignal)
+
+ // The CryptoKey should be inactive now.
+ fck, ok := ts.fakeKMSClient.store.fetchFakeCryptoKey(fck.Name) + require.True(t, ok) + require.Equal(t, "false", fck.getLabelValue(labelNameActive)) + } +} + +func TestDisposeActiveCryptoKeys(t *testing.T) { + configureRequest := configureRequestWithDefaults(t) + fakeCryptoKeys := []*fakeCryptoKey{ + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName1, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + State: kmspb.CryptoKeyVersion_ENABLED, + }}, + }, + }, + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName2, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName2), + State: kmspb.CryptoKeyVersion_ENABLED, + }}, + }, + }, + } + + ts := setupTest(t) + ts.fakeKMSClient.putFakeCryptoKeys(fakeCryptoKeys) + + ts.plugin.hooks.disposeCryptoKeysSignal = make(chan error) + scheduleDestroySignal := make(chan error) + ts.plugin.hooks.scheduleDestroySignal = scheduleDestroySignal + + _, err := ts.plugin.Configure(ctx, configureRequest) + require.NoError(t, err) + + // Move the clock to start disposeCryptoKeysTask. + ts.clockHook.Add(disposeCryptoKeysFrequency) + + // Wait for dispose disposeCryptoKeysTask to be initialized. + _ = waitForSignal(t, ts.plugin.hooks.disposeCryptoKeysSignal) + + // The CryptoKeys are not stale yet. 
Assert that they are active and the + // CryptoKeyVersions enabled. + for _, fck := range fakeCryptoKeys { + require.Equal(t, "true", fck.getLabelValue(labelNameActive)) + storedFakeCryptoKeyVersions := fck.fetchFakeCryptoKeyVersions() + for _, fckv := range storedFakeCryptoKeyVersions { + require.Equal(t, kmspb.CryptoKeyVersion_ENABLED, fckv.State, fckv.Name) + } + } +} + +func TestEnqueueDestructionFailure(t *testing.T) { + configureRequest := configureRequestWithDefaults(t) + fakeCryptoKeys := []*fakeCryptoKey{ + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName1, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + State: kmspb.CryptoKeyVersion_ENABLED, + }}, + }, + }, + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName2, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName2), + State: kmspb.CryptoKeyVersion_ENABLED, + }}, + }, + }, + } + + ts := setupTest(t) + // Change the scheduleDestroy channel to be unbuffered. 
+ ts.plugin.scheduleDestroy = make(chan string) + + ts.fakeKMSClient.putFakeCryptoKeys(fakeCryptoKeys) + + ts.plugin.hooks.disposeCryptoKeysSignal = make(chan error, 1) + ts.plugin.hooks.enqueueDestructionSignal = make(chan error, 1) + + _, err := ts.plugin.Configure(ctx, configureRequest) + require.NoError(t, err) + + // Move the clock to start disposeCryptoKeysTask. + ts.clockHook.Add(disposeCryptoKeysFrequency) + + // Wait for dispose disposeCryptoKeysTask to be initialized. + _ = waitForSignal(t, ts.plugin.hooks.disposeCryptoKeysSignal) + + // Move the clock to make sure that we have stale CryptoKeys. + ts.clockHook.Add(maxStaleDuration) + + // Enqueuing the first CryptoKeyVersion for destruction should succeed. + err = waitForSignal(t, ts.plugin.hooks.enqueueDestructionSignal) + require.NoError(t, err) + + // Enqueuing the second CryptoKeyVersion for destruction should fail. + err = waitForSignal(t, ts.plugin.hooks.enqueueDestructionSignal) + require.ErrorContains(t, err, "could not enqueue CryptoKeyVersion") +} + +func TestGenerateKey(t *testing.T) { + for _, tt := range []struct { + configureReq *configv1.ConfigureRequest + expectCode codes.Code + expectMsg string + destroyTime *timestamp.Timestamp + fakeCryptoKeys []*fakeCryptoKey + generateKeyReq *keymanagerv1.GenerateKeyRequest + logs []spiretest.LogEntry + name string + testDisabled bool + waitForDelete bool + + createKeyErr error + destroyCryptoKeyVersionErr error + getCryptoKeyVersionErr error + getPublicKeyErr error + getTokenInfoErr error + updateCryptoKeyErr error + }{ + { + name: "success: non existing key", + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_EC_P256, + }, + }, + { + name: "success: non existing key with special characters", + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: "bundle-acme-foo.bar+rsa", + KeyType: keymanagerv1.KeyType_EC_P256, + }, + }, + { + name: "success: non existing key with default policy", + 
generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_EC_P256, + }, + configureReq: configureRequestWithVars(createKeyMetadataFile(t, ""), "", validKeyRing, "service_account_file"), + }, + { + name: "success: non existing key with custom policy", + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_EC_P256, + }, + configureReq: configureRequestWithVars(createKeyMetadataFile(t, ""), getCustomPolicyFile(t), validKeyRing, "service_account_file"), + }, + { + name: "success: replace old key", + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_EC_P256, + }, + fakeCryptoKeys: []*fakeCryptoKey{ + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName1, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + State: kmspb.CryptoKeyVersion_ENABLED, + }}, + }, + }, + }, + waitForDelete: true, + destroyTime: fakeTime, + logs: []spiretest.LogEntry{ + { + Level: logrus.DebugLevel, + Message: "CryptoKeyVersion scheduled for destruction", + Data: logrus.Fields{ + cryptoKeyVersionNameTag: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + scheduledDestroyTimeTag: fakeTime.AsTime().String(), + }, + }, + }, + }, + { + name: "success: EC 384", + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_EC_P384, + }, + }, + { + name: "success: RSA 2048", + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_RSA_2048, + }, + }, + { + name: "success: RSA 4096", + 
generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_RSA_4096, + }, + }, + { + name: "missing key id", + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: "", + KeyType: keymanagerv1.KeyType_EC_P256, + }, + expectMsg: "key id is required", + expectCode: codes.InvalidArgument, + }, + { + name: "missing key type", + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_UNSPECIFIED_KEY_TYPE, + }, + expectMsg: "key type is required", + expectCode: codes.InvalidArgument, + }, + { + name: "unsupported key type", + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: 100, + }, + expectMsg: "failed to generate key: unsupported key type \"100\"", + expectCode: codes.Internal, + }, + { + name: "create CryptoKey error", + expectMsg: "failed to create CryptoKey: error creating CryptoKey", + expectCode: codes.Internal, + createKeyErr: errors.New("error creating CryptoKey"), + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_EC_P256, + }, + }, + { + name: "get public key error", + expectMsg: "failed to get public key: public key error", + expectCode: codes.Internal, + getPublicKeyErr: errors.New("public key error"), + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_EC_P256, + }, + }, + { + name: "cryptoKeyVersion not found when scheduling for destruction", + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_EC_P256, + }, + destroyCryptoKeyVersionErr: status.Error(codes.NotFound, ""), + fakeCryptoKeys: []*fakeCryptoKey{ + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName1, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: 
map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + State: kmspb.CryptoKeyVersion_ENABLED, + }, + }, + }, + }, + }, + waitForDelete: true, + destroyTime: fakeTime, + logs: []spiretest.LogEntry{ + { + Level: logrus.WarnLevel, + Message: "CryptoKeyVersion not found", + Data: logrus.Fields{ + cryptoKeyVersionNameTag: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + }, + }, + }, + }, + { + name: "schedule destroy error", + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_EC_P256, + }, + destroyCryptoKeyVersionErr: errors.New("error scheduling CryptoKeyVersion for destruction"), + fakeCryptoKeys: []*fakeCryptoKey{ + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName1, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + State: kmspb.CryptoKeyVersion_ENABLED, + }, + }, + }, + }, + }, + waitForDelete: true, + destroyTime: fakeTime, + logs: []spiretest.LogEntry{ + { + Level: logrus.ErrorLevel, + Message: "It was not possible to schedule CryptoKeyVersion for destruction", + Data: logrus.Fields{ + cryptoKeyVersionNameTag: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + reasonTag: "error scheduling CryptoKeyVersion for destruction", + }, + }, + }, + }, + { + name: "cryptoKeyVersion to destroy not enabled", + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_EC_P256, + }, + destroyCryptoKeyVersionErr: 
errors.New("error scheduling CryptoKeyVersion for destruction"), + fakeCryptoKeys: []*fakeCryptoKey{ + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName1, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + State: kmspb.CryptoKeyVersion_ENABLED, + }, + }, + }, + }, + }, + testDisabled: true, + waitForDelete: true, + destroyTime: fakeTime, + logs: []spiretest.LogEntry{ + { + Level: logrus.WarnLevel, + Message: "CryptoKeyVersion is not enabled, will not be scheduled for destruction", + Data: logrus.Fields{ + cryptoKeyVersionNameTag: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + cryptoKeyVersionStateTag: kmspb.CryptoKeyVersion_DISABLED.String(), + }, + }, + }, + }, + { + name: "error getting CryptoKeyVersion", + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_EC_P256, + }, + destroyCryptoKeyVersionErr: errors.New("error scheduling CryptoKeyVersion for destruction"), + getCryptoKeyVersionErr: errors.New("error getting CryptoKeyVersion"), + fakeCryptoKeys: []*fakeCryptoKey{ + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName1, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + State: kmspb.CryptoKeyVersion_ENABLED, + }, + }, + }, + }, + }, + waitForDelete: true, + 
destroyTime: fakeTime, + logs: []spiretest.LogEntry{ + { + Level: logrus.ErrorLevel, + Message: "Could not get the CryptoKeyVersion while trying to schedule it for destruction", + Data: logrus.Fields{ + cryptoKeyVersionNameTag: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + reasonTag: "error getting CryptoKeyVersion", + }, + }, + }, + }, + { + name: "error getting token info", + expectCode: codes.Internal, + expectMsg: "could not get token information: error getting token info", + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_EC_P384, + }, + getTokenInfoErr: errors.New("error getting token info"), + }, + } { + tt := tt + t.Run(tt.name, func(t *testing.T) { + ts := setupTest(t) + ts.fakeKMSClient.setDestroyTime(fakeTime) + ts.fakeKMSClient.putFakeCryptoKeys(tt.fakeCryptoKeys) + ts.fakeKMSClient.setCreateCryptoKeyErr(tt.createKeyErr) + ts.fakeKMSClient.setGetCryptoKeyVersionErr(tt.getCryptoKeyVersionErr) + ts.fakeKMSClient.setGetTokeninfoErr(tt.getTokenInfoErr) + ts.fakeKMSClient.setUpdateCryptoKeyErr(tt.updateCryptoKeyErr) + ts.fakeKMSClient.setDestroyCryptoKeyVersionErr(tt.destroyCryptoKeyVersionErr) + ts.plugin.hooks.scheduleDestroySignal = make(chan error) + + configureReq := tt.configureReq + if configureReq == nil { + configureReq = configureRequestWithDefaults(t) + } + + coreConfig := catalog.CoreConfig{ + TrustDomain: spiffeid.RequireTrustDomainFromString("test.example.org"), + } + km := new(keymanager.V1) + var err error + + plugintest.Load(t, builtin(ts.plugin), km, + plugintest.CaptureConfigureError(&err), + plugintest.CoreConfig(coreConfig), + plugintest.Configure(configureReq.HclConfiguration), + plugintest.Log(ts.log), + ) + require.NoError(t, err) + + ts.fakeKMSClient.setGetPublicKeyErr(tt.getPublicKeyErr) + + resp, err := ts.plugin.GenerateKey(ctx, tt.generateKeyReq) + if tt.expectMsg != "" { + spiretest.RequireGRPCStatusContains(t, err, tt.expectCode, tt.expectMsg) + return + } + + 
require.NoError(t, err) + require.NotNil(t, resp) + + _, err = ts.plugin.GetPublicKey(ctx, &keymanagerv1.GetPublicKeyRequest{ + KeyId: tt.generateKeyReq.KeyId, + }) + require.NoError(t, err) + + if tt.testDisabled { + // An external system changes the state of the CryptoKeyVersion to be disabled. + fckv := &fakeCryptoKeyVersion{ + CryptoKeyVersion: tt.fakeCryptoKeys[0].fakeCryptoKeyVersions["1"].CryptoKeyVersion, + privateKey: tt.fakeCryptoKeys[0].fakeCryptoKeyVersions["1"].privateKey, + publicKey: tt.fakeCryptoKeys[0].fakeCryptoKeyVersions["1"].publicKey, + } + fckv.State = kmspb.CryptoKeyVersion_DISABLED + + fck, ok := ts.fakeKMSClient.store.fetchFakeCryptoKey(tt.fakeCryptoKeys[0].Name) + require.True(t, ok) + fck.putFakeCryptoKeyVersion(fckv) + } + if !tt.waitForDelete { + spiretest.AssertLogsContainEntries(t, ts.logHook.AllEntries(), tt.logs) + return + } + + select { + case <-ts.plugin.hooks.scheduleDestroySignal: + // The logs emitted by the deletion goroutine and those that + // enqueue deletion can be intermixed, so we cannot depend + // on the exact order of the logs, so we just assert that + // the expected log lines are present somewhere. 
+ spiretest.AssertLogsContainEntries(t, ts.logHook.AllEntries(), tt.logs) + case <-time.After(testTimeout): + t.Fail() + } + }) + } +} + +func TestKeepActiveCryptoKeys(t *testing.T) { + for _, tt := range []struct { + configureRequest *configv1.ConfigureRequest + expectError string + fakeCryptoKeys []*fakeCryptoKey + name string + updateCryptoKeyErr error + }{ + { + name: "keep active CryptoKeys error", + configureRequest: configureRequestWithDefaults(t), + expectError: "error updating CryptoKey", + updateCryptoKeyErr: errors.New("error updating CryptoKey"), + fakeCryptoKeys: []*fakeCryptoKey{ + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName1, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + State: kmspb.CryptoKeyVersion_ENABLED, + }}, + }, + }, + }, + }, + { + name: "keep active CryptoKeys succeeds", + configureRequest: configureRequestWithDefaults(t), + fakeCryptoKeys: []*fakeCryptoKey{ + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName1, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + State: kmspb.CryptoKeyVersion_ENABLED, + }}, + }, + }, + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName2, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: 
kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName2), + State: kmspb.CryptoKeyVersion_ENABLED, + }}, + }, + }, + }, + }, + } { + tt := tt + t.Run(tt.name, func(t *testing.T) { + ts := setupTest(t) + ts.fakeKMSClient.putFakeCryptoKeys(tt.fakeCryptoKeys) + ts.fakeKMSClient.setUpdateCryptoKeyErr(tt.updateCryptoKeyErr) + ts.plugin.hooks.keepActiveCryptoKeysSignal = make(chan error) + + _, err := ts.plugin.Configure(ctx, tt.configureRequest) + require.NoError(t, err) + + // Wait for keepActiveCryptoKeys task to be initialized. + _ = waitForSignal(t, ts.plugin.hooks.keepActiveCryptoKeysSignal) + + // Move the clock forward so the task is run. + currentTime := unixEpoch.Add(6 * time.Hour) + ts.clockHook.Set(currentTime) + + // Wait for keepActiveCryptoKeys to be run. 
+ err = waitForSignal(t, ts.plugin.hooks.keepActiveCryptoKeysSignal) + + if tt.updateCryptoKeyErr != nil { + require.NotNil(t, err) + require.EqualError(t, err, err.Error()) + return + } + require.NoError(t, err) + + storedFakeCryptoKeys := ts.fakeKMSClient.store.fetchFakeCryptoKeys() + for _, fck := range storedFakeCryptoKeys { + require.EqualValues(t, fck.getLabelValue(labelNameLastUpdate), fmt.Sprint(currentTime.Unix()), fck.CryptoKey.Name) + } + }) + } +} + +func TestGetPublicKeys(t *testing.T) { + for _, tt := range []struct { + name string + err string + fakeCryptoKeys []*fakeCryptoKey + }{ + { + name: "one key", + fakeCryptoKeys: []*fakeCryptoKey{ + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName1, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + State: kmspb.CryptoKeyVersion_ENABLED, + }}, + }, + }, + }, + }, + { + name: "multiple keys", + fakeCryptoKeys: []*fakeCryptoKey{ + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName1, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + State: kmspb.CryptoKeyVersion_ENABLED, + }}, + }, + }, + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName2, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: 
kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName2), + State: kmspb.CryptoKeyVersion_ENABLED, + }}, + }, + }, + }, + }, + { + name: "non existing keys", + }, + } { + tt := tt + t.Run(tt.name, func(t *testing.T) { + ts := setupTest(t) + ts.fakeKMSClient.putFakeCryptoKeys(tt.fakeCryptoKeys) + _, err := ts.plugin.Configure(ctx, configureRequestWithDefaults(t)) + require.NoError(t, err) + + resp, err := ts.plugin.GetPublicKeys(ctx, &keymanagerv1.GetPublicKeysRequest{}) + + if tt.err != "" { + require.Error(t, err) + require.EqualError(t, err, tt.err) + return + } + + require.NotNil(t, resp) + require.NoError(t, err) + storedFakeCryptoKeys := ts.fakeKMSClient.store.fetchFakeCryptoKeys() + for _, fck := range storedFakeCryptoKeys { + storedFakeCryptoKeyVersions := fck.fetchFakeCryptoKeyVersions() + for _, fckv := range storedFakeCryptoKeyVersions { + pubKey, err := getPublicKeyFromCryptoKeyVersion(ctx, ts.fakeKMSClient, fckv.CryptoKeyVersion.Name) + require.NoError(t, err) + require.Equal(t, pubKey, resp.PublicKeys[0].PkixData) + } + } + }) + } +} + +func TestGetPublicKey(t *testing.T) { + for _, tt := range []struct { + name string + expectCodeConfigure codes.Code + expectMsgConfigure string + expectCodeGetPublicKey codes.Code + expectMsgGetPublicKey string + fakeCryptoKeys []*fakeCryptoKey + keyID string + pemCrc32C *wrapperspb.Int64Value + }{ + { + name: "existing key", + fakeCryptoKeys: []*fakeCryptoKey{ + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName1, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + 
CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + State: kmspb.CryptoKeyVersion_ENABLED, + }}, + }, + }, + }, + keyID: spireKeyID1, + }, + { + name: "integrity verification error", + expectCodeConfigure: codes.Internal, + expectMsgConfigure: "failed to fetch entries: error getting public key: response corrupted in-transit", + fakeCryptoKeys: []*fakeCryptoKey{ + { + CryptoKey: &kmspb.CryptoKey{ + Name: cryptoKeyName1, + Labels: map[string]string{labelNameActive: "true"}, + VersionTemplate: &kmspb.CryptoKeyVersionTemplate{Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256}, + }, + fakeCryptoKeyVersions: map[string]*fakeCryptoKeyVersion{ + "1": { + publicKey: pubKey, + CryptoKeyVersion: &kmspb.CryptoKeyVersion{ + Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, + Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), + State: kmspb.CryptoKeyVersion_ENABLED, + }}, + }, + }, + }, + keyID: spireKeyID1, + pemCrc32C: &wrapperspb.Int64Value{Value: 1}, + }, + { + name: "non existing key", + expectMsgGetPublicKey: fmt.Sprintf("key %q not found", spireKeyID1), + expectCodeGetPublicKey: codes.NotFound, + keyID: spireKeyID1, + }, + { + name: "missing key id", + expectMsgGetPublicKey: "key id is required", + expectCodeGetPublicKey: codes.InvalidArgument, + }, + } { + tt := tt + t.Run(tt.name, func(t *testing.T) { + ts := setupTest(t) + ts.fakeKMSClient.setPEMCrc32C(tt.pemCrc32C) + ts.fakeKMSClient.putFakeCryptoKeys(tt.fakeCryptoKeys) + + _, err := ts.plugin.Configure(ctx, configureRequestWithDefaults(t)) + if tt.expectMsgConfigure != "" { + spiretest.RequireGRPCStatusContains(t, err, tt.expectCodeConfigure, tt.expectMsgConfigure) + return + } + + require.NoError(t, err) + resp, err := ts.plugin.GetPublicKey(ctx, &keymanagerv1.GetPublicKeyRequest{ + KeyId: tt.keyID, + }) + if tt.expectMsgGetPublicKey != "" { + spiretest.RequireGRPCStatusContains(t, err, 
tt.expectCodeGetPublicKey, tt.expectMsgGetPublicKey) + return + } + require.NotNil(t, resp) + require.NoError(t, err) + require.Equal(t, tt.keyID, resp.PublicKey.Id) + require.Equal(t, ts.plugin.entries[tt.keyID].publicKey, resp.PublicKey) + }) + } +} + +func TestKeyManagerContract(t *testing.T) { + create := func(t *testing.T) keymanager.KeyManager { + dir := t.TempDir() + c := clock.NewMock(t) + fakeKMSClient := newKMSClientFake(t, c) + p := newPlugin( + func(ctx context.Context, opts ...option.ClientOption) (cloudKeyManagementService, error) { + return fakeKMSClient, nil + }, + ) + km := new(keymanager.V1) + keyMetadataFile := filepath.ToSlash(filepath.Join(dir, "metadata.json")) + plugintest.Load(t, builtin(p), km, plugintest.Configuref(` + key_metadata_file = %q + key_ring = "projects/project-id/locations/location/keyRings/keyring" + `, keyMetadataFile)) + return km + } + + unsupportedSignatureAlgorithms := map[keymanager.KeyType][]x509.SignatureAlgorithm{ + keymanager.ECP256: {x509.ECDSAWithSHA384, x509.ECDSAWithSHA512}, + keymanager.ECP384: {x509.ECDSAWithSHA256, x509.ECDSAWithSHA512}, + keymanager.RSA2048: {x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS, x509.SHA384WithRSA, x509.SHA512WithRSA}, + keymanager.RSA4096: {x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS, x509.SHA384WithRSA, x509.SHA512WithRSA}, + } + keymanagertest.Test(t, keymanagertest.Config{ + Create: create, + UnsupportedSignatureAlgorithms: unsupportedSignatureAlgorithms, + }) +} + +func TestSetIAMPolicy(t *testing.T) { + for _, tt := range []struct { + name string + policyErr error + setPolicyErr error + expectError string + useCustomPolicy bool + }{ + { + name: "set default policy", + }, + { + name: "set default policy - error", + expectError: "failed to set default IAM policy: error setting default policy", + setPolicyErr: errors.New("error setting default policy"), + }, + { + name: "set custom policy", + useCustomPolicy: true, + }, + { + name: 
"set custom policy - error", + expectError: "failed to set custom IAM policy: error setting custom policy", + setPolicyErr: errors.New("error setting custom policy"), + useCustomPolicy: true, + }, + { + name: "get policy error", + expectError: "failed to retrieve IAM policy: error getting policy", + policyErr: errors.New("error getting policy"), + useCustomPolicy: true, + }, + } { + tt := tt + t.Run(tt.name, func(t *testing.T) { + ts := setupTest(t) + ts.fakeKMSClient.fakeIAMHandle.setPolicyError(tt.policyErr) + ts.fakeKMSClient.fakeIAMHandle.setSetPolicyErr(tt.setPolicyErr) + + var configureReq *configv1.ConfigureRequest + if tt.useCustomPolicy { + customPolicyFile := getCustomPolicyFile(t) + configureReq = configureRequestFromConfig(&Config{ + KeyMetadataFile: createKeyMetadataFile(t, validServerID), + KeyPolicyFile: customPolicyFile, + KeyRing: validKeyRing, + ServiceAccountFile: "service_account_file", + }) + expectedPolicy, err := parsePolicyFile(customPolicyFile) + require.NoError(t, err) + ts.fakeKMSClient.fakeIAMHandle.setExpectedPolicy(expectedPolicy) + } else { + ts.fakeKMSClient.fakeIAMHandle.setExpectedPolicy(ts.fakeKMSClient.getDefaultPolicy()) + configureReq = configureRequestWithDefaults(t) + } + _, err := ts.plugin.Configure(ctx, configureReq) + require.NoError(t, err) + + err = ts.plugin.setIamPolicy(ctx, cryptoKeyName1) + if tt.expectError != "" { + require.EqualError(t, err, tt.expectError) + return + } + require.NoError(t, err) + }) + } +} + +func TestSignData(t *testing.T) { + sum256 := sha256.Sum256(nil) + sum384 := sha512.Sum384(nil) + + for _, tt := range []struct { + name string + asymmetricSignErr error + expectMsg string + expectCode codes.Code + generateKeyReq *keymanagerv1.GenerateKeyRequest + signDataReq *keymanagerv1.SignDataRequest + signatureCrc32C *wrapperspb.Int64Value + }{ + { + name: "pass EC SHA256", + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_EC_P256, + }, + 
signDataReq: &keymanagerv1.SignDataRequest{ + KeyId: spireKeyID1, + Data: sum256[:], + SignerOpts: &keymanagerv1.SignDataRequest_HashAlgorithm{ + HashAlgorithm: keymanagerv1.HashAlgorithm_SHA256, + }, + }, + }, + { + name: "pass EC SHA384", + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_EC_P384, + }, + signDataReq: &keymanagerv1.SignDataRequest{ + KeyId: spireKeyID1, + Data: sum384[:], + SignerOpts: &keymanagerv1.SignDataRequest_HashAlgorithm{ + HashAlgorithm: keymanagerv1.HashAlgorithm_SHA384, + }, + }, + }, + { + name: "pass RSA 2048 SHA 256", + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_RSA_2048, + }, + signDataReq: &keymanagerv1.SignDataRequest{ + KeyId: spireKeyID1, + Data: sum256[:], + SignerOpts: &keymanagerv1.SignDataRequest_HashAlgorithm{ + HashAlgorithm: keymanagerv1.HashAlgorithm_SHA256, + }, + }, + }, + { + name: "pass RSA 4096 SHA 256", + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_RSA_4096, + }, + signDataReq: &keymanagerv1.SignDataRequest{ + KeyId: spireKeyID1, + Data: sum256[:], + SignerOpts: &keymanagerv1.SignDataRequest_HashAlgorithm{ + HashAlgorithm: keymanagerv1.HashAlgorithm_SHA256, + }, + }, + }, + { + name: "pass RSA 2048 SHA 256", + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_RSA_2048, + }, + signDataReq: &keymanagerv1.SignDataRequest{ + KeyId: spireKeyID1, + Data: sum256[:], + SignerOpts: &keymanagerv1.SignDataRequest_HashAlgorithm{ + HashAlgorithm: keymanagerv1.HashAlgorithm_SHA256, + }, + }, + }, + { + name: "missing key id", + expectCode: codes.InvalidArgument, + expectMsg: "key id is required", + signDataReq: &keymanagerv1.SignDataRequest{ + KeyId: "", + Data: sum256[:], + SignerOpts: &keymanagerv1.SignDataRequest_HashAlgorithm{ + HashAlgorithm: keymanagerv1.HashAlgorithm_SHA256, + }, + }, + }, + { + 
name: "missing key signer opts",
+ expectCode: codes.InvalidArgument,
+ expectMsg: "signer opts is required",
+ signDataReq: &keymanagerv1.SignDataRequest{
+ KeyId: spireKeyID1,
+ Data: sum256[:],
+ },
+ },
+ {
+ name: "missing hash algorithm",
+ expectCode: codes.InvalidArgument,
+ expectMsg: "hash algorithm is required",
+ generateKeyReq: &keymanagerv1.GenerateKeyRequest{
+ KeyId: spireKeyID1,
+ KeyType: keymanagerv1.KeyType_EC_P256,
+ },
+ signDataReq: &keymanagerv1.SignDataRequest{
+ KeyId: spireKeyID1,
+ Data: sum256[:],
+ SignerOpts: &keymanagerv1.SignDataRequest_HashAlgorithm{
+ HashAlgorithm: keymanagerv1.HashAlgorithm_UNSPECIFIED_HASH_ALGORITHM,
+ },
+ },
+ },
+ {
+ name: "usupported hash algorithm",
+ expectCode: codes.InvalidArgument,
+ expectMsg: "hash algorithm not supported",
+ generateKeyReq: &keymanagerv1.GenerateKeyRequest{
+ KeyId: spireKeyID1,
+ KeyType: keymanagerv1.KeyType_EC_P256,
+ },
+ signDataReq: &keymanagerv1.SignDataRequest{
+ KeyId: spireKeyID1,
+ Data: sum256[:],
+ SignerOpts: &keymanagerv1.SignDataRequest_HashAlgorithm{
+ HashAlgorithm: 100,
+ },
+ },
+ },
+ {
+ name: "non existing key",
+ expectCode: codes.NotFound,
+ expectMsg: "key \"does_not_exists\" not found",
+ signDataReq: &keymanagerv1.SignDataRequest{
+ KeyId: "does_not_exists",
+ Data: sum256[:],
+ SignerOpts: &keymanagerv1.SignDataRequest_HashAlgorithm{
+ HashAlgorithm: keymanagerv1.HashAlgorithm_SHA256,
+ },
+ },
+ },
+ {
+ name: "pss not supported",
+ expectCode: codes.InvalidArgument,
+ expectMsg: "the only RSA signature scheme supported is RSASSA-PKCS1-v1_5",
+ generateKeyReq: &keymanagerv1.GenerateKeyRequest{
+ KeyId: spireKeyID1,
+ KeyType: keymanagerv1.KeyType_RSA_2048,
+ },
+ signDataReq: &keymanagerv1.SignDataRequest{
+ KeyId: spireKeyID1,
+ Data: sum256[:],
+ SignerOpts: &keymanagerv1.SignDataRequest_PssOptions{
+ PssOptions: &keymanagerv1.SignDataRequest_PSSOptions{
+ HashAlgorithm: keymanagerv1.HashAlgorithm_SHA256,
+ SaltLength: 256,
+ },
+ },
+ },
+ },
+ {
+ name: "sign error",
+ asymmetricSignErr: errors.New("error signing"),
+ expectCode: codes.Internal,
+ expectMsg: "failed to sign: error signing",
+ generateKeyReq: &keymanagerv1.GenerateKeyRequest{
+ KeyId: spireKeyID1,
+ KeyType: keymanagerv1.KeyType_EC_P256,
+ },
+ signDataReq: &keymanagerv1.SignDataRequest{
+ KeyId: spireKeyID1,
+ Data: sum256[:],
+ SignerOpts: &keymanagerv1.SignDataRequest_HashAlgorithm{
+ HashAlgorithm: keymanagerv1.HashAlgorithm_SHA256,
+ },
+ },
+ },
+ {
+ name: "integrity verification error",
+ expectCode: codes.Internal,
+ expectMsg: "error signing: response corrupted in-transit",
+ generateKeyReq: &keymanagerv1.GenerateKeyRequest{
+ KeyId: spireKeyID1,
+ KeyType: keymanagerv1.KeyType_EC_P256,
+ },
+ signDataReq: &keymanagerv1.SignDataRequest{
+ KeyId: spireKeyID1,
+ Data: sum256[:],
+ SignerOpts: &keymanagerv1.SignDataRequest_HashAlgorithm{
+ HashAlgorithm: keymanagerv1.HashAlgorithm_SHA256,
+ },
+ },
+ signatureCrc32C: &wrapperspb.Int64Value{Value: 1},
+ },
+ } {
+ tt := tt
+ t.Run(tt.name, func(t *testing.T) {
+ ts := setupTest(t)
+ ts.fakeKMSClient.setAsymmetricSignErr(tt.asymmetricSignErr)
+ ts.fakeKMSClient.setSignatureCrc32C(tt.signatureCrc32C)
+ _, err := ts.plugin.Configure(ctx, configureRequestWithDefaults(t))
+ require.NoError(t, err)
+ if tt.generateKeyReq != nil {
+ _, err := ts.plugin.GenerateKey(ctx, tt.generateKeyReq)
+ require.NoError(t, err)
+ }
+
+ resp, err := ts.plugin.SignData(ctx, tt.signDataReq)
+ spiretest.RequireGRPCStatusContains(t, err, tt.expectCode, tt.expectMsg)
+ if tt.expectCode != codes.OK {
+ return
+ }
+ require.NotNil(t, resp)
+ })
+ }
+}
+
+func configureRequestFromConfig(c *Config) *configv1.ConfigureRequest {
+ return &configv1.ConfigureRequest{
+ HclConfiguration: fmt.Sprintf(`{
+ "key_metadata_file":"%s",
+ "key_policy_file":"%s",
+ "key_ring":"%s",
+ "service_account_file":"%s"
+ }`,
+ c.KeyMetadataFile,
+ c.KeyPolicyFile,
+ c.KeyRing,
+ c.ServiceAccountFile),
+ CoreConfiguration: &configv1.CoreConfiguration{TrustDomain: "test.example.org"},
+ }
+}
+
+func configureRequestWithDefaults(t *testing.T) *configv1.ConfigureRequest {
+ return &configv1.ConfigureRequest{
+ HclConfiguration: serializedConfiguration(createKeyMetadataFile(t, validServerID), validKeyRing),
+ CoreConfiguration: &configv1.CoreConfiguration{TrustDomain: "test.example.org"},
+ }
+}
+
+func configureRequestWithString(config string) *configv1.ConfigureRequest {
+ return &configv1.ConfigureRequest{
+ HclConfiguration: config,
+ }
+}
+
+func configureRequestWithVars(keyMetadataFile, keyPolicyFile, keyRing, serviceAccountFile string) *configv1.ConfigureRequest {
+ return &configv1.ConfigureRequest{
+ HclConfiguration: fmt.Sprintf(`{
+ "key_metadata_file":"%s",
+ "key_policy_file":"%s",
+ "key_ring":"%s"
+ "service_account_file":"%s"
+ }`,
+ keyMetadataFile,
+ keyPolicyFile,
+ keyRing,
+ serviceAccountFile),
+ CoreConfiguration: &configv1.CoreConfiguration{TrustDomain: "test.example.org"},
+ }
+}
+
+func createKeyMetadataFile(t *testing.T, content string) string {
+ tempDir := t.TempDir()
+ tempFilePath := filepath.ToSlash(filepath.Join(tempDir, validServerIDFile))
+
+ if content != "" {
+ err := os.WriteFile(tempFilePath, []byte(content), 0600)
+ if err != nil {
+ t.Error(err)
+ }
+ }
+ return tempFilePath
+}
+
+func getCustomPolicyFile(t *testing.T) string {
+ tempDir := t.TempDir()
+ tempFilePath := filepath.ToSlash(filepath.Join(tempDir, validPolicyFile))
+ err := os.WriteFile(tempFilePath, []byte(customPolicy), 0600)
+ if err != nil {
+ t.Error(err)
+ }
+ return tempFilePath
+}
+
+func serializedConfiguration(keyMetadataFile, keyRing string) string {
+ return fmt.Sprintf(`{
+ "key_metadata_file":"%s",
+ "key_ring":"%s"
+ }`,
+ keyMetadataFile,
+ keyRing)
+}
+
+func waitForSignal(t *testing.T, ch chan error) error {
+ select {
+ case err := <-ch:
+ return err
+ case <-time.After(testTimeout):
+ t.Fail()
+ }
+ return nil
+}
From a1fccd1eceb26e89679985215ddcc5245949e65d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 11 Nov 2022 12:40:25 -0300 Subject: [PATCH 065/257] Bump github.com/prometheus/client_golang from 1.13.1 to 1.14.0 (#3585) Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.13.1 to 1.14.0. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.13.1...v1.14.0) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 7 ++++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index 733bdb96c1..9dbcb3fdae 100644 --- a/go.mod +++ b/go.mod @@ -53,7 +53,7 @@ require ( github.com/mattn/go-sqlite3 v1.14.16 github.com/mitchellh/cli v1.1.4 github.com/open-policy-agent/opa v0.46.1 - github.com/prometheus/client_golang v1.13.1 + github.com/prometheus/client_golang v1.14.0 github.com/shirou/gopsutil/v3 v3.22.10 github.com/sirupsen/logrus v1.9.0 github.com/spiffe/go-spiffe/v2 v2.0.1-0.20220414143532-2ed460a8b9d3 @@ -182,7 +182,7 @@ require ( github.com/pmezard/go-difflib v1.0.0 // indirect github.com/posener/complete v1.2.3 // indirect github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect - github.com/prometheus/client_model v0.2.0 // indirect + github.com/prometheus/client_model v0.3.0 // indirect github.com/prometheus/common v0.37.0 // indirect github.com/prometheus/procfs v0.8.0 // indirect github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect 
diff --git a/go.sum b/go.sum index e6c087ce91..7051278796 100644 --- a/go.sum +++ b/go.sum @@ -951,13 +951,14 @@ github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3O github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= -github.com/prometheus/client_golang v1.13.1 h1:3gMjIY2+/hzmqhtUC/aQNYldJA6DtH3CgQvwS+02K1c= -github.com/prometheus/client_golang v1.13.1/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ= +github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw= +github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M= github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4= +github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w= github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= From f884f59d164ee93f5b54d66d7a18e4d471ac7e1c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Fri, 11 Nov 2022 14:09:36 -0300 Subject: [PATCH 066/257] Fix race in TestDisposeStaleCryptoKeys (#3605) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- pkg/server/plugin/keymanager/gcpkms/client_fake.go | 7 +++++++ pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go | 8 +++++--- 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/pkg/server/plugin/keymanager/gcpkms/client_fake.go b/pkg/server/plugin/keymanager/gcpkms/client_fake.go
index b08ddc32ff..a10fe611fe 100644
--- a/pkg/server/plugin/keymanager/gcpkms/client_fake.go
+++ b/pkg/server/plugin/keymanager/gcpkms/client_fake.go
@@ -110,6 +110,13 @@ func (fck *fakeCryptoKey) getLabelValue(key string) string {
 return fck.Labels[key]
 }
+func (fck *fakeCryptoKey) getName() string {
+ fck.mu.RLock()
+ defer fck.mu.RUnlock()
+
+ return fck.Name
+}
+
 func (fck *fakeCryptoKey) putFakeCryptoKeyVersion(fckv *fakeCryptoKeyVersion) {
 fck.mu.Lock()
 defer fck.mu.Unlock()
diff --git a/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go b/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go
index 89fffea524..99c1d2b0e7 100644
--- a/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go
+++ b/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go
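Review bot: `getName` in client_fake.go carries no comment saying why a plain field read has to take the lock, so a later test can go back to reading `fck.Name` directly and reintroduce the race this commit removes. I would add `// getName returns the CryptoKey name while holding the read lock; tests should call it instead of reading fck.Name directly.` above the method. That `Name` is accessed concurrently elsewhere is inferred from the commit title, since no writer is visible in this hunk.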
@@ -480,14 +480,14 @@ func TestDisposeStaleCryptoKeys(t *testing.T) {
 // Wait for dispose disposeCryptoKeysTask to be initialized.
 _ = waitForSignal(t, ts.plugin.hooks.disposeCryptoKeysSignal)
- for _, fck := range fakeCryptoKeys {
+ for _, fck := range storedFakeCryptoKeys {
 // Since the CryptoKey doesn't have any enabled CryptoKeyVersions at
 // this point, it should be set as inactive.
 // Wait for the set inactive signal.
 _ = waitForSignal(t, ts.plugin.hooks.setInactiveSignal)
 // The CryptoKey should be inactive now.
- fck, ok := ts.fakeKMSClient.store.fetchFakeCryptoKey(fck.Name)
+ fck, ok := ts.fakeKMSClient.store.fetchFakeCryptoKey(fck.getName())
 require.True(t, ok)
 require.Equal(t, "false", fck.getLabelValue(labelNameActive))
 }
@@ -548,7 +548,9 @@ func TestDisposeActiveCryptoKeys(t *testing.T) {
 // The CryptoKeys are not stale yet. Assert that they are active and the
 // CryptoKeyVersions enabled.
- for _, fck := range fakeCryptoKeys {
+
+ storedFakeCryptoKeys := ts.fakeKMSClient.store.fetchFakeCryptoKeys()
+ for _, fck := range storedFakeCryptoKeys {
 require.Equal(t, "true", fck.getLabelValue(labelNameActive))
 storedFakeCryptoKeyVersions := fck.fetchFakeCryptoKeyVersions()
 for _, fckv := range storedFakeCryptoKeyVersions {
From 7bfcd4745991a9e982df64366c26d91be139e8eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Fri, 11 Nov 2022 16:44:02 -0300 Subject: [PATCH 067/257] Use `default_x509_svid_ttl` instead of the deprecated `default_svid_ttl` config (#3606) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Use default_x509_svid_ttl instead of the deprecated default_svid_ttl config
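Review bot: In the TestDisposeStaleCryptoKeys hunk of gcpkms_test.go the loop still discards the result of `waitForSignal`, so an error delivered on `setInactiveSignal` is dropped; on timeout the helper only calls `t.Fail()` and returns nil, and the test carries on to `fetchFakeCryptoKey`. If the signal is expected to carry nil at this point, `require.NoError(t, waitForSignal(t, ts.plugin.hooks.setInactiveSignal))` would report a failed set-inactive step where it happens. The inner `fck, ok :=` also shadows the loop variable, and a distinct name such as `stored` would make it clear which value `getName()` is read from. The test function, including the definition of `storedFakeCryptoKeys`, starts and ends outside the hunk.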
Signed-off-by: Agustín Martínez Fayó --- cmd/spire-server/cli/run/run.go | 13 +++++++------ release/posix/spire/conf/server/server.conf | 2 +- release/windows/spire/conf/server/server.conf | 2 +- .../mode-crd/config/spire-server-registrar.yaml | 2 +- .../conf/server/server.conf | 2 +- .../suites/admin-endpoints/conf/server/server.conf | 2 +- .../suites/debug-endpoints/conf/server/server.conf | 2 +- .../delegatedidentity/conf/server/server.conf | 2 +- .../downstream-endpoints/conf/server/server.conf | 2 +- .../suites/envoy-sds-v2/conf/server/server.conf | 2 +- .../conf/downstream-federated/server/server.conf | 2 +- .../conf/upstream/server/server.conf | 2 +- .../suites/envoy-sds-v3/conf/server/server.conf | 2 +- .../suites/evict-agent/conf/server/server.conf | 2 +- .../suites/fetch-x509-svids/conf/server/server.conf | 2 +- .../conf/downstream/server/server.conf | 2 +- .../conf/upstream/server/server.conf | 2 +- .../k8s-crd-mode/conf/server/spire-server.yaml | 2 +- .../k8s-reconcile/conf/server/spire-server.yaml | 2 +- .../intermediateA/server/server.conf | 2 +- .../intermediateB/server/server.conf | 2 +- .../suites/nested-rotation/leafA/server/server.conf | 2 +- .../suites/nested-rotation/leafB/server/server.conf | 2 +- .../suites/nested-rotation/root/server/server.conf | 2 +- .../suites/node-attestation/conf/server/server.conf | 2 +- .../suites/rotation/conf/server/server.conf | 2 +- .../suites/spire-server-cli/conf/server/server.conf | 2 +- .../suites/upgrade/conf/server/server.conf | 2 +- .../conf/server/spire-server.yaml | 2 +- 29 files changed, 35 insertions(+), 34 deletions(-) diff --git a/cmd/spire-server/cli/run/run.go b/cmd/spire-server/cli/run/run.go index 49ac95ac40..a0253ab0ec 100644 --- a/cmd/spire-server/cli/run/run.go +++ b/cmd/spire-server/cli/run/run.go 
@@ -74,7 +74,6 @@ type serverConfig struct {
 CASubject *caSubjectConfig `hcl:"ca_subject"`
 CATTL string `hcl:"ca_ttl"`
 DataDir string `hcl:"data_dir"`
- DefaultSVIDTTL string `hcl:"default_svid_ttl"`
 DefaultX509SVIDTTL string `hcl:"default_x509_svid_ttl"`
 DefaultJWTSVIDTTL string `hcl:"default_jwt_svid_ttl"`
 Experimental experimentalConfig `hcl:"experimental"`
@@ -84,11 +83,9 @@ type serverConfig struct {
 LogFile string `hcl:"log_file"`
 LogLevel string `hcl:"log_level"`
 LogFormat string `hcl:"log_format"`
- // Deprecated: remove in SPIRE 1.6.0
- OmitX509SVIDUID *bool `hcl:"omit_x509svid_uid"`
- RateLimit rateLimitConfig `hcl:"ratelimit"`
- SocketPath string `hcl:"socket_path"`
- TrustDomain string `hcl:"trust_domain"`
+ RateLimit rateLimitConfig `hcl:"ratelimit"`
+ SocketPath string `hcl:"socket_path"`
+ TrustDomain string `hcl:"trust_domain"`
 ConfigPath string
 ExpandEnv bool
@@ -99,6 +96,10 @@ type serverConfig struct {
 ProfilingFreq int `hcl:"profiling_freq"`
 ProfilingNames []string `hcl:"profiling_names"`
+ // Deprecated: remove in SPIRE 1.6.0
+ DefaultSVIDTTL string `hcl:"default_svid_ttl"`
+ OmitX509SVIDUID *bool `hcl:"omit_x509svid_uid"`
+
 UnusedKeys []string `hcl:",unusedKeys"`
 }
diff --git a/release/posix/spire/conf/server/server.conf b/release/posix/spire/conf/server/server.conf
index 65eb750e17..5f651732d0 100644
--- a/release/posix/spire/conf/server/server.conf
+++ b/release/posix/spire/conf/server/server.conf
@@ -5,7 +5,7 @@ server {
 data_dir = "./data/server"
 log_level = "DEBUG"
 ca_ttl = "168h"
- default_svid_ttl = "48h"
+ default_x509_svid_ttl = "48h"
 }
 plugins {
diff --git a/release/windows/spire/conf/server/server.conf b/release/windows/spire/conf/server/server.conf
index 1e0222de7b..d52efcec34 100644
--- a/release/windows/spire/conf/server/server.conf
+++ b/release/windows/spire/conf/server/server.conf
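Review bot: In the last run.go hunk, the relocated `// Deprecated: remove in SPIRE 1.6.0` comment sits directly above `DefaultSVIDTTL`, so as a Go doc comment it attaches to that field only. `OmitX509SVIDUID` on the next line then reads as a regular field, and tooling that keys on the `Deprecated:` paragraph would not flag it. Each field should carry its own marker, and the first can name its replacement: `// Deprecated: use DefaultX509SVIDTTL instead; remove in SPIRE 1.6.0.` above `DefaultSVIDTTL` and `// Deprecated: remove in SPIRE 1.6.0.` above `OmitX509SVIDUID`. The `serverConfig` struct begins outside the hunk.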
@@ -5,7 +5,7 @@ server { data_dir = "./data/server" log_level = "DEBUG" ca_ttl = "168h" - default_svid_ttl = "48h" + default_x509_svid_ttl = "48h" } plugins { diff --git a/support/k8s/k8s-workload-registrar/mode-crd/config/spire-server-registrar.yaml b/support/k8s/k8s-workload-registrar/mode-crd/config/spire-server-registrar.yaml index f7f38ff063..5e452e46ca 100644 --- a/support/k8s/k8s-workload-registrar/mode-crd/config/spire-server-registrar.yaml +++ b/support/k8s/k8s-workload-registrar/mode-crd/config/spire-server-registrar.yaml @@ -71,7 +71,7 @@ data: trust_domain = "example.org" data_dir = "/run/spire/data" log_level = "DEBUG" - default_svid_ttl = "1h" + default_x509_svid_ttl = "1h" ca_subject = { country = ["US"], organization = ["SPIFFE"], diff --git a/test/integration/suites-windows/windows-workload-attestor/conf/server/server.conf b/test/integration/suites-windows/windows-workload-attestor/conf/server/server.conf index 8d65f456c9..eca7670707 100644 --- a/test/integration/suites-windows/windows-workload-attestor/conf/server/server.conf +++ b/test/integration/suites-windows/windows-workload-attestor/conf/server/server.conf @@ -5,7 +5,7 @@ server { data_dir = "c:/spire/data/server" log_level = "DEBUG" ca_ttl = "1h" - default_svid_ttl = "10m" + default_x509_svid_ttl = "10m" } plugins { diff --git a/test/integration/suites/admin-endpoints/conf/server/server.conf b/test/integration/suites/admin-endpoints/conf/server/server.conf index a8f18c0680..b6b82f9371 100644 --- a/test/integration/suites/admin-endpoints/conf/server/server.conf +++ b/test/integration/suites/admin-endpoints/conf/server/server.conf @@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "1h" - default_svid_ttl = "10m" + default_x509_svid_ttl = "10m" } plugins { diff --git a/test/integration/suites/debug-endpoints/conf/server/server.conf b/test/integration/suites/debug-endpoints/conf/server/server.conf index a8f18c0680..b6b82f9371 100644 
--- a/test/integration/suites/debug-endpoints/conf/server/server.conf +++ b/test/integration/suites/debug-endpoints/conf/server/server.conf @@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "1h" - default_svid_ttl = "10m" + default_x509_svid_ttl = "10m" } plugins { diff --git a/test/integration/suites/delegatedidentity/conf/server/server.conf b/test/integration/suites/delegatedidentity/conf/server/server.conf index a8f18c0680..b6b82f9371 100644 --- a/test/integration/suites/delegatedidentity/conf/server/server.conf +++ b/test/integration/suites/delegatedidentity/conf/server/server.conf @@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "1h" - default_svid_ttl = "10m" + default_x509_svid_ttl = "10m" } plugins { diff --git a/test/integration/suites/downstream-endpoints/conf/server/server.conf b/test/integration/suites/downstream-endpoints/conf/server/server.conf index a8f18c0680..b6b82f9371 100644 --- a/test/integration/suites/downstream-endpoints/conf/server/server.conf +++ b/test/integration/suites/downstream-endpoints/conf/server/server.conf @@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "1h" - default_svid_ttl = "10m" + default_x509_svid_ttl = "10m" } plugins { diff --git a/test/integration/suites/envoy-sds-v2/conf/server/server.conf b/test/integration/suites/envoy-sds-v2/conf/server/server.conf index 4f3734bdcb..071642c35b 100644 --- a/test/integration/suites/envoy-sds-v2/conf/server/server.conf +++ b/test/integration/suites/envoy-sds-v2/conf/server/server.conf @@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "1h" - default_svid_ttl = "1m" + default_x509_svid_ttl = "1m" } plugins { 
diff --git a/test/integration/suites/envoy-sds-v3-spiffe-auth/conf/downstream-federated/server/server.conf b/test/integration/suites/envoy-sds-v3-spiffe-auth/conf/downstream-federated/server/server.conf index 56723f47df..a457dae5f6 100644 --- a/test/integration/suites/envoy-sds-v3-spiffe-auth/conf/downstream-federated/server/server.conf +++ b/test/integration/suites/envoy-sds-v3-spiffe-auth/conf/downstream-federated/server/server.conf @@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "1h" - default_svid_ttl = "5m" + default_x509_svid_ttl = "5m" federation { bundle_endpoint { diff --git a/test/integration/suites/envoy-sds-v3-spiffe-auth/conf/upstream/server/server.conf b/test/integration/suites/envoy-sds-v3-spiffe-auth/conf/upstream/server/server.conf index 4053328a15..205a5c8c61 100644 --- a/test/integration/suites/envoy-sds-v3-spiffe-auth/conf/upstream/server/server.conf +++ b/test/integration/suites/envoy-sds-v3-spiffe-auth/conf/upstream/server/server.conf @@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "1h" - default_svid_ttl = "5m" + default_x509_svid_ttl = "5m" federation { bundle_endpoint { diff --git a/test/integration/suites/envoy-sds-v3/conf/server/server.conf b/test/integration/suites/envoy-sds-v3/conf/server/server.conf index 4f3734bdcb..071642c35b 100644 --- a/test/integration/suites/envoy-sds-v3/conf/server/server.conf +++ b/test/integration/suites/envoy-sds-v3/conf/server/server.conf @@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "1h" - default_svid_ttl = "1m" + default_x509_svid_ttl = "1m" } plugins { diff --git a/test/integration/suites/evict-agent/conf/server/server.conf b/test/integration/suites/evict-agent/conf/server/server.conf index 308378faf5..cc267504e2 100644 --- a/test/integration/suites/evict-agent/conf/server/server.conf +++ b/test/integration/suites/evict-agent/conf/server/server.conf 
@@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "20m" - default_svid_ttl = "10m" + default_x509_svid_ttl = "10m" } plugins { diff --git a/test/integration/suites/fetch-x509-svids/conf/server/server.conf b/test/integration/suites/fetch-x509-svids/conf/server/server.conf index a8f18c0680..b6b82f9371 100644 --- a/test/integration/suites/fetch-x509-svids/conf/server/server.conf +++ b/test/integration/suites/fetch-x509-svids/conf/server/server.conf @@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "1h" - default_svid_ttl = "10m" + default_x509_svid_ttl = "10m" } plugins { diff --git a/test/integration/suites/ghostunnel-federation/conf/downstream/server/server.conf b/test/integration/suites/ghostunnel-federation/conf/downstream/server/server.conf index fe74c3e751..f9876be8cb 100644 --- a/test/integration/suites/ghostunnel-federation/conf/downstream/server/server.conf +++ b/test/integration/suites/ghostunnel-federation/conf/downstream/server/server.conf @@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "1h" - default_svid_ttl = "5m" + default_x509_svid_ttl = "5m" federation { bundle_endpoint { diff --git a/test/integration/suites/ghostunnel-federation/conf/upstream/server/server.conf b/test/integration/suites/ghostunnel-federation/conf/upstream/server/server.conf index 7ab66f8ab8..27483708c1 100644 --- a/test/integration/suites/ghostunnel-federation/conf/upstream/server/server.conf +++ b/test/integration/suites/ghostunnel-federation/conf/upstream/server/server.conf @@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "1h" - default_svid_ttl = "5m" + default_x509_svid_ttl = "5m" federation { bundle_endpoint { diff --git a/test/integration/suites/k8s-crd-mode/conf/server/spire-server.yaml b/test/integration/suites/k8s-crd-mode/conf/server/spire-server.yaml index bc2c3c11f3..3ce724d952 100644 
--- a/test/integration/suites/k8s-crd-mode/conf/server/spire-server.yaml +++ b/test/integration/suites/k8s-crd-mode/conf/server/spire-server.yaml @@ -64,7 +64,7 @@ data: trust_domain = "example.org" data_dir = "/run/spire/data" log_level = "DEBUG" - default_svid_ttl = "1h" + default_x509_svid_ttl = "1h" ca_subject = { country = ["US"], organization = ["SPIFFE"], diff --git a/test/integration/suites/k8s-reconcile/conf/server/spire-server.yaml b/test/integration/suites/k8s-reconcile/conf/server/spire-server.yaml index 5184a43ecc..7b119c016c 100644 --- a/test/integration/suites/k8s-reconcile/conf/server/spire-server.yaml +++ b/test/integration/suites/k8s-reconcile/conf/server/spire-server.yaml @@ -114,7 +114,7 @@ data: trust_domain = "example.org" data_dir = "/run/spire/data" log_level = "DEBUG" - default_svid_ttl = "1h" + default_x509_svid_ttl = "1h" ca_ttl = "12h" ca_subject { country = ["US"] diff --git a/test/integration/suites/nested-rotation/intermediateA/server/server.conf b/test/integration/suites/nested-rotation/intermediateA/server/server.conf index a8941d9a5d..f3524694a1 100644 --- a/test/integration/suites/nested-rotation/intermediateA/server/server.conf +++ b/test/integration/suites/nested-rotation/intermediateA/server/server.conf @@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "1h" - default_svid_ttl = "15s" + default_svid_ttl = "15s" # TODO: Update to use default_x509_svid_ttl in 1.6.0. Keep in previous releases for testing. } plugins { diff --git a/test/integration/suites/nested-rotation/intermediateB/server/server.conf b/test/integration/suites/nested-rotation/intermediateB/server/server.conf index a8941d9a5d..f3524694a1 100644 --- a/test/integration/suites/nested-rotation/intermediateB/server/server.conf +++ b/test/integration/suites/nested-rotation/intermediateB/server/server.conf 
@@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "1h" - default_svid_ttl = "15s" + default_svid_ttl = "15s" # TODO: Update to use default_x509_svid_ttl in 1.6.0. Keep in previous releases for testing. } plugins { diff --git a/test/integration/suites/nested-rotation/leafA/server/server.conf b/test/integration/suites/nested-rotation/leafA/server/server.conf index e00d61dfc3..cabaa83057 100644 --- a/test/integration/suites/nested-rotation/leafA/server/server.conf +++ b/test/integration/suites/nested-rotation/leafA/server/server.conf @@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "90s" - default_svid_ttl = "15s" + default_svid_ttl = "15s" # TODO: Update to use default_x509_svid_ttl in 1.6.0. Keep in previous releases for testing. } plugins { diff --git a/test/integration/suites/nested-rotation/leafB/server/server.conf b/test/integration/suites/nested-rotation/leafB/server/server.conf index 8aa8b941bc..9d3990838c 100644 --- a/test/integration/suites/nested-rotation/leafB/server/server.conf +++ b/test/integration/suites/nested-rotation/leafB/server/server.conf @@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "90s" - default_svid_ttl = "15s" + default_svid_ttl = "15s" # TODO: Update to use default_x509_svid_ttl in 1.6.0. Keep in previous releases for testing. } plugins { diff --git a/test/integration/suites/nested-rotation/root/server/server.conf b/test/integration/suites/nested-rotation/root/server/server.conf index 44200a7114..8da834fc8a 100644 --- a/test/integration/suites/nested-rotation/root/server/server.conf +++ b/test/integration/suites/nested-rotation/root/server/server.conf @@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "1h" - default_svid_ttl = "15s" + default_svid_ttl = "15s" # TODO: Update to use default_x509_svid_ttl in 1.6.0. Keep in previous releases for testing. } plugins { 
diff --git a/test/integration/suites/node-attestation/conf/server/server.conf b/test/integration/suites/node-attestation/conf/server/server.conf index a8f18c0680..b6b82f9371 100644 --- a/test/integration/suites/node-attestation/conf/server/server.conf +++ b/test/integration/suites/node-attestation/conf/server/server.conf @@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "1h" - default_svid_ttl = "10m" + default_x509_svid_ttl = "10m" } plugins { diff --git a/test/integration/suites/rotation/conf/server/server.conf b/test/integration/suites/rotation/conf/server/server.conf index 9c004f5ce9..58df05d4f0 100644 --- a/test/integration/suites/rotation/conf/server/server.conf +++ b/test/integration/suites/rotation/conf/server/server.conf @@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "1m" - default_svid_ttl = "10s" + default_x509_svid_ttl = "10s" } plugins { diff --git a/test/integration/suites/spire-server-cli/conf/server/server.conf b/test/integration/suites/spire-server-cli/conf/server/server.conf index d3539576fa..95ca171f42 100644 --- a/test/integration/suites/spire-server-cli/conf/server/server.conf +++ b/test/integration/suites/spire-server-cli/conf/server/server.conf @@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "1h" - default_svid_ttl = "10m" + default_x509_svid_ttl = "10m" } plugins { diff --git a/test/integration/suites/upgrade/conf/server/server.conf b/test/integration/suites/upgrade/conf/server/server.conf index a339cd61a0..8ba8220f11 100644 --- a/test/integration/suites/upgrade/conf/server/server.conf +++ b/test/integration/suites/upgrade/conf/server/server.conf @@ -5,7 +5,7 @@ server { data_dir = "/opt/spire/data/server" log_level = "DEBUG" ca_ttl = "1m" - default_svid_ttl = "10s" + default_svid_ttl = "10s" # TODO: Update to use default_x509_svid_ttl in 1.6.0. } plugins { 
diff --git a/test/integration/suites/upstream-authority-cert-manager/conf/server/spire-server.yaml b/test/integration/suites/upstream-authority-cert-manager/conf/server/spire-server.yaml index 607f071d4a..c8bfa4c394 100644 --- a/test/integration/suites/upstream-authority-cert-manager/conf/server/spire-server.yaml +++ b/test/integration/suites/upstream-authority-cert-manager/conf/server/spire-server.yaml @@ -53,7 +53,7 @@ data: trust_domain = "example.org" data_dir = "/run/spire/data" log_level = "DEBUG" - default_svid_ttl = "1h" + default_x509_svid_ttl = "1h" ca_ttl = "12h" ca_subject { country = ["US"] From e303d75075bc9849ce00016aaec0e58142af8d42 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Nov 2022 11:30:24 -0300 Subject: [PATCH 068/257] Bump actions/dependency-review-action from 2 to 3 (#3608) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2 to 3. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/v2...v3) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/depsreview.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/depsreview.yaml b/.github/workflows/depsreview.yaml index a25de591ba..da99d0c548 100644 --- a/.github/workflows/depsreview.yaml +++ b/.github/workflows/depsreview.yaml @@ -11,4 +11,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v3 - name: 'Dependency Review' - uses: actions/dependency-review-action@v2 + uses: actions/dependency-review-action@v3 
From 23b57c6bf83d92cc55e4aaedec9f200f0f93f5a4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Nov 2022 12:22:56 -0300 Subject: [PATCH 069/257] Bump github.com/mitchellh/cli from 1.1.4 to 1.1.5 (#3599) Bumps [github.com/mitchellh/cli](https://github.com/mitchellh/cli) from 1.1.4 to 1.1.5. - [Release notes](https://github.com/mitchellh/cli/releases) - [Commits](https://github.com/mitchellh/cli/compare/v1.1.4...v1.1.5) --- updated-dependencies: - dependency-name: github.com/mitchellh/cli dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 9dbcb3fdae..4e3aa755f0 100644 --- a/go.mod +++ b/go.mod @@ -51,7 +51,7 @@ require ( github.com/jinzhu/gorm v1.9.16 github.com/lib/pq v1.10.7 github.com/mattn/go-sqlite3 v1.14.16 - github.com/mitchellh/cli v1.1.4 + github.com/mitchellh/cli v1.1.5 github.com/open-policy-agent/opa v0.46.1 github.com/prometheus/client_golang v1.14.0 github.com/shirou/gopsutil/v3 v3.22.10 @@ -94,9 +94,9 @@ require ( github.com/Azure/go-autorest/tracing v0.6.0 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0 // indirect github.com/DataDog/datadog-go v3.2.0+incompatible // indirect - github.com/Masterminds/goutils v1.1.0 // indirect + github.com/Masterminds/goutils v1.1.1 // indirect github.com/Masterminds/semver/v3 v3.1.1 // indirect - github.com/Masterminds/sprig/v3 v3.2.0 // indirect + github.com/Masterminds/sprig/v3 v3.2.1 // indirect github.com/OneOfOne/xxhash v1.2.8 // indirect github.com/PuerkitoBio/purell v1.1.1 // indirect github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect 
diff --git a/go.sum b/go.sum index 7051278796..bb5cb8f3dc 100644 --- a/go.sum +++ b/go.sum @@ -232,12 +232,12 @@ github.com/DataDog/datadog-go v3.2.0+incompatible h1:qSG2N4FghB1He/r2mFrWKCaL7dX github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.0 h1:yVfnW2IL8ta7g5q7cPh6CHH5ukyP+Jfk1XCAGo7uF20= github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.0/go.mod h1:zidPvCHZ3cYESz8ghadYeGOSRJFjcU9k43vUJLvQIcI= -github.com/Masterminds/goutils v1.1.0 h1:zukEsf/1JZwCMgHiK3GZftabmxiCw4apj3a28RPBiVg= -github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= +github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= +github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc= github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= -github.com/Masterminds/sprig/v3 v3.2.0 h1:P1ekkbuU73Ui/wS0nK1HOM37hh4xdfZo485UPf8rc+Y= -github.com/Masterminds/sprig/v3 v3.2.0/go.mod h1:tWhwTbUTndesPNeF0C900vKoq283u6zp4APT9vaF3SI= +github.com/Masterminds/sprig/v3 v3.2.1 h1:n6EPaDyLSvCEa3frruQvAiHuNp2dhBlMSmkEr+HuzGc= +github.com/Masterminds/sprig/v3 v3.2.1/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk= github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg= github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE= 
@@ -856,8 +856,8 @@ github.com/microsoft/go-mssqldb v0.17.0/go.mod h1:OkoNGhGEs8EZqchVTtochlXruEhEOa github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= -github.com/mitchellh/cli v1.1.4 h1:qj8czE26AU4PbiaPXK5uVmMSM+V5BYsFBiM9HhGRLUA= -github.com/mitchellh/cli v1.1.4/go.mod h1:vTLESy5mRhKOs9KDp0/RATawxP1UqBmdrpVRMnpcvKQ= +github.com/mitchellh/cli v1.1.5 h1:OxRIeJXpAMztws/XHlN2vu6imG5Dpq+j61AzAX5fLng= +github.com/mitchellh/cli v1.1.5/go.mod h1:v8+iFts2sPIKUV1ltktPXMCC8fumSKFItNcD2cLtRR4= github.com/mitchellh/copystructure v1.0.0 h1:Laisrj+bAB6b/yJwB5Bt3ITZhGJdqmxquMKeZ+mmkFQ= github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= From f4fc4eb2b90d055e119433ac76d0f607b58d5858 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Nov 2022 14:38:52 -0300 Subject: [PATCH 070/257] Bump k8s.io/client-go from 0.25.3 to 0.25.4 (#3601) Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.25.3 to 0.25.4. - [Release notes](https://github.com/kubernetes/client-go/releases) - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/kubernetes/client-go/compare/v0.25.3...v0.25.4) --- updated-dependencies: - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 4e3aa755f0..d70cc3efea 100644 
--- a/go.mod +++ b/go.mod @@ -72,9 +72,9 @@ require ( google.golang.org/grpc v1.50.1 google.golang.org/protobuf v1.28.1 gopkg.in/square/go-jose.v2 v2.6.0 - k8s.io/api v0.25.3 - k8s.io/apimachinery v0.25.3 - k8s.io/client-go v0.25.3 + k8s.io/api v0.25.4 + k8s.io/apimachinery v0.25.4 + k8s.io/client-go v0.25.4 k8s.io/kube-aggregator v0.23.3 k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed sigs.k8s.io/controller-runtime v0.13.1 diff --git a/go.sum b/go.sum index bb5cb8f3dc..8a066b003a 100644 --- a/go.sum +++ b/go.sum 
@@ -1796,17 +1796,17 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= k8s.io/api v0.23.3/go.mod h1:w258XdGyvCmnBj/vGzQMj6kzdufJZVUwEM1U2fRJwSQ= -k8s.io/api v0.25.3 h1:Q1v5UFfYe87vi5H7NU0p4RXC26PPMT8KOpr1TLQbCMQ= -k8s.io/api v0.25.3/go.mod h1:o42gKscFrEVjHdQnyRenACrMtbuJsVdP+WVjqejfzmI= +k8s.io/api v0.25.4 h1:3YO8J4RtmG7elEgaWMb4HgmpS2CfY1QlaOz9nwB+ZSs= +k8s.io/api v0.25.4/go.mod h1:IG2+RzyPQLllQxnhzD8KQNEu4c4YvyDTpSMztf4A0OQ= k8s.io/apiextensions-apiserver v0.25.0 h1:CJ9zlyXAbq0FIW8CD7HHyozCMBpDSiH7EdrSTCZcZFY= k8s.io/apiextensions-apiserver v0.25.0/go.mod h1:3pAjZiN4zw7R8aZC5gR0y3/vCkGlAjCazcg1me8iB/E= k8s.io/apimachinery v0.23.3/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM= -k8s.io/apimachinery v0.25.3 h1:7o9ium4uyUOM76t6aunP0nZuex7gDf8VGwkR5RcJnQc= -k8s.io/apimachinery v0.25.3/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo= +k8s.io/apimachinery v0.25.4 h1:CtXsuaitMESSu339tfhVXhQrPET+EiWnIY1rcurKnAc= +k8s.io/apimachinery v0.25.4/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo= k8s.io/apiserver v0.23.3/go.mod h1:3HhsTmC+Pn+Jctw+Ow0LHA4dQ4oXrQ4XJDzrVDG64T4= k8s.io/client-go v0.23.3/go.mod h1:47oMd+YvAOqZM7pcQ6neJtBiFH7alOyfunYN48VsmwE= -k8s.io/client-go v0.25.3 h1:oB4Dyl8d6UbfDHD8Bv8evKylzs3BXzzufLiO27xuPs0= -k8s.io/client-go v0.25.3/go.mod h1:t39LPczAIMwycjcXkVc+CB+PZV69jQuNx4um5ORDjQA= +k8s.io/client-go v0.25.4 h1:3RNRDffAkNU56M/a7gUfXaEzdhZlYhoW8dgViGy5fn8= +k8s.io/client-go v0.25.4/go.mod h1:8trHCAC83XKY0wsBIpbirZU4NTUpbuhc2JnI7OruGZw= k8s.io/code-generator v0.23.3/go.mod h1:S0Q1JVA+kSzTI1oUvbKAxZY/DYbA/ZUb4Uknog12ETk= k8s.io/component-base v0.23.3/go.mod h1:1Smc4C60rWG7d3HjSYpIwEbySQ3YWg0uzH5a2AtaTLg= k8s.io/component-base v0.25.0 h1:haVKlLkPCFZhkcqB6WCvpVxftrg6+FK5x1ZuaIDaQ5Y= 
From 60330f540efb5c52620f87cfc21e2f2b81c4a8f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Tue, 15 Nov 2022 18:32:23 -0300 Subject: [PATCH 071/257] Write files on Windows with a specific security descriptor (#3604) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Write files on Windows with a specific security descriptor Signed-off-by: Agustín Martínez Fayó --- cmd/spire-agent/cli/api/fetch_x509.go | 6 +-- .../cli/federation/common_test.go | 2 +- cmd/spire-server/cli/jwt/mint.go | 4 +- cmd/spire-server/cli/jwt/mint_test.go | 4 +- cmd/spire-server/cli/x509/mint.go | 8 +-- pkg/common/diskutil/file_posix.go | 53 +++++++++++++------ pkg/common/diskutil/file_posix_test.go | 38 ++++++++++++- pkg/common/diskutil/file_windows.go | 44 ++++++++++----- pkg/common/diskutil/file_windows_test.go | 38 ++++++++++++- pkg/common/pemutil/certs.go | 9 ---- pkg/common/pemutil/pemutil_test.go | 33 ------------ pkg/server/plugin/keymanager/awskms/awskms.go | 3 +- pkg/server/plugin/keymanager/gcpkms/gcpkms.go | 3 +- .../mode-crd/webhook/webhook_svid.go | 7 ++- 14 files changed, 162 insertions(+), 90 deletions(-) diff --git a/cmd/spire-agent/cli/api/fetch_x509.go b/cmd/spire-agent/cli/api/fetch_x509.go index 58eb6add1b..c1188a6d67 100644 --- a/cmd/spire-agent/cli/api/fetch_x509.go +++ b/cmd/spire-agent/cli/api/fetch_x509.go @@ -8,7 +8,6 @@ import ( "errors" "flag" "fmt" - "os" "path" "time" @@ -18,6 +17,7 @@ import ( "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/spiffe/go-spiffe/v2/svid/x509svid" common_cli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/diskutil" ) func NewFetchX509Command() cli.Command { 
@@ -153,12 +153,12 @@ func (c *fetchX509Command) writeKey(filename string, privateKey crypto.PrivateKe Bytes: data, } - return os.WriteFile(filename, pem.EncodeToMemory(b), 0600) + return diskutil.WritePrivateFile(filename, pem.EncodeToMemory(b)) } // writeFile creates or truncates filename, and writes data to it func (c *fetchX509Command) writeFile(filename string, data []byte) error { - return os.WriteFile(filename, data, 0644) // nolint: gosec // expected permission for certificates + return diskutil.WritePubliclyReadableFile(filename, data) } type X509SVID struct { diff --git a/cmd/spire-server/cli/federation/common_test.go b/cmd/spire-server/cli/federation/common_test.go index 491874c823..8a700fa175 100644 --- a/cmd/spire-server/cli/federation/common_test.go +++ b/cmd/spire-server/cli/federation/common_test.go @@ -239,7 +239,7 @@ func createBundle(t *testing.T, trustDomain string) (*types.Bundle, string) { td := spiffeid.RequireTrustDomainFromString(trustDomain) bundlePath := path.Join(t.TempDir(), "bundle.pem") ca := fakeserverca.New(t, td, &fakeserverca.Options{}) - require.NoError(t, pemutil.SaveCertificates(bundlePath, ca.Bundle(), 0600)) + require.NoError(t, os.WriteFile(bundlePath, pemutil.EncodeCertificates(ca.Bundle()), 0600)) return &types.Bundle{ TrustDomain: td.String(), diff --git a/cmd/spire-server/cli/jwt/mint.go b/cmd/spire-server/cli/jwt/mint.go index 26bb69bd8f..3dd5e5fce8 100644 --- a/cmd/spire-server/cli/jwt/mint.go +++ b/cmd/spire-server/cli/jwt/mint.go @@ -5,7 +5,6 @@ import ( "errors" "flag" "fmt" - "os" "time" "github.com/mitchellh/cli" @@ -14,6 +13,7 @@ import ( "github.com/spiffe/spire-api-sdk/proto/spire/api/types" "github.com/spiffe/spire/cmd/spire-server/util" common_cli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/diskutil" "gopkg.in/square/go-jose.v2/jwt" ) 
@@ -81,7 +81,7 @@ func (c *mintCommand) Run(ctx context.Context, env *common_cli.Env, serverClient // Save in file tokenPath := env.JoinPath(c.write) - if err := os.WriteFile(tokenPath, []byte(token), 0600); err != nil { + if err := diskutil.WritePrivateFile(tokenPath, []byte(token)); err != nil { return fmt.Errorf("unable to write token: %w", err) } return env.Printf("JWT-SVID written to %s\n", tokenPath) diff --git a/cmd/spire-server/cli/jwt/mint_test.go b/cmd/spire-server/cli/jwt/mint_test.go index 3342da5ea1..8983b553ce 100644 --- a/cmd/spire-server/cli/jwt/mint_test.go +++ b/cmd/spire-server/cli/jwt/mint_test.go @@ -203,7 +203,7 @@ func TestMintRun(t *testing.T) { }, }, write: "/", - stderr: fmt.Sprintf("Error: unable to write token: open %s: is a directory\n", dir), + stderr: "Error: unable to write token", }, { name: "malformed token", @@ -290,7 +290,7 @@ func TestMintRun(t *testing.T) { code := cmd.Run(args) assert.Equal(t, tt.code, code, "exit code does not match") - assert.Equal(t, tt.stderr, stderr.String(), "stderr does not match") + assert.Contains(t, stderr.String(), tt.stderr, "stderr does not match") req := server.lastMintJWTSVIDRequest() if tt.noRequestExpected { diff --git a/cmd/spire-server/cli/x509/mint.go b/cmd/spire-server/cli/x509/mint.go index 4fd1a27b45..cac497dc42 100644 --- a/cmd/spire-server/cli/x509/mint.go +++ b/cmd/spire-server/cli/x509/mint.go @@ -13,7 +13,6 @@ import ( "flag" "fmt" "net/url" - "os" "time" "github.com/mitchellh/cli" @@ -22,6 +21,7 @@ import ( svidv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1" "github.com/spiffe/spire/cmd/spire-server/util" common_cli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/diskutil" ) type generateKeyFunc func() (crypto.Signer, error) 
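Review bot: In mint_test.go the switch to `assert.Contains(t, stderr.String(), tt.stderr, "stderr does not match")` loosens the check for every row of the table, not only the OS-dependent "is a directory" case: any row whose expected `stderr` is the empty string (success rows, outside the hunk, presumably are) now passes whatever the command prints to stderr. I would keep `assert.Equal` as the default and use a substring match only for rows that opt in through a separate field. If `dir` was used only by the removed `fmt.Sprintf`, it is now an unused variable; its declaration is outside the hunk, so this is worth checking.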
@@ -157,21 +157,21 @@ func (c *mintCommand) Run(ctx context.Context, env *common_cli.Env, serverClient keyPath := env.JoinPath(c.write, "key.pem") bundlePath := env.JoinPath(c.write, "bundle.pem") - if err := os.WriteFile(svidPath, svidPEM.Bytes(), 0644); err != nil { // nolint: gosec // expected permission + if err := diskutil.WritePubliclyReadableFile(svidPath, svidPEM.Bytes()); err != nil { return fmt.Errorf("unable to write SVID: %w", err) } if err := env.Printf("X509-SVID written to %s\n", svidPath); err != nil { return err } - if err := os.WriteFile(keyPath, keyPEM.Bytes(), 0600); err != nil { + if err := diskutil.WritePrivateFile(keyPath, keyPEM.Bytes()); err != nil { return fmt.Errorf("unable to write key: %w", err) } if err := env.Printf("Private key written to %s\n", keyPath); err != nil { return err } - if err := os.WriteFile(bundlePath, bundlePEM.Bytes(), 0644); err != nil { // nolint: gosec // expected permission + if err := diskutil.WritePubliclyReadableFile(bundlePath, bundlePEM.Bytes()); err != nil { return fmt.Errorf("unable to write bundle: %w", err) } return env.Printf("Root CAs written to %s\n", bundlePath) diff --git a/pkg/common/diskutil/file_posix.go b/pkg/common/diskutil/file_posix.go index 180386d3c4..09b56d3a82 100644 --- a/pkg/common/diskutil/file_posix.go +++ b/pkg/common/diskutil/file_posix.go 
@@ -8,29 +8,46 @@ import ( "path/filepath" ) -// AtomicWritePrivateFile writes data out. It writes to a temp file first, fsyncs that file, -// then swaps the file in. os.Rename is an atomic operation, so this sequence avoids having -// a partially written file at the final location. Finally, fsync is called on the directory -// to ensure the rename is persisted. +const ( + fileModePrivate = 0600 + fileModePubliclyReadable = 0644 +) + +// AtomicWritePrivateFile writes data out to a private file. +// It writes to a temp file first, fsyncs that file, then swaps the file in. +// It renames the file using MoveFileEx with 'MOVEFILE_WRITE_THROUGH', +// which waits until the file is synced to disk. func AtomicWritePrivateFile(path string, data []byte) error { - return atomicWrite(path, data, 0600) + return atomicWrite(path, data, fileModePrivate) } -// AtomicWritePubliclyReadableFile writes data out. It writes to a temp file first, fsyncs that file, -// then swaps the file in. os.Rename is an atomic operation, so this sequence avoids having -// a partially written file at the final location. Finally, fsync is called on the directory -// to ensure the rename is persisted. +// AtomicWritePubliclyReadableFile writes data out to a publicly readable file. +// It writes to a temp file first, fsyncs that file, then swaps the file in. +// It renames the file using MoveFileEx with 'MOVEFILE_WRITE_THROUGH', +// which waits until the file is synced to disk. func AtomicWritePubliclyReadableFile(path string, data []byte) error { - return atomicWrite(path, data, 0644) + return atomicWrite(path, data, fileModePubliclyReadable) } func CreateDataDirectory(path string) error { return os.MkdirAll(path, 0755) } +// WritePrivateFile writes data out to a private file. The file is created if it +// does not exist. If exists, it's overwritten. 
+func WritePrivateFile(path string, data []byte) error { + return write(path, data, fileModePrivate, false) +} + +// WritePubliclyReadableFile writes data out to a publicly readable file. The +// file is created if it does not exist. If exists, it's overwritten. +func WritePubliclyReadableFile(path string, data []byte) error { + return write(path, data, fileModePubliclyReadable, false) +} + func atomicWrite(path string, data []byte, mode os.FileMode) error { tmpPath := path + ".tmp" - if err := write(tmpPath, data, mode); err != nil { + if err := write(tmpPath, data, mode, true); err != nil { return err } @@ -55,7 +72,11 @@ func rename(tmpPath, path string) error { return dir.Close() } -func write(tmpPath string, data []byte, mode os.FileMode) error { +// write writes to a file in the specified path with the specified +// security descriptor using the provided data. The sync boolean +// argument is used to indicate whether flushing to disk is required +// or not. +func write(tmpPath string, data []byte, mode os.FileMode, sync bool) error { file, err := os.OpenFile(tmpPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, mode) if err != nil { return err @@ -66,9 +87,11 @@ func write(tmpPath string, data []byte, mode os.FileMode) error { return err } - if err := file.Sync(); err != nil { - file.Close() - return err + if sync { + if err := file.Sync(); err != nil { + file.Close() + return err + } } return file.Close() diff --git a/pkg/common/diskutil/file_posix_test.go b/pkg/common/diskutil/file_posix_test.go index c305d54ddf..02a629452d 100644 --- a/pkg/common/diskutil/file_posix_test.go +++ b/pkg/common/diskutil/file_posix_test.go @@ -12,7 +12,7 @@ import ( "github.com/stretchr/testify/require" ) -func TestAtomicWritePrivateFile(t *testing.T) { +func TestWriteFile(t *testing.T) { dir := spiretest.TempDir(t) tests := []struct { 
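Review bot: The rewritten comments on `AtomicWritePrivateFile` and `AtomicWritePubliclyReadableFile` in file_posix.go describe the Windows implementation: MoveFileEx and MOVEFILE_WRITE_THROUGH are not used in this file, and the removed wording (os.Rename followed by an fsync of the directory) is what the `rename` helper here still appears to do. I would restore the POSIX description, e.g. `// It writes to a temp file first, fsyncs it, renames it over path, then fsyncs the directory so the rename is persisted.` The new comment on `write` carries the same copy-over, speaking of a "security descriptor" where the parameter is an `os.FileMode`.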
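Review bot: `write` hands `mode` only to `os.OpenFile`, which applies it when the file is created, so when `WritePrivateFile` overwrites a file that already exists with wider permissions the key or token is written into it and the old mode stays. Since the new exported helpers promise a private file, either state this limit in their comments or tighten the mode after opening, `if err := file.Chmod(mode); err != nil { file.Close(); return err }`. The Windows `write` in file_windows.go may behave the same way for an existing file, depending on `createFileForWriting`, which is outside the diff. The parameter is also still named `tmpPath` although it now receives final paths; file_windows.go already renames it to `path`.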
@@ -57,6 +57,42 @@ func TestAtomicWritePrivateFile(t *testing.T) { atomicWriteFunc: AtomicWritePubliclyReadableFile, expectMode: 0644, }, + { + name: "basic - WritePrivateFile", + data: []byte("Hello, World"), + atomicWriteFunc: WritePrivateFile, + expectMode: 0600, + }, + { + name: "empty - WritePrivateFile", + data: []byte{}, + atomicWriteFunc: WritePrivateFile, + expectMode: 0600, + }, + { + name: "binary - WritePrivateFile", + data: []byte{0xFF, 0, 0xFF, 0x3D, 0xD8, 0xA9, 0xDC, 0xF0, 0x9F, 0x92, 0xA9}, + atomicWriteFunc: WritePrivateFile, + expectMode: 0600, + }, + { + name: "basic - WritePubliclyReadableFile", + data: []byte("Hello, World"), + atomicWriteFunc: WritePubliclyReadableFile, + expectMode: 0644, + }, + { + name: "empty - WritePubliclyReadableFile", + data: []byte{}, + atomicWriteFunc: WritePubliclyReadableFile, + expectMode: 0644, + }, + { + name: "binary - WritePubliclyReadableFile", + data: []byte{0xFF, 0, 0xFF, 0x3D, 0xD8, 0xA9, 0xDC, 0xF0, 0x9F, 0x92, 0xA9}, + atomicWriteFunc: WritePubliclyReadableFile, + expectMode: 0644, + }, } for _, tt := range tests { tt := tt diff --git a/pkg/common/diskutil/file_windows.go b/pkg/common/diskutil/file_windows.go index f192daede8..b315d2ce9d 100644 --- a/pkg/common/diskutil/file_windows.go +++ b/pkg/common/diskutil/file_windows.go 
@@ -25,16 +25,16 @@ type fileAttribs struct { // AtomicWritePrivateFile writes data out to a private file. // It writes to a temp file first, fsyncs that file, then swaps the file in. -// Rename file using a custom MoveFileEx that uses 'MOVEFILE_WRITE_THROUGH' -// witch waits until file is synced to disk. +// It renames the file using MoveFileEx with 'MOVEFILE_WRITE_THROUGH', +// which waits until the file is synced to disk. func AtomicWritePrivateFile(path string, data []byte) error { return atomicWrite(path, data, sddl.PrivateFile) } // AtomicWritePubliclyReadableFile writes data out to a publicly readable file. // It writes to a temp file first, fsyncs that file, then swaps the file in. -// Rename file using a custom MoveFileEx that uses 'MOVEFILE_WRITE_THROUGH' -// witch waits until file is synced to disk. +// It renames the file using MoveFileEx with 'MOVEFILE_WRITE_THROUGH', +// which waits until the file is synced to disk. func AtomicWritePubliclyReadableFile(path string, data []byte) error { return atomicWrite(path, data, sddl.PubliclyReadableFile) } 
@@ -88,33 +88,51 @@ func MkdirAll(path string, sddl string) error { return nil } +// WritePrivateFile writes data out to a private file. The file is created if it +// does not exist. If exists, it's overwritten. +func WritePrivateFile(path string, data []byte) error { + return write(path, data, sddl.PrivateFile, false) +} + +// WritePubliclyReadableFile writes data out to a publicly readable file. The +// file is created if it does not exist. If exists, it's overwritten. +func WritePubliclyReadableFile(path string, data []byte) error { + return write(path, data, sddl.PubliclyReadableFile, false) +} + func atomicWrite(path string, data []byte, sddl string) error { tmpPath := path + ".tmp" - if err := write(tmpPath, data, sddl); err != nil { + if err := write(tmpPath, data, sddl, true); err != nil { return err } return atomicRename(tmpPath, path) } -func write(tmpPath string, data []byte, sddl string) error { - handle, err := createFileForWriting(tmpPath, sddl) +// write writes to a file in the specified path with the specified +// security descriptor using the provided data. The sync boolean +// argument is used to indicate whether flushing to disk is required +// or not. +func write(path string, data []byte, sddl string, sync bool) error { + handle, err := createFileForWriting(path, sddl) if err != nil { return err } - file := os.NewFile(uintptr(handle), tmpPath) + file := os.NewFile(uintptr(handle), path) if file == nil { - return fmt.Errorf("invalid file descriptor for file %q", tmpPath) + return fmt.Errorf("invalid file descriptor for file %q", path) } if _, err := file.Write(data); err != nil { file.Close() - return err + return fmt.Errorf("failed to write to file %q: %w", path, err) } - if err := file.Sync(); err != nil { - file.Close() - return err + if sync { + if err := file.Sync(); err != nil { + file.Close() + return fmt.Errorf("failed to sync file %q: %w", path, err) + } } return file.Close() 
diff --git a/pkg/common/diskutil/file_windows_test.go b/pkg/common/diskutil/file_windows_test.go index 1cd62785bf..99c7c6fb7a 100644 --- a/pkg/common/diskutil/file_windows_test.go +++ b/pkg/common/diskutil/file_windows_test.go @@ -14,7 +14,7 @@ import ( "golang.org/x/sys/windows" ) -func TestAtomicWritePrivateFile(t *testing.T) { +func TestWriteFile(t *testing.T) { dir := spiretest.TempDir(t) tests := []struct { @@ -59,6 +59,42 @@ func TestAtomicWritePrivateFile(t *testing.T) { expectSecurityDescriptor: sddl.PubliclyReadableFile, atomicWriteFunc: AtomicWritePubliclyReadableFile, }, + { + name: "basic - WritePrivateFile", + data: []byte("Hello, World"), + expectSecurityDescriptor: sddl.PrivateFile, + atomicWriteFunc: WritePrivateFile, + }, + { + name: "empty - WritePrivateFile", + data: []byte{}, + expectSecurityDescriptor: sddl.PrivateFile, + atomicWriteFunc: WritePrivateFile, + }, + { + name: "binary - WritePrivateFile", + data: []byte{0xFF, 0, 0xFF, 0x3D, 0xD8, 0xA9, 0xDC, 0xF0, 0x9F, 0x92, 0xA9}, + expectSecurityDescriptor: sddl.PrivateFile, + atomicWriteFunc: WritePrivateFile, + }, + { + name: "basic - WritePubliclyReadableFile", + data: []byte("Hello, World"), + expectSecurityDescriptor: sddl.PubliclyReadableFile, + atomicWriteFunc: WritePubliclyReadableFile, + }, + { + name: "empty - WritePubliclyReadableFile", + data: []byte{}, + expectSecurityDescriptor: sddl.PubliclyReadableFile, + atomicWriteFunc: WritePubliclyReadableFile, + }, + { + name: "binary - WritePubliclyReadableFile", + data: []byte{0xFF, 0, 0xFF, 0x3D, 0xD8, 0xA9, 0xDC, 0xF0, 0x9F, 0x92, 0xA9}, + expectSecurityDescriptor: sddl.PubliclyReadableFile, + atomicWriteFunc: WritePubliclyReadableFile, + }, } for _, tt := range tests { tt := tt diff --git a/pkg/common/pemutil/certs.go b/pkg/common/pemutil/certs.go index 46c5ac4455..0ef331e265 100644 --- a/pkg/common/pemutil/certs.go +++ b/pkg/common/pemutil/certs.go 
@@ -5,7 +5,6 @@ import ( "crypto/x509" "encoding/pem" "fmt" - "os" ) func ParseCertificate(pemBytes []byte) (*x509.Certificate, error) { @@ -48,20 +47,12 @@ func EncodeCertificates(certs []*x509.Certificate) []byte { return buf.Bytes() } -func SaveCertificates(path string, certs []*x509.Certificate, mode os.FileMode) error { - return os.WriteFile(path, EncodeCertificates(certs), mode) -} - func EncodeCertificate(cert *x509.Certificate) []byte { var buf bytes.Buffer encodeCertificate(&buf, cert) return buf.Bytes() } -func SaveCertificate(path string, cert *x509.Certificate, mode os.FileMode) error { - return os.WriteFile(path, EncodeCertificate(cert), mode) -} - func certFromObject(object interface{}) (*x509.Certificate, error) { cert, ok := object.(*x509.Certificate) if !ok { diff --git a/pkg/common/pemutil/pemutil_test.go b/pkg/common/pemutil/pemutil_test.go index 981202dacf..03430f135a 100644 --- a/pkg/common/pemutil/pemutil_test.go +++ b/pkg/common/pemutil/pemutil_test.go @@ -4,7 +4,6 @@ import ( "crypto/ecdsa" "crypto/rsa" "os" - "path" "testing" "github.com/stretchr/testify/suite" 
@@ -272,38 +271,6 @@ func (s *Suite) TestEncodeCertificate() { s.Require().Equal(expCertPem, EncodeCertificate(cert)) } -func (s *Suite) TestSaveCertificate() { - dir, err := os.MkdirTemp("", "pemutil-test") - s.Require().NoError(err) - defer os.Remove(dir) - - certPath := path.Join(dir, "cert") - cert, err := LoadCertificate("testdata/cert.pem") - s.Require().NoError(err) - err = SaveCertificate(certPath, cert, 0600) - s.Require().NoError(err) - - fileContent, err := os.ReadFile(certPath) - s.Require().NoError(err) - s.Require().Equal(EncodeCertificate(cert), fileContent) -} - -func (s *Suite) TestSaveCertificates() { - dir, err := os.MkdirTemp("", "pemutil-test") - s.Require().NoError(err) - defer os.Remove(dir) - - certsPath := path.Join(dir, "certs") - certs, err := LoadCertificates("testdata/certs.pem") - s.Require().NoError(err) - err = SaveCertificates(certsPath, certs, 0600) - s.Require().NoError(err) - - fileContent, err := os.ReadFile(certsPath) - s.Require().NoError(err) - s.Require().Equal(EncodeCertificates(certs), fileContent) -} - func (s *Suite) TestLoadSigner() { // fail if not a private key _, err := LoadSigner("testdata/cert.pem") diff --git a/pkg/server/plugin/keymanager/awskms/awskms.go b/pkg/server/plugin/keymanager/awskms/awskms.go index d31b81ee61..612d82d83c 100644 --- a/pkg/server/plugin/keymanager/awskms/awskms.go +++ b/pkg/server/plugin/keymanager/awskms/awskms.go @@ -23,6 +23,7 @@ import ( keymanagerv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/keymanager/v1" configv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/service/common/config/v1" "github.com/spiffe/spire/pkg/common/catalog" + "github.com/spiffe/spire/pkg/common/diskutil" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" ) 
@@ -947,7 +948,7 @@ func createServerID(idPath string) (string, error) { id := u.String() // persist id - err = os.WriteFile(idPath, []byte(id), 0600) + err = diskutil.WritePrivateFile(idPath, []byte(id)) if err != nil { return "", status.Errorf(codes.Internal, "failed to persist server id on path: %v", err) } diff --git a/pkg/server/plugin/keymanager/gcpkms/gcpkms.go b/pkg/server/plugin/keymanager/gcpkms/gcpkms.go index f30cfa763a..5115531e63 100644 --- a/pkg/server/plugin/keymanager/gcpkms/gcpkms.go +++ b/pkg/server/plugin/keymanager/gcpkms/gcpkms.go @@ -24,6 +24,7 @@ import ( keymanagerv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/keymanager/v1" configv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/service/common/config/v1" "github.com/spiffe/spire/pkg/common/catalog" + "github.com/spiffe/spire/pkg/common/diskutil" "google.golang.org/api/iterator" "google.golang.org/api/option" iampb "google.golang.org/genproto/googleapis/iam/v1" @@ -931,7 +932,7 @@ func createServerID(idPath string) (string, error) { return "", status.Errorf(codes.Internal, "failed to generate ID for server: %v", err) } - err = os.WriteFile(idPath, []byte(id), 0600) + err = diskutil.WritePrivateFile(idPath, []byte(id)) if err != nil { return "", status.Errorf(codes.Internal, "failed to persist server ID on path: %v", err) } diff --git a/support/k8s/k8s-workload-registrar/mode-crd/webhook/webhook_svid.go b/support/k8s/k8s-workload-registrar/mode-crd/webhook/webhook_svid.go index ed0481e1e5..5f94654d65 100644 --- a/support/k8s/k8s-workload-registrar/mode-crd/webhook/webhook_svid.go +++ b/support/k8s/k8s-workload-registrar/mode-crd/webhook/webhook_svid.go 
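Review bot: `createServerID` in awskms.go persists the ID with `diskutil.WritePrivateFile`, which this commit defines as the in-place variant without a sync, so a crash or a full disk during the write can leave a truncated or empty file at `idPath`. The ID presumably ties this server to its KMS keys on later starts (the code that reads it back is outside the hunk), so `diskutil.AtomicWritePrivateFile(idPath, []byte(id))` from the same package looks like the better fit. The same applies to `createServerID` in gcpkms.go in the next hunk.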
@@ -21,14 +21,13 @@ import ( "github.com/spiffe/go-spiffe/v2/spiffeid" svidv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1" spiretypes "github.com/spiffe/spire-api-sdk/proto/spire/api/types" + "github.com/spiffe/spire/pkg/common/diskutil" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/client-go/util/retry" ) const ( certDirMode = os.FileMode(0o700) - certsFileMode = os.FileMode(0o644) - keyFileMode = os.FileMode(0o600) certsFileName = "tls.crt" keyFileName = "tls.key" ) @@ -181,13 +180,13 @@ func (e *SVID) dumpSVID(svid *spiretypes.X509SVID, key crypto.Signer) error { // Write certificates to disk certsFileName := path.Join(e.c.WebhookCertDir, certsFileName) - if err := os.WriteFile(certsFileName, svidPEM.Bytes(), certsFileMode); err != nil { + if err := diskutil.WritePubliclyReadableFile(certsFileName, svidPEM.Bytes()); err != nil { return err } // Write key to disk keyFileName := path.Join(e.c.WebhookCertDir, keyFileName) - return os.WriteFile(keyFileName, keyPEM.Bytes(), keyFileMode) + return diskutil.WritePrivateFile(keyFileName, keyPEM.Bytes()) } func certHalfLife(cert *x509.Certificate) time.Time { From c4fce5d76a7ebc0fce9954b791663e7ab3db8cee Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Thu, 9 Jun 2022 21:13:21 -0400 Subject: [PATCH 072/257] Added Sigstore workload attestor for SPIRE Signed-off-by: Willian Alves 
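Review bot: `dumpSVID` replaces `tls.crt` and then `tls.key` with two in-place, truncating writes, so anything that reloads the pair during or between the calls can read a partial file or a new certificate next to the old key. The atomic helpers in the same package remove the partial-file case: `diskutil.AtomicWritePubliclyReadableFile(certsFileName, svidPEM.Bytes())` and `diskutil.AtomicWritePrivateFile(keyFileName, keyPEM.Bytes())`. Both paths are built with `path.Join`; if this code is meant to run on Windows as well, `filepath.Join` is the OS-correct call. The function's beginning is outside the hunk.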
Signed-off-by: Matheus Santos --- conf/agent/agent_full.conf | 19 + doc/plugin_agent_nodeattestor_k8s_psat.md | 2 +- doc/plugin_agent_nodeattestor_k8s_sat.md | 4 + doc/plugin_agent_workloadattestor_k8s.md | 60 +- doc/plugin_agent_workloadattestor_windows.md | 20 - doc/plugin_server_nodeattestor_k8s_psat.md | 2 +- doc/scaling_spire.md | 6 +- go.mod | 97 +- go.sum | 1530 +++++++++++++- .../plugin/workloadattestor/k8s/k8s_posix.go | 328 +++ .../plugin/workloadattestor/k8s/k8s_test.go | 423 +++- .../workloadattestor/k8s/sigstore/sigstore.go | 430 ++++ .../k8s/sigstore/sigstore_test.go | 1805 +++++++++++++++++ .../k8s/sigstore/sigstorecache.go | 85 + .../k8s/sigstore/sigstorecache_test.go | 209 ++ 15 files changed, 4928 insertions(+), 92 deletions(-) create mode 100644 pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go create mode 100644 pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go create mode 100644 pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache.go create mode 100644 pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go diff --git a/conf/agent/agent_full.conf b/conf/agent/agent_full.conf index daa113389e..a1856923bb 100644 --- a/conf/agent/agent_full.conf +++ b/conf/agent/agent_full.conf 
@@ -359,6 +359,25 @@ plugins { # node_name: The name of the node. Overrides the value obtained by # the environment variable specified by node_name_env. # node_name = "" + + sigstore { + # rekor_url: The URL for the rekor STL Server to use with cosign. + # rekor_url = "https://rekor.sigstore.dev" + + # skip_signature_verification_image_list: List of images that should + # not be verified by cosign. They will receive a default + # sigstore-validation:passed selector, but no other sigstore related selectors. + # skip_signature_verification_image_list = ["sha:image1hash","sha:image2hash"] + + # enable_allowed_subjects_list: Boolean indicating whether image + # signatures will be checked against a list of subjects. + # enable_allowed_subjects_list = false + + # allowed_subjects_list: List of subjects that image signatures + # will be checked against, if enabled through the above option. + # signatures from subjects outside this list will receive + # no sigstore-related selectors. These should be email addresses. + # allowed_subjects_list = ["subject1@example.com","subject2@example.com"] } } diff --git a/doc/plugin_agent_nodeattestor_k8s_psat.md b/doc/plugin_agent_nodeattestor_k8s_psat.md index 91ab12f910..2054dff491 100644 --- a/doc/plugin_agent_nodeattestor_k8s_psat.md +++ b/doc/plugin_agent_nodeattestor_k8s_psat.md @@ -50,7 +50,7 @@ volumeMounts: name: spire-agent ``` -A full example of this attestor is provided in [the SPIRE examples repository](https://github.com/spiffe/spire-examples/tree/main/examples/k8s/simple_psat). +A full example of this attestor is provided in [the SPIRE examples repository](https://github.com/spiffe/spire-examples/tree/master/examples/k8s/simple_psat). ## Considerations diff --git a/doc/plugin_agent_nodeattestor_k8s_sat.md b/doc/plugin_agent_nodeattestor_k8s_sat.md index 3a6270eb6e..74ee2b4d32 100644 --- a/doc/plugin_agent_nodeattestor_k8s_sat.md +++ b/doc/plugin_agent_nodeattestor_k8s_sat.md 
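Review bot: The comment on `skip_signature_verification_image_list` says skipped images receive the `sigstore-validation:passed` selector, which makes an image that was never verified indistinguishable, by that selector, from one whose signature was checked, so a registration entry keyed on it would match both. The sample should say this outright, e.g. `# NOTE: images listed here are NOT verified; do not rely on sigstore-validation:passed alone to identify signed workloads.` Separately, going by the hunk header (19 added lines), the new `sigstore {` block gets no closing `}` of its own and borrows one from the enclosing blocks, which would leave the sample configuration unbalanced. "rekor STL Server" in the `rekor_url` comment presumably means the Rekor transparency log server.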
@@ -21,7 +21,11 @@ The main configuration accepts the following values: | `cluster` | Name of the cluster. It must correspond to a cluster configured in the server plugin. | | `token_path` | Path to the service account token on disk | "/var/run/secrets/kubernetes.io/serviceaccount/token" | +<<<<<<< HEAD The token path defaults to the default location Kubernetes uses to place the token and should not need to be overridden in most cases. +======= +The token path defaults to the default location kubernetes uses to place the token and should not need to be overriden in most cases. +>>>>>>> Added Sigstore workload attestor for SPIRE A sample configuration with the default token path: diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index 02318fa78b..5a3e1725f1 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md 
@@ -40,24 +40,39 @@ server name validation against the kubelet certificate. **Note** To run on Windows containers, Kubernetes v1.24+ and containerd v1.6+ are required, since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/) container is required on the agent container. -| Configuration | Description | -|--------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `disable_container_selectors` | If true, container selectors are not produced. This can be used to produce pod selectors when the workload pod is known but the workload container is not ready at the time of attestation. | -| `kubelet_read_only_port` | The kubelet read-only port. This is mutually exlusive with `kubelet_secure_port`. | -| `kubelet_secure_port` | The kubelet secure port. It defaults to `10250` unless `kubelet_read_only_port` is set. | -| `kubelet_ca_path` | The path on disk to a file containing CA certificates used to verify the kubelet certificate. Required unless `skip_kubelet_verification` is set. Defaults to the cluster CA bundle `/run/secrets/kubernetes.io/serviceaccount/ca.crt`. | -| `skip_kubelet_verification` | If true, kubelet certificate verification is skipped | -| `token_path` | The path on disk to the bearer token used for kubelet authentication. Defaults to the service account token `/run/secrets/kubernetes.io/serviceaccount/token` | -| `certificate_path` | The path on disk to client certificate used for kubelet authentication | -| `private_key_path` | The path on disk to client key used for kubelet authentication | -| `use_anonymous_authentication` | If true, use anonymous authentication for kubelet communication | -| `node_name_env` | The environment variable used to obtain the node name. Defaults to `MY_NODE_NAME`. 
| -| `node_name` | The name of the node. Overrides the value obtained by the environment variable specified by `node_name_env`. | - -| Selector | Value | -|--------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| k8s:ns | The workload's namespace | -| k8s:sa | The workload's service account | +| Configuration | Description | +| ------------- | ----------- | +| `disable_container_selectors` | If true, container selectors are not produced. This can be used to produce pod selectors when the workload pod is known but the workload container is not ready at the time of attestation. | +| `kubelet_read_only_port` | The kubelet read-only port. This is mutually exlusive with `kubelet_secure_port`. | +| `kubelet_secure_port` | The kubelet secure port. It defaults to `10250` unless `kubelet_read_only_port` is set. | +| `kubelet_ca_path` | The path on disk to a file containing CA certificates used to verify the kubelet certificate. Required unless `skip_kubelet_verification` is set. Defaults to the cluster CA bundle `/run/secrets/kubernetes.io/serviceaccount/ca.crt`. | +| `skip_kubelet_verification` | If true, kubelet certificate verification is skipped | +| `token_path` | The path on disk to the bearer token used for kubelet authentication. 
Defaults to the service account token `/run/secrets/kubernetes.io/serviceaccount/token` | +| `certificate_path` | The path on disk to client certificate used for kubelet authentication | +| `private_key_path` | The path on disk to client key used for kubelet authentication | +| `use_anonymous_authentication` | If true, use anonymous authentication for kubelet communication | +| `node_name_env` | The environment variable used to obtain the node name. Defaults to `MY_NODE_NAME`. | +| `node_name` | The name of the node. Overrides the value obtained by the environment variable specified by `node_name_env`. | +| `skip_signature_verification_image_list`| The list of images, described as digest hashes, that should be skipped in signature verification. | +| `enable_allowed_subjects_list`| Enables a list of allowed subjects that are trusted and are allowed to sign container images artificats.| +| `allowed_subjects_list`| The list of allowed subjects enabled by `enable_allowed_subjects_list` each entry represents subject e-mail. | +| `rekor_url` | The URL for the rekor STL Server to use with cosign. | + +### Sigstore workload attestor for SPIRE + +The k8s workload attestor plugins has also capabilities to validate images signatures through [sigstore](https://www.sigstore.dev/) + +The RFC is available [here](https://docs.google.com/document/d/1YVuu7HMHnp8nx3sCPx7R2lCfjjno363s4oiPlI6axF4/edit#heading=h.ttn87ugq19sb) for reference. + +> **Note** you can provide your own CA roots signed through TUF via the cosign initialize command. +This effectively securely pins the CA roots. 
We allow you to also specify trusted roots via the `SIGSTORE_ROOT_FILE` flag + +### K8s selectors + +| Selector | Value | +| -------- | ----- | +| k8s:ns | The workload's namespace | +| k8s:sa | The workload's service account | | k8s:container-image | The Image OR ImageID of the container in the workload's pod which is requesting an SVID, [as reported by K8S](https://pkg.go.dev/k8s.io/api/core/v1#ContainerStatus). Selector value may be an image tag, such as: `docker.io/envoyproxy/envoy-alpine:v1.16.0`, or a resolved SHA256 image digest, such as `docker.io/envoyproxy/envoy-alpine@sha256:bf862e5f5eca0a73e7e538224578c5cf867ce2be91b5eaed22afc153c00363eb` | | k8s:container-name | The name of the workload's container | | k8s:node-name | The name of the workload's node | 
@@ -71,6 +86,15 @@ since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/cre | k8s:pod-init-image | An Image OR ImageID of any init container in the workload's pod, [as reported by K8S](https://pkg.go.dev/k8s.io/api/core/v1#ContainerStatus). Selector value may be an image tag, such as: `docker.io/envoyproxy/envoy-alpine:v1.16.0`, or a resolved SHA256 image digest, such as `docker.io/envoyproxy/envoy-alpine@sha256:bf862e5f5eca0a73e7e538224578c5cf867ce2be91b5eaed22afc153c00363eb` | | k8s:pod-init-image-count | The number of init container images in workload's pod | +Sigstore enabled selectors (available when configured to use sigstore) + +| Selector | Value | +| -------- | ----- | +| k8s:containerID:image-signature-content | The value of the signature itself in a hash (eg. "k8s:000000:image-signature-content:MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=")| +| k8s:containerID:image-signature-subject | OIDC principal that signed it​ (eg. "k8s:000000:image-signature-subject:spirex@example.com")| +| k8s:containerID:image-signature-logid | A unique LogID for the Rekor transparency log​ (eg. "k8s:000000:image-signature-logid:samplelogID") | +| k8s:containerID:image-signature-integrated-time | The date when the image signature was integrated into the signature transparency log​ (eg. "k8s:000000:image-signature-integrated-time:12345") | +| k8s:sigstore-validation | The confirmation if the signature is valid, has value of "passed" (eg. "k8s:sigstore-validation:passed") | > **Note** `container-image` will ONLY match against the specific container in the pod that is contacting SPIRE on behalf of > the pod, whereas `pod-image` and `pod-init-image` will match against ANY container or init container in the Pod, > respectively. diff --git a/doc/plugin_agent_workloadattestor_windows.md b/doc/plugin_agent_workloadattestor_windows.md index 23fb70b242..e4cccb7f13 100644 
--- a/doc/plugin_agent_workloadattestor_windows.md
+++ b/doc/plugin_agent_workloadattestor_windows.md
@@ -19,26 +19,6 @@ It does so by opening an access token associated with the workload process. The | `windows:group_name:se_group_enabled:true` | The group name of an enabled group associated with the access token from the workload process (e.g. `windows:group_name:se_group_enabled:true:computer-or-domain\mygroup`) | | `windows:group_name:se_group_enabled:false` | The group name of a not enabled group associated with the access token from the workload process (e.g. `windows:group_name:se_group_enabled:false:computer-or-domain\mygroup`) | -Workload path enabled selectors (available when configured with `discover_workload_path = true`): - -| Selector | Value | -|------------------|-----------------------------------------------------------------------------------------------------------------------------------| -| `windows:path` | The path to the workload binary (e.g. `windows:path:C:\Program Files\nginx\nginx.exe`) | -| `windows:sha256` | The SHA256 digest of the workload binary (e.g. `windows:sha256:3a6eb0790f39ac87c94f3856b2dd2c5d110e6811602261a9a923d3bb23adc8b7`) | - -Security Considerations: - -Malicious workloads could cause the SPIRE agent to do expensive work -calculating a sha256 for large workload binaries, causing a denial-of-service. -Defenses against this are: - -- disabling calculation entirely by setting `workload_size_limit` to a negative value -- use `workload_size_limit` to enforce a limit on the binary size the - plugin is willing to hash. However, the same attack could be performed by spawning a - bunch of processes under the limit. - The workload API does not yet support rate limiting, but when it does, this attack can - be mitigated by using rate limiting in conjunction with non-negative `workload_size_limit`. - #### Notes - An enabled group in a token is a group that has the [SE_GROUP_ENABLED](https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-attributes-in-an-access-token) attribute. 
diff --git a/doc/plugin_server_nodeattestor_k8s_psat.md b/doc/plugin_server_nodeattestor_k8s_psat.md index 8ee81beeda..fe57034d58 100644 --- a/doc/plugin_server_nodeattestor_k8s_psat.md +++ b/doc/plugin_server_nodeattestor_k8s_psat.md @@ -76,4 +76,4 @@ This plugin generates the following selectors: The node and pod selectors are only provided for label keys in the `allowed_node_label_keys` and `allowed_pod_label_keys` configurables. -A full example of this attestor is provided in [the SPIRE examples repository](https://github.com/spiffe/spire-examples/tree/main/examples/k8s/simple_psat) +A full example of this attestor is provided in [the SPIRE examples repository](https://github.com/spiffe/spire-examples/tree/master/examples/k8s/simple_psat) diff --git a/doc/scaling_spire.md b/doc/scaling_spire.md index be8a1b83c7..3bd5fd13b0 100644 --- a/doc/scaling_spire.md +++ b/doc/scaling_spire.md 
@@ -61,9 +61,9 @@ Another use case is SPIFFE interoperability between organizations, such as betwe These multiple trust domain and interoperability use cases both require a well-defined, interoperable method for a Workload in one trust domain to authenticate a Workload in a different trust domain. Trust between the different trust domains is established by first authenticating the respective bundle endpoint, followed by retrieval of the foreign trust domain bundle via the authenticated endpoint. -For additional detail on how this is achieved, refer to the following SPIFFE spec that describes the mechanism: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#5-spiffe-bundle-endpoint +For additional detail on how this is achieved, refer to the following SPIFFE spec that describes the mechanism: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#5-spiffe-bundle-endpoint -For a tutorial on configuring Federated SPIRE, refer to: https://github.com/spiffe/spire-tutorials/tree/main/docker-compose/federation +For a tutorial on configuring Federated SPIRE, refer to: https://github.com/spiffe/spire-tutorials/tree/master/docker-compose/federation # Interaction with External Systems 
@@ -84,7 +84,7 @@ SPIRE has a feature to programmatically authenticate on behalf of identified wor The SPIRE OIDC Discovery Provider retrieves a WebPKI certificate using the ACME protocol, which it uses to secure an endpoint that serves an OIDC compatible JWKS bundle and a standard OIDC discovery document. The remote OIDC authenticated service needs then to be configured to locate the endpoint and qualify the WebPKI service. Once this configuration is in place, the remote system’s IAM policies and roles can be set to map to specific SPIFFE IDs. The workload, in turn, will talk to the OIDC-authenticated system by sending a JWT-SVID. The target system then fetches a JWKS from the pre-defined URI which is served by the OIDC Discovery Provider. The target system uses the JWKS file to validate the JWT-SVID, and if the SPIFFE ID contained within the JWT-SVID is authorized to access the requested resource, it serves the request. The workload is then able to access the foreign remote service without possessing any credentials provided by it. For a configuration reference on the OIDC Discovery Provider, see: -https://github.com/spiffe/spire/tree/main/support/oidc-discovery-provider +https://github.com/spiffe/spire/tree/master/support/oidc-discovery-provider For a detailed tutorial on configuring OIDC Federation to Amazon Web Services, refer to: https://spiffe.io/spire/try/oidc-federation-aws/ diff --git a/go.mod b/go.mod index e4baf6a0f7..2b2fc1abfc 100644 --- a/go.mod +++ b/go.mod @@ -35,6 +35,7 @@ require ( github.com/golang/mock v1.6.0 github.com/golang/protobuf v1.5.2 github.com/google/go-cmp v0.5.9 + github.com/google/go-containerregistry v0.7.1-0.20211118220127-abdc633f8305 github.com/google/go-tpm v0.3.3 github.com/google/go-tpm-tools v0.3.9 github.com/googleapis/gax-go/v2 v2.6.0 
@@ -53,6 +54,9 @@ require ( github.com/open-policy-agent/opa v0.45.0 github.com/prometheus/client_golang v1.13.0 github.com/shirou/gopsutil/v3 v3.22.9 + github.com/sigstore/cosign v1.4.0 + github.com/sigstore/rekor v0.3.1-0.20211203233407-3278f72b78bd + github.com/sigstore/sigstore v1.0.2-0.20211203233310-c8e7f70eab4e github.com/sirupsen/logrus v1.9.0 github.com/spiffe/go-spiffe/v2 v2.0.1-0.20220414143532-2ed460a8b9d3 github.com/spiffe/spire-api-sdk v1.2.5-0.20220608195902-84fd618158c9 @@ -82,11 +86,17 @@ require ( cloud.google.com/go v0.104.0 // indirect cloud.google.com/go/compute v1.10.0 // indirect cloud.google.com/go/iam v0.3.0 // indirect + cloud.google.com/go/kms v1.1.0 // indirect + github.com/Azure/azure-sdk-for-go v59.4.0+incompatible // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest v0.11.27 // indirect github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect + github.com/Azure/go-autorest/autorest/azure/auth v0.5.9 // indirect + github.com/Azure/go-autorest/autorest/azure/cli v0.4.4 // indirect github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect + github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect + github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1 // indirect 
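Review bot: The sigstore modules added in this hunk are what decides whether an image signature is accepted, yet two are pinned to untagged commits (`github.com/sigstore/rekor v0.3.1-0.20211203233407-3278f72b78bd`, `github.com/sigstore/sigstore v1.0.2-0.20211203233310-c8e7f70eab4e`) next to `github.com/sigstore/cosign v1.4.0`. The `go-containerregistry` pseudo-version in the `@@ -35,6 +35,7 @@` hunk has the same problem. Pseudo-versions are hard to match against published advisories and release notes, so I would pin all four to tagged releases that are current at merge time and run `govulncheck ./...` on the result before merging. The indirect block in the following hunks also gains several cloud SDKs and `k8s.io/legacy-cloud-providers v0.21.0`, presumably through `go-containerregistry/pkg/authn/k8schain`. If the attestor does not need that keychain, dropping the import would reduce what the agent links.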
@@ -97,8 +107,12 @@ require ( github.com/OneOfOne/xxhash v1.2.8 // indirect github.com/PuerkitoBio/purell v1.1.1 // indirect github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect + github.com/ReneKroon/ttlcache/v2 v2.9.0 // indirect + github.com/ThalesIgnite/crypto11 v1.2.5 // indirect github.com/agnivade/levenshtein v1.1.1 // indirect github.com/armon/go-radix v1.0.0 // indirect + github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect + github.com/aws/aws-sdk-go v1.43.16 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21 // indirect @@ -108,10 +122,17 @@ require ( github.com/aws/smithy-go v1.13.4 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/bgentry/speakeasy v0.1.0 // indirect + github.com/blang/semver v3.5.1+incompatible // indirect github.com/cespare/xxhash/v2 v2.1.2 // indirect github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490 // indirect + github.com/containerd/stargz-snapshotter/estargz v0.10.1 // indirect + github.com/coreos/go-oidc/v3 v3.1.0 // indirect + github.com/cyberphone/json-canonicalization v0.0.0-20210823021906-dc406ceaf94b // indirect github.com/davecgh/go-spew v1.1.1 // indirect + github.com/dimchansky/utfbom v1.1.1 // indirect + github.com/docker/cli v20.10.17+incompatible // indirect github.com/docker/distribution v2.7.1+incompatible // indirect + github.com/docker/docker-credential-helpers v0.6.4 // indirect github.com/docker/go-connections v0.4.0 // indirect github.com/docker/go-units v0.4.0 // indirect github.com/emicklei/go-restful/v3 v3.8.0 // indirect 
@@ -122,11 +143,23 @@ require ( github.com/felixge/httpsnoop v1.0.2 // indirect github.com/fsnotify/fsnotify v1.5.4 // indirect github.com/ghodss/yaml v1.0.0 // indirect + github.com/go-chi/chi v4.1.2+incompatible // indirect github.com/go-logr/zapr v1.2.3 // indirect github.com/go-ole/go-ole v1.2.6 // indirect + github.com/go-openapi/analysis v0.20.1 // indirect + github.com/go-openapi/errors v0.20.1 // indirect github.com/go-openapi/jsonpointer v0.19.5 // indirect - github.com/go-openapi/jsonreference v0.19.5 // indirect - github.com/go-openapi/swag v0.19.14 // indirect + github.com/go-openapi/jsonreference v0.19.6 // indirect + github.com/go-openapi/loads v0.21.0 // indirect + github.com/go-openapi/runtime v0.21.0 // indirect + github.com/go-openapi/spec v0.20.4 // indirect + github.com/go-openapi/strfmt v0.21.1 // indirect + github.com/go-openapi/swag v0.19.15 // indirect + github.com/go-openapi/validate v0.20.3 // indirect + github.com/go-playground/locales v0.14.0 // indirect + github.com/go-playground/universal-translator v0.18.0 // indirect + github.com/go-playground/validator/v10 v10.9.0 // indirect + github.com/go-stack/stack v1.8.0 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt v3.2.1+incompatible // indirect 
@@ -134,47 +167,60 @@ require ( github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/snappy v0.0.4 // indirect github.com/google/gnostic v0.5.7-v3refs // indirect + github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20211203164431-c75901cce627 // indirect + github.com/google/go-github/v39 v39.2.0 // indirect + github.com/google/go-querystring v1.1.0 // indirect github.com/google/gofuzz v1.2.0 // indirect + github.com/google/trillian v1.4.0 // indirect github.com/google/uuid v1.3.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.2.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-immutable-radix v1.3.1 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect - github.com/hashicorp/go-retryablehttp v0.6.6 // indirect + github.com/hashicorp/go-retryablehttp v0.7.0 // indirect github.com/hashicorp/go-rootcerts v1.0.2 // indirect github.com/hashicorp/go-secure-stdlib/mlock v0.1.1 // indirect github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect github.com/hashicorp/go-sockaddr v1.0.2 // indirect github.com/hashicorp/go-uuid v1.0.2 // indirect - github.com/hashicorp/go-version v1.2.0 // indirect + github.com/hashicorp/go-version v1.3.0 // indirect github.com/hashicorp/golang-lru v0.5.4 // indirect - github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d // indirect + github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 // indirect github.com/huandu/xstrings v1.3.2 // indirect - github.com/jhump/protoreflect v1.9.0 // indirect + github.com/in-toto/in-toto-golang v0.4.0-prerelease // indirect + github.com/inconshreveable/mousetrap v1.0.0 // indirect + github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431 // indirect github.com/jinzhu/inflection v1.0.0 // indirect github.com/jmespath/go-jmespath 
v0.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect + github.com/klauspost/compress v1.13.6 // indirect github.com/kylelemons/godebug v1.1.0 // indirect + github.com/leodido/go-urn v1.2.1 // indirect github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect - github.com/mailru/easyjson v0.7.6 // indirect + github.com/magiconair/properties v1.8.5 // indirect + github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-colorable v0.1.12 // indirect github.com/mattn/go-isatty v0.0.14 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect - github.com/mitchellh/copystructure v1.0.0 // indirect + github.com/miekg/pkcs11 v1.1.1 // indirect + github.com/mitchellh/copystructure v1.2.0 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect - github.com/mitchellh/go-testing-interface v1.0.0 // indirect + github.com/mitchellh/go-testing-interface v1.14.1 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect - github.com/mitchellh/reflectwalk v1.0.1 // indirect + github.com/mitchellh/reflectwalk v1.0.2 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect - github.com/oklog/run v1.0.0 // indirect + github.com/oklog/run v1.1.0 // indirect + github.com/oklog/ulid v1.3.1 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect - github.com/pierrec/lz4 v2.5.2+incompatible // indirect + github.com/opentracing/opentracing-go v1.2.0 // indirect + github.com/pelletier/go-toml v1.9.4 // indirect + github.com/pierrec/lz4 v2.6.1+incompatible // indirect github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 // indirect github.com/pkg/errors v0.9.1 // indirect 
github.com/pmezard/go-difflib v1.0.0 // indirect 
@@ -185,17 +231,36 @@ require ( github.com/prometheus/procfs v0.8.0 // indirect github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect github.com/ryanuber/go-glob v1.0.0 // indirect + github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 // indirect + github.com/secure-systems-lab/go-securesystemslib v0.2.0 // indirect + github.com/segmentio/ksuid v1.0.4 // indirect + github.com/shibumi/go-pathspec v1.2.0 // indirect github.com/shopspring/decimal v1.2.0 // indirect - github.com/spf13/cast v1.3.1 // indirect + github.com/sigstore/fulcio v0.1.2-0.20211204001059-48e1a254cf10 // indirect + github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect + github.com/spf13/afero v1.6.0 // indirect + github.com/spf13/cast v1.4.1 // indirect + github.com/spf13/cobra v1.5.0 // indirect + github.com/spf13/jwalterweatherman v1.1.0 // indirect github.com/spf13/pflag v1.0.5 // indirect + github.com/spf13/viper v1.9.0 // indirect + github.com/subosito/gotenv v1.2.0 // indirect + github.com/syndtr/goleveldb v1.0.0 // indirect github.com/tchap/go-patricia/v2 v2.3.1 // indirect + github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect + github.com/thales-e-security/pool v0.0.2 // indirect + github.com/theupdateframework/go-tuf v0.0.0-20211203210025-7ded50136bf9 // indirect github.com/tklauser/go-sysconf v0.3.10 // indirect github.com/tklauser/numcpus v0.4.0 // indirect github.com/twmb/murmur3 v1.1.6 // indirect + github.com/vbatts/tar-split v0.11.2 // indirect + github.com/vdemeester/k8s-pkg-credentialprovider v1.21.0-1 // indirect + github.com/xanzy/go-gitlab v0.52.2 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/yashtewari/glob-intersection v0.1.0 // indirect github.com/yusufpapurcu/wmi v1.2.2 // indirect + go.mongodb.org/mongo-driver v1.7.5 // indirect go.opencensus.io 
v0.23.0 // indirect go.uber.org/atomic v1.10.0 // indirect go.uber.org/multierr v1.8.0 // indirect @@ -209,12 +274,16 @@ require ( gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect google.golang.org/appengine v1.6.7 // indirect gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/ini.v1 v1.66.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/apiextensions-apiserver v0.25.0 // indirect - k8s.io/component-base v0.25.0 // indirect + k8s.io/cloud-provider v0.21.0 // indirect + k8s.io/component-base v0.25.2 // indirect k8s.io/klog/v2 v2.70.1 // indirect k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect + k8s.io/legacy-cloud-providers v0.21.0 // indirect + knative.dev/pkg v0.0.0-20211203062937-d37811b71d6a // indirect sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect sigs.k8s.io/yaml v1.3.0 // indirect diff --git a/go.sum b/go.sum index 4e7a3eb6b2..de1dbe31ac 100644 --- a/go.sum +++ b/go.sum 
@@ -1,11 +1,18 @@ +bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8= +bazil.org/fuse v0.0.0-20180421153158-65cc252bf669/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8= +bitbucket.org/creachadair/shell v0.0.6/go.mod h1:8Qqi/cYk7vPnsOePHroKXDJYmb5x7ENhtiFtfZq8K+M= +bou.ke/monkey v1.0.2/go.mod h1:OqickVX3tNx6t33n1xvtTtu85YN5s6cKwVug+oHMaIA= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.39.0/go.mod h1:rVLT6fkc8chs9sfPtFc1SBH6em7n+ZoXaG+87tDISts= cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.44.3/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= +cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw= cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= 
@@ -15,14 +22,21 @@ cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOY cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= +cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY= cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= +cloud.google.com/go v0.82.0/go.mod h1:vlKccHJGuFBFufnAnuB08dfEH9Y3H7dzDzRECFdC2TA= cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY= cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM= cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY= +cloud.google.com/go v0.88.0/go.mod h1:dnKwfYbP9hQhefiUvpbcAyoGSHUrOxR20JVElLiUvEY= +cloud.google.com/go v0.89.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ= cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ= +cloud.google.com/go v0.92.2/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= +cloud.google.com/go v0.92.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= +cloud.google.com/go v0.94.0/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4= cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4= cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc= cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA= 
@@ -49,25 +63,70 @@ cloud.google.com/go/compute v1.10.0/go.mod h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOt cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= +cloud.google.com/go/firestore v1.5.0/go.mod h1:c4nNYR1qdq7eaZ+jSc5fonrQN2k3M7sWATcYTiakjEo= +cloud.google.com/go/firestore v1.6.0/go.mod h1:afJwI0vaXwAG54kI7A//lP/lSPDkQORQuMkv56TxEPU= cloud.google.com/go/iam v0.3.0 h1:exkAomrVUuzx9kWFI1wm3KI0uoDeUFPB4kKGzx6x+Gc= cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= +cloud.google.com/go/kms v0.1.0/go.mod h1:8Qp8PCAypHg4FdmlyW1QRAv09BGQ9Uzh7JnmIZxPk+c= +cloud.google.com/go/kms v1.1.0 h1:1yc4rLqCkVDS9Zvc7m+3mJ47kw0Uo5Q5+sMjcmUVUeM= +cloud.google.com/go/kms v1.1.0/go.mod h1:WdbppnCDMDpOvoYBMn1+gNmOeEoZYqAv+HeuKARGCXI= +cloud.google.com/go/monitoring v0.1.0/go.mod h1:Hpm3XfzJv+UTiXzCG5Ffp0wijzHTC7Cv4eR7o3x/fEE= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= +cloud.google.com/go/pubsub v1.16.0/go.mod h1:6A8EfoWZ/lUvCWStKGwAWauJZSiuV0Mkmu6WilK/TxQ= +cloud.google.com/go/secretmanager v0.1.0/go.mod h1:3nGKHvnzDUVit7U0S9KAKJ4aOsO1xtwRG+7ey5LK1bM= cloud.google.com/go/secretmanager v1.7.0 h1:EAPaaxMs1gtdyxK5UN8KfD5tnDBZiFoSroRfjV3EgQU= cloud.google.com/go/secretmanager v1.7.0/go.mod h1:20dYAPbj+H4+pXdBRN2z77yugQJJ30UF2kL9OWPs+L0= +cloud.google.com/go/security v1.1.0/go.mod h1:Zf3HhjGQIC3yQLUwW5cTcZ0u7sAQqYnvgx9r9KcFOJw= cloud.google.com/go/security v1.8.0 h1:linnRc3/gJYDfKbAtNixVQ52+66DpOx5MmCz0NNxal8= 
cloud.google.com/go/security v1.8.0/go.mod h1:hAQOwgmaHhztFhiQ41CjDODdWP0+AE1B3sX4OFlq+GU= +cloud.google.com/go/spanner v1.17.0/go.mod h1:+17t2ixFwRG4lWRwE+5kipDR9Ef07Jkmc8z0IbMDKUs= +cloud.google.com/go/spanner v1.18.0/go.mod h1:LvAjUXPeJRGNuGpikMULjhLj/t9cRvdc+fxRoLiugXA= +cloud.google.com/go/spanner v1.25.0/go.mod h1:kQUft3x355hzzaeFbObjsvkzZDgpDkesp3v75WBnI8w= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= +cloud.google.com/go/storage v1.16.1/go.mod h1:LaNorbty3ehnU3rEjXSNV/NRgQA0O8Y+uh6bPe5UOk4= +cloud.google.com/go/storage v1.18.2/go.mod h1:AiIj7BWXyhO5gGVmYJ+S8tbkCx3yb0IMjua8Aw4naVM= cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y= cloud.google.com/go/storage v1.27.0 h1:YOO045NZI9RKfCj1c5A/ZtuuENUc8OAW+gHdGnDgyMQ= cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s= +cloud.google.com/go/trace v0.1.0/go.mod h1:wxEwsoeRVPbeSkt7ZC9nWCgmoKQRAoySN7XHW2AmI7g= +code.gitea.io/sdk/gitea v0.11.3/go.mod h1:z3uwDV/b9Ls47NGukYM9XhnHtqPh/J+t40lsUrR6JDY= +contrib.go.opencensus.io/exporter/aws v0.0.0-20181029163544-2befc13012d0/go.mod h1:uu1P0UCM/6RbsMrgPa98ll8ZcHM858i/AD06a9aLRCA= +contrib.go.opencensus.io/exporter/aws v0.0.0-20200617204711-c478e41e60e9/go.mod h1:uu1P0UCM/6RbsMrgPa98ll8ZcHM858i/AD06a9aLRCA= +contrib.go.opencensus.io/exporter/ocagent v0.5.0/go.mod h1:ImxhfLRpxoYiSq891pBrLVhN+qmP8BTVvdH2YLs7Gl0= +contrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d/go.mod h1:IshRmMJBhDfFj5Y67nVhMYTTIze91RUeT73ipWKs/GY= +contrib.go.opencensus.io/exporter/prometheus 
v0.4.0/go.mod h1:o7cosnyfuPVK0tB8q0QmaQNhGnptITnPQB+z1+qeFB0= +contrib.go.opencensus.io/exporter/stackdriver v0.12.1/go.mod h1:iwB6wGarfphGGe/e5CWqyUk/cLzKnWsOKPVW3no6OTw= +contrib.go.opencensus.io/exporter/stackdriver v0.13.5/go.mod h1:aXENhDJ1Y4lIg4EUaVTwzvYETVNZk10Pu26tevFKLUc= +contrib.go.opencensus.io/exporter/stackdriver v0.13.8/go.mod h1:huNtlWx75MwO7qMs0KrMxPZXzNNWebav1Sq/pm02JdQ= +contrib.go.opencensus.io/exporter/zipkin v0.1.2/go.mod h1:mP5xM3rrgOjpn79MM8fZbj3gsxcuytSqtH0dxSWW1RE= +contrib.go.opencensus.io/integrations/ocsql v0.1.4/go.mod h1:8DsSdjz3F+APR+0z0WkU1aRorQCFfRxvqjUUPMbF3fE= +contrib.go.opencensus.io/integrations/ocsql v0.1.7/go.mod h1:8DsSdjz3F+APR+0z0WkU1aRorQCFfRxvqjUUPMbF3fE= +contrib.go.opencensus.io/resource v0.1.1/go.mod h1:F361eGI91LCmW1I/Saf+rX0+OFcigGlFvXwEGEnkRLA= +cuelang.org/go v0.4.0/go.mod h1:tz/edkPi+T37AZcb5GlPY+WJkL6KiDlDVupKwL3vvjs= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20201218220906-28db891af037/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20211102141018-f7be0cbad29c/go.mod h1:WpB7kf89yJUETZxQnP1kgYPNwlT2jjdDYUCoxVggM3g= +github.com/Azure/azure-amqp-common-go/v2 v2.1.0/go.mod h1:R8rea+gJRuJR6QxTir/XuEd+YuKoUiazDC/N96FiDEU= +github.com/Azure/azure-amqp-common-go/v3 v3.1.0/go.mod h1:PBIGdzcO1teYoufTKMcGibdKaYZv4avS+O6LNIp8bq0= +github.com/Azure/azure-amqp-common-go/v3 v3.1.1/go.mod h1:YsDaPfaO9Ub2XeSKdIy2DfwuiQlHQCauHJwSqtrkECI= +github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiUVpqIlpz/HKHylF4= +github.com/Azure/azure-pipeline-go v0.2.3/go.mod h1:x841ezTBIMG6O3lAcl8ATHnsOPVl2bqk7S3ta6S6u4k= +github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v29.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= 
+github.com/Azure/azure-sdk-for-go v30.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v43.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v51.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v55.8.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v57.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v59.4.0+incompatible h1:gDA8odnngdNd3KYHL2NoK1j9vpWBgEnFSjKKLpkC8Aw= +github.com/Azure/azure-sdk-for-go v59.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go/sdk/azcore v0.19.0/go.mod h1:h6H6c8enJmmocHUbLiiGY6sx7f9i+X3m1CHdd5c6Rdw= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4 h1:pqrAR74b6EoR4kcxF7L7Wg2B8Jgil9UUZtMvxhEFqWo= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U= 
@@ -84,25 +143,71 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0/go.mod h1:243D9iHbcQXoFUtgHJwL7gl2zx1aDuDMjvBZVGr2uW0= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0 h1:ECsQtyERDVz3NP3kvDOTLvbQhqWp/x9EsGKtb4ogUr8= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0/go.mod h1:s1tW/At+xHqjNFvWU4G0c0Qv33KOhvbGNj0RCTQDV8s= +github.com/Azure/azure-service-bus-go v0.9.1/go.mod h1:yzBx6/BUGfjfeqbRZny9AQIbIe3AcV9WZbAdpkoXOa0= +github.com/Azure/azure-service-bus-go v0.10.16/go.mod h1:MlkLwGGf1ewcx5jZadn0gUEty+tTg0RaElr6bPf+QhI= +github.com/Azure/azure-storage-blob-go v0.8.0/go.mod h1:lPI3aLPpuLTeUwh1sViKXFxwl2B6teiRqI0deQUvsw0= +github.com/Azure/azure-storage-blob-go v0.14.0/go.mod h1:SMqIBi+SuiQH32bvyjngEewEeXoPfKMgWlBDaYf6fck= +github.com/Azure/go-amqp v0.13.0/go.mod h1:qj+o8xPCz9tMSbQ83Vp8boHahuRDl5mkNHyt1xlxUTs= +github.com/Azure/go-amqp v0.13.11/go.mod h1:D5ZrjQqB1dyp1A+G73xeL/kNn7D5qHJIIsNNps7YNmk= +github.com/Azure/go-amqp v0.13.12/go.mod h1:D5ZrjQqB1dyp1A+G73xeL/kNn7D5qHJIIsNNps7YNmk= +github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/Azure/go-autorest v10.8.1+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest v12.0.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest 
v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= +github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= +github.com/Azure/go-autorest/autorest v0.11.3/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= +github.com/Azure/go-autorest/autorest v0.11.12/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw= +github.com/Azure/go-autorest/autorest v0.11.17/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw= github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= +github.com/Azure/go-autorest/autorest v0.11.19/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= +github.com/Azure/go-autorest/autorest v0.11.20/go.mod h1:o3tqFY+QR40VOlk+pV4d77mORO64jOXSgEnPQgLK6JY= +github.com/Azure/go-autorest/autorest v0.11.22/go.mod h1:BAWYUWGPEtKPzjVkp0Q6an0MJcJDsoh5Z1BFAEFs4Xs= github.com/Azure/go-autorest/autorest v0.11.27 h1:F3R3q42aWytozkV8ihzcgMO4OA4cuqr3bNlsEuF6//A= github.com/Azure/go-autorest/autorest v0.11.27/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U= +github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= +github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= +github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= +github.com/Azure/go-autorest/autorest/adal v0.9.11/go.mod h1:nBKAnTomx8gDtl+3ZCJv2v0KACFHWTB2drffI1B68Pk= github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= +github.com/Azure/go-autorest/autorest/adal v0.9.14/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= +github.com/Azure/go-autorest/autorest/adal v0.9.15/go.mod h1:tGMin8I49Yij6AQ+rvV+Xa/zwxYQB5hmsd6DkfAx2+A= +github.com/Azure/go-autorest/autorest/adal v0.9.17/go.mod 
h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= github.com/Azure/go-autorest/autorest/adal v0.9.20 h1:gJ3E98kMpFB1MFqQCvA1yFab8vthOeD4VlFRQULxahg= github.com/Azure/go-autorest/autorest/adal v0.9.20/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.8/go.mod h1:kxyKZTSfKh8OVFWPAgOgQ/frrJgeYQJPyR5fLFmXko4= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.9 h1:Y2CgdzitFDsdMwYMzf9LIZWrrTFysqbRc7b94XVVJ78= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.9/go.mod h1:hg3/1yw0Bq87O3KvvnJoAh34/0zbP7SFizX/qN5JvjU= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.2/go.mod h1:7qkJkT+j6b+hIpzMOwPChJhTqS8VbsqqgULzMNRugoM= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.3/go.mod h1:yAQ2b6eP/CmLPnmLvxtT1ALIY3OR1oFcCqVBi8vHiTc= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.4 h1:iuooz5cZL6VRcO7DVSFYxRcouqn6bFVE/e77Wts50Zk= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.4/go.mod h1:yAQ2b6eP/CmLPnmLvxtT1ALIY3OR1oFcCqVBi8vHiTc= +github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= +github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw= 
github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU= +github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocmRAJWqST1wQYhyyjXJ3SJc= +github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA= +github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk= +github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE= +github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8= +github.com/Azure/go-autorest/autorest/validation v0.3.1 h1:AgyqjAd94fwNAoTjl/WQXg4VvFeRFpO+UhNyRXqF1ac= +github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= +github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= +github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= +github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1 h1:BWe8a+f/t+7KY7zH2mqygeUD0t8hNFXe08p1Pb3/jKE= 
@@ -111,59 +216,160 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DataDog/datadog-go v3.2.0+incompatible h1:qSG2N4FghB1He/r2mFrWKCaL7dXCilEuNEeAn20fdD4= github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= +github.com/GoogleCloudPlatform/cloudsql-proxy v0.0.0-20191009163259-e802c2cb94ae/go.mod h1:mjwGPas4yKduTyubHvD1Atl9r1rUq8DfVy+gkVvZ+oo= +github.com/GoogleCloudPlatform/cloudsql-proxy v1.24.0/go.mod h1:3tx938GhY4FC+E1KT/jNjDw7Z5qxAEtIiERJ2sXjnII= github.com/GoogleCloudPlatform/cloudsql-proxy v1.32.0 h1:647YHw0ZJ3Uu5xlkytf1li7dqJ9mHg9zabuKdZP0vYU= github.com/GoogleCloudPlatform/cloudsql-proxy v1.32.0/go.mod h1:FjoDxLvxFAbnXFuUKkzM7rY66YaU/YHezlau786y9hs= +github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20200415212048-7901bc822317/go.mod h1:DF8FZRxMHMGv/vP2lQP6h+dYzzjpuRn24VeRiYn3qjQ= +github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0= github.com/Masterminds/goutils v1.1.0 h1:zukEsf/1JZwCMgHiK3GZftabmxiCw4apj3a28RPBiVg= github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= +github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= +github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= +github.com/Masterminds/semver/v3 v3.0.3/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= +github.com/Masterminds/semver/v3 v3.1.0/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc= github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= +github.com/Masterminds/sprig v2.15.0+incompatible/go.mod 
h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= +github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= github.com/Masterminds/sprig/v3 v3.2.0 h1:P1ekkbuU73Ui/wS0nK1HOM37hh4xdfZo485UPf8rc+Y= github.com/Masterminds/sprig/v3 v3.2.0/go.mod h1:tWhwTbUTndesPNeF0C900vKoq283u6zp4APT9vaF3SI= +github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA= +github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= +github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= +github.com/Microsoft/go-winio v0.4.16-0.20201130162521-d1ffc52c7331/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0= +github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0= +github.com/Microsoft/go-winio v0.4.17-0.20210211115548-6eac466e5fa3/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= +github.com/Microsoft/go-winio v0.4.17-0.20210324224401-5516f17a5958/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= +github.com/Microsoft/go-winio v0.4.17/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= +github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= +github.com/Microsoft/go-winio v0.5.1/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg= github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE= +github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg= +github.com/Microsoft/hcsshim v0.8.7-0.20190325164909-8abdbb8205e4/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg= +github.com/Microsoft/hcsshim v0.8.7/go.mod h1:OHd7sQqRFrYd3RmSgbgji+ctCwkbq2wbEYNSzOYtcBQ= +github.com/Microsoft/hcsshim 
v0.8.9/go.mod h1:5692vkUqntj1idxauYlpoINNKeqCiG6Sg38RRsjT5y8= +github.com/Microsoft/hcsshim v0.8.14/go.mod h1:NtVKoYxQuTLx6gEq0L96c9Ju4JbRJ4nY2ow3VK6a9Lg= +github.com/Microsoft/hcsshim v0.8.15/go.mod h1:x38A4YbHbdxJtc0sF6oIz+RG0npwSCAvn69iY6URG00= +github.com/Microsoft/hcsshim v0.8.16/go.mod h1:o5/SZqmR7x9JNKsW3pu+nqHm0MF8vbA+VxGOoXdC600= +github.com/Microsoft/hcsshim v0.8.23/go.mod h1:4zegtUJth7lAvFyc6cH2gGQ5B3OFQim01nnU2M8jKDg= +github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU= +github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= +github.com/PaesslerAG/gval v1.0.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v24IBN1I= +github.com/PaesslerAG/jsonpath v0.1.0/go.mod h1:4BzmtoM/PI8fPO4aQGIusjGxGir2BzcV0grWtFzq1Y8= +github.com/PaesslerAG/jsonpath v0.1.1/go.mod h1:lVboNxFGal/VwW6d9JzIy56bUsYAP6tH/x80vjnCseY= github.com/PuerkitoBio/goquery v1.5.1/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBKeU+7zCJoLcc= +github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod 
h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/ReneKroon/ttlcache/v2 v2.7.0/go.mod h1:mBxvsNY+BT8qLLd6CuAJubbKo6r0jh3nb5et22bbfGY= +github.com/ReneKroon/ttlcache/v2 v2.9.0 h1:NzwfErbifoNA3djEGwQJXKp/386imbyrc6Qmns5IX7c= +github.com/ReneKroon/ttlcache/v2 v2.9.0/go.mod h1:mBxvsNY+BT8qLLd6CuAJubbKo6r0jh3nb5et22bbfGY= +github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ= +github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo= +github.com/Shopify/sarama v1.30.0/go.mod h1:zujlQQx1kzHsh4jfV1USnptCQrHAEZ2Hk8fTKCulPVs= +github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI= +github.com/Shopify/toxiproxy/v2 v2.1.6-0.20210914104332-15ea381dcdae/go.mod h1:/cvHQkZ1fst0EmZnA5dFtiQdWCNCFYzb+uE2vqVgvx0= +github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY+9ef8E= +github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE= +github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/4+TcAqDqk/vUH7g= +github.com/afex/hystrix-go v0.0.0-20180502004556-fa1af6a1f4f5/go.mod h1:SkGFH1ia65gfNATL8TAiHDNxPzPdmEL5uirI2Uyuz6c= +github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM= github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8= github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo= +github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs= +github.com/alecthomas/jsonschema v0.0.0-20180308105923-f2c93856175a/go.mod 
h1:qpebaTNSsyUn5rPSJMsfqEtDw71TTggXM6stUDI16HA= +github.com/alecthomas/kingpin v2.2.6+incompatible/go.mod h1:59OFYbFVLKQKq+mqrL6Rw5bR0c3ACQaawgXx0QYndlE= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= +github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0= github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 h1:MzBOUgng9orim59UnfUTLRjMpd09C5uEVQ6RPGeCaVI= github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129/go.mod h1:rFgpPQZYZ8vdbc+48xibu8ALc3yeyd64IhHS+PU6Yyg= +github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= github.com/andybalholm/cascadia v1.1.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y= +github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= +github.com/aokoli/goutils v1.0.1/go.mod h1:SijmP0QR8LtwsmDs8Yii5Z/S4trXFGFC2oO5g9DP+DQ= +github.com/apache/beam v2.28.0+incompatible/go.mod h1:/8NX3Qi8vGstDLLaeaU7+lzVEu/ACaQhYjeefzQ0y1o= +github.com/apache/beam v2.32.0+incompatible/go.mod h1:/8NX3Qi8vGstDLLaeaU7+lzVEu/ACaQhYjeefzQ0y1o= +github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= +github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= 
+github.com/apex/log v1.1.4/go.mod h1:AlpoD9aScyQfJDVHmLMEcx4oU6LqzkWp4Mg9GdAcEvQ= +github.com/apex/logs v0.0.4/go.mod h1:XzxuLZ5myVHDy9SAmYpamKKRNApGj54PfYLcFrXqDwo= +github.com/aphistic/golf v0.0.0-20180712155816-02c07f170c5a/go.mod h1:3NqKYiepwy8kCu4PNA+aP7WUV72eXWJeP9/r3/K9aLE= +github.com/aphistic/sweet v0.2.0/go.mod h1:fWDlIh/isSE9n6EPsRmC0det+whmX6dJid3stzu0Xys= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= +github.com/armon/go-metrics v0.3.0/go.mod h1:zXjbSimjXTd7vOpY8B0/2LpvNvDoXBuplAD+gJD3GYs= +github.com/armon/go-metrics v0.3.3/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc= +github.com/armon/go-metrics v0.3.9/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc= +github.com/armon/go-metrics v0.3.10/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc= github.com/armon/go-metrics v0.4.1 h1:hR91U9KYmb6bLBYLQjyM+3j+rcd/UhE+G78SFnF8gJA= github.com/armon/go-metrics v0.4.1/go.mod h1:E6amYzXo6aW1tqzoZGT755KkbgrJsSdpwZ+3JqfkOG4= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI= github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= +github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a/go.mod 
h1:DAHtR1m6lCRdSC2Tm3DSWRPvIPr6xNKyeHdqDQSQT+A= +github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= +github.com/asaskevich/govalidator v0.0.0-20200108200545-475eaeb16496/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg= +github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg= +github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= +github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d h1:Byv0BzEl3/e6D5CLfI0j/7hiIEtvGVFPCZ7Ei2oq8iQ= +github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= +github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= +github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0= +github.com/aws/aws-sdk-go v1.15.27/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0= +github.com/aws/aws-sdk-go v1.19.18/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.19.45/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.20.6/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.23.20/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.25.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.30.27/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0= +github.com/aws/aws-sdk-go v1.34.28/go.mod 
h1:H7NKnBqNVzoTJpGfLrQkkD+ytBA93eiDYi/+8rV9s48= +github.com/aws/aws-sdk-go v1.35.24/go.mod h1:tlPOdRjfxPBpNIwqDj61rmsnA85v9jc0Ps9+muhnW+k= +github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= +github.com/aws/aws-sdk-go v1.40.7/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= +github.com/aws/aws-sdk-go v1.40.34/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= +github.com/aws/aws-sdk-go v1.42.1/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= +github.com/aws/aws-sdk-go v1.42.18/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= +github.com/aws/aws-sdk-go v1.43.16 h1:Y7wBby44f+tINqJjw5fLH3vA+gFq4uMITIKqditwM14= +github.com/aws/aws-sdk-go v1.43.16/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= +github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= +github.com/aws/aws-sdk-go-v2 v1.9.0/go.mod h1:cK/D0BBs0b/oWPIcX/Z/obahJK1TT7IPVjy53i/mX/4= github.com/aws/aws-sdk-go-v2 v1.16.13/go.mod h1:xSyvSnzh0KLs5H4HJGeIEsNYemUWdNIl0b/rP6SIsLU= github.com/aws/aws-sdk-go-v2 v1.16.15/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= github.com/aws/aws-sdk-go-v2 v1.16.16/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= github.com/aws/aws-sdk-go-v2 v1.17.0/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= github.com/aws/aws-sdk-go-v2 v1.17.1 h1:02c72fDJr87N8RAC2s3Qu0YuvMRZKNZJ9F+lAehCazk= github.com/aws/aws-sdk-go-v2 v1.17.1/go.mod h1:JLnGeGONAyi2lWXI1p0PCIOIy333JMVK1U7Hf0aRFLw= +github.com/aws/aws-sdk-go-v2/config v1.7.0/go.mod h1:w9+nMZ7soXCe5nT46Ri354SNhXDQ6v+V5wqDjnZE+GY= github.com/aws/aws-sdk-go-v2/config v1.17.4 h1:9HY1wbShqObySCHP2Z07blfrSWVX+nVxCZmUuLZKcG8= github.com/aws/aws-sdk-go-v2/config v1.17.4/go.mod h1:ul+ru+huVpfduF9XRmGUq82T8T3K+nIFQuF6F+L+548= +github.com/aws/aws-sdk-go-v2/credentials v1.4.0/go.mod h1:dgGR+Qq7Wjcd4AOAW5Rf5Tnv3+x7ed6kETXyS9WCuAY= github.com/aws/aws-sdk-go-v2/credentials v1.12.17 h1:htUjIJOQcvIUR0jC4eLkdis1DfaLL4EUbIKUFqh2WFA= 
github.com/aws/aws-sdk-go-v2/credentials v1.12.17/go.mod h1:jd1mvJulXY7ccHvcSiJceYhv06yWIIRkJnwWEA4IX+g= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.5.0/go.mod h1:CpNzHK9VEFUCknu50kkB8z58AH2B5DvPP7ea1LHve/Y= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14 h1:NZwZFtxXGOEIiCd8jWN55lexakug543CaO68bTpoLwg= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14/go.mod h1:5CU57SyF5jZLSIw4OOll0PG83ThXwNdkRFOc0EltD/0= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.20/go.mod h1:gdZ5gRUaxThXIZyZQ8MTtgYBk2jbHgp05BO3GcD9Cwc= @@ -178,6 +384,7 @@ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17/go.mod h1:pRwaTYCJemA github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.18/go.mod h1:fkQKYK/jUhCL/wNS1tOPrlYhr9vqutjCz4zZC1wBE1s= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 h1:oRHDrwCTVT8ZXi4sr9Ld+EXk7N/KGssOr2ygNeojEhw= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19/go.mod h1:6Q0546uHDp421okhmmGfbxzq2hBqbXFNpi4k+Q1JnQA= +github.com/aws/aws-sdk-go-v2/internal/ini v1.2.2/go.mod h1:BQV0agm+JEhqR+2RT5e1XTFIDcAAV0eW6z2trp+iduw= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21 h1:lpwSbLKYTuABo6SyUoC25xAmfO3/TehGS2SmD1EtOL0= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21/go.mod h1:Q0pktZjvRZk77TBto6yAvUAi7fcse1bdcMctBDVGgBw= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 h1:2f0kb+39miQPRp0b7Sqq06+TpxI0Nfcra41QxzJPME8= 
@@ -186,44 +393,81 @@ github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.0 h1:9ailn+011zwUJdS8RuamANJVAyX+ github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.0/go.mod h1:0+6fPoY0SglgzQUs2yml7X/fup12cMlVumJufh5npRQ= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 h1:m/WtVqEvgwDiUPIW2dtnF2hDE1O62MEflz9ClOlCXAs= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16/go.mod h1:w8wndcRxwILFQAzwkUKyEDz4LDHEBSR78KRdaNjUKQA= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.3.0/go.mod h1:R1KK+vY8AfalhG1AOu5e35pOD2SdoPKQCFLTvnxiohk= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.14/go.mod h1:8qOLjqMzY/S1kh3myDXA1yxK5eD4uN8aOJgKpgvc4OM= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.17/go.mod h1:4nYOrY41Lrbk2170/BGkcJKBhws9Pfn8MG3aGqjjeFI= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.18 h1:5oiCDEOHnYkk7uTVI8Wv6ftdFfb6YlUUNzkeePVIPjY= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.18/go.mod h1:QtCDHDOXunxeihz7iU15e09u9gRIeaa5WeE6FZVnGUo= +github.com/aws/aws-sdk-go-v2/service/kms v1.5.0/go.mod h1:w7JuP9Oq1IKMFQPkNe3V6s9rOssXzOVEMNEqK1L1bao= github.com/aws/aws-sdk-go-v2/service/kms v1.18.8 h1:0YzDYm5rFuwzqwhBg94OYa2TKbdd5dUsf9+uPHwoYns= github.com/aws/aws-sdk-go-v2/service/kms v1.18.8/go.mod h1:NjgXnn0pk5rLSWZIgtx0BCwoCugRXzKZ7cDNsl98W7U= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.6.0/go.mod h1:B+7C5UKdVq1ylkI/A6O8wcurFtaux0R1njePNPtKwoA= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 h1:Lh1yssM4dinNZuESsXnbi+pID8hoviejLZdLmT175i8= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0/go.mod h1:z0y2iDaghoq7uv6kndhrJCTzgVckv8Aak8kpnu2kYjs= +github.com/aws/aws-sdk-go-v2/service/ssm v1.10.0/go.mod h1:4dXS5YNqI3SNbetQ7X7vfsMlX6ZnboJA2dulBwJx7+g= +github.com/aws/aws-sdk-go-v2/service/sso v1.4.0/go.mod h1:+1fpWnL96DL23aXPpMGbsmKe8jLTEfbjuQoA4WS1VaA= github.com/aws/aws-sdk-go-v2/service/sso v1.11.20 h1:3raP0UC9rvRyY4/cc4o4F3jTrNo94AYiarNUGNnq6dU= 
github.com/aws/aws-sdk-go-v2/service/sso v1.11.20/go.mod h1:hPsROgDdgY/NQ1gPt7VJWG0GjSnalDC0DkkMfGEw2gc= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.2 h1:/SYpdjjAtraymql+/r719OgjxezdanAQiLb/NMxDb04= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.2/go.mod h1:5cxfDYtY2mDOlmesy4yycb6lwyy1U/iAUOHKhQLKw/E= +github.com/aws/aws-sdk-go-v2/service/sts v1.7.0/go.mod h1:0qcSMCyASQPN2sk/1KQLQ2Fh6yq8wm0HSDAimPhzCoM= github.com/aws/aws-sdk-go-v2/service/sts v1.16.16/go.mod h1:Y9iBgT1w2vHtYzJEkwD6FqILjDSsvbxcW/+wIYxyse4= github.com/aws/aws-sdk-go-v2/service/sts v1.17.0 h1:9S0HcZUxKcU3HdN+M6GgLIvdbg9as5aOoHrvwRsPNYU= github.com/aws/aws-sdk-go-v2/service/sts v1.17.0/go.mod h1:9pZN58zQc5a4Dkdnhu/rI1lNBui1vP5B0giGCuUt2b0= +github.com/aws/smithy-go v1.8.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E= github.com/aws/smithy-go v1.13.1/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/aws/smithy-go v1.13.4 h1:/RN2z1txIJWeXeOkzX+Hk/4Uuvv7dWtCjbmVJcrskyk= github.com/aws/smithy-go v1.13.4/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I= +github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A= github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= +github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 
h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/speakeasy v0.1.0 h1:ByYyxL9InA1OWqxJqqp2A5pYHUrCiAL6K3J+LKSsQkY= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA= +github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA= github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84= github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM= +github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI= +github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= +github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= +github.com/blendle/zapdriver v1.3.1/go.mod h1:mdXfREi6u5MArG4j9fewC+FGnXaBR+T4Ox4J2u4eHCc= +github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4= +github.com/bmizerany/perks v0.0.0-20141205001514-d9a9656a3a4b/go.mod h1:ac9efd0D1fsDb3EJvhqgXRbFx7bs2wqZ10HQPeU8U/Q= +github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA= +github.com/bshuster-repo/logrus-logstash-hook v0.4.1/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= +github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s= +github.com/bugsnag/bugsnag-go 
v0.0.0-20141110184014-b1d153021fcd/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8= +github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50= +github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE= +github.com/bytecodealliance/wasmtime-go v0.31.0/go.mod h1:q320gUxqyI8yB+ZqRuaJOEnGkAnHh6WtJjMaT2CW4wI= github.com/bytecodealliance/wasmtime-go v1.0.0 h1:9u9gqaUiaJeN5IoD1L7egD8atOnTGyJcNp8BhkL9cUU= +github.com/c2h5oh/datasize v0.0.0-20171227191756-4eba002a5eae/go.mod h1:S/7n9copUssQ56c7aAgHqftWO4LTf4xY6CGWt8Bc+3M= +github.com/caarlos0/ctrlc v1.0.0/go.mod h1:CdXpj4rmq0q/1Eb44M9zi2nKB0QraNKuRGYGrrHhcQw= github.com/cactus/go-statsd-client/statsd v0.0.0-20200423205355-cb0885a1018c/go.mod h1:l/bIBLeOl9eX+wxJAzxS4TveKRtAqlyDpHjhkfO0MEI= +github.com/campoy/unique v0.0.0-20180121183637-88950e537e7e/go.mod h1:9IOqJGCPMSc6E5ydlp5NIonxObaeu/Iub/X03EKPVYo= +github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ= +github.com/cavaliercoder/badio v0.0.0-20160213150051-ce5280129e9e/go.mod h1:V284PjgVwSk4ETmz84rpu9ehpGg7swlIH8npP9k2bGw= +github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e/go.mod h1:oDpT4efm8tSYHXV5tHSdRvBet/b/QzxZ+XyyPehvm3A= +github.com/cavaliercoder/go-rpm v0.0.0-20200122174316-8cb9fd9c31a8/go.mod h1:AZIh1CCnMrcVm6afFf96PBvE2MRpWFco91z8ObJtgDY= +github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= +github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M= github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= +github.com/cenkalti/backoff/v4 v4.1.1/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw= +github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod 
h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= 
@@ -231,11 +475,19 @@ github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghf github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE= github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw= +github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/cilium/ebpf v0.0.0-20200110133405-4032b1d8aae3/go.mod h1:MA5e5Lr8slmEg9bt0VpxxWqJlO4iwu3FBdHUzV7wQVg= +github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775/go.mod h1:7cR51M8ViRLIdUjrmSXlK9pkrsDlLHbO8jiB8X8JnOc= +github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs= +github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= +github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag= github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I= +github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod 
h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= 
@@ -249,55 +501,222 @@ github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWH github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490 h1:KwaoQzs/WeUxxJqiJsZ4euOly1Az/IgZXXSxlD/UBNk= github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ= +github.com/cockroachdb/apd/v2 v2.0.1/go.mod h1:DDxRlzC2lo3/vSlmSoS7JkqbbrARPuFOGr0B9pvN3Gw= +github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo= github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA= github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI= +github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI= +github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE= +github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4= +github.com/containerd/aufs v0.0.0-20200908144142-dab0cbea06f4/go.mod h1:nukgQABAEopAHvB6j7cnP5zJ+/3aVcE7hCYqvIwAHyE= +github.com/containerd/aufs v0.0.0-20201003224125-76a6863f2989/go.mod h1:AkGGQs9NM2vtYHaUen+NljV0/baGCAPELGm2q9ZXpWU= +github.com/containerd/aufs v0.0.0-20210316121734-20793ff83c97/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU= +github.com/containerd/aufs v1.0.0/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU= +github.com/containerd/btrfs v0.0.0-20201111183144-404b9149801e/go.mod h1:jg2QkJcsabfHugurUvvPhS3E08Oxiuh5W/g1ybB4e0E= +github.com/containerd/btrfs v0.0.0-20210316141732-918d888fb676/go.mod 
h1:zMcX3qkXTAi9GI50+0HOeuV8LU2ryCE/V2vG/ZBiTss= +github.com/containerd/btrfs v1.0.0/go.mod h1:zMcX3qkXTAi9GI50+0HOeuV8LU2ryCE/V2vG/ZBiTss= +github.com/containerd/cgroups v0.0.0-20190717030353-c4b9ac5c7601/go.mod h1:X9rLEHIqSf/wfK8NsPqxJmeZgW4pcfzdXITDrUSJ6uI= +github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f/go.mod h1:OApqhQ4XNSNC13gXIwDjhOQxjWa/NxkwZXJ1EvqT0ko= +github.com/containerd/cgroups v0.0.0-20200531161412-0dbf7f05ba59/go.mod h1:pA0z1pT8KYB3TCXK/ocprsh7MAkoW8bZVzPdih9snmM= +github.com/containerd/cgroups v0.0.0-20200710171044-318312a37340/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo= +github.com/containerd/cgroups v0.0.0-20200824123100-0b889c03f102/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo= +github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68/go.mod h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE= +github.com/containerd/cgroups v1.0.1/go.mod h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU= +github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= +github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= +github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE= +github.com/containerd/console v1.0.1/go.mod h1:XUsP6YE/mKtz6bxc+I8UiKKTP04qjQL4qcS3XoQ5xkw= +github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ= +github.com/containerd/containerd v1.2.10/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.3.1-0.20191213020239-082f7e3aed57/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd 
v1.3.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.3.4/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.4.0-beta.2.0.20200729163537-40b22ef07410/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.4.1/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.4.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.4.9/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.5.0-beta.1/go.mod h1:5HfvG1V2FsKesEGQ17k5/T7V960Tmcumvqn8Mc+pCYQ= +github.com/containerd/containerd v1.5.0-beta.3/go.mod h1:/wr9AVtEM7x9c+n0+stptlo/uBBoBORwEx6ardVcmKU= +github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09ZvgqEq8EfBp/m3lcVZIvPHhI= +github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s= +github.com/containerd/containerd v1.5.2/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g= +github.com/containerd/containerd v1.5.8/go.mod h1:YdFSv5bTFLpG2HIYmfqDpSYYTDX+mc5qtSuYx1YUb/s= +github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= +github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= +github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= +github.com/containerd/continuity v0.0.0-20200709052629-daa8e1ccc0bc/go.mod h1:cECdGN1O8G9bgKTlLhuPJimka6Xb/Gg7vYzCTNVxhvo= +github.com/containerd/continuity v0.0.0-20200710164510-efbc4488d8fe/go.mod h1:cECdGN1O8G9bgKTlLhuPJimka6Xb/Gg7vYzCTNVxhvo= +github.com/containerd/continuity v0.0.0-20201208142359-180525291bb7/go.mod h1:kR3BEg7bDFaEddKm54WSmrol1fKWDU1nKYkgrcgZT7Y= +github.com/containerd/continuity 
v0.0.0-20210208174643-50096c924a4e/go.mod h1:EXlVlkqNba9rJe3j7w3Xa924itAMLgZH4UD/Q4PExuQ= +github.com/containerd/continuity v0.1.0/go.mod h1:ICJu0PwR54nI0yPEnJ6jcS+J7CZAUXrLh8lPo2knzsM= +github.com/containerd/fifo v0.0.0-20180307165137-3d5202aec260/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI= +github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI= +github.com/containerd/fifo v0.0.0-20200410184934-f15a3290365b/go.mod h1:jPQ2IAeZRCYxpS/Cm1495vGFww6ecHmMk1YJH2Q5ln0= +github.com/containerd/fifo v0.0.0-20201026212402-0724c46b320c/go.mod h1:jPQ2IAeZRCYxpS/Cm1495vGFww6ecHmMk1YJH2Q5ln0= +github.com/containerd/fifo v0.0.0-20210316144830-115abcc95a1d/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4= +github.com/containerd/fifo v1.0.0/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4= +github.com/containerd/go-cni v1.0.1/go.mod h1:+vUpYxKvAF72G9i1WoDOiPGRtQpqsNW/ZHtSlv++smU= +github.com/containerd/go-cni v1.0.2/go.mod h1:nrNABBHzu0ZwCug9Ije8hL2xBCYh/pjfMb1aZGrrohk= +github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0= +github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0= +github.com/containerd/go-runc v0.0.0-20200220073739-7016d3ce2328/go.mod h1:PpyHrqVs8FTi9vpyHwPwiNEGaACDxT/N/pLcvMSRA9g= +github.com/containerd/go-runc v0.0.0-20201020171139-16b287bc67d0/go.mod h1:cNU0ZbCgCQVZK4lgG3P+9tn9/PaJNmoDXPpoJhDR+Ok= +github.com/containerd/go-runc v1.0.0/go.mod h1:cNU0ZbCgCQVZK4lgG3P+9tn9/PaJNmoDXPpoJhDR+Ok= +github.com/containerd/imgcrypt v1.0.1/go.mod h1:mdd8cEPW7TPgNG4FpuP3sGBiQ7Yi/zak9TYCG3juvb0= +github.com/containerd/imgcrypt v1.0.4-0.20210301171431-0ae5c75f59ba/go.mod h1:6TNsg0ctmizkrOgXRNQjAPFWpMYRWuiB6dSF4Pfa5SA= +github.com/containerd/imgcrypt v1.1.1-0.20210312161619-7ed62a527887/go.mod h1:5AZJNI6sLHJljKuI9IHnw1pWqo/F0nGDOuR9zgTs7ow= 
+github.com/containerd/imgcrypt v1.1.1/go.mod h1:xpLnwiQmEUJPvQoAapeb2SNCxz7Xr6PJrXQb0Dpc4ms= +github.com/containerd/nri v0.0.0-20201007170849-eb1350a75164/go.mod h1:+2wGSDGFYfE5+So4M5syatU0N0f0LbWpuqyMi4/BE8c= +github.com/containerd/nri v0.0.0-20210316161719-dbaa18c31c14/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY= +github.com/containerd/nri v0.1.0/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY= +github.com/containerd/stargz-snapshotter/estargz v0.4.1/go.mod h1:x7Q9dg9QYb4+ELgxmo4gBUeJB0tl5dqH1Sdz0nJU1QM= +github.com/containerd/stargz-snapshotter/estargz v0.6.4/go.mod h1:83VWDqHnurTKliEB0YvWMiCfLDwv4Cjj1X9Vk98GJZw= +github.com/containerd/stargz-snapshotter/estargz v0.7.0/go.mod h1:83VWDqHnurTKliEB0YvWMiCfLDwv4Cjj1X9Vk98GJZw= +github.com/containerd/stargz-snapshotter/estargz v0.10.1 h1:hd1EoVjI2Ax8Cr64tdYqnJ4i4pZU49FkEf5kU8KxQng= +github.com/containerd/stargz-snapshotter/estargz v0.10.1/go.mod h1:aE5PCyhFMwR8sbrErO5eM2GcvkyXTTJremG883D4qF0= +github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o= +github.com/containerd/ttrpc v0.0.0-20190828172938-92c8520ef9f8/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o= +github.com/containerd/ttrpc v0.0.0-20191028202541-4f1b8fe65a5c/go.mod h1:LPm1u0xBw8r8NOKoOdNMeVHSawSsltak+Ihv+etqsE8= +github.com/containerd/ttrpc v1.0.1/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y= +github.com/containerd/ttrpc v1.0.2/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y= +github.com/containerd/ttrpc v1.1.0/go.mod h1:XX4ZTnoOId4HklF4edwc4DcqskFZuvXB1Evzy5KFQpQ= +github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc= +github.com/containerd/typeurl v0.0.0-20190911142611-5eb25027c9fd/go.mod h1:GeKYzf2pQcqv7tJ0AoCuuhtnqhva5LNU3U+OyKxxJpk= +github.com/containerd/typeurl v1.0.1/go.mod h1:TB1hUtrpaiO88KEK56ijojHS1+NeF0izUACaJW2mdXg= +github.com/containerd/typeurl v1.0.2/go.mod 
h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s= +github.com/containerd/zfs v0.0.0-20200918131355-0a33824f23a2/go.mod h1:8IgZOBdv8fAgXddBT4dBXJPtxyRsejFIpXoklgxgEjw= +github.com/containerd/zfs v0.0.0-20210301145711-11e8f1707f62/go.mod h1:A9zfAbMlQwE+/is6hi0Xw8ktpL+6glmqZYtevJgaB8Y= +github.com/containerd/zfs v0.0.0-20210315114300-dde8f0fda960/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNRIRHsFY= +github.com/containerd/zfs v0.0.0-20210324211415-d5c4544f0433/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNRIRHsFY= +github.com/containerd/zfs v1.0.0/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNRIRHsFY= +github.com/containernetworking/cni v0.7.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= +github.com/containernetworking/cni v0.8.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= +github.com/containernetworking/cni v0.8.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= +github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHVlzhJpcY6TQxn/fUyDDM= +github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8= +github.com/containers/ocicrypt v1.0.1/go.mod h1:MeJDzk1RJHv89LjsH0Sp5KTY3ZYkjXO/C+bKAeWFIrc= +github.com/containers/ocicrypt v1.1.0/go.mod h1:b8AOe0YR67uU8OqfVNcznfFpAzu3rdgUV4GP9qXPfu4= +github.com/containers/ocicrypt v1.1.1/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= +github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= +github.com/coreos/go-iptables v0.5.0/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= github.com/coreos/go-oidc 
v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= +github.com/coreos/go-oidc/v3 v3.0.0/go.mod h1:rEJ/idjfUyfkBit1eI1fvyr+64/g9dcKpAm8MJMesvo= +github.com/coreos/go-oidc/v3 v3.1.0 h1:6avEvcdvTa1qYsOZ6I5PRkSYHzpTNWgKYmaJfaYbrRw= +github.com/coreos/go-oidc/v3 v3.1.0/go.mod h1:rEJ/idjfUyfkBit1eI1fvyr+64/g9dcKpAm8MJMesvo= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20161114122254-48702e0da86b/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= +github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod 
h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/cyberphone/json-canonicalization v0.0.0-20210303052042-6bc126869bf4/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= +github.com/cyberphone/json-canonicalization v0.0.0-20210823021906-dc406ceaf94b h1:lMzA7yYThpwx7iYNpTeiQnRH6h5JSfSYMJdz+pxZOW8= +github.com/cyberphone/json-canonicalization v0.0.0-20210823021906-dc406ceaf94b/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= +github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= +github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c/go.mod h1:Ct2BUK8SB0YC1SMSibvLzxjeJLnrYEVLULFNiHY9YfQ= +github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW34z5W5s= +github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5/go.mod h1:Eo87+Kg/IX2hfWJfwxMzLyuSZyxSoAug2nGa1G2QAi8= +github.com/d2g/hardwareaddr v0.0.0-20190221164911-e7d9fbe030e4/go.mod h1:bMl4RjIciD2oAxI7DmWRx6gbeqrkoLqv3MV0vzNad+I= +github.com/danieljoos/wincred v1.0.2/go.mod h1:SnuYRW9lp1oJrZX/dXJqr0cPK5gYXqx3EJbmjhLdK9U= +github.com/danieljoos/wincred v1.1.0/go.mod h1:XYlo+eRTsVA9aHGp7NGjFkPla4m+DCL7hqDjlFjiygg= +github.com/danieljoos/wincred v1.1.1/go.mod h1:gSBQmTx6G0VmLowygiA7ZD0p0E09HJ68vta8z/RT2d0= +github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
github.com/denisenkom/go-mssqldb v0.0.0-20191124224453-732737034ffd/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= +github.com/denisenkom/go-mssqldb v0.9.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= github.com/denisenkom/go-mssqldb v0.12.2 h1:1OcPn5GBIobjWNd+8yjfHNIaFX14B1pWI3F9HZy5KXw= github.com/denisenkom/go-mssqldb v0.12.2/go.mod h1:lnIw1mZukFRZDJYQ0Pb833QS2IaC3l5HkEfra2LJ+sk= +github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0= +github.com/devigned/tab v0.1.1/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY= github.com/dgraph-io/badger/v3 v3.2103.2 h1:dpyM5eCJAtQCBcMCZcT4UBZchuTJgCywerHHgmxfxM8= +github.com/dgraph-io/badger/v3 v3.2103.2/go.mod h1:RHo4/GmYcKKh5Lxu63wLEMHJ70Pac2JqZRYGhlyAo2M= github.com/dgraph-io/ristretto v0.1.0 h1:Jv3CGQHp9OjuMBSne1485aDpUkTKEcUqF+jm/LuerPI= +github.com/dgraph-io/ristretto v0.1.0/go.mod h1:fux0lOrBhrVCJd3lcTHsIJhq1T2rokOu6v9Vcb3Q9ug= +github.com/dgrijalva/jwt-go v0.0.0-20170104182250-a601269ab70c/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= +github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= +github.com/dgryski/go-gk v0.0.0-20140819190930-201884a44051/go.mod h1:qm+vckxRlDt0aOla0RYJJVeqHZlWfOm2UIxHaqPB46E= +github.com/dgryski/go-lttb v0.0.0-20180810165845-318fcdf10a77/go.mod h1:Va5MyIzkU0rAM92tn3hb3Anb7oz7KcnixF49+2wOMe4= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod 
h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= +github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= +github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U= +github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= +github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= +github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v20.10.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v20.10.11+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v20.10.17+incompatible h1:eO2KS7ZFeov5UJeaDmIs1NFEDRf32PaqRpvoEkKBy5M= +github.com/docker/cli v20.10.17+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TTO4EOBfRPhZXAeF1Vu+W3hHZ8eLp8PgKVZlcvtFY= +github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug= github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v1.4.2-0.20200319182547-c7ad2b866182/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v20.10.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v20.10.11+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= 
github.com/docker/docker v20.10.20+incompatible h1:kH9tx6XO+359d+iAkumyKDc5Q1kOwPuAUaeri48nD6E= github.com/docker/docker v20.10.20+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= +github.com/docker/docker-credential-helpers v0.6.4 h1:axCks+yV+2MR3/kZhAmy07yC56WZ2Pwu/fKWtKuZB0o= +github.com/docker/docker-credential-helpers v0.6.4/go.mod h1:ofX3UI0Gz1TteYBjtgs07O36Pyasyp66D2uKT7H8W1c= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= +github.com/docker/go-events v0.0.0-20170721190031-9461782956ad/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA= +github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA= +github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI= +github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw= +github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw= github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE= +github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= +github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo= github.com/dustin/go-humanize 
v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/dvyukov/go-fuzz v0.0.0-20210914135545-4980593459a1/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw= +github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= +github.com/eapache/go-resiliency v1.2.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= +github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= +github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= +github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful/v3 v3.8.0 h1:eCZ8ulSerjdAiaNpF7GxXIE7ZCMo1moN1qX+S609eVw= github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/proto v1.6.15/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A= +github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o= +github.com/envoyproxy/go-control-plane v0.6.9/go.mod h1:SBwIajubJHhxtWwsL9s8ss4safvEdbitLhGGK48rN6g= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= 
@@ -306,51 +725,90 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.m github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= +github.com/envoyproxy/go-control-plane v0.10.1/go.mod h1:AY7fTTXNdv/aJ2O5jwpxAPOWUZ7hQAEvzN5Pf27BkQQ= github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1 h1:xvqufLtNVwAhN8NMyWklVgxnWohi+wtMGQMhtxexlm0= github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/envoyproxy/protoc-gen-validate v0.3.0-java/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.6.2 h1:JiO+kJTpmYGjEodY7O1Zk8oZcNz1+f30UtwtXoFUPzE= github.com/envoyproxy/protoc-gen-validate v0.6.2/go.mod h1:2t7qjJNvHPx8IjnBOzl9E9/baC+qXE/TeeyBRzgJDws= github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 h1:Yzb9+7DPaBjB8zlTR87/ElzFsnQfuHnVUVqpZZIcV5Y= github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0= +github.com/etcd-io/gofail v0.0.0-20190801230047-ad7f989257ca/go.mod h1:49H/RkXP8pKaZy4h0d+NW16rSLhyVBt4o6VLJbmOqDE= github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ= +github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= github.com/evanphx/json-patch v4.12.0+incompatible/go.mod 
h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch/v5 v5.5.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo= +github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/felixge/httpsnoop v1.0.2 h1:+nS9g82KMXccJ/wp0zyRW9ZBHFETmMGtkk+2CTTrW4o= github.com/felixge/httpsnoop v1.0.2/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/flynn/go-docopt v0.0.0-20140912013429-f6dd2ebbb31e/go.mod h1:HyVoz1Mz5Co8TFO8EupIdlcpwShBmY98dkT2xeHkvEI= +github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= +github.com/form3tech-oss/jwt-go v3.2.5+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= +github.com/fortytw2/leaktest v1.2.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= +github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= github.com/foxcpp/go-mockdns v0.0.0-20210729171921-fb145fc6f897 
h1:E52jfcE64UG42SwLmrW0QByONfGynWuzBvm86BoB9z8= +github.com/foxcpp/go-mockdns v0.0.0-20210729171921-fb145fc6f897/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4= +github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4= +github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20= +github.com/frankban/quicktest v1.10.0/go.mod h1:ui7WezCLWMWxVWr1GETZY3smRy0G4KWq9vcPtJmFl7Y= +github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= github.com/frankban/quicktest v1.13.0 h1:yNZif1OkDfNoDfb9zZa9aXIpejNR4F23Wely0c+Qdqk= +github.com/frankban/quicktest v1.13.0/go.mod h1:qLE0fzW0VuyUAJgPU19zByoIr0HtCHN/r/VLSOOIySU= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU= github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI= github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= +github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA= +github.com/fullstorydev/grpcurl v1.8.0/go.mod h1:Mn2jWbdMrQGJQ8UD62uNyMumT2acsZUCkZIqFxsQf1o= +github.com/fullstorydev/grpcurl v1.8.1/go.mod h1:3BWhvHZwNO7iLXaQlojdg5NA6SxUDePli4ecpK1N7gw= +github.com/fullstorydev/grpcurl v1.8.2/go.mod h1:YvWNT3xRp2KIRuvCphFodG0fKkMXwaxA9CJgKCcyzUQ= +github.com/garyburd/redigo v0.0.0-20150301180006-535138d7bcd7/go.mod h1:NR3MbYisc3/PwhQ00EMzDiPmrwpPxAn5GI05/YaO1SY= github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg= github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ= +github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod 
h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI= +github.com/gin-gonic/gin v1.5.0/go.mod h1:Nd6IXA8m5kNZdNEHMBd93KT+mdY3+bewLgRvmCsR2Do= +github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M= +github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0= +github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= +github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= +github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= +github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec= +github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-ini/ini v1.25.4/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-kit/kit v0.10.0/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o= github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0= +github.com/go-ldap/ldap/v3 v3.1.3/go.mod 
h1:3rbOH3jRS2u6jg2rJnKAMLE/xQyCKIveG2Sa/Cohzb8= +github.com/go-ldap/ldap/v3 v3.1.10/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= 
@@ -360,34 +818,193 @@ github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4= github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY= github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= +github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI= +github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik= +github.com/go-openapi/analysis v0.18.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik= +github.com/go-openapi/analysis v0.19.2/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk= +github.com/go-openapi/analysis v0.19.4/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk= +github.com/go-openapi/analysis v0.19.5/go.mod h1:hkEAkxagaIvIP7VTn8ygJNkd4kAYON2rCu0v0ObL0AU= +github.com/go-openapi/analysis v0.19.10/go.mod h1:qmhS3VNFxBlquFJ0RGoDtylO9y4pgTAUNE9AEEMdlJQ= +github.com/go-openapi/analysis v0.19.16/go.mod h1:GLInF007N83Ad3m8a/CbQ5TPzdnGT7workfHwuVjNVk= +github.com/go-openapi/analysis v0.20.0/go.mod h1:BMchjvaHDykmRMsK40iPtvyOfFdMMxlOmQr9FBZk+Og= +github.com/go-openapi/analysis v0.20.1 h1:zdVbw8yoD4SWZeq+cWdGgquaB0W4VrsJvDJHJND/Ktc= +github.com/go-openapi/analysis v0.20.1/go.mod h1:BMchjvaHDykmRMsK40iPtvyOfFdMMxlOmQr9FBZk+Og= +github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0= +github.com/go-openapi/errors v0.18.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0= +github.com/go-openapi/errors v0.19.2/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94= +github.com/go-openapi/errors v0.19.3/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94= +github.com/go-openapi/errors v0.19.6/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= +github.com/go-openapi/errors v0.19.7/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= 
+github.com/go-openapi/errors v0.19.8/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= +github.com/go-openapi/errors v0.19.9/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= +github.com/go-openapi/errors v0.20.1 h1:j23mMDtRxMwIobkpId7sWh7Ddcx4ivaoqUbfXx5P+a8= +github.com/go-openapi/errors v0.20.1/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= +github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= +github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= +github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= +github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= +github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= +github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= +github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= -github.com/go-openapi/jsonreference v0.19.5 h1:1WJP/wi4OjB4iV8KVbH73rQaoialJrqv8gitZLxGLtM= github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= +github.com/go-openapi/jsonreference v0.19.6 h1:UBIxjkht+AWIgYzCDSv2GN+E/togfwXUJFRTWhl2Jjs= +github.com/go-openapi/jsonreference v0.19.6/go.mod h1:diGHMEHg2IqXZGKxqyvWdfWU/aim5Dprw5bqpKkTvns= 
+github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= +github.com/go-openapi/loads v0.18.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= +github.com/go-openapi/loads v0.19.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= +github.com/go-openapi/loads v0.19.2/go.mod h1:QAskZPMX5V0C2gvfkGZzJlINuP7Hx/4+ix5jWFxsNPs= +github.com/go-openapi/loads v0.19.3/go.mod h1:YVfqhUCdahYwR3f3iiwQLhicVRvLlU/WO5WPaZvcvSI= +github.com/go-openapi/loads v0.19.5/go.mod h1:dswLCAdonkRufe/gSUC3gN8nTSaB9uaS2es0x5/IbjY= +github.com/go-openapi/loads v0.19.6/go.mod h1:brCsvE6j8mnbmGBh103PT/QLHfbyDxA4hsKvYBNEGVc= +github.com/go-openapi/loads v0.19.7/go.mod h1:brCsvE6j8mnbmGBh103PT/QLHfbyDxA4hsKvYBNEGVc= +github.com/go-openapi/loads v0.20.0/go.mod h1:2LhKquiE513rN5xC6Aan6lYOSddlL8Mp20AW9kpviM4= +github.com/go-openapi/loads v0.20.2/go.mod h1:hTVUotJ+UonAMMZsvakEgmWKgtulweO9vYP2bQYKA/o= +github.com/go-openapi/loads v0.21.0 h1:jYtUO4wwP7psAweisP/MDoOpdzsYEESdoPcsWjHDR68= +github.com/go-openapi/loads v0.21.0/go.mod h1:rHYve9nZrQ4CJhyeIIFJINGCg1tQpx2yJrrNo8sf1ws= +github.com/go-openapi/runtime v0.0.0-20180920151709-4f900dc2ade9/go.mod h1:6v9a6LTXWQCdL8k1AO3cvqx5OtZY/Y9wKTgaoP6YRfA= +github.com/go-openapi/runtime v0.19.0/go.mod h1:OwNfisksmmaZse4+gpV3Ne9AyMOlP1lt4sK4FXt0O64= +github.com/go-openapi/runtime v0.19.4/go.mod h1:X277bwSUBxVlCYR3r7xgZZGKVvBd/29gLDlFGtJ8NL4= +github.com/go-openapi/runtime v0.19.15/go.mod h1:dhGWCTKRXlAfGnQG0ONViOZpjfg0m2gUt9nTQPQZuoo= +github.com/go-openapi/runtime v0.19.16/go.mod h1:5P9104EJgYcizotuXhEuUrzVc+j1RiSjahULvYmlv98= +github.com/go-openapi/runtime v0.19.24/go.mod h1:Lm9YGCeecBnUUkFTxPC4s1+lwrkJ0pthx8YvyjCfkgk= +github.com/go-openapi/runtime v0.21.0 h1:giZ8eT26R+/rx6RX2MkYjZPY8vPYVKDhP/mOazrQHzM= +github.com/go-openapi/runtime v0.21.0/go.mod h1:aQg+kaIQEn+A2CRSY1TxbM8+sT9g2V3aLc1FbIAnbbs= +github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= 
+github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI= +github.com/go-openapi/spec v0.18.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI= +github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY= +github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= +github.com/go-openapi/spec v0.19.5/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk= +github.com/go-openapi/spec v0.19.6/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk= +github.com/go-openapi/spec v0.19.8/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk= +github.com/go-openapi/spec v0.19.15/go.mod h1:+81FIL1JwC5P3/Iuuozq3pPE9dXdIEGxFutcFKaVbmU= +github.com/go-openapi/spec v0.20.0/go.mod h1:+81FIL1JwC5P3/Iuuozq3pPE9dXdIEGxFutcFKaVbmU= +github.com/go-openapi/spec v0.20.1/go.mod h1:93x7oh+d+FQsmsieroS4cmR3u0p/ywH649a3qwC9OsQ= +github.com/go-openapi/spec v0.20.3/go.mod h1:gG4F8wdEDN+YPBMVnzE85Rbhf+Th2DTvA9nFPQ5AYEg= +github.com/go-openapi/spec v0.20.4 h1:O8hJrt0UMnhHcluhIdUgCLRWyM2x7QkBXRvOs7m+O1M= +github.com/go-openapi/spec v0.20.4/go.mod h1:faYFR1CvsJZ0mNsmsphTMSoRrNV3TEDoAM7FOEWeq8I= +github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU= +github.com/go-openapi/strfmt v0.18.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU= +github.com/go-openapi/strfmt v0.19.0/go.mod h1:+uW+93UVvGGq2qGaZxdDeJqSAqBqBdl+ZPMF/cC8nDY= +github.com/go-openapi/strfmt v0.19.2/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU= +github.com/go-openapi/strfmt v0.19.3/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU= +github.com/go-openapi/strfmt v0.19.4/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk= +github.com/go-openapi/strfmt v0.19.5/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk= +github.com/go-openapi/strfmt v0.19.11/go.mod h1:UukAYgTaQfqJuAFlNxxMWNvMYiwiXtLsF2VwmoFtbtc= +github.com/go-openapi/strfmt v0.20.0/go.mod 
h1:UukAYgTaQfqJuAFlNxxMWNvMYiwiXtLsF2VwmoFtbtc= +github.com/go-openapi/strfmt v0.20.2/go.mod h1:43urheQI9dNtE5lTZQfuFJvjYJKPrxicATpEfZwHUNk= +github.com/go-openapi/strfmt v0.21.0/go.mod h1:ZRQ409bWMj+SOgXofQAGTIo2Ebu72Gs+WaRADcS5iNg= +github.com/go-openapi/strfmt v0.21.1 h1:G6s2t5V5kGCHLVbSdZ/6lI8Wm4OzoPFkc3/cjAsKQrM= +github.com/go-openapi/strfmt v0.21.1/go.mod h1:I/XVKeLc5+MM5oPNN7P6urMOpuLXEcNrCX/rPGuWb0k= +github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= +github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= +github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= +github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= +github.com/go-openapi/swag v0.19.7/go.mod h1:ao+8BpOPyKdpQz3AOJfbeEVpLmWAvlT1IfTe5McPyhY= +github.com/go-openapi/swag v0.19.9/go.mod h1:ao+8BpOPyKdpQz3AOJfbeEVpLmWAvlT1IfTe5McPyhY= +github.com/go-openapi/swag v0.19.12/go.mod h1:eFdyEBkTdoAf/9RXBvj4cr1nH7GD8Kzo5HTt47gr72M= +github.com/go-openapi/swag v0.19.13/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-openapi/swag v0.19.15 h1:D2NRCBzS9/pEY3gP9Nl8aDqGUcPFrwG2p+CNFrLyrCM= +github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4= +github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA= +github.com/go-openapi/validate v0.19.3/go.mod h1:90Vh6jjkTn+OT1Eefm0ZixWNFjhtOH7vS9k0lo6zwJo= +github.com/go-openapi/validate v0.19.10/go.mod h1:RKEZTUWDkxKQxN2jDT7ZnZi2bhZlbNMAuKvKB+IaGx8= 
+github.com/go-openapi/validate v0.19.12/go.mod h1:Rzou8hA/CBw8donlS6WNEUQupNvUZ0waH08tGe6kAQ4= +github.com/go-openapi/validate v0.19.15/go.mod h1:tbn/fdOwYHgrhPBzidZfJC2MIVvs9GA7monOmWBbeCI= +github.com/go-openapi/validate v0.20.1/go.mod h1:b60iJT+xNNLfaQJUqLI7946tYiFEOuE9E4k54HpKcJ0= +github.com/go-openapi/validate v0.20.3 h1:GZPPhhKSZrE8HjB4eEkoYAZmoWA4+tCemSgINH1/vKw= +github.com/go-openapi/validate v0.20.3/go.mod h1:goDdqVGiigM3jChcrYJxD2joalke3ZXeftD16byIjA4= +github.com/go-piv/piv-go v1.9.0/go.mod h1:NZ2zmjVkfFaL/CF8cVQ/pXdXtuj110zEKGdJM6fJZZM= +github.com/go-playground/assert/v2 v2.0.1 h1:MsBgLAaY856+nPRTKrp3/OZK38U/wa0CcBYNjji3q3A= +github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4= +github.com/go-playground/locales v0.12.1/go.mod h1:IUMDtCfWo/w/mtMfIE/IG2K+Ey3ygWanZIBtBW0W2TM= +github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8= +github.com/go-playground/locales v0.14.0 h1:u50s323jtVGugKlcYeyzC0etD1HifMjqmJqb8WugfUU= +github.com/go-playground/locales v0.14.0/go.mod h1:sawfccIbzZTqEDETgFXqTho0QybSa7l++s0DH+LDiLs= +github.com/go-playground/universal-translator v0.16.0/go.mod h1:1AnU7NaIRDWWzGEKwgtJRd2xk99HeFyHw3yid4rvQIY= +github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA= +github.com/go-playground/universal-translator v0.18.0 h1:82dyy6p4OuJq4/CByFNOn/jYrnRPArHwAcmLoJZxyho= +github.com/go-playground/universal-translator v0.18.0/go.mod h1:UvRDBj+xPUEGrFYl+lu/H90nyDXpg0fqeB/AQUGNTVA= +github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI= +github.com/go-playground/validator/v10 v10.9.0 h1:NgTtmN58D0m8+UuxtYmGztBJB7VnPgjj221I1QHci2A= +github.com/go-playground/validator/v10 v10.9.0/go.mod h1:74x4gJWsvQexRdW8Pn3dXSGrTK4nAUsbPlLADvpJkos= +github.com/go-redis/redis v6.15.9+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= +github.com/go-rod/rod 
v0.101.8/go.mod h1:N/zlT53CfSpq74nb6rOR0K8UF0SPUPBmzBnArrms+mY= +github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= +github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE= github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= +github.com/go-stack/stack v1.8.0 h1:5SgMzNM5HxrEjV0ww2lTmX6E2Izsfxas4+YHWRs3Lsk= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= +github.com/go-test/deep v1.0.2-0.20181118220953-042da051cf31/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8= +github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM= +github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= +github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0= +github.com/gobuffalo/depgen v0.0.0-20190329151759-d478694a28d3/go.mod h1:3STtPUQYuzV0gBVOY3vy6CfMm/ljR4pABfrTeHNLHUY= +github.com/gobuffalo/depgen v0.1.0/go.mod h1:+ifsuy7fhi15RWncXQQKjWS9JPkdah5sZvtHc2RXGlg= +github.com/gobuffalo/envy v1.6.15/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI= +github.com/gobuffalo/envy v1.7.0/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI= +github.com/gobuffalo/flect v0.1.0/go.mod h1:d2ehjJqGOH/Kjqcoz+F7jHTBbmDb38yXA598Hb50EGs= +github.com/gobuffalo/flect v0.1.1/go.mod 
h1:8JCgGVbRjJhVgD6399mQr4fx5rRfGKVzFjbj6RE/9UI= +github.com/gobuffalo/flect v0.1.3/go.mod h1:8JCgGVbRjJhVgD6399mQr4fx5rRfGKVzFjbj6RE/9UI= +github.com/gobuffalo/flect v0.2.4/go.mod h1:1ZyCLIbg0YD7sDkzvFdPoOydPtD8y9JQnrOROolUcM8= +github.com/gobuffalo/genny v0.0.0-20190329151137-27723ad26ef9/go.mod h1:rWs4Z12d1Zbf19rlsn0nurr75KqhYp52EAGGxTbBhNk= +github.com/gobuffalo/genny v0.0.0-20190403191548-3ca520ef0d9e/go.mod h1:80lIj3kVJWwOrXWWMRzzdhW3DsrdjILVil/SFKBzF28= +github.com/gobuffalo/genny v0.1.0/go.mod h1:XidbUqzak3lHdS//TPu2OgiFB+51Ur5f7CSnXZ/JDvo= +github.com/gobuffalo/genny v0.1.1/go.mod h1:5TExbEyY48pfunL4QSXxlDOmdsD44RRq4mVZ0Ex28Xk= +github.com/gobuffalo/gitgen v0.0.0-20190315122116-cc086187d211/go.mod h1:vEHJk/E9DmhejeLeNt7UVvlSGv3ziL+djtTr3yyzcOw= +github.com/gobuffalo/gogen v0.0.0-20190315121717-8f38393713f5/go.mod h1:V9QVDIxsgKNZs6L2IYiGR8datgMhB577vzTDqypH360= +github.com/gobuffalo/gogen v0.1.0/go.mod h1:8NTelM5qd8RZ15VjQTFkAW6qOMx5wBbW4dSCS3BY8gg= +github.com/gobuffalo/gogen v0.1.1/go.mod h1:y8iBtmHmGc4qa3urIyo1shvOD8JftTtfcKi+71xfDNE= +github.com/gobuffalo/logger v0.0.0-20190315122211-86e12af44bc2/go.mod h1:QdxcLw541hSGtBnhUc4gaNIXRjiDppFGaDqzbrBd3v8= +github.com/gobuffalo/mapi v1.0.1/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc= +github.com/gobuffalo/mapi v1.0.2/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc= +github.com/gobuffalo/packd v0.0.0-20190315124812-a385830c7fc0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4= +github.com/gobuffalo/packd v0.1.0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4= +github.com/gobuffalo/packr/v2 v2.0.9/go.mod h1:emmyGweYTm6Kdper+iywB6YK5YzuKchGtJQZ0Odn4pQ= +github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/VCm/3ptBN+0= +github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod 
h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= +github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee/go.mod h1:L0fX3K22YWvt/FAX9NnzrNzcI4wNYi9Yku4O0LKYflo= +github.com/gobwas/pool v0.2.0/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw= +github.com/gobwas/ws v1.0.2/go.mod h1:szmBTxLgaFppYjEmNtny/v3w89xOydFnnZMcgRRu/EM= +github.com/godbus/dbus v0.0.0-20151105175453-c7fdd8b5cd55/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw= +github.com/godbus/dbus v0.0.0-20180201030542-885f9cc04c9c/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw= +github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4= +github.com/godbus/dbus v4.1.0+incompatible/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw= +github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= github.com/gofrs/uuid v4.3.0+incompatible h1:CaSVZxm5B+7o45rtab4jC2G37WGYX1zQfuU2i6DSvnc= github.com/gofrs/uuid v4.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= +github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s= +github.com/gogo/googleapis v1.2.0/go.mod h1:Njal3psf3qN6dwBtQfUmBZh2ybovJ0tlu3o/AC7HYjU= +github.com/gogo/googleapis v1.4.0/go.mod h1:5YRNX2z1oM5gXdAkurHa942MDgEJyk02w4OecKY87+c= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= 
github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c= github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= +github.com/golang-jwt/jwt/v4 v4.1.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU= github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= 
@@ -395,7 +1012,10 @@ github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2V github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A= github.com/golang-sql/sqlexp v0.1.0/go.mod h1:J4ad9Vo8ZCWQ2GMrC4UCQy1JpCbwU9m3EOqtpKwwwHI= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/glog v0.0.0-20210429001901-424d2337a529/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ= +github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= +github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -430,14 +1050,31 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/golang/snappy v0.0.2/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/gonum/blas v0.0.0-20181208220705-f22b278b28ac/go.mod h1:P32wAyui1PQ58Oce/KYkOqQv8cVw1zAapXOl+dRFGbc= +github.com/gonum/diff v0.0.0-20181124234638-500114f11e71/go.mod h1:22dM4PLscQl+Nzf64qNBurVJvfyvZELT0iRW2l/NN70= +github.com/gonum/floats v0.0.0-20181209220543-c233463c7e82/go.mod h1:PxC8OnwL11+aosOB5+iEPoV3picfs8tUpkVd0pDo+Kg= +github.com/gonum/integrate v0.0.0-20181209220457-a422b5c0fdf2/go.mod h1:pDgmNM6seYpwvPos3q+zxlXMsbve6mOIPucUnUOrI7Y= +github.com/gonum/internal v0.0.0-20181124074243-f884aa714029/go.mod h1:Pu4dmpkhSyOzRwuXkOgAvijx4o+4YMUJJo9OvPYMkks= +github.com/gonum/lapack v0.0.0-20181123203213-e4cdc5a0bff9/go.mod h1:XA3DeT6rxh2EAE789SSiSJNqxPaC0aE9J8NTOI0Jo/A= +github.com/gonum/mathext v0.0.0-20181121095525-8a4bf007ea55/go.mod h1:fmo8aiSEWkJeiGXUJf+sPvuDgEFgqIoZSs843ePKrGg= +github.com/gonum/matrix v0.0.0-20181209220409-c518dec07be9/go.mod h1:0EXg4mc1CNP0HCqCz+K4ts155PXIlUywf0wqN+GfPZw= +github.com/gonum/stat v0.0.0-20181125101827-41a0da705a5b/go.mod h1:Z4GIJBJO3Wa4gD4vbwQxXXZ+WHmW6E9ixmNrwvs0iZs= github.com/google/btree 
v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= +github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg= +github.com/google/certificate-transparency-go v1.1.2-0.20210422104406-9f33727a7a18/go.mod h1:6CKh9dscIRoqc2kC6YUFICHZMT9NrClyPrRVFrdw1QQ= +github.com/google/certificate-transparency-go v1.1.2-0.20210512142713-bed466244fa6/go.mod h1:aF2dp7Dh81mY8Y/zpzyXps4fQW5zQbDu2CxfpJB6NkI= github.com/google/certificate-transparency-go v1.1.2 h1:4hE0GEId6NAW28dFpC+LrRGwQX5dtmXQGDbg8+/MZOM= +github.com/google/certificate-transparency-go v1.1.2/go.mod h1:3OL+HKDqHPUfdKrHVQxO6T8nDLO0HF7LRTlkIWXaWvQ= github.com/google/flatbuffers v1.12.1 h1:MVlul7pQNoDzWRLTw5imwYsl+usrS1TXG2H4jg6ImGw= +github.com/google/flatbuffers v1.12.1/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= github.com/google/go-attestation v0.4.4-0.20220404204839-8820d49b18d9 h1:uspQ6yStR6DVxLT7UomcSc/cKEOtM3z6MOslXeXH1Gg= 
@@ -457,6 +1094,25 @@ github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-containerregistry v0.5.1/go.mod h1:Ct15B4yir3PLOP5jsy0GNeYVaIZs/MK/Jz5any1wFW0= +github.com/google/go-containerregistry v0.5.2-0.20210609162550-f0ce2270b3b4/go.mod h1:R5WRYyTdQqTchlBhX4q+WICGh8HQIL5wDFoFZv7Jq6Q= +github.com/google/go-containerregistry v0.6.0/go.mod h1:euCCtNbZ6tKqi1E72vwDj2xZcN5ttKpZLfa/wSo5iLw= +github.com/google/go-containerregistry v0.7.1-0.20211118220127-abdc633f8305 h1:4upgCb+N0/tewaAT+rPGk8zuKCG1hOoICHvFMxy1CMQ= +github.com/google/go-containerregistry v0.7.1-0.20211118220127-abdc633f8305/go.mod h1:6cMIl1RfryEiPzBE67OgtZdEiLWz4myqCQIiBMy3CsM= +github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20211203164431-c75901cce627 h1:vflk3WrGf1M0n1mG2AqAoVaKlLYFR6PrzTGQAUcklCM= +github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20211203164431-c75901cce627/go.mod h1:j3IqhBG3Ox1NXmmhbWU4UmiHVAf2dUgB7le1Ch7JZQ0= +github.com/google/go-github/v27 v27.0.6/go.mod h1:/0Gr8pJ55COkmv+S/yPKCczSkUPIM/LnFyubufRNIS0= +github.com/google/go-github/v28 v28.1.1/go.mod h1:bsqJWQX05omyWVmc00nEUql9mhQyv38lDZ8kPZcQVoM= +github.com/google/go-github/v39 v39.2.0 h1:rNNM311XtPOz5rDdsJXAp2o8F67X9FnROXTvto3aSnQ= +github.com/google/go-github/v39 v39.2.0/go.mod h1:C1s8C5aCC9L+JXIYpJM5GYytdX52vC1bLvHEF1IhBrE= +github.com/google/go-licenses v0.0.0-20210329231322-ce1d9163b77d/go.mod h1:+TYOmkVoJOpwnS0wfdsJCV9CoD5nJYsHoFk/0CrTK4M= +github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= +github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= +github.com/google/go-querystring v1.1.0/go.mod 
h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU= +github.com/google/go-replayers/grpcreplay v0.1.0/go.mod h1:8Ig2Idjpr6gifRd6pNVggX6TC1Zw6Jx74AKp7QNH2QE= +github.com/google/go-replayers/grpcreplay v1.1.0/go.mod h1:qzAvJ8/wi57zq7gWqaE6AwLM6miiXUQwP1S+I9icmhk= +github.com/google/go-replayers/httpreplay v0.1.0/go.mod h1:YKZViNhiGgqdBlUbI2MwGpq4pXxNmhJLPHQ7cv2b5no= +github.com/google/go-replayers/httpreplay v1.0.0/go.mod h1:LJhKoTwS5Wy5Ld/peq8dFFG5OfJyHEz7ft+DsTUv25M= github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2YgV/PHITkO7p6wxEEj/v5nlsVWIwumwH2NI= github.com/google/go-tpm v0.3.0/go.mod h1:iVLWvrPp/bHeEkxTFi9WG6K9w0iy2yIszHwZGHPbzAw= github.com/google/go-tpm v0.3.3 h1:P/ZFNBZYXRxc+z7i5uyd8VP7MaDteuLZInzrH2idRGo= 
@@ -470,8 +1126,11 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/ github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no= +github.com/google/licenseclassifier v0.0.0-20210325184830-bb04aff29e72/go.mod h1:qsqn2hxC+vURpyBRygGUuinTO42MFRLcsmQ/P8v94+M= +github.com/google/mako v0.0.0-20190821191249-122f8dcef9e3/go.mod h1:YzLcVlL+NqWnmUEPuhS1LxDDwGO9WNbVlEXaF4IH35g= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/martian v2.1.1-0.20190517191504-25dcb96d9e51+incompatible h1:xmapqc1AyLoB+ddYT6r04bD9lIjlOqGaREovi0SzFaE= +github.com/google/martian v2.1.1-0.20190517191504-25dcb96d9e51+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.2.1 h1:d8MncMlErDFTwQGBK1xhv026j9kqhvw1Qv9IbWT1VLQ= 
@@ -485,20 +1144,36 @@ github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210506205249-923b5ab0fc1a/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210715191844-86eeefc3e471/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/rpmpack v0.0.0-20191226140753-aa36bfddb3a0/go.mod h1:RaTPr0KUf2K7fnZYLNDrr8rxAamWs3iNywJLtQ2AzBg= +github.com/google/rpmpack v0.0.0-20210518075352-dc539ef4f2ea/go.mod h1:+y9lKiqDhR4zkLl+V9h4q0rdyrYVsWWm6LLCQP33DIk= +github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk= +github.com/google/trillian v1.3.14-0.20210409160123-c5ea3abd4a41/go.mod h1:1dPv0CUjNQVFEDuAUFhZql16pw/VlPgaX8qj+g5pVzQ= +github.com/google/trillian v1.3.14-0.20210511103300-67b5f349eefa/go.mod 
h1:s4jO3Ai4NSvxucdvqUHON0bCqJyoya32eNw6XJwsmNc= +github.com/google/trillian v1.4.0 h1:Wa7XHCVzl8RLsUOr2SzoHUZHYjv0G8KMO1xZGamYkbA= +github.com/google/trillian v1.4.0/go.mod h1:1Bja2nEgMDlEJWWRXBUemSPG9qYw84ZYX2gHRVHlR+g= +github.com/google/uuid v0.0.0-20161128191214-064e2069ce9c/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/wire v0.3.0/go.mod h1:i1DMg/Lu8Sz5yYl25iOdmc5CT5qusaa+zmRWs16741s= +github.com/google/wire v0.5.0/go.mod h1:ngWDr9Qvq3yZA10YrxfyGELY/AFWGVpy9c1LTRi1EoU= github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= github.com/googleapis/enterprise-certificate-proxy v0.2.0 h1:y8Yozv7SZtlU//QXbezB6QkpuE6jMD2/gfzk4AftXjs= github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg= +github.com/googleapis/gax-go v2.0.2+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= 
@@ -509,26 +1184,51 @@ github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK github.com/googleapis/gax-go/v2 v2.5.1/go.mod h1:h6B0KMMFNtI2ddbGJn3T3ZbwkeT6yqEF02fYlzkUCyo= github.com/googleapis/gax-go/v2 v2.6.0 h1:SXk3ABtQYDT/OH8jAyvEOQ58mgawq5C4o/4/89qN2ZU= github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMdcIDwU/6+DDoY= +github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU= github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA= github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= +github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gordonklaus/ineffassign v0.0.0-20200309095847-7953dde2c7bf/go.mod h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU= +github.com/goreleaser/goreleaser v0.134.0/go.mod h1:ZT6Y2rSYa6NxQzIsdfWWNWAlYGXGbreo66NmE+3X3WQ= +github.com/goreleaser/nfpm v1.2.1/go.mod h1:TtWrABZozuLOttX2uDlYyECfQX7x5XYkVxhjYcR6G9w= +github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= +github.com/gorilla/handlers v0.0.0-20150720190736-60c7bfde3e33/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ= github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4= github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q= +github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/mux v1.7.4/go.mod 
h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= +github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= +github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM= +github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-middleware v1.2.2/go.mod h1:EaizFBKfUKtMIF5iaDEhniwNedqGo9FuLFzppDr3uwI= github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.8.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/grpc-ecosystem/grpc-gateway v1.9.2/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/grpc-ecosystem/grpc-gateway v1.14.6/go.mod h1:zdiPV4Yse/1gnckTHtghG4GkDEdKCRJduHpTxT3/jcw= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod 
h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/hanwen/go-fuse v1.0.0/go.mod h1:unqXarDXqzAk0rt98O2tVndEPIpUgLD9+rwFisZH3Ok= github.com/hanwen/go-fuse/v2 v2.1.0/go.mod h1:oRyA5eK+pvJyv5otpO/DgccS8y/RvYMaO00GgRLGryc= github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= +github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE= +github.com/hashicorp/consul/api v1.10.1/go.mod h1:XjsvQN+RJGWI2TWy1/kqaE16HrR2J/FWgkYjdZQsX9M= github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= +github.com/hashicorp/consul/sdk v0.3.0/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= +github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms= +github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -536,34 +1236,55 @@ github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtng github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= +github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd/go.mod h1:9bjs9uLqI8l75knNv3lV1kA55veR+WUPSiKIWcQHudI= github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= +github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v0.15.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= +github.com/hashicorp/go-hclog v0.16.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= +github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= +github.com/hashicorp/go-hclog v1.0.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v1.3.1 h1:vDwF1DFNZhntP4DAjuTpOw3uEgMUpXh1pB5fW9DqHpo= github.com/hashicorp/go-hclog v1.3.1/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-immutable-radix v1.1.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g= github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= +github.com/hashicorp/go-multierror 
v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I= github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= +github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/hashicorp/go-plugin v1.0.1/go.mod h1:++UyYGoz3o5w9ZzAdZxtQKrWWP+iqPBn3cQptSMzBuY= github.com/hashicorp/go-plugin v1.4.0/go.mod h1:5fGEH17QVwTTcR0zV7yhDPLLmFX9YSZ38b18Udy6vYQ= +github.com/hashicorp/go-plugin v1.4.3/go.mod h1:5fGEH17QVwTTcR0zV7yhDPLLmFX9YSZ38b18Udy6vYQ= github.com/hashicorp/go-plugin v1.4.5 h1:oTE/oQR4eghggRg8VY7PAz3dr++VwDNBGCcOfIvHpBo= github.com/hashicorp/go-plugin v1.4.5/go.mod h1:viDMjcLJuDui6pXb8U4HVfb8AamCWhHGUjr2IrTF67s= github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= -github.com/hashicorp/go-retryablehttp v0.6.6 h1:HJunrbHTDDbBb/ay4kxa1n+dLmttUlnP3V9oNE4hmsM= +github.com/hashicorp/go-retryablehttp v0.6.2/go.mod h1:gEx6HMUGxYYhJScX7W1Il64m6cc2C1mDaW3NQ9sY1FY= +github.com/hashicorp/go-retryablehttp v0.6.4/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= +github.com/hashicorp/go-retryablehttp v0.6.8/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= +github.com/hashicorp/go-retryablehttp v0.7.0 h1:eu1EI/mbirUgP5C8hVsTNaGZreBDlYiwC1FZWkvQPQ4= +github.com/hashicorp/go-retryablehttp v0.7.0/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= +github.com/hashicorp/go-rootcerts v1.0.1/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= github.com/hashicorp/go-rootcerts v1.0.2 
h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= +github.com/hashicorp/go-secure-stdlib/base62 v0.1.1/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw= github.com/hashicorp/go-secure-stdlib/mlock v0.1.1 h1:cCRo8gK7oq6A2L6LICkUZ+/a5rLiRXFMf1Qd4xSwxTc= github.com/hashicorp/go-secure-stdlib/mlock v0.1.1/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.2/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 h1:om4Al8Oy7kCm/B86rLCLah4Dt5Aa0Fr5rYBG60OzwHQ= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= +github.com/hashicorp/go-secure-stdlib/password v0.1.1/go.mod h1:9hH302QllNwu1o2TGYtSk8I8kTAN0ca1EHpwhm5Mmzo= github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U= github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= +github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.1/go.mod h1:l8slYwnJA26yBz+ErHpp2IRCLr0vuOMGBORIz4rRiAs= github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc= github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= 
@@ -572,11 +1293,14 @@ github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/b github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE= github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= -github.com/hashicorp/go-version v1.2.0 h1:3vNe/fWF5CBgRIguda1meWhsZHy3m8gCJ5wx+dIzX/E= +github.com/hashicorp/go-version v1.1.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go-version v1.3.0 h1:McDWVJIU/y+u1BRV06dPaLfLCaT7fUTJLp5r04x7iNw= +github.com/hashicorp/go-version v1.3.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= 
@@ -584,29 +1308,55 @@ github.com/hashicorp/hcl v1.0.1-0.20190430135223-99e2f22d1c94 h1:LaH4JWe6Q7ICdxL github.com/hashicorp/hcl v1.0.1-0.20190430135223-99e2f22d1c94/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= +github.com/hashicorp/mdns v1.0.1/go.mod h1:4gW7WsVCke5TE7EPeYliwHlRUyBtfCwuFwuMg2DmyNY= github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= +github.com/hashicorp/memberlist v0.2.2/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= +github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk= +github.com/hashicorp/vault/api v1.0.5-0.20200519221902-385fac77e20f/go.mod h1:euTFbi2YJgwcju3imEt919lhJKF68nN1cQPq3aA+kBE= +github.com/hashicorp/vault/api v1.1.1/go.mod h1:29UXcn/1cLOPHQNMWA7bCz2By4PSd0VKPAydKXS5yN0= +github.com/hashicorp/vault/api v1.3.0/go.mod h1:EabNQLI0VWbWoGlA+oBLC8PXmR9D60aUVgQGvangFWQ= github.com/hashicorp/vault/api v1.8.1 h1:bMieWIe6dAlqAAPReZO/8zYtXaWUg/21umwqGZpEjCI= github.com/hashicorp/vault/api v1.8.1/go.mod h1:uJrw6D3y9Rv7hhmS17JQC50jbPDAZdjZoTtrCCxxs7E= +github.com/hashicorp/vault/sdk v0.1.14-0.20200519221530-14615acda45f/go.mod h1:WX57W2PwkrOPQ6rVQk+dy5/htHIaB4aBM70EwKThu10= +github.com/hashicorp/vault/sdk v0.2.1/go.mod h1:WfUiO1vYzfBkz1TmoE4ZGU7HD0T0Cl/rZwaxjBkgN4U= +github.com/hashicorp/vault/sdk v0.3.0/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0= github.com/hashicorp/vault/sdk v0.6.0 h1:6Z+In5DXHiUfZvIZdMx7e2loL1PPyDjA4bVh9ZTIAhs= github.com/hashicorp/vault/sdk v0.6.0/go.mod h1:+DRpzoXIdMvKc88R4qxr+edwy/RvH5QK8itmxLiDHLc= github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= -github.com/hashicorp/yamux 
v0.0.0-20181012175058-2f1d1f20f75d h1:kJCB4vdITiW1eC1vq2e6IsrXKrZit1bv/TDYFGMp4BQ= -github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= +github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 h1:xixZ2bWeofWV68J+x6AzmKuVM/JWCQwkWm6GW/MUR6I= +github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ= +github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/huandu/xstrings v1.0.0/go.mod h1:4qWG/gcEcfX4z/mBDHJ++3ReCw9ibxbsNJbcucJdbSo= +github.com/huandu/xstrings v1.2.0/go.mod h1:DvyZB1rfVYsBIigL8HwpZgxHwXozlTgGqn63UyNX5k4= github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw= github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= +github.com/hudl/fargo v1.3.0/go.mod h1:y3CKSmjA+wD2gak7sUSXTAoopbhU08POFhmITJgmKTg= github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.4/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.9/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/imdario/mergo v0.3.11/go.mod 
h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= +github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= github.com/imkira/go-observer v1.0.3 h1:l45TYAEeAB4L2xF6PR2gRLn2NE5tYhudh33MLmC7B80= github.com/imkira/go-observer v1.0.3/go.mod h1:zLzElv2cGTHufQG17IEILJMPDg32TD85fFgKyFv00wU= +github.com/in-toto/in-toto-golang v0.2.1-0.20210627200632-886210ae2ab9/go.mod h1:Skbg04kmfB7IAnEIsspKPg/ny1eiFt/TgPr9SDCHusA= +github.com/in-toto/in-toto-golang v0.3.3/go.mod h1:dbXecHGZSqRubmm5TXtvDSZT5JyaKD7ebVTiC2aMLWY= +github.com/in-toto/in-toto-golang v0.4.0-prerelease h1:70ri0AeRoMUD/bHbetiHURPuOVa2C2L1bu8T6wY5HB4= +github.com/in-toto/in-toto-golang v0.4.0-prerelease/go.mod h1:GviRIbq8Azwe0KsyGanAlpafHZ+qVbekc9SuI3yVp4E= +github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo= +github.com/influxdata/tdigest v0.0.0-20180711151920-a7d76c6f093a/go.mod h1:9GkyshztGufsdPQWjH+ifgnIr3xNUL5syI70g2dzU1o= +github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA= github.com/jackc/chunkreader v1.0.0/go.mod h1:RT6O25fNZIuasFJRyZ4R/Y2BbhasbmZXF9QQ7T3kePo= github.com/jackc/chunkreader/v2 v2.0.0/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk= github.com/jackc/chunkreader/v2 v2.0.1/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk= 
@@ -645,8 +1395,20 @@ github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0f github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= github.com/jackc/puddle v1.2.1/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= +github.com/jarcoal/httpmock v1.0.5/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT8nX0Txik= +github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= +github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs= +github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM= +github.com/jcmturner/gofork v1.0.0/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/UM3ncEo0o= +github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg= +github.com/jcmturner/gokrb5/v8 v8.4.2/go.mod h1:sb+Xq/fTY5yktf/VxLsE3wlfPqQjp0aWNYyvBVK62bc= +github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= +github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431 h1:zqyV5j9xEuPQw2ma4RzzS9O74UwTq3vcMmpoHyL6xlI= +github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431/go.mod h1:3VIJLjlf5Iako82IX/5KOoCzDmogK5mO+bl+DRItnR8= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jhump/protoreflect v1.6.0/go.mod h1:eaTn3RZAmMBcV0fifFvlm6VHNz3wSkYyXYWUh7ymB74= +github.com/jhump/protoreflect v1.6.1/go.mod h1:RZQ/lnuN+zqeRVpQigTwO6o0AJUkxbnSnpuG7toUTG4= +github.com/jhump/protoreflect v1.8.2/go.mod h1:7GcYQDdMU/O/BBrl/cX6PNHpXh6cenjd8pneu5yW7Tg= github.com/jhump/protoreflect v1.9.0 h1:npqHz788dryJiR/l6K/RUQAyh2SwV91+d1dnh4RjO9w= github.com/jhump/protoreflect v1.9.0/go.mod h1:7GcYQDdMU/O/BBrl/cX6PNHpXh6cenjd8pneu5yW7Tg= github.com/jinzhu/gorm v1.9.16 
h1:+IyIjPEABKRpsu/F8OvDPy9fyQlgsg2luMV2ZIH5i5o= 
@@ -655,16 +1417,25 @@ github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc= github.com/jinzhu/now v1.0.1 h1:HjfetcXq097iXP0uoPCdnM4Efp5/9MsM0/M+XOTeR3M= github.com/jinzhu/now v1.0.1/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8= +github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/jmespath/go-jmespath v0.0.0-20160803190731-bd40a432e4c7/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= +github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8= +github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= 
github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= 
@@ -673,22 +1444,38 @@ github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHm github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= +github.com/juju/ratelimit v1.0.1/go.mod h1:qapgC/Gy+xNh9UxzV13HGGl/6UXNN+ct+vwSgWNm/qk= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= +github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4= +github.com/karrick/godirwalk v1.10.3/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA= +github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg= +github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.9.5/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= +github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= +github.com/klauspost/compress v1.11.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= +github.com/klauspost/compress v1.11.13/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= +github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= +github.com/klauspost/compress v1.13.0/go.mod 
h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= +github.com/klauspost/compress v1.13.5/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= github.com/klauspost/compress v1.13.6 h1:P76CopJELS0TiO2mebmnzgWaajssP/EszplttgQxcgc= +github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0= +github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 
@@ -696,69 +1483,132 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/leodido/go-urn v1.1.0/go.mod h1:+cyI34gQWZcE1eQU7NVgKkkzdXDQHr1dBMtdAPozLkw= +github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII= +github.com/leodido/go-urn v1.2.1 h1:BqpAaACuzVSgi/VLzGZIobT2z4v53pjosyNd9Yv6n/w= +github.com/leodido/go-urn v1.2.1/go.mod h1:zt4jvISO2HfUBqxjfIshjdMTYS56ZS/qv49ictyFfxY= +github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJiIbETBPTl9ATXQag= github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= +github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw= github.com/lib/pq v1.10.7/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM= +github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4= github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4= github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= 
github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w= +github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/magiconair/properties v1.8.5 h1:b6kJs+EmPFMYGkow9GiUyCyOvIwYetYJ3fSaWak/Gls= github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= +github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA= +github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= +github.com/mailru/easyjson v0.7.1/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/manifoldco/promptui v0.9.0/go.mod h1:ka04sppxSGFAtxX0qhlYQjISsg9mR4GWtQEhdbn6Pgg= +github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE= +github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= 
+github.com/marstr/guid v1.1.0/go.mod h1:74gB1z2wpxxInTG6yaqA7KrtM0NZ+RbrcqDvYHefzho= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ= +github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= +github.com/mattn/go-colorable v0.1.11/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40= github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= +github.com/mattn/go-ieproxy v0.0.0-20190610004146-91bb50d98149/go.mod h1:31jz6HNzdxOmlERGGEc4v/dMssOfmp2p5bT/okiKFFc= +github.com/mattn/go-ieproxy v0.0.1/go.mod h1:pYabZ6IHcRpFh7vIaLfK7rdcWgFEb3SFJ6/gNWuh88E= github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ= github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= +github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= github.com/mattn/go-isatty v0.0.14 
h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y= github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= +github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-runewidth v0.0.7/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= +github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= +github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= +github.com/mattn/go-shellwords v1.0.3/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o= +github.com/mattn/go-shellwords v1.0.10/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= github.com/mattn/go-sqlite3 v1.14.0/go.mod h1:JIl7NbARA7phWnGvh0LKTyg7S9BA+6gx71ShQilpsus= github.com/mattn/go-sqlite3 v1.14.15 h1:vfoHhTN1af61xCRSWzFIWzx2YskyMTwHLrExkBOjvxI= github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= +github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= +github.com/mediocregopher/radix/v4 v4.0.0/go.mod h1:ajchozX/6ELmydxWeWM6xCFHVpZ4+67LXHOTOVR0nCE= +github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= +github.com/miekg/dns v1.1.17/go.mod h1:WgzbA6oji13JREwiNsRDNfl7jYdPnmz+VEuLrA+/48M= +github.com/miekg/dns v1.1.25/go.mod 
h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= +github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg= +github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4= +github.com/miekg/pkcs11 v1.0.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= +github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= +github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= +github.com/miekg/pkcs11 v1.1.1 h1:Ugu9pdy6vAYku5DEpVWVFPYnzV+bxB+iRdbuFSu7TvU= +github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= +github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= +github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXxx3xhI= github.com/mitchellh/cli v1.1.4 h1:qj8czE26AU4PbiaPXK5uVmMSM+V5BYsFBiM9HhGRLUA= github.com/mitchellh/cli v1.1.4/go.mod h1:vTLESy5mRhKOs9KDp0/RATawxP1UqBmdrpVRMnpcvKQ= -github.com/mitchellh/copystructure v1.0.0 h1:Laisrj+bAB6b/yJwB5Bt3ITZhGJdqmxquMKeZ+mmkFQ= github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= +github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= +github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod 
h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= -github.com/mitchellh/go-testing-interface v1.0.0 h1:fzU/JVNcaqHQEcVFAKeR41fkiLdIPrefOvVG1VZ96U0= github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU= +github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8= github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/mapstructure v1.3.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.4.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.4.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A= github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= -github.com/mitchellh/reflectwalk v1.0.1 
h1:FVzMWA5RllMAKIdUSC8mdWo3XtwoecrH79BY70sEEpE= github.com/mitchellh/reflectwalk v1.0.1/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= +github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= +github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A= +github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A= +github.com/moby/sys/symlink v0.1.0/go.mod h1:GGDODQmbFOjFsXvfLVn3+ZRxkch54RkSiGqsZeMYowQ= +github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo= +github.com/moby/term v0.0.0-20201216013528-df9cb8a40635/go.mod h1:FBS0z0QWA44HXygs7VXDUOGoN/1TV3RuWkLO04am3wc= github.com/moby/term v0.0.0-20210610120745-9d4ed1856297/go.mod h1:vgPCkQMyxTZ7IDy8SXRufE172gr8+K/JE/7hHFxHW3A= github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 h1:dcztxKSvZ4Id8iPpHERQBbIJfabdt4wUm5qy3wOL2Zc= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
@@ -769,54 +1619,149 @@ github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3Rllmb github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3PzxT8aQXRPkAt8xlV/e7d7w8GM5g0fa5F0D8= +github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8= +github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc= github.com/montanaflynn/stats v0.6.6/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= +github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= +github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de/go.mod h1:kJun4WP5gFuHZgRjZUWWuH1DTxCtxbHDOIJsudS8jzY= +github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mwitkow/go-proto-validators v0.0.0-20180403085117-0950a7990007/go.mod h1:m2XC9Qq0AlmmVksL6FktJCdTYyLk7V3fKyp0sl1yWQo= +github.com/mwitkow/go-proto-validators v0.2.0/go.mod h1:ZfA1hW+UH/2ZHOWvQ3HnQaU0DtnpXu850MZiy+YUgcc= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod 
h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/nats-io/jwt v0.3.0/go.mod h1:fRYCDE99xlTsqUzISS1Bi75UBJ6ljOJQOAAu5VglpSg= +github.com/nats-io/jwt v0.3.2/go.mod h1:/euKqTS1ZD+zzjYrY7pseZrTtWQSjujC7xjPc8wL6eU= +github.com/nats-io/nats-server/v2 v2.1.2/go.mod h1:Afk+wRZqkMQs/p45uXdrVLuab3gwv3Z8C4HTBu8GD/k= +github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzEE/Zbp4w= +github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= +github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= +github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c= +github.com/ncw/swift v1.0.47/go.mod h1:23YIA4yWVnGwv2dQlN4bB7egfYX6YLn0Yo/S6zZO/ZM= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nishanths/predeclared v0.0.0-20200524104333-86fad755b4d3/go.mod h1:nt3d53pc1VYcphSCIaYAJtnPYnr3Zyn8fMq2wvPGPso= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= -github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw= +github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= +github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs= github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= +github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA= +github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU= +github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= +github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= +github.com/olekukonko/tablewriter v0.0.4/go.mod 
h1:zq6QwlOf5SlnkVbMSr5EoBv3636FWnp+qbPhuoO21uA= +github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= +github.com/onsi/ginkgo v0.0.0-20151202141238-7f8ab55aaf3b/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0HfGg= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= +github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= +github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= github.com/onsi/ginkgo/v2 v2.1.6 h1:Fx2POJZfKRQcM1pH49qSZiYeu319wji004qX+GDovrU= +github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega 
v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= +github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= +github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc= +github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q= +github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= +github.com/open-policy-agent/opa v0.35.0/go.mod h1:xEmekKlk6/c+so5HF9wtPnGPXDfBuBsrMGhSHOHEF+U= github.com/open-policy-agent/opa v0.45.0 h1:P5nuhVRtR+e58fk3CMMbiqr6ZFyWQPNOC3otsorGsFs= github.com/open-policy-agent/opa v0.45.0/go.mod h1:/OnsYljNEWJ6DXeFOOnoGn8CvwZGMUS4iRqzYdJvmBI= +github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/go-digest v1.0.0-rc1.0.20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= +github.com/opencontainers/image-spec v1.0.0/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/opencontainers/image-spec v1.0.2-0.20211117181255-693428a734f5/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 
h1:rc3tiVYb5z54aKaDfakKn0dDjIyPpTtszkjuMzyt7ec= github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= +github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= +github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= +github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= +github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84SM2ImC1fxBuqJ/H0= +github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0= +github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs= +github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE= +github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo= +github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= 
+github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492/go.mod h1:Ngi6UdF0k5OKD5t5wlmGhe/EDKPoUM3BXZSSfIuJbis= +github.com/opentracing/basictracer-go v1.0.0/go.mod h1:QfBfYuafItcjQuMwinw9GhYKwFXS9KnPs5lxoYwgW74= +github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= +github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs= +github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= +github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5/go.mod h1:/wsWhb9smxSfWAKL3wpBW7V8scJMt8N8gnaMCS9E/cA= +github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw= +github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4= +github.com/openzipkin/zipkin-go v0.2.2/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4= +github.com/openzipkin/zipkin-go v0.3.0/go.mod h1:4c3sLeE8xjNqehmF5RpAFLPLJxXscc0R4l6Zg0P1tTQ= +github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw= +github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE= +github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs= +github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT91xUo= +github.com/otiai10/mint v1.3.1/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc= +github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIwwtUjcrb0b5/5kLM= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY= github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= 
+github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= +github.com/pelletier/go-buffruneio v0.2.0/go.mod h1:JkE26KsDizTr40EUHkXVtNPvgGtbSNq5BcowyYOWdKo= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/pelletier/go-toml v1.4.0/go.mod h1:PN7xzY2wHTK0K9p34ErDQMlFxa51Fk0OUruD3k1mMwo= +github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE= +github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc= github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= +github.com/pelletier/go-toml v1.9.4 h1:tjENF6MfZAg8e4ZmZTeWaWiT2vXtsoO6+iuOjFhECwM= +github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= +github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= -github.com/pierrec/lz4 v2.5.2+incompatible h1:WCjObylUIOlKy/+7Abdn34TLIkXiA4UWUMhxq9m9ZXI= +github.com/peterh/liner v0.0.0-20170211195444-bf27d3ba8e1d/go.mod h1:xIteQHvHuaLYG9IFj6mSxM0fCKrs34IrEQUhOYuGPHc= +github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0jef7pBehbT1qWhCMrIgbYNnFAZCqQ5LRc= +github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= +github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM= +github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4/go.mod h1:4OwLy04Bl9Ef3GJJCoec+30X3LQs/0/m4HFRt/2LUSA= github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 h1:Qj1ukM4GlMWXNdMBuXcXfz/Kw9s1qm0CLY32QxuSImI= github.com/pkg/browser 
v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ= +github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/profile v1.2.1/go.mod h1:hJw3o1OdXxsrSjjVksARp5W95eeEaEfptyVZyv6JUPA= github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI= +github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= 
@@ -825,63 +1770,142 @@ github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSg github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw= github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE= github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= +github.com/prometheus/client_golang v0.0.0-20180209125602-c332b6f63c06/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM= +github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs= github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= +github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= +github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og= github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= +github.com/prometheus/client_golang v1.5.1/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= +github.com/prometheus/client_golang v1.10.0/go.mod h1:WJM3cc3yu7XKBKa/I8WeZm+V3eltZnBwfENSU7mdogU= github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= github.com/prometheus/client_golang v1.13.0 h1:b71QUfeo5M8gq2+evJdTPfZhYMAU0uKPkyPJ7TPsloU= 
github.com/prometheus/client_golang v1.13.0/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ= +github.com/prometheus/client_model v0.0.0-20171117100541-99fa1f4be8e5/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.1.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M= github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.0.0-20180110214958-89604d197083/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= +github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA= github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4= github.com/prometheus/common v0.10.0/go.mod 
h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= +github.com/prometheus/common v0.18.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s= github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= github.com/prometheus/common v0.28.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= +github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= +github.com/prometheus/common v0.30.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE= github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA= +github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/procfs v0.0.0-20190522114515-bc1a522cf7b1/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= +github.com/prometheus/procfs v0.0.5/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= +github.com/prometheus/procfs v0.2.0/go.mod 
h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= +github.com/prometheus/procfs v0.7.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= +github.com/prometheus/procfs v0.7.1/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo= github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= +github.com/prometheus/statsd_exporter v0.21.0/go.mod h1:rbT83sZq2V+p73lHhPZfMc3MLCHmSHelCh9hSGYNLTQ= github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= +github.com/protocolbuffers/txtpbfmt v0.0.0-20201118171849-f6a6b3f636fc/go.mod h1:KbKfKPy2I6ecOIGA9apfheFv14+P3RSmmQvshofQyMY= +github.com/pseudomuto/protoc-gen-doc v1.4.1/go.mod h1:exDTOVwqpp30eV/EDPFLZy3Pwr2sn6hBC1WIYH/UbIg= +github.com/pseudomuto/protoc-gen-doc v1.5.0/go.mod h1:exDTOVwqpp30eV/EDPFLZy3Pwr2sn6hBC1WIYH/UbIg= +github.com/pseudomuto/protokit v0.2.0/go.mod h1:2PdH30hxVHsup8KpBTOXTBeMVhJZVio3Q8ViKSAXT0Q= +github.com/qur/ar v0.0.0-20130629153254-282534b91770/go.mod h1:SjlYv2m9lpV0UW6K7lDqVJwEIIvSjaHbGk7nIfY8Hxw= +github.com/rabbitmq/amqp091-go v1.1.0/go.mod h1:ogQDLSOACsLPsIq0NpbtiifNZi2YOz0VTJ0kHRghqbM= +github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= +github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= +github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rogpeppe/fastuuid 
v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= +github.com/rogpeppe/fastuuid v1.1.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= +github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= +github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8= +github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE= +github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= +github.com/rs/cors v1.8.0/go.mod h1:EBwu+T5AvHOcXwvZIkQFjUN6s8Czyqw12GL/Y0tUyRM= github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ= github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU= github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc= +github.com/rubiojr/go-vhd v0.0.0-20200706105327-02e210299021/go.mod h1:DM5xW0nvfNNm2uytzsvhI3OnX8uzaRAg8UX/CnDqbto= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob 
v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= +github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4= +github.com/sagikazarmark/crypt v0.1.0/go.mod h1:B/mN0msZuINBtQ1zZLEQcegFJJf9vnYIR88KRMEuODE= +github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E= +github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b/go.mod h1:am+Fp8Bt506lA3Rk3QCmSqmYmLMnPDhdDUcosQCAx+I= +github.com/sassoftware/go-rpmutils v0.1.1/go.mod h1:euhXULoBpvAxqrBHEyJS4Tsu3hHxUmQWNymxoJbzgUY= +github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 h1:sUNzanSKA9z/h8xXl+ZJoxIYZL0Qx306MmxqRrvUgr0= +github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74/go.mod h1:YlB8wFIZmFLZ1JllNBfSURzz52fBxbliNgYALk1UDmk= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= +github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= +github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo= +github.com/secure-systems-lab/go-securesystemslib v0.1.0/go.mod h1:eIjBmIP8LD2MLBL/DkQWayLiz006Q4p+hCu79rvWleY= +github.com/secure-systems-lab/go-securesystemslib v0.2.0 h1:9beLHgmhA2KEqJkFh1bs/YlnHkazv26GCXqfcUdC1YI= +github.com/secure-systems-lab/go-securesystemslib v0.2.0/go.mod h1:eIjBmIP8LD2MLBL/DkQWayLiz006Q4p+hCu79rvWleY= +github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= +github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= +github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= +github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= +github.com/sergi/go-diff v1.2.0/go.mod 
h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= +github.com/shibumi/go-pathspec v1.2.0 h1:KVKEDHYk7bQolRMs7nfzjT3SBOCgcXFJzccnj9bsGbA= +github.com/shibumi/go-pathspec v1.2.0/go.mod h1:bDxCftD0fST3qXIlHoQ/fChsU4mWMVklXp1yPErQaaY= github.com/shirou/gopsutil/v3 v3.22.9 h1:yibtJhIVEMcdw+tCTbOPiF1VcsuDeTE4utJ8Dm4c5eA= github.com/shirou/gopsutil/v3 v3.22.9/go.mod h1:bBYl1kjgEJpWpxeHmLI+dVHWtyAwfcmSBLDsp2TNT8A= github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4= github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ= github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sigstore/cosign v1.4.0 h1:N5GZCUa0xUk103a7KytUTZk1f185mLvbdRdj8UpgQR4= +github.com/sigstore/cosign v1.4.0/go.mod h1:NBnxsSJUjiXgOKasQsHpwkjQKFCvQbTizlr+/5Ydlm0= +github.com/sigstore/fulcio v0.1.2-0.20211204001059-48e1a254cf10 h1:CbCE3pm2JWMTUgA6V6erGiFKtRsMFM/ZIj+cf5QpT+s= +github.com/sigstore/fulcio v0.1.2-0.20211204001059-48e1a254cf10/go.mod h1:skrBtMLaBrK3Awd0SnDvCSGbBB0l3+nNsBiUC6WOVbM= +github.com/sigstore/rekor v0.3.1-0.20211203233407-3278f72b78bd h1:/Brk1DcfZDc69cDmWZPlHkwe5e3CK8j3BrfUKr6EO6c= +github.com/sigstore/rekor v0.3.1-0.20211203233407-3278f72b78bd/go.mod h1:X/YsXRguEJEDfYs2/vSw6zrq0fgFeML99KhZ6arCNaI= +github.com/sigstore/sigstore v0.0.0-20210729211320-56a91f560f44/go.mod h1:rJpRn7XmR/YrfNGDU9jh+vy5WMeSv5YKfNDBwnFg+Qg= +github.com/sigstore/sigstore v1.0.1/go.mod h1:1+krIdtuf81/fLC8mHPt/7uwYiOg7W8k/PAR7lzKW3w= +github.com/sigstore/sigstore v1.0.2-0.20211203233310-c8e7f70eab4e h1:qxWCfYfujtV4ZlDasR4gkyxmyxmAjbHKhf4q94S/cvs= +github.com/sigstore/sigstore v1.0.2-0.20211203233310-c8e7f70eab4e/go.mod h1:F/4PzB9jSHWZSdBW3JsRmNQRp1MNGHXfSzNfG3Khm1Y= +github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod 
h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= +github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= 
@@ -889,24 +1913,44 @@ github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA= +github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= +github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM= +github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h1:SnhjPscd9TpLiy1LpzGSKh3bXCfxxXuqd9xmQJy3slM= +github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/smartystreets/gunit v1.0.0/go.mod h1:qwPWnhz6pn0NnRBP++URONOVyNkPyr4SauJk4cUOwJs= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/soheilhy/cmux v0.1.5-0.20210205191134-5ec6847320e5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= +github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/afero v1.2.2/go.mod 
h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4= +github.com/spf13/afero v1.6.0 h1:xoax2sJ2DT8S8xA2paPFjDCScCNeWsg75VG0DLRreiY= github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cast v1.3.1 h1:nFm6S0SMdyzrzcmThSipiEubIDy8WEXKNZ0UOgiRpng= github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cast v1.4.1 h1:s0hze+J0196ZfEMTs80N7UlFt0BDuQ7Q+JDnHiMWKdA= +github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= +github.com/spf13/cobra v1.1.1/go.mod h1:WnodtKOvamDL/PwE2M4iKs8aMDBZ5Q5klgD3qfVJQMI= github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo= github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk= +github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU= +github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk= github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= +github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod 
h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= 
@@ -914,19 +1958,33 @@ github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DM github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= +github.com/spf13/viper v1.9.0 h1:yR6EXjTp0y0cLN8OZg1CRZmOBdI88UcGkhgyJhu6nZk= +github.com/spf13/viper v1.9.0/go.mod h1:+i6ajR7OX2XaiBkrcZJFK21htRk7eDeLg7+O6bhUPP4= +github.com/spiffe/go-spiffe/v2 v2.0.0-beta.8/go.mod h1:TEfgrEcyFhuSuvqohJt6IxENUNeHfndWCCV1EX7UaVk= github.com/spiffe/go-spiffe/v2 v2.0.1-0.20220414143532-2ed460a8b9d3 h1:FpqM5PfWHs4Ze36HwzMpRefrv8kkmxFgtG9Qc6hL7Dc= github.com/spiffe/go-spiffe/v2 v2.0.1-0.20220414143532-2ed460a8b9d3/go.mod h1:ifsAYiK9MOyuGYFUHUQ3K47dj+k/gd4IcWhlCyDJZEU= github.com/spiffe/spire-api-sdk v1.2.5-0.20220608195902-84fd618158c9 h1:RmpSpUHOboDvGhxLW/32DAlV/DsvUURjojPVDMPDkwM= github.com/spiffe/spire-api-sdk v1.2.5-0.20220608195902-84fd618158c9/go.mod h1:73BC0cOGkqRQrqoB1Djk7etxN+bE1ypmzZMkhCQs6kY= github.com/spiffe/spire-plugin-sdk v1.4.1-0.20220912221658-c42ab2d657f6 h1:QViYo6JR+v2lTMV/w9Py1mWJEXTrLn1Hb6ZsCWSVVek= github.com/spiffe/spire-plugin-sdk v1.4.1-0.20220912221658-c42ab2d657f6/go.mod h1:4KW5J6abGIAyUS8IL7Fi0NOfoWR6jA5LufKPnIdm9FE= +github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI= +github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= +github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= +github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= +github.com/streadway/amqp v1.0.0/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= 
+github.com/streadway/handy v0.0.0-20190108123426-d5acb3125c2a/go.mod h1:qNTQ5P5JnDBl6z3cMAg/SywNDC5ABu5ApDIw6lUbRmI= +github.com/streadway/quantile v0.0.0-20150917103942-b0c588724d25/go.mod h1:lbP8tGiBjZ5YWIc2fzuRpTaz0b/53vT6PEs3QuAWzuU= +github.com/stretchr/objx v0.0.0-20180129172003-8a3f7159479f/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= +github.com/stretchr/objx v0.3.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v0.0.0-20170130113145-4d4bfba8f1d1/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v0.0.0-20180303142811-b89eecf5ca5d/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 
@@ -938,15 +1996,45 @@ github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1F github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= +github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= +github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= +github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= +github.com/syndtr/goleveldb v1.0.0 h1:fBdIW9lB4Iz0n9khmH8w27SJ3QEJ7+IgjPEwGSZiFdE= +github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ= +github.com/tchap/go-patricia v2.2.6+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I= github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= +github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 h1:iGnD/q9160NWqKZZ5vY4p0dMiYMRknzctfSkqA4nBDw= +github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613/go.mod h1:g6AnIpDSYMcphz193otpSIzN+11Rs+AAIIC6rm1enug= +github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg= +github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU= +github.com/theupdateframework/go-tuf v0.0.0-20210722233521-90e262754396/go.mod h1:L+uU/NRFK/7h0NYAnsmvsX9EghDB5QVCcHCIrK2h5nw= +github.com/theupdateframework/go-tuf 
v0.0.0-20211006142131-1dc15a86c64d/go.mod h1:oujGMqigj0NWDqeWBCzleayXXtux27r+kHAR2t5Yuk8= +github.com/theupdateframework/go-tuf v0.0.0-20211115152232-a4f2dd6ea314/go.mod h1:pQW1KcCMYPCuZ4pvCkYQhoE2k9SzTuh31AWhf1j/7HM= +github.com/theupdateframework/go-tuf v0.0.0-20211203210025-7ded50136bf9 h1:Toe1Dy1nG62nh3CLZ6/izUrdgjhV/aGHvvu+uwGykxk= +github.com/theupdateframework/go-tuf v0.0.0-20211203210025-7ded50136bf9/go.mod h1:n2n6wwC9BEnYS/C/APAtNln0eM5zYAYOkOTx6VEG/mA= +github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= +github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= +github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= +github.com/tilinna/clock v1.0.2/go.mod h1:ZsP7BcY7sEEz7ktc0IVy8Us6boDrK8VradlKRUGfOao= +github.com/tilinna/clock v1.1.0/go.mod h1:ZsP7BcY7sEEz7ktc0IVy8Us6boDrK8VradlKRUGfOao= +github.com/tj/assert v0.0.0-20171129193455-018094318fb0/go.mod h1:mZ9/Rh9oLWpLLDRpvE+3b7gP/C2YyLFYxNmcLnPTMe0= +github.com/tj/go-elastic v0.0.0-20171221160941-36157cbbebc2/go.mod h1:WjeM0Oo1eNAjXGDx2yma7uG2XoyRZTq1uv3M/o7imD0= +github.com/tj/go-kinesis v0.0.0-20171128231115-08b17f58cb1b/go.mod h1:/yhzCV0xPfx6jb1bBgRFjl5lytqVqZXEaeqWP8lTEao= +github.com/tj/go-spin v1.1.0/go.mod h1:Mg1mzmePZm4dva8Qz60H2lHwmJ2loum4VIrLgVnKwh4= github.com/tklauser/go-sysconf v0.3.10 h1:IJ1AZGZRWbY8T5Vfk04D9WOA5WSejdflXxP03OUqALw= github.com/tklauser/go-sysconf v0.3.10/go.mod h1:C8XykCvCb+Gn0oNCWPIlcb0RuglQTYaQ2hGm7jmxEFk= github.com/tklauser/numcpus v0.4.0 h1:E53Dm1HjH1/R2/aoCtXtPgzmElmn51aOkhCFSuZq//o= github.com/tklauser/numcpus v0.4.0/go.mod h1:1+UI3pD8NW14VMwdgJNJ1ESk2UnwhAnz5hMwiKKqXCQ= +github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/tmc/grpc-websocket-proxy 
v0.0.0-20200427203606-3cfed13b9966/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4= +github.com/tsenart/go-tsz v0.0.0-20180814232043-cdeb9e1e981e/go.mod h1:SWZznP1z5Ki7hDT2ioqiFKEse8K9tU2OUvaRI0NeGQo= +github.com/tsenart/vegeta/v12 v12.8.4/go.mod h1:ZiJtwLn/9M4fTPdMY7bdbIeyNeFVE8/AHbWFqCsUuho= github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= github.com/twmb/murmur3 v1.1.5/go.mod h1:Qq/R7NUyOfr65zD+6Q5IHKsJLwP7exErjN6lyyq3OSQ= github.com/twmb/murmur3 v1.1.6 h1:mqrRot1BRxm+Yct+vavLMou2/iJt0tNVTTC0QoIjaZg= 
@@ -954,15 +2042,61 @@ github.com/twmb/murmur3 v1.1.6/go.mod h1:Qq/R7NUyOfr65zD+6Q5IHKsJLwP7exErjN6lyyq github.com/uber-go/tally/v4 v4.1.3 h1:dKhkrkVSSJK0AxZCv/MmK5JrWmH+MPG3dgZCbxWk2Yc= github.com/uber-go/tally/v4 v4.1.3/go.mod h1:aXeSTDMl4tNosyf6rdU8jlgScHyjEGGtfJ/uwCIf/vM= github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= +github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw= github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= +github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY= +github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8= +github.com/ulikunitz/xz v0.5.7/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= +github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= +github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/urfave/cli v1.22.4/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/urfave/cli v1.22.5/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI= +github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4= +github.com/vbatts/tar-split v0.11.2 h1:Via6XqJr0hceW4wff3QRzD5gAk/tatMw/4ZA7cTlIME= +github.com/vbatts/tar-split v0.11.2/go.mod h1:vV3ZuO2yWSVsz+pfFzDG/upWH1JhjOiEaWq6kXyQ3VI= +github.com/vdemeester/k8s-pkg-credentialprovider v1.21.0-1 h1:7Ajl3rjeYoB5V47jPknnLbyxYlhMXTTJiQsye5aT7f0= +github.com/vdemeester/k8s-pkg-credentialprovider v1.21.0-1/go.mod 
h1:l4LxiP0cmEcc5q4BTDE8tZSyIiyXe0T28x37yHpMzoM= +github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw= +github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk= +github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= +github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho= +github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI= +github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= +github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0= +github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= +github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4= +github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI= +github.com/xanzy/go-gitlab v0.31.0/go.mod h1:sPLojNBn68fMUWSxIJtdVVIP8uSBYqesTfDUseX11Ug= +github.com/xanzy/go-gitlab v0.52.2 h1:gkgg1z4ON70sphibtD86Bfmt1qV3mZ0pU0CBBCFAEvQ= +github.com/xanzy/go-gitlab v0.52.2/go.mod h1:Q+hQhV508bDPoBijv7YjK/Lvlb4PhVhJdKqXVQrUoAE= +github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4= +github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= +github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs= +github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM= +github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I= +github.com/xdg/stringprep v0.0.0-20180714160509-73f8eece6fdc/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y= 
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs= +github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b/go.mod h1:HptNXiXVDcJjXe9SqMd0v2FsL9f8dz4GnXgltU6q/co= github.com/yashtewari/glob-intersection v0.1.0 h1:6gJvMYQlTDOL3dMsPF6J0+26vwX9MB8/1q3uAdhmTrg= github.com/yashtewari/glob-intersection v0.1.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok= +github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA= +github.com/ysmood/goob v0.3.0/go.mod h1:S3lq113Y91y1UBf1wj1pFOxeahvfKkCk6mTWTWbDdWs= +github.com/ysmood/got v0.15.1/go.mod h1:pE1l4LOwOBhQg6A/8IAatkGp7uZjnalzrZolnlhhMgY= +github.com/ysmood/gotrace v0.2.2/go.mod h1:TzhIG7nHDry5//eYZDYcTzuJLYQIkykJzCRIo4/dzQM= +github.com/ysmood/gson v0.6.4/go.mod h1:3Kzs5zDl21g5F/BlLTNcuAGAYLKt2lV5G8D1zF3RNmg= +github.com/ysmood/leakless v0.7.0/go.mod h1:R8iAXPRaG97QJwqxs74RdwzcRHT1SWCGTNqY8q0JvMQ= github.com/yuin/goldmark 
v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 
@@ -971,28 +2105,67 @@ github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1 github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yusufpapurcu/wmi v1.2.2 h1:KBNDSne4vP5mbSWnJbO+51IMOXJB67QiYCSBrubbPRg= github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= +github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs= +github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA= +github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg= +github.com/zalando/go-keyring v0.1.0/go.mod h1:RaxNwUITJaHVdQ0VC7pELPZ3tOWn13nr0gZMZEhpVU0= +github.com/zalando/go-keyring v0.1.1/go.mod h1:OIC+OZ28XbmwFxU/Rp9V7eKzZjamBJwRzC8UFJH9+L8= github.com/zeebo/errs v1.2.2/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs= github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4= +go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= +go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489/go.mod h1:yVHk9ub3CSBatqGNg7GRmsnfLWtoW60w4eDYfh7vHDg= +go.etcd.io/etcd/api/v3 v3.5.0-alpha.0/go.mod h1:mPcW6aZJukV6Aa81LSKpBjQXTWlXB5r74ymPoSWa3Sw= go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= 
go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= +go.etcd.io/etcd/client/v2 v2.305.0-alpha.0/go.mod h1:kdV+xzCJ3luEBSIeQyB/OEKkWKd8Zkux4sbDeANrosU= go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= +go.etcd.io/etcd/client/v3 v3.5.0-alpha.0/go.mod h1:wKt7jgDgf/OfKiYmCq5WFGxOFAkVMLxiiXgLDFhECr8= go.etcd.io/etcd/client/v3 v3.5.0/go.mod h1:AIKXXVX/DQXtfTEqBryiLTUXwON+GuvO6Z7lLS/oTh0= +go.etcd.io/etcd/etcdctl/v3 v3.5.0-alpha.0/go.mod h1:YPwSaBciV5G6Gpt435AasAG3ROetZsKNUzibRa/++oo= +go.etcd.io/etcd/etcdctl/v3 v3.5.0/go.mod h1:vGTfKdsh87RI7kA2JHFBEGxjQEYx+pi299wqEOdi34M= +go.etcd.io/etcd/etcdutl/v3 v3.5.0/go.mod h1:o98rKMCibbFAG8QS9KmvlYDGDShmmIbmRE8vSofzYNg= +go.etcd.io/etcd/pkg/v3 v3.5.0-alpha.0/go.mod h1:tV31atvwzcybuqejDoY3oaNRTtlD2l/Ot78Pc9w7DMY= go.etcd.io/etcd/pkg/v3 v3.5.0/go.mod h1:UzJGatBQ1lXChBkQF0AuAtkRQMYnHubxAEYIrC3MSsE= +go.etcd.io/etcd/raft/v3 v3.5.0-alpha.0/go.mod h1:FAwse6Zlm5v4tEWZaTjmNhe17Int4Oxbu7+2r0DiD3w= go.etcd.io/etcd/raft/v3 v3.5.0/go.mod h1:UFOHSIvO/nKwd4lhkwabrTD3cqW5yVyYYf/KlD00Szc= +go.etcd.io/etcd/server/v3 v3.5.0-alpha.0/go.mod h1:tsKetYpt980ZTpzl/gb+UOJj9RkIyCb1u4wjzMg90BQ= go.etcd.io/etcd/server/v3 v3.5.0/go.mod h1:3Ah5ruV+M+7RZr0+Y/5mNLwC+eQlni+mQmOVdCRJoS4= +go.etcd.io/etcd/tests/v3 v3.5.0-alpha.0/go.mod h1:HnrHxjyCuZ8YDt8PYVyQQ5d1ZQfzJVEtQWllr5Vp/30= +go.etcd.io/etcd/tests/v3 v3.5.0/go.mod h1:f+mtZ1bE1YPvgKdOJV2BKy4JQW0nAFnQehgOE7+WyJE= +go.etcd.io/etcd/v3 v3.5.0-alpha.0/go.mod h1:JZ79d3LV6NUfPjUxXrpiFAYcjhT+06qqw+i28snx8To= +go.etcd.io/etcd/v3 v3.5.0/go.mod h1:FldM0/VzcxYWLvWx1sdA7ghKw7C3L2DvUTzGrcEtsC4= +go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= +go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= +go.mongodb.org/mongo-driver v1.3.0/go.mod h1:MSWZXKOynuguX+JSvwP8i+58jYCXxbia8HS3gZBapIE= +go.mongodb.org/mongo-driver v1.3.4/go.mod 
h1:MSWZXKOynuguX+JSvwP8i+58jYCXxbia8HS3gZBapIE= +go.mongodb.org/mongo-driver v1.4.3/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= +go.mongodb.org/mongo-driver v1.4.4/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= +go.mongodb.org/mongo-driver v1.4.6/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= +go.mongodb.org/mongo-driver v1.5.1/go.mod h1:gRXCHX4Jo7J0IJ1oDQyUxF7jfy19UfxniMS4xxMmUqw= +go.mongodb.org/mongo-driver v1.7.3/go.mod h1:NqaYOwnXWr5Pm7AOpO5QFxKJ503nbMse/R79oO62zWg= +go.mongodb.org/mongo-driver v1.7.5 h1:ny3p0reEpgsR2cfA5cjgwFZg3Cv/ofFh/8jbhGtz9VI= +go.mongodb.org/mongo-driver v1.7.5/go.mod h1:VXEWRZ6URJIkUq2SCAyapmhH0ZLRBP+FT4xhp5Zvxng= +go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= +go.opencensus.io v0.15.0/go.mod h1:UffZAU+4sDEINUGP/B7UfBBkq4fqLu9zXAX7ke6CHW0= +go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= +go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= +go.opencensus.io v0.22.6/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc= +go.opentelemetry.io/contrib v1.2.0/go.mod h1:EH4yDYeNoaTqn/8yCWQmfNB78VHfGX2Jt2bvnvzBlGM= 
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:2AboqHi0CiIZU0qwhtUfCYD1GeUzvvIXWNkhDt7ZMG4= go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo= 
@@ -1004,57 +2177,96 @@ go.opentelemetry.io/otel/sdk/export/metric v0.20.0/go.mod h1:h7RBNMsDJ5pmI1zExLi go.opentelemetry.io/otel/sdk/metric v0.20.0/go.mod h1:knxiS8Xd4E/N+ZqKmUPf3gTTZ4/0TjTXukfxjzSTpHE= go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= +go.opentelemetry.io/proto/otlp v0.11.0/go.mod h1:QpEjXPrNQzrFDZgoTo49dgHR9RYRSrg3NAKnUGl9YpQ= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ= go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= +go.uber.org/automaxprocs v1.4.0/go.mod h1:/mTEdr7LvHhs0v7mjdxDreTz1OG5zdZGqgOnhWiR/+Q= go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= +go.uber.org/goleak v1.1.11-0.20210813005559-691160354723/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= go.uber.org/goleak v1.1.12 h1:gZAh5/EyT/HQwlpkCy6wTpqfH9H8Lz8zbm3dZh+OyzA= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= +go.uber.org/multierr v1.7.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak= 
go.uber.org/multierr v1.8.0 h1:dg6GjLku4EH+249NNmoIciG9N/jURbDG+pFlTkhzIC8= go.uber.org/multierr v1.8.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak= go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA= go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= +go.uber.org/zap v1.16.0/go.mod h1:MA8QOfq0BHJwdXa996Y4dYkAqRKB8/1K1QMMZVaNZjQ= go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= +go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= +go.uber.org/zap v1.19.1/go.mod h1:j3DNczoxDZroyBnOT1L/Q79cfUMGZxlv/9dzN7SM1rI= go.uber.org/zap v1.23.0 h1:OjGQ5KQDEUawVHxNwQgPpiypGHOxo2mNZsOqTak4fFY= go.uber.org/zap v1.23.0/go.mod h1:D+nX8jyLsMHMYrln8A0rJjFt/T/9/bGgIhAqxv5URuY= +gocloud.dev v0.19.0/go.mod h1:SmKwiR8YwIMMJvQBKLsC3fHNyMwXLw3PMDO+VVteJMI= +gocloud.dev v0.24.0/go.mod h1:uA+als++iBX5ShuG4upQo/3Zoz49iIPlYUWHV5mM8w8= +golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20180501155221-613d6eafa307/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181009213950-7c1a557ab941/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto 
v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= +golang.org/x/crypto v0.0.0-20190418165655-df01cb2cc480/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= +golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= +golang.org/x/crypto v0.0.0-20190424203555-c05e17bb3b2d/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190530122614-20be4c3c3ed5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190829043050-9756ffdc2472/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY= +golang.org/x/crypto 
v0.0.0-20191002192127-34f69633bfdc/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191117063200-497ca9f6d64f/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20191205180655-e7c4368fe9dd/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200930160638-afb6bcd081ae/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20201112155050-0c6587e931a9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= +golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= +golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= +golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8= golang.org/x/crypto 
v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20210920023735-84f357641f63/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa h1:zuSxTR4o9y82ebqCUJYNGJbGPo6sKVl54f/TVDObg1c= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190731235908-ec7cb31e5a56/go.mod h1:JhuoJpWY28nO4Vef9tZUw9qufEGTyX1+7lmHxV5q5G4= golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= 
@@ -1062,6 +2274,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= +golang.org/x/exp v0.0.0-20200331195152-e8c3332aa8e5/go.mod h1:4M0jN8W1tt0AVLNr8HDosyJCDCDuyL9N9+3m7wDWgKw= +golang.org/x/exp v0.0.0-20210126221216-84987778548c/go.mod h1:I6l2HNBLBZEcrOoCpyKLdY2lHoRZ8lI4x60KMCQDft4= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -1078,16 +2292,20 @@ golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPI golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= +golang.org/x/mobile v0.0.0-20201217150744-e6ae53a27f4f/go.mod h1:skQtrUTUwhdJvXM/2KKJzY8pDgNr9I/FOMqDVRPBUS4= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.1.1-0.20191209134235-331c550502dd/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.1-0.20200828183125-ce943fd02449/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= +golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod 
h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -1095,24 +2313,35 @@ golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73r golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181005035420-146acd28ed58/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181011144130-49bb7cea24b1/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181108082009-03003ca0c849/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190320064053-1272bf9dcd53/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod 
h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190619014844-b5b0513f8c1b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191002035440-2ec189313ef0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191112182307-2180aed22343/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191119073136-fc4aabc6c914/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
@@ -1120,29 +2349,45 @@ golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200505041828-1ed23360d12c/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200602114024-627f9648deb9/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200930145003-4acb6c075d10/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201006153459-a7d1128ccaa0/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod 
h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210224082022-3d97a244fca7/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM= +golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210610132358-84b48f89b13b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net 
v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210917221730-978cfadd31cf/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211101193420-4a448f8816b3/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211111083644-e5c967477495/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211118161319-6a13c67c3ce4/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= 
@@ -1155,21 +2400,28 @@ golang.org/x/net v0.0.0-20220907135653-1e95f45603a7/go.mod h1:YDH+HFinaLZZlnHAfS golang.org/x/net v0.0.0-20221014081412-f15817d10f9b h1:tvrvnPFcdzp294diPnrdZZZ8XUt2Tyj7svb7X52iDuU= golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210126194326-f9ce19ea3013/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 
v0.0.0-20210413134643-5e61552d6c78/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210427180440-81ed05c6b58c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20211028175245-ba495a64dcb5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= 
@@ -1183,10 +2435,12 @@ golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190412183630-56d357773e84/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20200930132711-30421366ff76/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -1200,63 +2454,114 @@ golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190129075346-302c3dd5f1cc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190321052220-f7bb7a8bee54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190419153524-e8e3143a4f4a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190522044717-8097e1b27ff5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190531175056-4c3a928424d2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190602015325-4c4f7f33c9ed/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190620070143-6f217b454f45/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190812073006-9eafafc0a87e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191112214154-59a1497f0cea/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191119060738-e882bf8e40c2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191210023423-ac6580df4449/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191220142924-d4481acd189f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200120151820-655fe14d7479/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200602225109-6fdc65e7d980/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys 
v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200817155316-9781c653f443/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200828194041-157a740278f4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200916030750-2334cc1a136f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200922070232-aee5d888a860/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201117170446-d9b008d0a637/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201202213521-69691e467435/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210223095934-7937bea0104d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210412220455-f1c623a9e750/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20210503080704-8803ae5d1324/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -1271,7 +2576,13 @@ golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210909193231-528a39cd75f3/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210917161153-d61c044b1678/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211110154304-99a53858aa08/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211112193437-faf0a1b62c6b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211117180635-dee7805ff2e1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -1292,6 +2603,7 @@ golang.org/x/sys v0.0.0-20220907062415-87db552b00fd h1:AZeIEzg+8RCELJYq8w+ODLVxF golang.org/x/sys v0.0.0-20220907062415-87db552b00fd/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 
@@ -1305,33 +2617,51 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 h1:ftMN5LMiBFjbzleLqtoBZk7KdJwhuybIU+FckUHgoyQ= golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools 
v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190125232054-d66bd3c5d5a6/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190329151228-23e29df326fe/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190416151739-9c9e1878f421/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190420181800-aa740d480789/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190422233926-fe54fb35175b/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190425163242-31fd60d6bfdc/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190531172133-b3315ee88b7d/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools 
v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190617190820-da514acc4774/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190706070813-72ffa07ba3db/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= +golang.org/x/tools v0.0.0-20190729092621-ff9f1409240a/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190823170909-c4a336ef6a2f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191010075000-0337d82405ff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 
@@ -1339,12 +2669,14 @@ golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191118222007-07fc4c7f2b98/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200103221440-774c71fcf114/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200117012304-6edc0a871e69/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 
@@ -1356,11 +2688,14 @@ golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapK golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= +golang.org/x/tools v0.0.0-20200426102838-f3a5411a4c3b/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200522201501-cb1345f3a375/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200612220849-54c614fe050c/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200616133436-c1934b75d054/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200717024301-6ddee64345a6/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= 
@@ -1368,11 +2703,16 @@ golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= +golang.org/x/tools v0.0.0-20200916195026-c9a70fc28ce3/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU= +golang.org/x/tools v0.0.0-20201014170642-d1624618ad65/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU= golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210112230658-8b4aab62c064/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= 
@@ -1380,6 +2720,7 @@ golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.6-0.20210820212750-d4cc65f0b2ff/go.mod h1:YD9qOF0M9xpSpdWTBbzEl5e/RnCefISl8E5Noe10jFM= +golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -1395,36 +2736,49 @@ golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3j golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY= gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY= +google.golang.org/api v0.0.0-20160322025152-9bf6e6e569ff/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0= +google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.5.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.6.0/go.mod h1:btoxGiFvQNVUZQ8W08zLtrVS08CNpINPEfxXxgJL1Q4= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.10.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.15.1-0.20200106000736-b8fc810ca6b5/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api 
v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.25.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= +google.golang.org/api v0.37.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8= +google.golang.org/api v0.45.0/go.mod h1:ISLIJCedJolbZvDfAk+Ctuq5hf+aJ33WgtUsfyFoLXA= +google.golang.org/api v0.46.0/go.mod h1:ceL4oozhkAiTID8XMmJBsIxID/9wMXJVVFXPg4ylg3I= google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4= google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw= google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU= +google.golang.org/api v0.52.0/go.mod h1:Him/adpjt0sxtkWViy0b6xyKW/SD71CwdJ7HqJo7SrU= google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k= google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI= +google.golang.org/api v0.58.0/go.mod 
h1:cAbP2FsxoGVNwtgNAmmn3y5G1TWAiVYRmg4yku3lv+E= +google.golang.org/api v0.60.0/go.mod h1:d7rl65NZAkEQ90JFzqBjcRq1TVeG5ZoGV3sSpEnnVb4= google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I= google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo= google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g= 
@@ -1441,19 +2795,28 @@ google.golang.org/api v0.95.0/go.mod h1:eADj+UBuxkh5zlrSntJghuNeg8HwQ1w5lTKkuqaE google.golang.org/api v0.100.0 h1:LGUYIrbW9pzYQQ8NWXlaIVkgnfubVBZbMFb9P8TK374= google.golang.org/api v0.100.0/go.mod h1:ZE3Z2+ZOr87Rx7dqFsdRQkRBk36kDtp/h+QpHbB7a70= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= +google.golang.org/appengine v1.6.2/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8/go.mod h1:0H1ncTHf11KCFhTc/+EFRbzSCOZx+VUbRMk55Yv5MYk= google.golang.org/genproto v0.0.0-20170818010345-ee236bd376b0/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20181107211654-5fc9ac540362/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto 
v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190508193815-b515fa19cec8/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190522204451-c2c4e71fbf69/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s= +google.golang.org/genproto v0.0.0-20190530194941-fb225487d101/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s= +google.golang.org/genproto v0.0.0-20190620144150-6af8c5fc6601/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s= google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= @@ -1462,6 +2825,7 @@ google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvx google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200117163144-32f20d992d24/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 
@@ -1476,6 +2840,7 @@ google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfG google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20200527145253-8367513e4ece/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 
@@ -1484,31 +2849,47 @@ google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210126160654-44e461bb6506/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210329143202-679c6ae281ee/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= +google.golang.org/genproto v0.0.0-20210331142528-b7513248f0ba/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= 
+google.golang.org/genproto v0.0.0-20210413151531-c14fb6ef47c3/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= +google.golang.org/genproto v0.0.0-20210427215850-f767ed18ee4d/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= +google.golang.org/genproto v0.0.0-20210429181445-86c259c2b4ab/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= +google.golang.org/genproto v0.0.0-20210517163617-5e0236093d7a/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24= google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= +google.golang.org/genproto v0.0.0-20210721163202-f1cecdd8b78a/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= +google.golang.org/genproto v0.0.0-20210722135532-667f2b7c528f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w= google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= 
+google.golang.org/genproto v0.0.0-20210825212027-de86158e7fda/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210917145530-b395a37504d4/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211016002631-37fc39342514/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211018162055-cf77aa76bad2/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211021150943-2b146023228c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211027162914-98a5263abeca/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= 
@@ -1537,12 +2918,20 @@ google.golang.org/genproto v0.0.0-20220804142021-4e6b2dfa6612/go.mod h1:iHe1svFL google.golang.org/genproto v0.0.0-20220902135211-223410557253/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a h1:GH6UPn3ixhWcKDhpnEC55S75cerLPdpp3hrhfKYjZgw= google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= +google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= +google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= +google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.22.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.22.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= 
@@ -1552,6 +2941,7 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.32.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= @@ -1565,6 +2955,8 @@ google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= +google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k= +google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= 
@@ -1593,28 +2985,48 @@ google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w= google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20141024133853-64131543e789/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= +gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= +gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= +gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo= +gopkg.in/go-playground/assert.v1 v1.2.1/go.mod 
h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE= +gopkg.in/go-playground/validator.v9 v9.29.1/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ= gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:aPpfJ7XW+gOuirDoZ8gHhLh3kZ1B08FtV2bbmy7Jv3s= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/ini.v1 v1.63.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/ini.v1 v1.66.0 h1:tYFFjdYXTsNBxJhYBABRbTuaKkX6UBzOvbYwhEcaZJQ= +gopkg.in/ini.v1 v1.66.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/square/go-jose.v2 v2.4.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/src-d/go-billy.v4 v4.3.2/go.mod h1:nDjArDMp+XMs1aFAESLRjfGSgfvoYN0hDfzEk0GjC98= +gopkg.in/src-d/go-git-fixtures.v3 v3.5.0/go.mod h1:dLBcvytrw/TYZsNTWCnkNF2DSIlzWYqTe3rJR56Ac7g= +gopkg.in/src-d/go-git.v4 v4.13.1/go.mod h1:nx5NYcxdKxq5fpltdHnPa2Exj4Sx0EclMWZQbYDu2z8= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= 
gopkg.in/validator.v2 v2.0.0-20200605151824-2b28d334fa05/go.mod h1:o4V0GXN9/CAmCsvJ0oXYZvrZOe7syiDZSN1GWGZTGzc= +gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= +gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 
@@ -1625,15 +3037,20 @@ gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200121175148-a6ecf24a6d71/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= +gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= +honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
@@ -1641,50 +3058,127 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo= +k8s.io/api v0.20.4/go.mod h1:++lNL1AJMkDymriNniQsWRkMDzRaX2Y/POTUi8yvqYQ= +k8s.io/api v0.20.6/go.mod h1:X9e8Qag6JV/bL5G6bU8sdVRltWKmdHsFUGS3eVndqE8= +k8s.io/api v0.21.0/go.mod h1:+YbrhBBGgsxbF6o6Kj4KJPJnBmAKuXDeS3E18bgHNVU= +k8s.io/api v0.21.1/go.mod h1:FstGROTmsSHBarKc8bylzXih8BLNYTiS3TZcsoEDg2s= +k8s.io/api v0.21.4/go.mod h1:fTVGP+M4D8+00FN2cMnJqk/eb/GH53bvmNs2SVTmpFk= +k8s.io/api v0.21.7/go.mod h1:9Z7hGak48detDeDBCo3Db9N/EqdFSTOEJ9BpIRC3Cms= k8s.io/api v0.23.3/go.mod h1:w258XdGyvCmnBj/vGzQMj6kzdufJZVUwEM1U2fRJwSQ= k8s.io/api v0.25.3 h1:Q1v5UFfYe87vi5H7NU0p4RXC26PPMT8KOpr1TLQbCMQ= k8s.io/api v0.25.3/go.mod h1:o42gKscFrEVjHdQnyRenACrMtbuJsVdP+WVjqejfzmI= +k8s.io/apiextensions-apiserver v0.21.4/go.mod h1:OoC8LhI9LnV+wKjZkXIBbLUwtnOGJiTRE33qctH5CIk= k8s.io/apiextensions-apiserver v0.25.0 h1:CJ9zlyXAbq0FIW8CD7HHyozCMBpDSiH7EdrSTCZcZFY= k8s.io/apiextensions-apiserver v0.25.0/go.mod h1:3pAjZiN4zw7R8aZC5gR0y3/vCkGlAjCazcg1me8iB/E= +k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= +k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= +k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc= +k8s.io/apimachinery v0.21.0/go.mod h1:jbreFvJo3ov9rj7eWT7+sYiRx+qZuCYXwWT1bcDswPY= +k8s.io/apimachinery v0.21.1/go.mod h1:jbreFvJo3ov9rj7eWT7+sYiRx+qZuCYXwWT1bcDswPY= +k8s.io/apimachinery v0.21.4/go.mod h1:H/IM+5vH9kZRNJ4l3x/fXP/5bOPJaVP/guptnZPeCFI= +k8s.io/apimachinery v0.21.7/go.mod h1:Ee84YWaZJo/QdW7/nsjTQCSaCJEJ/CyHkdWbdiBZ3Ns= k8s.io/apimachinery 
v0.23.3/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM= k8s.io/apimachinery v0.25.3 h1:7o9ium4uyUOM76t6aunP0nZuex7gDf8VGwkR5RcJnQc= k8s.io/apimachinery v0.25.3/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo= +k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU= +k8s.io/apiserver v0.20.4/go.mod h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM= +k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q= +k8s.io/apiserver v0.21.0/go.mod h1:w2YSn4/WIwYuxG5zJmcqtRdtqgW/J2JRgFAqps3bBpg= +k8s.io/apiserver v0.21.4/go.mod h1:SErUuFBBPZUcD2nsUU8hItxoYheqyYr2o/pCINEPW8g= k8s.io/apiserver v0.23.3/go.mod h1:3HhsTmC+Pn+Jctw+Ow0LHA4dQ4oXrQ4XJDzrVDG64T4= +k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y= +k8s.io/client-go v0.20.4/go.mod h1:LiMv25ND1gLUdBeYxBIwKpkSC5IsozMMmOOeSJboP+k= +k8s.io/client-go v0.20.6/go.mod h1:nNQMnOvEUEsOzRRFIIkdmYOjAZrC8bgq0ExboWSU1I0= +k8s.io/client-go v0.21.0/go.mod h1:nNBytTF9qPFDEhoqgEPaarobC8QPae13bElIVHzIglA= +k8s.io/client-go v0.21.1/go.mod h1:/kEw4RgW+3xnBGzvp9IWxKSNA+lXn3A7AuH3gdOAzLs= +k8s.io/client-go v0.21.4/go.mod h1:t0/eMKyUAq/DoQ7vW8NVVA00/nomlwC+eInsS8PxSew= +k8s.io/client-go v0.21.7/go.mod h1:IdmcpVUFBlFrzDtr58R5o/q3OaA8AJ+FF6LyE9Fpr0w= k8s.io/client-go v0.23.3/go.mod h1:47oMd+YvAOqZM7pcQ6neJtBiFH7alOyfunYN48VsmwE= k8s.io/client-go v0.25.3 h1:oB4Dyl8d6UbfDHD8Bv8evKylzs3BXzzufLiO27xuPs0= k8s.io/client-go v0.25.3/go.mod h1:t39LPczAIMwycjcXkVc+CB+PZV69jQuNx4um5ORDjQA= +k8s.io/cloud-provider v0.21.0 h1:NSTS+czpv6LQAaIpY/VUghsT4oj62hYmQPErkDKTzKU= +k8s.io/cloud-provider v0.21.0/go.mod h1:z17TQgu3JgUFjcgby8sj5X86YdVK5Pbt+jm/eYMZU9M= +k8s.io/code-generator v0.19.7/go.mod h1:lwEq3YnLYb/7uVXLorOJfxg+cUu2oihFhHZ0n9NIla0= +k8s.io/code-generator v0.21.4/go.mod h1:K3y0Bv9Cz2cOW2vXUrNZlFbflhuPvuadW6JdnN6gGKo= k8s.io/code-generator v0.23.3/go.mod h1:S0Q1JVA+kSzTI1oUvbKAxZY/DYbA/ZUb4Uknog12ETk= +k8s.io/component-base v0.20.1/go.mod 
h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk= +k8s.io/component-base v0.20.4/go.mod h1:t4p9EdiagbVCJKrQ1RsA5/V4rFQNDfRlevJajlGwgjI= +k8s.io/component-base v0.20.6/go.mod h1:6f1MPBAeI+mvuts3sIdtpjljHWBQ2cIy38oBIWMYnrM= +k8s.io/component-base v0.21.0/go.mod h1:qvtjz6X0USWXbgmbfXR+Agik4RZ3jv2Bgr5QnZzdPYw= +k8s.io/component-base v0.21.4/go.mod h1:ZKG0eHVX+tUDcaoIGpU3Vtk4TIjMddN9uhEWDmW6Nyg= k8s.io/component-base v0.23.3/go.mod h1:1Smc4C60rWG7d3HjSYpIwEbySQ3YWg0uzH5a2AtaTLg= -k8s.io/component-base v0.25.0 h1:haVKlLkPCFZhkcqB6WCvpVxftrg6+FK5x1ZuaIDaQ5Y= -k8s.io/component-base v0.25.0/go.mod h1:F2Sumv9CnbBlqrpdf7rKZTmmd2meJq0HizeyY/yAFxk= +k8s.io/component-base v0.25.2 h1:Nve/ZyHLUBHz1rqwkjXm/Re6IniNa5k7KgzxZpTfSQY= +k8s.io/component-base v0.25.2/go.mod h1:90W21YMr+Yjg7MX+DohmZLzjsBtaxQDDwaX4YxDkl60= +k8s.io/controller-manager v0.21.0/go.mod h1:Ohy0GRNRKPVjB8C8G+dV+4aPn26m8HYUI6ejloUBvUA= +k8s.io/cri-api v0.17.3/go.mod h1:X1sbHmuXhwaHs9xxYffLqJogVsnI+f6cPRcgPel7ywM= +k8s.io/cri-api v0.20.1/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= +k8s.io/cri-api v0.20.4/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= +k8s.io/cri-api v0.20.6/go.mod h1:ew44AjNXwyn1s0U4xCKGodU7J1HzBeZ1MpGrpa5r8Yc= +k8s.io/csi-translation-lib v0.21.0/go.mod h1:edq+UMpgqEx3roTuGF/03uIuSOsI986jtu65+ytLlkA= +k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20200428234225-8167cfdcfc14/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/gengo v0.0.0-20210915205010-39e73c8a59cd/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/klog v1.0.0/go.mod 
h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/klog/v2 v2.8.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= +k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/klog/v2 v2.70.1 h1:7aaoSdahviPmR+XkS7FyxlkkXs6tHISSG03RxleQAVQ= k8s.io/klog/v2 v2.70.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-aggregator v0.23.3 h1:9IP+D+YzIbGor/TArN3pYf9Thj19wYhzLRGRrFaKFSs= k8s.io/kube-aggregator v0.23.3/go.mod h1:pt5QJ3QaIdhZzNlUvN5wndbM0LNT4BvhszGkzy2QdFo= +k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= +k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM= +k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE= +k8s.io/kube-openapi v0.0.0-20211110012726-3cc51fd1e909/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE= k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk= k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 h1:MQ8BAZPZlWk3S9K4a9NCkIFQtZShWqoha7snGixVgEA= k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU= +k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk= +k8s.io/legacy-cloud-providers v0.21.0 h1:iWf5xaX9yvYT5mkz8UB96UtISQ5IkrWeuMPMhRp01ZY= +k8s.io/legacy-cloud-providers v0.21.0/go.mod h1:bNxo7gDg+PGkBmT/MFZswLTWdSWK9kAlS1s8DJca5q4= +k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils 
v0.0.0-20210521133846-da695404a2bc/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20211203121628-587287796c64/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed h1:jAne/RjBTyawwAy0utX5eqigAwz/lQhTmy+Hr/Cpue4= k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +knative.dev/hack v0.0.0-20211122162614-813559cefdda/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI= +knative.dev/pkg v0.0.0-20211203062937-d37811b71d6a h1:3/Mfjwe2D5yP7ZYqU9WsXU/291176d3b0RZ6Ew8xolA= +knative.dev/pkg v0.0.0-20211203062937-d37811b71d6a/go.mod h1:AKPae1Cmj+k0GWXWnF2tKY7q5qPa1mTD7oCP4OeMvEM= +nhooyr.io/websocket v1.8.6/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0= +nhooyr.io/websocket v1.8.7/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0= +pack.ag/amqp v0.11.2/go.mod h1:4/cbmt4EJXSKlG6LCfWHoqmN0uFdy5i/+YFz+fTfhV4= +pgregory.net/rapid v0.3.3/go.mod h1:UYpPVyjFHzYBGHIxLFoupi8vwk6rXNzRY9OMvVxFIOU= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.14/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.15/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.27/go.mod h1:tq2nT0Kx7W+/f2JVE+zxYtUhdjuELJkVpNz+x/QN5R4= sigs.k8s.io/controller-runtime v0.13.0 
h1:iqa5RNciy7ADWnIc8QxCbOX5FEKVR3uxVxKHRMc2WIQ= sigs.k8s.io/controller-runtime v0.13.0/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/structured-merge-diff/v4 v4.1.0/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= +sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= +sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU= diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index a81555e8ba..856d6a4677 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go 
@@ -11,6 +11,10 @@ import ( "github.com/hashicorp/go-hclog" "github.com/spiffe/spire/pkg/agent/common/cgroups" + "github.com/spiffe/spire/pkg/agent/plugin/workloadattestor/k8s/sigstore" + "github.com/spiffe/spire/pkg/common/catalog" + "github.com/spiffe/spire/pkg/common/pemutil" + "github.com/spiffe/spire/pkg/common/telemetry" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" "k8s.io/apimachinery/pkg/types" 
@@ -22,6 +26,330 @@ func (p *Plugin) defaultKubeletCAPath() string { func (p *Plugin) defaultTokenPath() string { return defaultTokenPath +const ( + defaultMaxPollAttempts = 60 + defaultPollRetryInterval = time.Millisecond * 500 + defaultSecureKubeletPort = 10250 + defaultKubeletCAPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" + defaultTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token" //nolint: gosec // false positive + defaultNodeNameEnv = "MY_NODE_NAME" + defaultReloadInterval = time.Minute +) + +type containerLookup int + +const ( + containerInPod = iota + containerNotInPod + maximumAmountCache = 10 +) + +func builtin(p *Plugin) catalog.BuiltIn { + return catalog.MakeBuiltIn(pluginName, + workloadattestorv1.WorkloadAttestorPluginServer(p), + configv1.ConfigServiceServer(p), + ) +} + +// HCLConfig holds the configuration parsed from HCL +type HCLConfig struct { + // KubeletReadOnlyPort defines the read only port for the kubelet + // (typically 10255). This option is mutally exclusive with + // KubeletSecurePort. + KubeletReadOnlyPort int `hcl:"kubelet_read_only_port"` + + // KubeletSecurePort defines the secure port for the kubelet (typically + // 10250). This option is mutually exclusive with KubeletReadOnlyPort. + KubeletSecurePort int `hcl:"kubelet_secure_port"` + + // MaxPollAttempts is the maximum number of polling attempts for the + // container hosting the workload process. + MaxPollAttempts int `hcl:"max_poll_attempts"` + + // PollRetryInterval is the time in between polling attempts. + PollRetryInterval string `hcl:"poll_retry_interval"` + + // KubeletCAPath is the path to the CA certificate for authenticating the + // kubelet over the secure port. Required when using the secure port unless + // SkipKubeletVerification is set. Defaults to the cluster trust bundle. 
+ KubeletCAPath string `hcl:"kubelet_ca_path"` + + // SkipKubeletVerification controls whether or not the plugin will + // verify the certificate presented by the kubelet. + SkipKubeletVerification bool `hcl:"skip_kubelet_verification"` + + // TokenPath is the path to the bearer token used to authenticate to the + // secure port. Defaults to the default service account token path unless + // PrivateKeyPath and CertificatePath are specified. + TokenPath string `hcl:"token_path"` + + // CertificatePath is the path to a certificate key used for client + // authentication with the kubelet. Must be used with PrivateKeyPath. + CertificatePath string `hcl:"certificate_path"` + + // PrivateKeyPath is the path to a private key used for client + // authentication with the kubelet. Must be used with CertificatePath. + PrivateKeyPath string `hcl:"private_key_path"` + + // NodeNameEnv is the environment variable used to determine the node name + // for contacting the kubelet. It defaults to "MY_NODE_NAME". If the + // environment variable is not set, and NodeName is not specified, the + // plugin will default to localhost (which requires host networking). + NodeNameEnv string `hcl:"node_name_env"` + + // NodeName is the node name used when contacting the kubelet. If set, it + // takes precedence over NodeNameEnv. + NodeName string `hcl:"node_name"` + + // ReloadInterval controls how often TLS and token configuration is loaded + // from the disk. 
+ ReloadInterval string `hcl:"reload_interval"` + + // RekorURL is the URL for the rekor server to use to verify signatures and public keys + RekorURL string `hcl:"sigstore.rekor_url"` + + // SkippedImages is a list of images that should skip sigstore verification + SkippedImages []string `hcl:"sigstore.skip_signature_verification_image_list"` + + // AllowedSubjects is a flag indicating whether signature subjects should be compared against the allow-list + AllowedSubjectListEnabled bool `hcl:"sigstore.enable_allowed_subjects_list"` + + // AllowedSubjects is a list of subjects that should be allowed after verification + AllowedSubjects []string `hcl:"sigstore.allowed_subjects_list"` +} + +// k8sConfig holds the configuration distilled from HCL +type k8sConfig struct { + Secure bool + Port int + MaxPollAttempts int + PollRetryInterval time.Duration + SkipKubeletVerification bool + TokenPath string + CertificatePath string + PrivateKeyPath string + KubeletCAPath string + NodeName string + ReloadInterval time.Duration + + RekorURL string + SkippedImages []string + + AllowedSubjectListEnabled bool + AllowedSubjects []string + + Client *kubeletClient + LastReload time.Time +} + +type Plugin struct { + workloadattestorv1.UnsafeWorkloadAttestorServer + configv1.UnsafeConfigServer + + log hclog.Logger + fs cgroups.FileSystem + clock clock.Clock + getenv func(string) string + + mu sync.RWMutex + config *k8sConfig + + sigstore sigstore.Sigstore +} + +func New() *Plugin { + newcache := sigstore.NewCache(maximumAmountCache) + return &Plugin{ + fs: cgroups.OSFileSystem{}, + clock: clock.New(), + getenv: os.Getenv, + sigstore: sigstore.New(newcache, nil), + } +} + +func (p *Plugin) SetLogger(log hclog.Logger) { + p.log = log + p.sigstore.SetLogger(log) +} + +func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestRequest) (*workloadattestorv1.AttestResponse, error) { + config, err := p.getConfig() + if err != nil { + return nil, err + } + + podUID, containerID, 
err := p.getPodUIDAndContainerIDFromCGroups(req.Pid) + if err != nil { + return nil, err + } + + // Not a Kubernetes pod + if containerID == "" { + return &workloadattestorv1.AttestResponse{}, nil + } + + log := p.log.With( + telemetry.PodUID, podUID, + telemetry.ContainerID, containerID, + ) + + // Poll pod information and search for the pod with the container. If + // the pod is not found then delay for a little bit and try again. + for attempt := 1; ; attempt++ { + log = log.With(telemetry.Attempt, attempt) + + list, err := config.Client.GetPodList() + if err != nil { + return nil, err + } + + for _, item := range list.Items { + item := item + if item.UID != podUID { + continue + } + + status, lookup := lookUpContainerInPod(containerID, item.Status) + switch lookup { + case containerInPod: + selectors := getSelectorValuesFromPodInfo(&item, status) + log.Debug("Attemping to get signature info from image", status) + sigstoreSelectors, err := p.sigstore.AttestContainerSignatures(status, ctx) + if err != nil { + log.Error("Error retrieving signature payload: ", "error", err) + } else { + selectors = append(selectors, sigstoreSelectors...) + } + + return &workloadattestorv1.AttestResponse{ + SelectorValues: selectors, + }, nil + case containerNotInPod: + } + } + + // if the container was not located after the maximum number of attempts then the search is over. + if attempt >= config.MaxPollAttempts { + log.Warn("Container id not found; giving up") + return nil, status.Error(codes.DeadlineExceeded, "no selectors found after max poll attempts") + } + + // wait a bit for containers to initialize before trying again. 
+ log.Warn("Container id not found", telemetry.RetryInterval, config.PollRetryInterval) + + select { + case <-p.clock.After(config.PollRetryInterval): + case <-ctx.Done(): + return nil, status.Errorf(codes.Canceled, "no selectors found: %v", ctx.Err()) + } + } +} + +func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) (resp *configv1.ConfigureResponse, err error) { + // Parse HCL config payload into config struct + config := new(HCLConfig) + if err := hcl.Decode(config, req.HclConfiguration); err != nil { + return nil, status.Errorf(codes.InvalidArgument, "unable to decode configuration: %v", err) + } + + // Determine max poll attempts with default + maxPollAttempts := config.MaxPollAttempts + if maxPollAttempts <= 0 { + maxPollAttempts = defaultMaxPollAttempts + } + + // Determine poll retry interval with default + var pollRetryInterval time.Duration + if config.PollRetryInterval != "" { + pollRetryInterval, err = time.ParseDuration(config.PollRetryInterval) + if err != nil { + return nil, status.Errorf(codes.InvalidArgument, "unable to parse poll retry interval: %v", err) + } + } + if pollRetryInterval <= 0 { + pollRetryInterval = defaultPollRetryInterval + } + + // Determine reload interval + var reloadInterval time.Duration + if config.ReloadInterval != "" { + reloadInterval, err = time.ParseDuration(config.ReloadInterval) + if err != nil { + return nil, status.Errorf(codes.InvalidArgument, "unable to parse reload interval: %v", err) + } + } + if reloadInterval <= 0 { + reloadInterval = defaultReloadInterval + } + + // Determine which kubelet port to hit. Default to the secure port if none + // is specified (this is backwards compatible because the read-only-port + // config value has always been required, so it should already be set in + // existing configurations that rely on it). 
+ if config.KubeletSecurePort > 0 && config.KubeletReadOnlyPort > 0 { + return nil, status.Error(codes.InvalidArgument, "cannot use both the read-only and secure port") + } + port := config.KubeletReadOnlyPort + secure := false + if port <= 0 { + port = config.KubeletSecurePort + secure = true + } + if port <= 0 { + port = defaultSecureKubeletPort + secure = true + } + + // Determine the node name + nodeName := p.getNodeName(config.NodeName, config.NodeNameEnv) + + // Configure the kubelet client + c := &k8sConfig{ + Secure: secure, + Port: port, + MaxPollAttempts: maxPollAttempts, + PollRetryInterval: pollRetryInterval, + SkipKubeletVerification: config.SkipKubeletVerification, + TokenPath: config.TokenPath, + CertificatePath: config.CertificatePath, + PrivateKeyPath: config.PrivateKeyPath, + KubeletCAPath: config.KubeletCAPath, + NodeName: nodeName, + ReloadInterval: reloadInterval, + + RekorURL: config.RekorURL, + SkippedImages: config.SkippedImages, + AllowedSubjectListEnabled: config.AllowedSubjectListEnabled, + AllowedSubjects: config.AllowedSubjects, + } + if err := p.reloadKubeletClient(c); err != nil { + return nil, err + } + + // Configure sigstore settings + p.sigstore.ClearSkipList() + if c.SkippedImages != nil { + for _, imageID := range c.SkippedImages { + p.sigstore.AddSkippedImage(imageID) + } + } + + p.sigstore.EnableAllowSubjectList(c.AllowedSubjectListEnabled) + p.sigstore.ClearAllowedSubjects() + if c.AllowedSubjects != nil { + for _, subject := range c.AllowedSubjects { + p.sigstore.AddAllowedSubject(subject) + } + } + if c.RekorURL != "" { + if err := p.sigstore.SetRekorURL(c.RekorURL); err != nil { + return nil, err + } + } + + // Set the config + p.setConfig(c) + return &configv1.ConfigureResponse{}, nil } func createHelper(c *Plugin) (ContainerHelper, error) { diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index be0dfc5bba..1229d078f7 100644 
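Review bot: In `Configure`, the sigstore state is rewritten (`ClearSkipList`, `ClearAllowedSubjects` and the two `Add…` loops) before the last call that can fail, `SetRekorURL`, so a rejected Rekor URL returns an error after the skip list and allowed-subject list have already been replaced and before `setConfig` runs. Moving the `if c.RekorURL != ""` block to directly after `reloadKubeletClient(c)` leaves only infallible calls behind it; an empty `rekor_url` on reconfigure also keeps the previously set server rather than restoring the default, which deserves a comment such as `// empty rekor_url keeps the previously configured server`. These setters run outside `p.mu` while `Attest` may be inside `p.sigstore.AttestContainerSignatures`, and the `sigstoreImpl` struct added later in this patch holds plain maps with no lock field, so the two can race unless the methods (not visible here) synchronize. `Attest` also calls into sigstore for every matched container whether or not any sigstore option was configured, so every attestation now depends on that call. As laid out, the added declarations open right after `return defaultTokenPath` and `Configure` is closed by the context brace, which looks like a rebase artifact worth checking.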
--- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -7,6 +7,7 @@ import ( "crypto/tls" "crypto/x509" "crypto/x509/pkix" + "errors" "fmt" "io" "math/big" @@ -18,7 +19,11 @@ import ( "testing" "time" + "github.com/hashicorp/go-hclog" + "github.com/sigstore/cosign/pkg/oci" + "github.com/spiffe/spire/pkg/agent/common/cgroups" "github.com/spiffe/spire/pkg/agent/plugin/workloadattestor" + "github.com/spiffe/spire/pkg/agent/plugin/workloadattestor/k8s/sigstore" "github.com/spiffe/spire/pkg/common/pemutil" "github.com/spiffe/spire/pkg/common/util" "github.com/spiffe/spire/proto/spire/common" @@ -28,6 +33,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/types" ) const ( 
@@ -78,6 +85,92 @@ FwOGLt+I3+9beT0vo+pn9Rq0squewFYe3aJbwpkyfP2xOovQCdm4PC8y {Type: "k8s", Value: "container-name:blog"}, } testPodAndContainerSelectors = append(testPodSelectors, testContainerSelectors...) + + testKindPodSelectors = []*common.Selector{ + {Type: "k8s", Value: "container-image:gcr.io/spiffe-io/spire-agent:0.8.1"}, + {Type: "k8s", Value: "container-image:gcr.io/spiffe-io/spire-agent@sha256:1e4c481d76e9ecbd3d8684891e0e46aa021a30920ca04936e1fdcc552747d941"}, + {Type: "k8s", Value: "container-name:workload-api-client"}, + {Type: "k8s", Value: "node-name:kind-control-plane"}, + {Type: "k8s", Value: "ns:default"}, + {Type: "k8s", Value: "pod-image-count:1"}, + {Type: "k8s", Value: "pod-image:gcr.io/spiffe-io/spire-agent:0.8.1"}, + {Type: "k8s", Value: "pod-image:gcr.io/spiffe-io/spire-agent@sha256:1e4c481d76e9ecbd3d8684891e0e46aa021a30920ca04936e1fdcc552747d941"}, + {Type: "k8s", Value: "pod-init-image-count:0"}, + {Type: "k8s", Value: "pod-label:app:sample-workload"}, + {Type: "k8s", Value: "pod-label:pod-template-hash:6658cb9566"}, + {Type: "k8s", Value: "pod-name:sample-workload-6658cb9566-5n4b4"}, + {Type: "k8s", Value: "pod-owner-uid:ReplicaSet:349d135e-3781-43e3-bc25-c900aedf1d0c"}, + {Type: "k8s", Value: "pod-owner:ReplicaSet:sample-workload-6658cb9566"}, + {Type: "k8s", Value: "pod-uid:a2830d0d-b0f0-4ff0-81b5-0ee4e299cf80"}, + {Type: "k8s", Value: "sa:default"}, + } + + testInitPodSelectors = []*common.Selector{ + {Type: "k8s", Value: "container-image:docker-pullable://quay.io/coreos/flannel@sha256:1b401bf0c30bada9a539389c3be652b58fe38463361edf488e6543c8761d4970"}, + {Type: "k8s", Value: "container-image:quay.io/coreos/flannel:v0.9.0-amd64"}, + {Type: "k8s", Value: "container-name:install-cni"}, + {Type: "k8s", Value: "node-name:k8s-node-1"}, + {Type: "k8s", Value: "ns:kube-system"}, + {Type: "k8s", Value: "pod-image-count:1"}, + {Type: "k8s", Value: 
"pod-image:docker-pullable://quay.io/coreos/flannel@sha256:1b401bf0c30bada9a539389c3be652b58fe38463361edf488e6543c8761d4970"}, + {Type: "k8s", Value: "pod-image:quay.io/coreos/flannel:v0.9.0-amd64"}, + {Type: "k8s", Value: "pod-init-image-count:1"}, + {Type: "k8s", Value: "pod-init-image:docker-pullable://quay.io/coreos/flannel@sha256:1b401bf0c30bada9a539389c3be652b58fe38463361edf488e6543c8761d4970"}, + {Type: "k8s", Value: "pod-init-image:quay.io/coreos/flannel:v0.9.0-amd64"}, + {Type: "k8s", Value: "pod-label:app:flannel"}, + {Type: "k8s", Value: "pod-label:controller-revision-hash:1846323910"}, + {Type: "k8s", Value: "pod-label:pod-template-generation:1"}, + {Type: "k8s", Value: "pod-label:tier:node"}, + {Type: "k8s", Value: "pod-name:kube-flannel-ds-gp1g9"}, + {Type: "k8s", Value: "pod-owner-uid:DaemonSet:2f0350fc-b29d-11e7-9350-020968147796"}, + {Type: "k8s", Value: "pod-owner:DaemonSet:kube-flannel-ds"}, + {Type: "k8s", Value: "pod-uid:d488cae9-b2a0-11e7-9350-020968147796"}, + {Type: "k8s", Value: "sa:flannel"}, + } + testSigstoreSelectors = []*common.Selector{ + {Type: "k8s", Value: "container-image:docker-pullable://localhost/spiffe/blog@sha256:0cfdaced91cb46dd7af48309799a3c351e4ca2d5e1ee9737ca0cbd932cb79898"}, + {Type: "k8s", Value: "container-image:localhost/spiffe/blog:latest"}, + {Type: "k8s", Value: "container-name:blog"}, + {Type: "k8s", Value: "docker://9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961:image-signature-subject:sigstore-subject"}, + {Type: "k8s", Value: "node-name:k8s-node-1"}, + {Type: "k8s", Value: "ns:default"}, + {Type: "k8s", Value: "pod-image-count:2"}, + {Type: "k8s", Value: "pod-image:docker-pullable://localhost/spiffe/blog@sha256:0cfdaced91cb46dd7af48309799a3c351e4ca2d5e1ee9737ca0cbd932cb79898"}, + {Type: "k8s", Value: "pod-image:docker-pullable://localhost/spiffe/ghostunnel@sha256:b2fc20676c92a433b9a91f3f4535faddec0c2c3613849ac12f02c1d5cfcd4c3a"}, + {Type: "k8s", Value: 
"pod-image:localhost/spiffe/blog:latest"}, + {Type: "k8s", Value: "pod-image:localhost/spiffe/ghostunnel:latest"}, + {Type: "k8s", Value: "pod-init-image-count:0"}, + {Type: "k8s", Value: "pod-label:k8s-app:blog"}, + {Type: "k8s", Value: "pod-label:version:v0"}, + {Type: "k8s", Value: "pod-name:blog-24ck7"}, + {Type: "k8s", Value: "pod-owner-uid:ReplicationController:2c401175-b29f-11e7-9350-020968147796"}, + {Type: "k8s", Value: "pod-owner:ReplicationController:blog"}, + {Type: "k8s", Value: "pod-uid:2c48913c-b29f-11e7-9350-020968147796"}, + {Type: "k8s", Value: "sa:default"}, + {Type: "k8s", Value: "sigstore-validation:passed"}, + } + + testSigstoreSkippedSelectors = []*common.Selector{ + {Type: "k8s", Value: "container-image:docker-pullable://localhost/spiffe/blog@sha256:0cfdaced91cb46dd7af48309799a3c351e4ca2d5e1ee9737ca0cbd932cb79898"}, + {Type: "k8s", Value: "container-image:localhost/spiffe/blog:latest"}, + {Type: "k8s", Value: "container-name:blog"}, + {Type: "k8s", Value: "node-name:k8s-node-1"}, + {Type: "k8s", Value: "ns:default"}, + {Type: "k8s", Value: "pod-image-count:2"}, + {Type: "k8s", Value: "pod-image:docker-pullable://localhost/spiffe/blog@sha256:0cfdaced91cb46dd7af48309799a3c351e4ca2d5e1ee9737ca0cbd932cb79898"}, + {Type: "k8s", Value: "pod-image:docker-pullable://localhost/spiffe/ghostunnel@sha256:b2fc20676c92a433b9a91f3f4535faddec0c2c3613849ac12f02c1d5cfcd4c3a"}, + {Type: "k8s", Value: "pod-image:localhost/spiffe/blog:latest"}, + {Type: "k8s", Value: "pod-image:localhost/spiffe/ghostunnel:latest"}, + {Type: "k8s", Value: "pod-init-image-count:0"}, + {Type: "k8s", Value: "pod-label:k8s-app:blog"}, + {Type: "k8s", Value: "pod-label:version:v0"}, + {Type: "k8s", Value: "pod-name:blog-24ck7"}, + {Type: "k8s", Value: "pod-owner-uid:ReplicationController:2c401175-b29f-11e7-9350-020968147796"}, + {Type: "k8s", Value: "pod-owner:ReplicationController:blog"}, + {Type: "k8s", Value: "pod-uid:2c48913c-b29f-11e7-9350-020968147796"}, + {Type: "k8s", Value: 
"sa:default"}, + {Type: "k8s", Value: "sigstore-validation:passed"}, + } ) type attestResult struct { @@ -103,7 +196,12 @@ type Suite struct { kubeletCert *x509.Certificate clientCert *x509.Certificate - oc *osConfig + oc *osConfig + sigstoreSelectors []sigstore.SelectorsFromSignatures + sigstoreSigs []oci.Signature + sigstoreSkipSigs bool + sigstoreSkippedSigSelectors []string + sigstoreReturnError error } func (s *Suite) SetupTest() { @@ -116,6 +214,9 @@ func (s *Suite) SetupTest() { s.podList = nil s.env = map[string]string{} s.oc = createOSConfig() + + s.sigstoreSelectors = nil + s.sigstoreSigs = nil } func (s *Suite) TearDownTest() { 
@@ -130,6 +231,59 @@ func (s *Suite) TestAttestWithPidInPod() { s.requireAttestSuccessWithPod(p) } +func (s *Suite) TestAttestWithSigstoreSignatures() { + s.startInsecureKubelet() + s.setSigstoreSelectors([]sigstore.SelectorsFromSignatures{ + { + Subject: "sigstore-subject", + Verified: true, + }, + }) + p := s.loadInsecurePlugin() + s.requireAttestSuccessWithPodAndSignature(p) + s.setSigstoreSelectors(nil) +} + +func (s *Suite) TestAttestWithSigstoreSkippedImage() { + s.startInsecureKubelet() + // Skip the image + s.setSigstoreSkipSigs(true) + s.setSigstoreSkippedSigSelectors([]string{"sigstore-validation:passed"}) + p := s.loadInsecurePlugin() + s.requireAttestSuccessWithPodAndSkippedImage(p) + s.setSigstoreSkipSigs(false) + s.setSigstoreSkippedSigSelectors(nil) +} + +func (s *Suite) TestAttestWithFailedSigstoreSignatures() { + s.startInsecureKubelet() + p := s.loadInsecurePlugin() + s.setSigstoreReturnError(errors.New("sigstore error")) + s.requireAttestSuccessWithPod(p) + s.setSigstoreReturnError(nil) +} + +func (s *Suite) TestAttestWithPidInKindPod() { + s.startInsecureKubelet() + p := s.loadInsecurePlugin() + + s.requireAttestSuccessWithKindPod(p) +} + +func (s *Suite) TestAttestWithPidInPodSystemdCgroups() { + s.startInsecureKubelet() + p := s.loadInsecurePlugin() + + s.requireAttestSuccessWithPodSystemdCgroups(p) +} + +func (s *Suite) TestAttestWithInitPidInPod() { + s.startInsecureKubelet() + p := s.loadInsecurePlugin() + + s.requireAttestSuccessWithInitPod(p) +} + func (s *Suite) TestAttestWithPidInPodAfterRetry() { s.startInsecureKubelet() p := s.loadInsecurePlugin() 
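Review bot: `TestAttestWithFailedSigstoreSignatures` calls `s.setSigstoreReturnError(...)` after `s.loadInsecurePlugin()`, but `newPlugin` copies `s.sigstoreReturnError` into the `sigstoreMock` when the plugin is built, so (assuming `loadInsecurePlugin` goes through `newPlugin`, which this hunk does not show) the mock still returns a nil error and the failure branch in `Attest` is never exercised. Set the error before loading, as the two tests above do with their setters: `s.setSigstoreReturnError(errors.New("sigstore error"))` followed by `p := s.loadInsecurePlugin()`. The resets at the end of each test are skipped when a `Require` assertion aborts, and `SetupTest` only clears `sigstoreSelectors` and `sigstoreSigs`; clearing `sigstoreSkipSigs`, `sigstoreSkippedSigSelectors` and `sigstoreReturnError` there as well would stop state leaking between tests.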
@@ -285,23 +439,28 @@ func (s *Suite) TestConfigure() { s.writeCert("some-other-ca", s.kubeletCert) type config struct { - Insecure bool - VerifyKubelet bool - HasNodeName bool - Token string - KubeletURL string - MaxPollAttempts int - PollRetryInterval time.Duration - ReloadInterval time.Duration + Insecure bool + VerifyKubelet bool + HasNodeName bool + Token string + KubeletURL string + MaxPollAttempts int + PollRetryInterval time.Duration + ReloadInterval time.Duration + SkippedImages []string + AllowedSubjectListEnabled bool + AllowedSubjects []string + RekorURL string } testCases := []struct { - name string - raw string - hcl string - config *config - errCode codes.Code - errMsg string + name string + raw string + hcl string + config *config + sigstoreError error + errCode codes.Code + errMsg string }{ { name: "insecure defaults", 
@@ -507,22 +666,84 @@ func (s *Suite) TestConfigure() { errCode: codes.InvalidArgument, errMsg: "unable to load private key", }, + { + name: "secure defaults with skipped images for sigstore", + hcl: ` + skip_signature_verification_image_list = ["sha:image1hash","sha:image2hash"] + `, + config: &config{ + VerifyKubelet: true, + Token: "default-token", + KubeletURL: "https://127.0.0.1:10250", + MaxPollAttempts: defaultMaxPollAttempts, + PollRetryInterval: defaultPollRetryInterval, + ReloadInterval: defaultReloadInterval, + SkippedImages: []string{ + "sha:image1hash", + "sha:image2hash", + }, + }, + }, + { + name: "secure defaults with allowed subjects for sigstore", + hcl: ` + enable_allowed_subjects_list = true, + allowed_subjects_list = ["spirex@example.com","spirex1@example.com"] + `, + config: &config{ + VerifyKubelet: true, + Token: "default-token", + KubeletURL: "https://127.0.0.1:10250", + MaxPollAttempts: defaultMaxPollAttempts, + PollRetryInterval: defaultPollRetryInterval, + ReloadInterval: defaultReloadInterval, + AllowedSubjectListEnabled: true, + AllowedSubjects: []string{"spirex@example.com", "spirex1@example.com"}, + }, + }, + { + name: "secure defaults with rekor URL", + hcl: ` + rekor_url = "https://rekor.example.com" + `, + config: &config{ + VerifyKubelet: true, + Token: "default-token", + KubeletURL: "https://127.0.0.1:10250", + MaxPollAttempts: defaultMaxPollAttempts, + PollRetryInterval: defaultPollRetryInterval, + ReloadInterval: defaultReloadInterval, + RekorURL: "https://rekor.example.com", + }, + }, + { + name: "secure defaults with empty rekor URL", + hcl: ` + rekor_url = "inva{{{lid}" + `, + sigstoreError: errors.New("Error parsing rekor URI"), + config: nil, + errMsg: "Error parsing rekor URI", + }, } for _, testCase := range testCases { testCase := testCase // alias loop variable as it is used in the closure s.T().Run(testCase.name, func(t *testing.T) { p := s.newPlugin() - + p.sigstore.(*sigstoreMock).returnError = 
testCase.sigstoreError var err error plugintest.Load(s.T(), builtin(p), nil, plugintest.Configure(testCase.hcl), plugintest.CaptureConfigureError(&err)) - if testCase.errMsg != "" { s.RequireGRPCStatusContains(err, testCase.errCode, testCase.errMsg) return } + if testCase.sigstoreError != nil { + p.sigstore.(*sigstoreMock).returnError = nil + return + } require.NotNil(t, testCase.config, "test case missing expected config") assert.NoError(t, err) 
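Review bot: The case named "secure defaults with empty rekor URL" passes a malformed value, `inva{{{lid}`, not an empty one, and its failure comes from the `sigstoreError` injected into the mock rather than from URL parsing, so the real validation of `rekor_url` is not covered by this test. The case sets `errMsg` without `errCode`, leaving the expected code at its zero value, and because `errMsg` is non-empty the run returns before the new `if testCase.sigstoreError != nil` branch, which is therefore unreachable for the only case that sets it. Renaming the case to "secure defaults with invalid rekor URL", stating the expected code explicitly and dropping the dead branch would make the intent checkable. The HCL keys used in the new cases (`rekor_url`, `allowed_subjects_list`) also differ from the `sigstore.`-prefixed struct tags on `HCLConfig` in this patch, so confirm the decoder really maps them. The test function starts and ends outside this hunk.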
@@ -552,10 +773,119 @@ func (s *Suite) TestConfigure() { assert.Equal(t, testCase.config.MaxPollAttempts, c.MaxPollAttempts) assert.Equal(t, testCase.config.PollRetryInterval, c.PollRetryInterval) assert.Equal(t, testCase.config.ReloadInterval, c.ReloadInterval) + assert.Equal(t, testCase.config.SkippedImages, c.SkippedImages) + assert.Equal(t, testCase.config.AllowedSubjectListEnabled, c.AllowedSubjectListEnabled) + assert.Equal(t, testCase.config.AllowedSubjects, c.AllowedSubjects) + assert.Equal(t, testCase.config.RekorURL, c.RekorURL) }) } } +type signature struct { + oci.Signature + + payload []byte + cert *x509.Certificate +} + +func (signature) Annotations() (map[string]string, error) { + return nil, nil +} + +func (s signature) Payload() ([]byte, error) { + return s.payload, nil +} + +func (signature) Base64Signature() (string, error) { + return "", nil +} + +func (s signature) Cert() (*x509.Certificate, error) { + return s.cert, nil +} + +func (signature) Chain() ([]*x509.Certificate, error) { + return nil, nil +} + +func (signature) Bundle() (*oci.Bundle, error) { + return nil, nil +} + +type sigstoreMock struct { + selectors []sigstore.SelectorsFromSignatures + + sigs []oci.Signature + skipSigs bool + skippedSigSelectors []string + returnError error + + rekorURL string +} + +// SetLogger implements sigstore.Sigstore +func (*sigstoreMock) SetLogger(logger hclog.Logger) { +} + +func (s *sigstoreMock) FetchImageSignatures(imageName string, ctx context.Context) ([]oci.Signature, error) { + return s.sigs, s.returnError +} + +func (s *sigstoreMock) SelectorValuesFromSignature(signatures oci.Signature, containerID string) sigstore.SelectorsFromSignatures { + return s.selectors[0] +} + +func (s *sigstoreMock) ExtractSelectorsFromSignatures(signatures []oci.Signature, containerID string) []sigstore.SelectorsFromSignatures { + return s.selectors +} + +func (s *sigstoreMock) ShouldSkipImage(imageID string) (bool, error) { + return s.skipSigs, s.returnError +} + 
+func (s *sigstoreMock) AddSkippedImage(string) { +} +func (s *sigstoreMock) ClearSkipList() { +} + +func (s *sigstoreMock) AddAllowedSubject(subject string) { +} + +func (s *sigstoreMock) ClearAllowedSubjects() { +} + +func (s *sigstoreMock) EnableAllowSubjectList(flag bool) { +} +func (s *sigstoreMock) AttestContainerSignatures(status *corev1.ContainerStatus, ctx context.Context) ([]string, error) { + if s.skipSigs { + return s.skippedSigSelectors, nil + } + var selectorsString []string + for _, selector := range s.selectors { + if selector.Subject != "" { + selectorsString = append(selectorsString, fmt.Sprintf("%s:image-signature-subject:%s", status.ContainerID, selector.Subject)) + } + if selector.Content != "" { + selectorsString = append(selectorsString, fmt.Sprintf("%s:image-signature-content:%s", status.ContainerID, selector.Content)) + } + if selector.LogID != "" { + selectorsString = append(selectorsString, fmt.Sprintf("%s:image-signature-logid:%s", status.ContainerID, selector.LogID)) + } + if selector.IntegratedTime != "" { + selectorsString = append(selectorsString, fmt.Sprintf("%s:image-signature-integrated-time:%s", status.ContainerID, selector.IntegratedTime)) + } + if selector.Verified { + selectorsString = append(selectorsString, "sigstore-validation:passed") + } + } + return selectorsString, s.returnError +} + +func (s *sigstoreMock) SetRekorURL(url string) error { + s.rekorURL = url + return s.returnError +} + func (s *Suite) newPlugin() *Plugin { p := New() p.fs = testFS(s.dir) @@ -563,6 +893,14 @@ func (s *Suite) newPlugin() *Plugin { p.getenv = func(key string) string { return s.env[key] } + p.sigstore = &sigstoreMock{ + selectors: s.sigstoreSelectors, + sigs: s.sigstoreSigs, + skipSigs: s.sigstoreSkipSigs, + skippedSigSelectors: s.sigstoreSkippedSigSelectors, + returnError: s.sigstoreReturnError, + } + return p } 
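Review bot: `sigstoreMock.AttestContainerSignatures` returns `s.skippedSigSelectors` verbatim when `skipSigs` is set, and the skipped-image test supplies `sigstore-validation:passed`, so the suite pins the behaviour that an image on the skip list carries the same selector as one whose signature was verified. If the real implementation does the same (it is outside this hunk), a registration entry keyed on that selector cannot tell a verified image from an exempted one; a comment on the mock such as `// skip-listed images are reported as passed without verification` would make that trust decision explicit. The no-op `AddSkippedImage`, `AddAllowedSubject` and `EnableAllowSubjectList` mean `TestConfigure` cannot observe whether `Configure` forwards the lists, so recording the arguments on the mock would close that gap. `SelectorValuesFromSignature` indexes `s.selectors[0]` and panics on an empty slice; `if len(s.selectors) == 0 { return sigstore.SelectorsFromSignatures{} }` guards it.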
@@ -573,6 +911,32 @@ func (s *Suite) setServer(server *httptest.Server) { s.server = server } +func (s *Suite) setSigstoreSelectors(selectors []sigstore.SelectorsFromSignatures) { + s.sigstoreSelectors = selectors + if s.sigstoreSelectors == nil { + s.sigstoreSigs = nil + return + } + s.sigstoreSigs = []oci.Signature{ + signature{ + payload: []byte("payload"), + cert: &x509.Certificate{}, + }, + } +} + +func (s *Suite) setSigstoreSkipSigs(skip bool) { + s.sigstoreSkipSigs = skip +} + +func (s *Suite) setSigstoreSkippedSigSelectors(selectors []string) { + s.sigstoreSkippedSigSelectors = selectors +} + +func (s *Suite) setSigstoreReturnError(err error) { + s.sigstoreReturnError = err +} + func (s *Suite) writeFile(path, data string) { realPath := filepath.Join(s.dir, path) s.Require().NoError(os.MkdirAll(filepath.Dir(realPath), 0755)) 
@@ -767,6 +1131,31 @@ func (s *Suite) requireAttestSuccessWithPod(p workloadattestor.WorkloadAttestor) s.addPodListResponse(podListFilePath) s.addGetContainerResponsePidInPod() s.requireAttestSuccess(p, testPodAndContainerSelectors) + s.addCgroupsResponse(cgPidInPodFilePath) +} + +func (s *Suite) requireAttestSuccessWithPodAndSignature(p workloadattestor.WorkloadAttestor) { + s.addPodListResponse(podListFilePath) + s.addCgroupsResponse(cgPidInPodFilePath) + s.requireAttestSuccess(p, testSigstoreSelectors) +} + +func (s *Suite) requireAttestSuccessWithPodAndSkippedImage(p workloadattestor.WorkloadAttestor) { + s.addPodListResponse(podListFilePath) + s.addCgroupsResponse(cgPidInPodFilePath) + s.requireAttestSuccess(p, testSigstoreSkippedSelectors) +} + +func (s *Suite) requireAttestSuccessWithKindPod(p workloadattestor.WorkloadAttestor) { + s.addPodListResponse(kindPodListFilePath) + s.addCgroupsResponse(cgPidInKindPodFilePath) + s.requireAttestSuccess(p, testKindPodSelectors) +} + +func (s *Suite) requireAttestSuccessWithPodSystemdCgroups(p workloadattestor.WorkloadAttestor) { + s.addPodListResponse(podListFilePath) + s.addCgroupsResponse(cgSystemdPidInPodFilePath) + s.requireAttestSuccess(p, testPodSelectors) } func (s *Suite) requireAttestSuccess(p workloadattestor.WorkloadAttestor, expectedSelectors []*common.Selector) { diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go new file mode 100644 index 0000000000..3776544990 --- /dev/null +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go 
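Review bot: The added `s.addCgroupsResponse(cgPidInPodFilePath)` in `requireAttestSuccessWithPod` sits after `s.requireAttestSuccess(p, testPodAndContainerSelectors)`, so it cannot influence the attestation it follows and only leaves state behind for whatever runs next; drop it or move it above the assertion. The new helpers rely on `addCgroupsResponse`, `kindPodListFilePath`, `cgPidInKindPodFilePath` and `cgSystemdPidInPodFilePath`, none of which is defined in the visible part of this patch, while the existing helper uses `addGetContainerResponsePidInPod()`. That mismatch may be a leftover from a rebase, so confirm these names exist for every build target this test file compiles under. `requireAttestSuccess` continues outside the hunk.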
@@ -0,0 +1,430 @@ +package sigstore + +import ( + "bytes" + "context" + "crypto/x509" + "encoding/base64" + "encoding/json" + "errors" + "fmt" + "net/url" + "strconv" + "strings" + + "github.com/google/go-containerregistry/pkg/name" + v1 "github.com/google/go-containerregistry/pkg/v1" + "github.com/google/go-containerregistry/pkg/v1/remote" + "github.com/hashicorp/go-hclog" + "github.com/sigstore/cosign/cmd/cosign/cli/fulcio" + "github.com/sigstore/cosign/pkg/cosign" + "github.com/sigstore/cosign/pkg/oci" + rekor "github.com/sigstore/rekor/pkg/generated/client" + "github.com/sigstore/sigstore/pkg/signature/payload" + corev1 "k8s.io/api/core/v1" +) + +const ( + // Signature Verification Selector + signatureVerifiedSelector = "sigstore-validation:passed" +) + +type Sigstore interface { + AttestContainerSignatures(status *corev1.ContainerStatus, ctx context.Context) ([]string, error) + FetchImageSignatures(imageName string, ctx context.Context) ([]oci.Signature, error) + SelectorValuesFromSignature(oci.Signature, string) SelectorsFromSignatures + ExtractSelectorsFromSignatures(signatures []oci.Signature, containerID string) []SelectorsFromSignatures + ShouldSkipImage(imageID string) (bool, error) + AddSkippedImage(imageID string) + ClearSkipList() + AddAllowedSubject(subject string) + EnableAllowSubjectList(bool) + ClearAllowedSubjects() + SetRekorURL(rekorURL string) error + SetLogger(logger hclog.Logger) +} + +type sigstoreImpl struct { + verifyFunction func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) + fetchImageManifestFunction func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) + skippedImages map[string]bool + allowListEnabled bool + subjectAllowList map[string]bool + rekorURL url.URL + checkOptsFunction func(url.URL) *cosign.CheckOpts + logger hclog.Logger + sigstorecache Cache +} + +func New(cache Cache, logger hclog.Logger) Sigstore { + return &sigstoreImpl{ + verifyFunction: 
cosign.VerifyImageSignatures, + fetchImageManifestFunction: remote.Get, + checkOptsFunction: DefaultCheckOpts, + + rekorURL: url.URL{ + Scheme: rekor.DefaultSchemes[0], + Host: rekor.DefaultHost, + Path: rekor.DefaultBasePath, + }, + logger: logger, + sigstorecache: cache, + } +} + +func DefaultCheckOpts(rekorURL url.URL) *cosign.CheckOpts { + co := &cosign.CheckOpts{} + + // Set the rekor client + co.RekorClient = rekor.NewHTTPClientWithConfig(nil, rekor.DefaultTransportConfig().WithBasePath(rekorURL.Path).WithHost(rekorURL.Host)) + + co.RootCerts = fulcio.GetRoots() + + return co +} + +func (s *sigstoreImpl) SetLogger(logger hclog.Logger) { + s.logger = logger +} + +// FetchImageSignatures retrieves signatures for specified image via cosign, using the specified rekor server. +// Returns a list of verified signatures, and an error if any. +func (s *sigstoreImpl) FetchImageSignatures(imageName string, ctx context.Context) ([]oci.Signature, error) { + ref, err := name.ParseReference(imageName) + if err != nil { + message := fmt.Errorf("error parsing image reference: %w", err) + return nil, message + } + + if _, err := s.ValidateImage(ref); err != nil { + message := fmt.Errorf("could not validate image reference digest: %w", err) + return nil, message + } + + co := s.checkOptsFunction(s.rekorURL) + sigs, ok, err := s.verifyFunction(ctx, ref, co) + if err != nil { + message := fmt.Errorf("error verifying signature: %w", err) + return nil, message + } + if !ok { + return nil, fmt.Errorf("bundle not verified for %q", imageName) + } + + return sigs, nil +} + +// ExtractSelectorsFromSignatures extracts selectors from a list of image signatures. +// returns a list of selector strings. 
+func (s *sigstoreImpl) ExtractSelectorsFromSignatures(signatures []oci.Signature, containerID string) []SelectorsFromSignatures { + // Payload can be empty if the attestor fails to retrieve it + if signatures == nil { + return nil + } + var selectors []SelectorsFromSignatures + for _, sig := range signatures { + // verify which subject + sigSelectors := s.SelectorValuesFromSignature(sig, containerID) + if sigSelectors.Verified { + selectors = append(selectors, sigSelectors) + } + } + return selectors +} + +// The following structs are used to go through the payload json objects +type BundleSignature struct { + Content string `json:"content"` + Format string `json:"format"` + PublicKey map[string]string `json:"publicKey"` +} + +type BundleSpec struct { + Data map[string]map[string]string `json:"data"` + Signature BundleSignature `json:"signature"` +} + +type BundleBody struct { + APIVersion string `json:"apiVersion"` + Kind string `json:"kind"` + Spec BundleSpec `json:"spec"` +} + +type SelectorsFromSignatures struct { + Subject string + Content string + LogID string + IntegratedTime string + Verified bool +} + +// SelectorValuesFromSignature extracts selectors from a signature. +// returns a list of selectors. 
+func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, containerID string) SelectorsFromSignatures { + var selectorsFromSignatures SelectorsFromSignatures + subject, err := getSignatureSubject(signature) + + if err != nil { + s.logger.Error("Error getting signature subject", "error", err) + return selectorsFromSignatures + } + + if subject == "" { + s.logger.Error("Error getting signature subject: empty subject") + return selectorsFromSignatures + } + + suppress := false + if s.allowListEnabled { + if _, ok := s.subjectAllowList[subject]; !ok { + suppress = true + } + } + + if !suppress { + selectorsFromSignatures.Subject = subject + selectorsFromSignatures.Verified = true + + bundle, err := signature.Bundle() + if err != nil { + s.logger.Error("error getting signature bundle: ", err.Error()) + } else { + sigContent, err := getBundleSignatureContent(bundle) + if err != nil { + s.logger.Error("error getting signature content", "error", err) + } else { + selectorsFromSignatures.Content = sigContent + } + if bundle.Payload.LogID != "" { + selectorsFromSignatures.LogID = bundle.Payload.LogID + } + if bundle.Payload.IntegratedTime != 0 { + selectorsFromSignatures.IntegratedTime = strconv.FormatInt(bundle.Payload.IntegratedTime, 10) + } + } + } + return selectorsFromSignatures +} + +// ShouldSkipImage checks the skip list for the image ID in the container status. +// If the image ID is found in the skip list, it returns true. +// If the image ID is not found in the skip list, it returns false. +func (s *sigstoreImpl) ShouldSkipImage(imageID string) (bool, error) { + if s.skippedImages == nil { + return false, nil + } + if imageID == "" { + return false, errors.New("image ID is empty") + } + _, ok := s.skippedImages[imageID] + return ok, nil +} + +// AddSkippedImage adds the image ID and selectors to the skip list. 
+func (s *sigstoreImpl) AddSkippedImage(imageID string) { + if s.skippedImages == nil { + s.skippedImages = make(map[string]bool) + } + s.skippedImages[imageID] = true +} + +// ClearSkipList clears the skip list. +func (s *sigstoreImpl) ClearSkipList() { + for k := range s.skippedImages { + delete(s.skippedImages, k) + } + s.skippedImages = nil +} + +// ValidateImage validates if the image manifest hash matches the digest in the image reference +func (s *sigstoreImpl) ValidateImage(ref name.Reference) (bool, error) { + desc, err := s.fetchImageManifestFunction(ref) + if err != nil { + return false, err + } + if len(desc.Manifest) == 0 { + return false, errors.New("manifest is empty") + } + hash, _, err := v1.SHA256(bytes.NewReader(desc.Manifest)) + if err != nil { + return false, err + } + + return validateRefDigest(ref, hash.String()) +} + +func (s *sigstoreImpl) AddAllowedSubject(subject string) { + if s.subjectAllowList == nil { + s.subjectAllowList = make(map[string]bool) + } + s.subjectAllowList[subject] = true +} + +func (s *sigstoreImpl) ClearAllowedSubjects() { + for k := range s.subjectAllowList { + delete(s.subjectAllowList, k) + } + s.subjectAllowList = nil +} + +func (s *sigstoreImpl) EnableAllowSubjectList(flag bool) { + s.allowListEnabled = flag +} + +func (s *sigstoreImpl) AttestContainerSignatures(status *corev1.ContainerStatus, ctx context.Context) ([]string, error) { + skip, _ := s.ShouldSkipImage(status.ImageID) + if skip { + return []string{signatureVerifiedSelector}, nil + } + + imageID := status.ImageID + + cachedSignature := s.sigstorecache.GetSignature(imageID) + if cachedSignature != nil { + s.logger.Debug("Found cached signature", "imageId", imageID) + } else { + signatures, err := s.FetchImageSignatures(imageID, ctx) + if err != nil { + return nil, err + } + + selectors := s.ExtractSelectorsFromSignatures(signatures, status.ContainerID) + + cachedSignature = &Item{ + Key: imageID, + Value: selectors, + } + + s.logger.Debug("Caching 
signature", "imageID", imageID) + s.sigstorecache.PutSignature(*cachedSignature) + } + + var selectorsString []string + if len(cachedSignature.Value) > 0 { + for _, selector := range cachedSignature.Value { + toString := selectorsToString(selector, status.ContainerID) + selectorsString = append(selectorsString, toString...) + } + selectorsString = append(selectorsString, signatureVerifiedSelector) + } + + return selectorsString, nil +} + +func (s *sigstoreImpl) SetRekorURL(rekorURL string) error { + if rekorURL == "" { + return errors.New("rekor URL is empty") + } + rekorURI, err := url.Parse(rekorURL) + if err != nil { + return fmt.Errorf("failed to parsing rekor URI: %w", err) + } + if rekorURI.Scheme != "" && rekorURI.Scheme != "https" { + return fmt.Errorf("invalid rekor URL Scheme: %s", rekorURI.Scheme) + } + if rekorURI.Host == "" { + return fmt.Errorf("invalid rekor URL Host: %s", rekorURI.Host) + } + s.rekorURL = *rekorURI + return nil +} + +func getSignatureSubject(signature oci.Signature) (string, error) { + if signature == nil { + return "", errors.New("signature is nil") + } + ss := payload.SimpleContainerImage{} + pl, err := signature.Payload() + if err != nil { + return "", err + } + err = json.Unmarshal(pl, &ss) + if err != nil { + return "", err + } + cert, err := signature.Cert() + if err != nil { + return "", fmt.Errorf("failed to access signature certificate: %w", err) + } + + subject := "" + if len(ss.Optional) > 0 { + subjString, ok := ss.Optional["subject"] + if ok { + subj, ok := subjString.(string) + if ok { + subject = subj + } + } + } + if cert != nil { + subject = certSubject(cert) + } + + return subject, nil +} + +func getBundleSignatureContent(bundle *oci.Bundle) (string, error) { + if bundle == nil { + return "", errors.New("bundle is nil") + } + body64, ok := bundle.Payload.Body.(string) + if !ok { + return "", errors.New("payload body is not a string") + } + body, err := base64.StdEncoding.DecodeString(body64) + if err != nil { + 
return "", err + } + var bundleBody BundleBody + if err := json.Unmarshal(body, &bundleBody); err != nil { + return "", fmt.Errorf("failed to parse bundle body: %w", err) + } + + if bundleBody.Spec.Signature.Content == "" { + return "", errors.New("bundle payload body has no signature content") + } + + return bundleBody.Spec.Signature.Content, nil +} + +func selectorsToString(selectors SelectorsFromSignatures, containerID string) []string { + var selectorsString []string + if selectors.Subject != "" { + selectorsString = append(selectorsString, fmt.Sprintf("%s:image-signature-subject:%s", containerID, selectors.Subject)) + } + if selectors.Content != "" { + selectorsString = append(selectorsString, fmt.Sprintf("%s:image-signature-content:%s", containerID, selectors.Content)) + } + if selectors.LogID != "" { + selectorsString = append(selectorsString, fmt.Sprintf("%s:image-signature-logid:%s", containerID, selectors.LogID)) + } + if selectors.IntegratedTime != "" { + selectorsString = append(selectorsString, fmt.Sprintf("%s:image-signature-integrated-time:%s", containerID, selectors.IntegratedTime)) + } + return selectorsString +} + +func certSubject(c *x509.Certificate) string { + switch { + case c == nil: + return "" + case len(c.EmailAddresses) > 0: + return c.EmailAddresses[0] + case len(c.URIs) > 0: + // removing leading '//' from c.URIs[0].String() + return strings.TrimPrefix(c.URIs[0].String(), "//") + default: + return "" + } +} + +func validateRefDigest(ref name.Reference, digest string) (bool, error) { + if dgst, ok := ref.(name.Digest); ok { + if dgst.DigestStr() == digest { + return true, nil + } + return false, fmt.Errorf("digest %s does not match %s", digest, dgst.DigestStr()) + } + return false, fmt.Errorf("reference %s is not a digest", ref.String()) +} diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go new file mode 100644 index 0000000000..bf2d130adf 
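Review bot: `SetRekorURL` rejects any non-empty scheme other than `https`, but `DefaultCheckOpts` builds the Rekor client from `rekorURL.Path` and `rekorURL.Host` only, so the validated scheme never reaches the transport. The client therefore uses whatever scheme `rekor.DefaultTransportConfig()` defaults to, which is not visible here; `New` seeds the URL from `rekor.DefaultSchemes[0]`. Pass the scheme through explicitly, e.g. `rekor.DefaultTransportConfig().WithSchemes([]string{rekorURL.Scheme}).WithHost(rekorURL.Host).WithBasePath(rekorURL.Path)`. `SetRekorURL` should also require `rekorURI.Scheme == "https"` rather than accepting an empty scheme, so the transparency-log lookups behind the `sigstore-validation:passed` selector cannot silently run over plaintext. A unit test asserting the scheme of the client built by `DefaultCheckOpts` would pin this down.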
--- /dev/null +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go 
@@ -0,0 +1,1805 @@ +package sigstore + +import ( + "context" + "crypto" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/x509" + "crypto/x509/pkix" + "errors" + "fmt" + "math/big" + "net/url" + "reflect" + "testing" + "time" + + "github.com/google/go-containerregistry/pkg/name" + v1 "github.com/google/go-containerregistry/pkg/v1" + "github.com/google/go-containerregistry/pkg/v1/remote" + "github.com/hashicorp/go-hclog" + "github.com/sigstore/cosign/pkg/cosign" + "github.com/sigstore/cosign/pkg/oci" + rekor "github.com/sigstore/rekor/pkg/generated/client" + corev1 "k8s.io/api/core/v1" +) + +const ( + maximumAmountCache = 10 +) + +type signature struct { + v1.Layer + + payload []byte + cert *x509.Certificate + bundle *oci.Bundle +} + +func (signature) Annotations() (map[string]string, error) { + return nil, nil +} + +func (s signature) Payload() ([]byte, error) { + return s.payload, nil +} + +func (signature) Base64Signature() (string, error) { + return "", nil +} + +func (s signature) Cert() (*x509.Certificate, error) { + return s.cert, nil +} + +func (signature) Chain() ([]*x509.Certificate, error) { + return nil, nil +} + +func (s signature) Bundle() (*oci.Bundle, error) { + return s.bundle, nil +} + +func createCertificate(template *x509.Certificate, parent *x509.Certificate, pub interface{}, priv crypto.Signer) (*x509.Certificate, error) { + certBytes, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv) + if err != nil { + return nil, err + } + + cert, err := x509.ParseCertificate(certBytes) + if err != nil { + return nil, err + } + return cert, nil +} + +func GenerateRootCa() (*x509.Certificate, *ecdsa.PrivateKey, error) { + rootTemplate := &x509.Certificate{ + SerialNumber: big.NewInt(1), + Subject: pkix.Name{ + CommonName: "sigstore", + Organization: []string{"sigstore.dev"}, + }, + NotBefore: time.Now().Add(-5 * time.Minute), + NotAfter: time.Now().Add(5 * time.Hour), + KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, 
+ BasicConstraintsValid: true, + IsCA: true, + } + + priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + return nil, nil, err + } + + cert, err := createCertificate(rootTemplate, rootTemplate, &priv.PublicKey, priv) + if err != nil { + return nil, nil, err + } + + return cert, priv, nil +} + +func TestNew(t *testing.T) { + newcache := NewCache(maximumAmountCache) + + tests := []struct { + name string + want Sigstore + }{ + { + name: "New", + want: &sigstoreImpl{ + verifyFunction: cosign.VerifyImageSignatures, + fetchImageManifestFunction: remote.Get, + skippedImages: nil, + allowListEnabled: false, + subjectAllowList: map[string]bool{}, + rekorURL: url.URL{Scheme: rekor.DefaultSchemes[0], Host: rekor.DefaultHost, Path: rekor.DefaultBasePath}, + sigstorecache: newcache, + checkOptsFunction: DefaultCheckOpts, + logger: nil, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := New(newcache, nil); fmt.Sprintf("%v", got) != fmt.Sprintf("%v", tt.want) { + t.Errorf("New() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { + type fields struct { + verifyFunction func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) + fetchImageManifestFunction func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) + } + type args struct { + imageName string + } + emptyCheckOptsFunction := func(url.URL) *cosign.CheckOpts { + co := &cosign.CheckOpts{} + co.RekorClient = new(rekor.Rekor) + rootCert, _, _ := GenerateRootCa() + rootPool := x509.NewCertPool() + rootPool.AddCert(rootCert) + co.RootCerts = rootPool + + return co + } + + tests := []struct { + name string + fields fields + args args + want []oci.Signature + wantErr bool + }{ + { + name: "fetch image with signature", + fields: fields{ + verifyFunction: func(context context.Context, ref name.Reference, co *cosign.CheckOpts) 
([]oci.Signature, bool, error) { + return []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + }, true, nil + }, + fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { + return &remote.Descriptor{ + Manifest: []byte("sometext"), + }, nil + }, + }, + args: args{ + imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", + }, + want: []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + }, + wantErr: false, + }, + { + name: "fetch image with 2 signatures", + fields: fields{ + verifyFunction: func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { + return []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 4","key3": "value 5"}}`), + }, + }, true, nil + }, + fetchImageManifestFunction: func(ref 
name.Reference, options ...remote.Option) (*remote.Descriptor, error) { + return &remote.Descriptor{ + Manifest: []byte("sometext"), + }, nil + }, + }, + args: args{ + imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", + }, + want: []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 4","key3": "value 5"}}`), + }, + }, + wantErr: false, + }, + { + name: "fetch image with no signature", + fields: fields{ + verifyFunction: func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { + return []oci.Signature{}, true, fmt.Errorf("no matching signatures 1") + }, + fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { + return &remote.Descriptor{ + Manifest: []byte("sometext"), + }, nil + }, + }, + args: args{ + imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", + }, + want: nil, + wantErr: true, + }, + { // TODO: check again, same as above test. 
should never happen, since the verify function returns an error on empty verified signature list + name: "fetch image with no signature and no error", + fields: fields{ + verifyFunction: func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { + return []oci.Signature{}, true, fmt.Errorf("no matching signatures 2") + }, + fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { + return &remote.Descriptor{ + Manifest: []byte("sometext"), + }, nil + }, + }, + args: args{ + imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", + // + }, + want: nil, + wantErr: true, + }, + { + name: "fetch image with signature and error", + fields: fields{ + verifyFunction: func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { + return []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + }, true, errors.New("some error") + }, + fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { + return &remote.Descriptor{ + Manifest: []byte("sometext"), + }, nil + }, + }, + args: args{ + imageName: "docker-registry.com/some/image02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2", + }, + want: nil, + wantErr: true, + }, + { + name: "fetch image with signature no error, bundle not verified", + fields: fields{ + verifyFunction: func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { + return []oci.Signature{signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": 
"docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + }}, false, nil + }, + fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { + return &remote.Descriptor{ + Manifest: []byte("sometext"), + }, nil + }, + }, + args: args{ + imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", + }, + want: nil, + wantErr: true, + }, + { + name: "fetch image with invalid image reference", + fields: fields{ + verifyFunction: nil, + fetchImageManifestFunction: nil, + }, + args: args{ + imageName: "invali|].url.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", + }, + want: nil, + wantErr: true, + }, + { + name: "fetch image with signature, empty rekor url", + fields: fields{ + verifyFunction: func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { + return []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + }, true, nil + }, + fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { + return &remote.Descriptor{ + Manifest: []byte("sometext"), + }, nil + }, + }, + args: args{ + imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", + }, + want: []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": 
{"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + }, + wantErr: false, + }, + { + name: "fetch image with invalid image ref", + fields: fields{ + verifyFunction: nil, + fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { + return &remote.Descriptor{ + Manifest: []byte("sometext"), + }, nil + }, + }, + args: args{ + imageName: "docker-registry.com/some/image@sha256:4fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", + }, + want: nil, + wantErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + sigstore := sigstoreImpl{ + verifyFunction: tt.fields.verifyFunction, + fetchImageManifestFunction: tt.fields.fetchImageManifestFunction, + sigstorecache: NewCache(maximumAmountCache), + checkOptsFunction: emptyCheckOptsFunction, + } + got, err := sigstore.FetchImageSignatures(tt.args.imageName, context.Background()) + if (err != nil) != tt.wantErr { + t.Errorf("sigstoreImpl.FetchImageSignatures() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("sigstoreImpl.FetchImageSignatures() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { + type fields struct { + verifyFunction func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) + } + type args struct { + signatures []oci.Signature + } + tests := []struct { + name string + fields fields + args args + containerID string + want []SelectorsFromSignatures + wantError bool + }{ + { + name: "extract selector from single image signature array", + fields: fields{ + verifyFunction: nil, + }, + args: args{ + signatures: []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": 
{"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com"}}`), + bundle: &oci.Bundle{ + Payload: oci.BundlePayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, + }, + }, + }, + }, + }, + containerID: "000000", + want: []SelectorsFromSignatures{ + { + Subject: "spirex@example.com", + Content: "MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", + LogID: "samplelogID", + IntegratedTime: "12345", + Verified: true, + }, + }, + }, + { + name: "extract selector from image signature array with multiple entries", + fields: fields{ + verifyFunction: nil, + }, + args: args{ + signatures: []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex1@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &oci.Bundle{ + Payload: oci.BundlePayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID1", + IntegratedTime: 12345, + }, + }, + }, + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex2@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &oci.Bundle{ + Payload: oci.BundlePayload{ + Body: 
"ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUI9IgogICAgfQogIH0KfQo=", + LogID: "samplelogID2", + IntegratedTime: 12346, + }, + }, + }, + }, + }, + containerID: "111111", + want: []SelectorsFromSignatures{ + { + Subject: "spirex1@example.com", + Content: "MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", + LogID: "samplelogID1", + IntegratedTime: "12345", + Verified: true, + }, + { + Subject: "spirex2@example.com", + Content: "MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smB=", + LogID: "samplelogID2", + IntegratedTime: "12346", + Verified: true, + }, + }, + }, + { + name: "with invalid payload", + fields: fields{ + verifyFunction: nil, + }, + args: args{ + signatures: []oci.Signature{ + signature{ + payload: []byte{}, + }, + }, + }, + containerID: "222222", + want: nil, + }, + { + name: "extract selector from image signature with subject certificate", + fields: fields{ + verifyFunction: nil, + }, + args: args{ + signatures: []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "some reference"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"}}`), + cert: &x509.Certificate{ + EmailAddresses: []string{ + "spirex@example.com", + "spirex2@example.com", + }, + }, + bundle: &oci.Bundle{ + Payload: oci.BundlePayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, + }, + }, + }, + }, + }, + containerID: "333333", + want: []SelectorsFromSignatures{ + { + Subject: "spirex@example.com", + Content: 
"MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", + LogID: "samplelogID", + IntegratedTime: "12345", + Verified: true, + }, + }, + }, + { + name: "extract selector from image signature with URI certificate", + fields: fields{ + verifyFunction: nil, + }, + args: args{ + signatures: []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "some reference"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"}}`), + cert: &x509.Certificate{ + URIs: []*url.URL{ + { + Scheme: "https", + Host: "www.example.com", + Path: "somepath1", + }, + { + Scheme: "https", + Host: "www.spirex.com", + Path: "somepath2", + }, + }, + }, + bundle: &oci.Bundle{ + Payload: oci.BundlePayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, + }, + }, + }, + }, + }, + containerID: "444444", + want: []SelectorsFromSignatures{ + { + Subject: "https://www.example.com/somepath1", + Content: "MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", + LogID: "samplelogID", + IntegratedTime: "12345", + Verified: true, + }, + }, + }, + { + name: "extract selector from empty array", + fields: fields{ + verifyFunction: nil, + }, + args: args{ + signatures: []oci.Signature{}, + }, + containerID: "555555", + want: nil, + }, + { + name: "extract selector from nil array", + fields: fields{ + verifyFunction: nil, + }, + args: args{ + signatures: nil, + }, + containerID: "666666", + want: nil, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + s := sigstoreImpl{ + verifyFunction: tt.fields.verifyFunction, + logger: hclog.Default(), + } + if got := s.ExtractSelectorsFromSignatures(tt.args.signatures, 
tt.containerID); !reflect.DeepEqual(got, tt.want) { + t.Errorf("sigstoreImpl.ExtractSelectorsFromSignatures() = %v, want %v", got, tt.want) + } + }) + } +} + +type noCertSignature signature + +func (noCertSignature) Annotations() (map[string]string, error) { + return nil, nil +} + +func (s noCertSignature) Payload() ([]byte, error) { + return s.payload, nil +} + +func (noCertSignature) Base64Signature() (string, error) { + return "", nil +} + +func (noCertSignature) Cert() (*x509.Certificate, error) { + return nil, errors.New("no cert test") +} + +func (noCertSignature) Chain() ([]*x509.Certificate, error) { + return nil, nil +} + +func (noCertSignature) Bundle() (*oci.Bundle, error) { + return nil, nil +} + +type noPayloadSignature signature + +func (noPayloadSignature) Annotations() (map[string]string, error) { + return nil, nil +} + +func (noPayloadSignature) Payload() ([]byte, error) { + return nil, errors.New("no payload test") +} + +func (noPayloadSignature) Base64Signature() (string, error) { + return "", nil +} + +func (s noPayloadSignature) Cert() (*x509.Certificate, error) { + return s.cert, nil +} + +func (noPayloadSignature) Chain() ([]*x509.Certificate, error) { + return nil, nil +} + +func (noPayloadSignature) Bundle() (*oci.Bundle, error) { + return nil, nil +} + +type noBundleSignature signature + +func (noBundleSignature) Annotations() (map[string]string, error) { + return nil, nil +} + +func (s noBundleSignature) Payload() ([]byte, error) { + return s.payload, nil +} + +func (noBundleSignature) Base64Signature() (string, error) { + return "", nil +} + +func (s noBundleSignature) Cert() (*x509.Certificate, error) { + return s.cert, nil +} + +func (noBundleSignature) Chain() ([]*x509.Certificate, error) { + return nil, nil +} + +func (s noBundleSignature) Bundle() (*oci.Bundle, error) { + return nil, fmt.Errorf("no bundle test") +} +func Test_certSubject(t *testing.T) { + type args struct { + c *x509.Certificate + } + tests := []struct { + name 
string + args args + want string + }{ + { + name: "certSubject_single_email", + args: args{ + c: &x509.Certificate{ + EmailAddresses: []string{"example@example.com"}, + }, + }, + want: "example@example.com", + }, + { + name: "certSubject_multiple_email", + args: args{ + c: &x509.Certificate{ + EmailAddresses: []string{"example1@example1.com", "example2@example1.com"}, + }, + }, + want: "example1@example1.com", + }, + { + name: "certSubject_from_single_URI", + args: args{ + c: &x509.Certificate{ + URIs: []*url.URL{ + { + User: url.User("example"), Host: "example2.com"}, + }, + }, + }, + want: "example@example2.com", + }, + { + name: "certSubject_from_multiple_URIs", + args: args{ + c: &x509.Certificate{ + URIs: []*url.URL{ + { + User: url.User("example1"), + Host: "example2.com", + }, + { + User: url.User("example2"), + Host: "example2.com", + }, + }, + }, + }, + want: "example1@example2.com", + }, + { + name: "certSubject_empty_certificate", + args: args{ + c: &x509.Certificate{}, + }, + want: "", + }, + { + name: "certSubject_nil_certificate", + args: args{ + c: nil, + }, + want: "", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := certSubject(tt.args.c); got != tt.want { + t.Errorf("certSubject() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestSigstoreimpl_SkipImage(t *testing.T) { + type fields struct { + skippedImages map[string](bool) + } + type args struct { + imageID string + } + tests := []struct { + name string + fields fields + args args + want bool + wantErr bool + }{ + { + name: "skipping only image in list", + fields: fields{ + skippedImages: map[string]bool{ + "sha256:sampleimagehash": true, + }, + }, + args: args{ + imageID: "sha256:sampleimagehash", + }, + want: true, + wantErr: false, + }, + { + name: "skipping image in list", + fields: fields{ + skippedImages: map[string]bool{ + "sha256:sampleimagehash": true, + "sha256:sampleimagehash2": true, + "sha256:sampleimagehash3": true, + }, + }, + args: 
args{ + imageID: "sha256:sampleimagehash2", + }, + want: true, + wantErr: false, + }, + { + name: "image not in list", + fields: fields{ + skippedImages: map[string]bool{ + "sha256:sampleimagehash": true, + "sha256:sampleimagehash3": true, + }, + }, + args: args{ + imageID: "sha256:sampleimagehash2", + }, + want: false, + wantErr: false, + }, + { + name: "empty skip list", + fields: fields{ + skippedImages: nil, + }, + args: args{ + imageID: "sha256:sampleimagehash", + }, + want: false, + wantErr: false, + }, + { + name: "empty imageID", + fields: fields{ + skippedImages: map[string]bool{ + "sha256:sampleimagehash": true, + "sha256:sampleimagehash2": true, + "sha256:sampleimagehash3": true, + }, + }, + args: args{ + imageID: "", + }, + want: false, + wantErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + sigstore := sigstoreImpl{ + skippedImages: tt.fields.skippedImages, + } + got, err := sigstore.ShouldSkipImage(tt.args.imageID) + if (err != nil) != tt.wantErr { + t.Errorf("sigstoreImpl.SkipImage() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("sigstoreImpl.SkipImage() = %v, want %v", got, tt.want) + } + }) + } +} + +func Test_getSignatureSubject(t *testing.T) { + type args struct { + signature oci.Signature + } + tests := []struct { + name string + args args + want string + }{ + { + name: "single image signature", + args: args{ + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + }, + want: "spirex@example.com", + }, + { + name: "empty signature array", + args: args{signature: nil}, + want: "", + }, + { + name: "single image signature, no payload", + args: args{ + signature: noPayloadSignature{}, + }, + want: "", + }, + { + name: 
"single image signature, no certs", + args: args{ + signature: &noCertSignature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + }, + want: "", + }, + { + name: "single image signature,garbled subject in signature", + args: args{ + signature: &signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "s\\\\||as\0\0aasdasd/....???/.>wd12<><,,,><{}{pirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + }, + want: "", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got, _ := getSignatureSubject(tt.args.signature); got != tt.want { + t.Errorf("getSignatureSubject() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestSigstoreimpl_AddSkippedImage(t *testing.T) { + type fields struct { + verifyFunction func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) + fetchImageManifestFunction func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) + skippedImages map[string]bool + } + type args struct { + imageID string + } + tests := []struct { + name string + fields fields + args args + want map[string]bool + }{ + { + name: "add skipped image to empty map", + fields: fields{ + verifyFunction: nil, + fetchImageManifestFunction: nil, + skippedImages: nil, + }, + args: args{ + imageID: "sha256:sampleimagehash", + }, + want: map[string]bool{ + "sha256:sampleimagehash": true, + }, + }, + { + name: "add skipped image", + fields: fields{ + verifyFunction: nil, + fetchImageManifestFunction: nil, + skippedImages: map[string]bool{ + "sha256:sampleimagehash1": true, + }, + }, + args: args{ + imageID: 
"sha256:sampleimagehash", + }, + want: map[string]bool{ + "sha256:sampleimagehash": true, + "sha256:sampleimagehash1": true, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + sigstore := sigstoreImpl{ + verifyFunction: tt.fields.verifyFunction, + fetchImageManifestFunction: tt.fields.fetchImageManifestFunction, + skippedImages: tt.fields.skippedImages, + } + sigstore.AddSkippedImage(tt.args.imageID) + if !reflect.DeepEqual(sigstore.skippedImages, tt.want) { + t.Errorf("sigstore.skippedImages = %v, want %v", sigstore.skippedImages, tt.want) + } + }) + } +} + +func TestSigstoreimpl_ClearSkipList(t *testing.T) { + type fields struct { + verifyFunction func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) + fetchImageManifestFunction func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) + skippedImages map[string]bool + } + tests := []struct { + name string + fields fields + want map[string]bool + }{ + { + name: "clear single image in map", + fields: fields{ + + verifyFunction: nil, + fetchImageManifestFunction: nil, + skippedImages: map[string]bool{ + "sha256:sampleimagehash": true, + }, + }, + want: nil, + }, + { + name: "clear multiple images map", + fields: fields{ + verifyFunction: nil, + fetchImageManifestFunction: nil, + skippedImages: map[string]bool{ + "sha256:sampleimagehash": true, + "sha256:sampleimagehash1": true, + }, + }, + want: nil, + }, + { + name: "clear on empty map", + fields: fields{ + verifyFunction: nil, + fetchImageManifestFunction: nil, + skippedImages: map[string]bool{}, + }, + want: nil, + }, + { + name: "clear on nil map", + fields: fields{ + verifyFunction: nil, + fetchImageManifestFunction: nil, + skippedImages: nil, + }, + want: nil, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + sigstore := &sigstoreImpl{ + verifyFunction: tt.fields.verifyFunction, + fetchImageManifestFunction: 
tt.fields.fetchImageManifestFunction, + skippedImages: tt.fields.skippedImages, + } + sigstore.ClearSkipList() + if !reflect.DeepEqual(sigstore.skippedImages, tt.want) { + t.Errorf("sigstore.skippedImages = %v, want %v", sigstore.skippedImages, tt.want) + } + }) + } +} + +func TestSigstoreimpl_ValidateImage(t *testing.T) { + type fields struct { + verifyFunction func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) + fetchImageManifestFunction func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) + skippedImages map[string]bool + } + type args struct { + ref name.Reference + } + tests := []struct { + name string + fields fields + args args + want bool + wantErr bool + }{ + { + name: "validate image", + fields: fields{ + verifyFunction: nil, + fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { + return &remote.Descriptor{ + Manifest: []byte(`sometext`), + }, nil + }, + skippedImages: nil, + }, + args: args{ + ref: func(d name.Digest, err error) name.Digest { return d }(name.NewDigest("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505")), + }, + want: true, + wantErr: false, + }, + { + name: "error on image manifest fetch", + fields: fields{ + verifyFunction: nil, + fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { + return nil, errors.New("fetch error") + }, + skippedImages: nil, + }, + args: args{ + ref: func(d name.Digest, err error) name.Digest { return d }(name.NewDigest("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505")), + }, + want: false, + wantErr: true, + }, + { + name: "nil image manifest fetch", + fields: fields{ + verifyFunction: nil, + fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { + return &remote.Descriptor{ + 
Manifest: nil, + }, nil + }, + skippedImages: nil, + }, + args: args{ + ref: func(d name.Digest, err error) name.Digest { return d }(name.NewDigest("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505")), + }, + want: false, + wantErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + sigstore := &sigstoreImpl{ + verifyFunction: tt.fields.verifyFunction, + skippedImages: tt.fields.skippedImages, + fetchImageManifestFunction: tt.fields.fetchImageManifestFunction, + } + got, err := sigstore.ValidateImage(tt.args.ref) + if (err != nil) != tt.wantErr { + t.Errorf("sigstoreImpl.ValidateImage() error = %v, wantErr %v", err, tt.wantErr) + return + } + if got != tt.want { + t.Errorf("sigstoreImpl.ValidateImage() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestSigstoreimpl_AddAllowedSubject(t *testing.T) { + type fields struct { + subjectAllowList map[string]bool + } + type args struct { + subject string + } + tests := []struct { + name string + fields fields + args args + want map[string]bool + }{ + { + name: "add allowed subject to nil map", + fields: fields{ + subjectAllowList: nil, + }, + args: args{ + subject: "spirex@example.com", + }, + want: map[string]bool{ + "spirex@example.com": true, + }, + }, + { + name: "add allowed subject to empty map", + fields: fields{ + subjectAllowList: map[string]bool{}, + }, + args: args{ + subject: "spirex@example.com", + }, + want: map[string]bool{ + "spirex@example.com": true, + }, + }, + { + name: "add allowed subject to existing map", + fields: fields{ + subjectAllowList: map[string]bool{ + "spirex1@example.com": true, + "spirex2@example.com": true, + "spirex3@example.com": true, + "spirex5@example.com": true, + }, + }, + args: args{ + subject: "spirex4@example.com", + }, + want: map[string]bool{ + "spirex1@example.com": true, + "spirex2@example.com": true, + "spirex3@example.com": true, + "spirex4@example.com": true, + "spirex5@example.com": 
true, + }, + }, + { + name: "add existing allowed subject to existing map", + fields: fields{ + subjectAllowList: map[string]bool{ + "spirex1@example.com": true, + "spirex2@example.com": true, + "spirex3@example.com": true, + "spirex4@example.com": true, + "spirex5@example.com": true, + }, + }, + args: args{ + subject: "spirex4@example.com", + }, + want: map[string]bool{ + "spirex1@example.com": true, + "spirex2@example.com": true, + "spirex3@example.com": true, + "spirex4@example.com": true, + "spirex5@example.com": true, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + sigstore := &sigstoreImpl{ + subjectAllowList: tt.fields.subjectAllowList, + } + sigstore.AddAllowedSubject(tt.args.subject) + if !reflect.DeepEqual(sigstore.subjectAllowList, tt.want) { + t.Errorf("sigstore.subjectAllowList = %v, want %v", sigstore.subjectAllowList, tt.want) + } + }) + } +} + +func TestSigstoreimpl_ClearAllowedSubjects(t *testing.T) { + type fields struct { + subjectAllowList map[string]bool + } + tests := []struct { + name string + fields fields + want map[string]bool + }{ + + { + name: "clear existing map", + fields: fields{ + subjectAllowList: map[string]bool{ + "spirex1@example.com": true, + "spirex2@example.com": true, + "spirex3@example.com": true, + "spirex4@example.com": true, + "spirex5@example.com": true, + }, + }, + want: nil, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + sigstore := &sigstoreImpl{ + subjectAllowList: tt.fields.subjectAllowList, + } + sigstore.ClearAllowedSubjects() + if !reflect.DeepEqual(sigstore.subjectAllowList, tt.want) { + t.Errorf("sigstore.subjectAllowList = %v, want %v", sigstore.subjectAllowList, tt.want) + } + }) + } +} + +func TestSigstoreimpl_EnableAllowSubjectList(t *testing.T) { + type fields struct { + allowListEnabled bool + } + type args struct { + flag bool + } + tests := []struct { + name string + fields fields + args args + want bool + }{ + { + name: "disabling 
subject allow list", + fields: fields{ + allowListEnabled: true, + }, + args: args{ + flag: false, + }, + want: false, + }, + { + name: "enabling subject allow list", + fields: fields{ + allowListEnabled: false, + }, + args: args{ + flag: true, + }, + want: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + sigstore := &sigstoreImpl{ + allowListEnabled: tt.fields.allowListEnabled, + } + sigstore.EnableAllowSubjectList(tt.args.flag) + if sigstore.allowListEnabled != tt.want { + t.Errorf("sigstore.allowListEnabled = %v, want %v", sigstore.allowListEnabled, tt.want) + } + }) + } +} + +func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { + type fields struct { + allowListEnabled bool + subjectAllowList map[string]bool + } + type args struct { + signature oci.Signature + } + tests := []struct { + name string + fields fields + args args + containerID string + want SelectorsFromSignatures + }{ + { + name: "selector from signature", + fields: fields{ + allowListEnabled: false, + subjectAllowList: nil, + }, + args: args{ + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &oci.Bundle{ + Payload: oci.BundlePayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, + }, + }, + }, + }, + containerID: "000000", + want: SelectorsFromSignatures{ + Subject: "spirex@example.com", + Content: "MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", + LogID: "samplelogID", + 
IntegratedTime: "12345", + Verified: true, + }, + }, + { + name: "selector from signature, empty subject", + fields: fields{ + allowListEnabled: false, + subjectAllowList: nil, + }, + args: args{ + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "","key2": "value 2","key3": "value 3"}}`), + bundle: &oci.Bundle{ + Payload: oci.BundlePayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, + }, + }, + }, + }, + containerID: "111111", + want: SelectorsFromSignatures{}, + }, + { + name: "selector from signature, not in allowlist", + fields: fields{ + allowListEnabled: true, + subjectAllowList: map[string]bool{ + "spirex2@example.com": true, + }, + }, + args: args{ + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex1@example.com","key2": "value 2","key3": "value 3"}}`), + }, + }, + containerID: "222222", + want: SelectorsFromSignatures{}, + }, + { + name: "selector from signature, allowedlist enabled, in allowlist", + fields: fields{ + allowListEnabled: true, + subjectAllowList: map[string]bool{ + "spirex@example.com": true, + }, + }, + args: args{ + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some 
type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &oci.Bundle{ + Payload: oci.BundlePayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, + }, + }, + }, + }, + containerID: "333333", + want: SelectorsFromSignatures{ + + Subject: "spirex@example.com", + Content: "MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", + LogID: "samplelogID", + IntegratedTime: "12345", + Verified: true, + }, + }, + { + name: "selector from signature, allowedlist enabled, in allowlist, empty content", + fields: fields{ + allowListEnabled: true, + subjectAllowList: map[string]bool{ + "spirex@example.com": true, + }, + }, + args: args{ + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &oci.Bundle{ + Payload: oci.BundlePayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiIgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, + }, + }, + }, + }, + containerID: "444444", + want: SelectorsFromSignatures{ + Subject: "spirex@example.com", + LogID: "samplelogID", + IntegratedTime: "12345", + Verified: true}, + }, + + { + name: "selector from signature, no bundle", + fields: fields{ + allowListEnabled: false, + subjectAllowList: nil, + }, + args: args{ + signature: noBundleSignature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": 
"02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + }, + containerID: "555555", + want: SelectorsFromSignatures{ + + Subject: "spirex@example.com", + Verified: true, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + sigstore := &sigstoreImpl{ + allowListEnabled: tt.fields.allowListEnabled, + subjectAllowList: tt.fields.subjectAllowList, + logger: hclog.Default(), + } + if got := sigstore.SelectorValuesFromSignature(tt.args.signature, tt.containerID); !reflect.DeepEqual(got, tt.want) { + t.Errorf("sigstoreImpl.SelectorValuesFromSignature() = %v, want %v", got, tt.want) + } + }) + } +} + +func Test_getBundleSignatureContent(t *testing.T) { + type args struct { + bundle *oci.Bundle + } + tests := []struct { + name string + args args + want string + wantErr bool + }{ + { + name: "nil bundle", + args: args{ + bundle: nil, + }, + want: "", + wantErr: true, + }, + { + name: "Bundle payload body is not a string", + args: args{ + bundle: &oci.Bundle{ + Payload: oci.BundlePayload{ + Body: 42, + }, + }, + }, + want: "", + wantErr: true, + }, + { + name: "Bundle payload body is not valid base64", + args: args{ + bundle: &oci.Bundle{ + Payload: oci.BundlePayload{ + Body: "abc..........def", + }, + }, + }, + want: "", + wantErr: true, + }, + { + name: "Bundle payload body has no signature content", + args: args{ + bundle: &oci.Bundle{ + Payload: oci.BundlePayload{ + Body: "ewogICAgInNwZWMiOiB7CiAgICAgICJzaWduYXR1cmUiOiB7CiAgICAgIH0KICAgIH0KfQ==", + }, + }, + }, + want: "", + wantErr: true, + }, + { + name: "Bundle payload body signature content is empty", + args: args{ + bundle: &oci.Bundle{ + Payload: oci.BundlePayload{ + Body: "ewogICAgInNwZWMiOiB7CiAgICAgICAgInNpZ25hdHVyZSI6IHsKICAgICAgICAiY29udGVudCI6ICIiCiAgICAgICAgfQogICAgfQp9", + }, + }, + }, + want: "", + wantErr: true, + }, + { + name: "Bundle payload body is 
not a valid JSON", + args: args{ + bundle: &oci.Bundle{ + Payload: oci.BundlePayload{ + Body: "ewogICJzcGVjIjosLCB7CiAgICAic2lnbmF0dXJlIjogewogICAgICAiY29udGVudCI6ICJNRVVDSVFDeWVtOEdjcjBzUEZNUDdmVFhhekNONTdOY041K01qeEp3OU9vMHgyZU0rQUlnZGdCUDk2Qk8xVGUvTmRiakhiVWViMEJVeWU2ZGVSZ1Z0UUV2NU5vNXNtQT0iCiAgICB9CiAgfQp9", + }, + }, + }, + want: "", + wantErr: true, + }, + { + name: "Bundle payload body signature content is correct", + args: args{ + bundle: &oci.Bundle{ + Payload: oci.BundlePayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, + }, + }, + }, + want: "MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", + wantErr: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := getBundleSignatureContent(tt.args.bundle) + if (err != nil) != tt.wantErr { + t.Errorf("getBundleSignatureContent() error = %v, wantErr %v", err, tt.wantErr) + return + } + if got != tt.want { + t.Errorf("getBundleSignatureContent() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { + type fields struct { + verifyFunction func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) + fetchImageManifestFunction func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) + skippedImages map[string]bool + rekorURL url.URL + } + + emptyCheckOptsFunction := func(url.URL) *cosign.CheckOpts { + co := &cosign.CheckOpts{} + co.RekorClient = new(rekor.Rekor) + rootCert, _, _ := GenerateRootCa() + rootPool := x509.NewCertPool() + rootPool.AddCert(rootCert) + co.RootCerts = rootPool + + return co + } + + tests := []struct { + name string + fields fields + status 
corev1.ContainerStatus + want []string + wantErr bool + }{ + { + name: "Attest image with signature", + fields: fields{ + verifyFunction: func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { + return []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &oci.Bundle{ + Payload: oci.BundlePayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, + }, + }, + }, + }, true, nil + }, + fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { + return &remote.Descriptor{ + Manifest: []byte("sometext"), + }, nil + }, + }, + status: corev1.ContainerStatus{ + Image: "spire-agent-sigstore-1", + ImageID: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", + ContainerID: "000000", + }, + want: []string{ + "000000:image-signature-subject:spirex@example.com", "000000:image-signature-content:MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", "000000:image-signature-logid:samplelogID", "000000:image-signature-integrated-time:12345", "sigstore-validation:passed", + }, + wantErr: false, + }, + { + name: "Attest skipped image", + fields: fields{ + verifyFunction: func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { + return nil, true, nil + }, + fetchImageManifestFunction: func(ref name.Reference, options 
...remote.Option) (*remote.Descriptor, error) { + return &remote.Descriptor{ + Manifest: []byte("sometext"), + }, nil + }, + skippedImages: map[string]bool{ + "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505": true, + }, + }, + status: corev1.ContainerStatus{ + Image: "spire-agent-sigstore-2", + ImageID: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", + ContainerID: "111111", + }, + want: []string{ + "sigstore-validation:passed", + }, + wantErr: false, + }, + { + name: "Attest image with no signature", + fields: fields{ + verifyFunction: func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { + return nil, true, fmt.Errorf("no signature found") + }, + fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { + return &remote.Descriptor{ + Manifest: []byte("sometext"), + }, nil + }, + skippedImages: nil, + }, + status: corev1.ContainerStatus{ + Image: "spire-agent-sigstore-3", + ImageID: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", + ContainerID: "222222", + }, + want: nil, + wantErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + sigstore := &sigstoreImpl{ + verifyFunction: tt.fields.verifyFunction, + fetchImageManifestFunction: tt.fields.fetchImageManifestFunction, + skippedImages: tt.fields.skippedImages, + rekorURL: tt.fields.rekorURL, + sigstorecache: NewCache(maximumAmountCache), + checkOptsFunction: emptyCheckOptsFunction, + logger: hclog.Default(), + } + got, err := sigstore.AttestContainerSignatures(&tt.status, context.Background()) + if (err != nil) != tt.wantErr { + t.Errorf("sigstoreImpl.AttestContainerSignatures() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !reflect.DeepEqual(got, tt.want) { + 
t.Errorf("sigstoreImpl.AttestContainerSignatures() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestSigstoreimpl_SetRekorURL(t *testing.T) { + type fields struct { + rekorURL url.URL + } + type args struct { + rekorURL string + } + tests := []struct { + name string + fields fields + args args + want url.URL + wantErr bool + }{ + { + name: "SetRekorURL", + fields: fields{ + rekorURL: url.URL{}, + }, + args: args{ + rekorURL: "https://rekor.com", + }, + want: url.URL{ + Scheme: "https", + Host: "rekor.com", + }, + wantErr: false, + }, + { + name: "SetRekorURL with empty url", + fields: fields{ + rekorURL: url.URL{ + Scheme: "https", + Host: "non.empty.url", + }, + }, + args: args{ + rekorURL: "", + }, + want: url.URL{ + Scheme: "https", + Host: "non.empty.url", + }, + wantErr: true, + }, + { + name: "SetRekorURL with invalid URL", + fields: fields{ + rekorURL: url.URL{}, + }, + args: args{ + rekorURL: "http://invalid.{{}))}.url.com", // invalid url + }, + want: url.URL{}, + wantErr: true, + }, + { + name: "SetRekorURL with empty host url", + fields: fields{ + rekorURL: url.URL{}, + }, + args: args{ + rekorURL: "path-no-host", // URI parser uses this as path, not host + }, + want: url.URL{}, + wantErr: true, + }, + { + name: "SetRekorURL with invalid URL scheme", + fields: fields{ + rekorURL: url.URL{}, + }, + args: args{ + rekorURL: "abc://invalid.url.com", // invalid scheme + }, + want: url.URL{}, + wantErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + sigstore := &sigstoreImpl{ + rekorURL: tt.fields.rekorURL, + } + if err := sigstore.SetRekorURL(tt.args.rekorURL); (err != nil) != tt.wantErr { + t.Errorf("sigstoreImpl.SetRekorURL() error = %v, wantErr %v", err, tt.wantErr) + } + if !reflect.DeepEqual(sigstore.rekorURL, tt.want) { + t.Errorf("sigstoreImpl.SetRekorURL() = %v, want %v", sigstore.rekorURL, tt.want) + } + }) + } +} 
diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache.go
new file mode 100644
index 0000000000..bc617eb440
--- /dev/null
+++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache.go
@@ -0,0 +1,85 @@
+package sigstore
+
+import (
+ "container/list"
+ "sync"
+)
+
+// Item represents a key-value pair
+type Item struct {
+ Key string
+ Value []SelectorsFromSignatures
+}
+
+// Cache defines the behaviors of our cache
+type Cache interface {
+ GetSignature(key string) *Item
+ PutSignature(Item)
+}
+
+// Map for signatures is created
+type MapItem struct {
+ element *list.Element
+ item *Item
+}
+
+// cacheImpl implements Cache interface
+type cacheImpl struct {
+ size int
+ items *list.List
+ mutex sync.RWMutex
+ itemsMap map[string]MapItem
+}
+
+// NewCache creates and returns a new cache
+func NewCache(maximumAmountCache int) Cache {
+ return &cacheImpl{
+ size: maximumAmountCache,
+ items: list.New(),
+ mutex: sync.RWMutex{},
+ itemsMap: make(map[string]MapItem),
+ }
+}
+
+// GetSignature returns an existing item from the cache.
+// Get also moves the existing item to the front of the items list to indicate that the existing item is recently used.
+func (c *cacheImpl) GetSignature(key string) *Item {
+ c.mutex.RLock()
+ defer c.mutex.RUnlock()
+
+ e, ok := c.itemsMap[key]
+ if !ok {
+ return nil
+ }
+
+ c.items.MoveToFront(e.element)
+
+ return e.item
+}
+
+// PutSignature puts a new item into the cache.
+// Put removes the least recently used item from the items list when the cache is full.
+// Put pushes the new item to the front of the items list to indicate that the new item is recently used.
+func (c *cacheImpl) PutSignature(i Item) {
+ c.mutex.Lock()
+ defer c.mutex.Unlock()
+
+ e, ok := c.itemsMap[i.Key]
+ if ok {
+ c.items.Remove(e.element)
+ c.itemsMap[i.Key] = MapItem{
+ element: c.items.PushFront(i.Key),
+ item: &i,
+ }
+ } else {
+ if c.items.Len() >= c.size {
+ removed := c.items.Remove(c.items.Back())
+ delete(c.itemsMap, removed.(string))
+ }
+
+ c.itemsMap[i.Key] = MapItem{
+ element: c.items.PushFront(i.Key),
+ item: &i,
+ }
+ }
+}
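Review bot: `GetSignature` holds only the read lock but then calls `c.items.MoveToFront(e.element)`, which rewrites the list's links, so two concurrent lookups can race with each other and corrupt the LRU order. Because the lookup mutates shared state it needs the exclusive lock: `c.mutex.Lock()` and `defer c.mutex.Unlock()`. Separately, `NewCache` accepts any size; with a size of zero or less the first `PutSignature` reaches `c.items.Remove(c.items.Back())` on an empty list, where `Back()` returns nil. Rejecting non-positive sizes in `NewCache`, or guarding the eviction with `c.items.Len() > 0`, avoids that.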
diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go new file mode 100644 index 0000000000..4bcbaee505 --- /dev/null +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go 
@@ -0,0 +1,209 @@ +package sigstore + +import ( + "container/list" + "reflect" + "sync" + "testing" +) + +var ( + selectors1 = Item{ + Key: "signature1", + Value: []SelectorsFromSignatures{ + { + + Subject: "spirex1@example.com", + Content: "content1", + LogID: "1111111111111111", + IntegratedTime: "1111111111111111", + }, + }, + } + + selectors2 = Item{ + Key: "signature2", + Value: []SelectorsFromSignatures{ + { + + Subject: "spirex2@example.com", + Content: "content2", + LogID: "2222222222222222", + IntegratedTime: "2222222222222222", + }, + }, + } + + selectors3 = Item{ + Key: "signature3", + Value: []SelectorsFromSignatures{ + { + Subject: "spirex3@example.com", + Content: "content3", + LogID: "3333333333333333", + IntegratedTime: "3333333333333333", + }, + }, + } + + selectors3Updated = Item{ + Key: "signature3", + Value: []SelectorsFromSignatures{ + { + Subject: "spirex3@example.com", + Content: "content4", + LogID: "4444444444444444", + IntegratedTime: "4444444444444444", + }, + }, + } +) + +func TestNewCache(t *testing.T) { + tests := []struct { + name string + want Cache + }{ + { + name: "New", + want: &cacheImpl{ + size: 3, + items: list.New(), + mutex: sync.RWMutex{}, + itemsMap: make(map[string]MapItem), + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := NewCache(3); !reflect.DeepEqual(got, tt.want) { + t.Errorf("NewCache() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestCacheimpl_GetSignature(t *testing.T) { + m := make(map[string]MapItem) + items := list.New() + + m[selectors1.Key] = MapItem{ + item: &selectors1, + element: items.PushFront(selectors1.Key), + } + m[selectors2.Key] = MapItem{ + item: &selectors2, + element: items.PushFront(selectors2.Key), + } + + cacheInstance := &cacheImpl{ + size: 3, + items: items, + mutex: sync.RWMutex{}, + itemsMap: m, + } + + tests := []struct { + name string + want *Item + key string + errorMessage string + }{ + { + name: "Non existing entry", + want: nil, + 
key: selectors3.Key, + errorMessage: "A non-existing item's key should return a nil item.", + }, + { + name: "Existing entry", + want: &selectors1, + key: selectors1.Key, + errorMessage: "An existing items key's should return the existing item", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := cacheInstance.GetSignature(tt.key); !reflect.DeepEqual(got, tt.want) { + t.Errorf("%v Got: %v Want: %v", tt.errorMessage, got, tt.want) + } + }) + } +} + +func TestCacheimpl_PutSignature(t *testing.T) { + m := make(map[string]MapItem) + items := list.New() + + cacheInstance := &cacheImpl{ + size: 2, + items: items, + mutex: sync.RWMutex{}, + itemsMap: m, + } + + tests := []struct { + name string + item *Item + wantLength int + wantKey string + wantValue *Item + }{ + { + name: "Put first element", + item: &selectors1, + wantLength: 1, + wantKey: selectors1.Key, + wantValue: &selectors1, + }, + { + name: "Put first element again", + item: &selectors1, + wantLength: 1, + wantKey: selectors1.Key, + wantValue: &selectors1, + }, + { + name: "Put second element", + item: &selectors2, + wantLength: 2, + wantKey: selectors2.Key, + wantValue: &selectors2, + }, + { + name: "Overflow cache", + item: &selectors3, + wantLength: 2, + wantKey: selectors3.Key, + wantValue: &selectors3, + }, + { + name: "Update entry", + item: &selectors3Updated, + wantLength: 2, + wantKey: selectors3.Key, + wantValue: &selectors3Updated, + }, + } + + putKeys := 0 + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + cacheInstance.PutSignature(*tt.item) + putKeys++ + gotLen := cacheInstance.items.Len() + if gotLen != tt.wantLength { + t.Errorf("Item count should be %v after putting %v keys", tt.wantLength, putKeys) + } + gotItem, present := m[tt.wantKey] + if !present { + t.Errorf("Key put but not found: %v", tt.wantKey) + } + + if !reflect.DeepEqual(gotItem.item, tt.wantValue) { + t.Errorf("Value different than expected. 
\nGot: %v \nWant:%v", gotItem.item, tt.wantValue) + } + }) + } +} From ddc2f143857016c9e49866652cb3ec616f62c499 Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Mon, 13 Jun 2022 20:15:33 -0400 Subject: [PATCH 073/257] Fix hcl on k8s tests Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s_test.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index 1229d078f7..1c54ca4c3c 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -669,7 +669,7 @@ func (s *Suite) TestConfigure() { { name: "secure defaults with skipped images for sigstore", hcl: ` - skip_signature_verification_image_list = ["sha:image1hash","sha:image2hash"] + sigstore.skip_signature_verification_image_list = ["sha:image1hash","sha:image2hash"] `, config: &config{ VerifyKubelet: true, @@ -687,8 +687,8 @@ func (s *Suite) TestConfigure() { { name: "secure defaults with allowed subjects for sigstore", hcl: ` - enable_allowed_subjects_list = true, - allowed_subjects_list = ["spirex@example.com","spirex1@example.com"] + sigstore.enable_allowed_subjects_list = true, + sigstore.allowed_subjects_list = ["spirex@example.com","spirex1@example.com"] `, config: &config{ VerifyKubelet: true, @@ -704,7 +704,7 @@ func (s *Suite) TestConfigure() { { name: "secure defaults with rekor URL", hcl: ` - rekor_url = "https://rekor.example.com" + sigstore.rekor_url = "https://rekor.example.com" `, config: &config{ VerifyKubelet: true, @@ -719,7 +719,7 @@ func (s *Suite) TestConfigure() { { name: "secure defaults with empty rekor URL", hcl: ` - rekor_url = "inva{{{lid}" + sigstore.rekor_url = "inva{{{lid}" `, sigstoreError: errors.New("Error parsing rekor URI"), config: nil, From 8401e1b0103075e47bbb352d2a6c7656d4fc66e5 Mon Sep 17 00:00:00 2001 
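Review bot: The "Overflow cache" case in `TestCacheimpl_PutSignature` checks only the list length and that the new key is present, so it would still pass if the cache evicted the wrong entry. Adding an expectation for the evicted key to the table (for that case, `selectors1.Key`) and asserting `if _, ok := m[evictedKey]; ok { t.Errorf(...) }` pins the LRU policy. `TestCacheimpl_GetSignature` likewise never checks that a hit moves the element to the front of `items`, and no case calls the cache from more than one goroutine, so running these tests with `-race` would not exercise the locking in `GetSignature`.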
From: Willian Alves Date: Tue, 14 Jun 2022 08:17:11 -0400 Subject: [PATCH 074/257] Adjust on log message Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index 856d6a4677..9f708336ee 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go @@ -213,7 +213,7 @@ func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestReque switch lookup { case containerInPod: selectors := getSelectorValuesFromPodInfo(&item, status) - log.Debug("Attemping to get signature info from image", status) + log.Debug("Attemping to get signature info from image", status.Name) sigstoreSelectors, err := p.sigstore.AttestContainerSignatures(status, ctx) if err != nil { log.Error("Error retrieving signature payload: ", "error", err) From 1a6ebf9916a40e15224c8310be7abcf00081df46 Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Tue, 14 Jun 2022 15:31:37 -0400 Subject: [PATCH 075/257] Adjust lint error Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go | 2 +- pkg/agent/plugin/workloadattestor/k8s/k8s_test.go | 4 ++-- .../plugin/workloadattestor/k8s/sigstore/sigstore.go | 10 +++++----- .../workloadattestor/k8s/sigstore/sigstore_test.go | 4 ++-- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index 9f708336ee..cdd7a55397 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go 
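Review bot: The changed `log.Debug` call passes `status.Name` as a single trailing argument, while the neighbouring `log.Error("Error retrieving signature payload: ", "error", err)` shows this logger is used with key/value pairs, so the name will presumably be reported as an unpaired extra value rather than a field. Give it a key and fix the typo in the message while here: `log.Debug("Attempting to get signature info from image", "containerName", status.Name)`. The body of `Attest` starts and ends outside the hunk.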
@@ -214,7 +214,7 @@ func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestReque case containerInPod: selectors := getSelectorValuesFromPodInfo(&item, status) log.Debug("Attemping to get signature info from image", status.Name) - sigstoreSelectors, err := p.sigstore.AttestContainerSignatures(status, ctx) + sigstoreSelectors, err := p.sigstore.AttestContainerSignatures(ctx, status) if err != nil { log.Error("Error retrieving signature payload: ", "error", err) } else { diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index 1c54ca4c3c..2fa301756f 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -827,7 +827,7 @@ type sigstoreMock struct { func (*sigstoreMock) SetLogger(logger hclog.Logger) { } -func (s *sigstoreMock) FetchImageSignatures(imageName string, ctx context.Context) ([]oci.Signature, error) { +func (s *sigstoreMock) FetchImageSignatures(ctx context.Context, imageName string) ([]oci.Signature, error) { return s.sigs, s.returnError } @@ -856,7 +856,7 @@ func (s *sigstoreMock) ClearAllowedSubjects() { func (s *sigstoreMock) EnableAllowSubjectList(flag bool) { } -func (s *sigstoreMock) AttestContainerSignatures(status *corev1.ContainerStatus, ctx context.Context) ([]string, error) { +func (s *sigstoreMock) AttestContainerSignatures(ctx context.Context, status *corev1.ContainerStatus) ([]string, error) { if s.skipSigs { return s.skippedSigSelectors, nil } diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 3776544990..739d9ccf07 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go 
@@ -30,8 +30,8 @@ const ( ) type Sigstore interface { - AttestContainerSignatures(status *corev1.ContainerStatus, ctx context.Context) ([]string, error) - FetchImageSignatures(imageName string, ctx context.Context) ([]oci.Signature, error) + AttestContainerSignatures(ctx context.Context, status *corev1.ContainerStatus) ([]string, error) + FetchImageSignatures(ctx context.Context, imageName string) ([]oci.Signature, error) SelectorValuesFromSignature(oci.Signature, string) SelectorsFromSignatures ExtractSelectorsFromSignatures(signatures []oci.Signature, containerID string) []SelectorsFromSignatures ShouldSkipImage(imageID string) (bool, error) @@ -89,7 +89,7 @@ func (s *sigstoreImpl) SetLogger(logger hclog.Logger) { // FetchImageSignatures retrieves signatures for specified image via cosign, using the specified rekor server. // Returns a list of verified signatures, and an error if any. -func (s *sigstoreImpl) FetchImageSignatures(imageName string, ctx context.Context) ([]oci.Signature, error) { +func (s *sigstoreImpl) FetchImageSignatures(ctx context.Context, imageName string) ([]oci.Signature, error) { ref, err := name.ParseReference(imageName) if err != nil { message := fmt.Errorf("error parsing image reference: %w", err) @@ -271,7 +271,7 @@ func (s *sigstoreImpl) EnableAllowSubjectList(flag bool) { s.allowListEnabled = flag } -func (s *sigstoreImpl) AttestContainerSignatures(status *corev1.ContainerStatus, ctx context.Context) ([]string, error) { +func (s *sigstoreImpl) AttestContainerSignatures(ctx context.Context, status *corev1.ContainerStatus) ([]string, error) { skip, _ := s.ShouldSkipImage(status.ImageID) if skip { return []string{signatureVerifiedSelector}, nil 
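Review bot: In `AttestContainerSignatures` the line `skip, _ := s.ShouldSkipImage(status.ImageID)` discards the error, and a skipped image is then answered with `signatureVerifiedSelector` even though no signature was checked for it. Since this commit already edits the function, handle the error with `skip, err := s.ShouldSkipImage(status.ImageID)` followed by `if err != nil { return nil, err }`, so a failed skip-list lookup cannot be mistaken for a decision. A doc comment on the method stating that skip-listed images receive the verified selector without verification would help operators who write registration entries against that selector. The function body continues past the hunk.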
@@ -283,7 +283,7 @@ func (s *sigstoreImpl) AttestContainerSignatures(status *corev1.ContainerStatus, if cachedSignature != nil { s.logger.Debug("Found cached signature", "imageId", imageID) } else { - signatures, err := s.FetchImageSignatures(imageID, ctx) + signatures, err := s.FetchImageSignatures(ctx, imageID) if err != nil { return nil, err } diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index bf2d130adf..01ba0fd39a 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -359,7 +359,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { sigstorecache: NewCache(maximumAmountCache), checkOptsFunction: emptyCheckOptsFunction, } - got, err := sigstore.FetchImageSignatures(tt.args.imageName, context.Background()) + got, err := sigstore.FetchImageSignatures(context.Background(), tt.args.imageName) if (err != nil) != tt.wantErr { t.Errorf("sigstoreImpl.FetchImageSignatures() error = %v, wantErr %v", err, tt.wantErr) return @@ -1698,7 +1698,7 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { checkOptsFunction: emptyCheckOptsFunction, logger: hclog.Default(), } - got, err := sigstore.AttestContainerSignatures(&tt.status, context.Background()) + got, err := sigstore.AttestContainerSignatures(context.Background(), &tt.status) if (err != nil) != tt.wantErr { t.Errorf("sigstoreImpl.AttestContainerSignatures() error = %v, wantErr %v", err, tt.wantErr) return From 7f7fa32256d5b06b8300d78a356cb30dd4c195c3 Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Tue, 14 Jun 2022 17:01:03 -0400 Subject: [PATCH 076/257] removed unnecessary code Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- doc/plugin_agent_workloadattestor_unix.md | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/doc/plugin_agent_workloadattestor_unix.md b/doc/plugin_agent_workloadattestor_unix.md index 8ef8decffe..36e4c4826e 100644 --- a/doc/plugin_agent_workloadattestor_unix.md +++ b/doc/plugin_agent_workloadattestor_unix.md @@ -28,8 +28,6 @@ General selectors: | `unix:supplementary_gid` | **Currently only supported on linux:** The supplementary group ID of the workload (e.g. `unix:supplementary_gid:2000`) | | `unix:supplementary_group` | **Currently only supported on linux:** The supplementary group name of the workload (e.g. `unix:supplementary_group:www-data`) | -Workload path enabled selectors (available when configured with `discover_workload_path = true`): - | Selector | Value | |---------------|--------------------------------------------------------------------------------------------------------------------------------| | `unix:path` | The path to the workload binary (e.g. `unix:path:/usr/bin/nginx`) | From 99cd9398d8453d7b68ecef808236a314edf56ed7 Mon Sep 17 00:00:00 2001 From: Matheus Santos Date: Wed, 15 Jun 2022 17:04:09 -0300 Subject: [PATCH 077/257] refactor: A check has been created to verify if p.sigstore is different from nil and if so the sigstore configuration function is called. Signed-off-by: Matheus Santos Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../plugin/workloadattestor/k8s/k8s_posix.go | 48 ++++++++++++------- 1 file changed, 31 insertions(+), 17 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index cdd7a55397..f231ec7172 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go 
@@ -326,23 +326,8 @@ func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) return nil, err } - // Configure sigstore settings - p.sigstore.ClearSkipList() - if c.SkippedImages != nil { - for _, imageID := range c.SkippedImages { - p.sigstore.AddSkippedImage(imageID) - } - } - - p.sigstore.EnableAllowSubjectList(c.AllowedSubjectListEnabled) - p.sigstore.ClearAllowedSubjects() - if c.AllowedSubjects != nil { - for _, subject := range c.AllowedSubjects { - p.sigstore.AddAllowedSubject(subject) - } - } - if c.RekorURL != "" { - if err := p.sigstore.SetRekorURL(c.RekorURL); err != nil { + if p.sigstore != nil { + if err:= configureSigstore(c, p.sigstore); err != nil{ return nil, err } } @@ -356,6 +341,35 @@ func createHelper(c *Plugin) (ContainerHelper, error) { return &containerHelper{ fs: c.fs, }, nil + +func configureSigstore(config *k8sConfig, sigstore sigstore.Sigstore) error { + // Configure sigstore settings + sigstore.ClearSkipList() + if config.SkippedImages != nil { + for _, imageID := range config.SkippedImages { + sigstore.AddSkippedImage(imageID) + } + } + + sigstore.EnableAllowSubjectList(config.AllowedSubjectListEnabled) + sigstore.ClearAllowedSubjects() + if config.AllowedSubjects != nil { + for _, subject := range config.AllowedSubjects { + sigstore.AddAllowedSubject(subject) + } + } + if config.RekorURL != "" { + if err := sigstore.SetRekorURL(config.RekorURL); err != nil { + return err + } + } + return nil +} + +func (p *Plugin) setConfig(config *k8sConfig) { + p.mu.Lock() + defer p.mu.Unlock() + p.config = config } type containerHelper struct { From 06f50e661bc2efdbb68799456c1c2cfcf0f26a18 Mon Sep 17 00:00:00 2001 From: Matheus Santos Date: Thu, 16 Jun 2022 09:13:51 -0300 Subject: [PATCH 078/257] fix: fixed lint errors Signed-off-by: Matheus Santos Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
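Review bot: `Configure` now skips the sigstore setup when `p.sigstore` is nil, but the `Attest` hunk earlier in this series calls `p.sigstore.AttestContainerSignatures(...)` with no such guard, so a plugin without a sigstore client would pass configuration and then panic on the first attestation. Either guard the call in `Attest` the same way (`if p.sigstore != nil { ... }`) or treat a nil client as a configuration error here. `p.sigstore` appears to be an interface value, so this check also does not catch a typed nil pointer stored in it. The body of `Configure` starts outside the hunk.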
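Review bot: As the hunk reads, `configureSigstore` and the header of `setConfig` are inserted after `}, nil` but before the `}` that used to close `createHelper`, so `createHelper` loses its closing brace and the file would not parse; add a `}` line directly after `}, nil`. In `configureSigstore` the skip list and allow-list are reset on every call, but the Rekor URL is only touched when `config.RekorURL != ""`, so a reload that drops `rekor_url` keeps verifying against the previously configured log; if that is not intended, reset it to the default in the empty case. The parameter name `sigstore` also shadows the `sigstore` package inside the function, and a name such as `client` avoids that.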
diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index f231ec7172..e8fe116321 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go @@ -325,13 +325,11 @@ func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) if err := p.reloadKubeletClient(c); err != nil { return nil, err } - if p.sigstore != nil { - if err:= configureSigstore(c, p.sigstore); err != nil{ + if err := configureSigstore(c, p.sigstore); err != nil { return nil, err } } - // Set the config p.setConfig(c) return &configv1.ConfigureResponse{}, nil From ef113d8a1d0bf34f51a1365f2be3c60812d789b7 Mon Sep 17 00:00:00 2001 From: Matheus Santos Date: Thu, 16 Jun 2022 09:23:13 -0300 Subject: [PATCH 079/257] fix: fixed lint errors Signed-off-by: Matheus Santos Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index e8fe116321..5cce5337c7 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go @@ -347,8 +347,7 @@ func configureSigstore(config *k8sConfig, sigstore sigstore.Sigstore) error { for _, imageID := range config.SkippedImages { sigstore.AddSkippedImage(imageID) } - } - + } sigstore.EnableAllowSubjectList(config.AllowedSubjectListEnabled) sigstore.ClearAllowedSubjects() if config.AllowedSubjects != nil { From 626e65bf760a292ae9d8f06c9b663a598484c332 Mon Sep 17 00:00:00 2001 From: Matheus Santos Date: Thu, 16 Jun 2022 10:54:37 -0300 Subject: [PATCH 080/257] fix: fixed lint errors Signed-off-by: Matheus Santos Signed-off-by: Willian Alves 
Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index 5cce5337c7..9587887b16 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go @@ -347,7 +347,7 @@ func configureSigstore(config *k8sConfig, sigstore sigstore.Sigstore) error { for _, imageID := range config.SkippedImages { sigstore.AddSkippedImage(imageID) } - } + } sigstore.EnableAllowSubjectList(config.AllowedSubjectListEnabled) sigstore.ClearAllowedSubjects() if config.AllowedSubjects != nil { From 484f2035e08dbe7436a99a40de6de2f6f941f2f7 Mon Sep 17 00:00:00 2001 From: Matheus Santos Date: Wed, 22 Jun 2022 15:42:17 -0300 Subject: [PATCH 081/257] refactor: pr adjustments related to cosign Signed-off-by: Matheus Santos Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../plugin/workloadattestor/k8s/k8s_test.go | 6 ++- .../workloadattestor/k8s/sigstore/sigstore.go | 41 ++++++++----------- 2 files changed, 21 insertions(+), 26 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index 2fa301756f..6fdc574f89 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -721,9 +721,13 @@ func (s *Suite) TestConfigure() { hcl: ` sigstore.rekor_url = "inva{{{lid}" `, - sigstoreError: errors.New("Error parsing rekor URI"), + sigstoreError: errors.New("error parsing rekor URI"), config: nil, +<<<<<<< HEAD errMsg: "Error parsing rekor URI", +======= + err: "error parsing rekor URI", +>>>>>>> refactor: pr adjustments related to cosign }, } diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 739d9ccf07..dd4232d410 100644 
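Review bot: This hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> refactor: pr adjustments related to cosign`) into the `TestConfigure` table, so `k8s_test.go` cannot compile at this commit. Remove the three marker lines and keep a single expectation, using whichever field the table struct declares (`errMsg` or `err`; the struct is outside the hunk) with the lower-cased text `"error parsing rekor URI"` that matches the new `sigstoreError`. A later patch in this series lists four deletions in the same file, which may be that cleanup; folding it into this commit keeps every commit buildable and bisectable.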
--- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -174,33 +174,30 @@ func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, cont return selectorsFromSignatures } - suppress := false if s.allowListEnabled { if _, ok := s.subjectAllowList[subject]; !ok { - suppress = true + return selectorsFromSignatures } } - if !suppress { - selectorsFromSignatures.Subject = subject - selectorsFromSignatures.Verified = true + selectorsFromSignatures.Subject = subject + selectorsFromSignatures.Verified = true - bundle, err := signature.Bundle() + bundle, err := signature.Bundle() + if err != nil { + s.logger.Error("error getting signature bundle: ", err.Error()) + } else { + sigContent, err := getBundleSignatureContent(bundle) if err != nil { - s.logger.Error("error getting signature bundle: ", err.Error()) + s.logger.Error("error getting signature content", "error", err) } else { - sigContent, err := getBundleSignatureContent(bundle) - if err != nil { - s.logger.Error("error getting signature content", "error", err) - } else { - selectorsFromSignatures.Content = sigContent - } - if bundle.Payload.LogID != "" { - selectorsFromSignatures.LogID = bundle.Payload.LogID - } - if bundle.Payload.IntegratedTime != 0 { - selectorsFromSignatures.IntegratedTime = strconv.FormatInt(bundle.Payload.IntegratedTime, 10) - } + selectorsFromSignatures.Content = sigContent + } + if bundle.Payload.LogID != "" { + selectorsFromSignatures.LogID = bundle.Payload.LogID + } + if bundle.Payload.IntegratedTime != 0 { + selectorsFromSignatures.IntegratedTime = strconv.FormatInt(bundle.Payload.IntegratedTime, 10) } } return selectorsFromSignatures @@ -230,9 +227,6 @@ func (s *sigstoreImpl) AddSkippedImage(imageID string) { // ClearSkipList clears the skip list. func (s *sigstoreImpl) ClearSkipList() { - for k := range s.skippedImages { - delete(s.skippedImages, k) - } s.skippedImages = nil } 
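Review bot: The new early return for a subject that is not in `s.subjectAllowList` leaves no trace, whereas the other rejections in `SelectorValuesFromSignature` log why they happened. A line such as `s.logger.Debug("signature subject not in allow-list", "subject", subject)` before `return selectorsFromSignatures` lets an operator tell a policy rejection from a missing or unparsable signature. In the same hunk `s.logger.Error("error getting signature bundle: ", err.Error())` passes an unpaired value; `s.logger.Error("error getting signature bundle", "error", err)` matches the sibling calls. The function starts outside the hunk.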
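Review bot: `ClearSkipList` now leaves `s.skippedImages` nil instead of an empty map, and `ClearAllowedSubjects` in the `@@ -255,9 +255,6 @@` hunk does the same for `s.subjectAllowList`. Reading a nil map is safe, but writing to one panics, and `configureSigstore` calls each clear function and then `AddSkippedImage` / `AddAllowedSubject` in that order. The bodies of the two add functions are outside these hunks, so confirm that each allocates the map when it is nil (`if s.skippedImages == nil { ... }`) before assigning, and add a test that clears and then adds.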
@@ -261,9 +255,6 @@ func (s *sigstoreImpl) AddAllowedSubject(subject string) { } func (s *sigstoreImpl) ClearAllowedSubjects() { - for k := range s.subjectAllowList { - delete(s.subjectAllowList, k) - } s.subjectAllowList = nil } From 3f350cec2dbee10ceab72ab77f1e7872cf380dbd Mon Sep 17 00:00:00 2001 From: Matheus Santos Date: Thu, 23 Jun 2022 11:37:08 -0300 Subject: [PATCH 082/257] refactor: pr adjustments of logs of errors Signed-off-by: Matheus Santos Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index dd4232d410..a74afaebda 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -165,12 +165,12 @@ func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, cont subject, err := getSignatureSubject(signature) if err != nil { - s.logger.Error("Error getting signature subject", "error", err) + s.logger.Error("error getting signature subject: ", err) return selectorsFromSignatures } if subject == "" { - s.logger.Error("Error getting signature subject: empty subject") + s.logger.Error("error getting signature subject: empty subject") return selectorsFromSignatures } @@ -189,7 +189,7 @@ func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, cont } else { sigContent, err := getBundleSignatureContent(bundle) if err != nil { - s.logger.Error("error getting signature content", "error", err) + s.logger.Error("error getting signature content: ", err) } else { selectorsFromSignatures.Content = sigContent } From ee577474c8f4ce2bd738795321d92d37a8832402 Mon Sep 17 00:00:00 2001 
From: Matheus Santos Date: Thu, 23 Jun 2022 12:26:38 -0300 Subject: [PATCH 083/257] refactor: pr adjustments of logs for errors Signed-off-by: Matheus Santos Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index a74afaebda..9c71b3b84f 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -165,7 +165,7 @@ func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, cont subject, err := getSignatureSubject(signature) if err != nil { - s.logger.Error("error getting signature subject: ", err) + s.logger.Error("error getting signature subject", "error", err) return selectorsFromSignatures } @@ -189,7 +189,7 @@ func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, cont } else { sigContent, err := getBundleSignatureContent(bundle) if err != nil { - s.logger.Error("error getting signature content: ", err) + s.logger.Error("error getting signature content", "error", err) } else { selectorsFromSignatures.Content = sigContent } From 2e59f95ec672a183c63289e2b2715267f02d4ea8 Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Wed, 29 Jun 2022 15:23:46 -0400 Subject: [PATCH 084/257] fixing CI error Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- go.mod | 6 +++--- go.sum | 15 ++++++++++++--- pkg/agent/plugin/workloadattestor/k8s/k8s_test.go | 4 ---- 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/go.mod b/go.mod index 2b2fc1abfc..c64f5b5dde 100644 --- a/go.mod +++ b/go.mod 
@@ -232,7 +232,7 @@ require ( github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect github.com/ryanuber/go-glob v1.0.0 // indirect github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 // indirect - github.com/secure-systems-lab/go-securesystemslib v0.2.0 // indirect + github.com/secure-systems-lab/go-securesystemslib v0.3.1 // indirect github.com/segmentio/ksuid v1.0.4 // indirect github.com/shibumi/go-pathspec v1.2.0 // indirect github.com/shopspring/decimal v1.2.0 // indirect @@ -245,11 +245,11 @@ require ( github.com/spf13/pflag v1.0.5 // indirect github.com/spf13/viper v1.9.0 // indirect github.com/subosito/gotenv v1.2.0 // indirect - github.com/syndtr/goleveldb v1.0.0 // indirect + github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 // indirect github.com/tchap/go-patricia/v2 v2.3.1 // indirect github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect github.com/thales-e-security/pool v0.0.2 // indirect - github.com/theupdateframework/go-tuf v0.0.0-20211203210025-7ded50136bf9 // indirect + github.com/theupdateframework/go-tuf v0.3.0 // indirect github.com/tklauser/go-sysconf v0.3.10 // indirect github.com/tklauser/numcpus v0.4.0 // indirect github.com/twmb/murmur3 v1.1.6 // indirect diff --git a/go.sum b/go.sum index de1dbe31ac..a28b811f8f 100644 --- a/go.sum +++ b/go.sum 
@@ -1147,6 +1147,7 @@ github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210506205249-923b5ab0fc1a/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= @@ -1670,6 +1671,7 @@ github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9k github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= +github.com/onsi/ginkgo/v2 v2.0.0/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= github.com/onsi/ginkgo/v2 v2.1.6 h1:Fx2POJZfKRQcM1pH49qSZiYeu319wji004qX+GDovrU= github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= 
@@ -1681,6 +1683,8 @@ github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoT github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc= github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= +github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= +github.com/onsi/gomega v1.18.1/go.mod h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs= github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q= github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= github.com/open-policy-agent/opa v0.35.0/go.mod h1:xEmekKlk6/c+so5HF9wtPnGPXDfBuBsrMGhSHOHEF+U= @@ -1877,8 +1881,9 @@ github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo= github.com/secure-systems-lab/go-securesystemslib v0.1.0/go.mod h1:eIjBmIP8LD2MLBL/DkQWayLiz006Q4p+hCu79rvWleY= -github.com/secure-systems-lab/go-securesystemslib v0.2.0 h1:9beLHgmhA2KEqJkFh1bs/YlnHkazv26GCXqfcUdC1YI= github.com/secure-systems-lab/go-securesystemslib v0.2.0/go.mod h1:eIjBmIP8LD2MLBL/DkQWayLiz006Q4p+hCu79rvWleY= +github.com/secure-systems-lab/go-securesystemslib v0.3.1 h1:LJuyMziazadwmQRRu1M7GMUo5S1oH1+YxU9FjuSFU8k= +github.com/secure-systems-lab/go-securesystemslib v0.3.1/go.mod h1:o8hhjkbNl2gOamKUA/eNW3xUrntHT9L4W89W1nfj43U= github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= 
@@ -2001,8 +2006,9 @@ github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69 github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= -github.com/syndtr/goleveldb v1.0.0 h1:fBdIW9lB4Iz0n9khmH8w27SJ3QEJ7+IgjPEwGSZiFdE= github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ= +github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 h1:epCh84lMvA70Z7CTTCmYQn2CKbY8j86K7/FAIr141uY= +github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7/go.mod h1:q4W45IWZaF22tdD+VEXcAWRA037jwmWEB5VWYORlTpc= github.com/tchap/go-patricia v2.2.6+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I= github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= 
@@ -2013,8 +2019,9 @@ github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpu github.com/theupdateframework/go-tuf v0.0.0-20210722233521-90e262754396/go.mod h1:L+uU/NRFK/7h0NYAnsmvsX9EghDB5QVCcHCIrK2h5nw= github.com/theupdateframework/go-tuf v0.0.0-20211006142131-1dc15a86c64d/go.mod h1:oujGMqigj0NWDqeWBCzleayXXtux27r+kHAR2t5Yuk8= github.com/theupdateframework/go-tuf v0.0.0-20211115152232-a4f2dd6ea314/go.mod h1:pQW1KcCMYPCuZ4pvCkYQhoE2k9SzTuh31AWhf1j/7HM= -github.com/theupdateframework/go-tuf v0.0.0-20211203210025-7ded50136bf9 h1:Toe1Dy1nG62nh3CLZ6/izUrdgjhV/aGHvvu+uwGykxk= github.com/theupdateframework/go-tuf v0.0.0-20211203210025-7ded50136bf9/go.mod h1:n2n6wwC9BEnYS/C/APAtNln0eM5zYAYOkOTx6VEG/mA= +github.com/theupdateframework/go-tuf v0.3.0 h1:od2sc5+BSkKZhmUG2o2rmruy0BGSmhrbDhCnpxh87X8= +github.com/theupdateframework/go-tuf v0.3.0/go.mod h1:E5XP0wXitrFUHe4b8cUcAAdxBW4LbfnqF4WXXGLgWNo= github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= 
@@ -2359,6 +2366,7 @@ golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/ golang.org/x/net v0.0.0-20200602114024-627f9648deb9/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200813134508-3edf25e44fcc/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200930145003-4acb6c075d10/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201006153459-a7d1128ccaa0/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= @@ -2526,6 +2534,7 @@ golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200817155316-9781c653f443/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200828194041-157a740278f4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index 6fdc574f89..4ed8c1d388 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go 
@@ -723,11 +723,7 @@ func (s *Suite) TestConfigure() { `, sigstoreError: errors.New("error parsing rekor URI"), config: nil, -<<<<<<< HEAD errMsg: "Error parsing rekor URI", -======= - err: "error parsing rekor URI", ->>>>>>> refactor: pr adjustments related to cosign }, } From 0309e5e807e39b1e5ba9d5028069147727d9c239 Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Thu, 30 Jun 2022 09:48:12 -0400 Subject: [PATCH 085/257] dependency test Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- go.mod | 168 ++++++---- go.sum | 978 ++++++++++++++++++++++++++++++++++++--------------------- 2 files changed, 734 insertions(+), 412 deletions(-) diff --git a/go.mod b/go.mod index c64f5b5dde..e884fb8e5c 100644 --- a/go.mod +++ b/go.mod @@ -35,7 +35,7 @@ require ( github.com/golang/mock v1.6.0 github.com/golang/protobuf v1.5.2 github.com/google/go-cmp v0.5.9 - github.com/google/go-containerregistry v0.7.1-0.20211118220127-abdc633f8305 + github.com/google/go-containerregistry v0.8.1-0.20220209165246-a44adc326839 github.com/google/go-tpm v0.3.3 github.com/google/go-tpm-tools v0.3.9 github.com/googleapis/gax-go/v2 v2.6.0 @@ -54,11 +54,11 @@ require ( github.com/open-policy-agent/opa v0.45.0 github.com/prometheus/client_golang v1.13.0 github.com/shirou/gopsutil/v3 v3.22.9 - github.com/sigstore/cosign v1.4.0 - github.com/sigstore/rekor v0.3.1-0.20211203233407-3278f72b78bd - github.com/sigstore/sigstore v1.0.2-0.20211203233310-c8e7f70eab4e + github.com/sigstore/cosign v1.9.0 + github.com/sigstore/rekor v0.4.1-0.20220114213500-23f583409af3 + github.com/sigstore/sigstore v1.2.1-0.20220424143412-3d41663116d5 github.com/sirupsen/logrus v1.9.0 - github.com/spiffe/go-spiffe/v2 v2.0.1-0.20220414143532-2ed460a8b9d3 + github.com/spiffe/go-spiffe/v2 v2.1.0 github.com/spiffe/spire-api-sdk v1.2.5-0.20220608195902-84fd618158c9 github.com/spiffe/spire-plugin-sdk v1.4.1-0.20220912221658-c42ab2d657f6 github.com/stretchr/testify v1.8.1 
@@ -83,127 +83,148 @@ require ( ) require ( + bitbucket.org/creachadair/shell v0.0.7 // indirect cloud.google.com/go v0.104.0 // indirect cloud.google.com/go/compute v1.10.0 // indirect cloud.google.com/go/iam v0.3.0 // indirect - cloud.google.com/go/kms v1.1.0 // indirect - github.com/Azure/azure-sdk-for-go v59.4.0+incompatible // indirect + github.com/Azure/azure-sdk-for-go v63.3.0+incompatible // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest v0.11.27 // indirect github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect - github.com/Azure/go-autorest/autorest/azure/auth v0.5.9 // indirect - github.com/Azure/go-autorest/autorest/azure/cli v0.4.4 // indirect + github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect + github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect - github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect - github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1 // indirect github.com/DataDog/datadog-go v3.2.0+incompatible // indirect - github.com/Masterminds/goutils v1.1.0 // indirect + github.com/Masterminds/goutils v1.1.1 // indirect github.com/Masterminds/semver/v3 v3.1.1 // indirect - github.com/Masterminds/sprig/v3 v3.2.0 // indirect + github.com/Masterminds/sprig/v3 v3.2.2 // indirect github.com/OneOfOne/xxhash v1.2.8 // indirect + github.com/PaesslerAG/gval v1.0.0 // indirect + github.com/PaesslerAG/jsonpath v0.1.1 // indirect github.com/PuerkitoBio/purell v1.1.1 // indirect github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect - github.com/ReneKroon/ttlcache/v2 v2.9.0 // indirect 
github.com/ThalesIgnite/crypto11 v1.2.5 // indirect - github.com/agnivade/levenshtein v1.1.1 // indirect github.com/armon/go-radix v1.0.0 // indirect github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect - github.com/aws/aws-sdk-go v1.43.16 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21 // indirect + github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0 // indirect + github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.12.0 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.18 // indirect github.com/aws/aws-sdk-go-v2/service/sso v1.11.20 // indirect github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.2 // indirect github.com/aws/smithy-go v1.13.4 // indirect + github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220228164355-396b2034c795 // indirect + github.com/benbjohnson/clock v1.1.0 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/bgentry/speakeasy v0.1.0 // indirect github.com/blang/semver v3.5.1+incompatible // indirect + github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect github.com/cespare/xxhash/v2 v2.1.2 // indirect - github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490 // indirect + github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21 // indirect + github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe // indirect + github.com/cncf/xds/go v0.0.0-20220520190051-1e77728a1eaa // indirect + github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect github.com/containerd/stargz-snapshotter/estargz v0.10.1 // indirect github.com/coreos/go-oidc/v3 v3.1.0 // indirect + github.com/coreos/go-semver v0.3.0 // indirect + github.com/coreos/go-systemd/v22 v22.3.2 // indirect + github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect 
github.com/cyberphone/json-canonicalization v0.0.0-20210823021906-dc406ceaf94b // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/dimchansky/utfbom v1.1.1 // indirect github.com/docker/cli v20.10.17+incompatible // indirect - github.com/docker/distribution v2.7.1+incompatible // indirect + github.com/docker/distribution v2.8.0+incompatible // indirect github.com/docker/docker-credential-helpers v0.6.4 // indirect github.com/docker/go-connections v0.4.0 // indirect github.com/docker/go-units v0.4.0 // indirect + github.com/dustin/go-humanize v1.0.0 // indirect github.com/emicklei/go-restful/v3 v3.8.0 // indirect - github.com/envoyproxy/protoc-gen-validate v0.6.2 // indirect + github.com/envoyproxy/protoc-gen-validate v0.6.7 // indirect github.com/evanphx/json-patch v4.12.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.6.0 // indirect github.com/fatih/color v1.13.0 // indirect github.com/felixge/httpsnoop v1.0.2 // indirect + github.com/form3tech-oss/jwt-go v3.2.5+incompatible // indirect github.com/fsnotify/fsnotify v1.5.4 // indirect + github.com/fullstorydev/grpcurl v1.8.6 // indirect github.com/ghodss/yaml v1.0.0 // indirect github.com/go-chi/chi v4.1.2+incompatible // indirect github.com/go-logr/zapr v1.2.3 // indirect github.com/go-ole/go-ole v1.2.6 // indirect - github.com/go-openapi/analysis v0.20.1 // indirect - github.com/go-openapi/errors v0.20.1 // indirect + github.com/go-openapi/analysis v0.21.2 // indirect + github.com/go-openapi/errors v0.20.2 // indirect github.com/go-openapi/jsonpointer v0.19.5 // indirect github.com/go-openapi/jsonreference v0.19.6 // indirect - github.com/go-openapi/loads v0.21.0 // indirect - github.com/go-openapi/runtime v0.21.0 // indirect + github.com/go-openapi/loads v0.21.1 // indirect + github.com/go-openapi/runtime v0.24.1 // indirect github.com/go-openapi/spec v0.20.4 // indirect - github.com/go-openapi/strfmt v0.21.1 // indirect - github.com/go-openapi/swag v0.19.15 // indirect - 
github.com/go-openapi/validate v0.20.3 // indirect + github.com/go-openapi/strfmt v0.21.2 // indirect + github.com/go-openapi/swag v0.21.1 // indirect + github.com/go-openapi/validate v0.21.0 // indirect github.com/go-playground/locales v0.14.0 // indirect github.com/go-playground/universal-translator v0.18.0 // indirect - github.com/go-playground/validator/v10 v10.9.0 // indirect - github.com/go-stack/stack v1.8.0 // indirect + github.com/go-playground/validator/v10 v10.10.0 // indirect + github.com/go-stack/stack v1.8.1 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt v3.2.1+incompatible // indirect - github.com/golang-jwt/jwt/v4 v4.2.0 // indirect + github.com/golang-jwt/jwt/v4 v4.3.0 // indirect + github.com/golang/glog v1.0.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/snappy v0.0.4 // indirect + github.com/google/btree v1.1.2 // indirect + github.com/google/certificate-transparency-go v1.1.2 // indirect github.com/google/gnostic v0.5.7-v3refs // indirect - github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20211203164431-c75901cce627 // indirect - github.com/google/go-github/v39 v39.2.0 // indirect + github.com/google/go-github/v42 v42.0.0 // indirect github.com/google/go-querystring v1.1.0 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/trillian v1.4.0 // indirect + github.com/google/trillian v1.4.1 // indirect github.com/google/uuid v1.3.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.2.0 // indirect + github.com/gorilla/websocket v1.4.2 // indirect + github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect + github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect + github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect 
github.com/hashicorp/go-immutable-radix v1.3.1 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect - github.com/hashicorp/go-retryablehttp v0.7.0 // indirect + github.com/hashicorp/go-retryablehttp v0.7.1 // indirect github.com/hashicorp/go-rootcerts v1.0.2 // indirect - github.com/hashicorp/go-secure-stdlib/mlock v0.1.1 // indirect + github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 // indirect github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect github.com/hashicorp/go-sockaddr v1.0.2 // indirect - github.com/hashicorp/go-uuid v1.0.2 // indirect - github.com/hashicorp/go-version v1.3.0 // indirect + github.com/hashicorp/go-uuid v1.0.3 // indirect + github.com/hashicorp/go-version v1.5.0 // indirect github.com/hashicorp/golang-lru v0.5.4 // indirect github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 // indirect github.com/huandu/xstrings v1.3.2 // indirect - github.com/in-toto/in-toto-golang v0.4.0-prerelease // indirect + github.com/in-toto/in-toto-golang v0.3.4-0.20211211042327-af1f9fb822bf // indirect github.com/inconshreveable/mousetrap v1.0.0 // indirect github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431 // indirect + github.com/jhump/protoreflect v1.12.0 // indirect github.com/jinzhu/inflection v1.0.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect + github.com/jonboulle/clockwork v0.3.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/klauspost/compress v1.13.6 // indirect + github.com/klauspost/compress v1.14.2 // indirect github.com/kylelemons/godebug v1.1.0 // indirect github.com/leodido/go-urn v1.2.1 // indirect + github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e // indirect github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect - github.com/magiconair/properties v1.8.5 // indirect + 
github.com/magiconair/properties v1.8.6 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-colorable v0.1.12 // indirect github.com/mattn/go-isatty v0.0.14 // indirect + github.com/mattn/go-runewidth v0.0.13 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect github.com/miekg/pkcs11 v1.1.1 // indirect github.com/mitchellh/copystructure v1.2.0 // indirect @@ -216,12 +237,14 @@ require ( github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/oklog/run v1.1.0 // indirect github.com/oklog/ulid v1.3.1 // indirect + github.com/olekukonko/tablewriter v0.0.5 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect + github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect github.com/opentracing/opentracing-go v1.2.0 // indirect - github.com/pelletier/go-toml v1.9.4 // indirect + github.com/pelletier/go-toml v1.9.5 // indirect + github.com/pelletier/go-toml/v2 v2.0.1 // indirect github.com/pierrec/lz4 v2.6.1+incompatible // indirect - github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 // indirect + github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/posener/complete v1.2.3 // indirect 
@@ -230,38 +253,66 @@ require ( github.com/prometheus/common v0.37.0 // indirect github.com/prometheus/procfs v0.8.0 // indirect github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect + github.com/rivo/uniseg v0.2.0 // indirect + github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/ryanuber/go-glob v1.0.0 // indirect github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 // indirect - github.com/secure-systems-lab/go-securesystemslib v0.3.1 // indirect + github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect github.com/segmentio/ksuid v1.0.4 // indirect - github.com/shibumi/go-pathspec v1.2.0 // indirect + github.com/shibumi/go-pathspec v1.3.0 // indirect github.com/shopspring/decimal v1.2.0 // indirect - github.com/sigstore/fulcio v0.1.2-0.20211204001059-48e1a254cf10 // indirect + github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7 // indirect github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect - github.com/spf13/afero v1.6.0 // indirect - github.com/spf13/cast v1.4.1 // indirect + github.com/soheilhy/cmux v0.1.5 // indirect + github.com/spf13/afero v1.8.2 // indirect + github.com/spf13/cast v1.5.0 // indirect github.com/spf13/cobra v1.5.0 // indirect github.com/spf13/jwalterweatherman v1.1.0 // indirect github.com/spf13/pflag v1.0.5 // indirect - github.com/spf13/viper v1.9.0 // indirect - github.com/subosito/gotenv v1.2.0 // indirect + github.com/spf13/viper v1.12.0 // indirect + github.com/subosito/gotenv v1.3.0 // indirect github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 // indirect - github.com/tchap/go-patricia/v2 v2.3.1 // indirect github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect github.com/thales-e-security/pool v0.0.2 // indirect github.com/theupdateframework/go-tuf v0.3.0 // indirect + github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/tklauser/go-sysconf v0.3.10 // 
indirect github.com/tklauser/numcpus v0.4.0 // indirect + github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 // indirect + github.com/transparency-dev/merkle v0.0.1 // indirect github.com/twmb/murmur3 v1.1.6 // indirect + github.com/urfave/cli v1.22.9 // indirect github.com/vbatts/tar-split v0.11.2 // indirect - github.com/vdemeester/k8s-pkg-credentialprovider v1.21.0-1 // indirect - github.com/xanzy/go-gitlab v0.52.2 // indirect + github.com/xanzy/go-gitlab v0.68.0 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect + github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect github.com/yashtewari/glob-intersection v0.1.0 // indirect github.com/yusufpapurcu/wmi v1.2.2 // indirect - go.mongodb.org/mongo-driver v1.7.5 // indirect + go.etcd.io/bbolt v1.3.6 // indirect + go.etcd.io/etcd/api/v3 v3.5.4 // indirect + go.etcd.io/etcd/client/pkg/v3 v3.5.4 // indirect + go.etcd.io/etcd/client/v2 v2.305.4 // indirect + go.etcd.io/etcd/client/v3 v3.5.4 // indirect + go.etcd.io/etcd/etcdctl/v3 v3.5.4 // indirect + go.etcd.io/etcd/etcdutl/v3 v3.5.4 // indirect + go.etcd.io/etcd/pkg/v3 v3.5.4 // indirect + go.etcd.io/etcd/raft/v3 v3.5.4 // indirect + go.etcd.io/etcd/server/v3 v3.5.4 // indirect + go.etcd.io/etcd/tests/v3 v3.5.4 // indirect + go.etcd.io/etcd/v3 v3.5.4 // indirect + go.mongodb.org/mongo-driver v1.8.3 // indirect go.opencensus.io v0.23.0 // indirect + go.opentelemetry.io/contrib v1.6.0 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0 // indirect + go.opentelemetry.io/otel v0.20.0 // indirect + go.opentelemetry.io/otel/exporters/otlp v0.20.0 // indirect + go.opentelemetry.io/otel/metric v0.20.0 // indirect + go.opentelemetry.io/otel/sdk v0.20.0 // indirect + go.opentelemetry.io/otel/sdk/export/metric v0.20.0 // indirect + go.opentelemetry.io/otel/sdk/metric 
v0.20.0 // indirect + go.opentelemetry.io/otel/trace v0.20.0 // indirect + go.opentelemetry.io/proto/otlp v0.12.0 // indirect go.uber.org/atomic v1.10.0 // indirect go.uber.org/multierr v1.8.0 // indirect go.uber.org/zap v1.23.0 // indirect @@ -273,18 +324,21 @@ require ( golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect google.golang.org/appengine v1.6.7 // indirect + gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect gopkg.in/inf.v0 v0.9.1 // indirect - gopkg.in/ini.v1 v1.66.0 // indirect + gopkg.in/ini.v1 v1.66.4 // indirect + gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/apiextensions-apiserver v0.25.0 // indirect - k8s.io/cloud-provider v0.21.0 // indirect k8s.io/component-base v0.25.2 // indirect k8s.io/klog/v2 v2.70.1 // indirect k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect - k8s.io/legacy-cloud-providers v0.21.0 // indirect - knative.dev/pkg v0.0.0-20211203062937-d37811b71d6a // indirect + knative.dev/pkg v0.0.0-20220325200448-1f7514acd0c2 // indirect sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect + sigs.k8s.io/release-utils v0.6.0 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect sigs.k8s.io/yaml v1.3.0 // indirect ) + +replace github.com/open-policy-agent/opa => github.com/open-policy-agent/opa v0.35.0 diff --git a/go.sum b/go.sum index a28b811f8f..facda7e035 100644 --- a/go.sum +++ b/go.sum 
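Review bot: The added `replace github.com/open-policy-agent/opa => github.com/open-policy-agent/opa v0.35.0` at the end of go.mod forces the build onto v0.35.0 while the require block of the same file still lists `github.com/open-policy-agent/opa v0.45.0`, so the module declares one version of the policy engine and compiles another. Every fix released between those two versions is left out of the binary, and tooling that reads only the require line will report the wrong version. Presumably the pin is there to let the bumped cosign/rekor/sigstore modules resolve; if so, record that next to the directive, e.g. `// TODO(<tracking-issue>): remove once the sigstore dependencies build against opa v0.45.0`. Otherwise drop the replace and resolve the conflict by moving the dependent module forward rather than moving OPA back.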
@@ -1,6 +1,9 @@ +4d63.com/gochecknoglobals v0.1.0/go.mod h1:wfdC5ZjKSPr7CybKEcgJhUOgeAQW1+7WcyK8OvUilfo= bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8= bazil.org/fuse v0.0.0-20180421153158-65cc252bf669/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8= bitbucket.org/creachadair/shell v0.0.6/go.mod h1:8Qqi/cYk7vPnsOePHroKXDJYmb5x7ENhtiFtfZq8K+M= +bitbucket.org/creachadair/shell v0.0.7 h1:Z96pB6DkSb7F3Y3BBnJeOZH2gazyMTWlvecSD4vDqfk= +bitbucket.org/creachadair/shell v0.0.7/go.mod h1:oqtXSSvSYr4624lnnabXHaBsYW6RD80caLi2b3hJk0U= bou.ke/monkey v1.0.2/go.mod h1:OqickVX3tNx6t33n1xvtTtu85YN5s6cKwVug+oHMaIA= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= 
@@ -12,12 +15,12 @@ cloud.google.com/go v0.44.3/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxK cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= -cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw= cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= +cloud.google.com/go v0.60.0/go.mod h1:yw2G51M9IfRboUH61Us8GqCeF1PzPblB823Mn2q2eAU= cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= 
@@ -30,16 +33,15 @@ cloud.google.com/go v0.82.0/go.mod h1:vlKccHJGuFBFufnAnuB08dfEH9Y3H7dzDzRECFdC2T cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY= cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM= cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY= -cloud.google.com/go v0.88.0/go.mod h1:dnKwfYbP9hQhefiUvpbcAyoGSHUrOxR20JVElLiUvEY= -cloud.google.com/go v0.89.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ= cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ= cloud.google.com/go v0.92.2/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= cloud.google.com/go v0.92.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= -cloud.google.com/go v0.94.0/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4= cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4= cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc= +cloud.google.com/go v0.98.0/go.mod h1:ua6Ush4NALrHk5QXDWnjvZHN93OuF0HfuEPq9I1X0cM= cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA= +cloud.google.com/go v0.100.1/go.mod h1:fs4QogzfH5n2pBXBP9vRiU+eCny7lD2vmFZy79Iuw1U= cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A= cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc= cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU= 
@@ -51,6 +53,7 @@ cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvf cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= +cloud.google.com/go/bigquery v1.17.0/go.mod h1:pUlbH9kNOnp6ayShsqKLB6w49z14ILAaq0hrjh93Ajw= cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow= cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM= cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M= 
@@ -62,71 +65,82 @@ cloud.google.com/go/compute v1.10.0 h1:aoLIYaA1fX3ywihqpBk2APQKOo20nXsp1GEZQbx5J cloud.google.com/go/compute v1.10.0/go.mod h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOtRsugnLrlU= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= +cloud.google.com/go/datastore v1.5.0/go.mod h1:RGUNM0FFAVkYA94BLTxoXBgfIyY1Riq67TwaBXH0lwc= cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= -cloud.google.com/go/firestore v1.5.0/go.mod h1:c4nNYR1qdq7eaZ+jSc5fonrQN2k3M7sWATcYTiakjEo= cloud.google.com/go/firestore v1.6.0/go.mod h1:afJwI0vaXwAG54kI7A//lP/lSPDkQORQuMkv56TxEPU= +cloud.google.com/go/firestore v1.6.1/go.mod h1:asNXNOzBdyVQmEU+ggO8UPodTkEVFW5Qx+rwHnAz+EY= +cloud.google.com/go/iam v0.1.1/go.mod h1:CKqrcnI/suGpybEHxZ7BMehL0oA4LpdyJdUlTl9jVMw= cloud.google.com/go/iam v0.3.0 h1:exkAomrVUuzx9kWFI1wm3KI0uoDeUFPB4kKGzx6x+Gc= cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= -cloud.google.com/go/kms v0.1.0/go.mod h1:8Qp8PCAypHg4FdmlyW1QRAv09BGQ9Uzh7JnmIZxPk+c= -cloud.google.com/go/kms v1.1.0 h1:1yc4rLqCkVDS9Zvc7m+3mJ47kw0Uo5Q5+sMjcmUVUeM= +cloud.google.com/go/kms v1.0.0/go.mod h1:nhUehi+w7zht2XrUfvTRNpxrfayBHqP4lu2NSywui/0= cloud.google.com/go/kms v1.1.0/go.mod h1:WdbppnCDMDpOvoYBMn1+gNmOeEoZYqAv+HeuKARGCXI= +cloud.google.com/go/kms v1.4.0 h1:iElbfoE61VeLhnZcGOltqL8HIly8Nhbe5t6JlH9GXjo= cloud.google.com/go/monitoring v0.1.0/go.mod h1:Hpm3XfzJv+UTiXzCG5Ffp0wijzHTC7Cv4eR7o3x/fEE= +cloud.google.com/go/monitoring v1.1.0/go.mod h1:L81pzz7HKn14QCMaCs6NTQkdBnE87TElyanS95vIcl4= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= cloud.google.com/go/pubsub 
v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= -cloud.google.com/go/pubsub v1.16.0/go.mod h1:6A8EfoWZ/lUvCWStKGwAWauJZSiuV0Mkmu6WilK/TxQ= -cloud.google.com/go/secretmanager v0.1.0/go.mod h1:3nGKHvnzDUVit7U0S9KAKJ4aOsO1xtwRG+7ey5LK1bM= +cloud.google.com/go/pubsub v1.5.0/go.mod h1:ZEwJccE3z93Z2HWvstpri00jOg7oO4UZDtKhwDwqF0w= +cloud.google.com/go/pubsub v1.11.0-beta.schemas/go.mod h1:llNLsvx+RnsZJoY481TzC1XcdB2hWdR6gSWM5O4vgfs= +cloud.google.com/go/pubsub v1.17.1/go.mod h1:4qDxMr1WsM9+aQAz36ltDwCIM+R0QdlseyFjBuNvnss= +cloud.google.com/go/secretmanager v1.0.0/go.mod h1:+Qkm5qxIJ5mk74xxIXA+87fseaY1JLYBcFPQoc/GQxg= cloud.google.com/go/secretmanager v1.7.0 h1:EAPaaxMs1gtdyxK5UN8KfD5tnDBZiFoSroRfjV3EgQU= cloud.google.com/go/secretmanager v1.7.0/go.mod h1:20dYAPbj+H4+pXdBRN2z77yugQJJ30UF2kL9OWPs+L0= -cloud.google.com/go/security v1.1.0/go.mod h1:Zf3HhjGQIC3yQLUwW5cTcZ0u7sAQqYnvgx9r9KcFOJw= +cloud.google.com/go/security v1.1.1/go.mod h1:QZd0wTwNJNKnl0H4/wAFD10TSX8kI4nk8V6ie6fyc9w= cloud.google.com/go/security v1.8.0 h1:linnRc3/gJYDfKbAtNixVQ52+66DpOx5MmCz0NNxal8= cloud.google.com/go/security v1.8.0/go.mod h1:hAQOwgmaHhztFhiQ41CjDODdWP0+AE1B3sX4OFlq+GU= +cloud.google.com/go/spanner v1.7.0/go.mod h1:sd3K2gZ9Fd0vMPLXzeCrF6fq4i63Q7aTLW/lBIfBkIk= cloud.google.com/go/spanner v1.17.0/go.mod h1:+17t2ixFwRG4lWRwE+5kipDR9Ef07Jkmc8z0IbMDKUs= cloud.google.com/go/spanner v1.18.0/go.mod h1:LvAjUXPeJRGNuGpikMULjhLj/t9cRvdc+fxRoLiugXA= cloud.google.com/go/spanner v1.25.0/go.mod h1:kQUft3x355hzzaeFbObjsvkzZDgpDkesp3v75WBnI8w= +cloud.google.com/go/spanner v1.31.0/go.mod h1:ztDJVUZgEA2xc7HjSNQG+d+2L0bOSsw876/5Hnr78U8= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= 
cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= -cloud.google.com/go/storage v1.16.1/go.mod h1:LaNorbty3ehnU3rEjXSNV/NRgQA0O8Y+uh6bPe5UOk4= +cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo= +cloud.google.com/go/storage v1.15.0/go.mod h1:mjjQMoxxyGH7Jr8K5qrx6N2O0AHsczI61sMNn03GIZI= cloud.google.com/go/storage v1.18.2/go.mod h1:AiIj7BWXyhO5gGVmYJ+S8tbkCx3yb0IMjua8Aw4naVM= cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y= cloud.google.com/go/storage v1.27.0 h1:YOO045NZI9RKfCj1c5A/ZtuuENUc8OAW+gHdGnDgyMQ= cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s= cloud.google.com/go/trace v0.1.0/go.mod h1:wxEwsoeRVPbeSkt7ZC9nWCgmoKQRAoySN7XHW2AmI7g= +cloud.google.com/go/trace v1.0.0/go.mod h1:4iErSByzxkyHWzzlAj63/Gmjz0NH1ASqhJguHpGcr6A= code.gitea.io/sdk/gitea v0.11.3/go.mod h1:z3uwDV/b9Ls47NGukYM9XhnHtqPh/J+t40lsUrR6JDY= contrib.go.opencensus.io/exporter/aws v0.0.0-20181029163544-2befc13012d0/go.mod h1:uu1P0UCM/6RbsMrgPa98ll8ZcHM858i/AD06a9aLRCA= contrib.go.opencensus.io/exporter/aws v0.0.0-20200617204711-c478e41e60e9/go.mod h1:uu1P0UCM/6RbsMrgPa98ll8ZcHM858i/AD06a9aLRCA= contrib.go.opencensus.io/exporter/ocagent v0.5.0/go.mod h1:ImxhfLRpxoYiSq891pBrLVhN+qmP8BTVvdH2YLs7Gl0= -contrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d/go.mod h1:IshRmMJBhDfFj5Y67nVhMYTTIze91RUeT73ipWKs/GY= -contrib.go.opencensus.io/exporter/prometheus v0.4.0/go.mod h1:o7cosnyfuPVK0tB8q0QmaQNhGnptITnPQB+z1+qeFB0= contrib.go.opencensus.io/exporter/stackdriver v0.12.1/go.mod h1:iwB6wGarfphGGe/e5CWqyUk/cLzKnWsOKPVW3no6OTw= +contrib.go.opencensus.io/exporter/stackdriver v0.13.4/go.mod h1:aXENhDJ1Y4lIg4EUaVTwzvYETVNZk10Pu26tevFKLUc= contrib.go.opencensus.io/exporter/stackdriver v0.13.5/go.mod h1:aXENhDJ1Y4lIg4EUaVTwzvYETVNZk10Pu26tevFKLUc= contrib.go.opencensus.io/exporter/stackdriver v0.13.8/go.mod 
h1:huNtlWx75MwO7qMs0KrMxPZXzNNWebav1Sq/pm02JdQ= -contrib.go.opencensus.io/exporter/zipkin v0.1.2/go.mod h1:mP5xM3rrgOjpn79MM8fZbj3gsxcuytSqtH0dxSWW1RE= +contrib.go.opencensus.io/exporter/stackdriver v0.13.10/go.mod h1:I5htMbyta491eUxufwwZPQdcKvvgzMB4O9ni41YnIM8= +contrib.go.opencensus.io/exporter/stackdriver v0.13.12/go.mod h1:mmxnWlrvrFdpiOHOhxBaVi1rkc0WOqhgfknj4Yg0SeQ= contrib.go.opencensus.io/integrations/ocsql v0.1.4/go.mod h1:8DsSdjz3F+APR+0z0WkU1aRorQCFfRxvqjUUPMbF3fE= contrib.go.opencensus.io/integrations/ocsql v0.1.7/go.mod h1:8DsSdjz3F+APR+0z0WkU1aRorQCFfRxvqjUUPMbF3fE= contrib.go.opencensus.io/resource v0.1.1/go.mod h1:F361eGI91LCmW1I/Saf+rX0+OFcigGlFvXwEGEnkRLA= -cuelang.org/go v0.4.0/go.mod h1:tz/edkPi+T37AZcb5GlPY+WJkL6KiDlDVupKwL3vvjs= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -dmitri.shuralyov.com/gpu/mtl v0.0.0-20201218220906-28db891af037/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +filippo.io/edwards25519 v1.0.0-rc.1/go.mod h1:N1IkdkCkiLB6tki+MYJoSx2JTY9NUlxZE7eHn5EwJns= github.com/AdaLogics/go-fuzz-headers v0.0.0-20211102141018-f7be0cbad29c/go.mod h1:WpB7kf89yJUETZxQnP1kgYPNwlT2jjdDYUCoxVggM3g= +github.com/Antonboom/errname v0.1.5/go.mod h1:DugbBstvPFQbv/5uLcRRzfrNqKE9tVdVCqWCLp6Cifo= +github.com/Antonboom/nilnil v0.1.0/go.mod h1:PhHLvRPSghY5Y7mX4TW+BHZQYo1A8flE5H20D3IPZBo= github.com/Azure/azure-amqp-common-go/v2 v2.1.0/go.mod h1:R8rea+gJRuJR6QxTir/XuEd+YuKoUiazDC/N96FiDEU= -github.com/Azure/azure-amqp-common-go/v3 v3.1.0/go.mod h1:PBIGdzcO1teYoufTKMcGibdKaYZv4avS+O6LNIp8bq0= -github.com/Azure/azure-amqp-common-go/v3 v3.1.1/go.mod h1:YsDaPfaO9Ub2XeSKdIy2DfwuiQlHQCauHJwSqtrkECI= +github.com/Azure/azure-amqp-common-go/v3 v3.2.1/go.mod h1:O6X1iYHP7s2x7NjUKsXVhkwWrQhxrd+d8/3rRadj4CI= +github.com/Azure/azure-amqp-common-go/v3 v3.2.2/go.mod h1:O6X1iYHP7s2x7NjUKsXVhkwWrQhxrd+d8/3rRadj4CI= github.com/Azure/azure-pipeline-go v0.2.1/go.mod 
h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiUVpqIlpz/HKHylF4= github.com/Azure/azure-pipeline-go v0.2.3/go.mod h1:x841ezTBIMG6O3lAcl8ATHnsOPVl2bqk7S3ta6S6u4k= github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v29.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v30.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v43.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v46.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v51.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v55.8.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v57.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v59.4.0+incompatible h1:gDA8odnngdNd3KYHL2NoK1j9vpWBgEnFSjKKLpkC8Aw= -github.com/Azure/azure-sdk-for-go v59.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v59.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v60.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v60.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v63.3.0+incompatible h1:INepVujzUrmArRZjDLHbtER+FkvCoEwyRCXGqOlmDII= +github.com/Azure/azure-sdk-for-go v63.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go/sdk/azcore v0.19.0/go.mod h1:h6H6c8enJmmocHUbLiiGY6sx7f9i+X3m1CHdd5c6Rdw= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4 h1:pqrAR74b6EoR4kcxF7L7Wg2B8Jgil9UUZtMvxhEFqWo= 
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U= @@ -144,12 +158,11 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0/ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0 h1:ECsQtyERDVz3NP3kvDOTLvbQhqWp/x9EsGKtb4ogUr8= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0/go.mod h1:s1tW/At+xHqjNFvWU4G0c0Qv33KOhvbGNj0RCTQDV8s= github.com/Azure/azure-service-bus-go v0.9.1/go.mod h1:yzBx6/BUGfjfeqbRZny9AQIbIe3AcV9WZbAdpkoXOa0= -github.com/Azure/azure-service-bus-go v0.10.16/go.mod h1:MlkLwGGf1ewcx5jZadn0gUEty+tTg0RaElr6bPf+QhI= +github.com/Azure/azure-service-bus-go v0.11.5/go.mod h1:MI6ge2CuQWBVq+ly456MY7XqNLJip5LO1iSFodbNLbU= github.com/Azure/azure-storage-blob-go v0.8.0/go.mod h1:lPI3aLPpuLTeUwh1sViKXFxwl2B6teiRqI0deQUvsw0= github.com/Azure/azure-storage-blob-go v0.14.0/go.mod h1:SMqIBi+SuiQH32bvyjngEewEeXoPfKMgWlBDaYf6fck= -github.com/Azure/go-amqp v0.13.0/go.mod h1:qj+o8xPCz9tMSbQ83Vp8boHahuRDl5mkNHyt1xlxUTs= -github.com/Azure/go-amqp v0.13.11/go.mod h1:D5ZrjQqB1dyp1A+G73xeL/kNn7D5qHJIIsNNps7YNmk= -github.com/Azure/go-amqp v0.13.12/go.mod h1:D5ZrjQqB1dyp1A+G73xeL/kNn7D5qHJIIsNNps7YNmk= +github.com/Azure/go-amqp v0.16.0/go.mod h1:9YJ3RhxRT1gquYnzpZO1vcYMMpAdJT+QEg6fwmw9Zlg= +github.com/Azure/go-amqp v0.16.4/go.mod h1:9YJ3RhxRT1gquYnzpZO1vcYMMpAdJT+QEg6fwmw9Zlg= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= 
@@ -158,72 +171,65 @@ github.com/Azure/go-autorest v10.8.1+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSW github.com/Azure/go-autorest v12.0.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= -github.com/Azure/go-autorest/autorest v0.11.3/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= -github.com/Azure/go-autorest/autorest v0.11.12/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw= -github.com/Azure/go-autorest/autorest v0.11.17/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw= +github.com/Azure/go-autorest/autorest v0.11.6/go.mod h1:V6p3pKZx1KKkJubbxnDWrzNhEIfOy/pTGasLqzHIPHs= +github.com/Azure/go-autorest/autorest v0.11.8/go.mod h1:V6p3pKZx1KKkJubbxnDWrzNhEIfOy/pTGasLqzHIPHs= github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= github.com/Azure/go-autorest/autorest v0.11.19/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= -github.com/Azure/go-autorest/autorest v0.11.20/go.mod h1:o3tqFY+QR40VOlk+pV4d77mORO64jOXSgEnPQgLK6JY= github.com/Azure/go-autorest/autorest v0.11.22/go.mod h1:BAWYUWGPEtKPzjVkp0Q6an0MJcJDsoh5Z1BFAEFs4Xs= +github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc= github.com/Azure/go-autorest/autorest v0.11.27 h1:F3R3q42aWytozkV8ihzcgMO4OA4cuqr3bNlsEuF6//A= github.com/Azure/go-autorest/autorest v0.11.27/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U= -github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod 
h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= +github.com/Azure/go-autorest/autorest/adal v0.9.4/go.mod h1:/3SMAM86bP6wC9Ev35peQDUeqFZBMH07vvUOmg4z/fE= github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= -github.com/Azure/go-autorest/autorest/adal v0.9.11/go.mod h1:nBKAnTomx8gDtl+3ZCJv2v0KACFHWTB2drffI1B68Pk= github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= github.com/Azure/go-autorest/autorest/adal v0.9.14/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= -github.com/Azure/go-autorest/autorest/adal v0.9.15/go.mod h1:tGMin8I49Yij6AQ+rvV+Xa/zwxYQB5hmsd6DkfAx2+A= github.com/Azure/go-autorest/autorest/adal v0.9.17/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= github.com/Azure/go-autorest/autorest/adal v0.9.20 h1:gJ3E98kMpFB1MFqQCvA1yFab8vthOeD4VlFRQULxahg= github.com/Azure/go-autorest/autorest/adal v0.9.20/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= -github.com/Azure/go-autorest/autorest/azure/auth v0.5.8/go.mod h1:kxyKZTSfKh8OVFWPAgOgQ/frrJgeYQJPyR5fLFmXko4= -github.com/Azure/go-autorest/autorest/azure/auth v0.5.9 h1:Y2CgdzitFDsdMwYMzf9LIZWrrTFysqbRc7b94XVVJ78= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.2/go.mod h1:q98IH4qgc3eWM4/WOeR5+YPmBuy8Lq0jNRDwSM0CuFk= github.com/Azure/go-autorest/autorest/azure/auth v0.5.9/go.mod h1:hg3/1yw0Bq87O3KvvnJoAh34/0zbP7SFizX/qN5JvjU= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 h1:P6bYXFoao05z5uhOQzbC3Qd8JqF3jUoocoTeIxkp2cA= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.11/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.1/go.mod h1:JfDgiIO1/RPu6z42AdQTyjOoCM2MFhLqSBDvMEkDgcg= github.com/Azure/go-autorest/autorest/azure/cli v0.4.2/go.mod h1:7qkJkT+j6b+hIpzMOwPChJhTqS8VbsqqgULzMNRugoM= 
-github.com/Azure/go-autorest/autorest/azure/cli v0.4.3/go.mod h1:yAQ2b6eP/CmLPnmLvxtT1ALIY3OR1oFcCqVBi8vHiTc= -github.com/Azure/go-autorest/autorest/azure/cli v0.4.4 h1:iuooz5cZL6VRcO7DVSFYxRcouqn6bFVE/e77Wts50Zk= github.com/Azure/go-autorest/autorest/azure/cli v0.4.4/go.mod h1:yAQ2b6eP/CmLPnmLvxtT1ALIY3OR1oFcCqVBi8vHiTc= -github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 h1:0W/yGmFdTIT77fvdlGZ0LMISoLHFJ7Tx4U0yeB+uFs4= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.5/go.mod h1:ADQAXrkgm7acgWVUNamOgh8YNrv4p27l3Wc55oVfpzg= github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= -github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= -github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw= github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU= -github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocmRAJWqST1wQYhyyjXJ3SJc= -github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA= github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk= github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE= -github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8= 
github.com/Azure/go-autorest/autorest/validation v0.3.1 h1:AgyqjAd94fwNAoTjl/WQXg4VvFeRFpO+UhNyRXqF1ac= github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= -github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= -github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1 h1:BWe8a+f/t+7KY7zH2mqygeUD0t8hNFXe08p1Pb3/jKE= github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/toml v0.4.1 h1:GaI7EiDXDRfa8VshkTj7Fym7ha+y8/XxIgD2okUIjLw= +github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DataDog/datadog-go v3.2.0+incompatible h1:qSG2N4FghB1He/r2mFrWKCaL7dXCilEuNEeAn20fdD4= github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= +github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs= github.com/GoogleCloudPlatform/cloudsql-proxy v0.0.0-20191009163259-e802c2cb94ae/go.mod h1:mjwGPas4yKduTyubHvD1Atl9r1rUq8DfVy+gkVvZ+oo= 
-github.com/GoogleCloudPlatform/cloudsql-proxy v1.24.0/go.mod h1:3tx938GhY4FC+E1KT/jNjDw7Z5qxAEtIiERJ2sXjnII= +github.com/GoogleCloudPlatform/cloudsql-proxy v1.27.0/go.mod h1:bn9iHmAjogMoIPkqBGyJ9R1m9cXGCjBE/cuhBs3oEsQ= github.com/GoogleCloudPlatform/cloudsql-proxy v1.32.0 h1:647YHw0ZJ3Uu5xlkytf1li7dqJ9mHg9zabuKdZP0vYU= github.com/GoogleCloudPlatform/cloudsql-proxy v1.32.0/go.mod h1:FjoDxLvxFAbnXFuUKkzM7rY66YaU/YHezlau786y9hs= -github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20200415212048-7901bc822317/go.mod h1:DF8FZRxMHMGv/vP2lQP6h+dYzzjpuRn24VeRiYn3qjQ= github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0= -github.com/Masterminds/goutils v1.1.0 h1:zukEsf/1JZwCMgHiK3GZftabmxiCw4apj3a28RPBiVg= github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= +github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= +github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/Masterminds/semver/v3 v3.0.3/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= 
@@ -232,8 +238,9 @@ github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030I github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= github.com/Masterminds/sprig v2.15.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= -github.com/Masterminds/sprig/v3 v3.2.0 h1:P1ekkbuU73Ui/wS0nK1HOM37hh4xdfZo485UPf8rc+Y= github.com/Masterminds/sprig/v3 v3.2.0/go.mod h1:tWhwTbUTndesPNeF0C900vKoq283u6zp4APT9vaF3SI= +github.com/Masterminds/sprig/v3 v3.2.2 h1:17jRggJu518dr3QaafizSXOjKYp94wKfABxUmyxvxX8= +github.com/Masterminds/sprig/v3 v3.2.2/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk= github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA= github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= @@ -242,7 +249,6 @@ github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugX github.com/Microsoft/go-winio v0.4.17-0.20210211115548-6eac466e5fa3/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= github.com/Microsoft/go-winio v0.4.17-0.20210324224401-5516f17a5958/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= github.com/Microsoft/go-winio v0.4.17/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= -github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= github.com/Microsoft/go-winio v0.5.1/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg= 
@@ -262,34 +268,31 @@ github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMo github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= +github.com/OpenPeeDeeP/depguard v1.0.1/go.mod h1:xsIw86fROiiwelg+jB2uM9PiKihMMmUx/1V+TNhjQvM= +github.com/PaesslerAG/gval v1.0.0 h1:GEKnRwkWDdf9dOmKcNrar9EA1bz1z9DqPIO1+iLzhd8= github.com/PaesslerAG/gval v1.0.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v24IBN1I= github.com/PaesslerAG/jsonpath v0.1.0/go.mod h1:4BzmtoM/PI8fPO4aQGIusjGxGir2BzcV0grWtFzq1Y8= +github.com/PaesslerAG/jsonpath v0.1.1 h1:c1/AToHQMVsduPAa4Vh6xp2U0evy4t8SWp8imEsylIk= github.com/PaesslerAG/jsonpath v0.1.1/go.mod h1:lVboNxFGal/VwW6d9JzIy56bUsYAP6tH/x80vjnCseY= github.com/PuerkitoBio/goquery v1.5.1/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBKeU+7zCJoLcc= -github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/ReneKroon/ttlcache/v2 v2.7.0/go.mod h1:mBxvsNY+BT8qLLd6CuAJubbKo6r0jh3nb5et22bbfGY= -github.com/ReneKroon/ttlcache/v2 v2.9.0 h1:NzwfErbifoNA3djEGwQJXKp/386imbyrc6Qmns5IX7c= -github.com/ReneKroon/ttlcache/v2 v2.9.0/go.mod h1:mBxvsNY+BT8qLLd6CuAJubbKo6r0jh3nb5et22bbfGY= 
+github.com/ReneKroon/ttlcache/v2 v2.10.0/go.mod h1:mBxvsNY+BT8qLLd6CuAJubbKo6r0jh3nb5et22bbfGY= +github.com/ReneKroon/ttlcache/v2 v2.11.0 h1:OvlcYFYi941SBN3v9dsDcC2N8vRxyHcCmJb3Vl4QMoM= +github.com/ReneKroon/ttlcache/v2 v2.11.0/go.mod h1:mBxvsNY+BT8qLLd6CuAJubbKo6r0jh3nb5et22bbfGY= github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ= github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo= -github.com/Shopify/sarama v1.30.0/go.mod h1:zujlQQx1kzHsh4jfV1USnptCQrHAEZ2Hk8fTKCulPVs= github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI= -github.com/Shopify/toxiproxy/v2 v2.1.6-0.20210914104332-15ea381dcdae/go.mod h1:/cvHQkZ1fst0EmZnA5dFtiQdWCNCFYzb+uE2vqVgvx0= +github.com/StackExchange/wmi v1.2.1/go.mod h1:rcmrprowKIVzvc+NUiLncP2uuArMWLCbu9SBzvHz7e8= github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY+9ef8E= github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE= github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/4+TcAqDqk/vUH7g= github.com/afex/hystrix-go v0.0.0-20180502004556-fa1af6a1f4f5/go.mod h1:SkGFH1ia65gfNATL8TAiHDNxPzPdmEL5uirI2Uyuz6c= github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM= -github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8= -github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo= github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs= -github.com/alecthomas/jsonschema v0.0.0-20180308105923-f2c93856175a/go.mod h1:qpebaTNSsyUn5rPSJMsfqEtDw71TTggXM6stUDI16HA= github.com/alecthomas/kingpin v2.2.6+incompatible/go.mod h1:59OFYbFVLKQKq+mqrL6Rw5bR0c3ACQaawgXx0QYndlE= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod 
h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= 
@@ -297,28 +300,29 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0= +github.com/alexkohler/prealloc v1.0.0/go.mod h1:VetnK3dIgFBBKmg0YnD9F9x6Icjd+9cvfHR56wJVlKE= github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 h1:MzBOUgng9orim59UnfUTLRjMpd09C5uEVQ6RPGeCaVI= github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129/go.mod h1:rFgpPQZYZ8vdbc+48xibu8ALc3yeyd64IhHS+PU6Yyg= github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= +github.com/andybalholm/brotli v1.0.2/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y= +github.com/andybalholm/brotli v1.0.3/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= github.com/andybalholm/cascadia v1.1.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= +github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/aokoli/goutils v1.0.1/go.mod h1:SijmP0QR8LtwsmDs8Yii5Z/S4trXFGFC2oO5g9DP+DQ= github.com/apache/beam v2.28.0+incompatible/go.mod h1:/8NX3Qi8vGstDLLaeaU7+lzVEu/ACaQhYjeefzQ0y1o= github.com/apache/beam v2.32.0+incompatible/go.mod h1:/8NX3Qi8vGstDLLaeaU7+lzVEu/ACaQhYjeefzQ0y1o= +github.com/apache/beam/sdks/v2 v2.0.0-20211012030016-ef4364519c94/go.mod h1:/kOom7hCyHVzAC/Z7HbZywkZZv6ywF+wb4CvgDVdcB8= github.com/apache/thrift v0.12.0/go.mod 
h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= github.com/apex/log v1.1.4/go.mod h1:AlpoD9aScyQfJDVHmLMEcx4oU6LqzkWp4Mg9GdAcEvQ= github.com/apex/logs v0.0.4/go.mod h1:XzxuLZ5myVHDy9SAmYpamKKRNApGj54PfYLcFrXqDwo= github.com/aphistic/golf v0.0.0-20180712155816-02c07f170c5a/go.mod h1:3NqKYiepwy8kCu4PNA+aP7WUV72eXWJeP9/r3/K9aLE= github.com/aphistic/sweet v0.2.0/go.mod h1:fWDlIh/isSE9n6EPsRmC0det+whmX6dJid3stzu0Xys= -github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= -github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= -github.com/armon/go-metrics v0.3.0/go.mod h1:zXjbSimjXTd7vOpY8B0/2LpvNvDoXBuplAD+gJD3GYs= -github.com/armon/go-metrics v0.3.3/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc= github.com/armon/go-metrics v0.3.9/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc= github.com/armon/go-metrics v0.3.10/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc= github.com/armon/go-metrics v0.4.1 h1:hR91U9KYmb6bLBYLQjyM+3j+rcd/UhE+G78SFnF8gJA= 
@@ -335,6 +339,8 @@ github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:o github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d h1:Byv0BzEl3/e6D5CLfI0j/7hiIEtvGVFPCZ7Ei2oq8iQ= github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= +github.com/ashanbrown/forbidigo v1.2.0/go.mod h1:vVW7PEdqEFqapJe95xHkTfB1+XvZXBFg8t0sG2FIxmI= +github.com/ashanbrown/makezero v0.0.0-20210520155254-b6261585ddde/go.mod h1:oG9Dnez7/ESBqc4EdrdNlryeo7d0KcW1ftXHm7nU/UU= github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0= github.com/aws/aws-sdk-go v1.15.27/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0= 
@@ -345,80 +351,107 @@ github.com/aws/aws-sdk-go v1.23.20/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpi github.com/aws/aws-sdk-go v1.25.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= -github.com/aws/aws-sdk-go v1.30.27/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0= github.com/aws/aws-sdk-go v1.34.28/go.mod h1:H7NKnBqNVzoTJpGfLrQkkD+ytBA93eiDYi/+8rV9s48= -github.com/aws/aws-sdk-go v1.35.24/go.mod h1:tlPOdRjfxPBpNIwqDj61rmsnA85v9jc0Ps9+muhnW+k= +github.com/aws/aws-sdk-go v1.36.30/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= -github.com/aws/aws-sdk-go v1.40.7/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= -github.com/aws/aws-sdk-go v1.40.34/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= -github.com/aws/aws-sdk-go v1.42.1/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= -github.com/aws/aws-sdk-go v1.42.18/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= -github.com/aws/aws-sdk-go v1.43.16 h1:Y7wBby44f+tINqJjw5fLH3vA+gFq4uMITIKqditwM14= -github.com/aws/aws-sdk-go v1.43.16/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= +github.com/aws/aws-sdk-go v1.42.8/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= +github.com/aws/aws-sdk-go v1.42.22/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= +github.com/aws/aws-sdk-go v1.42.25/go.mod h1:gyRszuZ/icHmHAVE4gc/r+cfCmhA1AD+vqfWbgI+eHs= +github.com/aws/aws-sdk-go v1.43.45 h1:2708Bj4uV+ym62MOtBnErm/CDX61C4mFe9V2gXy1caE= github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= -github.com/aws/aws-sdk-go-v2 v1.9.0/go.mod h1:cK/D0BBs0b/oWPIcX/Z/obahJK1TT7IPVjy53i/mX/4= +github.com/aws/aws-sdk-go-v2 v1.7.1/go.mod h1:L5LuPC1ZgDr2xQS7AmIec/Jlc7O/Y1u2KxJyNVab250= 
+github.com/aws/aws-sdk-go-v2 v1.11.0/go.mod h1:SQfA+m2ltnu1cA0soUkj4dRSsmITiVQUJvBIZjzfPyQ= +github.com/aws/aws-sdk-go-v2 v1.14.0/go.mod h1:ZA3Y8V0LrlWj63MQAnRHgKf/5QB//LSZCPNWlWrNGLU= github.com/aws/aws-sdk-go-v2 v1.16.13/go.mod h1:xSyvSnzh0KLs5H4HJGeIEsNYemUWdNIl0b/rP6SIsLU= github.com/aws/aws-sdk-go-v2 v1.16.15/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= github.com/aws/aws-sdk-go-v2 v1.16.16/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= github.com/aws/aws-sdk-go-v2 v1.17.0/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= github.com/aws/aws-sdk-go-v2 v1.17.1 h1:02c72fDJr87N8RAC2s3Qu0YuvMRZKNZJ9F+lAehCazk= github.com/aws/aws-sdk-go-v2 v1.17.1/go.mod h1:JLnGeGONAyi2lWXI1p0PCIOIy333JMVK1U7Hf0aRFLw= -github.com/aws/aws-sdk-go-v2/config v1.7.0/go.mod h1:w9+nMZ7soXCe5nT46Ri354SNhXDQ6v+V5wqDjnZE+GY= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.0.0/go.mod h1:Xn6sxgRuIDflLRJFj5Ev7UxABIkNbccFPV/p8itDReM= +github.com/aws/aws-sdk-go-v2/config v1.5.0/go.mod h1:RWlPOAW3E3tbtNAqTwvSW54Of/yP3oiZXMI0xfUdjyA= +github.com/aws/aws-sdk-go-v2/config v1.10.1/go.mod h1:auIv5pIIn3jIBHNRcVQcsczn6Pfa6Dyv80Fai0ueoJU= github.com/aws/aws-sdk-go-v2/config v1.17.4 h1:9HY1wbShqObySCHP2Z07blfrSWVX+nVxCZmUuLZKcG8= github.com/aws/aws-sdk-go-v2/config v1.17.4/go.mod h1:ul+ru+huVpfduF9XRmGUq82T8T3K+nIFQuF6F+L+548= -github.com/aws/aws-sdk-go-v2/credentials v1.4.0/go.mod h1:dgGR+Qq7Wjcd4AOAW5Rf5Tnv3+x7ed6kETXyS9WCuAY= +github.com/aws/aws-sdk-go-v2/credentials v1.3.1/go.mod h1:r0n73xwsIVagq8RsxmZbGSRQFj9As3je72C2WzUIToc= +github.com/aws/aws-sdk-go-v2/credentials v1.6.1/go.mod h1:QyvQk1IYTqBWSi1T6UgT/W8DMxBVa5pVuLFSRLLhGf8= github.com/aws/aws-sdk-go-v2/credentials v1.12.17 h1:htUjIJOQcvIUR0jC4eLkdis1DfaLL4EUbIKUFqh2WFA= github.com/aws/aws-sdk-go-v2/credentials v1.12.17/go.mod h1:jd1mvJulXY7ccHvcSiJceYhv06yWIIRkJnwWEA4IX+g= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.5.0/go.mod h1:CpNzHK9VEFUCknu50kkB8z58AH2B5DvPP7ea1LHve/Y= 
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.3.0/go.mod h1:2LAuqPx1I6jNfaGDucWfA2zqQCYCOMCDHiCOciALyNw= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.8.0/go.mod h1:5E1J3/TTYy6z909QNR0QnXGBpfESYGDqd3O0zqONghU= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14 h1:NZwZFtxXGOEIiCd8jWN55lexakug543CaO68bTpoLwg= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14/go.mod h1:5CU57SyF5jZLSIw4OOll0PG83ThXwNdkRFOc0EltD/0= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.7.1/go.mod h1:wN/mvkow08GauDwJ70jnzJ1e+hE+Q3Q7TwpYLXOe9oI= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.0/go.mod h1:NO3Q5ZTTQtO2xIg2+xTXYDiT7knSejfeDm7WGDaOo0U= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.5/go.mod h1:2hXc8ooJqF2nAznsbJQIn+7h851/bu8GVC80OVTTqf8= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.20/go.mod h1:gdZ5gRUaxThXIZyZQ8MTtgYBk2jbHgp05BO3GcD9Cwc= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.22/go.mod h1:/vNv5Al0bpiF8YdX2Ov6Xy05VTiXsql94yUqJMYaj0w= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.23/go.mod h1:2DFxAQ9pfIRy0imBCJv+vZ2X6RKxves6fbnEuSry6b4= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.24/go.mod h1:ghMzB/j2wRbPx5/4jPYxJdOtCG2ggrtY01j8K7FMBDA= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 h1:nBO/RFxeq/IS5G9Of+ZrgucRciie2qpLy++3UGZ+q2E= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25/go.mod h1:Zb29PYkf42vVYQY6pvSyJCJcFHlPIiY+YKdPtwnvMkY= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.0.0/go.mod h1:anlUzBoEWglcUxUQwZA7HQOEVEnQALVZsizAapB2hq8= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.3.0/go.mod h1:miRSv9l093jX/t/j+mBCaLqFHo9xKYzJ7DGm1BsGoJM= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.14/go.mod h1:GEV9jaDPIgayiU+uevxwozcvUOjc+P4aHE2BeSjm2vE= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.16/go.mod h1:62dsXI0BqTIGomDl8Hpm33dv0OntGaVblri3ZRParVQ= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17/go.mod 
h1:pRwaTYCJemADaqCbUAxltMoHKata7hmB5PjEXeu0kfg= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.18/go.mod h1:fkQKYK/jUhCL/wNS1tOPrlYhr9vqutjCz4zZC1wBE1s= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 h1:oRHDrwCTVT8ZXi4sr9Ld+EXk7N/KGssOr2ygNeojEhw= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19/go.mod h1:6Q0546uHDp421okhmmGfbxzq2hBqbXFNpi4k+Q1JnQA= -github.com/aws/aws-sdk-go-v2/internal/ini v1.2.2/go.mod h1:BQV0agm+JEhqR+2RT5e1XTFIDcAAV0eW6z2trp+iduw= +github.com/aws/aws-sdk-go-v2/internal/ini v1.1.1/go.mod h1:Zy8smImhTdOETZqfyn01iNOe0CNggVbPjCajyaz6Gvg= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.0/go.mod h1:6oXGy4GLpypD3uCh8wcqztigGgmhLToMfjavgh+VySg= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21 h1:lpwSbLKYTuABo6SyUoC25xAmfO3/TehGS2SmD1EtOL0= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21/go.mod h1:Q0pktZjvRZk77TBto6yAvUAi7fcse1bdcMctBDVGgBw= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 h1:2f0kb+39miQPRp0b7Sqq06+TpxI0Nfcra41QxzJPME8= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0/go.mod h1:AVLIBQ9V7mcHd5uZT1+wUbBt4QaI/XcOens85Ib0W1o= github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.0 h1:9ailn+011zwUJdS8RuamANJVAyX+aoUyTaBrw0CHRdE= github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.0/go.mod h1:0+6fPoY0SglgzQUs2yml7X/fup12cMlVumJufh5npRQ= +github.com/aws/aws-sdk-go-v2/service/ecr v1.4.1/go.mod h1:FglZcyeiBqcbvyinl+n14aT/EWC7S1MIH+Gan2iizt0= +github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0 h1:lY2Z2sBP+zSbJ6CvvmnFgPcgknoQ0OJV88AwVetRRFk= +github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0/go.mod h1:4zYI85WiYDhFaU1jPFVfkD7HlBcdnITDE3QxDwy4Kus= +github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.4.1/go.mod h1:eD5Eo4drVP2FLTw0G+SMIPWNWvQRGGTtIZR2XeAagoA= +github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.12.0 h1:LsqBpyRofMG6eDs6YGud6FhdGyIyXelAasPOZ6wWLro= +github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.12.0/go.mod h1:IArQ3IBR00FkuraKwudKZZU32OxJfdTdwV+W5iZh3Y4= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 
h1:m/WtVqEvgwDiUPIW2dtnF2hDE1O62MEflz9ClOlCXAs= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16/go.mod h1:w8wndcRxwILFQAzwkUKyEDz4LDHEBSR78KRdaNjUKQA= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.3.0/go.mod h1:R1KK+vY8AfalhG1AOu5e35pOD2SdoPKQCFLTvnxiohk= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.5.0/go.mod h1:80NaCIH9YU3rzTTs/J/ECATjXuRqzo/wB6ukO6MZ0XY= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.2.1/go.mod h1:zceowr5Z1Nh2WVP8bf/3ikB41IZW59E4yIYbg+pC6mw= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.5.0/go.mod h1:Mq6AEc+oEjCUlBuLiK5YwW4shSOAKCQ3tXN0sQeYoBA= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.14/go.mod h1:8qOLjqMzY/S1kh3myDXA1yxK5eD4uN8aOJgKpgvc4OM= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.17/go.mod h1:4nYOrY41Lrbk2170/BGkcJKBhws9Pfn8MG3aGqjjeFI= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.18 h1:5oiCDEOHnYkk7uTVI8Wv6ftdFfb6YlUUNzkeePVIPjY= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.18/go.mod h1:QtCDHDOXunxeihz7iU15e09u9gRIeaa5WeE6FZVnGUo= -github.com/aws/aws-sdk-go-v2/service/kms v1.5.0/go.mod h1:w7JuP9Oq1IKMFQPkNe3V6s9rOssXzOVEMNEqK1L1bao= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.9.0/go.mod h1:xKCZ4YFSF2s4Hnb/J0TLeOsKuGzICzcElaOKNGrVnx4= +github.com/aws/aws-sdk-go-v2/service/kms v1.10.0/go.mod h1:ZkHWL8m5Nw1g9yMXqpCjnIJtSDToAmNbXXZ9gj0bO7s= github.com/aws/aws-sdk-go-v2/service/kms v1.18.8 h1:0YzDYm5rFuwzqwhBg94OYa2TKbdd5dUsf9+uPHwoYns= github.com/aws/aws-sdk-go-v2/service/kms v1.18.8/go.mod h1:NjgXnn0pk5rLSWZIgtx0BCwoCugRXzKZ7cDNsl98W7U= -github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.6.0/go.mod h1:B+7C5UKdVq1ylkI/A6O8wcurFtaux0R1njePNPtKwoA= +github.com/aws/aws-sdk-go-v2/service/s3 v1.19.0/go.mod h1:Gwz3aVctJe6mUY9T//bcALArPUaFmNAy2rTB9qN4No8= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.10.0/go.mod h1:qAgsrzF3Z2vvV01j79fs7D75ofCMQe81/OKBJx0rjFY= 
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 h1:Lh1yssM4dinNZuESsXnbi+pID8hoviejLZdLmT175i8= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0/go.mod h1:z0y2iDaghoq7uv6kndhrJCTzgVckv8Aak8kpnu2kYjs= -github.com/aws/aws-sdk-go-v2/service/ssm v1.10.0/go.mod h1:4dXS5YNqI3SNbetQ7X7vfsMlX6ZnboJA2dulBwJx7+g= -github.com/aws/aws-sdk-go-v2/service/sso v1.4.0/go.mod h1:+1fpWnL96DL23aXPpMGbsmKe8jLTEfbjuQoA4WS1VaA= +github.com/aws/aws-sdk-go-v2/service/sns v1.11.0/go.mod h1:LIPf3BTbSY5UeVli+x/1y2Qw1w8T9DYyp7p18Qt8Zc8= +github.com/aws/aws-sdk-go-v2/service/sqs v1.12.0/go.mod h1:TDqDmQnsbgL2ZMIGUf3z9xTzCMqFX7FP1geAgIlYqvA= +github.com/aws/aws-sdk-go-v2/service/ssm v1.15.0/go.mod h1:kJa2uHklY03rKsNSbEsToeUgWJ1PambXBtRNacorRhg= +github.com/aws/aws-sdk-go-v2/service/sso v1.3.1/go.mod h1:J3A3RGUvuCZjvSuZEcOpHDnzZP/sKbhDWV2T1EOzFIM= +github.com/aws/aws-sdk-go-v2/service/sso v1.6.0/go.mod h1:Q/l0ON1annSU+mc0JybDy1Gy6dnJxIcWjphO6qJPzvM= github.com/aws/aws-sdk-go-v2/service/sso v1.11.20 h1:3raP0UC9rvRyY4/cc4o4F3jTrNo94AYiarNUGNnq6dU= github.com/aws/aws-sdk-go-v2/service/sso v1.11.20/go.mod h1:hPsROgDdgY/NQ1gPt7VJWG0GjSnalDC0DkkMfGEw2gc= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.2 h1:/SYpdjjAtraymql+/r719OgjxezdanAQiLb/NMxDb04= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.2/go.mod h1:5cxfDYtY2mDOlmesy4yycb6lwyy1U/iAUOHKhQLKw/E= -github.com/aws/aws-sdk-go-v2/service/sts v1.7.0/go.mod h1:0qcSMCyASQPN2sk/1KQLQ2Fh6yq8wm0HSDAimPhzCoM= +github.com/aws/aws-sdk-go-v2/service/sts v1.6.0/go.mod h1:q7o0j7d7HrJk/vr9uUt3BVRASvcU7gYZB9PUgPiByXg= +github.com/aws/aws-sdk-go-v2/service/sts v1.10.0/go.mod h1:jLKCFqS+1T4i7HDqCP9GM4Uk75YW1cS0o82LdxpMyOE= github.com/aws/aws-sdk-go-v2/service/sts v1.16.16/go.mod h1:Y9iBgT1w2vHtYzJEkwD6FqILjDSsvbxcW/+wIYxyse4= github.com/aws/aws-sdk-go-v2/service/sts v1.17.0 h1:9S0HcZUxKcU3HdN+M6GgLIvdbg9as5aOoHrvwRsPNYU= github.com/aws/aws-sdk-go-v2/service/sts v1.17.0/go.mod h1:9pZN58zQc5a4Dkdnhu/rI1lNBui1vP5B0giGCuUt2b0= 
-github.com/aws/smithy-go v1.8.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E= +github.com/aws/smithy-go v1.6.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E= +github.com/aws/smithy-go v1.9.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E= +github.com/aws/smithy-go v1.11.0/go.mod h1:3xHYmszWVx2c0kIwQeEVf9uSm4fYZt67FBJnwub1bgM= github.com/aws/smithy-go v1.13.1/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/aws/smithy-go v1.13.4 h1:/RN2z1txIJWeXeOkzX+Hk/4Uuvv7dWtCjbmVJcrskyk= github.com/aws/smithy-go v1.13.4/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220228164355-396b2034c795 h1:IWeCJzU+IYaO2rVEBlGPTBfe90cmGXFTLdhUFlzDGsY= +github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220228164355-396b2034c795/go.mod h1:8vJsEZ4iRqG+Vx6pKhWK6U00qcj0KC37IsfszMkY6UE= github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I= github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A= github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= 
@@ -435,24 +468,26 @@ github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngE github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA= github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84= github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM= +github.com/bkielbasa/cyclop v1.2.0/go.mod h1:qOI0yy6A7dYC4Zgsa72Ppm9kONl0RoIlPbzot9mhmeI= github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI= github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= -github.com/blendle/zapdriver v1.3.1/go.mod h1:mdXfREi6u5MArG4j9fewC+FGnXaBR+T4Ox4J2u4eHCc= +github.com/blizzy78/varnamelen v0.3.0/go.mod h1:hbwRdBvoBqxk34XyQ6HA0UH3G0/1TKuv5AC4eaBT0Ec= github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4= -github.com/bmizerany/perks v0.0.0-20141205001514-d9a9656a3a4b/go.mod h1:ac9efd0D1fsDb3EJvhqgXRbFx7bs2wqZ10HQPeU8U/Q= +github.com/bombsimon/wsl/v3 v3.3.0/go.mod h1:st10JtZYLE4D5sC7b8xV4zTKZwAQjCH/Hy2Pm1FNZIc= github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA= +github.com/breml/bidichk v0.1.1/go.mod h1:zbfeitpevDUGI7V91Uzzuwrn4Vls8MoBMrwtt78jmso= github.com/bshuster-repo/logrus-logstash-hook v0.4.1/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod 
h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s= github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8= github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50= github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE= +github.com/butuzov/ireturn v0.1.1/go.mod h1:Wh6Zl3IMtTpaIKbmwzqi6olnM9ptYQxxVacMsOEFPoc= github.com/bytecodealliance/wasmtime-go v0.31.0/go.mod h1:q320gUxqyI8yB+ZqRuaJOEnGkAnHh6WtJjMaT2CW4wI= -github.com/bytecodealliance/wasmtime-go v1.0.0 h1:9u9gqaUiaJeN5IoD1L7egD8atOnTGyJcNp8BhkL9cUU= -github.com/c2h5oh/datasize v0.0.0-20171227191756-4eba002a5eae/go.mod h1:S/7n9copUssQ56c7aAgHqftWO4LTf4xY6CGWt8Bc+3M= +github.com/bytecodealliance/wasmtime-go v0.33.1 h1:TFep11LiqCy1B6QUIAtqH3KZTbZcKasm89/AF9sqLnA= github.com/caarlos0/ctrlc v1.0.0/go.mod h1:CdXpj4rmq0q/1Eb44M9zi2nKB0QraNKuRGYGrrHhcQw= github.com/cactus/go-statsd-client/statsd v0.0.0-20200423205355-cb0885a1018c/go.mod h1:l/bIBLeOl9eX+wxJAzxS4TveKRtAqlyDpHjhkfO0MEI= github.com/campoy/unique v0.0.0-20180121183637-88950e537e7e/go.mod h1:9IOqJGCPMSc6E5ydlp5NIonxObaeu/Iub/X03EKPVYo= 
@@ -467,16 +502,22 @@ github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4r github.com/cenkalti/backoff/v4 v4.1.1/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw= github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/census-instrumentation/opencensus-proto v0.3.0 h1:t/LhUZLVitR1Ow2YOnduCsavhwFUklBMoGVYUCqmCqk= github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= +github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054 h1:uH66TXeswKn5PW5zdZ39xEwfS9an067BirqA+P4QaLI= github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE= github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/charithe/durationcheck v0.0.9/go.mod h1:SSbRIBVfMjCi/kEB6K65XEA83D6prSM8ap1UCpNKtgg= +github.com/chavacava/garif v0.0.0-20210405164556-e8a0a408d6af/go.mod h1:Qjyv4H3//PWVzTeCezG2b9IRn6myJxJSr4TD/xo6ojU= github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw= github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M= +github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21 h1:XlpL9EHrPOBJMLDDOf35/G4t5rGAFNNAZQ3cDcWavtc= 
+github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21/go.mod h1:Zlre/PVxuSI9y6/UV4NwGixQ48RHQDSPiUkofr6rbMU= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= 
@@ -493,22 +534,29 @@ github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGX github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= +github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe h1:QQ3GSy+MqSHxm/d8nCtnAiZdYFd45cYZPs8vOOIYKfk= +github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490 h1:KwaoQzs/WeUxxJqiJsZ4euOly1Az/IgZXXSxlD/UBNk= github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20220520190051-1e77728a1eaa h1:B/lvg4tQ5hfFZd4V2hcSfFVfUvAK6GSFKxIIzwnkv8g= +github.com/cncf/xds/go v0.0.0-20220520190051-1e77728a1eaa/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ= -github.com/cockroachdb/apd/v2 v2.0.1/go.mod h1:DDxRlzC2lo3/vSlmSoS7JkqbbrARPuFOGr0B9pvN3Gw= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= 
+github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5 h1:xD/lrqdvwsc+O2bjSSi3YqY73Ke3LAiSCx49aCesA0E= github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo= +github.com/cockroachdb/errors v1.2.4 h1:Lap807SXTH5tri2TivECb/4abUkMZC9zRoLarvcKDqs= github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA= +github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f h1:o/kfcElHqOiXqcou5a3rIlMc7oJbMQkeLk0VQJ7zgqY= github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI= github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI= github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE= github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4= +github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ= +github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w= github.com/containerd/aufs v0.0.0-20200908144142-dab0cbea06f4/go.mod h1:nukgQABAEopAHvB6j7cnP5zJ+/3aVcE7hCYqvIwAHyE= github.com/containerd/aufs v0.0.0-20201003224125-76a6863f2989/go.mod h1:AkGGQs9NM2vtYHaUen+NljV0/baGCAPELGm2q9ZXpWU= github.com/containerd/aufs v0.0.0-20210316121734-20793ff83c97/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU= 
@@ -533,7 +581,6 @@ github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go. github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/containerd v1.3.1-0.20191213020239-082f7e3aed57/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/containerd v1.3.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/containerd/containerd v1.3.4/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/containerd v1.4.0-beta.2.0.20200729163537-40b22ef07410/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/containerd v1.4.1/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/containerd v1.4.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= 
@@ -542,12 +589,11 @@ github.com/containerd/containerd v1.5.0-beta.1/go.mod h1:5HfvG1V2FsKesEGQ17k5/T7 github.com/containerd/containerd v1.5.0-beta.3/go.mod h1:/wr9AVtEM7x9c+n0+stptlo/uBBoBORwEx6ardVcmKU= github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09ZvgqEq8EfBp/m3lcVZIvPHhI= github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s= -github.com/containerd/containerd v1.5.2/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g= github.com/containerd/containerd v1.5.8/go.mod h1:YdFSv5bTFLpG2HIYmfqDpSYYTDX+mc5qtSuYx1YUb/s= +github.com/containerd/containerd v1.5.9/go.mod h1:fvQqCfadDGga5HZyn3j4+dx56qj2I9YwBrlSdalvJYQ= github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= -github.com/containerd/continuity v0.0.0-20200709052629-daa8e1ccc0bc/go.mod h1:cECdGN1O8G9bgKTlLhuPJimka6Xb/Gg7vYzCTNVxhvo= github.com/containerd/continuity v0.0.0-20200710164510-efbc4488d8fe/go.mod h1:cECdGN1O8G9bgKTlLhuPJimka6Xb/Gg7vYzCTNVxhvo= github.com/containerd/continuity v0.0.0-20201208142359-180525291bb7/go.mod h1:kR3BEg7bDFaEddKm54WSmrol1fKWDU1nKYkgrcgZT7Y= github.com/containerd/continuity v0.0.0-20210208174643-50096c924a4e/go.mod h1:EXlVlkqNba9rJe3j7w3Xa924itAMLgZH4UD/Q4PExuQ= 
@@ -572,9 +618,6 @@ github.com/containerd/imgcrypt v1.1.1/go.mod h1:xpLnwiQmEUJPvQoAapeb2SNCxz7Xr6PJ github.com/containerd/nri v0.0.0-20201007170849-eb1350a75164/go.mod h1:+2wGSDGFYfE5+So4M5syatU0N0f0LbWpuqyMi4/BE8c= github.com/containerd/nri v0.0.0-20210316161719-dbaa18c31c14/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY= github.com/containerd/nri v0.1.0/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY= -github.com/containerd/stargz-snapshotter/estargz v0.4.1/go.mod h1:x7Q9dg9QYb4+ELgxmo4gBUeJB0tl5dqH1Sdz0nJU1QM= -github.com/containerd/stargz-snapshotter/estargz v0.6.4/go.mod h1:83VWDqHnurTKliEB0YvWMiCfLDwv4Cjj1X9Vk98GJZw= -github.com/containerd/stargz-snapshotter/estargz v0.7.0/go.mod h1:83VWDqHnurTKliEB0YvWMiCfLDwv4Cjj1X9Vk98GJZw= github.com/containerd/stargz-snapshotter/estargz v0.10.1 h1:hd1EoVjI2Ax8Cr64tdYqnJ4i4pZU49FkEf5kU8KxQng= github.com/containerd/stargz-snapshotter/estargz v0.10.1/go.mod h1:aE5PCyhFMwR8sbrErO5eM2GcvkyXTTJremG883D4qF0= github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o= 
@@ -607,17 +650,19 @@ github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8Nz github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= github.com/coreos/go-iptables v0.5.0/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= -github.com/coreos/go-oidc/v3 v3.0.0/go.mod h1:rEJ/idjfUyfkBit1eI1fvyr+64/g9dcKpAm8MJMesvo= github.com/coreos/go-oidc/v3 v3.1.0 h1:6avEvcdvTa1qYsOZ6I5PRkSYHzpTNWgKYmaJfaYbrRw= github.com/coreos/go-oidc/v3 v3.1.0/go.mod h1:rEJ/idjfUyfkBit1eI1fvyr+64/g9dcKpAm8MJMesvo= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-systemd v0.0.0-20161114122254-48702e0da86b/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd v0.0.0-20190620071333-e64a0ec8b42a/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= +github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzAJc1DzSI= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod 
h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= @@ -625,6 +670,7 @@ github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwc github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= @@ -638,6 +684,7 @@ github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c/go.mod h1:Ct2BUK8SB0YC1S github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW34z5W5s= github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5/go.mod h1:Eo87+Kg/IX2hfWJfwxMzLyuSZyxSoAug2nGa1G2QAi8= github.com/d2g/hardwareaddr v0.0.0-20190221164911-e7d9fbe030e4/go.mod h1:bMl4RjIciD2oAxI7DmWRx6gbeqrkoLqv3MV0vzNad+I= +github.com/daixiang0/gci v0.2.9/go.mod h1:+4dZ7TISfSmqfAGv59ePaHfNzgGtIkHAhhdKggP1JAc= github.com/danieljoos/wincred v1.0.2/go.mod h1:SnuYRW9lp1oJrZX/dXJqr0cPK5gYXqx3EJbmjhLdK9U= github.com/danieljoos/wincred v1.1.0/go.mod h1:XYlo+eRTsVA9aHGp7NGjFkPla4m+DCL7hqDjlFjiygg= github.com/danieljoos/wincred v1.1.1/go.mod h1:gSBQmTx6G0VmLowygiA7ZD0p0E09HJ68vta8z/RT2d0= 
@@ -645,8 +692,9 @@ github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/denis-tingajkin/go-header v0.4.2/go.mod h1:eLRHAVXzE5atsKAnNRDB90WHCFFnBUn4RN0nRcs1LJA= github.com/denisenkom/go-mssqldb v0.0.0-20191124224453-732737034ffd/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= -github.com/denisenkom/go-mssqldb v0.9.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= +github.com/denisenkom/go-mssqldb v0.11.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= github.com/denisenkom/go-mssqldb v0.12.2 h1:1OcPn5GBIobjWNd+8yjfHNIaFX14B1pWI3F9HZy5KXw= github.com/denisenkom/go-mssqldb v0.12.2/go.mod h1:lnIw1mZukFRZDJYQ0Pb833QS2IaC3l5HkEfra2LJ+sk= github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0= 
@@ -659,30 +707,24 @@ github.com/dgrijalva/jwt-go v0.0.0-20170104182250-a601269ab70c/go.mod h1:E3ru+11 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= -github.com/dgryski/go-gk v0.0.0-20140819190930-201884a44051/go.mod h1:qm+vckxRlDt0aOla0RYJJVeqHZlWfOm2UIxHaqPB46E= -github.com/dgryski/go-lttb v0.0.0-20180810165845-318fcdf10a77/go.mod h1:Va5MyIzkU0rAM92tn3hb3Anb7oz7KcnixF49+2wOMe4= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= -github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g= -github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U= github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= -github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/cli v20.10.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/cli v20.10.11+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v20.10.12+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/cli v20.10.17+incompatible 
h1:eO2KS7ZFeov5UJeaDmIs1NFEDRf32PaqRpvoEkKBy5M= github.com/docker/cli v20.10.17+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TTO4EOBfRPhZXAeF1Vu+W3hHZ8eLp8PgKVZlcvtFY= github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug= github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v1.4.2-0.20200319182547-c7ad2b866182/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v20.10.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/distribution v2.8.0+incompatible h1:l9EaZDICImO1ngI+uTifW+ZYvvz7fKISBAKpg+MbWbY= +github.com/docker/distribution v2.8.0+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v20.10.11+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v20.10.12+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v20.10.20+incompatible h1:kH9tx6XO+359d+iAkumyKDc5Q1kOwPuAUaeri48nD6E= github.com/docker/docker v20.10.20+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= 
@@ -705,7 +747,6 @@ github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dvyukov/go-fuzz v0.0.0-20210914135545-4980593459a1/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw= github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= -github.com/eapache/go-resiliency v1.2.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M= @@ -714,7 +755,6 @@ github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful/v3 v3.8.0 h1:eCZ8ulSerjdAiaNpF7GxXIE7ZCMo1moN1qX+S609eVw= github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/emicklei/proto v1.6.15/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A= github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o= github.com/envoyproxy/go-control-plane v0.6.9/go.mod h1:SBwIajubJHhxtWwsL9s8ss4safvEdbitLhGGK48rN6g= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 
@@ -728,13 +768,17 @@ github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go. github.com/envoyproxy/go-control-plane v0.10.1/go.mod h1:AY7fTTXNdv/aJ2O5jwpxAPOWUZ7hQAEvzN5Pf27BkQQ= github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1 h1:xvqufLtNVwAhN8NMyWklVgxnWohi+wtMGQMhtxexlm0= github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= +github.com/envoyproxy/protoc-gen-validate v0.0.14/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.3.0-java/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/envoyproxy/protoc-gen-validate v0.6.2 h1:JiO+kJTpmYGjEodY7O1Zk8oZcNz1+f30UtwtXoFUPzE= github.com/envoyproxy/protoc-gen-validate v0.6.2/go.mod h1:2t7qjJNvHPx8IjnBOzl9E9/baC+qXE/TeeyBRzgJDws= +github.com/envoyproxy/protoc-gen-validate v0.6.7 h1:qcZcULcd/abmQg6dwigimCNEyi4gg31M/xaciQlDml8= +github.com/envoyproxy/protoc-gen-validate v0.6.7/go.mod h1:dyJXwwfPK2VSqiB9Klm1J6romD608Ba7Hij42vrOBCo= github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 h1:Yzb9+7DPaBjB8zlTR87/ElzFsnQfuHnVUVqpZZIcV5Y= github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0= +github.com/esimonov/ifshort v1.0.3/go.mod h1:yZqNJUrNn20K8Q9n2CrjTKYyVEmX209Hgu+M1LBpeZE= github.com/etcd-io/gofail v0.0.0-20190801230047-ad7f989257ca/go.mod h1:49H/RkXP8pKaZy4h0d+NW16rSLhyVBt4o6VLJbmOqDE= +github.com/ettle/strcase v0.1.1/go.mod h1:hzDLsPC7/lwKyBOywSHEP89nt2pDgdy+No1NBA9o9VY= github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ= github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v4.12.0+incompatible 
h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= @@ -742,12 +786,17 @@ github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQL github.com/evanphx/json-patch/v5 v5.5.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= +github.com/facebookgo/clock v0.0.0-20150410010913-600d898af40a h1:yDWHCSQ40h88yih2JAcL6Ls/kVkSE8GFACTGVnMPruw= +github.com/facebookgo/limitgroup v0.0.0-20150612190941-6abd8d71ec01 h1:IeaD1VDVBPlx3viJT9Md8if8IxxJnO+x0JCGb054heg= +github.com/facebookgo/muster v0.0.0-20150708232844-fd3d7953fd52 h1:a4DFiKFJiDRGFD1qIcqGLX/WlUMD9dyLSLDt+9QZgt8= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= +github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM= github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo= github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= +github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94= github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/felixge/httpsnoop v1.0.2 h1:+nS9g82KMXccJ/wp0zyRW9ZBHFETmMGtkk+2CTTrW4o= github.com/felixge/httpsnoop v1.0.2/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= 
@@ -755,6 +804,7 @@ github.com/flynn/go-docopt v0.0.0-20140912013429-f6dd2ebbb31e/go.mod h1:HyVoz1Mz github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= +github.com/form3tech-oss/jwt-go v3.2.5+incompatible h1:/l4kBbb4/vGSsdtB5nUe8L7B9mImVMaBPw9L/0TBHU8= github.com/form3tech-oss/jwt-go v3.2.5+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/fortytw2/leaktest v1.2.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= 
@@ -765,19 +815,24 @@ github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVB github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20= github.com/frankban/quicktest v1.10.0/go.mod h1:ui7WezCLWMWxVWr1GETZY3smRy0G4KWq9vcPtJmFl7Y= github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= -github.com/frankban/quicktest v1.13.0 h1:yNZif1OkDfNoDfb9zZa9aXIpejNR4F23Wely0c+Qdqk= github.com/frankban/quicktest v1.13.0/go.mod h1:qLE0fzW0VuyUAJgPU19zByoIr0HtCHN/r/VLSOOIySU= +github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU= github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI= github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA= +github.com/fullstorydev/grpcurl v1.6.0/go.mod h1:ZQ+ayqbKMJNhzLmbpCiurTVlaK2M/3nqZCxaQ2Ze/sM= github.com/fullstorydev/grpcurl v1.8.0/go.mod h1:Mn2jWbdMrQGJQ8UD62uNyMumT2acsZUCkZIqFxsQf1o= github.com/fullstorydev/grpcurl v1.8.1/go.mod h1:3BWhvHZwNO7iLXaQlojdg5NA6SxUDePli4ecpK1N7gw= github.com/fullstorydev/grpcurl v1.8.2/go.mod h1:YvWNT3xRp2KIRuvCphFodG0fKkMXwaxA9CJgKCcyzUQ= +github.com/fullstorydev/grpcurl v1.8.6 h1:WylAwnPauJIofYSHqqMTC1eEfUIzqzevXyogBxnQquo= +github.com/fullstorydev/grpcurl v1.8.6/go.mod h1:WhP7fRQdhxz2TkL97u+TCb505sxfH78W1usyoB3tepw= +github.com/fzipp/gocyclo v0.3.1/go.mod h1:DJHO6AUmbdqj2ET4Z9iArSuwWgYDRryYt2wASxc7x3E= github.com/garyburd/redigo v0.0.0-20150301180006-535138d7bcd7/go.mod 
h1:NR3MbYisc3/PwhQ00EMzDiPmrwpPxAn5GI05/YaO1SY= github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg= +github.com/getsentry/raven-go v0.2.0 h1:no+xWJRb5ZI7eE8TWgIq1jLulQiIoLG0IfYxv5JYMGs= github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ= github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= 
@@ -785,12 +840,14 @@ github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeME github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI= github.com/gin-gonic/gin v1.5.0/go.mod h1:Nd6IXA8m5kNZdNEHMBd93KT+mdY3+bewLgRvmCsR2Do= github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M= +github.com/gin-gonic/gin v1.7.3/go.mod h1:jD2toBW3GZUr5UMcdrwQA10I7RuaFOl/SGeDjXkfUtY= github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0= github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec= github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= +github.com/go-critic/go-critic v0.6.1/go.mod h1:SdNCfU0yF3UBjtaZGw6586/WocupMOJuiqgom5DsQxM= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= 
@@ -800,7 +857,6 @@ github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2 github.com/go-kit/kit v0.10.0/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o= github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0= -github.com/go-ldap/ldap/v3 v3.1.3/go.mod h1:3rbOH3jRS2u6jg2rJnKAMLE/xQyCKIveG2Sa/Cohzb8= github.com/go-ldap/ldap/v3 v3.1.10/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= @@ -808,7 +864,6 @@ github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= -github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= 
@@ -816,6 +871,7 @@ github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbV github.com/go-logr/zapr v1.2.0/go.mod h1:Qa4Bsj2Vb+FAVeAKsLD8RLQ+YRJB8YDmOAKxaBQf7Ro= github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4= +github.com/go-ole/go-ole v1.2.5/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY= github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI= @@ -827,8 +883,9 @@ github.com/go-openapi/analysis v0.19.5/go.mod h1:hkEAkxagaIvIP7VTn8ygJNkd4kAYON2 github.com/go-openapi/analysis v0.19.10/go.mod h1:qmhS3VNFxBlquFJ0RGoDtylO9y4pgTAUNE9AEEMdlJQ= github.com/go-openapi/analysis v0.19.16/go.mod h1:GLInF007N83Ad3m8a/CbQ5TPzdnGT7workfHwuVjNVk= github.com/go-openapi/analysis v0.20.0/go.mod h1:BMchjvaHDykmRMsK40iPtvyOfFdMMxlOmQr9FBZk+Og= -github.com/go-openapi/analysis v0.20.1 h1:zdVbw8yoD4SWZeq+cWdGgquaB0W4VrsJvDJHJND/Ktc= github.com/go-openapi/analysis v0.20.1/go.mod h1:BMchjvaHDykmRMsK40iPtvyOfFdMMxlOmQr9FBZk+Og= +github.com/go-openapi/analysis v0.21.2 h1:hXFrOYFHUAMQdu6zwAiKKJHJQ8kqZs1ux/ru1P1wLJU= +github.com/go-openapi/analysis v0.21.2/go.mod h1:HZwRk4RRisyG8vx2Oe6aqeSQcoxRp47Xkp3+K6q+LdY= github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0= github.com/go-openapi/errors v0.18.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0= github.com/go-openapi/errors v0.19.2/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94= 
@@ -837,16 +894,15 @@ github.com/go-openapi/errors v0.19.6/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpX github.com/go-openapi/errors v0.19.7/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= github.com/go-openapi/errors v0.19.8/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= github.com/go-openapi/errors v0.19.9/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= -github.com/go-openapi/errors v0.20.1 h1:j23mMDtRxMwIobkpId7sWh7Ddcx4ivaoqUbfXx5P+a8= github.com/go-openapi/errors v0.20.1/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= -github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= +github.com/go-openapi/errors v0.20.2 h1:dxy7PGTqEh94zj2E3h1cUmQQWiM1+aeCROfAr02EmK8= +github.com/go-openapi/errors v0.20.2/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= 
@@ -864,22 +920,22 @@ github.com/go-openapi/loads v0.19.6/go.mod h1:brCsvE6j8mnbmGBh103PT/QLHfbyDxA4hs github.com/go-openapi/loads v0.19.7/go.mod h1:brCsvE6j8mnbmGBh103PT/QLHfbyDxA4hsKvYBNEGVc= github.com/go-openapi/loads v0.20.0/go.mod h1:2LhKquiE513rN5xC6Aan6lYOSddlL8Mp20AW9kpviM4= github.com/go-openapi/loads v0.20.2/go.mod h1:hTVUotJ+UonAMMZsvakEgmWKgtulweO9vYP2bQYKA/o= -github.com/go-openapi/loads v0.21.0 h1:jYtUO4wwP7psAweisP/MDoOpdzsYEESdoPcsWjHDR68= github.com/go-openapi/loads v0.21.0/go.mod h1:rHYve9nZrQ4CJhyeIIFJINGCg1tQpx2yJrrNo8sf1ws= +github.com/go-openapi/loads v0.21.1 h1:Wb3nVZpdEzDTcly8S4HMkey6fjARRzb7iEaySimlDW0= +github.com/go-openapi/loads v0.21.1/go.mod h1:/DtAMXXneXFjbQMGEtbamCZb+4x7eGwkvZCvBmwUG+g= github.com/go-openapi/runtime v0.0.0-20180920151709-4f900dc2ade9/go.mod h1:6v9a6LTXWQCdL8k1AO3cvqx5OtZY/Y9wKTgaoP6YRfA= github.com/go-openapi/runtime v0.19.0/go.mod h1:OwNfisksmmaZse4+gpV3Ne9AyMOlP1lt4sK4FXt0O64= github.com/go-openapi/runtime v0.19.4/go.mod h1:X277bwSUBxVlCYR3r7xgZZGKVvBd/29gLDlFGtJ8NL4= github.com/go-openapi/runtime v0.19.15/go.mod h1:dhGWCTKRXlAfGnQG0ONViOZpjfg0m2gUt9nTQPQZuoo= github.com/go-openapi/runtime v0.19.16/go.mod h1:5P9104EJgYcizotuXhEuUrzVc+j1RiSjahULvYmlv98= github.com/go-openapi/runtime v0.19.24/go.mod h1:Lm9YGCeecBnUUkFTxPC4s1+lwrkJ0pthx8YvyjCfkgk= -github.com/go-openapi/runtime v0.21.0 h1:giZ8eT26R+/rx6RX2MkYjZPY8vPYVKDhP/mOazrQHzM= github.com/go-openapi/runtime v0.21.0/go.mod h1:aQg+kaIQEn+A2CRSY1TxbM8+sT9g2V3aLc1FbIAnbbs= -github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= +github.com/go-openapi/runtime v0.24.1 h1:Sml5cgQKGYQHF+M7yYSHaH1eOjvTykrddTE/KtQVjqo= +github.com/go-openapi/runtime v0.24.1/go.mod h1:AKurw9fNre+h3ELZfk6ILsfvPN+bvvlaU/M9q/r9hpk= github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI= github.com/go-openapi/spec v0.18.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI= 
github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY= github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= -github.com/go-openapi/spec v0.19.5/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk= github.com/go-openapi/spec v0.19.6/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk= github.com/go-openapi/spec v0.19.8/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk= github.com/go-openapi/spec v0.19.15/go.mod h1:+81FIL1JwC5P3/Iuuozq3pPE9dXdIEGxFutcFKaVbmU= @@ -899,9 +955,9 @@ github.com/go-openapi/strfmt v0.19.11/go.mod h1:UukAYgTaQfqJuAFlNxxMWNvMYiwiXtLs github.com/go-openapi/strfmt v0.20.0/go.mod h1:UukAYgTaQfqJuAFlNxxMWNvMYiwiXtLsF2VwmoFtbtc= github.com/go-openapi/strfmt v0.20.2/go.mod h1:43urheQI9dNtE5lTZQfuFJvjYJKPrxicATpEfZwHUNk= github.com/go-openapi/strfmt v0.21.0/go.mod h1:ZRQ409bWMj+SOgXofQAGTIo2Ebu72Gs+WaRADcS5iNg= -github.com/go-openapi/strfmt v0.21.1 h1:G6s2t5V5kGCHLVbSdZ/6lI8Wm4OzoPFkc3/cjAsKQrM= github.com/go-openapi/strfmt v0.21.1/go.mod h1:I/XVKeLc5+MM5oPNN7P6urMOpuLXEcNrCX/rPGuWb0k= -github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= +github.com/go-openapi/strfmt v0.21.2 h1:5NDNgadiX1Vhemth/TH4gCGopWSTdDjxl60H3B7f+os= +github.com/go-openapi/strfmt v0.21.2/go.mod h1:I/XVKeLc5+MM5oPNN7P6urMOpuLXEcNrCX/rPGuWb0k= github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= 
@@ -911,8 +967,9 @@ github.com/go-openapi/swag v0.19.9/go.mod h1:ao+8BpOPyKdpQz3AOJfbeEVpLmWAvlT1IfT github.com/go-openapi/swag v0.19.12/go.mod h1:eFdyEBkTdoAf/9RXBvj4cr1nH7GD8Kzo5HTt47gr72M= github.com/go-openapi/swag v0.19.13/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= -github.com/go-openapi/swag v0.19.15 h1:D2NRCBzS9/pEY3gP9Nl8aDqGUcPFrwG2p+CNFrLyrCM= github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-openapi/swag v0.21.1 h1:wm0rhTb5z7qpJRHBdPOMuY4QjVUMbF6/kwoYeRAOrKU= +github.com/go-openapi/swag v0.21.1/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4= github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA= github.com/go-openapi/validate v0.19.3/go.mod h1:90Vh6jjkTn+OT1Eefm0ZixWNFjhtOH7vS9k0lo6zwJo= 
@@ -920,9 +977,9 @@ github.com/go-openapi/validate v0.19.10/go.mod h1:RKEZTUWDkxKQxN2jDT7ZnZi2bhZlbN github.com/go-openapi/validate v0.19.12/go.mod h1:Rzou8hA/CBw8donlS6WNEUQupNvUZ0waH08tGe6kAQ4= github.com/go-openapi/validate v0.19.15/go.mod h1:tbn/fdOwYHgrhPBzidZfJC2MIVvs9GA7monOmWBbeCI= github.com/go-openapi/validate v0.20.1/go.mod h1:b60iJT+xNNLfaQJUqLI7946tYiFEOuE9E4k54HpKcJ0= -github.com/go-openapi/validate v0.20.3 h1:GZPPhhKSZrE8HjB4eEkoYAZmoWA4+tCemSgINH1/vKw= github.com/go-openapi/validate v0.20.3/go.mod h1:goDdqVGiigM3jChcrYJxD2joalke3ZXeftD16byIjA4= -github.com/go-piv/piv-go v1.9.0/go.mod h1:NZ2zmjVkfFaL/CF8cVQ/pXdXtuj110zEKGdJM6fJZZM= +github.com/go-openapi/validate v0.21.0 h1:+Wqk39yKOhfpLqNLEC0/eViCkzM5FVXVqrvt526+wcI= +github.com/go-openapi/validate v0.21.0/go.mod h1:rjnrwK57VJ7A8xqfpAOEKRH8yQSGUriMu5/zuPSQ1hg= github.com/go-playground/assert/v2 v2.0.1 h1:MsBgLAaY856+nPRTKrp3/OZK38U/wa0CcBYNjji3q3A= github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4= github.com/go-playground/locales v0.12.1/go.mod h1:IUMDtCfWo/w/mtMfIE/IG2K+Ey3ygWanZIBtBW0W2TM= 
@@ -934,23 +991,37 @@ github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+ github.com/go-playground/universal-translator v0.18.0 h1:82dyy6p4OuJq4/CByFNOn/jYrnRPArHwAcmLoJZxyho= github.com/go-playground/universal-translator v0.18.0/go.mod h1:UvRDBj+xPUEGrFYl+lu/H90nyDXpg0fqeB/AQUGNTVA= github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI= -github.com/go-playground/validator/v10 v10.9.0 h1:NgTtmN58D0m8+UuxtYmGztBJB7VnPgjj221I1QHci2A= -github.com/go-playground/validator/v10 v10.9.0/go.mod h1:74x4gJWsvQexRdW8Pn3dXSGrTK4nAUsbPlLADvpJkos= +github.com/go-playground/validator/v10 v10.4.1/go.mod h1:nlOn6nFhuKACm19sB/8EGNn9GlaMV7XkbRSipzJ0Ii4= +github.com/go-playground/validator/v10 v10.10.0 h1:I7mrTYv78z8k8VXa/qJlOlEXn/nBh+BF8dHX5nt/dr0= +github.com/go-playground/validator/v10 v10.10.0/go.mod h1:74x4gJWsvQexRdW8Pn3dXSGrTK4nAUsbPlLADvpJkos= +github.com/go-redis/redis v6.15.8+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= github.com/go-redis/redis v6.15.9+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= github.com/go-rod/rod v0.101.8/go.mod h1:N/zlT53CfSpq74nb6rOR0K8UF0SPUPBmzBnArrms+mY= +github.com/go-rod/rod v0.106.1 h1:+9YdoTT56KI3KrFfWVr3I13wh0qbhm/Aq+7JvCBA6AQ= github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE= github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= -github.com/go-stack/stack v1.8.0 h1:5SgMzNM5HxrEjV0ww2lTmX6E2Izsfxas4+YHWRs3Lsk= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-stack/stack v1.8.1 h1:ntEHSVwIt7PNXNpgPmVfMrNhLtgjlmnZha2kOpuRiDw= 
+github.com/go-stack/stack v1.8.1/go.mod h1:dcoOX6HbPZSZptuspn9bctJ+N/CnF5gGygcUP3XYfe4= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= -github.com/go-test/deep v1.0.2-0.20181118220953-042da051cf31/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= -github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8= github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM= github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= +github.com/go-toolsmith/astcast v1.0.0/go.mod h1:mt2OdQTeAQcY4DQgPSArJjHCcOwlX+Wl/kwN+LbLGQ4= +github.com/go-toolsmith/astcopy v1.0.0/go.mod h1:vrgyG+5Bxrnz4MZWPF+pI4R8h3qKRjjyvV/DSez4WVQ= +github.com/go-toolsmith/astequal v1.0.0/go.mod h1:H+xSiq0+LtiDC11+h1G32h7Of5O3CYFJ99GVbS5lDKY= +github.com/go-toolsmith/astequal v1.0.1/go.mod h1:4oGA3EZXTVItV/ipGiOx7NWkY5veFfcsOJVS2YxltLw= +github.com/go-toolsmith/astfmt v1.0.0/go.mod h1:cnWmsOAuq4jJY6Ct5YWlVLmcmLMn1JUPuQIHCY7CJDw= +github.com/go-toolsmith/astinfo v0.0.0-20180906194353-9809ff7efb21/go.mod h1:dDStQCHtmZpYOmjRP/8gHHnCCch3Zz3oEgCdZVdtweU= +github.com/go-toolsmith/astp v1.0.0/go.mod h1:RSyrtpVlfTFGDYRbrjyWP1pYu//tSFcvdYrA8meBmLI= +github.com/go-toolsmith/pkgload v1.0.0/go.mod h1:5eFArkbO80v7Z0kdngIxsRXRMTaX4Ilcwuh3clNrQJc= +github.com/go-toolsmith/strparse v1.0.0/go.mod h1:YI2nUKP9YGZnL/L1/DLFBfixrcjslWct4wyljWhSRy8= +github.com/go-toolsmith/typep v1.0.0/go.mod h1:JSQCQMUPdRlMZFswiq3TGpNp1GMktqkR2Ns5AIQkATU= +github.com/go-toolsmith/typep v1.0.2/go.mod h1:JSQCQMUPdRlMZFswiq3TGpNp1GMktqkR2Ns5AIQkATU= +github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM= github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0= github.com/gobuffalo/depgen 
v0.0.0-20190329151759-d478694a28d3/go.mod h1:3STtPUQYuzV0gBVOY3vy6CfMm/ljR4pABfrTeHNLHUY= github.com/gobuffalo/depgen v0.1.0/go.mod h1:+ifsuy7fhi15RWncXQQKjWS9JPkdah5sZvtHc2RXGlg= @@ -959,7 +1030,6 @@ github.com/gobuffalo/envy v1.7.0/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSC github.com/gobuffalo/flect v0.1.0/go.mod h1:d2ehjJqGOH/Kjqcoz+F7jHTBbmDb38yXA598Hb50EGs= github.com/gobuffalo/flect v0.1.1/go.mod h1:8JCgGVbRjJhVgD6399mQr4fx5rRfGKVzFjbj6RE/9UI= github.com/gobuffalo/flect v0.1.3/go.mod h1:8JCgGVbRjJhVgD6399mQr4fx5rRfGKVzFjbj6RE/9UI= -github.com/gobuffalo/flect v0.2.4/go.mod h1:1ZyCLIbg0YD7sDkzvFdPoOydPtD8y9JQnrOROolUcM8= github.com/gobuffalo/genny v0.0.0-20190329151137-27723ad26ef9/go.mod h1:rWs4Z12d1Zbf19rlsn0nurr75KqhYp52EAGGxTbBhNk= github.com/gobuffalo/genny v0.0.0-20190403191548-3ca520ef0d9e/go.mod h1:80lIj3kVJWwOrXWWMRzzdhW3DsrdjILVil/SFKBzF28= github.com/gobuffalo/genny v0.1.0/go.mod h1:XidbUqzak3lHdS//TPu2OgiFB+51Ur5f7CSnXZ/JDvo= @@ -987,6 +1057,7 @@ github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6 github.com/godbus/dbus v4.1.0+incompatible/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw= github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= github.com/gofrs/uuid v4.3.0+incompatible h1:CaSVZxm5B+7o45rtab4jC2G37WGYX1zQfuU2i6DSvnc= github.com/gofrs/uuid v4.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= 
@@ -1005,8 +1076,9 @@ github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfE github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.1.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU= github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= +github.com/golang-jwt/jwt/v4 v4.3.0 h1:kHL1vqdqWNfATmA0FNMdmZNMyZI1U6O31X4rlIPoBog= +github.com/golang-jwt/jwt/v4 v4.3.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A= @@ -1032,6 +1104,7 @@ github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71 github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc= github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs= +github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 
@@ -1056,19 +1129,23 @@ github.com/golang/snappy v0.0.2/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEW github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= -github.com/gonum/blas v0.0.0-20181208220705-f22b278b28ac/go.mod h1:P32wAyui1PQ58Oce/KYkOqQv8cVw1zAapXOl+dRFGbc= -github.com/gonum/diff v0.0.0-20181124234638-500114f11e71/go.mod h1:22dM4PLscQl+Nzf64qNBurVJvfyvZELT0iRW2l/NN70= -github.com/gonum/floats v0.0.0-20181209220543-c233463c7e82/go.mod h1:PxC8OnwL11+aosOB5+iEPoV3picfs8tUpkVd0pDo+Kg= -github.com/gonum/integrate v0.0.0-20181209220457-a422b5c0fdf2/go.mod h1:pDgmNM6seYpwvPos3q+zxlXMsbve6mOIPucUnUOrI7Y= -github.com/gonum/internal v0.0.0-20181124074243-f884aa714029/go.mod h1:Pu4dmpkhSyOzRwuXkOgAvijx4o+4YMUJJo9OvPYMkks= -github.com/gonum/lapack v0.0.0-20181123203213-e4cdc5a0bff9/go.mod h1:XA3DeT6rxh2EAE789SSiSJNqxPaC0aE9J8NTOI0Jo/A= -github.com/gonum/mathext v0.0.0-20181121095525-8a4bf007ea55/go.mod h1:fmo8aiSEWkJeiGXUJf+sPvuDgEFgqIoZSs843ePKrGg= -github.com/gonum/matrix v0.0.0-20181209220409-c518dec07be9/go.mod h1:0EXg4mc1CNP0HCqCz+K4ts155PXIlUywf0wqN+GfPZw= -github.com/gonum/stat v0.0.0-20181125101827-41a0da705a5b/go.mod h1:Z4GIJBJO3Wa4gD4vbwQxXXZ+WHmW6E9ixmNrwvs0iZs= +github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2/go.mod h1:k9Qvh+8juN+UKMCS/3jFtGICgW8O96FVaZsaxdzDkR4= +github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a/go.mod h1:ryS0uhF+x9jgbj/N71xsEqODy9BN81/GonCZiOzirOk= +github.com/golangci/go-misc v0.0.0-20180628070357-927a3d87b613/go.mod h1:SyvUF2NxV+sN8upjjeVYr5W7tyxaT1JVtvhKhOn2ii8= +github.com/golangci/gofmt v0.0.0-20190930125516-244bba706f1a/go.mod h1:9qCChq59u/eW8im404Q2WWTrnBUQKjpNYKMbU4M7EFU= +github.com/golangci/golangci-lint v1.43.0/go.mod h1:VIFlUqidx5ggxDfQagdvd9E67UjMXtTHBkBQ7sHoC5Q= +github.com/golangci/lint-1 
v0.0.0-20191013205115-297bf364a8e0/go.mod h1:66R6K6P6VWk9I95jvqGxkqJxVWGFy9XlDwLwVz1RCFg= +github.com/golangci/maligned v0.0.0-20180506175553-b1d89398deca/go.mod h1:tvlJhZqDe4LMs4ZHD0oMUlt9G2LWuDGoisJTBzLMV9o= +github.com/golangci/misspell v0.3.5/go.mod h1:dEbvlSfYbMQDtrpRMQU675gSDLDNa8sCPPChZ7PhiVA= +github.com/golangci/revgrep v0.0.0-20210930125155-c22e5001d4f2/go.mod h1:LK+zW4MpyytAWQRz0M4xnzEk50lSvqDQKfx304apFkY= +github.com/golangci/unconvert v0.0.0-20180507085042-28b1c447d1f4/go.mod h1:Izgrg8RkN3rCIMLGE9CyYmU9pY2Jer6DgANEnZ/L/cQ= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= +github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= +github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg= +github.com/google/certificate-transparency-go v1.1.1/go.mod h1:FDKqPvSXawb2ecErVRrD+nfy23RCzyl7eqVCEmlT1Zs= github.com/google/certificate-transparency-go v1.1.2-0.20210422104406-9f33727a7a18/go.mod h1:6CKh9dscIRoqc2kC6YUFICHZMT9NrClyPrRVFrdw1QQ= github.com/google/certificate-transparency-go v1.1.2-0.20210512142713-bed466244fa6/go.mod h1:aF2dp7Dh81mY8Y/zpzyXps4fQW5zQbDu2CxfpJB6NkI= github.com/google/certificate-transparency-go v1.1.2 h1:4hE0GEId6NAW28dFpC+LrRGwQX5dtmXQGDbg8+/MZOM= 
@@ -1094,17 +1171,12 @@ github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-containerregistry v0.5.1/go.mod h1:Ct15B4yir3PLOP5jsy0GNeYVaIZs/MK/Jz5any1wFW0= -github.com/google/go-containerregistry v0.5.2-0.20210609162550-f0ce2270b3b4/go.mod h1:R5WRYyTdQqTchlBhX4q+WICGh8HQIL5wDFoFZv7Jq6Q= -github.com/google/go-containerregistry v0.6.0/go.mod h1:euCCtNbZ6tKqi1E72vwDj2xZcN5ttKpZLfa/wSo5iLw= -github.com/google/go-containerregistry v0.7.1-0.20211118220127-abdc633f8305 h1:4upgCb+N0/tewaAT+rPGk8zuKCG1hOoICHvFMxy1CMQ= github.com/google/go-containerregistry v0.7.1-0.20211118220127-abdc633f8305/go.mod h1:6cMIl1RfryEiPzBE67OgtZdEiLWz4myqCQIiBMy3CsM= -github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20211203164431-c75901cce627 h1:vflk3WrGf1M0n1mG2AqAoVaKlLYFR6PrzTGQAUcklCM= -github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20211203164431-c75901cce627/go.mod h1:j3IqhBG3Ox1NXmmhbWU4UmiHVAf2dUgB7le1Ch7JZQ0= -github.com/google/go-github/v27 v27.0.6/go.mod h1:/0Gr8pJ55COkmv+S/yPKCczSkUPIM/LnFyubufRNIS0= +github.com/google/go-containerregistry v0.8.1-0.20220209165246-a44adc326839 h1:7PunQZxMao2q43If8gKj1JFRzapmhgny9NWwXY4PGa4= +github.com/google/go-containerregistry v0.8.1-0.20220209165246-a44adc326839/go.mod h1:cwx3SjrH84Rh9VFJSIhPh43ovyOp3DCWgY3h8nWmdGQ= github.com/google/go-github/v28 v28.1.1/go.mod h1:bsqJWQX05omyWVmc00nEUql9mhQyv38lDZ8kPZcQVoM= -github.com/google/go-github/v39 v39.2.0 h1:rNNM311XtPOz5rDdsJXAp2o8F67X9FnROXTvto3aSnQ= -github.com/google/go-github/v39 v39.2.0/go.mod h1:C1s8C5aCC9L+JXIYpJM5GYytdX52vC1bLvHEF1IhBrE= +github.com/google/go-github/v42 v42.0.0 h1:YNT0FwjPrEysRkLIiKuEfSvBPCGKphW5aS5PxwaoLec= +github.com/google/go-github/v42 
v42.0.0/go.mod h1:jgg/jvyI0YlDOM1/ps6XYh04HNQ3vKf0CVko62/EhRg= github.com/google/go-licenses v0.0.0-20210329231322-ce1d9163b77d/go.mod h1:+TYOmkVoJOpwnS0wfdsJCV9CoD5nJYsHoFk/0CrTK4M= github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= @@ -1127,7 +1199,6 @@ github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/licenseclassifier v0.0.0-20210325184830-bb04aff29e72/go.mod h1:qsqn2hxC+vURpyBRygGUuinTO42MFRLcsmQ/P8v94+M= -github.com/google/mako v0.0.0-20190821191249-122f8dcef9e3/go.mod h1:YzLcVlL+NqWnmUEPuhS1LxDDwGO9WNbVlEXaF4IH35g= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian v2.1.1-0.20190517191504-25dcb96d9e51+incompatible h1:xmapqc1AyLoB+ddYT6r04bD9lIjlOqGaREovi0SzFaE= github.com/google/martian v2.1.1-0.20190517191504-25dcb96d9e51+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= 
@@ -1141,6 +1212,7 @@ github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200507031123-427632fa3b1c/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= 
@@ -1151,16 +1223,17 @@ github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20210506205249-923b5ab0fc1a/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210715191844-86eeefc3e471/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/rpmpack v0.0.0-20191226140753-aa36bfddb3a0/go.mod h1:RaTPr0KUf2K7fnZYLNDrr8rxAamWs3iNywJLtQ2AzBg= github.com/google/rpmpack v0.0.0-20210518075352-dc539ef4f2ea/go.mod h1:+y9lKiqDhR4zkLl+V9h4q0rdyrYVsWWm6LLCQP33DIk= github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk= +github.com/google/trillian v1.3.11/go.mod h1:0tPraVHrSDkA3BO6vKX67zgLXs6SsOAbHEivX+9mPgw= github.com/google/trillian v1.3.14-0.20210409160123-c5ea3abd4a41/go.mod h1:1dPv0CUjNQVFEDuAUFhZql16pw/VlPgaX8qj+g5pVzQ= github.com/google/trillian v1.3.14-0.20210511103300-67b5f349eefa/go.mod h1:s4jO3Ai4NSvxucdvqUHON0bCqJyoya32eNw6XJwsmNc= -github.com/google/trillian v1.4.0 h1:Wa7XHCVzl8RLsUOr2SzoHUZHYjv0G8KMO1xZGamYkbA= github.com/google/trillian v1.4.0/go.mod h1:1Bja2nEgMDlEJWWRXBUemSPG9qYw84ZYX2gHRVHlR+g= +github.com/google/trillian v1.4.1 h1:r/LV2L6uq6ijSSQNSyxnLXFU/JY7DaT6AILx1sOx2+8= +github.com/google/trillian v1.4.1/go.mod h1:43IVCsGXxP5mZK9yFkTQdQrMQm/wryNBV2GNEdqzVz8= github.com/google/uuid v0.0.0-20161128191214-064e2069ce9c/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.1/go.mod 
h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= @@ -1189,11 +1262,14 @@ github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3i github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU= github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA= github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= -github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= +github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= +github.com/gookit/color v1.4.2/go.mod h1:fqRyamkC1W8uxl+lxCQxOT09l/vYfZ+QeiX3rKQHCoQ= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gordonklaus/ineffassign v0.0.0-20200309095847-7953dde2c7bf/go.mod h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU= +github.com/gordonklaus/ineffassign v0.0.0-20210225214923-2e10b2664254/go.mod h1:M9mZEtGIsR1oDaZagNPNG9iq9n2HrhZ17dsXk73V3Lw= github.com/goreleaser/goreleaser v0.134.0/go.mod h1:ZT6Y2rSYa6NxQzIsdfWWNWAlYGXGbreo66NmE+3X3WQ= github.com/goreleaser/nfpm v1.2.1/go.mod h1:TtWrABZozuLOttX2uDlYyECfQX7x5XYkVxhjYcR6G9w= +github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75/go.mod h1:g2644b03hfBX9Ov0ZBDgXXens4rxSxmqFBbhvKv2yVA= github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= github.com/gorilla/handlers v0.0.0-20150720190736-60c7bfde3e33/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ= github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4= 
@@ -1201,31 +1277,48 @@ github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= -github.com/gorilla/mux v1.7.4/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= -github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= -github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM= github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/gostaticanalysis/analysisutil v0.0.0-20190318220348-4088753ea4d3/go.mod h1:eEOZF4jCKGi+aprrirO9e7WKB3beBRtWgqGunKl6pKE= +github.com/gostaticanalysis/analysisutil v0.0.3/go.mod h1:eEOZF4jCKGi+aprrirO9e7WKB3beBRtWgqGunKl6pKE= +github.com/gostaticanalysis/analysisutil v0.1.0/go.mod h1:dMhHRU9KTiDcuLGdy87/2gTR8WruwYZrKdRq9m1O6uw= +github.com/gostaticanalysis/analysisutil v0.4.1/go.mod h1:18U/DLpRgIUd459wGxVHE0fRgmo1UgHDcbw7F5idXu0= +github.com/gostaticanalysis/analysisutil v0.7.1/go.mod h1:v21E3hY37WKMGSnbsw2S/ojApNWb6C1//mXO48CXbVc= +github.com/gostaticanalysis/comment v1.3.0/go.mod h1:xMicKDx7XRXYdVwY9f9wQpDJVnqWxw9wCauCMKp+IBI= +github.com/gostaticanalysis/comment v1.4.1/go.mod h1:ih6ZxzTHLdadaiSnF5WY3dxUoXfXAlTaRzuaNDlSado= +github.com/gostaticanalysis/comment v1.4.2/go.mod 
h1:KLUTGDv6HOCotCH8h2erHKmpci2ZoR8VPu34YA2uzdM= +github.com/gostaticanalysis/forcetypeassert v0.0.0-20200621232751-01d4955beaa5/go.mod h1:qZEedyP/sY1lTGV1uJ3VhWZ2mqag3IkWsDHVbplHXak= +github.com/gostaticanalysis/nilerr v0.1.1/go.mod h1:wZYb6YI5YAxxq0i1+VJbY0s2YONW0HU0GPE3+5PWN4A= +github.com/gostaticanalysis/testutil v0.3.1-0.20210208050101-bfb5c8eec0e4/go.mod h1:D+FIZ+7OahH3ePw/izIEeH5I06eKs1IKI4Xr64/Am3M= +github.com/gostaticanalysis/testutil v0.4.0/go.mod h1:bLIoPefWXrRi/ssLFWX1dx7Repi5x3CuviD3dgAZaBU= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.2.2/go.mod h1:EaizFBKfUKtMIF5iaDEhniwNedqGo9FuLFzppDr3uwI= +github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 h1:+9834+KizmvFV7pXQGSXQTsaWhq2GjuNUt0aUU0YBYw= github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.8.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.9.2/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/grpc-ecosystem/grpc-gateway v1.12.1/go.mod 
h1:8XEsbTttt/W+VvjtQhLACqCisSPWTxCZ7sBRjU6iH9c= github.com/grpc-ecosystem/grpc-gateway v1.14.6/go.mod h1:zdiPV4Yse/1gnckTHtghG4GkDEdKCRJduHpTxT3/jcw= +github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/hanwen/go-fuse v1.0.0/go.mod h1:unqXarDXqzAk0rt98O2tVndEPIpUgLD9+rwFisZH3Ok= github.com/hanwen/go-fuse/v2 v2.1.0/go.mod h1:oRyA5eK+pvJyv5otpO/DgccS8y/RvYMaO00GgRLGryc= github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE= github.com/hashicorp/consul/api v1.10.1/go.mod h1:XjsvQN+RJGWI2TWy1/kqaE16HrR2J/FWgkYjdZQsX9M= +github.com/hashicorp/consul/api v1.11.0/go.mod h1:XjsvQN+RJGWI2TWy1/kqaE16HrR2J/FWgkYjdZQsX9M= +github.com/hashicorp/consul/api v1.12.0/go.mod h1:6pVBMo0ebnYdt2S3H87XhekM/HHrUoTD2XXb/VrZVy0= github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= github.com/hashicorp/consul/sdk v0.3.0/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms= 
@@ -1237,18 +1330,15 @@ github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtng github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= -github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd/go.mod h1:9bjs9uLqI8l75knNv3lV1kA55veR+WUPSiKIWcQHudI= github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v0.15.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= -github.com/hashicorp/go-hclog v0.16.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v1.0.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v1.3.1 h1:vDwF1DFNZhntP4DAjuTpOw3uEgMUpXh1pB5fW9DqHpo= github.com/hashicorp/go-hclog v1.3.1/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= -github.com/hashicorp/go-immutable-radix v1.1.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g= 
@@ -1258,25 +1348,23 @@ github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHh github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= -github.com/hashicorp/go-plugin v1.0.1/go.mod h1:++UyYGoz3o5w9ZzAdZxtQKrWWP+iqPBn3cQptSMzBuY= github.com/hashicorp/go-plugin v1.4.0/go.mod h1:5fGEH17QVwTTcR0zV7yhDPLLmFX9YSZ38b18Udy6vYQ= github.com/hashicorp/go-plugin v1.4.3/go.mod h1:5fGEH17QVwTTcR0zV7yhDPLLmFX9YSZ38b18Udy6vYQ= github.com/hashicorp/go-plugin v1.4.5 h1:oTE/oQR4eghggRg8VY7PAz3dr++VwDNBGCcOfIvHpBo= github.com/hashicorp/go-plugin v1.4.5/go.mod h1:viDMjcLJuDui6pXb8U4HVfb8AamCWhHGUjr2IrTF67s= github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= -github.com/hashicorp/go-retryablehttp v0.6.2/go.mod h1:gEx6HMUGxYYhJScX7W1Il64m6cc2C1mDaW3NQ9sY1FY= github.com/hashicorp/go-retryablehttp v0.6.4/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= -github.com/hashicorp/go-retryablehttp v0.6.8/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= -github.com/hashicorp/go-retryablehttp v0.7.0 h1:eu1EI/mbirUgP5C8hVsTNaGZreBDlYiwC1FZWkvQPQ4= github.com/hashicorp/go-retryablehttp v0.7.0/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= +github.com/hashicorp/go-retryablehttp v0.7.1 h1:sUiuQAnLlbvmExtFQs72iFW/HXeUn8Z1aJLQ4LJJbTQ= +github.com/hashicorp/go-retryablehttp v0.7.1/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= -github.com/hashicorp/go-rootcerts v1.0.1/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= github.com/hashicorp/go-rootcerts v1.0.2 
h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= github.com/hashicorp/go-secure-stdlib/base62 v0.1.1/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw= -github.com/hashicorp/go-secure-stdlib/mlock v0.1.1 h1:cCRo8gK7oq6A2L6LICkUZ+/a5rLiRXFMf1Qd4xSwxTc= github.com/hashicorp/go-secure-stdlib/mlock v0.1.1/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I= +github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 h1:p4AKXPPS24tO8Wc8i1gLvSKdmkiSY5xuju57czJ/IJQ= +github.com/hashicorp/go-secure-stdlib/mlock v0.1.2/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.2/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 h1:om4Al8Oy7kCm/B86rLCLah4Dt5Aa0Fr5rYBG60OzwHQ= 
@@ -1292,16 +1380,17 @@ github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjG github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= -github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE= github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= -github.com/hashicorp/go-version v1.1.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= +github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= -github.com/hashicorp/go-version v1.3.0 h1:McDWVJIU/y+u1BRV06dPaLfLCaT7fUTJLp5r04x7iNw= +github.com/hashicorp/go-version v1.2.1/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/go-version v1.3.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go-version v1.5.0 h1:O293SZ2Eg+AAYijkVK3jR786Am1bhDEh2GHT0tIVE5E= +github.com/hashicorp/go-version v1.5.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/hcl v1.0.0/go.mod 
h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= 
@@ -1310,23 +1399,25 @@ github.com/hashicorp/hcl v1.0.1-0.20190430135223-99e2f22d1c94/go.mod h1:E5yfLk+7 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= github.com/hashicorp/mdns v1.0.1/go.mod h1:4gW7WsVCke5TE7EPeYliwHlRUyBtfCwuFwuMg2DmyNY= +github.com/hashicorp/mdns v1.0.4/go.mod h1:mtBihi+LeNXGtG8L9dX59gAEa12BDtBQSp4v/YAJqrc= github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= github.com/hashicorp/memberlist v0.2.2/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= +github.com/hashicorp/memberlist v0.3.0/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk= -github.com/hashicorp/vault/api v1.0.5-0.20200519221902-385fac77e20f/go.mod h1:euTFbi2YJgwcju3imEt919lhJKF68nN1cQPq3aA+kBE= -github.com/hashicorp/vault/api v1.1.1/go.mod h1:29UXcn/1cLOPHQNMWA7bCz2By4PSd0VKPAydKXS5yN0= +github.com/hashicorp/serf v0.9.6/go.mod h1:TXZNMjZQijwlDvp+r0b63xZ45H7JmCmgg4gpTwn9UV4= github.com/hashicorp/vault/api v1.3.0/go.mod h1:EabNQLI0VWbWoGlA+oBLC8PXmR9D60aUVgQGvangFWQ= +github.com/hashicorp/vault/api v1.3.1/go.mod h1:QeJoWxMFt+MsuWcYhmwRLwKEXrjwAFFywzhptMsTIUw= github.com/hashicorp/vault/api v1.8.1 h1:bMieWIe6dAlqAAPReZO/8zYtXaWUg/21umwqGZpEjCI= github.com/hashicorp/vault/api v1.8.1/go.mod h1:uJrw6D3y9Rv7hhmS17JQC50jbPDAZdjZoTtrCCxxs7E= -github.com/hashicorp/vault/sdk v0.1.14-0.20200519221530-14615acda45f/go.mod h1:WX57W2PwkrOPQ6rVQk+dy5/htHIaB4aBM70EwKThu10= -github.com/hashicorp/vault/sdk v0.2.1/go.mod h1:WfUiO1vYzfBkz1TmoE4ZGU7HD0T0Cl/rZwaxjBkgN4U= github.com/hashicorp/vault/sdk v0.3.0/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0= github.com/hashicorp/vault/sdk v0.6.0 h1:6Z+In5DXHiUfZvIZdMx7e2loL1PPyDjA4bVh9ZTIAhs= 
github.com/hashicorp/vault/sdk v0.6.0/go.mod h1:+DRpzoXIdMvKc88R4qxr+edwy/RvH5QK8itmxLiDHLc= github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 h1:xixZ2bWeofWV68J+x6AzmKuVM/JWCQwkWm6GW/MUR6I= github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ= +github.com/honeycombio/beeline-go v1.1.1 h1:sU8r4ae34uEL3/CguSl8Mr+Asz9DL1nfH9Wwk85Pc7U= +github.com/honeycombio/libhoney-go v1.15.2 h1:5NGcjOxZZma13dmzNcl3OtGbF1hECA0XHJNHEb2t2ck= github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/huandu/xstrings v1.0.0/go.mod h1:4qWG/gcEcfX4z/mBDHJ++3ReCw9ibxbsNJbcucJdbSo= 
@@ -1349,14 +1440,11 @@ github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= github.com/imkira/go-observer v1.0.3 h1:l45TYAEeAB4L2xF6PR2gRLn2NE5tYhudh33MLmC7B80= github.com/imkira/go-observer v1.0.3/go.mod h1:zLzElv2cGTHufQG17IEILJMPDg32TD85fFgKyFv00wU= -github.com/in-toto/in-toto-golang v0.2.1-0.20210627200632-886210ae2ab9/go.mod h1:Skbg04kmfB7IAnEIsspKPg/ny1eiFt/TgPr9SDCHusA= -github.com/in-toto/in-toto-golang v0.3.3/go.mod h1:dbXecHGZSqRubmm5TXtvDSZT5JyaKD7ebVTiC2aMLWY= -github.com/in-toto/in-toto-golang v0.4.0-prerelease h1:70ri0AeRoMUD/bHbetiHURPuOVa2C2L1bu8T6wY5HB4= -github.com/in-toto/in-toto-golang v0.4.0-prerelease/go.mod h1:GviRIbq8Azwe0KsyGanAlpafHZ+qVbekc9SuI3yVp4E= +github.com/in-toto/in-toto-golang v0.3.4-0.20211211042327-af1f9fb822bf h1:FU8tuL4IWx/Hq55AO4+13AZn3Kd6uk3Z44OCIZ9coTw= +github.com/in-toto/in-toto-golang v0.3.4-0.20211211042327-af1f9fb822bf/go.mod h1:twl9XmClqj6/h/HANQQYaJZVKPPW/Mz53bd2t6UXGQA= github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo= -github.com/influxdata/tdigest v0.0.0-20180711151920-a7d76c6f093a/go.mod h1:9GkyshztGufsdPQWjH+ifgnIr3xNUL5syI70g2dzU1o= github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA= github.com/jackc/chunkreader v1.0.0/go.mod h1:RT6O25fNZIuasFJRyZ4R/Y2BbhasbmZXF9QQ7T3kePo= github.com/jackc/chunkreader/v2 v2.0.0/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk= 
@@ -1398,40 +1486,47 @@ github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dv github.com/jackc/puddle v1.2.1/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= github.com/jarcoal/httpmock v1.0.5/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT8nX0Txik= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= -github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs= -github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM= -github.com/jcmturner/gofork v1.0.0/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/UM3ncEo0o= -github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg= -github.com/jcmturner/gokrb5/v8 v8.4.2/go.mod h1:sb+Xq/fTY5yktf/VxLsE3wlfPqQjp0aWNYyvBVK62bc= -github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431 h1:zqyV5j9xEuPQw2ma4RzzS9O74UwTq3vcMmpoHyL6xlI= github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431/go.mod h1:3VIJLjlf5Iako82IX/5KOoCzDmogK5mO+bl+DRItnR8= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= +github.com/jgautheron/goconst v1.5.1/go.mod h1:aAosetZ5zaeC/2EfMeRswtxUFBpe2Hr7HzkgX4fanO4= +github.com/jhump/gopoet v0.0.0-20190322174617-17282ff210b3/go.mod h1:me9yfT6IJSlOL3FCfrg+L6yzUEZ+5jW6WHt4Sk+UPUI= +github.com/jhump/gopoet v0.1.0/go.mod h1:me9yfT6IJSlOL3FCfrg+L6yzUEZ+5jW6WHt4Sk+UPUI= +github.com/jhump/goprotoc v0.5.0/go.mod h1:VrbvcYrQOrTi3i0Vf+m+oqQWk9l72mjkJCYo7UvLHRQ= github.com/jhump/protoreflect v1.6.0/go.mod h1:eaTn3RZAmMBcV0fifFvlm6VHNz3wSkYyXYWUh7ymB74= github.com/jhump/protoreflect v1.6.1/go.mod h1:RZQ/lnuN+zqeRVpQigTwO6o0AJUkxbnSnpuG7toUTG4= github.com/jhump/protoreflect v1.8.2/go.mod h1:7GcYQDdMU/O/BBrl/cX6PNHpXh6cenjd8pneu5yW7Tg= -github.com/jhump/protoreflect v1.9.0 
h1:npqHz788dryJiR/l6K/RUQAyh2SwV91+d1dnh4RjO9w= github.com/jhump/protoreflect v1.9.0/go.mod h1:7GcYQDdMU/O/BBrl/cX6PNHpXh6cenjd8pneu5yW7Tg= +github.com/jhump/protoreflect v1.10.3/go.mod h1:7GcYQDdMU/O/BBrl/cX6PNHpXh6cenjd8pneu5yW7Tg= +github.com/jhump/protoreflect v1.11.0/go.mod h1:U7aMIjN0NWq9swDP7xDdoMfRHb35uiuTd3Z9nFXJf5E= +github.com/jhump/protoreflect v1.12.0 h1:1NQ4FpWMgn3by/n1X0fbeKEUxP1wBt7+Oitpv01HR10= +github.com/jhump/protoreflect v1.12.0/go.mod h1:JytZfP5d0r8pVNLZvai7U/MCuTWITgrI4tTg7puQFKI= +github.com/jingyugao/rowserrcheck v1.1.1/go.mod h1:4yvlZSDb3IyDTUZJUmpZfm2Hwok+Dtp+nu2qOq+er9c= github.com/jinzhu/gorm v1.9.16 h1:+IyIjPEABKRpsu/F8OvDPy9fyQlgsg2luMV2ZIH5i5o= github.com/jinzhu/gorm v1.9.16/go.mod h1:G3LB3wezTOWM2ITLzPxEXgSkOXAntiLHS7UdBefADcs= github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E= github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc= github.com/jinzhu/now v1.0.1 h1:HjfetcXq097iXP0uoPCdnM4Efp5/9MsM0/M+XOTeR3M= github.com/jinzhu/now v1.0.1/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8= +github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af/go.mod h1:HEWGJkRDzjJY2sqdDwxccsGicWEf9BQOZsq2tV+xzM0= github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= github.com/jmespath/go-jmespath v0.0.0-20160803190731-bd40a432e4c7/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= -github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= 
github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= -github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8= +github.com/jmhodges/clock v0.0.0-20160418191101-880ee4c33548 h1:dYTbLf4m0a5u0KLmPfB6mgxbcV7588bOCx79hxa5Sr4= +github.com/jmoiron/sqlx v1.2.0/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks= github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/jonboulle/clockwork v0.2.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= +github.com/jonboulle/clockwork v0.3.0 h1:9BSCMi8C+0qdApAp4auwX0RkLGUjs956h0EkuQymUhg= +github.com/jonboulle/clockwork v0.3.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/josharian/txtarfs v0.0.0-20210218200122-0702f000015a/go.mod h1:izVPOvVRsHiKkeGCT6tYBNWyDVuzj9wAaBb5R9qamfw= github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= 
@@ -1448,23 +1543,26 @@ github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfV github.com/juju/ratelimit v1.0.1/go.mod h1:qapgC/Gy+xNh9UxzV13HGGl/6UXNN+ct+vwSgWNm/qk= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= +github.com/julz/importas v0.0.0-20210419104244-841f0c0fe66d/go.mod h1:oSFU2R4XK/P7kNBrnL/FEQlDGN1/6WoxXEjSSXO0DV0= +github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k= github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4= github.com/karrick/godirwalk v1.10.3/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA= -github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg= github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/errcheck v1.6.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.9.5/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/compress v1.11.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/compress v1.11.13/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= -github.com/klauspost/compress v1.13.0/go.mod 
h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= +github.com/klauspost/compress v1.13.4/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= github.com/klauspost/compress v1.13.5/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= -github.com/klauspost/compress v1.13.6 h1:P76CopJELS0TiO2mebmnzgWaajssP/EszplttgQxcgc= github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= +github.com/klauspost/compress v1.14.2 h1:S0OHlFk/Gbon/yauFJ4FfJJF5V0fc5HbBTJazi28pRw= +github.com/klauspost/compress v1.14.2/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 
@@ -1481,33 +1579,47 @@ github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kulti/thelper v0.4.0/go.mod h1:vMu2Cizjy/grP+jmsvOFDx1kYP6+PD1lqg4Yu5exl2U= +github.com/kunwardeep/paralleltest v1.0.3/go.mod h1:vLydzomDFpk7yu5UX02RmP0H8QfRPOV/oFhWN85Mjb4= github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/kyoh86/exportloopref v0.1.8/go.mod h1:1tUcJeiioIs7VWe5gcOObrux3lb66+sBqGZrRkMwPgg= +github.com/ldez/gomoddirectives v0.2.2/go.mod h1:cpgBogWITnCfRq2qGoDkKMEVSaarhdBr6g8G04uz6d0= +github.com/ldez/tagliatelle v0.2.0/go.mod h1:8s6WJQwEYHbKZDsp/LjArytKOG8qaMrKQQ3mFukHs88= github.com/leodido/go-urn v1.1.0/go.mod h1:+cyI34gQWZcE1eQU7NVgKkkzdXDQHr1dBMtdAPozLkw= github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII= github.com/leodido/go-urn v1.2.1 h1:BqpAaACuzVSgi/VLzGZIobT2z4v53pjosyNd9Yv6n/w= github.com/leodido/go-urn v1.2.1/go.mod h1:zt4jvISO2HfUBqxjfIshjdMTYS56ZS/qv49ictyFfxY= +github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e h1:1aV3EJ4ZMsc63MFU4rB+ccSEhZvvVD71T9RA4Rqd3hI= +github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e/go.mod h1:Bl3mfF2LHYepsU2XfzMceIglyByfPe1IFAXtO+p37Qk= github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJiIbETBPTl9ATXQag= github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.1.1/go.mod 
h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/lib/pq v1.9.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/lib/pq v1.10.3/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/lib/pq v1.10.4/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw= github.com/lib/pq v1.10.7/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM= github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4= +github.com/linkedin/goavro v2.1.0+incompatible/go.mod h1:bBCwI2eGYpUI/4820s67MElg9tdeLbINjLjiM2xZFYM= +github.com/logrusorgru/aurora v0.0.0-20181002194514-a7b3b318ed4e/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4= github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4= github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w= +github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA= github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= -github.com/magiconair/properties v1.8.5 h1:b6kJs+EmPFMYGkow9GiUyCyOvIwYetYJ3fSaWak/Gls= +github.com/magiconair/properties 
v1.8.4/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= -github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/magiconair/properties v1.8.6 h1:5ibWZ6iY0NctNGWo87LalDlEZ6R41TqbbDamhfG/Qzo= +github.com/magiconair/properties v1.8.6/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= 
@@ -1517,15 +1629,18 @@ github.com/mailru/easyjson v0.7.1/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7 github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/manifoldco/promptui v0.9.0/go.mod h1:ka04sppxSGFAtxX0qhlYQjISsg9mR4GWtQEhdbn6Pgg= +github.com/maratori/testpackage v1.0.1/go.mod h1:ddKdw+XG0Phzhx8BFDTKgpWP4i7MpApTE5fXSKAqwDU= github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE= github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= github.com/marstr/guid v1.1.0/go.mod h1:74gB1z2wpxxInTG6yaqA7KrtM0NZ+RbrcqDvYHefzho= +github.com/matoous/godox v0.0.0-20210227103229-6504466cf951/go.mod h1:1BELzlh859Sh1c6+90blK8lbYy0kwQf1bYlBhBysy1s= +github.com/matryer/is v1.4.0/go.mod h1:8I/i5uYgLzgsgEloJE1U6xx5HkBQpAZvepWuujKwMRU= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ= github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= +github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.11/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40= 
@@ -1544,27 +1659,35 @@ github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Ky github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y= github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/mattn/go-runewidth v0.0.7/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= +github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU= github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= github.com/mattn/go-shellwords v1.0.3/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o= github.com/mattn/go-shellwords v1.0.10/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= +github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= github.com/mattn/go-sqlite3 v1.14.0/go.mod h1:JIl7NbARA7phWnGvh0LKTyg7S9BA+6gx71ShQilpsus= github.com/mattn/go-sqlite3 v1.14.15 h1:vfoHhTN1af61xCRSWzFIWzx2YskyMTwHLrExkBOjvxI= github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= +github.com/mattn/goveralls v0.0.2/go.mod h1:8d1ZMHsd7fW6IRPKQh46F2WRpyib5/X4FOpevwGNQEw= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod 
h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= -github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= +github.com/mbilski/exhaustivestruct v1.2.0/go.mod h1:OeTBVxQWoEmB2J2JCHmXWPJ0aksxSUOUy+nvtVEfzXc= github.com/mediocregopher/radix/v4 v4.0.0/go.mod h1:ajchozX/6ELmydxWeWM6xCFHVpZ4+67LXHOTOVR0nCE= +github.com/mgechev/dots v0.0.0-20210922191527-e955255bf517/go.mod h1:KQ7+USdGKfpPjXk4Ga+5XxQM4Lm4e3gAogrreFAYpOg= +github.com/mgechev/revive v1.1.2/go.mod h1:bnXsMr+ZTH09V5rssEI+jHAZ4z+ZdyhgO/zsy3EhK+0= github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= -github.com/miekg/dns v1.1.17/go.mod h1:WgzbA6oji13JREwiNsRDNfl7jYdPnmz+VEuLrA+/48M= github.com/miekg/dns v1.1.25/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= -github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg= +github.com/miekg/dns v1.1.35/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= +github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI= github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4= +github.com/miekg/dns v1.1.45 h1:g5fRIhm9nx7g8osrAvgb16QJfmyMsyOCb+J7LSv+Qzk= github.com/miekg/pkcs11 v1.0.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= 
@@ -1581,6 +1704,7 @@ github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HK github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg= github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU= 
@@ -1623,9 +1747,11 @@ github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3P github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8= github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc= github.com/montanaflynn/stats v0.6.6/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow= +github.com/moricho/tparallel v0.2.1/go.mod h1:fXEIZxG2vdfl0ZF8b42f5a78EhjjD5mX8qUplsoSU4k= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= -github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de/go.mod h1:kJun4WP5gFuHZgRjZUWWuH1DTxCtxbHDOIJsudS8jzY= +github.com/mozilla/scribe v0.0.0-20180711195314-fb71baf557c1/go.mod h1:FIczTrinKo8VaLxe6PWTPEXRXDIHz2QAwiaBaP5/4a8= +github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5/go.mod h1:FUqVoUPHSEdDR0MnFM3Dh8AU0pZHLXUD127SAJGER/s= github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= 
@@ -1635,6 +1761,7 @@ github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRW github.com/mwitkow/go-proto-validators v0.0.0-20180403085117-0950a7990007/go.mod h1:m2XC9Qq0AlmmVksL6FktJCdTYyLk7V3fKyp0sl1yWQo= github.com/mwitkow/go-proto-validators v0.2.0/go.mod h1:ZfA1hW+UH/2ZHOWvQ3HnQaU0DtnpXu850MZiy+YUgcc= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/nakabonne/nestif v0.3.1/go.mod h1:9EtoZochLn5iUprVDmDjqGKPofoUEBL8U4Ngq6aY7OE= github.com/nats-io/jwt v0.3.0/go.mod h1:fRYCDE99xlTsqUzISS1Bi75UBJ6ljOJQOAAu5VglpSg= github.com/nats-io/jwt v0.3.2/go.mod h1:/euKqTS1ZD+zzjYrY7pseZrTtWQSjujC7xjPc8wL6eU= github.com/nats-io/nats-server/v2 v2.1.2/go.mod h1:Afk+wRZqkMQs/p45uXdrVLuab3gwv3Z8C4HTBu8GD/k= 
@@ -1642,9 +1769,14 @@ github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzE github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c= +github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354/go.mod h1:KSVJerMDfblTH7p5MZaTt+8zaT2iEk3AkVb9PQdZuE8= github.com/ncw/swift v1.0.47/go.mod h1:23YIA4yWVnGwv2dQlN4bB7egfYX6YLn0Yo/S6zZO/ZM= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= +github.com/nightlyone/lockfile v1.0.0/go.mod h1:rywoIealpdNse2r832aiD9jRk8ErCatROs6LzC841CI= +github.com/nishanths/exhaustive v0.2.3/go.mod h1:bhIX678Nx8inLM9PbpvK1yv6oGtoP8BfaIeMzgBNKvc= +github.com/nishanths/predeclared v0.0.0-20190419143655-18a43bb90ffc/go.mod h1:62PewwiQTlm/7Rj+cxVYqZvDIUc+JjZq6GHAC1fsObQ= github.com/nishanths/predeclared v0.0.0-20200524104333-86fad755b4d3/go.mod h1:nt3d53pc1VYcphSCIaYAJtnPYnr3Zyn8fMq2wvPGPso= +github.com/nishanths/predeclared v0.2.1/go.mod h1:HvkGJcA3naj4lOwnFXFDkFxVtSqQMB9sbB1usJ+xjQE= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= 
@@ -1655,22 +1787,22 @@ github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DV github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= +github.com/olekukonko/tablewriter v0.0.1/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= +github.com/olekukonko/tablewriter v0.0.2/go.mod h1:rSAaSIOAGT9odnlyGlUfAJaoc5w2fSBUmeGDbRWPxyQ= github.com/olekukonko/tablewriter v0.0.4/go.mod h1:zq6QwlOf5SlnkVbMSr5EoBv3636FWnp+qbPhuoO21uA= +github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec= github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= github.com/onsi/ginkgo v0.0.0-20151202141238-7f8ab55aaf3b/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0HfGg= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= github.com/onsi/ginkgo v1.16.5 
h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= -github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= github.com/onsi/ginkgo/v2 v2.0.0/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= github.com/onsi/ginkgo/v2 v2.1.6 h1:Fx2POJZfKRQcM1pH49qSZiYeu319wji004qX+GDovrU= github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= @@ -1679,7 +1811,6 @@ github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1Cpa github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= -github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc= github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= 
@@ -1687,9 +1818,8 @@ github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl github.com/onsi/gomega v1.18.1/go.mod h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs= github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q= github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= +github.com/open-policy-agent/opa v0.35.0 h1:wsXkq/3JJucRUN4h46pn9Zv6cC6fnHWrVxjgoykxM7o= github.com/open-policy-agent/opa v0.35.0/go.mod h1:xEmekKlk6/c+so5HF9wtPnGPXDfBuBsrMGhSHOHEF+U= -github.com/open-policy-agent/opa v0.45.0 h1:P5nuhVRtR+e58fk3CMMbiqr6ZFyWQPNOC3otsorGsFs= -github.com/open-policy-agent/opa v0.45.0/go.mod h1:/OnsYljNEWJ6DXeFOOnoGn8CvwZGMUS4iRqzYdJvmBI= github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= 
@@ -1699,8 +1829,9 @@ github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3I github.com/opencontainers/image-spec v1.0.0/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/image-spec v1.0.2-0.20211117181255-693428a734f5/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= -github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 h1:rc3tiVYb5z54aKaDfakKn0dDjIyPpTtszkjuMzyt7ec= -github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 h1:+czc/J8SlhPKLOtVLMQc+xDCFBT73ZStMsRhSsUhsSg= +github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198/go.mod h1:j4h1pJW6ZcJTgMZWP3+7RlG3zTaP02aDZ/Qw0sppK7Q= github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= 
@@ -1727,7 +1858,6 @@ github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5/go.mod h1:/wsWhb9smxS github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw= github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4= github.com/openzipkin/zipkin-go v0.2.2/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4= -github.com/openzipkin/zipkin-go v0.3.0/go.mod h1:4c3sLeE8xjNqehmF5RpAFLPLJxXscc0R4l6Zg0P1tTQ= github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw= github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE= github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs= 
@@ -1744,19 +1874,24 @@ github.com/pelletier/go-toml v1.4.0/go.mod h1:PN7xzY2wHTK0K9p34ErDQMlFxa51Fk0OUr github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE= github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc= github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= -github.com/pelletier/go-toml v1.9.4 h1:tjENF6MfZAg8e4ZmZTeWaWiT2vXtsoO6+iuOjFhECwM= github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= +github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8= +github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= +github.com/pelletier/go-toml/v2 v2.0.1 h1:8e3L2cCQzLFi2CR4g7vGFuFxX7Jl1kKX8gW+iV0GUKU= +github.com/pelletier/go-toml/v2 v2.0.1/go.mod h1:r9LEWfGN8R5k0VXJ+0BkIe7MYkRdwZOjgMj2KwnJFUo= github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/peterh/liner v0.0.0-20170211195444-bf27d3ba8e1d/go.mod h1:xIteQHvHuaLYG9IFj6mSxM0fCKrs34IrEQUhOYuGPHc= +github.com/phayes/checkstyle v0.0.0-20170904204023-bfd46e6a821d/go.mod h1:3OzsM7FXDQlpCiw2j81fOmAwQLnZnLGXVKUzeKQXIAw= github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0jef7pBehbT1qWhCMrIgbYNnFAZCqQ5LRc= github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM= github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4/go.mod h1:4OwLy04Bl9Ef3GJJCoec+30X3LQs/0/m4HFRt/2LUSA= 
-github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 h1:Qj1ukM4GlMWXNdMBuXcXfz/Kw9s1qm0CLY32QxuSImI= github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ= +github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU= +github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= @@ -1765,9 +1900,11 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/profile v1.2.1/go.mod h1:hJw3o1OdXxsrSjjVksARp5W95eeEaEfptyVZyv6JUPA= github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI= +github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg= github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/polyfloyd/go-errorlint v0.0.0-20210722154253-910bb7978349/go.mod h1:wi9BfjxjF/bwiZ701TzmfKu6UKC357IOAtNr0Td0Lvw= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= github.com/posener/complete v1.2.3 h1:NP0eAhjcjImqslEwo/1hq7gpajME0fTLTezBKDqfXqo= github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s= 
@@ -1776,7 +1913,6 @@ github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:Om github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= github.com/prometheus/client_golang v0.0.0-20180209125602-c332b6f63c06/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= -github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM= github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs= github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= @@ -1787,6 +1923,7 @@ github.com/prometheus/client_golang v1.5.1/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3O github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= github.com/prometheus/client_golang v1.10.0/go.mod h1:WJM3cc3yu7XKBKa/I8WeZm+V3eltZnBwfENSU7mdogU= github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= +github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= github.com/prometheus/client_golang v1.13.0 h1:b71QUfeo5M8gq2+evJdTPfZhYMAU0uKPkyPJ7TPsloU= github.com/prometheus/client_golang v1.13.0/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ= 
@@ -1800,7 +1937,6 @@ github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2 github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/common v0.0.0-20180110214958-89604d197083/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= -github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= 
@@ -1814,11 +1950,11 @@ github.com/prometheus/common v0.28.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+ github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/common v0.30.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= +github.com/prometheus/common v0.34.0/go.mod h1:gB3sOl7P0TvJabZpLY5uQMpUqRCPPCyRLCZYc7JZTNE= github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE= github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA= github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= -github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.0-20190522114515-bc1a522cf7b1/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= 
@@ -1834,18 +1970,27 @@ github.com/prometheus/procfs v0.7.1/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1 github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo= github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= -github.com/prometheus/statsd_exporter v0.21.0/go.mod h1:rbT83sZq2V+p73lHhPZfMc3MLCHmSHelCh9hSGYNLTQ= +github.com/prometheus/prometheus v2.5.0+incompatible/go.mod h1:oAIUtOny2rjMX0OWN5vPR5/q/twIROJvdqnQKDdil/s= github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= -github.com/protocolbuffers/txtpbfmt v0.0.0-20201118171849-f6a6b3f636fc/go.mod h1:KbKfKPy2I6ecOIGA9apfheFv14+P3RSmmQvshofQyMY= +github.com/pseudomuto/protoc-gen-doc v1.3.2/go.mod h1:y5+P6n3iGrbKG+9O04V5ld71in3v/bX88wUwgt+U8EA= github.com/pseudomuto/protoc-gen-doc v1.4.1/go.mod h1:exDTOVwqpp30eV/EDPFLZy3Pwr2sn6hBC1WIYH/UbIg= github.com/pseudomuto/protoc-gen-doc v1.5.0/go.mod h1:exDTOVwqpp30eV/EDPFLZy3Pwr2sn6hBC1WIYH/UbIg= +github.com/pseudomuto/protoc-gen-doc v1.5.1/go.mod h1:XpMKYg6zkcpgfpCfQ8GcWBDRtRxOmMR5w7pz4Xo+dYM= github.com/pseudomuto/protokit v0.2.0/go.mod h1:2PdH30hxVHsup8KpBTOXTBeMVhJZVio3Q8ViKSAXT0Q= +github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1:5STLWrekHfjyYwxBRVRXNOSewLJ3PWfDJd1VyTS21fI= +github.com/quasilyte/go-ruleguard v0.3.1-0.20210203134552-1b5a410e1cc8/go.mod h1:KsAh3x0e7Fkpgs+Q9pNLS5XpFSvYCEVl5gP9Pp1xp30= +github.com/quasilyte/go-ruleguard v0.3.13/go.mod h1:Ul8wwdqR6kBVOCt2dipDBkE+T6vAV/iixkrKuRTN1oQ= +github.com/quasilyte/go-ruleguard/dsl v0.3.0/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU= +github.com/quasilyte/go-ruleguard/dsl v0.3.10/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU= +github.com/quasilyte/go-ruleguard/rules v0.0.0-20201231183845-9e62ed36efe1/go.mod h1:7JTjp89EGyU1d6XfBiXihJNG37wB2VRkd125Q1u7Plc= 
+github.com/quasilyte/go-ruleguard/rules v0.0.0-20210428214800-545e0d2e0bf7/go.mod h1:4cgAphtvu7Ftv7vOT2ZOYhC6CvBxZixcasr8qIOTA50= +github.com/quasilyte/regex/syntax v0.0.0-20200407221936-30656e2c4a95/go.mod h1:rlzQ04UMyJXu/aOvhd8qT+hvDrFpiwqp8MRXDY9szc0= github.com/qur/ar v0.0.0-20130629153254-282534b91770/go.mod h1:SjlYv2m9lpV0UW6K7lDqVJwEIIvSjaHbGk7nIfY8Hxw= -github.com/rabbitmq/amqp091-go v1.1.0/go.mod h1:ogQDLSOACsLPsIq0NpbtiifNZi2YOz0VTJ0kHRghqbM= github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= +github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/fastuuid v1.1.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= 
@@ -1854,59 +1999,72 @@ github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= +github.com/rogpeppe/go-internal v1.6.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8= github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE= github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= github.com/rs/cors v1.8.0/go.mod h1:EBwu+T5AvHOcXwvZIkQFjUN6s8Czyqw12GL/Y0tUyRM= +github.com/rs/cors v1.8.2/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU= github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ= github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU= github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc= -github.com/rubiojr/go-vhd v0.0.0-20200706105327-02e210299021/go.mod h1:DM5xW0nvfNNm2uytzsvhI3OnX8uzaRAg8UX/CnDqbto= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/ryancurrah/gomodguard v1.2.3/go.mod h1:rYbA/4Tg5c54mV1sv4sQTP5WOPBcoLtnBZ7/TEhXAbg= +github.com/ryanrolds/sqlclosecheck v0.3.0/go.mod h1:1gREqxyTGR3lVtpngyFo3hZAgk0KCtEdgEkHwDbigdA= github.com/ryanuber/columnize 
v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4= github.com/sagikazarmark/crypt v0.1.0/go.mod h1:B/mN0msZuINBtQ1zZLEQcegFJJf9vnYIR88KRMEuODE= +github.com/sagikazarmark/crypt v0.3.0/go.mod h1:uD/D+6UF4SrIR1uGEv7bBNkNqLGqUr43MRiaGWX1Nig= +github.com/sagikazarmark/crypt v0.4.0/go.mod h1:ALv2SRj7GxYV4HO9elxH9nS6M9gW+xDNxqmyJ6RfDFM= github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E= +github.com/sanposhiho/wastedassign/v2 v2.0.6/go.mod h1:KyZ0MWTwxxBmfwn33zh3k1dmsbF2ud9pAAGfoLfjhtI= github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b/go.mod h1:am+Fp8Bt506lA3Rk3QCmSqmYmLMnPDhdDUcosQCAx+I= github.com/sassoftware/go-rpmutils v0.1.1/go.mod h1:euhXULoBpvAxqrBHEyJS4Tsu3hHxUmQWNymxoJbzgUY= github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 h1:sUNzanSKA9z/h8xXl+ZJoxIYZL0Qx306MmxqRrvUgr0= github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74/go.mod h1:YlB8wFIZmFLZ1JllNBfSURzz52fBxbliNgYALk1UDmk= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= -github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo= -github.com/secure-systems-lab/go-securesystemslib v0.1.0/go.mod h1:eIjBmIP8LD2MLBL/DkQWayLiz006Q4p+hCu79rvWleY= github.com/secure-systems-lab/go-securesystemslib 
v0.2.0/go.mod h1:eIjBmIP8LD2MLBL/DkQWayLiz006Q4p+hCu79rvWleY= -github.com/secure-systems-lab/go-securesystemslib v0.3.1 h1:LJuyMziazadwmQRRu1M7GMUo5S1oH1+YxU9FjuSFU8k= +github.com/secure-systems-lab/go-securesystemslib v0.3.0/go.mod h1:o8hhjkbNl2gOamKUA/eNW3xUrntHT9L4W89W1nfj43U= github.com/secure-systems-lab/go-securesystemslib v0.3.1/go.mod h1:o8hhjkbNl2gOamKUA/eNW3xUrntHT9L4W89W1nfj43U= +github.com/secure-systems-lab/go-securesystemslib v0.4.0 h1:b23VGrQhTA8cN2CbBw7/FulN9fTtqYUdS5+Oxzt+DUE= +github.com/secure-systems-lab/go-securesystemslib v0.4.0/go.mod h1:FGBZgq2tXWICsxWQW1msNf49F0Pf2Op5Htayx335Qbs= +github.com/securego/gosec/v2 v2.9.1/go.mod h1:oDcDLcatOJxkCGaCaq8lua1jTnYf6Sou4wdiJ1n4iHc= github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= -github.com/shibumi/go-pathspec v1.2.0 h1:KVKEDHYk7bQolRMs7nfzjT3SBOCgcXFJzccnj9bsGbA= -github.com/shibumi/go-pathspec v1.2.0/go.mod h1:bDxCftD0fST3qXIlHoQ/fChsU4mWMVklXp1yPErQaaY= +github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c/go.mod h1:/PevMnwAxekIXwN8qQyfc5gl2NlkB3CQlkizAbOkeBs= +github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI= +github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE= +github.com/shirou/gopsutil/v3 v3.21.10/go.mod h1:t75NhzCZ/dYyPQjyQmrAYP6c8+LCdFANeBMdLPCNnew= github.com/shirou/gopsutil/v3 v3.22.9 h1:yibtJhIVEMcdw+tCTbOPiF1VcsuDeTE4utJ8Dm4c5eA= github.com/shirou/gopsutil/v3 v3.22.9/go.mod h1:bBYl1kjgEJpWpxeHmLI+dVHWtyAwfcmSBLDsp2TNT8A= github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod 
h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4= github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ= github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= +github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk= +github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= -github.com/sigstore/cosign v1.4.0 h1:N5GZCUa0xUk103a7KytUTZk1f185mLvbdRdj8UpgQR4= -github.com/sigstore/cosign v1.4.0/go.mod h1:NBnxsSJUjiXgOKasQsHpwkjQKFCvQbTizlr+/5Ydlm0= -github.com/sigstore/fulcio v0.1.2-0.20211204001059-48e1a254cf10 h1:CbCE3pm2JWMTUgA6V6erGiFKtRsMFM/ZIj+cf5QpT+s= -github.com/sigstore/fulcio v0.1.2-0.20211204001059-48e1a254cf10/go.mod h1:skrBtMLaBrK3Awd0SnDvCSGbBB0l3+nNsBiUC6WOVbM= -github.com/sigstore/rekor v0.3.1-0.20211203233407-3278f72b78bd h1:/Brk1DcfZDc69cDmWZPlHkwe5e3CK8j3BrfUKr6EO6c= -github.com/sigstore/rekor v0.3.1-0.20211203233407-3278f72b78bd/go.mod h1:X/YsXRguEJEDfYs2/vSw6zrq0fgFeML99KhZ6arCNaI= -github.com/sigstore/sigstore v0.0.0-20210729211320-56a91f560f44/go.mod h1:rJpRn7XmR/YrfNGDU9jh+vy5WMeSv5YKfNDBwnFg+Qg= -github.com/sigstore/sigstore v1.0.1/go.mod h1:1+krIdtuf81/fLC8mHPt/7uwYiOg7W8k/PAR7lzKW3w= -github.com/sigstore/sigstore v1.0.2-0.20211203233310-c8e7f70eab4e h1:qxWCfYfujtV4ZlDasR4gkyxmyxmAjbHKhf4q94S/cvs= -github.com/sigstore/sigstore v1.0.2-0.20211203233310-c8e7f70eab4e/go.mod h1:F/4PzB9jSHWZSdBW3JsRmNQRp1MNGHXfSzNfG3Khm1Y= +github.com/sigstore/cosign v1.9.0 h1:E1Kkc6I99dNCGfjwU0B7XTJNEpltNi2GUVEQcswY2Ow= +github.com/sigstore/cosign v1.9.0/go.mod h1:AkVaXopS0Z/3h/hVOyvIwKrXMOilKmlLgUlr8FkrKQM= +github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7 h1:XE7A9lJ+wYhmUFBWYTaw3Ph943zHB4iBYd5R0SX0ZOA= +github.com/sigstore/fulcio 
v0.1.2-0.20220114150912-86a2036f9bc7/go.mod h1:ANQivY/lfOp9hN92S813LEthkm/kit96hzeIF3SNoZA= +github.com/sigstore/rekor v0.4.1-0.20220114213500-23f583409af3 h1:mbqXrm8YZXN/cJMGeBkgPnswtfrOxDE1f7QZdJ+POQE= +github.com/sigstore/rekor v0.4.1-0.20220114213500-23f583409af3/go.mod h1:u9clLqaVjqV9pExVL1XkM37dGyMCOX/LMocS9nsnWDY= +github.com/sigstore/sigstore v1.0.2-0.20211210190220-04746d994282/go.mod h1:SuM+QIHtnnR9eGsURRLv5JfxM6KeaU0XKA1O7FmLs4Q= +github.com/sigstore/sigstore v1.1.0/go.mod h1:gDpcHw4VwpoL5C6N1Ud1YtBsc+ikRDwDelDlWRyYoE8= +github.com/sigstore/sigstore v1.2.1-0.20220424143412-3d41663116d5 h1:8OL06Knchax4CMtdfquC3ASWQPtYMJgyeQImWQPw6XE= +github.com/sigstore/sigstore v1.2.1-0.20220424143412-3d41663116d5/go.mod h1:OvpZniSE9oRPnW7+mhxljRt2RAQU+TwcnhYbqQsPwPc= github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= 
@@ -1918,8 +2076,10 @@ github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/sivchari/tenv v1.4.7/go.mod h1:5nF+bITvkebQVanjU6IuMbvIot/7ReNsUV7I5NbprB0= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog= +github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262/go.mod h1:MyOHs9Po2fbM1LHej6sBUT8ozbxmMOFG+E+rx/GSGuc= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM= github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h1:SnhjPscd9TpLiy1LpzGSKh3bXCfxxXuqd9xmQJy3slM= 
@@ -1928,19 +2088,25 @@ github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9 github.com/smartystreets/gunit v1.0.0/go.mod h1:qwPWnhz6pn0NnRBP++URONOVyNkPyr4SauJk4cUOwJs= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= github.com/soheilhy/cmux v0.1.5-0.20210205191134-5ec6847320e5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= +github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js= github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= +github.com/sonatard/noctx v0.0.1/go.mod h1:9D2D/EoULe8Yy2joDHJj7bv3sZoq9AaSb8B4lqBjiZI= github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY= +github.com/sourcegraph/go-diff v0.6.1/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag071iBaWPF6cjs= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4= -github.com/spf13/afero v1.6.0 h1:xoax2sJ2DT8S8xA2paPFjDCScCNeWsg75VG0DLRreiY= +github.com/spf13/afero v1.4.1/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= +github.com/spf13/afero v1.8.2 h1:xehSyVa0YnHWsJ49JFljMpg1HX19V6NDZ1fkm1Xznbo= +github.com/spf13/afero v1.8.2/go.mod h1:CtAatgMJh6bJEIs48Ay/FOnkljP3WeGUG0MC1RfAqwo= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cast v1.4.1 h1:s0hze+J0196ZfEMTs80N7UlFt0BDuQ7Q+JDnHiMWKdA= github.com/spf13/cast 
v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w= +github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU= github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= @@ -1948,6 +2114,8 @@ github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHN github.com/spf13/cobra v1.1.1/go.mod h1:WnodtKOvamDL/PwE2M4iKs8aMDBZ5Q5klgD3qfVJQMI= github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo= github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk= +github.com/spf13/cobra v1.3.0/go.mod h1:BrRVncBjOJa/eUcVVm9CE+oC6as8k+VYr4NY7WCi9V4= +github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g= github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU= github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= 
@@ -1962,24 +2130,27 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= +github.com/spf13/viper v1.7.1/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= -github.com/spf13/viper v1.9.0 h1:yR6EXjTp0y0cLN8OZg1CRZmOBdI88UcGkhgyJhu6nZk= github.com/spf13/viper v1.9.0/go.mod h1:+i6ajR7OX2XaiBkrcZJFK21htRk7eDeLg7+O6bhUPP4= -github.com/spiffe/go-spiffe/v2 v2.0.0-beta.8/go.mod h1:TEfgrEcyFhuSuvqohJt6IxENUNeHfndWCCV1EX7UaVk= -github.com/spiffe/go-spiffe/v2 v2.0.1-0.20220414143532-2ed460a8b9d3 h1:FpqM5PfWHs4Ze36HwzMpRefrv8kkmxFgtG9Qc6hL7Dc= -github.com/spiffe/go-spiffe/v2 v2.0.1-0.20220414143532-2ed460a8b9d3/go.mod h1:ifsAYiK9MOyuGYFUHUQ3K47dj+k/gd4IcWhlCyDJZEU= +github.com/spf13/viper v1.10.0/go.mod h1:SoyBPwAtKDzypXNDFKN5kzH7ppppbGZtls1UpIy5AsM= +github.com/spf13/viper v1.10.1/go.mod h1:IGlFPqhNAPKRxohIzWpI5QEy4kuI7tcl5WvR+8qy1rU= +github.com/spf13/viper v1.12.0 h1:CZ7eSOd3kZoaYDLbXnmzgQI5RlciuXBMA+18HwHRfZQ= +github.com/spf13/viper v1.12.0/go.mod h1:b6COn30jlNxbm/V2IqWiNWkJ+vZNiMNksliPCiuKtSI= +github.com/spiffe/go-spiffe/v2 v2.1.0 h1:IZRlWhyFpPbJOiK8K+MwEFPU/QCdaW4Zf5bmIKBd3XM= +github.com/spiffe/go-spiffe/v2 v2.1.0/go.mod h1:5qg6rpqlwIub0JAiF1UK9IMD6BpPTmvG6yfSgDBs5lg= github.com/spiffe/spire-api-sdk v1.2.5-0.20220608195902-84fd618158c9 h1:RmpSpUHOboDvGhxLW/32DAlV/DsvUURjojPVDMPDkwM= github.com/spiffe/spire-api-sdk v1.2.5-0.20220608195902-84fd618158c9/go.mod h1:73BC0cOGkqRQrqoB1Djk7etxN+bE1ypmzZMkhCQs6kY= github.com/spiffe/spire-plugin-sdk v1.4.1-0.20220912221658-c42ab2d657f6 h1:QViYo6JR+v2lTMV/w9Py1mWJEXTrLn1Hb6ZsCWSVVek= github.com/spiffe/spire-plugin-sdk v1.4.1-0.20220912221658-c42ab2d657f6/go.mod 
h1:4KW5J6abGIAyUS8IL7Fi0NOfoWR6jA5LufKPnIdm9FE= github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI= +github.com/ssgreg/nlreturn/v2 v2.2.1/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I= github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= github.com/streadway/amqp v1.0.0/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= github.com/streadway/handy v0.0.0-20190108123426-d5acb3125c2a/go.mod h1:qNTQ5P5JnDBl6z3cMAg/SywNDC5ABu5ApDIw6lUbRmI= -github.com/streadway/quantile v0.0.0-20150917103942-b0c588724d25/go.mod h1:lbP8tGiBjZ5YWIc2fzuRpTaz0b/53vT6PEs3QuAWzuU= github.com/stretchr/objx v0.0.0-20180129172003-8a3f7159479f/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
@@ -1990,6 +2161,7 @@ github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v0.0.0-20170130113145-4d4bfba8f1d1/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v0.0.0-20180303142811-b89eecf5ca5d/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.1.4/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= @@ -2001,8 +2173,10 @@ github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1F github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= +github.com/subosito/gotenv v1.3.0 h1:mjC+YW8QpAdXibNi+vNWgzmgBH4+5l5dCXv8cNysBLI= +github.com/subosito/gotenv v1.3.0/go.mod h1:YzJjq/33h7nrwdY+iHMhEOEEbW0ovIz0tB6t6PwAXzs= +github.com/sylvia7788/contextcheck v1.0.4/go.mod h1:vuPKJMQ7MQ91ZTqfdyreNKwZjyUg6KO+IebVyQDedZQ= github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= 
@@ -2010,15 +2184,14 @@ github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpP github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 h1:epCh84lMvA70Z7CTTCmYQn2CKbY8j86K7/FAIr141uY= github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7/go.mod h1:q4W45IWZaF22tdD+VEXcAWRA037jwmWEB5VWYORlTpc= github.com/tchap/go-patricia v2.2.6+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I= -github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= -github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= +github.com/tdakkota/asciicheck v0.0.0-20200416200610-e657995f937b/go.mod h1:yHp0ai0Z9gUljN3o0xMhYJnH/IcvkdTBOX2fmJ93JEM= +github.com/tenntenn/modver v1.0.1/go.mod h1:bePIyQPb7UeioSRkw3Q0XeMhYZSMx9B8ePqg6SAMGH0= +github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3/go.mod h1:ON8b8w4BN/kE1EOhwT0o+d62W65a6aPw1nouo9LMgyY= github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 h1:iGnD/q9160NWqKZZ5vY4p0dMiYMRknzctfSkqA4nBDw= github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613/go.mod h1:g6AnIpDSYMcphz193otpSIzN+11Rs+AAIIC6rm1enug= +github.com/tetafro/godot v1.4.11/go.mod h1:LR3CJpxDVGlYOWn3ZZg1PgNZdTUvzsZWu8xaEohUpn8= github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg= github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU= -github.com/theupdateframework/go-tuf v0.0.0-20210722233521-90e262754396/go.mod h1:L+uU/NRFK/7h0NYAnsmvsX9EghDB5QVCcHCIrK2h5nw= -github.com/theupdateframework/go-tuf v0.0.0-20211006142131-1dc15a86c64d/go.mod h1:oujGMqigj0NWDqeWBCzleayXXtux27r+kHAR2t5Yuk8= -github.com/theupdateframework/go-tuf v0.0.0-20211115152232-a4f2dd6ea314/go.mod h1:pQW1KcCMYPCuZ4pvCkYQhoE2k9SzTuh31AWhf1j/7HM= github.com/theupdateframework/go-tuf v0.0.0-20211203210025-7ded50136bf9/go.mod h1:n2n6wwC9BEnYS/C/APAtNln0eM5zYAYOkOTx6VEG/mA= 
github.com/theupdateframework/go-tuf v0.3.0 h1:od2sc5+BSkKZhmUG2o2rmruy0BGSmhrbDhCnpxh87X8= github.com/theupdateframework/go-tuf v0.3.0/go.mod h1:E5XP0wXitrFUHe4b8cUcAAdxBW4LbfnqF4WXXGLgWNo= 
@@ -2027,21 +2200,30 @@ github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= github.com/tilinna/clock v1.0.2/go.mod h1:ZsP7BcY7sEEz7ktc0IVy8Us6boDrK8VradlKRUGfOao= github.com/tilinna/clock v1.1.0/go.mod h1:ZsP7BcY7sEEz7ktc0IVy8Us6boDrK8VradlKRUGfOao= +github.com/timakin/bodyclose v0.0.0-20200424151742-cb6215831a94/go.mod h1:Qimiffbc6q9tBWlVV6x0P9sat/ao1xEkREYPPj9hphk= +github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= +github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/tj/assert v0.0.0-20171129193455-018094318fb0/go.mod h1:mZ9/Rh9oLWpLLDRpvE+3b7gP/C2YyLFYxNmcLnPTMe0= github.com/tj/go-elastic v0.0.0-20171221160941-36157cbbebc2/go.mod h1:WjeM0Oo1eNAjXGDx2yma7uG2XoyRZTq1uv3M/o7imD0= github.com/tj/go-kinesis v0.0.0-20171128231115-08b17f58cb1b/go.mod h1:/yhzCV0xPfx6jb1bBgRFjl5lytqVqZXEaeqWP8lTEao= github.com/tj/go-spin v1.1.0/go.mod h1:Mg1mzmePZm4dva8Qz60H2lHwmJ2loum4VIrLgVnKwh4= +github.com/tklauser/go-sysconf v0.3.9/go.mod h1:11DU/5sG7UexIrp/O6g35hrWzu0JxlwQ3LSFUzyeuhs= github.com/tklauser/go-sysconf v0.3.10 h1:IJ1AZGZRWbY8T5Vfk04D9WOA5WSejdflXxP03OUqALw= github.com/tklauser/go-sysconf v0.3.10/go.mod h1:C8XykCvCb+Gn0oNCWPIlcb0RuglQTYaQ2hGm7jmxEFk= +github.com/tklauser/numcpus v0.3.0/go.mod h1:yFGUr7TUHQRAhyqBcEg0Ge34zDBAsIvJJcyE6boqnA8= github.com/tklauser/numcpus v0.4.0 h1:E53Dm1HjH1/R2/aoCtXtPgzmElmn51aOkhCFSuZq//o= github.com/tklauser/numcpus v0.4.0/go.mod h1:1+UI3pD8NW14VMwdgJNJ1ESk2UnwhAnz5hMwiKKqXCQ= github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy 
v0.0.0-20200427203606-3cfed13b9966/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE= +github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk= +github.com/tomarrell/wrapcheck/v2 v2.4.0/go.mod h1:68bQ/eJg55BROaRTbMjC7vuhL2OgfoG8bLp9ZyoBfyY= github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4= -github.com/tsenart/go-tsz v0.0.0-20180814232043-cdeb9e1e981e/go.mod h1:SWZznP1z5Ki7hDT2ioqiFKEse8K9tU2OUvaRI0NeGQo= -github.com/tsenart/vegeta/v12 v12.8.4/go.mod h1:ZiJtwLn/9M4fTPdMY7bdbIeyNeFVE8/AHbWFqCsUuho= +github.com/tommy-muehle/go-mnd/v2 v2.4.0/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr8TnZn9lwVDlgzw= +github.com/transparency-dev/merkle v0.0.1 h1:T9/9gYB8uZl7VOJIhdwjALeRWlxUxSfDEysjfmx+L9E= +github.com/transparency-dev/merkle v0.0.1/go.mod h1:B8FIw5LTq6DaULoHsVFRzYIUDkl8yuSwCdZnOZGKL/A= github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= github.com/twmb/murmur3 v1.1.5/go.mod h1:Qq/R7NUyOfr65zD+6Q5IHKsJLwP7exErjN6lyyq3OSQ= github.com/twmb/murmur3 v1.1.6 h1:mqrRot1BRxm+Yct+vavLMou2/iJt0tNVTTC0QoIjaZg= 
@@ -2055,31 +2237,39 @@ github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLY github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8= github.com/ulikunitz/xz v0.5.7/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= +github.com/ultraware/funlen v0.0.3/go.mod h1:Dp4UiAus7Wdb9KUZsYWZEWiRzGuM2kXM1lPbfaF6xhA= +github.com/ultraware/whitespace v0.0.4/go.mod h1:aVMh/gQve5Maj9hQ/hg+F75lr/X5A89uZnzAmWSineA= github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/urfave/cli v1.22.4/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= -github.com/urfave/cli v1.22.5/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= -github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI= +github.com/urfave/cli v1.22.7/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/urfave/cli v1.22.9 h1:cv3/KhXGBGjEXLC4bH0sLuJ9BewaAbpk5oyMOveu4pw= +github.com/urfave/cli v1.22.9/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4= +github.com/uudashr/gocognit v1.0.5/go.mod h1:wgYz0mitoKOTysqxTDMOUXg+Jb5SvtihkfmugIZYpEA= +github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= +github.com/valyala/fasthttp v1.30.0/go.mod h1:2rsYD01CKFrjjsvFxx75KlEUNpWNBY9JWD3K/7o2Cus= +github.com/valyala/quicktemplate v1.7.0/go.mod h1:sqKJnoaOF88V07vkO+9FL8fb9uZg/VPSJnLYn+LmLk8= +github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc= 
github.com/vbatts/tar-split v0.11.2 h1:Via6XqJr0hceW4wff3QRzD5gAk/tatMw/4ZA7cTlIME= github.com/vbatts/tar-split v0.11.2/go.mod h1:vV3ZuO2yWSVsz+pfFzDG/upWH1JhjOiEaWq6kXyQ3VI= -github.com/vdemeester/k8s-pkg-credentialprovider v1.21.0-1 h1:7Ajl3rjeYoB5V47jPknnLbyxYlhMXTTJiQsye5aT7f0= -github.com/vdemeester/k8s-pkg-credentialprovider v1.21.0-1/go.mod h1:l4LxiP0cmEcc5q4BTDE8tZSyIiyXe0T28x37yHpMzoM= github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw= +github.com/viki-org/dnscache v0.0.0-20130720023526-c70c1f23c5d8/go.mod h1:dniwbG03GafCjFohMDmz6Zc6oCuiqgH6tGNyXTkHzXE= github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk= github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho= github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI= github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0= -github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= +github.com/vmihailenco/msgpack/v4 v4.3.12 h1:07s4sz9IReOgdikxLTKNbBdqDMLsjPKXwvCazn8G65U= +github.com/vmihailenco/tagparser v0.1.1 h1:quXMXlA39OCbd2wAdTsGDlK9RkOk6Wuw+x37wVyIuWY= github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4= github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI= github.com/xanzy/go-gitlab v0.31.0/go.mod h1:sPLojNBn68fMUWSxIJtdVVIP8uSBYqesTfDUseX11Ug= -github.com/xanzy/go-gitlab v0.52.2 h1:gkgg1z4ON70sphibtD86Bfmt1qV3mZ0pU0CBBCFAEvQ= -github.com/xanzy/go-gitlab v0.52.2/go.mod 
h1:Q+hQhV508bDPoBijv7YjK/Lvlb4PhVhJdKqXVQrUoAE= +github.com/xanzy/go-gitlab v0.68.0 h1:b2iMQHgZ1V+NyRqLRJVv6RFfr4xnd/AASeS/PETYL0Y= +github.com/xanzy/go-gitlab v0.68.0/go.mod h1:o4yExCtdaqlM8YGdDJWuZoBmfxBsmA9TPEjs9mx1UO4= github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4= github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs= 
@@ -2092,24 +2282,35 @@ github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs= +github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778/go.mod h1:2MuV+tbUrU1zIOPMxZ5EncGwgmMJsa+9ucAQZXxsObs= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b/go.mod h1:HptNXiXVDcJjXe9SqMd0v2FsL9f8dz4GnXgltU6q/co= github.com/yashtewari/glob-intersection v0.1.0 h1:6gJvMYQlTDOL3dMsPF6J0+26vwX9MB8/1q3uAdhmTrg= github.com/yashtewari/glob-intersection v0.1.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok= +github.com/yeya24/promlinter v0.1.0/go.mod h1:rs5vtZzeBHqqMwXqFScncpCF6u06lezhZepno9AB1Oc= github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA= github.com/ysmood/goob v0.3.0/go.mod h1:S3lq113Y91y1UBf1wj1pFOxeahvfKkCk6mTWTWbDdWs= +github.com/ysmood/goob v0.4.0 h1:HsxXhyLBeGzWXnqVKtmT9qM7EuVs/XOgkX7T6r1o1AQ= github.com/ysmood/got v0.15.1/go.mod h1:pE1l4LOwOBhQg6A/8IAatkGp7uZjnalzrZolnlhhMgY= github.com/ysmood/gotrace v0.2.2/go.mod 
h1:TzhIG7nHDry5//eYZDYcTzuJLYQIkykJzCRIo4/dzQM= github.com/ysmood/gson v0.6.4/go.mod h1:3Kzs5zDl21g5F/BlLTNcuAGAYLKt2lV5G8D1zF3RNmg= +github.com/ysmood/gson v0.7.1 h1:zKL2MTGtynxdBdlZjyGsvEOZ7dkxaY5TH6QhAbTgz0Q= +github.com/ysmood/leakless v0.7.0 h1:XCGdaPExyoreoQd+H5qgxM3ReNbSPFsEXpSKwbXbwQw= github.com/ysmood/leakless v0.7.0/go.mod h1:R8iAXPRaG97QJwqxs74RdwzcRHT1SWCGTNqY8q0JvMQ= +github.com/yudai/gojsondiff v1.0.0/go.mod h1:AY32+k2cwILAkW1fbgxQ5mUmMiZFgLIV+FBNExI05xg= +github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82/go.mod h1:lgjkn3NuSvDfVJdfcVVdX+jpBxNmX4rDAzaS45IcYoM= +github.com/yudai/pp v2.0.1+incompatible/go.mod h1:PuxR/8QJ7cyCkFp/aUDS+JY727OFEZkTdatxwunjIkc= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yusufpapurcu/wmi v1.2.2 h1:KBNDSne4vP5mbSWnJbO+51IMOXJB67QiYCSBrubbPRg= github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs= 
@@ -2123,30 +2324,58 @@ github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtC github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= +go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU= go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4= go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= +go.etcd.io/etcd v0.0.0-20200513171258-e048e166ab9c/go.mod h1:xCI7ZzBfRuGgBXyXO6yfWfDmlWd35khcWpUa4L0xI/k= go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489/go.mod h1:yVHk9ub3CSBatqGNg7GRmsnfLWtoW60w4eDYfh7vHDg= go.etcd.io/etcd/api/v3 v3.5.0-alpha.0/go.mod h1:mPcW6aZJukV6Aa81LSKpBjQXTWlXB5r74ymPoSWa3Sw= go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= +go.etcd.io/etcd/api/v3 v3.5.1/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= +go.etcd.io/etcd/api/v3 v3.5.4 h1:OHVyt3TopwtUQ2GKdd5wu3PmmipR4FTwCqoEjSyRdIc= +go.etcd.io/etcd/api/v3 v3.5.4/go.mod h1:5GB2vv4A4AOn3yk7MftYGHkUfGtDHnEraIjym4dYz5A= go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= +go.etcd.io/etcd/client/pkg/v3 v3.5.1/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= +go.etcd.io/etcd/client/pkg/v3 v3.5.4 h1:lrneYvz923dvC14R54XcA7FXoZ3mlGZAgmwhfm7HqOg= +go.etcd.io/etcd/client/pkg/v3 v3.5.4/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= go.etcd.io/etcd/client/v2 v2.305.0-alpha.0/go.mod h1:kdV+xzCJ3luEBSIeQyB/OEKkWKd8Zkux4sbDeANrosU= go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= +go.etcd.io/etcd/client/v2 
v2.305.1/go.mod h1:pMEacxZW7o8pg4CrFE7pquyCJJzZvkvdD2RibOCCCGs= +go.etcd.io/etcd/client/v2 v2.305.4 h1:Dcx3/MYyfKcPNLpR4VVQUP5KgYrBeJtktBwEKkw08Ao= +go.etcd.io/etcd/client/v2 v2.305.4/go.mod h1:Ud+VUwIi9/uQHOMA+4ekToJ12lTxlv0zB/+DHwTGEbU= go.etcd.io/etcd/client/v3 v3.5.0-alpha.0/go.mod h1:wKt7jgDgf/OfKiYmCq5WFGxOFAkVMLxiiXgLDFhECr8= go.etcd.io/etcd/client/v3 v3.5.0/go.mod h1:AIKXXVX/DQXtfTEqBryiLTUXwON+GuvO6Z7lLS/oTh0= +go.etcd.io/etcd/client/v3 v3.5.4 h1:p83BUL3tAYS0OT/r0qglgc3M1JjhM0diV8DSWAhVXv4= +go.etcd.io/etcd/client/v3 v3.5.4/go.mod h1:ZaRkVgBZC+L+dLCjTcF1hRXpgZXQPOvnA/Ak/gq3kiY= go.etcd.io/etcd/etcdctl/v3 v3.5.0-alpha.0/go.mod h1:YPwSaBciV5G6Gpt435AasAG3ROetZsKNUzibRa/++oo= go.etcd.io/etcd/etcdctl/v3 v3.5.0/go.mod h1:vGTfKdsh87RI7kA2JHFBEGxjQEYx+pi299wqEOdi34M= +go.etcd.io/etcd/etcdctl/v3 v3.5.4 h1:LVFzhocId7Vb8SqK3YanpW0rKjlvtkN80ShJpcBDDZk= +go.etcd.io/etcd/etcdctl/v3 v3.5.4/go.mod h1:SMZep1Aj7sUmMSBCHTjkZL/Yw36Vx5Ux61fKbopbb5U= go.etcd.io/etcd/etcdutl/v3 v3.5.0/go.mod h1:o98rKMCibbFAG8QS9KmvlYDGDShmmIbmRE8vSofzYNg= +go.etcd.io/etcd/etcdutl/v3 v3.5.4 h1:TeQGkpXMGnQ+Tgn/dB5yuADyeSZatehBBy6XXSxnO7U= +go.etcd.io/etcd/etcdutl/v3 v3.5.4/go.mod h1:eK9eZfI/BxDQCztpuaJ1E/ufYpMw2Y16dPX1azGWrBU= go.etcd.io/etcd/pkg/v3 v3.5.0-alpha.0/go.mod h1:tV31atvwzcybuqejDoY3oaNRTtlD2l/Ot78Pc9w7DMY= go.etcd.io/etcd/pkg/v3 v3.5.0/go.mod h1:UzJGatBQ1lXChBkQF0AuAtkRQMYnHubxAEYIrC3MSsE= +go.etcd.io/etcd/pkg/v3 v3.5.4 h1:V5Dvl7S39ZDwjkKqJG2BfXgxZ3QREqqKifWQgIw5IM0= +go.etcd.io/etcd/pkg/v3 v3.5.4/go.mod h1:OI+TtO+Aa3nhQSppMbwE4ld3uF1/fqqwbpfndbbrEe0= go.etcd.io/etcd/raft/v3 v3.5.0-alpha.0/go.mod h1:FAwse6Zlm5v4tEWZaTjmNhe17Int4Oxbu7+2r0DiD3w= go.etcd.io/etcd/raft/v3 v3.5.0/go.mod h1:UFOHSIvO/nKwd4lhkwabrTD3cqW5yVyYYf/KlD00Szc= +go.etcd.io/etcd/raft/v3 v3.5.4 h1:YGrnAgRfgXloBNuqa+oBI/aRZMcK/1GS6trJePJ/Gqc= +go.etcd.io/etcd/raft/v3 v3.5.4/go.mod h1:SCuunjYvZFC0fBX0vxMSPjuZmpcSk+XaAcMrD6Do03w= go.etcd.io/etcd/server/v3 v3.5.0-alpha.0/go.mod 
h1:tsKetYpt980ZTpzl/gb+UOJj9RkIyCb1u4wjzMg90BQ= go.etcd.io/etcd/server/v3 v3.5.0/go.mod h1:3Ah5ruV+M+7RZr0+Y/5mNLwC+eQlni+mQmOVdCRJoS4= +go.etcd.io/etcd/server/v3 v3.5.4 h1:CMAZd0g8Bn5NRhynW6pKhc4FRg41/0QYy3d7aNm9874= +go.etcd.io/etcd/server/v3 v3.5.4/go.mod h1:S5/YTU15KxymM5l3T6b09sNOHPXqGYIZStpuuGbb65c= go.etcd.io/etcd/tests/v3 v3.5.0-alpha.0/go.mod h1:HnrHxjyCuZ8YDt8PYVyQQ5d1ZQfzJVEtQWllr5Vp/30= go.etcd.io/etcd/tests/v3 v3.5.0/go.mod h1:f+mtZ1bE1YPvgKdOJV2BKy4JQW0nAFnQehgOE7+WyJE= +go.etcd.io/etcd/tests/v3 v3.5.4 h1:wiYG8vbDwZO2UatQE9Z3GIv2z52jGg5DvEkTDXm090c= +go.etcd.io/etcd/tests/v3 v3.5.4/go.mod h1:ymig8LjkI1zqAxxMsl+nntzG21dND2hh0UQXl9BaJP8= go.etcd.io/etcd/v3 v3.5.0-alpha.0/go.mod h1:JZ79d3LV6NUfPjUxXrpiFAYcjhT+06qqw+i28snx8To= go.etcd.io/etcd/v3 v3.5.0/go.mod h1:FldM0/VzcxYWLvWx1sdA7ghKw7C3L2DvUTzGrcEtsC4= +go.etcd.io/etcd/v3 v3.5.4 h1:IWyDYI27KTWKGv1OS0Hzysr6514E6e7qfRUVpzr4YFQ= +go.etcd.io/etcd/v3 v3.5.4/go.mod h1:c6jK4IfuWwJU26FD9SeI4cAtvlfu9Iacaxu0vRses1k= go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= go.mongodb.org/mongo-driver v1.3.0/go.mod h1:MSWZXKOynuguX+JSvwP8i+58jYCXxbia8HS3gZBapIE= 
@@ -2156,8 +2385,10 @@ go.mongodb.org/mongo-driver v1.4.4/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4S go.mongodb.org/mongo-driver v1.4.6/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= go.mongodb.org/mongo-driver v1.5.1/go.mod h1:gRXCHX4Jo7J0IJ1oDQyUxF7jfy19UfxniMS4xxMmUqw= go.mongodb.org/mongo-driver v1.7.3/go.mod h1:NqaYOwnXWr5Pm7AOpO5QFxKJ503nbMse/R79oO62zWg= -go.mongodb.org/mongo-driver v1.7.5 h1:ny3p0reEpgsR2cfA5cjgwFZg3Cv/ofFh/8jbhGtz9VI= go.mongodb.org/mongo-driver v1.7.5/go.mod h1:VXEWRZ6URJIkUq2SCAyapmhH0ZLRBP+FT4xhp5Zvxng= +go.mongodb.org/mongo-driver v1.8.3 h1:TDKlTkGDKm9kkJVUOAXDK5/fkqKHJVwYQSpoRfB43R4= +go.mongodb.org/mongo-driver v1.8.3/go.mod h1:0sQWfOeY63QTntERDJJ/0SuKK0T1uVSgKCuAROlKEPY= +go.mozilla.org/mozlog v0.0.0-20170222151521-4bb13139d403/go.mod h1:jHoPAGnDrCy6kaI2tAze5Prf0Nr0w/oNkROt2lw3n3o= go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= go.opencensus.io v0.15.0/go.mod h1:UffZAU+4sDEINUGP/B7UfBBkq4fqLu9zXAX7ke6CHW0= go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= 
@@ -2172,19 +2403,32 @@ go.opencensus.io v0.22.6/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc= -go.opentelemetry.io/contrib v1.2.0/go.mod h1:EH4yDYeNoaTqn/8yCWQmfNB78VHfGX2Jt2bvnvzBlGM= +go.opentelemetry.io/contrib v1.6.0 h1:xJawAzMuR3s4Au5p/ABHqYFychHjK2AHB9JvkBuBbTA= +go.opentelemetry.io/contrib v1.6.0/go.mod h1:FlyPNX9s4U6MCsWEc5YAK4KzKNHFDsjrDUZijJiXvy8= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0 h1:sO4WKdPAudZGKPcpZT4MJn6JaDmpyLrMPDGGyA1SttE= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:2AboqHi0CiIZU0qwhtUfCYD1GeUzvvIXWNkhDt7ZMG4= +go.opentelemetry.io/contrib/propagators v0.19.0 h1:HrixVNZYFjUl/Db+Tr3DhqzLsVW9GeVf/Gye+C5dNUY= +go.opentelemetry.io/otel v0.20.0 h1:eaP0Fqu7SXHwvjiqDq83zImeehOHX8doTvU9AwXON8g= go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo= +go.opentelemetry.io/otel/exporters/otlp v0.20.0 h1:PTNgq9MRmQqqJY0REVbZFvwkYOA85vbdQU/nVfxDyqg= go.opentelemetry.io/otel/exporters/otlp v0.20.0/go.mod h1:YIieizyaN77rtLJra0buKiNBOm9XQfkPEKBeuhoMwAM= +go.opentelemetry.io/otel/metric v0.20.0 h1:4kzhXFP+btKm4jwxpjIqjs41A7MakRFUS86bqLHTIw8= go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU= +go.opentelemetry.io/otel/oteltest v0.20.0 h1:HiITxCawalo5vQzdHfKeZurV8x7ljcqAgiWzF6Vaeaw= go.opentelemetry.io/otel/oteltest v0.20.0/go.mod h1:L7bgKf9ZB7qCwT9Up7i9/pn0PWIa9FqQ2IQ8LoxiGnw= +go.opentelemetry.io/otel/sdk v0.20.0 h1:JsxtGXd06J8jrnya7fdI/U/MR6yXA5DtbZy+qoHQlr8= go.opentelemetry.io/otel/sdk v0.20.0/go.mod 
h1:g/IcepuwNsoiX5Byy2nNV0ySUF1em498m7hBWC279Yc= +go.opentelemetry.io/otel/sdk/export/metric v0.20.0 h1:c5VRjxCXdQlx1HjzwGdQHzZaVI82b5EbBgOu2ljD92g= go.opentelemetry.io/otel/sdk/export/metric v0.20.0/go.mod h1:h7RBNMsDJ5pmI1zExLi+bJK+Dr8NQCh0qGhm1KDnNlE= +go.opentelemetry.io/otel/sdk/metric v0.20.0 h1:7ao1wpzHRVKf0OQ7GIxiQJA6X7DLX9o14gmVon7mMK8= go.opentelemetry.io/otel/sdk/metric v0.20.0/go.mod h1:knxiS8Xd4E/N+ZqKmUPf3gTTZ4/0TjTXukfxjzSTpHE= +go.opentelemetry.io/otel/trace v0.20.0 h1:1DL6EXUdcg95gukhuRRvLDO/4X5THh/5dIV52lqtnbw= go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= -go.opentelemetry.io/proto/otlp v0.11.0/go.mod h1:QpEjXPrNQzrFDZgoTo49dgHR9RYRSrg3NAKnUGl9YpQ= +go.opentelemetry.io/proto/otlp v0.12.0 h1:CMJ/3Wp7iOWES+CYLfnBv+DVmPbB+kmy9PJ92XvlR6c= +go.opentelemetry.io/proto/otlp v0.12.0/go.mod h1:TsIjwGWIx5VFYv9KGVlOpxoBl5Dy+63SUguV7GGvlSQ= +go.step.sm/crypto v0.14.0/go.mod h1:3G0yQr5lQqfEG0CMYz8apC/qMtjLRQlzflL2AxkcN+g= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= 
@@ -2198,8 +2442,10 @@ go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A go.uber.org/goleak v1.1.11-0.20210813005559-691160354723/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= go.uber.org/goleak v1.1.12 h1:gZAh5/EyT/HQwlpkCy6wTpqfH9H8Lz8zbm3dZh+OyzA= +go.uber.org/goleak v1.1.12/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= +go.uber.org/multierr v1.4.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/multierr v1.7.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak= 
@@ -2211,28 +2457,26 @@ go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= go.uber.org/zap v1.16.0/go.mod h1:MA8QOfq0BHJwdXa996Y4dYkAqRKB8/1K1QMMZVaNZjQ= go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= -go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= go.uber.org/zap v1.19.1/go.mod h1:j3DNczoxDZroyBnOT1L/Q79cfUMGZxlv/9dzN7SM1rI= +go.uber.org/zap v1.20.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw= +go.uber.org/zap v1.21.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw= go.uber.org/zap v1.23.0 h1:OjGQ5KQDEUawVHxNwQgPpiypGHOxo2mNZsOqTak4fFY= go.uber.org/zap v1.23.0/go.mod h1:D+nX8jyLsMHMYrln8A0rJjFt/T/9/bGgIhAqxv5URuY= gocloud.dev v0.19.0/go.mod h1:SmKwiR8YwIMMJvQBKLsC3fHNyMwXLw3PMDO+VVteJMI= -gocloud.dev v0.24.0/go.mod h1:uA+als++iBX5ShuG4upQo/3Zoz49iIPlYUWHV5mM8w8= +gocloud.dev v0.24.1-0.20211119014450-028788aaaa4c/go.mod h1:EIJSlY7nvfeoWaV2GauF6es27gZfqtTVon47QFueoyE= golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20180501155221-613d6eafa307/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181009213950-7c1a557ab941/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod 
h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= -golang.org/x/crypto v0.0.0-20190418165655-df01cb2cc480/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= -golang.org/x/crypto v0.0.0-20190424203555-c05e17bb3b2d/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190530122614-20be4c3c3ed5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 
@@ -2241,7 +2485,6 @@ golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190829043050-9756ffdc2472/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY= golang.org/x/crypto v0.0.0-20191002192127-34f69633bfdc/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 
@@ -2256,24 +2499,29 @@ golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20200930160638-afb6bcd081ae/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20201112155050-0c6587e931a9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= -golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= +golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= +golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= +golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20210920023735-84f357641f63/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= 
+golang.org/x/crypto v0.0.0-20211115234514-b4de73f9ece8/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20211202192323-5770296d904e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20211209193657-4570a0811e8b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220131195533-30dcbda58838/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa h1:zuSxTR4o9y82ebqCUJYNGJbGPo6sKVl54f/TVDObg1c= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= -golang.org/x/exp v0.0.0-20190731235908-ec7cb31e5a56/go.mod h1:JhuoJpWY28nO4Vef9tZUw9qufEGTyX1+7lmHxV5q5G4= golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= 
@@ -2282,7 +2530,6 @@ golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= golang.org/x/exp v0.0.0-20200331195152-e8c3332aa8e5/go.mod h1:4M0jN8W1tt0AVLNr8HDosyJCDCDuyL9N9+3m7wDWgKw= -golang.org/x/exp v0.0.0-20210126221216-84987778548c/go.mod h1:I6l2HNBLBZEcrOoCpyKLdY2lHoRZ8lI4x60KMCQDft4= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -2299,20 +2546,18 @@ golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPI golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= -golang.org/x/mobile v0.0.0-20201217150744-e6ae53a27f4f/go.mod h1:skQtrUTUwhdJvXM/2KKJzY8pDgNr9I/FOMqDVRPBUS4= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/mod v0.1.1-0.20191209134235-331c550502dd/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.3.1-0.20200828183125-ce943fd02449/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= +golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s= golang.org/x/mod 
v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -2377,30 +2622,35 @@ golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210224082022-3d97a244fca7/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8= golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM= +golang.org/x/net v0.0.0-20210423184538-5f58ad60dda6/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210610132358-84b48f89b13b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod 
h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210917221730-978cfadd31cf/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211101193420-4a448f8816b3/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211020060615-d418f374d309/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211111083644-e5c967477495/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211118161319-6a13c67c3ce4/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211123203042-d83791d6bcd9/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211208012354-db4efeb81f4b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220127074510-2fabfed7e28f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= 
+golang.org/x/net v0.0.0-20220421235706-1d1ef9303861/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= @@ -2429,7 +2679,6 @@ golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20211028175245-ba495a64dcb5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= 
@@ -2464,8 +2713,6 @@ golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190129075346-302c3dd5f1cc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -2486,7 +2733,6 @@ golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190620070143-6f217b454f45/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190812073006-9eafafc0a87e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -2528,7 +2774,6 @@ golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200602225109-6fdc65e7d980/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -2544,6 +2789,7 @@ golang.org/x/sys v0.0.0-20200916030750-2334cc1a136f/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200922070232-aee5d888a860/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201005172224-997123666555/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201117170446-d9b008d0a637/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -2556,7 +2802,6 @@ golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210223095934-7937bea0104d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -2569,6 +2814,7 @@ golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210412220455-f1c623a9e750/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210503080704-8803ae5d1324/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -2576,23 +2822,29 @@ golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210629170331-7dc0b73dc9fb/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210816074244-15123e1e1f71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210909193231-528a39cd75f3/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210915083310-ed5796bab164/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210917161153-d61c044b1678/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211013075003-97ac67df715c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211110154304-99a53858aa08/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211112193437-faf0a1b62c6b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211117180635-dee7805ff2e1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -2601,6 +2853,7 @@ golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -2612,7 +2865,6 @@ golang.org/x/sys v0.0.0-20220907062415-87db552b00fd h1:AZeIEzg+8RCELJYq8w+ODLVxF golang.org/x/sys v0.0.0-20220907062415-87db552b00fd/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 
@@ -2635,19 +2887,25 @@ golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20220411224347-583f2d630306/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 h1:ftMN5LMiBFjbzleLqtoBZk7KdJwhuybIU+FckUHgoyQ= golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190110163146-51295c7ec13a/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190125232054-d66bd3c5d5a6/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190307163923-6a08e3108db3/go.mod h1:25r3+/G6/xytQM8iWZKq3Hn0kr0rgFKPUNVEL/dr3z4= golang.org/x/tools 
v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190311215038-5c2858a9cfe5/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190321232350-e250d351ecad/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190322203728-c1a832b0ad89/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190329151228-23e29df326fe/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190416151739-9c9e1878f421/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 
@@ -2664,12 +2922,13 @@ golang.org/x/tools v0.0.0-20190617190820-da514acc4774/go.mod h1:/rFqwRUd4F7ZHNgw golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190706070813-72ffa07ba3db/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= golang.org/x/tools v0.0.0-20190729092621-ff9f1409240a/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190823170909-c4a336ef6a2f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190910044552-dd2b5c81c578/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190916130336-e45ffcd953cc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191010075000-0337d82405ff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 
@@ -2682,11 +2941,12 @@ golang.org/x/tools v0.0.0-20191118222007-07fc4c7f2b98/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200103221440-774c71fcf114/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200117012304-6edc0a871e69/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200117220505-0cba7a3a9ee9/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 
@@ -2696,40 +2956,65 @@ golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapK golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= +golang.org/x/tools v0.0.0-20200324003944-a576cf524670/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= +golang.org/x/tools v0.0.0-20200329025819-fd4102a86c65/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= +golang.org/x/tools v0.0.0-20200414032229-332987a829c3/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200422022333-3d57cf2e726e/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200426102838-f3a5411a4c3b/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200522201501-cb1345f3a375/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200612220849-54c614fe050c/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200616133436-c1934b75d054/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools 
v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200622203043-20e05c1c8ffa/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200624225443-88f3c62a19ff/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200625211823-6506e20df31f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200626171337-aa94e735be7f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200630154851-b2d8b0336632/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200706234117-b22de6825cf7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200717024301-6ddee64345a6/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200724022722-7017fd6b1305/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200812195022-5ae4c3c160a0/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200820010801-b793a1359eac/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200831203904-5a2aa26beb65/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= -golang.org/x/tools v0.0.0-20200916195026-c9a70fc28ce3/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU= +golang.org/x/tools v0.0.0-20201001104356-43ebab892c4c/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU= +golang.org/x/tools 
v0.0.0-20201002184944-ecd9fd270d5d/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU= golang.org/x/tools v0.0.0-20201014170642-d1624618ad65/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU= +golang.org/x/tools v0.0.0-20201023174141-c8cfbd0f21e6/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201028025901-8cd080b735b3/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201114224030-61ea331ec02b/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201118003311-bd56c0adb394/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201230224404-63754364767c/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210101214203-2dba1e4ea05c/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210104081019-d8d6ddbec6ee/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210112230658-8b4aab62c064/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= +golang.org/x/tools v0.1.1-0.20210205202024-ef80cdb6ec6d/go.mod 
h1:9bzcO0MWcOuT0tm1iBGzDVPshzfwoVvREIui8C+MHqU= +golang.org/x/tools v0.1.1-0.20210302220138-2ac05c832e1a/go.mod h1:9bzcO0MWcOuT0tm1iBGzDVPshzfwoVvREIui8C+MHqU= golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.6-0.20210820212750-d4cc65f0b2ff/go.mod h1:YD9qOF0M9xpSpdWTBbzEl5e/RnCefISl8E5Noe10jFM= +golang.org/x/tools v0.1.6/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= +golang.org/x/tools v0.1.8/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU= +golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E= golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -2757,14 +3042,12 @@ google.golang.org/api v0.10.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhE google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.15.1-0.20200106000736-b8fc810ca6b5/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= -google.golang.org/api v0.25.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= 
@@ -2781,20 +3064,24 @@ google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59t google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4= google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw= google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU= -google.golang.org/api v0.52.0/go.mod h1:Him/adpjt0sxtkWViy0b6xyKW/SD71CwdJ7HqJo7SrU= google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k= google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI= google.golang.org/api v0.58.0/go.mod h1:cAbP2FsxoGVNwtgNAmmn3y5G1TWAiVYRmg4yku3lv+E= +google.golang.org/api v0.59.0/go.mod h1:sT2boj7M9YJxZzgeZqXogmhfmRWDtPzT31xkieUbuZU= google.golang.org/api v0.60.0/go.mod h1:d7rl65NZAkEQ90JFzqBjcRq1TVeG5ZoGV3sSpEnnVb4= google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I= +google.golang.org/api v0.62.0/go.mod h1:dKmwPCydfsad4qCH08MSdgWjfHOyfpd4VtDGgRFdavw= google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo= +google.golang.org/api v0.64.0/go.mod h1:931CdxA8Rm4t6zqTFGSsgwbAEZ2+GMYurbndwSimebM= +google.golang.org/api v0.65.0/go.mod h1:ArYhxgGadlWmqO1IqVujw6Cs8IdD33bTmzKo2Sh+cbg= google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g= google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/SkfA= google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8= google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs= google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA= +google.golang.org/api v0.77.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA= 
google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw= google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg= google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o= @@ -2829,6 +3116,7 @@ google.golang.org/genproto v0.0.0-20190620144150-6af8c5fc6601/go.mod h1:z3L6/3dT google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20190927181202-20e1ac93f88c/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 
@@ -2849,8 +3137,9 @@ google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfG google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20200527145253-8367513e4ece/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= +google.golang.org/genproto v0.0.0-20200626011028-ee7919e894b5/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200707001353-8e8330bf89df/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200806141610-86f49bd18e98/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 
@@ -2865,13 +3154,17 @@ google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210126160654-44e461bb6506/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210325141258-5636347f2b14/go.mod h1:f2Bd7+2PlaVKmvKQ52aspJZXIDaRQBVdOOBfJ5i8OEs= google.golang.org/genproto v0.0.0-20210329143202-679c6ae281ee/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= google.golang.org/genproto v0.0.0-20210331142528-b7513248f0ba/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= +google.golang.org/genproto v0.0.0-20210406143921-e86de6bf7a46/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= google.golang.org/genproto v0.0.0-20210413151531-c14fb6ef47c3/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= +google.golang.org/genproto v0.0.0-20210420162539-3c870d7478d2/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= google.golang.org/genproto v0.0.0-20210427215850-f767ed18ee4d/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= google.golang.org/genproto v0.0.0-20210429181445-86c259c2b4ab/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= 
google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= 
@@ -2882,27 +3175,33 @@ google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxH google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24= google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= -google.golang.org/genproto v0.0.0-20210721163202-f1cecdd8b78a/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= -google.golang.org/genproto v0.0.0-20210722135532-667f2b7c528f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w= google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= -google.golang.org/genproto v0.0.0-20210825212027-de86158e7fda/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210917145530-b395a37504d4/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210921142501-181ce0d877f6/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= 
google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211008145708-270636b82663/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211016002631-37fc39342514/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211018162055-cf77aa76bad2/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211019152133-63b7e35f4404/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211021150943-2b146023228c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211027162914-98a5263abeca/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211028162531-8db9c33dc351/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211129164237-f09f9a12af12/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211203200212-54befc351ae9/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211207154714-918901c715cf/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211223182754-3ac035c7e7cb/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= 
+google.golang.org/genproto v0.0.0-20220111164026-67b88f271998/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20220207164111-0872dc986b00/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20220218161850-94dd64e39d7c/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= @@ -2914,6 +3213,7 @@ google.golang.org/genproto v0.0.0-20220407144326-9054f6ed7bac/go.mod h1:8w6bsBMX google.golang.org/genproto v0.0.0-20220413183235-5e96e2839df9/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= +google.golang.org/genproto v0.0.0-20220422154200-b37d22cd5731/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= 
@@ -2929,14 +3229,12 @@ google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a h1:GH6UPn3ixhWcKDh google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= -google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= -google.golang.org/grpc v1.22.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.22.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= 
@@ -2946,6 +3244,7 @@ google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= +google.golang.org/grpc v1.29.0/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= @@ -2966,6 +3265,7 @@ google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9K google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k= google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= +google.golang.org/grpc v1.43.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= 
@@ -2976,6 +3276,7 @@ google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCD google.golang.org/grpc v1.50.1 h1:DS/BukOZWp8s6p4Dt/tOaJaTQyPyOoCcrjroHuCeLzY= google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= +google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.2.0/go.mod h1:DNq5QpG7LJqD2AamLZ7zvKE0DEpVl2BSEVjFycAAjRY= google.golang.org/grpc/examples v0.0.0-20201130180447-c456688b1860/go.mod h1:Ly7ZA/ARzg8fnPU9TyZIxoz33sEUuWX7txiqs8lPTgE= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= @@ -2996,6 +3297,7 @@ google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/alexcesaro/statsd.v2 v2.0.0 h1:FXkZSCZIH17vLCO5sO2UucTHsH9pc+17F6pl3JVCwMc= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20141024133853-64131543e789/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -3004,10 +3306,10 @@ gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= +gopkg.in/cheggaaa/pb.v1 v1.0.28 h1:n1tBJnnK2r7g9OW2btFH91V92STTUevLXYFb8gy9EMk= gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= -gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo= gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE= 
@@ -3018,8 +3320,11 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.63.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/ini.v1 v1.66.0 h1:tYFFjdYXTsNBxJhYBABRbTuaKkX6UBzOvbYwhEcaZJQ= -gopkg.in/ini.v1 v1.66.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/ini.v1 v1.66.4 h1:SsAcf+mM7mRZo2nJNGt8mZCjG8ZRaNGMURJw7BsIST4= +gopkg.in/ini.v1 v1.66.4/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/linkedin/goavro.v1 v1.0.5/go.mod h1:Aw5GdAbizjOEl0kAMHV9iHmA8reZzW/OKuJAl4Hb9F0= +gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8= gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= @@ -3034,7 +3339,6 @@ gopkg.in/src-d/go-git.v4 v4.13.1/go.mod h1:nx5NYcxdKxq5fpltdHnPa2Exj4Sx0EclMWZQb gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/validator.v2 v2.0.0-20200605151824-2b28d334fa05/go.mod h1:o4V0GXN9/CAmCsvJ0oXYZvrZOe7syiDZSN1GWGZTGzc= -gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 
@@ -3042,11 +3346,11 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.6/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= -gopkg.in/yaml.v3 v3.0.0-20200121175148-a6ecf24a6d71/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 
@@ -3067,122 +3371,86 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +honnef.co/go/tools v0.0.1-2020.1.5/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +honnef.co/go/tools v0.2.1/go.mod h1:lPVVZ2BS5TfnjLyizF7o7hv7j9/L+8cZY2hLyjP9cGY= k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo= k8s.io/api v0.20.4/go.mod h1:++lNL1AJMkDymriNniQsWRkMDzRaX2Y/POTUi8yvqYQ= k8s.io/api v0.20.6/go.mod h1:X9e8Qag6JV/bL5G6bU8sdVRltWKmdHsFUGS3eVndqE8= -k8s.io/api v0.21.0/go.mod h1:+YbrhBBGgsxbF6o6Kj4KJPJnBmAKuXDeS3E18bgHNVU= -k8s.io/api v0.21.1/go.mod h1:FstGROTmsSHBarKc8bylzXih8BLNYTiS3TZcsoEDg2s= -k8s.io/api v0.21.4/go.mod h1:fTVGP+M4D8+00FN2cMnJqk/eb/GH53bvmNs2SVTmpFk= -k8s.io/api v0.21.7/go.mod h1:9Z7hGak48detDeDBCo3Db9N/EqdFSTOEJ9BpIRC3Cms= k8s.io/api v0.23.3/go.mod h1:w258XdGyvCmnBj/vGzQMj6kzdufJZVUwEM1U2fRJwSQ= k8s.io/api v0.25.3 h1:Q1v5UFfYe87vi5H7NU0p4RXC26PPMT8KOpr1TLQbCMQ= k8s.io/api v0.25.3/go.mod h1:o42gKscFrEVjHdQnyRenACrMtbuJsVdP+WVjqejfzmI= -k8s.io/apiextensions-apiserver v0.21.4/go.mod h1:OoC8LhI9LnV+wKjZkXIBbLUwtnOGJiTRE33qctH5CIk= k8s.io/apiextensions-apiserver v0.25.0 h1:CJ9zlyXAbq0FIW8CD7HHyozCMBpDSiH7EdrSTCZcZFY= k8s.io/apiextensions-apiserver v0.25.0/go.mod h1:3pAjZiN4zw7R8aZC5gR0y3/vCkGlAjCazcg1me8iB/E= k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc= -k8s.io/apimachinery v0.21.0/go.mod h1:jbreFvJo3ov9rj7eWT7+sYiRx+qZuCYXwWT1bcDswPY= -k8s.io/apimachinery v0.21.1/go.mod h1:jbreFvJo3ov9rj7eWT7+sYiRx+qZuCYXwWT1bcDswPY= -k8s.io/apimachinery 
v0.21.4/go.mod h1:H/IM+5vH9kZRNJ4l3x/fXP/5bOPJaVP/guptnZPeCFI= -k8s.io/apimachinery v0.21.7/go.mod h1:Ee84YWaZJo/QdW7/nsjTQCSaCJEJ/CyHkdWbdiBZ3Ns= k8s.io/apimachinery v0.23.3/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM= k8s.io/apimachinery v0.25.3 h1:7o9ium4uyUOM76t6aunP0nZuex7gDf8VGwkR5RcJnQc= k8s.io/apimachinery v0.25.3/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo= k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU= k8s.io/apiserver v0.20.4/go.mod h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM= k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q= -k8s.io/apiserver v0.21.0/go.mod h1:w2YSn4/WIwYuxG5zJmcqtRdtqgW/J2JRgFAqps3bBpg= -k8s.io/apiserver v0.21.4/go.mod h1:SErUuFBBPZUcD2nsUU8hItxoYheqyYr2o/pCINEPW8g= k8s.io/apiserver v0.23.3/go.mod h1:3HhsTmC+Pn+Jctw+Ow0LHA4dQ4oXrQ4XJDzrVDG64T4= k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y= k8s.io/client-go v0.20.4/go.mod h1:LiMv25ND1gLUdBeYxBIwKpkSC5IsozMMmOOeSJboP+k= k8s.io/client-go v0.20.6/go.mod h1:nNQMnOvEUEsOzRRFIIkdmYOjAZrC8bgq0ExboWSU1I0= -k8s.io/client-go v0.21.0/go.mod h1:nNBytTF9qPFDEhoqgEPaarobC8QPae13bElIVHzIglA= -k8s.io/client-go v0.21.1/go.mod h1:/kEw4RgW+3xnBGzvp9IWxKSNA+lXn3A7AuH3gdOAzLs= -k8s.io/client-go v0.21.4/go.mod h1:t0/eMKyUAq/DoQ7vW8NVVA00/nomlwC+eInsS8PxSew= -k8s.io/client-go v0.21.7/go.mod h1:IdmcpVUFBlFrzDtr58R5o/q3OaA8AJ+FF6LyE9Fpr0w= k8s.io/client-go v0.23.3/go.mod h1:47oMd+YvAOqZM7pcQ6neJtBiFH7alOyfunYN48VsmwE= k8s.io/client-go v0.25.3 h1:oB4Dyl8d6UbfDHD8Bv8evKylzs3BXzzufLiO27xuPs0= k8s.io/client-go v0.25.3/go.mod h1:t39LPczAIMwycjcXkVc+CB+PZV69jQuNx4um5ORDjQA= -k8s.io/cloud-provider v0.21.0 h1:NSTS+czpv6LQAaIpY/VUghsT4oj62hYmQPErkDKTzKU= -k8s.io/cloud-provider v0.21.0/go.mod h1:z17TQgu3JgUFjcgby8sj5X86YdVK5Pbt+jm/eYMZU9M= -k8s.io/code-generator v0.19.7/go.mod h1:lwEq3YnLYb/7uVXLorOJfxg+cUu2oihFhHZ0n9NIla0= -k8s.io/code-generator v0.21.4/go.mod 
h1:K3y0Bv9Cz2cOW2vXUrNZlFbflhuPvuadW6JdnN6gGKo= k8s.io/code-generator v0.23.3/go.mod h1:S0Q1JVA+kSzTI1oUvbKAxZY/DYbA/ZUb4Uknog12ETk= k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk= k8s.io/component-base v0.20.4/go.mod h1:t4p9EdiagbVCJKrQ1RsA5/V4rFQNDfRlevJajlGwgjI= k8s.io/component-base v0.20.6/go.mod h1:6f1MPBAeI+mvuts3sIdtpjljHWBQ2cIy38oBIWMYnrM= -k8s.io/component-base v0.21.0/go.mod h1:qvtjz6X0USWXbgmbfXR+Agik4RZ3jv2Bgr5QnZzdPYw= -k8s.io/component-base v0.21.4/go.mod h1:ZKG0eHVX+tUDcaoIGpU3Vtk4TIjMddN9uhEWDmW6Nyg= k8s.io/component-base v0.23.3/go.mod h1:1Smc4C60rWG7d3HjSYpIwEbySQ3YWg0uzH5a2AtaTLg= k8s.io/component-base v0.25.2 h1:Nve/ZyHLUBHz1rqwkjXm/Re6IniNa5k7KgzxZpTfSQY= k8s.io/component-base v0.25.2/go.mod h1:90W21YMr+Yjg7MX+DohmZLzjsBtaxQDDwaX4YxDkl60= -k8s.io/controller-manager v0.21.0/go.mod h1:Ohy0GRNRKPVjB8C8G+dV+4aPn26m8HYUI6ejloUBvUA= k8s.io/cri-api v0.17.3/go.mod h1:X1sbHmuXhwaHs9xxYffLqJogVsnI+f6cPRcgPel7ywM= k8s.io/cri-api v0.20.1/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= k8s.io/cri-api v0.20.4/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= k8s.io/cri-api v0.20.6/go.mod h1:ew44AjNXwyn1s0U4xCKGodU7J1HzBeZ1MpGrpa5r8Yc= -k8s.io/csi-translation-lib v0.21.0/go.mod h1:edq+UMpgqEx3roTuGF/03uIuSOsI986jtu65+ytLlkA= k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/gengo v0.0.0-20200428234225-8167cfdcfc14/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= -k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= -k8s.io/gengo v0.0.0-20210915205010-39e73c8a59cd/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= -k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= 
k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/klog/v2 v2.8.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= -k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/klog/v2 v2.70.1 h1:7aaoSdahviPmR+XkS7FyxlkkXs6tHISSG03RxleQAVQ= k8s.io/klog/v2 v2.70.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-aggregator v0.23.3 h1:9IP+D+YzIbGor/TArN3pYf9Thj19wYhzLRGRrFaKFSs= k8s.io/kube-aggregator v0.23.3/go.mod h1:pt5QJ3QaIdhZzNlUvN5wndbM0LNT4BvhszGkzy2QdFo= -k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM= -k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE= -k8s.io/kube-openapi v0.0.0-20211110012726-3cc51fd1e909/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE= k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk= k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 h1:MQ8BAZPZlWk3S9K4a9NCkIFQtZShWqoha7snGixVgEA= k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU= k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk= -k8s.io/legacy-cloud-providers v0.21.0 h1:iWf5xaX9yvYT5mkz8UB96UtISQ5IkrWeuMPMhRp01ZY= -k8s.io/legacy-cloud-providers v0.21.0/go.mod h1:bNxo7gDg+PGkBmT/MFZswLTWdSWK9kAlS1s8DJca5q4= k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20210521133846-da695404a2bc/go.mod 
h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20211203121628-587287796c64/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed h1:jAne/RjBTyawwAy0utX5eqigAwz/lQhTmy+Hr/Cpue4= k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -knative.dev/hack v0.0.0-20211122162614-813559cefdda/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI= -knative.dev/pkg v0.0.0-20211203062937-d37811b71d6a h1:3/Mfjwe2D5yP7ZYqU9WsXU/291176d3b0RZ6Ew8xolA= -knative.dev/pkg v0.0.0-20211203062937-d37811b71d6a/go.mod h1:AKPae1Cmj+k0GWXWnF2tKY7q5qPa1mTD7oCP4OeMvEM= -nhooyr.io/websocket v1.8.6/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0= +knative.dev/pkg v0.0.0-20220325200448-1f7514acd0c2 h1:dJ1YKQ1IvCfxtYqS1dHm18VT153ntHi5uJsFVv7oxfc= +knative.dev/pkg v0.0.0-20220325200448-1f7514acd0c2/go.mod h1:5xt0nzCwxvQ2N4w71smY7pYm5nVrQ8qnRsMinSLVpio= +mvdan.cc/gofumpt v0.1.1/go.mod h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48= +mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc= +mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4= +mvdan.cc/unparam v0.0.0-20210104141923-aac4ce9116a7/go.mod h1:hBpJkZE8H/sb+VRFvw2+rBpHNsTBcvSpk61hr8mzXZE= nhooyr.io/websocket v1.8.7/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0= pack.ag/amqp v0.11.2/go.mod h1:4/cbmt4EJXSKlG6LCfWHoqmN0uFdy5i/+YFz+fTfhV4= -pgregory.net/rapid v0.3.3/go.mod h1:UYpPVyjFHzYBGHIxLFoupi8vwk6rXNzRY9OMvVxFIOU= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod 
h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.14/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.15/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.27/go.mod h1:tq2nT0Kx7W+/f2JVE+zxYtUhdjuELJkVpNz+x/QN5R4= sigs.k8s.io/controller-runtime v0.13.0 h1:iqa5RNciy7ADWnIc8QxCbOX5FEKVR3uxVxKHRMc2WIQ= sigs.k8s.io/controller-runtime v0.13.0/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/release-utils v0.6.0 h1:wJDuzWJqPH4a5FAxAXE2aBvbB6UMIW7iYMhsKnIMQkA= +sigs.k8s.io/release-utils v0.6.0/go.mod h1:kR1/DuYCJ4covppUasYNcA11OixC9O37B/E0ejRfb+c= sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= -sigs.k8s.io/structured-merge-diff/v4 v4.1.0/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= -sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= 
From 7375df4ad594c24232be663ec61657d0054462fa Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Thu, 30 Jun 2022 10:10:17 -0400 Subject: [PATCH 086/257] progress: solving dependency errors, apply marcos diff (#36) Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../plugin/workloadattestor/k8s/k8s_test.go | 3 +- .../workloadattestor/k8s/sigstore/sigstore.go | 3 +- .../k8s/sigstore/sigstore_test.go | 77 ++++++++++--------- 3 files changed, 43 insertions(+), 40 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index 4ed8c1d388..3b0d97ba74 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -20,6 +20,7 @@ import ( "time" "github.com/hashicorp/go-hclog" + "github.com/sigstore/cosign/pkg/cosign/bundle" "github.com/sigstore/cosign/pkg/oci" "github.com/spiffe/spire/pkg/agent/common/cgroups" "github.com/spiffe/spire/pkg/agent/plugin/workloadattestor" @@ -808,7 +809,7 @@ func (signature) Chain() ([]*x509.Certificate, error) { return nil, nil } -func (signature) Bundle() (*oci.Bundle, error) { +func (signature) Bundle() (*bundle.RekorBundle, error) { return nil, nil } diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 9c71b3b84f..69648ade76 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -18,6 +18,7 @@ import ( "github.com/hashicorp/go-hclog" "github.com/sigstore/cosign/cmd/cosign/cli/fulcio" "github.com/sigstore/cosign/pkg/cosign" + "github.com/sigstore/cosign/pkg/cosign/bundle" "github.com/sigstore/cosign/pkg/oci" rekor "github.com/sigstore/rekor/pkg/generated/client" "github.com/sigstore/sigstore/pkg/signature/payload" 
@@ -355,7 +356,7 @@ func getSignatureSubject(signature oci.Signature) (string, error) { return subject, nil } -func getBundleSignatureContent(bundle *oci.Bundle) (string, error) { +func getBundleSignatureContent(bundle *bundle.RekorBundle) (string, error) { if bundle == nil { return "", errors.New("bundle is nil") } diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 01ba0fd39a..29c0b22f4f 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -21,6 +21,7 @@ import ( "github.com/google/go-containerregistry/pkg/v1/remote" "github.com/hashicorp/go-hclog" "github.com/sigstore/cosign/pkg/cosign" + "github.com/sigstore/cosign/pkg/cosign/bundle" "github.com/sigstore/cosign/pkg/oci" rekor "github.com/sigstore/rekor/pkg/generated/client" corev1 "k8s.io/api/core/v1" @@ -35,7 +36,7 @@ type signature struct { payload []byte cert *x509.Certificate - bundle *oci.Bundle + bundle *bundle.RekorBundle } func (signature) Annotations() (map[string]string, error) { @@ -58,7 +59,7 @@ func (signature) Chain() ([]*x509.Certificate, error) { return nil, nil } -func (s signature) Bundle() (*oci.Bundle, error) { +func (s signature) Bundle() (*bundle.RekorBundle, error) { return s.bundle, nil } 
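Review bot: In the sigstore.go hunk, the parameter of `getBundleSignatureContent` is still named `bundle`, which now shadows the newly imported `bundle` package for the whole function body. Any later reference to a package-level name inside this function would resolve to the parameter rather than the package, and the signature `bundle *bundle.RekorBundle` is hard to read in code that handles signature-verification material. I would rename the parameter, e.g. `func getBundleSignatureContent(rekorBundle *bundle.RekorBundle) (string, error) {` followed by `if rekorBundle == nil {`. Go parameter names are not part of the call interface, so callers are unaffected. The function body continues outside the hunk, so the remaining uses of the parameter need the same rename.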
@@ -395,8 +396,8 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { signatures: []oci.Signature{ signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com"}}`), - bundle: &oci.Bundle{ - Payload: oci.BundlePayload{ + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", LogID: "samplelogID", IntegratedTime: 12345, @@ -425,8 +426,8 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { signatures: []oci.Signature{ signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex1@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &oci.Bundle{ - Payload: oci.BundlePayload{ + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", LogID: "samplelogID1", IntegratedTime: 12345, 
@@ -435,8 +436,8 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { }, signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex2@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &oci.Bundle{ - Payload: oci.BundlePayload{ + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUI9IgogICAgfQogIH0KfQo=", LogID: "samplelogID2", IntegratedTime: 12346, @@ -493,8 +494,8 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { "spirex2@example.com", }, }, - bundle: &oci.Bundle{ - Payload: oci.BundlePayload{ + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", LogID: "samplelogID", IntegratedTime: 12345, @@ -537,8 +538,8 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { }, }, }, - bundle: &oci.Bundle{ - Payload: oci.BundlePayload{ + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", LogID: "samplelogID", IntegratedTime: 12345, @@ -616,7 +617,7 @@ func (noCertSignature) Chain() ([]*x509.Certificate, error) { return nil, nil } -func (noCertSignature) Bundle() (*oci.Bundle, error) { +func (noCertSignature) Bundle() (*bundle.RekorBundle, error) { return nil, nil } 
@@ -642,7 +643,7 @@ func (noPayloadSignature) Chain() ([]*x509.Certificate, error) { return nil, nil } -func (noPayloadSignature) Bundle() (*oci.Bundle, error) { +func (noPayloadSignature) Bundle() (*bundle.RekorBundle, error) { return nil, nil } @@ -668,7 +669,7 @@ func (noBundleSignature) Chain() ([]*x509.Certificate, error) { return nil, nil } -func (s noBundleSignature) Bundle() (*oci.Bundle, error) { +func (s noBundleSignature) Bundle() (*bundle.RekorBundle, error) { return nil, fmt.Errorf("no bundle test") } func Test_certSubject(t *testing.T) { @@ -1328,8 +1329,8 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { args: args{ signature: signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &oci.Bundle{ - Payload: oci.BundlePayload{ + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", LogID: "samplelogID", IntegratedTime: 12345, 
@@ -1355,8 +1356,8 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { args: args{ signature: signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "","key2": "value 2","key3": "value 3"}}`), - bundle: &oci.Bundle{ - Payload: oci.BundlePayload{ + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", LogID: "samplelogID", IntegratedTime: 12345, @@ -1394,8 +1395,8 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { args: args{ signature: signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &oci.Bundle{ - Payload: oci.BundlePayload{ + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", LogID: "samplelogID", IntegratedTime: 12345, 
@@ -1424,8 +1425,8 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { args: args{ signature: signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &oci.Bundle{ - Payload: oci.BundlePayload{ + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiIgogICAgfQogIH0KfQ==", LogID: "samplelogID", IntegratedTime: 12345, @@ -1476,7 +1477,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { func Test_getBundleSignatureContent(t *testing.T) { type args struct { - bundle *oci.Bundle + bundle *bundle.RekorBundle } tests := []struct { name string @@ -1495,8 +1496,8 @@ func Test_getBundleSignatureContent(t *testing.T) { { name: "Bundle payload body is not a string", args: args{ - bundle: &oci.Bundle{ - Payload: oci.BundlePayload{ + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ Body: 42, }, }, @@ -1507,8 +1508,8 @@ func Test_getBundleSignatureContent(t *testing.T) { { name: "Bundle payload body is not valid base64", args: args{ - bundle: &oci.Bundle{ - Payload: oci.BundlePayload{ + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ Body: "abc..........def", }, }, @@ -1519,8 +1520,8 @@ func Test_getBundleSignatureContent(t *testing.T) { { name: "Bundle payload body has no signature content", args: args{ - bundle: &oci.Bundle{ - Payload: oci.BundlePayload{ + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ Body: "ewogICAgInNwZWMiOiB7CiAgICAgICJzaWduYXR1cmUiOiB7CiAgICAgIH0KICAgIH0KfQ==", }, }, 
@@ -1531,8 +1532,8 @@ func Test_getBundleSignatureContent(t *testing.T) { { name: "Bundle payload body signature content is empty", args: args{ - bundle: &oci.Bundle{ - Payload: oci.BundlePayload{ + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ Body: "ewogICAgInNwZWMiOiB7CiAgICAgICAgInNpZ25hdHVyZSI6IHsKICAgICAgICAiY29udGVudCI6ICIiCiAgICAgICAgfQogICAgfQp9", }, }, @@ -1543,8 +1544,8 @@ func Test_getBundleSignatureContent(t *testing.T) { { name: "Bundle payload body is not a valid JSON", args: args{ - bundle: &oci.Bundle{ - Payload: oci.BundlePayload{ + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ Body: "ewogICJzcGVjIjosLCB7CiAgICAic2lnbmF0dXJlIjogewogICAgICAiY29udGVudCI6ICJNRVVDSVFDeWVtOEdjcjBzUEZNUDdmVFhhekNONTdOY041K01qeEp3OU9vMHgyZU0rQUlnZGdCUDk2Qk8xVGUvTmRiakhiVWViMEJVeWU2ZGVSZ1Z0UUV2NU5vNXNtQT0iCiAgICB9CiAgfQp9", }, }, @@ -1555,8 +1556,8 @@ func Test_getBundleSignatureContent(t *testing.T) { { name: "Bundle payload body signature content is correct", args: args{ - bundle: &oci.Bundle{ - Payload: oci.BundlePayload{ + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", LogID: "samplelogID", IntegratedTime: 12345, 
@@ -1614,8 +1615,8 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { return []oci.Signature{ signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &oci.Bundle{ - Payload: oci.BundlePayload{ + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", LogID: "samplelogID", IntegratedTime: 12345, From c0d8bea7f2fdd93a5cd7c91e7f1f62011f775ffd Mon Sep 17 00:00:00 2001 From: Matheus de Farias Cavalcanti Santos Date: Thu, 30 Jun 2022 18:24:55 -0300 Subject: [PATCH 087/257] PR adjustments of code organization and change imageID to a list of strings (#38) Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../plugin/workloadattestor/k8s/k8s_posix.go | 6 +- .../plugin/workloadattestor/k8s/k8s_test.go | 2 +- .../workloadattestor/k8s/sigstore/sigstore.go | 60 ++++++++++--------- .../k8s/sigstore/sigstore_test.go | 39 +++++++++++- 4 files changed, 71 insertions(+), 36 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index 9587887b16..18bd5e271a 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go 
@@ -343,11 +343,11 @@ func createHelper(c *Plugin) (ContainerHelper, error) { func configureSigstore(config *k8sConfig, sigstore sigstore.Sigstore) error { // Configure sigstore settings sigstore.ClearSkipList() + imageIDList := []string{} if config.SkippedImages != nil { - for _, imageID := range config.SkippedImages { - sigstore.AddSkippedImage(imageID) - } + imageIDList = append(imageIDList, config.SkippedImages...) } + sigstore.AddSkippedImage(imageIDList) sigstore.EnableAllowSubjectList(config.AllowedSubjectListEnabled) sigstore.ClearAllowedSubjects() if config.AllowedSubjects != nil { diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index 3b0d97ba74..3fd12667d3 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -844,7 +844,7 @@ func (s *sigstoreMock) ShouldSkipImage(imageID string) (bool, error) { return s.skipSigs, s.returnError } -func (s *sigstoreMock) AddSkippedImage(string) { +func (s *sigstoreMock) AddSkippedImage([]string) { } func (s *sigstoreMock) ClearSkipList() { } diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 69648ade76..2a64d65714 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -36,7 +36,7 @@ type Sigstore interface { SelectorValuesFromSignature(oci.Signature, string) SelectorsFromSignatures ExtractSelectorsFromSignatures(signatures []oci.Signature, containerID string) []SelectorsFromSignatures ShouldSkipImage(imageID string) (bool, error) - AddSkippedImage(imageID string) + AddSkippedImage(imageID []string) ClearSkipList() AddAllowedSubject(subject string) EnableAllowSubjectList(bool) 
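Review bot: In `configureSigstore`, the `imageIDList` copy and the `config.SkippedImages != nil` guard are not needed, because `append` and `range` both accept a nil slice and the `AddSkippedImage` implementation in this commit only ranges over its argument. The added lines reduce to `sigstore.AddSkippedImage(config.SkippedImages)`. In the `Sigstore` interface hunk of the same commit the parameter is still named `imageID` although it is now a list; `imageIDList`, as in the implementation, would match. The body of `configureSigstore` continues past the hunk.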
@@ -57,6 +57,32 @@ type sigstoreImpl struct { sigstorecache Cache } +// The following structs are used to go through the payload json objects +type BundleSignature struct { + Content string `json:"content"` + Format string `json:"format"` + PublicKey map[string]string `json:"publicKey"` +} + +type BundleSpec struct { + Data map[string]map[string]string `json:"data"` + Signature BundleSignature `json:"signature"` +} + +type BundleBody struct { + APIVersion string `json:"apiVersion"` + Kind string `json:"kind"` + Spec BundleSpec `json:"spec"` +} + +type SelectorsFromSignatures struct { + Subject string + Content string + LogID string + IntegratedTime string + Verified bool +} + func New(cache Cache, logger hclog.Logger) Sigstore { return &sigstoreImpl{ verifyFunction: cosign.VerifyImageSignatures, @@ -133,32 +159,6 @@ func (s *sigstoreImpl) ExtractSelectorsFromSignatures(signatures []oci.Signature return selectors } -// The following structs are used to go through the payload json objects -type BundleSignature struct { - Content string `json:"content"` - Format string `json:"format"` - PublicKey map[string]string `json:"publicKey"` -} - -type BundleSpec struct { - Data map[string]map[string]string `json:"data"` - Signature BundleSignature `json:"signature"` -} - -type BundleBody struct { - APIVersion string `json:"apiVersion"` - Kind string `json:"kind"` - Spec BundleSpec `json:"spec"` -} - -type SelectorsFromSignatures struct { - Subject string - Content string - LogID string - IntegratedTime string - Verified bool -} - // SelectorValuesFromSignature extracts selectors from a signature. // returns a list of selectors. func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, containerID string) SelectorsFromSignatures { 
@@ -219,11 +219,13 @@ func (s *sigstoreImpl) ShouldSkipImage(imageID string) (bool, error) { } // AddSkippedImage adds the image ID and selectors to the skip list. -func (s *sigstoreImpl) AddSkippedImage(imageID string) { +func (s *sigstoreImpl) AddSkippedImage(imageIDList []string) { if s.skippedImages == nil { s.skippedImages = make(map[string]bool) } - s.skippedImages[imageID] = true + for _, imageID := range imageIDList { + s.skippedImages[imageID] = true + } } // ClearSkipList clears the skip list. diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 29c0b22f4f..e9797fa2c1 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -918,7 +918,7 @@ func TestSigstoreimpl_AddSkippedImage(t *testing.T) { skippedImages map[string]bool } type args struct { - imageID string + imageID []string } tests := []struct { name string @@ -934,7 +934,7 @@ func TestSigstoreimpl_AddSkippedImage(t *testing.T) { skippedImages: nil, }, args: args{ - imageID: "sha256:sampleimagehash", + imageID: []string{"sha256:sampleimagehash"}, }, want: map[string]bool{ "sha256:sampleimagehash": true, 
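Review bot: The doc comment on `AddSkippedImage` was left unchanged and still describes a single image ID "and selectors", which the new body does not handle; it only marks each element of `imageIDList` in `s.skippedImages`. Suggested wording: `// AddSkippedImage adds every image ID in imageIDList to the skip list.` The test table added in sigstore_test.go does not include a nil or empty list, which would pin that the map is still allocated in that case.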
@@ -950,11 +950,44 @@ func TestSigstoreimpl_AddSkippedImage(t *testing.T) { }, }, args: args{ - imageID: "sha256:sampleimagehash", + imageID: []string{"sha256:sampleimagehash"}, + }, + want: map[string]bool{ + "sha256:sampleimagehash": true, + "sha256:sampleimagehash1": true, + }, + }, + { + name: "add a list of skipped images to empty map", + fields: fields{ + verifyFunction: nil, + fetchImageManifestFunction: nil, + skippedImages: nil, + }, + args: args{ + imageID: []string{"sha256:sampleimagehash", "sha256:sampleimagehash1"}, + }, + want: map[string]bool{ + "sha256:sampleimagehash": true, + "sha256:sampleimagehash1": true, + }, + }, + { + name: "add a list of skipped images to a existing map", + fields: fields{ + verifyFunction: nil, + fetchImageManifestFunction: nil, + skippedImages: map[string]bool{ + "sha256:sampleimagehash": true, + }, + }, + args: args{ + imageID: []string{"sha256:sampleimagehash1", "sha256:sampleimagehash2"}, }, want: map[string]bool{ "sha256:sampleimagehash": true, "sha256:sampleimagehash1": true, + "sha256:sampleimagehash2": true, }, }, } From 26c469f6cdf8a93b7f6a2396060cfd7351992919 Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Fri, 1 Jul 2022 15:17:24 -0300 Subject: [PATCH 088/257] feat: adding plugin mutex lock to configureSigstore. (#37) Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index 18bd5e271a..790b65e485 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go 
@@ -326,7 +326,7 @@ func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) return nil, err } if p.sigstore != nil { - if err := configureSigstore(c, p.sigstore); err != nil { + if err := p.configureSigstore(c, p.sigstore); err != nil { return nil, err } } @@ -340,7 +340,10 @@ func createHelper(c *Plugin) (ContainerHelper, error) { fs: c.fs, }, nil -func configureSigstore(config *k8sConfig, sigstore sigstore.Sigstore) error { +func (p *Plugin) configureSigstore(config *k8sConfig, sigstore sigstore.Sigstore) error { + p.mu.Lock() + defer p.mu.Unlock() + // Configure sigstore settings sigstore.ClearSkipList() imageIDList := []string{} From cd0a350297b9f03584541d016bcde52cbbc3432c Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Sat, 2 Jul 2022 17:01:26 -0300 Subject: [PATCH 089/257] SelectorsFromSignature pointer refactor (#33) Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../plugin/workloadattestor/k8s/k8s_test.go | 11 ++--- .../workloadattestor/k8s/sigstore/sigstore.go | 44 +++++++++---------- .../k8s/sigstore/sigstore_test.go | 30 ++++--------- 3 files changed, 35 insertions(+), 50 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index 3fd12667d3..6feb089222 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -236,8 +236,7 @@ func (s *Suite) TestAttestWithSigstoreSignatures() { s.startInsecureKubelet() s.setSigstoreSelectors([]sigstore.SelectorsFromSignatures{ { - Subject: "sigstore-subject", - Verified: true, + Subject: "sigstore-subject", }, }) p := s.loadInsecurePlugin() 
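Review bot: The lock added to `configureSigstore` belongs to the plugin, but the state being cleared and rebuilt lives in the `sigstore` object, whose `skippedImages` and `subjectAllowList` maps are accessed in the sigstore.go hunks on this page with no lock of their own. Unless every attestation path that calls into sigstore also takes `p.mu` (not visible here), a reconfiguration running alongside attestation is a concurrent map read and write, and a reader can observe the lists in the window between `ClearSkipList()` and the re-add. `Configure`'s body extends beyond the hunk, so it is worth confirming it does not already hold `p.mu` at the call site, since Go mutexes are not reentrant. A comment such as `// p.mu must also be held by callers that read the sigstore skip list or allow-list.` would record the intended invariant.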
@@ -832,8 +831,8 @@ func (s *sigstoreMock) FetchImageSignatures(ctx context.Context, imageName strin return s.sigs, s.returnError } -func (s *sigstoreMock) SelectorValuesFromSignature(signatures oci.Signature, containerID string) sigstore.SelectorsFromSignatures { - return s.selectors[0] +func (s *sigstoreMock) SelectorValuesFromSignature(signatures oci.Signature, containerID string) *sigstore.SelectorsFromSignatures { + return &s.selectors[0] } func (s *sigstoreMock) ExtractSelectorsFromSignatures(signatures []oci.Signature, containerID string) []sigstore.SelectorsFromSignatures { @@ -875,9 +874,7 @@ func (s *sigstoreMock) AttestContainerSignatures(ctx context.Context, status *co if selector.IntegratedTime != "" { selectorsString = append(selectorsString, fmt.Sprintf("%s:image-signature-integrated-time:%s", status.ContainerID, selector.IntegratedTime)) } - if selector.Verified { - selectorsString = append(selectorsString, "sigstore-validation:passed") - } + selectorsString = append(selectorsString, "sigstore-validation:passed") } return selectorsString, s.returnError } diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 2a64d65714..eb27b5c980 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -33,7 +33,7 @@ const ( type Sigstore interface { AttestContainerSignatures(ctx context.Context, status *corev1.ContainerStatus) ([]string, error) FetchImageSignatures(ctx context.Context, imageName string) ([]oci.Signature, error) - SelectorValuesFromSignature(oci.Signature, string) SelectorsFromSignatures + SelectorValuesFromSignature(oci.Signature, string) *SelectorsFromSignatures ExtractSelectorsFromSignatures(signatures []oci.Signature, containerID string) []SelectorsFromSignatures ShouldSkipImage(imageID string) (bool, error) AddSkippedImage(imageID []string) 
@@ -80,7 +80,6 @@ type SelectorsFromSignatures struct { Content string LogID string IntegratedTime string - Verified bool } func New(cache Cache, logger hclog.Logger) Sigstore { @@ -152,8 +151,8 @@ func (s *sigstoreImpl) ExtractSelectorsFromSignatures(signatures []oci.Signature for _, sig := range signatures { // verify which subject sigSelectors := s.SelectorValuesFromSignature(sig, containerID) - if sigSelectors.Verified { - selectors = append(selectors, sigSelectors) + if sigSelectors != nil { + selectors = append(selectors, *sigSelectors) } } return selectors 
@@ -161,45 +160,46 @@ func (s *sigstoreImpl) ExtractSelectorsFromSignatures(signatures []oci.Signature // SelectorValuesFromSignature extracts selectors from a signature. // returns a list of selectors. -func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, containerID string) SelectorsFromSignatures { - var selectorsFromSignatures SelectorsFromSignatures +func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, containerID string) *SelectorsFromSignatures { + var selectorsFromSignatures *SelectorsFromSignatures subject, err := getSignatureSubject(signature) if err != nil { - s.logger.Error("error getting signature subject", "error", err) + s.logger.Error("Error getting signature subject", "error", err) return selectorsFromSignatures } if subject == "" { - s.logger.Error("error getting signature subject: empty subject") + s.logger.Error("Error getting signature subject:", "error", errors.New("empty subject")) return selectorsFromSignatures } if s.allowListEnabled { if _, ok := s.subjectAllowList[subject]; !ok { + s.logger.Info("Subject not in allow-list", "subject", subject) return selectorsFromSignatures } } + selectorsFromSignatures = &SelectorsFromSignatures{} selectorsFromSignatures.Subject = subject - selectorsFromSignatures.Verified = true bundle, err := signature.Bundle() if err != nil { - s.logger.Error("error getting signature bundle: ", err.Error()) + s.logger.Error("Error getting signature bundle", "error", err) + return selectorsFromSignatures + } + sigContent, err := getBundleSignatureContent(bundle) + if err != nil { + s.logger.Error("Error getting signature content", "error", err) } else { - sigContent, err := getBundleSignatureContent(bundle) - if err != nil { - s.logger.Error("error getting signature content", "error", err) - } else { - selectorsFromSignatures.Content = sigContent - } - if bundle.Payload.LogID != "" { - selectorsFromSignatures.LogID = bundle.Payload.LogID - } - if 
bundle.Payload.IntegratedTime != 0 { - selectorsFromSignatures.IntegratedTime = strconv.FormatInt(bundle.Payload.IntegratedTime, 10) - } + selectorsFromSignatures.Content = sigContent + } + if bundle.Payload.LogID != "" { + selectorsFromSignatures.LogID = bundle.Payload.LogID + } + if bundle.Payload.IntegratedTime != 0 { + selectorsFromSignatures.IntegratedTime = strconv.FormatInt(bundle.Payload.IntegratedTime, 10) } return selectorsFromSignatures } diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index e9797fa2c1..3349aa965e 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -413,7 +413,6 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { Content: "MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", LogID: "samplelogID", IntegratedTime: "12345", - Verified: true, }, }, }, @@ -453,14 +452,12 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { Content: "MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", LogID: "samplelogID1", IntegratedTime: "12345", - Verified: true, }, { Subject: "spirex2@example.com", Content: "MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smB=", LogID: "samplelogID2", IntegratedTime: "12346", - Verified: true, }, }, }, @@ -511,7 +508,6 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { Content: "MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", LogID: "samplelogID", IntegratedTime: "12345", - Verified: true, }, }, }, 
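Review bot: The doc comment on `SelectorValuesFromSignature` still says "returns a list of selectors", yet with `Verified` removed the nil or non-nil pointer is the only accept/reject signal that `ExtractSelectorsFromSignatures` checks, so the contract should be written down. Suggested: `// It returns nil when the subject is missing, empty or not in the allow-list; a non-nil result may carry only Subject when the bundle cannot be read.` If `signature.Bundle()` can return a nil bundle together with a nil error (not visible from this hunk), the `bundle.Payload.LogID` read that follows the logged `getBundleSignatureContent` error would dereference nil, and a `bundle == nil` check next to the `err != nil` one would cover it. The log message `"Error getting signature subject:"` keeps a trailing colon that the other messages in the function do not have.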
@@ -555,7 +551,6 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { Content: "MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", LogID: "samplelogID", IntegratedTime: "12345", - Verified: true, }, }, }, @@ -1351,7 +1346,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { fields fields args args containerID string - want SelectorsFromSignatures + want *SelectorsFromSignatures }{ { name: "selector from signature", @@ -1372,12 +1367,11 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, }, containerID: "000000", - want: SelectorsFromSignatures{ + want: &SelectorsFromSignatures{ Subject: "spirex@example.com", Content: "MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", LogID: "samplelogID", IntegratedTime: "12345", - Verified: true, }, }, { @@ -1399,7 +1393,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, }, containerID: "111111", - want: SelectorsFromSignatures{}, + want: nil, }, { name: "selector from signature, not in allowlist", @@ -1415,7 +1409,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, }, containerID: "222222", - want: SelectorsFromSignatures{}, + want: nil, }, { name: "selector from signature, allowedlist enabled, in allowlist", @@ -1438,13 +1432,11 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, }, containerID: "333333", - want: SelectorsFromSignatures{ - + want: &SelectorsFromSignatures{ Subject: "spirex@example.com", Content: "MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", LogID: "samplelogID", IntegratedTime: "12345", - Verified: true, }, }, { 
@@ -1468,13 +1460,11 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, }, containerID: "444444", - want: SelectorsFromSignatures{ + want: &SelectorsFromSignatures{ Subject: "spirex@example.com", LogID: "samplelogID", - IntegratedTime: "12345", - Verified: true}, + IntegratedTime: "12345"}, }, - { name: "selector from signature, no bundle", fields: fields{ @@ -1487,10 +1477,8 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, }, containerID: "555555", - want: SelectorsFromSignatures{ - - Subject: "spirex@example.com", - Verified: true, + want: &SelectorsFromSignatures{ + Subject: "spirex@example.com", }, }, } From 99132f1dc3ebb39022fbeb577953e103d7f02ad5 Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Fri, 8 Jul 2022 15:29:30 -0300 Subject: [PATCH 090/257] K8s test refactor (#43) Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../plugin/workloadattestor/k8s/k8s_test.go | 42 ++++++++++++++++--- 1 file changed, 36 insertions(+), 6 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index 6feb089222..8fb130054f 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go 
@@ -773,9 +773,19 @@ func (s *Suite) TestConfigure() { assert.Equal(t, testCase.config.MaxPollAttempts, c.MaxPollAttempts) assert.Equal(t, testCase.config.PollRetryInterval, c.PollRetryInterval) assert.Equal(t, testCase.config.ReloadInterval, c.ReloadInterval) + assert.Equal(t, testCase.config.SkippedImages, c.SkippedImages) + for _, sImage := range testCase.config.SkippedImages { + assert.Contains(t, p.sigstore.(*sigstoreMock).skippedImages, sImage) + } + assert.Equal(t, testCase.config.AllowedSubjectListEnabled, c.AllowedSubjectListEnabled) + assert.Equal(t, testCase.config.AllowedSubjectListEnabled, p.sigstore.(*sigstoreMock).allowedSubjectListEnabled) + assert.Equal(t, testCase.config.AllowedSubjects, c.AllowedSubjects) + for _, sSubject := range testCase.config.AllowedSubjects { + assert.Contains(t, p.sigstore.(*sigstoreMock).allowedSubjects, sSubject) + } assert.Equal(t, testCase.config.RekorURL, c.RekorURL) }) } @@ -815,10 +825,13 @@ func (signature) Bundle() (*bundle.RekorBundle, error) { type sigstoreMock struct { selectors []sigstore.SelectorsFromSignatures - sigs []oci.Signature - skipSigs bool - skippedSigSelectors []string - returnError error + sigs []oci.Signature + skipSigs bool + skippedSigSelectors []string + returnError error + skippedImages map[string]bool + allowedSubjects map[string]bool + allowedSubjectListEnabled bool rekorURL string } 
@@ -843,23 +856,40 @@ func (s *sigstoreMock) ShouldSkipImage(imageID string) (bool, error) { return s.skipSigs, s.returnError } -func (s *sigstoreMock) AddSkippedImage([]string) { +func (s *sigstoreMock) AddSkippedImage(images []string) { + if s.skippedImages == nil { + s.skippedImages = make(map[string]bool) + } + for _, imageID := range images { + s.skippedImages[imageID] = true + } } func (s *sigstoreMock) ClearSkipList() { + s.skippedImages = nil } func (s *sigstoreMock) AddAllowedSubject(subject string) { + if s.allowedSubjects == nil { + s.allowedSubjects = make(map[string]bool) + } + s.allowedSubjects[subject] = true } func (s *sigstoreMock) ClearAllowedSubjects() { + s.allowedSubjects = nil } func (s *sigstoreMock) EnableAllowSubjectList(flag bool) { + s.allowedSubjectListEnabled = flag } + func (s *sigstoreMock) AttestContainerSignatures(ctx context.Context, status *corev1.ContainerStatus) ([]string, error) { if s.skipSigs { return s.skippedSigSelectors, nil } + if s.returnError != nil { + return nil, s.returnError + } var selectorsString []string for _, selector := range s.selectors { if selector.Subject != "" { @@ -876,7 +906,7 @@ func (s *sigstoreMock) AttestContainerSignatures(ctx context.Context, status *co } selectorsString = append(selectorsString, "sigstore-validation:passed") } - return selectorsString, s.returnError + return selectorsString, nil } func (s *sigstoreMock) SetRekorURL(url string) error { From d1832cad260cea934955c06047b6eed7bf9da54e Mon Sep 17 00:00:00 2001 From: Thiago Jamir Date: Wed, 13 Jul 2022 12:26:59 -0300 Subject: [PATCH 091/257] Moving the initial state of sigstore on suite to setup (#40) Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s_test.go | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index 8fb130054f..de788bafd5 100644 
--- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -203,6 +203,7 @@ type Suite struct { sigstoreSkipSigs bool sigstoreSkippedSigSelectors []string sigstoreReturnError error + sigstoreMock *sigstoreMock } func (s *Suite) SetupTest() { @@ -218,6 +219,9 @@ func (s *Suite) SetupTest() { s.sigstoreSelectors = nil s.sigstoreSigs = nil + s.sigstoreReturnError = nil + s.sigstoreSkipSigs = false + s.sigstoreSkippedSigSelectors = nil } func (s *Suite) TearDownTest() { @@ -241,7 +245,6 @@ func (s *Suite) TestAttestWithSigstoreSignatures() { }) p := s.loadInsecurePlugin() s.requireAttestSuccessWithPodAndSignature(p) - s.setSigstoreSelectors(nil) } func (s *Suite) TestAttestWithSigstoreSkippedImage() { @@ -251,8 +254,6 @@ func (s *Suite) TestAttestWithSigstoreSkippedImage() { s.setSigstoreSkippedSigSelectors([]string{"sigstore-validation:passed"}) p := s.loadInsecurePlugin() s.requireAttestSuccessWithPodAndSkippedImage(p) - s.setSigstoreSkipSigs(false) - s.setSigstoreSkippedSigSelectors(nil) } func (s *Suite) TestAttestWithFailedSigstoreSignatures() { @@ -260,7 +261,6 @@ func (s *Suite) TestAttestWithFailedSigstoreSignatures() { p := s.loadInsecurePlugin() s.setSigstoreReturnError(errors.New("sigstore error")) s.requireAttestSuccessWithPod(p) - s.setSigstoreReturnError(nil) } func (s *Suite) TestAttestWithPidInKindPod() { @@ -731,7 +731,7 @@ func (s *Suite) TestConfigure() { testCase := testCase // alias loop variable as it is used in the closure s.T().Run(testCase.name, func(t *testing.T) { p := s.newPlugin() - p.sigstore.(*sigstoreMock).returnError = testCase.sigstoreError + s.sigstoreMock.returnError = testCase.sigstoreError var err error plugintest.Load(s.T(), builtin(p), nil, plugintest.Configure(testCase.hcl), 
@@ -921,7 +921,8 @@ func (s *Suite) newPlugin() *Plugin { p.getenv = func(key string) string { return s.env[key] } - p.sigstore = &sigstoreMock{ + + s.sigstoreMock = &sigstoreMock{ selectors: s.sigstoreSelectors, sigs: s.sigstoreSigs, skipSigs: s.sigstoreSkipSigs, @@ -929,6 +930,7 @@ func (s *Suite) newPlugin() *Plugin { returnError: s.sigstoreReturnError, } + p.sigstore = s.sigstoreMock return p } From b28df1d0b3b89b0f3ed01619241be145d99b3a28 Mon Sep 17 00:00:00 2001 From: Matheus de Farias Cavalcanti Santos Date: Thu, 14 Jul 2022 11:09:30 -0300 Subject: [PATCH 092/257] refactor: refactor of sigstorecache code (#44) Signed-off-by: Matheus Santos Co-authored-by: Matheus Santos Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../k8s/sigstore/sigstorecache.go | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache.go index bc617eb440..566c735f88 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache.go @@ -71,15 +71,15 @@ func (c *cacheImpl) PutSignature(i Item) { element: c.items.PushFront(i.Key), item: &i, } - } else { - if c.items.Len() >= c.size { - removed := c.items.Remove(c.items.Back()) - delete(c.itemsMap, removed.(string)) - } + return + } + if c.items.Len() >= c.size { + removed := c.items.Remove(c.items.Back()) + delete(c.itemsMap, removed.(string)) + } - c.itemsMap[i.Key] = MapItem{ - element: c.items.PushFront(i.Key), - item: &i, - } + c.itemsMap[i.Key] = MapItem{ + element: c.items.PushFront(i.Key), + item: &i, } } From 680744e1a02c1ebce813593ded334f336027dbf3 Mon Sep 17 00:00:00 2001 From: Matheus de Farias Cavalcanti Santos Date: Thu, 14 Jul 2022 18:11:17 -0300 Subject: [PATCH 093/257] Refactor of ValidateImage and validateRefDigest functions (#48) Signed-off-by: Matheus Santos 
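Review bot: In `PutSignature`, the eviction step calls `c.items.Remove(c.items.Back())` whenever `c.items.Len() >= c.size`; if `c.size` can be zero or negative (the constructor is outside the hunk), `Back()` returns nil on an empty list and `Remove` panics. Validating the size where the cache is built, or an early `if c.size <= 0 { return }`, would close that. The start of the function, including the condition of the first branch, is not part of the hunk.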
Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../workloadattestor/k8s/sigstore/sigstore.go | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index eb27b5c980..8503dd1cf4 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -235,7 +235,11 @@ func (s *sigstoreImpl) ClearSkipList() { // ValidateImage validates if the image manifest hash matches the digest in the image reference func (s *sigstoreImpl) ValidateImage(ref name.Reference) (bool, error) { - desc, err := s.fetchImageManifestFunction(ref) + dgst, ok := ref.(name.Digest) + if !ok { + return false, fmt.Errorf("reference %s is not a digest", ref.String()) + } + desc, err := s.fetchImageManifestFunction(dgst) if err != nil { return false, err } @@ -247,7 +251,7 @@ func (s *sigstoreImpl) ValidateImage(ref name.Reference) (bool, error) { return false, err } - return validateRefDigest(ref, hash.String()) + return validateRefDigest(dgst, hash.String()) } func (s *sigstoreImpl) AddAllowedSubject(subject string) { @@ -413,12 +417,9 @@ func certSubject(c *x509.Certificate) string { } } -func validateRefDigest(ref name.Reference, digest string) (bool, error) { - if dgst, ok := ref.(name.Digest); ok { - if dgst.DigestStr() == digest { - return true, nil - } - return false, fmt.Errorf("digest %s does not match %s", digest, dgst.DigestStr()) +func validateRefDigest(dgst name.Digest, digest string) (bool, error) { + if dgst.DigestStr() == digest { + return true, nil } - return false, fmt.Errorf("reference %s is not a digest", ref.String()) + return false, fmt.Errorf("digest %s does not match %s", digest, dgst.DigestStr()) } From cdcb7cf2f573fab52469a5efe2258eec410711a1 Mon Sep 17 00:00:00 2001 
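Review bot: `ValidateImage` now rejects any reference that is not a `name.Digest` before the manifest is fetched, but its doc comment does not say so and the signature still accepts a `name.Reference`. Suggested comment: `// ValidateImage reports whether the fetched manifest hashes to the digest in ref; ref must be a name.Digest, any other reference is rejected before the fetch.` In `validateRefDigest` the bool result always mirrors `err == nil`, so a single `error` return would be simpler if no caller depends on the pair. The lines of `ValidateImage` that compute `hash` sit between the two changed regions and are not fully shown.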
From: Matheus de Farias Cavalcanti Santos Date: Thu, 14 Jul 2022 18:12:01 -0300 Subject: [PATCH 094/257] refactor: refactor of sigstore.go code related to subject assignment (#49) Signed-off-by: Matheus Santos Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 8503dd1cf4..5e01d7322c 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -346,6 +346,10 @@ func getSignatureSubject(signature oci.Signature) (string, error) { } subject := "" + if cert != nil { + subject = certSubject(cert) + return subject, nil + } if len(ss.Optional) > 0 { subjString, ok := ss.Optional["subject"] if ok { @@ -355,9 +359,6 @@ func getSignatureSubject(signature oci.Signature) (string, error) { } } } - if cert != nil { - subject = certSubject(cert) - } return subject, nil } From 43953d21cb6b36e095d7543eef1ae6f0f46ad2b3 Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Mon, 18 Jul 2022 12:50:04 -0400 Subject: [PATCH 095/257] Removed RFC doc link (#57) Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- doc/plugin_agent_workloadattestor_k8s.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index 5a3e1725f1..901b182668 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md 
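Review bot: In `getSignatureSubject`, the reason the certificate branch now returns first should be stated in a comment, because the remaining fallback reads `ss.Optional["subject"]` from the signature payload, a value the signer writes, and the result is what the allow-list in `SelectorValuesFromSignature` is matched against. Suggested: `// Prefer the identity from the signing certificate; the payload's optional "subject" is signer-supplied and is used only when no certificate is attached.` The new branch can also be written as `return certSubject(cert), nil` without the intermediate assignment. If `certSubject` yields an empty string the caller rejects the signature as an empty subject instead of falling back to the payload value, which looks intended but is worth a test case. The top of the function is outside the hunk.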
@@ -62,7 +62,7 @@ since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/cre The k8s workload attestor plugins has also capabilities to validate images signatures through [sigstore](https://www.sigstore.dev/) -The RFC is available [here](https://docs.google.com/document/d/1YVuu7HMHnp8nx3sCPx7R2lCfjjno363s4oiPlI6axF4/edit#heading=h.ttn87ugq19sb) for reference. +Cosign supports container signing, verification, and storage in an OCI registry. Cosign aims to make signatures invisible infrastructure. For this, we’ve chosen the Sigstore ecosystem and artifacts. Digging deeper, we are using: Rekor (signature transparency log), Fulcio (signing certificate issuer and certificate transparency log) and Cosign (container image signing tool) to guarantee the authenticity of the running workload. > **Note** you can provide your own CA roots signed through TUF via the cosign initialize command. This effectively securely pins the CA roots. We allow you to also specify trusted roots via the `SIGSTORE_ROOT_FILE` flag From cb3f0e4aa13f841b270e61e9c0d99c98623b3054 Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Mon, 18 Jul 2022 16:27:02 -0300 Subject: [PATCH 096/257] Add sigstore toggle (#56) * feat: adding option to enable sigstore functions Signed-off-by: Rodrigo Lopes * fix: fixed enable variable if clause Signed-off-by: Rodrigo Lopes * docs: updated documentation on sigstore toggle Signed-off-by: Rodrigo Lopes * feat: moved sigstore options to experimental section Signed-off-by: Rodrigo Lopes * docs: updated docs for experimental k8s options Signed-off-by: Rodrigo Lopes Co-authored-by: Rodrigo Lopes Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- conf/agent/agent_full.conf | 41 ++++++----- doc/plugin_agent_workloadattestor_k8s.md | 9 +++ .../plugin/workloadattestor/k8s/k8s_posix.go | 72 +++++++++++++------ .../plugin/workloadattestor/k8s/k8s_test.go | 41 +++++++++-- 4 files changed, 118 insertions(+), 45 deletions(-) 
diff --git a/conf/agent/agent_full.conf b/conf/agent/agent_full.conf index a1856923bb..97a06de287 100644 --- a/conf/agent/agent_full.conf +++ b/conf/agent/agent_full.conf 
@@ -360,24 +360,29 @@ plugins { # the environment variable specified by node_name_env. # node_name = "" - sigstore { - # rekor_url: The URL for the rekor STL Server to use with cosign. - # rekor_url = "https://rekor.sigstore.dev" - - # skip_signature_verification_image_list: List of images that should - # not be verified by cosign. They will receive a default - # sigstore-validation:passed selector, but no other sigstore related selectors. - # skip_signature_verification_image_list = ["sha:image1hash","sha:image2hash"] - - # enable_allowed_subjects_list: Boolean indicating whether image - # signatures will be checked against a list of subjects. - # enable_allowed_subjects_list = false - - # allowed_subjects_list: List of subjects that image signatures - # will be checked against, if enabled through the above option. - # signatures from subjects outside this list will receive - # no sigstore-related selectors. These should be email addresses. - # allowed_subjects_list = ["subject1@example.com","subject2@example.com"] + # experimental: Experimental features. + experimental { + # sigstore: sigstore options. Enables signature checking. + # sigstore { + # rekor_url: The URL for the rekor STL Server to use with cosign. + # rekor_url = "https://rekor.sigstore.dev" + + # skip_signature_verification_image_list: List of images that should + # not be verified by cosign. They will receive a default + # sigstore-validation:passed selector, but no other sigstore related selectors. + # skip_signature_verification_image_list = ["sha:image1hash","sha:image2hash"] + + # enable_allowed_subjects_list: Boolean indicating whether image + # signatures will be checked against a list of subjects. + # enable_allowed_subjects_list = false + + # allowed_subjects_list: List of subjects that image signatures + # will be checked against, if enabled through the above option. + # signatures from subjects outside this list will receive + # no sigstore-related selectors. 
These should be email addresses. + # allowed_subjects_list = ["subject1@example.com","subject2@example.com"] + # } + } } } diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index 901b182668..0a860b4a31 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md @@ -53,11 +53,20 @@ since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/cre | `use_anonymous_authentication` | If true, use anonymous authentication for kubelet communication | | `node_name_env` | The environment variable used to obtain the node name. Defaults to `MY_NODE_NAME`. | | `node_name` | The name of the node. Overrides the value obtained by the environment variable specified by `node_name_env`. | +| `experimental` | experimental options, described below. Currently only contain sigstore options. Defaults to empty. | + +| Experimental options | Description | +| ------------- | ----------- | +| `sigstore`| Sigstore options. Options described below. | + +| Sigstore options | Description | +| ------------- | ----------- | | `skip_signature_verification_image_list`| The list of images, described as digest hashes, that should be skipped in signature verification. | | `enable_allowed_subjects_list`| Enables a list of allowed subjects that are trusted and are allowed to sign container images artificats.| | `allowed_subjects_list`| The list of allowed subjects enabled by `enable_allowed_subjects_list` each entry represents subject e-mail. | | `rekor_url` | The URL for the rekor STL Server to use with cosign. | + ### Sigstore workload attestor for SPIRE The k8s workload attestor plugins has also capabilities to validate images signatures through [sigstore](https://www.sigstore.dev/) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index 790b65e485..ec2f86c76c 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go 
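Review bot: The sample comment `# sigstore: sigstore options. Enables signature checking.` does not say that the mere presence of the block is the switch; in the Configure hunk of this commit a non-nil sigstore block is what sets EnableSigstore. I would spell that out, e.g. `# sigstore: presence of this block (even empty) turns on image signature checking.` The text for `skip_signature_verification_image_list` also deserves a caution that skipped images receive `sigstore-validation:passed` without any verification, so a registration entry keyed on that selector alone cannot tell a verified image from a skipped one.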
+++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go @@ -105,17 +105,32 @@ type HCLConfig struct { // from the disk. ReloadInterval string `hcl:"reload_interval"` + // Experimental enables experimental features. + Experimental *ExperimentalK8SConfig `hcl:"experimental,omitempty"` +} + +type ExperimentalK8SConfig struct { + + // Experimental enables experimental features. + Sigstore *ExperimentalSigstoreConfig `hcl:"sigstore,omitempty"` +} + +type ExperimentalSigstoreConfig struct { + + // // EnableSigstore enables sigstore signature checking. + // EnableSigstore bool `hcl:"check_signature_enabled"` + // RekorURL is the URL for the rekor server to use to verify signatures and public keys - RekorURL string `hcl:"sigstore.rekor_url"` + RekorURL string `hcl:"rekor_url"` // SkippedImages is a list of images that should skip sigstore verification - SkippedImages []string `hcl:"sigstore.skip_signature_verification_image_list"` + SkippedImages []string `hcl:"skip_signature_verification_image_list"` // AllowedSubjects is a flag indicating whether signature subjects should be compared against the allow-list - AllowedSubjectListEnabled bool `hcl:"sigstore.enable_allowed_subjects_list"` + AllowedSubjectListEnabled bool `hcl:"enable_allowed_subjects_list"` // AllowedSubjects is a list of subjects that should be allowed after verification - AllowedSubjects []string `hcl:"sigstore.allowed_subjects_list"` + AllowedSubjects []string `hcl:"allowed_subjects_list"` } // k8sConfig holds the configuration distilled from HCL @@ -132,9 +147,9 @@ type k8sConfig struct { NodeName string ReloadInterval time.Duration - RekorURL string - SkippedImages []string - + EnableSigstore bool + RekorURL string + SkippedImages []string AllowedSubjectListEnabled bool AllowedSubjects []string 
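Review bot: The new config structs carry leftover and copy-pasted comments: the commented-out `// EnableSigstore bool` field and its comment should be deleted, the comment on `Sigstore` repeats "Experimental enables experimental features", and `AllowedSubjectListEnabled` is documented as "AllowedSubjects is a flag". I would use `// Sigstore holds the sigstore options; its presence enables signature checking.` and `// AllowedSubjectListEnabled indicates whether signature subjects are checked against AllowedSubjects.` The exported types ExperimentalK8SConfig and ExperimentalSigstoreConfig also have no doc comments of their own.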
@@ -213,12 +228,14 @@ func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestReque switch lookup { case containerInPod: selectors := getSelectorValuesFromPodInfo(&item, status) - log.Debug("Attemping to get signature info from image", status.Name) - sigstoreSelectors, err := p.sigstore.AttestContainerSignatures(ctx, status) - if err != nil { - log.Error("Error retrieving signature payload: ", "error", err) - } else { - selectors = append(selectors, sigstoreSelectors...) + if p.config.EnableSigstore { + log.Debug("Attemping to get signature info from image", status.Name) + sigstoreSelectors, err := p.sigstore.AttestContainerSignatures(ctx, status) + if err != nil { + log.Error("Error retrieving signature payload: ", "error", err) + } else { + selectors = append(selectors, sigstoreSelectors...) + } } return &workloadattestorv1.AttestResponse{ 
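Review bot: `log.Debug("Attemping to get signature info from image", status.Name)` passes a lone value where hclog expects key/value pairs, so the container name is not logged under a usable key, and "Attemping" is misspelled; `log.Debug("Attempting to get signature info for container", telemetry.ContainerName, status.Name)` fixes both. Separately, this branch calls `p.sigstore.AttestContainerSignatures` whenever `EnableSigstore` is true, while the Configure hunk later in this file sets the flag even when `p.sigstore` is nil and merely skips configuration. One of the two places should treat a nil `p.sigstore` as an error rather than leaving Attest to dereference it. Attest starts before and continues after the hunk.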
@@ -317,17 +334,32 @@ func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) NodeName: nodeName, ReloadInterval: reloadInterval, - RekorURL: config.RekorURL, - SkippedImages: config.SkippedImages, - AllowedSubjectListEnabled: config.AllowedSubjectListEnabled, - AllowedSubjects: config.AllowedSubjects, + EnableSigstore: false, + RekorURL: "", + SkippedImages: nil, + AllowedSubjectListEnabled: false, + AllowedSubjects: nil, + } + + // set experimental flags + if config.Experimental != nil { + if config.Experimental.Sigstore != nil { + c.EnableSigstore = true + c.RekorURL = config.Experimental.Sigstore.RekorURL + c.SkippedImages = config.Experimental.Sigstore.SkippedImages + c.AllowedSubjectListEnabled = config.Experimental.Sigstore.AllowedSubjectListEnabled + c.AllowedSubjects = config.Experimental.Sigstore.AllowedSubjects + } } + if err := p.reloadKubeletClient(c); err != nil { return nil, err } - if p.sigstore != nil { - if err := p.configureSigstore(c, p.sigstore); err != nil { - return nil, err + if c.EnableSigstore { + if p.sigstore != nil { + if err := p.configureSigstore(c, p.sigstore); err != nil { + return nil, err + } } } // Set the config diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index de788bafd5..60436bde57 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -243,7 +243,7 @@ func (s *Suite) TestAttestWithSigstoreSignatures() { Subject: "sigstore-subject", }, }) - p := s.loadInsecurePlugin() + p := s.loadInsecurePluginWithSigstore() s.requireAttestSuccessWithPodAndSignature(p) } @@ -252,7 +252,7 @@ func (s *Suite) TestAttestWithSigstoreSkippedImage() { // Skip the image s.setSigstoreSkipSigs(true) s.setSigstoreSkippedSigSelectors([]string{"sigstore-validation:passed"}) - p := s.loadInsecurePlugin() + p := s.loadInsecurePluginWithSigstore() s.requireAttestSuccessWithPodAndSkippedImage(p) } 
@@ -669,7 +669,11 @@ func (s *Suite) TestConfigure() { { name: "secure defaults with skipped images for sigstore", hcl: ` - sigstore.skip_signature_verification_image_list = ["sha:image1hash","sha:image2hash"] + experimental = { + sigstore = { + skip_signature_verification_image_list = ["sha:image1hash","sha:image2hash"] + } + } `, config: &config{ VerifyKubelet: true, @@ -687,8 +691,12 @@ func (s *Suite) TestConfigure() { { name: "secure defaults with allowed subjects for sigstore", hcl: ` - sigstore.enable_allowed_subjects_list = true, - sigstore.allowed_subjects_list = ["spirex@example.com","spirex1@example.com"] + experimental = { + sigstore { + enable_allowed_subjects_list = true, + allowed_subjects_list = ["spirex@example.com","spirex1@example.com"] + } + } `, config: &config{ VerifyKubelet: true, @@ -704,7 +712,11 @@ func (s *Suite) TestConfigure() { { name: "secure defaults with rekor URL", hcl: ` - sigstore.rekor_url = "https://rekor.example.com" + experimental = { + sigstore = { + rekor_url = "https://rekor.example.com" + } + } `, config: &config{ VerifyKubelet: true, @@ -719,7 +731,11 @@ func (s *Suite) TestConfigure() { { name: "secure defaults with empty rekor URL", hcl: ` - sigstore.rekor_url = "inva{{{lid}" + experimental = { + sigstore = { + rekor_url = "inva{{{lid}" + } + } `, sigstoreError: errors.New("error parsing rekor URI"), config: nil, @@ -1021,6 +1037,17 @@ func (s *Suite) loadInsecurePluginWithExtra(extraConfig string) workloadattestor `, s.kubeletPort(), extraConfig)) } +func (s *Suite) loadInsecurePluginWithSigstore() workloadattestor.WorkloadAttestor { + return s.loadPlugin(fmt.Sprintf(` + kubelet_read_only_port = %d + max_poll_attempts = 5 + poll_retry_interval = "1s" + experimental { + sigstore {} + } +`, s.kubeletPort())) +} + func (s *Suite) startInsecureKubelet() { s.setServer(httptest.NewServer(http.HandlerFunc(s.serveHTTP))) } From 296a8c44ac15fe71133ab2fed9be4b616f33628e Mon Sep 17 00:00:00 2001 
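Review bot: The case named "secure defaults with empty rekor URL" feeds `rekor_url = "inva{{{lid}"`, which is an invalid URL rather than an empty one; renaming it to `secure defaults with invalid rekor URL` keeps the table honest, and a genuinely empty `rekor_url = ""` deserves its own case. From the visible hunks there is no case with an `experimental {}` block that omits sigstore, so the off path of the toggle (no sigstore selectors emitted) appears untested. The cases also mix `sigstore = {` and `sigstore {` inside `experimental = {`, which is worth making uniform. The TestConfigure table starts before and continues after these hunks.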
From: Matheus de Farias Cavalcanti Santos Date: Mon, 18 Jul 2022 16:29:26 -0300 Subject: [PATCH 097/257] Adding sigstore cosign adjustments pr 20220715 (#59) * refactor: refactoring the configureSigstore function in k8s_posix.go file Signed-off-by: Matheus Santos * refactor: refactored rekor URL tests and added more test cases Signed-off-by: Matheus Santos Co-authored-by: Matheus Santos Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s.go | 40 +- .../plugin/workloadattestor/k8s/k8s_posix.go | 544 ++++++++++++----- .../plugin/workloadattestor/k8s/k8s_test.go | 545 +++++++++++++----- .../workloadattestor/k8s/sigstore/sigstore.go | 2 +- 4 files changed, 817 insertions(+), 314 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s.go b/pkg/agent/plugin/workloadattestor/k8s/k8s.go index 27952a7bfa..ea0f11697a 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s.go 
@@ -1,45 +1,9 @@ package k8s -import ( - "context" - "crypto/tls" - "crypto/x509" - "encoding/json" - "errors" - "fmt" - "io" - "net/http" - "net/url" - "os" - "strconv" - "strings" - "sync" - "time" - - "github.com/andres-erbsen/clock" - "github.com/hashicorp/go-hclog" - "github.com/hashicorp/hcl" - workloadattestorv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/agent/workloadattestor/v1" - configv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/service/common/config/v1" - "github.com/spiffe/spire/pkg/agent/common/cgroups" - "github.com/spiffe/spire/pkg/common/catalog" - "github.com/spiffe/spire/pkg/common/pemutil" - "github.com/spiffe/spire/pkg/common/telemetry" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" - corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/types" -) +import "github.com/spiffe/spire/pkg/common/catalog" const ( - pluginName = "k8s" - defaultMaxPollAttempts = 60 - defaultPollRetryInterval = time.Millisecond * 500 - defaultSecureKubeletPort = 10250 - defaultKubeletCAPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" - defaultTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token" //nolint: gosec // false positive - defaultNodeNameEnv = "MY_NODE_NAME" - defaultReloadInterval = time.Minute + pluginName = "k8s" ) func BuiltIn() catalog.BuiltIn { diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index ec2f86c76c..ad211b4792 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go 
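Review bot: This commit is described as a refactor of configureSigstore and its tests, yet this hunk strips k8s.go of its imports and default constants, and later hunks re-add the kubelet client code inside k8s_posix.go and replace the `cgroupREs` list with a single `cgroupRE`. The regex hunk removes the cri-o pattern, the `mustnotmatch` group and the rejection of paths matched by more than one pattern, so a cgroup path like the removed example `0::/../crio-<id>.scope` would presumably no longer yield a container ID. Moving the kubelet client into a file named k8s_posix.go also looks as if it would leave other platforms without that code, though the build constraints are outside the hunk. Nothing in the description mentions any of this, which suggests a rebase or merge artifact; if the removal is intended it belongs in its own commit with a comment such as `// cri-o cgroup paths without a pod UID are not supported` next to the regex, otherwise the removed patterns should be restored.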
@@ -4,12 +4,29 @@ package k8s import ( + "context" + "crypto/tls" + "crypto/x509" + "encoding/json" + "errors" + "fmt" + "io" "log" + "net/http" + "net/url" + "os" "regexp" + "strconv" "strings" + "sync" + "time" "unicode" + "github.com/andres-erbsen/clock" "github.com/hashicorp/go-hclog" + "github.com/hashicorp/hcl" + workloadattestorv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/agent/workloadattestor/v1" + configv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/service/common/config/v1" "github.com/spiffe/spire/pkg/agent/common/cgroups" "github.com/spiffe/spire/pkg/agent/plugin/workloadattestor/k8s/sigstore" "github.com/spiffe/spire/pkg/common/catalog" @@ -17,15 +34,10 @@ import ( "github.com/spiffe/spire/pkg/common/telemetry" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" + corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" ) -func (p *Plugin) defaultKubeletCAPath() string { - return defaultKubeletCAPath -} - -func (p *Plugin) defaultTokenPath() string { - return defaultTokenPath const ( defaultMaxPollAttempts = 60 defaultPollRetryInterval = time.Millisecond * 500 @@ -111,14 +123,12 @@ type HCLConfig struct { type ExperimentalK8SConfig struct { - // Experimental enables experimental features. - Sigstore *ExperimentalSigstoreConfig `hcl:"sigstore,omitempty"` + // Sigstore contains sigstore specific configs. + Sigstore *SigstoreHCLConfig `hcl:"sigstore,omitempty"` } -type ExperimentalSigstoreConfig struct { - - // // EnableSigstore enables sigstore signature checking. - // EnableSigstore bool `hcl:"check_signature_enabled"` +// SigstoreHCLConfig holds the sigstore configuration parsed from HCL +type SigstoreHCLConfig struct { // RekorURL is the URL for the rekor server to use to verify signatures and public keys RekorURL string `hcl:"rekor_url"` 
@@ -126,7 +136,7 @@ type ExperimentalSigstoreConfig struct { // SkippedImages is a list of images that should skip sigstore verification SkippedImages []string `hcl:"skip_signature_verification_image_list"` - // AllowedSubjects is a flag indicating whether signature subjects should be compared against the allow-list + // AllowedSubjectListEnabled is a flag indicating whether signature subjects should be compared against AllowedSubjects AllowedSubjectListEnabled bool `hcl:"enable_allowed_subjects_list"` // AllowedSubjects is a list of subjects that should be allowed after verification @@ -147,14 +157,18 @@ type k8sConfig struct { NodeName string ReloadInterval time.Duration - EnableSigstore bool + sigstoreConfig *sigstoreConfig + + Client *kubeletClient + LastReload time.Time +} + +// sigstoreConfig holds the sigstore configuration distilled from HCL +type sigstoreConfig struct { RekorURL string SkippedImages []string AllowedSubjectListEnabled bool AllowedSubjects []string - - Client *kubeletClient - LastReload time.Time } type Plugin struct { @@ -173,18 +187,19 @@ type Plugin struct { } func New() *Plugin { - newcache := sigstore.NewCache(maximumAmountCache) return &Plugin{ fs: cgroups.OSFileSystem{}, clock: clock.New(), getenv: os.Getenv, - sigstore: sigstore.New(newcache, nil), + sigstore: nil, } } func (p *Plugin) SetLogger(log hclog.Logger) { p.log = log - p.sigstore.SetLogger(log) + if p.sigstore != nil { + p.sigstore.SetLogger(log) + } } func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestRequest) (*workloadattestorv1.AttestResponse, error) { 
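Review bot: `New()` now leaves `sigstore` nil and SetLogger guards for that, but the invariant is not written down on either struct. A field comment such as `// sigstore is nil until Configure sees an experimental.sigstore block` on Plugin, and `// sigstoreConfig is nil when signature checking is disabled` in k8sConfig, would keep later callers from dereferencing either pointer unguarded. The field `sigstoreConfig *sigstoreConfig` shares its name with its type and, as far as the hunk shows, is the only unexported field among exported ones; `Sigstore *sigstoreConfig` would read better. The Plugin struct itself is outside the hunk.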
@@ -228,11 +243,11 @@ func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestReque switch lookup { case containerInPod: selectors := getSelectorValuesFromPodInfo(&item, status) - if p.config.EnableSigstore { - log.Debug("Attemping to get signature info from image", status.Name) + if p.config.sigstoreConfig != nil { + log.Debug("Attemping to get signature info for container", telemetry.ContainerName, status.Name) sigstoreSelectors, err := p.sigstore.AttestContainerSignatures(ctx, status) if err != nil { - log.Error("Error retrieving signature payload: ", "error", err) + log.Error("Error retrieving signature payload", "error", err) } else { selectors = append(selectors, sigstoreSelectors...) } 
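Review bot: The guard `if p.config.sigstoreConfig != nil` reads `p.config` directly instead of going through the lock, while setConfig replaces that pointer under `p.mu`; if Attest already holds the value returned by getConfig() (the top of the function is outside the hunk), the check should be `if config.sigstoreConfig != nil`. When AttestContainerSignatures fails, the error is logged and attestation continues with the plain Kubernetes selectors. That fails closed for entries that require sigstore selectors, but it merits a why-comment, e.g. `// on failure no sigstore selectors are emitted, so entries requiring them will not match`. "Attemping" in the debug message is still misspelled.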
@@ -333,45 +348,37 @@ func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) KubeletCAPath: config.KubeletCAPath, NodeName: nodeName, ReloadInterval: reloadInterval, - - EnableSigstore: false, - RekorURL: "", - SkippedImages: nil, - AllowedSubjectListEnabled: false, - AllowedSubjects: nil, } // set experimental flags - if config.Experimental != nil { - if config.Experimental.Sigstore != nil { - c.EnableSigstore = true - c.RekorURL = config.Experimental.Sigstore.RekorURL - c.SkippedImages = config.Experimental.Sigstore.SkippedImages - c.AllowedSubjectListEnabled = config.Experimental.Sigstore.AllowedSubjectListEnabled - c.AllowedSubjects = config.Experimental.Sigstore.AllowedSubjects + if config.Experimental != nil && config.Experimental.Sigstore != nil { + c.sigstoreConfig = &sigstoreConfig{ + RekorURL: config.Experimental.Sigstore.RekorURL, + SkippedImages: config.Experimental.Sigstore.SkippedImages, + AllowedSubjectListEnabled: config.Experimental.Sigstore.AllowedSubjectListEnabled, + AllowedSubjects: config.Experimental.Sigstore.AllowedSubjects, } } if err := p.reloadKubeletClient(c); err != nil { return nil, err } - if c.EnableSigstore { - if p.sigstore != nil { - if err := p.configureSigstore(c, p.sigstore); err != nil { - return nil, err - } + if c.sigstoreConfig != nil { + if p.sigstore == nil { + newcache := sigstore.NewCache(maximumAmountCache) + p.sigstore = sigstore.New(newcache, nil) + p.sigstore.SetLogger(p.log) + } + if err := p.configureSigstore(c, p.sigstore); err != nil { + return nil, err } } + // Set the config p.setConfig(c) return &configv1.ConfigureResponse{}, nil } -func createHelper(c *Plugin) (ContainerHelper, error) { - return &containerHelper{ - fs: c.fs, - }, nil - func (p *Plugin) configureSigstore(config *k8sConfig, sigstore sigstore.Sigstore) error { p.mu.Lock() defer p.mu.Unlock() 
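Review bot: `p.sigstore = sigstore.New(newcache, nil)` is assigned here without holding `p.mu`, while Attest reads `p.sigstore` from other goroutines, so a Configure call that overlaps with attestation is presumably a data race. Either create the instance under the lock (configureSigstore already takes it) or keep constructing it in New(). `p.sigstore.SetLogger(p.log)` also assumes SetLogger ran before Configure; if `p.log` can still be nil at this point the sigstore client receives a nil logger. Configure begins before the hunk.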
@@ -379,21 +386,19 @@ func (p *Plugin) configureSigstore(config *k8sConfig, sigstore sigstore.Sigstore // Configure sigstore settings sigstore.ClearSkipList() imageIDList := []string{} - if config.SkippedImages != nil { - imageIDList = append(imageIDList, config.SkippedImages...) + if config.sigstoreConfig.SkippedImages != nil { + imageIDList = append(imageIDList, config.sigstoreConfig.SkippedImages...) } sigstore.AddSkippedImage(imageIDList) - sigstore.EnableAllowSubjectList(config.AllowedSubjectListEnabled) + sigstore.EnableAllowSubjectList(config.sigstoreConfig.AllowedSubjectListEnabled) sigstore.ClearAllowedSubjects() - if config.AllowedSubjects != nil { - for _, subject := range config.AllowedSubjects { + if config.sigstoreConfig.AllowedSubjects != nil { + for _, subject := range config.sigstoreConfig.AllowedSubjects { sigstore.AddAllowedSubject(subject) } } - if config.RekorURL != "" { - if err := sigstore.SetRekorURL(config.RekorURL); err != nil { - return err - } + if err := p.sigstore.SetRekorURL(config.sigstoreConfig.RekorURL); err != nil { + return status.Errorf(codes.InvalidArgument, "failed to parse Rekor URL: %v", err) } return nil } 
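Review bot: The last call uses `p.sigstore.SetRekorURL(...)` although every other call in configureSigstore goes through the `sigstore` parameter, so the function configures two different objects if a caller ever passes anything other than `p.sigstore`; it should read `if err := sigstore.SetRekorURL(config.sigstoreConfig.RekorURL); err != nil {`. The URL is validated only after the skip list and allowed-subjects list have been cleared and rewritten, so a Configure call rejected for a bad `rekor_url` still leaves the new lists active on the live instance; moving the SetRekorURL check to the top of the function avoids that partial apply. The `!= ""` guard is gone as well, so an empty `rekor_url` (as in the test helper's `sigstore {}`) now reaches SetRekorURL, and whether that is accepted depends on code outside this hunk. The parameter name `sigstore` also shadows the imported package.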
@@ -404,12 +409,21 @@ func (p *Plugin) setConfig(config *k8sConfig) { p.config = config } -type containerHelper struct { - fs cgroups.FileSystem +func (p *Plugin) getConfig() (*k8sConfig, error) { + p.mu.RLock() + defer p.mu.RUnlock() + + if p.config == nil { + return nil, status.Error(codes.FailedPrecondition, "not configured") + } + if err := p.reloadKubeletClient(p.config); err != nil { + p.log.Warn("Unable to load kubelet client", "err", err) + } + return p.config, nil } -func (h *containerHelper) GetPodUIDAndContainerID(pID int32, _ hclog.Logger) (types.UID, string, error) { - cgroups, err := cgroups.GetCgroups(pID, h.fs) +func (p *Plugin) getPodUIDAndContainerIDFromCGroups(pid int32) (types.UID, string, error) { + cgroups, err := cgroups.GetCgroups(pid, p.fs) if err != nil { return "", "", status.Errorf(codes.Internal, "unable to obtain cgroups: %v", err) } 
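Review bot: getConfig takes only `p.mu.RLock()` but calls reloadKubeletClient, which (in the following hunk) writes `config.Client` and `config.LastReload`, so concurrent Attest calls can mutate the shared config while holding a read lock. Taking the write lock here, `p.mu.Lock()` with `defer p.mu.Unlock()`, or guarding the reload with its own mutex, closes that. The reload error is only logged at Warn and the previous client keeps being used; a comment such as `// keep serving with the last good client if the reload fails` would make that intent explicit.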
@@ -417,6 +431,212 @@ func (h *containerHelper) GetPodUIDAndContainerID(pID int32, _ hclog.Logger) (ty return getPodUIDAndContainerIDFromCGroups(cgroups) } +func (p *Plugin) reloadKubeletClient(config *k8sConfig) (err error) { + // The insecure client only needs to be loaded once. + if !config.Secure { + if config.Client == nil { + config.Client = &kubeletClient{ + URL: url.URL{ + Scheme: "http", + Host: fmt.Sprintf("127.0.0.1:%d", config.Port), + }, + } + } + return nil + } + + // Is the client still fresh? + if config.Client != nil && p.clock.Now().Sub(config.LastReload) < config.ReloadInterval { + return nil + } + + tlsConfig := &tls.Config{ + InsecureSkipVerify: config.SkipKubeletVerification, //nolint: gosec // intentionally configurable + } + + var rootCAs *x509.CertPool + if !config.SkipKubeletVerification { + rootCAs, err = p.loadKubeletCA(config.KubeletCAPath) + if err != nil { + return err + } + } + + switch { + case config.SkipKubeletVerification: + + // When contacting the kubelet over localhost, skip the hostname validation. + // Unfortunately Go does not make this straightforward. We disable + // verification but supply a VerifyPeerCertificate that will be called + // with the raw kubelet certs that we can verify directly. + case config.NodeName == "": + tlsConfig.InsecureSkipVerify = true + tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error { + var certs []*x509.Certificate + for _, rawCert := range rawCerts { + cert, err := x509.ParseCertificate(rawCert) + if err != nil { + return err + } + certs = append(certs, cert) + } + + // this is improbable. 
+ if len(certs) == 0 { + return errors.New("no certs presented by kubelet") + } + + _, err := certs[0].Verify(x509.VerifyOptions{ + Roots: rootCAs, + Intermediates: newCertPool(certs[1:]), + }) + return err + } + default: + tlsConfig.RootCAs = rootCAs + } + + var token string + switch { + case config.CertificatePath != "" && config.PrivateKeyPath != "": + kp, err := p.loadX509KeyPair(config.CertificatePath, config.PrivateKeyPath) + if err != nil { + return err + } + tlsConfig.Certificates = append(tlsConfig.Certificates, *kp) + case config.CertificatePath != "" && config.PrivateKeyPath == "": + return status.Error(codes.InvalidArgument, "the private key path is required with the certificate path") + case config.CertificatePath == "" && config.PrivateKeyPath != "": + return status.Error(codes.InvalidArgument, "the certificate path is required with the private key path") + case config.CertificatePath == "" && config.PrivateKeyPath == "": + token, err = p.loadToken(config.TokenPath) + if err != nil { + return err + } + } + + host := config.NodeName + if host == "" { + host = "127.0.0.1" + } + + config.Client = &kubeletClient{ + Transport: &http.Transport{ + TLSClientConfig: tlsConfig, + }, + URL: url.URL{ + Scheme: "https", + Host: fmt.Sprintf("%s:%d", host, config.Port), + }, + Token: token, + } + config.LastReload = p.clock.Now() + return nil +} + +func (p *Plugin) loadKubeletCA(path string) (*x509.CertPool, error) { + if path == "" { + path = defaultKubeletCAPath + } + caPEM, err := p.readFile(path) + if err != nil { + return nil, status.Errorf(codes.InvalidArgument, "unable to load kubelet CA: %v", err) + } + certs, err := pemutil.ParseCertificates(caPEM) + if err != nil { + return nil, status.Errorf(codes.InvalidArgument, "unable to parse kubelet CA: %v", err) + } + + return newCertPool(certs), nil +} + +func (p *Plugin) loadX509KeyPair(cert, key string) (*tls.Certificate, error) { + certPEM, err := p.readFile(cert) + if err != nil { + return nil, 
status.Errorf(codes.InvalidArgument, "unable to load certificate: %v", err) + } + keyPEM, err := p.readFile(key) + if err != nil { + return nil, status.Errorf(codes.InvalidArgument, "unable to load private key: %v", err) + } + kp, err := tls.X509KeyPair(certPEM, keyPEM) + if err != nil { + return nil, status.Errorf(codes.InvalidArgument, "unable to load keypair: %v", err) + } + return &kp, nil +} + +func (p *Plugin) loadToken(path string) (string, error) { + if path == "" { + path = defaultTokenPath + } + token, err := p.readFile(path) + if err != nil { + return "", status.Errorf(codes.InvalidArgument, "unable to load token: %v", err) + } + return strings.TrimSpace(string(token)), nil +} + +// readFile reads the contents of a file through the filesystem interface +func (p *Plugin) readFile(path string) ([]byte, error) { + f, err := p.fs.Open(path) + if err != nil { + return nil, err + } + defer f.Close() + return io.ReadAll(f) +} + +func (p *Plugin) getNodeName(name string, env string) string { + switch { + case name != "": + return name + case env != "": + return p.getenv(env) + default: + return p.getenv(defaultNodeNameEnv) + } +} + +type kubeletClient struct { + Transport *http.Transport + URL url.URL + Token string +} + +func (c *kubeletClient) GetPodList() (*corev1.PodList, error) { + url := c.URL + url.Path = "/pods" + req, err := http.NewRequest("GET", url.String(), nil) + if err != nil { + return nil, status.Errorf(codes.Internal, "unable to create request: %v", err) + } + if c.Token != "" { + req.Header.Set("Authorization", "Bearer "+c.Token) + } + + client := &http.Client{} + if c.Transport != nil { + client.Transport = c.Transport + } + resp, err := client.Do(req) + if err != nil { + return nil, status.Errorf(codes.Internal, "unable to perform request: %v", err) + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusOK { + return nil, status.Errorf(codes.Internal, "unexpected status code on pods response: %d %s", resp.StatusCode, 
tryRead(resp.Body)) + } + + out := new(corev1.PodList) + if err := json.NewDecoder(resp.Body).Decode(out); err != nil { + return nil, status.Errorf(codes.Internal, "unable to decode kubelet response: %v", err) + } + + return out, nil +} + func getPodUIDAndContainerIDFromCGroups(cgroups []cgroups.Cgroup) (types.UID, string, error) { var podUID types.UID var containerID string 
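Review bot: GetPodList builds `client := &http.Client{}` with no Timeout and uses `http.NewRequest` without a context, so a kubelet that accepts the connection and then stalls blocks attestation indefinitely; setting `Timeout` on the client, or threading the Attest context through with `http.NewRequestWithContext`, bounds that. In reloadKubeletClient the bearer token is loaded whenever no client certificate is configured, including when `SkipKubeletVerification` is true, which means the service-account token is presented to a peer whose certificate was never checked; that trade-off should be stated in a comment at the `InsecureSkipVerify` line. The empty `case config.SkipKubeletVerification:` is followed by a comment that describes the next case and reads as if it documented the skip path; moving the comment under `case config.NodeName == "":` fixes that.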
@@ -444,64 +664,22 @@ func getPodUIDAndContainerIDFromCGroups(cgroups []cgroups.Cgroup) (types.UID, st return podUID, containerID, nil } -// regexes listed here have to exlusively match a cgroup path -// the regexes must include two named groups "poduid" and "containerid" -// if the regex needs to exclude certain substrings, the "mustnotmatch" group can be used -var cgroupREs = []*regexp.Regexp{ - // the regex used to parse out the pod UID and container ID from a - // cgroup name. It assumes that any ".scope" suffix has been trimmed off - // beforehand. CAUTION: we used to verify that the pod and container id were - // descendants of a kubepods directory, however, as of Kubernetes 1.21, cgroups - // namespaces are in use and therefore we can no longer discern if that is the - // case from within SPIRE agent container (since the container itself is - // namespaced). As such, the regex has been relaxed to simply find the pod UID - // followed by the container ID with allowances for arbitrary punctuation, and - // container runtime prefixes, etc. - regexp.MustCompile(`` + - // "pod"-prefixed Pod UID (with punctuation separated groups) followed by punctuation - `[[:punct:]]pod(?P[[:xdigit:]]{8}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{12})[[:punct:]]` + - // zero or more punctuation separated "segments" (e.g. "docker-") - `(?:[[:^punct:]]+[[:punct:]])*` + - // non-punctuation end of string, i.e., the container ID - `(?P[[:^punct:]]+)$`), - - // This regex applies for container runtimes, that won't put the PodUID into - // the cgroup name. - // Currently only cri-o in combination with kubeedge is known for this abnormally. 
- regexp.MustCompile(`` + - // intentionally empty poduid group - `(?P)` + - // mustnotmatch group: cgroup path must not include a poduid - `(?Ppod[[:xdigit:]]{8}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{12}[[:punct:]])?` + - // /crio- - `(?:[[:^punct:]]*/*)*crio[[:punct:]]` + - // non-punctuation end of string, i.e., the container ID - `(?P[[:^punct:]]+)$`), -} - -func reSubMatchMap(r *regexp.Regexp, str string) map[string]string { - match := r.FindStringSubmatch(str) - if match == nil { - return nil - } - subMatchMap := make(map[string]string) - for i, name := range r.SubexpNames() { - if i != 0 { - subMatchMap[name] = match[i] - } - } - return subMatchMap -} - -func isValidCGroupPathMatches(matches map[string]string) bool { - if matches == nil { - return false - } - if matches["mustnotmatch"] != "" { - return false - } - return true -} +// cgroupRE is the regex used to parse out the pod UID and container ID from a +// cgroup name. It assumes that any ".scope" suffix has been trimmed off +// beforehand. CAUTION: we used to verify that the pod and container id were +// descendants of a kubepods directory, however, as of Kubernetes 1.21, cgroups +// namespaces are in use and therefore we can no longer discern if that is the +// case from within SPIRE agent container (since the container itself is +// namespaced). As such, the regex has been relaxed to simply find the pod UID +// followed by the container ID with allowances for arbitrary punctuation, and +// container runtime prefixes, etc. +var cgroupRE = regexp.MustCompile(`` + + // "pod"-prefixed Pod UID (with punctuation separated groups) followed by punctuation + `[[:punct:]]pod([[:xdigit:]]{8}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{12})[[:punct:]]` + + // zero or more punctuation separated "segments" (e.g. 
"docker-") + `(?:[[:^punct:]]+[[:punct:]])*` + + // non-punctuation end of string, i.e., the container ID + `([[:^punct:]]+)$`) func getPodUIDAndContainerIDFromCGroupPath(cgroupPath string) (types.UID, string, bool) { // We are only interested in kube pods entries, for example: @@ -510,30 +688,15 @@ func getPodUIDAndContainerIDFromCGroupPath(cgroupPath string) (types.UID, string // - /kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod2c48913c-b29f-11e7-9350-020968147796.slice/docker-9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961.scope // - /kubepods-besteffort-pod72f7f152_440c_66ac_9084_e0fc1d8a910c.slice:cri-containerd:b2a102854b4969b2ce98dc329c86b4fb2b06e4ad2cc8da9d8a7578c9cd2004a2" // - /../../pod2c48913c-b29f-11e7-9350-020968147796/9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961 - // - 0::/../crio-45490e76e0878aaa4d9808f7d2eefba37f093c3efbba9838b6d8ab804d9bd814.scope + // First trim off any .scope suffix. This allows for a cleaner regex since // we don't have to muck with greediness. TrimSuffix is no-copy so this // is cheap. cgroupPath = strings.TrimSuffix(cgroupPath, ".scope") - var matchResults map[string]string - for _, regex := range cgroupREs { - matches := reSubMatchMap(regex, cgroupPath) - if isValidCGroupPathMatches(matches) { - if matchResults != nil { - log.Printf("More than one regex matches for cgroup %s", cgroupPath) - return "", "", false - } - matchResults = matches - } - } - - if matchResults != nil { - var podUID types.UID - if matchResults["poduid"] != "" { - podUID = canonicalizePodUID(matchResults["poduid"]) - } - return podUID, matchResults["containerid"], true + matches := cgroupRE.FindStringSubmatch(cgroupPath) + if matches != nil { + return canonicalizePodUID(matches[1]), matches[2], true } return "", "", false } 
@@ -549,3 +712,112 @@ func canonicalizePodUID(uid string) types.UID { return r }, uid)) } + +func lookUpContainerInPod(containerID string, status corev1.PodStatus) (*corev1.ContainerStatus, containerLookup) { + for _, status := range status.ContainerStatuses { + // TODO: should we be keying off of the status or is the lack of a + // container id sufficient to know the container is not ready? + if status.ContainerID == "" { + continue + } + + containerURL, err := url.Parse(status.ContainerID) + if err != nil { + log.Printf("Malformed container id %q: %v", status.ContainerID, err) + continue + } + + if containerID == containerURL.Host { + return &status, containerInPod + } + } + + for _, status := range status.InitContainerStatuses { + // TODO: should we be keying off of the status or is the lack of a + // container id sufficient to know the container is not ready? + if status.ContainerID == "" { + continue + } + + containerURL, err := url.Parse(status.ContainerID) + if err != nil { + log.Printf("Malformed container id %q: %v", status.ContainerID, err) + continue + } + + if containerID == containerURL.Host { + return &status, containerInPod + } + } + + return nil, containerNotInPod +} + +func getPodImageIdentifiers(containerStatusArray []corev1.ContainerStatus) map[string]bool { + // Map is used purely to exclude duplicate selectors, value is unused. + podImages := make(map[string]bool) + // Note that for each pod image we generate *2* matching selectors. + // This is to support matching against ImageID, which has a SHA + // docker.io/envoyproxy/envoy-alpine@sha256:bf862e5f5eca0a73e7e538224578c5cf867ce2be91b5eaed22afc153c00363eb + // as well as + // docker.io/envoyproxy/envoy-alpine:v1.16.0, which does not, + // while also maintaining backwards compatibility and allowing for dynamic workload registration (k8s operator) + // when the SHA is not yet known (e.g. 
before the image pull is initiated at workload creation time) + // More info here: https://github.com/spiffe/spire/issues/2026 + for _, status := range containerStatusArray { + podImages[status.ImageID] = true + podImages[status.Image] = true + } + return podImages +} + +func getSelectorValuesFromPodInfo(pod *corev1.Pod, status *corev1.ContainerStatus) []string { + podImageIdentifiers := getPodImageIdentifiers(pod.Status.ContainerStatuses) + podInitImageIdentifiers := getPodImageIdentifiers(pod.Status.InitContainerStatuses) + containerImageIdentifiers := getPodImageIdentifiers([]corev1.ContainerStatus{*status}) + + selectorValues := []string{ + fmt.Sprintf("sa:%s", pod.Spec.ServiceAccountName), + fmt.Sprintf("ns:%s", pod.Namespace), + fmt.Sprintf("node-name:%s", pod.Spec.NodeName), + fmt.Sprintf("pod-uid:%s", pod.UID), + fmt.Sprintf("pod-name:%s", pod.Name), + fmt.Sprintf("container-name:%s", status.Name), + fmt.Sprintf("pod-image-count:%s", strconv.Itoa(len(pod.Status.ContainerStatuses))), + fmt.Sprintf("pod-init-image-count:%s", strconv.Itoa(len(pod.Status.InitContainerStatuses))), + } + + for containerImage := range containerImageIdentifiers { + selectorValues = append(selectorValues, fmt.Sprintf("container-image:%s", containerImage)) + } + for podImage := range podImageIdentifiers { + selectorValues = append(selectorValues, fmt.Sprintf("pod-image:%s", podImage)) + } + for podInitImage := range podInitImageIdentifiers { + selectorValues = append(selectorValues, fmt.Sprintf("pod-init-image:%s", podInitImage)) + } + + for k, v := range pod.Labels { + selectorValues = append(selectorValues, fmt.Sprintf("pod-label:%s:%s", k, v)) + } + for _, ownerReference := range pod.OwnerReferences { + selectorValues = append(selectorValues, fmt.Sprintf("pod-owner:%s:%s", ownerReference.Kind, ownerReference.Name)) + selectorValues = append(selectorValues, fmt.Sprintf("pod-owner-uid:%s:%s", ownerReference.Kind, ownerReference.UID)) + } + + return selectorValues +} + +func 
tryRead(r io.Reader) string { + buf := make([]byte, 1024) + n, _ := r.Read(buf) + return string(buf[:n]) +} + +func newCertPool(certs []*x509.Certificate) *x509.CertPool { + certPool := x509.NewCertPool() + for _, cert := range certs { + certPool.AddCert(cert) + } + return certPool +} diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index 60436bde57..74efea4955 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -1,6 +1,11 @@ +//go:build !windows +// +build !windows + +// TODO: attestor is not supported on Windows yet, skip tests until issues solved package k8s import ( + "bytes" "context" "crypto/ecdsa" "crypto/rand" @@ -42,13 +47,22 @@ const ( pid = 123 podListFilePath = "testdata/pod_list.json" + kindPodListFilePath = "testdata/kind_pod_list.json" podListNotRunningFilePath = "testdata/pod_list_not_running.json" + cgPidInPodFilePath = "testdata/cgroups_pid_in_pod.txt" + cgPidInKindPodFilePath = "testdata/cgroups_pid_in_kind_pod.txt" + cgInitPidInPodFilePath = "testdata/cgroups_init_pid_in_pod.txt" + cgPidNotInPodFilePath = "testdata/cgroups_pid_not_in_pod.txt" + cgSystemdPidInPodFilePath = "testdata/systemd_cgroups_pid_in_pod.txt" + certPath = "cert.pem" keyPath = "key.pem" ) var ( + pidCgroupPath = fmt.Sprintf("/proc/%v/cgroup", pid) + clientKey, _ = pemutil.ParseECPrivateKey([]byte(`-----BEGIN PRIVATE KEY----- MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgNRa/6HIy0uwQe8iG Kz24zEvwGiIsTDPHzrLUaml1hQ6hRANCAATz6vtJYIvPM0KOqKpdDPlsOw09hZ8P @@ -197,7 +211,6 @@ type Suite struct { kubeletCert *x509.Certificate clientCert *x509.Certificate - oc *osConfig sigstoreSelectors []sigstore.SelectorsFromSignatures sigstoreSigs []oci.Signature sigstoreSkipSigs bool @@ -215,7 +228,6 @@ func (s *Suite) SetupTest() { s.podList = nil s.env = map[string]string{} - s.oc = createOSConfig() s.sigstoreSelectors = nil s.sigstoreSigs = nil 
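Review bot: `tryRead` discards the error from `r.Read` and relies on a single call to fill the buffer, so a short or failed read yields a truncated or empty string with no trace of why. If the 1024-byte cap is meant to bound what is copied into a message, `b, _ := io.ReadAll(io.LimitReader(r, 1024))` followed by `return string(b)` keeps the cap and reads until EOF. Either way, a comment such as `// best effort: the result is only used for diagnostics` should say why the error is dropped; the callers are outside this hunk, so that purpose is assumed. In the same hunk `lookUpContainerInPod` repeats one loop body for `ContainerStatuses` and `InitContainerStatuses`, and its loop variable shadows the `status` parameter.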
@@ -258,9 +270,33 @@ func (s *Suite) TestAttestWithSigstoreSkippedImage() { func (s *Suite) TestAttestWithFailedSigstoreSignatures() { s.startInsecureKubelet() - p := s.loadInsecurePlugin() - s.setSigstoreReturnError(errors.New("sigstore error")) - s.requireAttestSuccessWithPod(p) + + p := s.newPlugin() + + v1 := new(workloadattestor.V1) + plugintest.Load(s.T(), builtin(p), v1, + plugintest.Configure(fmt.Sprintf(` + kubelet_read_only_port = %d + max_poll_attempts = 5 + poll_retry_interval = "1s" + experimental { + sigstore {} + } + `, s.kubeletPort())), + ) + + buf := bytes.Buffer{} + newLog := hclog.New(&hclog.LoggerOptions{ + Output: &buf, + }) + + p.SetLogger(newLog) + + s.sigstoreMock.returnError = errors.New("sigstore error 123") + + s.requireAttestSuccessWithPod(v1) + s.Require().Contains(buf.String(), "Error retrieving signature payload") + s.Require().Contains(buf.String(), "sigstore error 123") } func (s *Suite) TestAttestWithPidInKindPod() { @@ -291,7 +327,7 @@ func (s *Suite) TestAttestWithPidInPodAfterRetry() { s.addPodListResponse(podListNotRunningFilePath) s.addPodListResponse(podListNotRunningFilePath) s.addPodListResponse(podListFilePath) - s.addGetContainerResponsePidInPod() + s.addCgroupsResponse(cgPidInPodFilePath) resultCh := s.goAttest(p) @@ -314,7 +350,7 @@ func (s *Suite) TestAttestWithPidNotInPodCancelsEarly() { p := s.loadInsecurePlugin() s.addPodListResponse(podListNotRunningFilePath) - s.addGetContainerResponsePidInPod() + s.addCgroupsResponse(cgPidInPodFilePath) ctx, cancel := context.WithCancel(context.Background()) cancel() @@ -331,7 +367,7 @@ func (s *Suite) TestAttestWithPidNotInPodAfterRetry() { s.addPodListResponse(podListNotRunningFilePath) s.addPodListResponse(podListNotRunningFilePath) s.addPodListResponse(podListNotRunningFilePath) - s.addGetContainerResponsePidInPod() + s.addCgroupsResponse(cgPidInPodFilePath) resultCh := s.goAttest(p) 
@@ -353,9 +389,19 @@ func (s *Suite) TestAttestWithPidNotInPodAfterRetry() { } } +func (s *Suite) TestAttestWithPidNotInPod() { + s.startInsecureKubelet() + p := s.loadInsecurePlugin() + s.addCgroupsResponse(cgPidNotInPodFilePath) + + selectors, err := p.Attest(context.Background(), pid) + s.Require().NoError(err) + s.Require().Empty(selectors) +} + func (s *Suite) TestAttestOverSecurePortViaTokenAuth() { // start up a secure kubelet with host networking and require token auth - s.startSecureKubeletWithTokenAuth(true, "default-token") + s.startSecureKubelet(true, "default-token") // use the service account token for auth p := s.loadSecurePlugin(``) @@ -370,7 +416,7 @@ func (s *Suite) TestAttestOverSecurePortViaTokenAuth() { func (s *Suite) TestAttestOverSecurePortViaClientAuth() { // start up the secure kubelet with host networking and require client certs - s.startSecureKubeletWithClientCertAuth() + s.startSecureKubelet(true, "") // use client certificate for auth p := s.loadSecurePlugin(` @@ -388,19 +434,9 @@ func (s *Suite) TestAttestOverSecurePortViaClientAuth() { s.requireAttestFailure(p, codes.Internal, "tls: bad certificate") } -func (s *Suite) TestAttestOverSecurePortViaAnonymousAuth() { - s.startSecureKubeletWithAnonymousAuth() - - p := s.loadSecurePlugin(` - use_anonymous_authentication = true - `) - - s.requireAttestSuccessWithPod(p) -} - func (s *Suite) TestAttestReachingKubeletViaNodeName() { // start up a secure kubelet with "localhost" certificate and token auth - s.startSecureKubeletWithTokenAuth(false, "default-token") + s.startSecureKubelet(false, "default-token") // pick up the node name from the default env value s.env["MY_NODE_NAME"] = "localhost" 
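Review bot: Removing `TestAttestOverSecurePortViaAnonymousAuth` leaves `use_anonymous_authentication` with no test in this file. The merged handler in `startSecureKubelet` (hunk at -1112) only has a client-certificate mode (`token == ""`) and a bearer-token mode, so it cannot serve an anonymous request. If the plugin still accepts the option (its config parsing is not shown here), keep a test for it; if it is being withdrawn, the commit message should say so. Using the empty token as the mode switch also deserves a comment at the handler, e.g. `// empty token: require a verified client certificate instead of a bearer token`.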
@@ -427,12 +463,35 @@ func (s *Suite) TestAttestWhenContainerReadyButContainerSelectorsDisabled() { s.requireAttestSuccess(p, testPodSelectors) } +func (s *Suite) TestAttestAgainstNodeOverride() { + s.startInsecureKubelet() + p := s.loadInsecurePlugin() + s.addCgroupsResponse(cgPidNotInPodFilePath) + + selectors, err := p.Attest(context.Background(), pid) + s.Require().NoError(err) + s.Require().Empty(selectors) +} + +func (s *Suite) TestLogger() { + s.startInsecureKubelet() + + p := s.newPlugin() + plugintest.Load(s.T(), builtin(p), nil) + + newLog := hclog.New(&hclog.LoggerOptions{ + Name: "new_test_logger", + }) + p.SetLogger(newLog) + + s.Require().Same(newLog, p.log) + s.Require().Contains(p.log.Name(), newLog.Name()) + s.Require().Contains(p.log.Name(), "new_test_log") +} + func (s *Suite) TestConfigure() { s.generateCerts("") - kubeletCertPool := x509.NewCertPool() - kubeletCertPool.AddCert(s.kubeletCert) - s.writeFile(defaultTokenPath, "default-token") s.writeFile("token", "other-token") s.writeFile("bad-pem", "BAD PEM") @@ -454,13 +513,13 @@ func (s *Suite) TestConfigure() { } testCases := []struct { - name string - raw string - hcl string - config *config - sigstoreError error - errCode codes.Code - errMsg string + name string + raw string + hcl string + config *config + sigstoreError error + err string + sigstoreEnabled bool }{ { name: "insecure defaults", @@ -551,10 +610,9 @@ func (s *Suite) TestConfigure() { }, { - name: "invalid hcl", - hcl: "bad", - errCode: codes.InvalidArgument, - errMsg: "unable to decode configuration", + name: "invalid hcl", + hcl: "bad", + err: "unable to decode configuration", }, { name: "both insecure and secure ports specified", 
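Review bot: `TestAttestAgainstNodeOverride` has the same body as `TestAttestWithPidNotInPod`, added in the hunk at -353: insecure kubelet, `cgPidNotInPodFilePath`, empty selectors. Nothing in it configures a node name or any override, so it adds no coverage and its name promises a case it does not exercise. Either set up the override it is named for (for example through `s.env["MY_NODE_NAME"]`, as `TestAttestReachingKubeletViaNodeName` does) or drop the test. In `TestLogger`, the third `Contains` on `"new_test_log"` is implied by the second.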
@@ -562,24 +620,21 @@ func (s *Suite) TestConfigure() { kubelet_read_only_port = 10255 kubelet_secure_port = 10250 `, - errCode: codes.InvalidArgument, - errMsg: "cannot use both the read-only and secure port", + err: "cannot use both the read-only and secure port", }, { name: "non-existent kubelet ca", hcl: ` kubelet_ca_path = "no-such-file" `, - errCode: codes.InvalidArgument, - errMsg: "unable to load kubelet CA", + err: "unable to load kubelet CA", }, { name: "bad kubelet ca", hcl: ` kubelet_ca_path = "bad-pem" `, - errCode: codes.InvalidArgument, - errMsg: "unable to parse kubelet CA", + err: "unable to parse kubelet CA", }, { name: "non-existent token", @@ -587,8 +642,7 @@ func (s *Suite) TestConfigure() { skip_kubelet_verification = true token_path = "no-such-file" `, - errCode: codes.InvalidArgument, - errMsg: "unable to load token", + err: "unable to load token", }, { name: "invalid poll retry interval", @@ -596,8 +650,7 @@ func (s *Suite) TestConfigure() { kubelet_read_only_port = 10255 poll_retry_interval = "blah" `, - errCode: codes.InvalidArgument, - errMsg: "unable to parse poll retry interval", + err: "unable to parse poll retry interval", }, { name: "invalid reload interval", @@ -605,8 +658,7 @@ func (s *Suite) TestConfigure() { kubelet_read_only_port = 10255 reload_interval = "blah" `, - errCode: codes.InvalidArgument, - errMsg: "unable to parse reload interval", + err: "unable to parse reload interval", }, { name: "cert but no key", @@ -614,8 +666,7 @@ func (s *Suite) TestConfigure() { skip_kubelet_verification = true certificate_path = "cert" `, - errCode: codes.InvalidArgument, - errMsg: "the private key path is required with the certificate path", + err: "the private key path is required with the certificate path", }, { name: "key but no cert", 
@@ -623,8 +674,7 @@ func (s *Suite) TestConfigure() { skip_kubelet_verification = true private_key_path = "key" `, - errCode: codes.InvalidArgument, - errMsg: "the certificate path is required with the private key path", + err: "the certificate path is required with the private key path", }, { name: "bad cert", @@ -633,8 +683,7 @@ func (s *Suite) TestConfigure() { certificate_path = "bad-pem" private_key_path = "key.pem" `, - errCode: codes.InvalidArgument, - errMsg: "unable to load keypair", + err: "unable to load keypair", }, { name: "non-existent cert", @@ -643,8 +692,7 @@ func (s *Suite) TestConfigure() { certificate_path = "no-such-file" private_key_path = "key.pem" `, - errCode: codes.InvalidArgument, - errMsg: "unable to load certificate", + err: "unable to load certificate", }, { name: "bad key", @@ -653,8 +701,7 @@ func (s *Suite) TestConfigure() { certificate_path = "cert.pem" private_key_path = "bad-pem" `, - errCode: codes.InvalidArgument, - errMsg: "unable to load keypair", + err: "unable to load keypair", }, { name: "non-existent key", @@ -663,13 +710,12 @@ func (s *Suite) TestConfigure() { certificate_path = "cert.pem" private_key_path = "no-such-file" `, - errCode: codes.InvalidArgument, - errMsg: "unable to load private key", + err: "unable to load private key", }, { name: "secure defaults with skipped images for sigstore", hcl: ` - experimental = { + experimental = { sigstore = { skip_signature_verification_image_list = ["sha:image1hash","sha:image2hash"] } @@ -687,11 +733,12 @@ func (s *Suite) TestConfigure() { "sha:image2hash", }, }, + sigstoreEnabled: true, }, { name: "secure defaults with allowed subjects for sigstore", hcl: ` - experimental = { + experimental = { sigstore { enable_allowed_subjects_list = true, allowed_subjects_list = ["spirex@example.com","spirex1@example.com"] 
@@ -708,11 +755,12 @@ func (s *Suite) TestConfigure() { AllowedSubjectListEnabled: true, AllowedSubjects: []string{"spirex@example.com", "spirex1@example.com"}, }, + sigstoreEnabled: true, }, { name: "secure defaults with rekor URL", hcl: ` - experimental = { + experimental = { sigstore = { rekor_url = "https://rekor.example.com" } @@ -727,19 +775,59 @@ func (s *Suite) TestConfigure() { ReloadInterval: defaultReloadInterval, RekorURL: "https://rekor.example.com", }, + sigstoreEnabled: true, }, { name: "secure defaults with empty rekor URL", hcl: ` - experimental = { + experimental = { + sigstore = { + rekor_url = "" + } + } + `, + sigstoreError: errors.New("rekor URL is empty"), + config: nil, + err: "failed to parse Rekor URL: rekor URL is empty", + }, + { + name: "secure defaults for failed parsing rekor URI", + hcl: ` + experimental = { sigstore = { rekor_url = "inva{{{lid}" } } `, - sigstoreError: errors.New("error parsing rekor URI"), + sigstoreError: errors.New("failed parsing rekor URI"), + config: nil, + err: "failed to parse Rekor URL: failed parsing rekor URI", + }, + { + name: "secure defaults for invalid rekor URL Scheme", + hcl: ` + experimental = { + sigstore = { + rekor_url = "htttp://rekor.example.com" + } + } + `, + sigstoreError: errors.New("invalid rekor URL Scheme"), config: nil, - errMsg: "Error parsing rekor URI", + err: "failed to parse Rekor URL: invalid rekor URL Scheme", + }, + { + name: "secure defaults for invalid rekor URL Host", + hcl: ` + experimental = { + sigstore = { + rekor_url = "invalid;.com" + } + } + `, + sigstoreError: errors.New("invalid rekor URL Host"), + config: nil, + err: "failed to parse Rekor URL: invalid rekor URL Host", }, } 
@@ -752,12 +840,8 @@ func (s *Suite) TestConfigure() { plugintest.Load(s.T(), builtin(p), nil, plugintest.Configure(testCase.hcl), plugintest.CaptureConfigureError(&err)) - if testCase.errMsg != "" { - s.RequireGRPCStatusContains(err, testCase.errCode, testCase.errMsg) - return - } - if testCase.sigstoreError != nil { - p.sigstore.(*sigstoreMock).returnError = nil + if testCase.err != "" { + s.AssertErrorContains(err, testCase.err) return } require.NotNil(t, testCase.config, "test case missing expected config") @@ -775,9 +859,10 @@ func (s *Suite) TestConfigure() { assert.True(t, c.Client.Transport.TLSClientConfig.InsecureSkipVerify) assert.Nil(t, c.Client.Transport.TLSClientConfig.VerifyPeerCertificate) default: + t.Logf("CONFIG: %#v", c.Client.Transport.TLSClientConfig) if testCase.config.HasNodeName { if assert.NotNil(t, c.Client.Transport.TLSClientConfig.RootCAs) { - assert.True(t, c.Client.Transport.TLSClientConfig.RootCAs.Equal(kubeletCertPool)) + assert.Len(t, c.Client.Transport.TLSClientConfig.RootCAs.Subjects(), 1) // nolint // these pools are not system pools so the use of Subjects() is ok for now } } else { assert.True(t, c.Client.Transport.TLSClientConfig.InsecureSkipVerify) 
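Review bot: The error branch now checks only a message substring with `s.AssertErrorContains(err, testCase.err)`, so none of the bad-configuration cases edited in the table hunks above pin `codes.InvalidArgument` any more. A regression that returned these failures as `codes.Internal`, or as a plain error, would pass. If the status code is part of the plugin's contract, keep `s.RequireGRPCStatusContains(err, codes.InvalidArgument, testCase.err)` here. The enclosing `t.Run` closure starts outside this hunk.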
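Review bot: `assert.Len(t, c.Client.Transport.TLSClientConfig.RootCAs.Subjects(), 1)` only counts entries, whereas the line it replaces compared the pool with one built from `s.kubeletCert`. A configuration that loaded the wrong CA would now pass. This pool decides which kubelet certificate the client trusts, so the test should still tie it to the expected certificate, e.g. `assert.True(t, c.Client.Transport.TLSClientConfig.RootCAs.Equal(newCertPool([]*x509.Certificate{s.kubeletCert})))`, provided `CertPool.Equal` is available at the Go version in use. The added `t.Logf("CONFIG: %#v", ...)` reads as leftover debugging and can be removed.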
@@ -790,19 +875,25 @@ func (s *Suite) TestConfigure() { assert.Equal(t, testCase.config.PollRetryInterval, c.PollRetryInterval) assert.Equal(t, testCase.config.ReloadInterval, c.ReloadInterval) - assert.Equal(t, testCase.config.SkippedImages, c.SkippedImages) - for _, sImage := range testCase.config.SkippedImages { - assert.Contains(t, p.sigstore.(*sigstoreMock).skippedImages, sImage) - } + if testCase.sigstoreEnabled { + assert.NotNil(t, c.sigstoreConfig) - assert.Equal(t, testCase.config.AllowedSubjectListEnabled, c.AllowedSubjectListEnabled) - assert.Equal(t, testCase.config.AllowedSubjectListEnabled, p.sigstore.(*sigstoreMock).allowedSubjectListEnabled) + assert.Equal(t, testCase.config.SkippedImages, c.sigstoreConfig.SkippedImages) + for _, sImage := range testCase.config.SkippedImages { + assert.Contains(t, p.sigstore.(*sigstoreMock).skippedImages, sImage) + } - assert.Equal(t, testCase.config.AllowedSubjects, c.AllowedSubjects) - for _, sSubject := range testCase.config.AllowedSubjects { - assert.Contains(t, p.sigstore.(*sigstoreMock).allowedSubjects, sSubject) + assert.Equal(t, testCase.config.AllowedSubjectListEnabled, c.sigstoreConfig.AllowedSubjectListEnabled) + assert.Equal(t, testCase.config.AllowedSubjectListEnabled, p.sigstore.(*sigstoreMock).allowedSubjectListEnabled) + + assert.Equal(t, testCase.config.AllowedSubjects, c.sigstoreConfig.AllowedSubjects) + for _, sSubject := range testCase.config.AllowedSubjects { + assert.Contains(t, p.sigstore.(*sigstoreMock).allowedSubjects, sSubject) + } + assert.Equal(t, testCase.config.RekorURL, c.sigstoreConfig.RekorURL) + } else { + assert.Nil(t, c.sigstoreConfig) } - assert.Equal(t, testCase.config.RekorURL, c.RekorURL) }) } } 
@@ -848,12 +939,14 @@ type sigstoreMock struct { skippedImages map[string]bool allowedSubjects map[string]bool allowedSubjectListEnabled bool + log hclog.Logger rekorURL string } // SetLogger implements sigstore.Sigstore -func (*sigstoreMock) SetLogger(logger hclog.Logger) { +func (s *sigstoreMock) SetLogger(logger hclog.Logger) { + s.log = logger } func (s *sigstoreMock) FetchImageSignatures(ctx context.Context, imageName string) ([]oci.Signature, error) { @@ -926,6 +1019,9 @@ func (s *sigstoreMock) AttestContainerSignatures(ctx context.Context, status *co } func (s *sigstoreMock) SetRekorURL(url string) error { + if s.returnError != nil { + return s.returnError + } s.rekorURL = url return s.returnError } @@ -979,10 +1075,6 @@ func (s *Suite) setSigstoreSkippedSigSelectors(selectors []string) { s.sigstoreSkippedSigSelectors = selectors } -func (s *Suite) setSigstoreReturnError(err error) { - s.sigstoreReturnError = err -} - func (s *Suite) writeFile(path, data string) { realPath := filepath.Join(s.dir, path) s.Require().NoError(os.MkdirAll(filepath.Dir(realPath), 0755)) @@ -1009,14 +1101,10 @@ func (s *Suite) kubeletPort() int { func (s *Suite) loadPlugin(configuration string) workloadattestor.WorkloadAttestor { v1 := new(workloadattestor.V1) - p := s.newPlugin() - plugintest.Load(s.T(), builtin(p), v1, + plugintest.Load(s.T(), builtin(s.newPlugin()), v1, plugintest.Configure(configuration), ) - if cHelper := s.oc.getContainerHelper(); cHelper != nil { - p.setContainerHelper(cHelper) - } return v1 } 
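Review bot: In the mock's `SetRekorURL`, the added guard returns early when `s.returnError` is non-nil, so the trailing `return s.returnError` can only return nil; `return nil` states that directly. The new `log` field stored by `SetLogger` is not read in any hunk shown here. If no test asserts on it, a short comment such as `// kept so tests can inspect the logger passed in` would explain why it is stored.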
@@ -1061,49 +1149,7 @@ func (s *Suite) generateCerts(nodeName string) { s.writeCert(certPath, s.clientCert) } -func (s *Suite) startSecureKubeletWithClientCertAuth() { - handler := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { - if len(req.TLS.VerifiedChains) == 0 { - http.Error(w, "client auth expected but not used", http.StatusForbidden) - return - } - s.serveHTTP(w, req) - }) - - s.startSecureKubeletServer(false, handler) -} - -func (s *Suite) startSecureKubeletWithTokenAuth(hostNetworking bool, token string) { - handler := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { - if len(req.TLS.VerifiedChains) > 0 { - http.Error(w, "client auth not expected but used", http.StatusForbidden) - return - } - expectedAuth := "Bearer " + token - auth := req.Header.Get("Authorization") - if auth != expectedAuth { - http.Error(w, fmt.Sprintf("expected %q, got %q", expectedAuth, auth), http.StatusForbidden) - return - } - s.serveHTTP(w, req) - }) - - s.startSecureKubeletServer(hostNetworking, handler) -} - -func (s *Suite) startSecureKubeletWithAnonymousAuth() { - handler := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { - if len(req.TLS.VerifiedChains) > 0 { - http.Error(w, "client auth not expected but used", http.StatusForbidden) - return - } - s.serveHTTP(w, req) - }) - - s.startSecureKubeletServer(false, handler) -} - -func (s *Suite) startSecureKubeletServer(hostNetworking bool, handler http.Handler) { +func (s *Suite) startSecureKubelet(hostNetworking bool, token string) { // Use "localhost" in the DNS name unless we're using host networking. This // allows us to use "localhost" as the host directly when configured to // connect to the node name. Otherwise, we'll connect to 127.0.0.1 and 
@@ -1112,13 +1158,32 @@ func (s *Suite) startSecureKubeletServer(hostNetworking bool, handler http.Handl if hostNetworking { dnsName = "this-name-should-never-be-validated" } - s.generateCerts(dnsName) + clientCAs := x509.NewCertPool() if s.clientCert != nil { clientCAs.AddCert(s.clientCert) } - server := httptest.NewUnstartedServer(handler) + server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { + if token == "" { + if len(req.TLS.VerifiedChains) == 0 { + http.Error(w, "client auth expected but not used", http.StatusForbidden) + return + } + } else { + if len(req.TLS.VerifiedChains) > 0 { + http.Error(w, "client auth not expected but used", http.StatusForbidden) + return + } + expectedAuth := "Bearer " + token + auth := req.Header.Get("Authorization") + if auth != expectedAuth { + http.Error(w, fmt.Sprintf("expected %q, got %q", expectedAuth, auth), http.StatusForbidden) + return + } + } + s.serveHTTP(w, req) + })) server.TLS = &tls.Config{ Certificates: []tls.Certificate{ { @@ -1186,8 +1251,6 @@ func (s *Suite) writeKey(path string, key *ecdsa.PrivateKey) { func (s *Suite) requireAttestSuccessWithPod(p workloadattestor.WorkloadAttestor) { s.addPodListResponse(podListFilePath) - s.addGetContainerResponsePidInPod() - s.requireAttestSuccess(p, testPodAndContainerSelectors) s.addCgroupsResponse(cgPidInPodFilePath) } @@ -1215,6 +1278,12 @@ func (s *Suite) requireAttestSuccessWithPodSystemdCgroups(p workloadattestor.Wor s.requireAttestSuccess(p, testPodSelectors) } +func (s *Suite) requireAttestSuccessWithInitPod(p workloadattestor.WorkloadAttestor) { + s.addPodListResponse(podListFilePath) + s.addCgroupsResponse(cgInitPidInPodFilePath) + s.requireAttestSuccess(p, testInitPodSelectors) +} + func (s *Suite) requireAttestSuccess(p workloadattestor.WorkloadAttestor, expectedSelectors []*common.Selector) { selectors, err := p.Attest(context.Background(), pid) s.Require().NoError(err) 
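Review bot: As the hunk at -1186 reads, `requireAttestSuccessWithPod` now only queues the pod list and the cgroups fixture, so the helper never calls `Attest`. The `s.requireAttestSuccess(p, testPodAndContainerSelectors)` line is removed and nothing replaces it. Tests that rely on the helper, such as `TestAttestWithFailedSigstoreSignatures`, stop verifying selectors, and its log assertions depend on an attestation that no longer runs. Unless a later patch in the series restores it, the body should end with `s.requireAttestSuccess(p, testPodAndContainerSelectors)` after `s.addCgroupsResponse(cgPidInPodFilePath)`.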
@@ -1255,6 +1324,204 @@ func (s *Suite) addPodListResponse(fixturePath string) { s.podList = append(s.podList, podList) } +func (s *Suite) addCgroupsResponse(fixturePath string) { + wd, err := os.Getwd() + s.Require().NoError(err) + cgroupPath := filepath.Join(s.dir, pidCgroupPath) + s.Require().NoError(os.MkdirAll(filepath.Dir(cgroupPath), 0755)) + os.Remove(cgroupPath) + s.Require().NoError(os.Symlink(filepath.Join(wd, fixturePath), cgroupPath)) +} + +func TestGetContainerIDFromCGroups(t *testing.T) { + makeCGroups := func(groupPaths []string) []cgroups.Cgroup { + var out []cgroups.Cgroup + for _, groupPath := range groupPaths { + out = append(out, cgroups.Cgroup{ + GroupPath: groupPath, + }) + } + return out + } + + for _, tt := range []struct { + name string + cgroupPaths []string + expectPodUID types.UID + expectContainerID string + expectCode codes.Code + expectMsg string + }{ + { + name: "no cgroups", + cgroupPaths: []string{}, + expectPodUID: "", + expectContainerID: "", + expectCode: codes.OK, + }, + { + name: "no container ID in cgroups", + cgroupPaths: []string{ + "/user.slice", + }, + expectPodUID: "", + expectContainerID: "", + expectCode: codes.OK, + }, + { + name: "one container ID in cgroups", + cgroupPaths: []string{ + "/user.slice", + "/kubepods/pod2c48913c-b29f-11e7-9350-020968147796/9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961", + }, + expectPodUID: "2c48913c-b29f-11e7-9350-020968147796", + expectContainerID: "9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961", + expectCode: codes.OK, + }, + { + name: "pod UID canonicalized", + cgroupPaths: []string{ + "/user.slice", + "/kubepods/pod2c48913c_b29f_11e7_9350_020968147796/9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961", + }, + expectPodUID: "2c48913c-b29f-11e7-9350-020968147796", + expectContainerID: "9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961", + expectCode: codes.OK, + }, + { + name: "more than one container ID in 
cgroups", + cgroupPaths: []string{ + "/user.slice", + "/kubepods/pod2c48913c-b29f-11e7-9350-020968147796/9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961", + "/kubepods/kubepods/besteffort/pod2c48913c-b29f-11e7-9350-020968147796/a55d9ac3b312d8a2627824b6d6dd8af66fbec439bf4e0ec22d6d9945ad337a38", + }, + expectPodUID: "", + expectContainerID: "", + expectCode: codes.FailedPrecondition, + expectMsg: "multiple container IDs found in cgroups (9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961, a55d9ac3b312d8a2627824b6d6dd8af66fbec439bf4e0ec22d6d9945ad337a38)", + }, + { + name: "more than one pod UID in cgroups", + cgroupPaths: []string{ + "/user.slice", + "/kubepods/pod11111111-b29f-11e7-9350-020968147796/9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961", + "/kubepods/kubepods/besteffort/pod22222222-b29f-11e7-9350-020968147796/9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961", + }, + expectPodUID: "", + expectContainerID: "", + expectCode: codes.FailedPrecondition, + expectMsg: "multiple pod UIDs found in cgroups (11111111-b29f-11e7-9350-020968147796, 22222222-b29f-11e7-9350-020968147796)", + }, + } { + tt := tt + t.Run(tt.name, func(t *testing.T) { + podUID, containerID, err := getPodUIDAndContainerIDFromCGroups(makeCGroups(tt.cgroupPaths)) + spiretest.RequireGRPCStatus(t, err, tt.expectCode, tt.expectMsg) + if tt.expectCode != codes.OK { + assert.Empty(t, containerID) + return + } + assert.Equal(t, tt.expectPodUID, podUID) + assert.Equal(t, tt.expectContainerID, containerID) + }) + } +} + +func TestGetPodUIDAndContainerIDFromCGroupPath(t *testing.T) { + for _, tt := range []struct { + name string + cgroupPath string + expectPodUID types.UID + expectContainerID string + }{ + { + name: "without QOS", + cgroupPath: "/kubepods/pod2c48913c-b29f-11e7-9350-020968147796/9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961", + expectPodUID: "2c48913c-b29f-11e7-9350-020968147796", + expectContainerID: 
"9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961", + }, + { + name: "with QOS", + cgroupPath: "/kubepods/burstable/pod2c48913c-b29f-11e7-9350-020968147796/34a2062fd26c805aa8cf814cdfe479322b791f80afb9ea4db02d50375df14b41", + expectPodUID: "2c48913c-b29f-11e7-9350-020968147796", + expectContainerID: "34a2062fd26c805aa8cf814cdfe479322b791f80afb9ea4db02d50375df14b41", + }, + { + name: "docker for desktop with QOS", + cgroupPath: "/kubepods/kubepods/besteffort/pod6bd2a4d3-a55a-4450-b6fd-2a7ecc72c904/a55d9ac3b312d8a2627824b6d6dd8af66fbec439bf4e0ec22d6d9945ad337a38", + expectPodUID: "6bd2a4d3-a55a-4450-b6fd-2a7ecc72c904", + expectContainerID: "a55d9ac3b312d8a2627824b6d6dd8af66fbec439bf4e0ec22d6d9945ad337a38", + }, + { + name: "kind with QOS", + cgroupPath: "/docker/93529524695bb00d91c1f6dba692ea8d3550c3b94fb2463af7bc9ec82f992d26/kubepods/besteffort/poda2830d0d-b0f0-4ff0-81b5-0ee4e299cf80/09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6", + expectPodUID: "a2830d0d-b0f0-4ff0-81b5-0ee4e299cf80", + expectContainerID: "09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6", + }, + { + name: "systemd with QOS and container runtime", + cgroupPath: "/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod2c48913c-b29f-11e7-9350-020968147796.slice/docker-9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961.scope", + expectPodUID: "2c48913c-b29f-11e7-9350-020968147796", + expectContainerID: "9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961", + }, + { + name: "from a different cgroup namespace", + cgroupPath: "/../../../burstable/pod095e82d2-713c-467a-a18a-cbb50a075296/6d1234da0f5aa7fa0ccae4c7d2d109929eb9a81694e6357bcd4547ab3985911b", + expectPodUID: "095e82d2-713c-467a-a18a-cbb50a075296", + expectContainerID: "6d1234da0f5aa7fa0ccae4c7d2d109929eb9a81694e6357bcd4547ab3985911b", + }, + { + name: "not kubepods", + cgroupPath: 
"/something/poda2830d0d-b0f0-4ff0-81b5-0ee4e299cf80/09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6", + expectPodUID: "a2830d0d-b0f0-4ff0-81b5-0ee4e299cf80", + expectContainerID: "09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6", + }, + { + name: "just pod uid and container", + cgroupPath: "/poda2830d0d-b0f0-4ff0-81b5-0ee4e299cf80/09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6", + expectPodUID: "a2830d0d-b0f0-4ff0-81b5-0ee4e299cf80", + expectContainerID: "09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6", + }, + { + name: "just container segment", + cgroupPath: "/09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6", + }, + { + name: "no container segment", + cgroupPath: "/kubepods/poda2830d0d-b0f0-4ff0-81b5-0ee4e299cf80", + }, + { + name: "no pod uid segment", + cgroupPath: "/kubepods/09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6", + }, + { + name: "cri-containerd", + cgroupPath: "/kubepods-besteffort-pod72f7f152_440c_66ac_9084_e0fc1d8a910c.slice:cri-containerd:b2a102854b4969b2ce98dc329c86b4fb2b06e4ad2cc8da9d8a7578c9cd2004a2", + expectPodUID: "72f7f152-440c-66ac-9084-e0fc1d8a910c", + expectContainerID: "b2a102854b4969b2ce98dc329c86b4fb2b06e4ad2cc8da9d8a7578c9cd2004a2", + }, + { + name: "uid generateds by kubernetes", + cgroupPath: "/kubepods/pod2732ca68f6358eba7703fb6f82a25c94", + }, + } { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Logf("cgroup path=%s", tt.cgroupPath) + podUID, containerID, ok := getPodUIDAndContainerIDFromCGroupPath(tt.cgroupPath) + if tt.expectContainerID == "" { + assert.False(t, ok) + assert.Empty(t, podUID) + assert.Empty(t, containerID) + return + } + assert.True(t, ok) + assert.Equal(t, tt.expectPodUID, podUID) + assert.Equal(t, tt.expectContainerID, containerID) + }) + } +} + type testFS string func (fs testFS) Open(path string) (io.ReadCloser, error) { 
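Review bot: In `TestGetContainerIDFromCGroups` the failure branch asserts only `assert.Empty(t, containerID)`, although both failing cases also expect an empty pod UID. Add `assert.Empty(t, podUID)` before the `return` so a partially populated result on error is caught. The "not kubepods" case in `TestGetPodUIDAndContainerIDFromCGroupPath` pins that a path outside kubepods is accepted; a comment on that case such as `// deliberate: kubepods ancestry cannot be checked from inside a cgroup namespace` would keep it from being read as a mistake. The case name `uid generateds by kubernetes` has a typo.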
diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 5e01d7322c..ffc89495b5 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -315,7 +315,7 @@ func (s *sigstoreImpl) SetRekorURL(rekorURL string) error { } rekorURI, err := url.Parse(rekorURL) if err != nil { - return fmt.Errorf("failed to parsing rekor URI: %w", err) + return fmt.Errorf("failed parsing rekor URI: %w", err) } if rekorURI.Scheme != "" && rekorURI.Scheme != "https" { return fmt.Errorf("invalid rekor URL Scheme: %s", rekorURI.Scheme) From 7609c378b59d8b34e3b4d8134b9b531716ebceed Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Tue, 19 Jul 2022 15:45:37 -0300 Subject: [PATCH 098/257] Adding log label (#60) * fix: added label to log line Signed-off-by: Rodrigo Lopes * feat: added telemetry tag for container name Signed-off-by: Rodrigo Lopes * logs: added container name telemetry label to log line Signed-off-by: Rodrigo Lopes * tests: fixed sigstore config on some tests Signed-off-by: Rodrigo Lopes * fix: removed URL empty checking before config as the error is handled in config Signed-off-by: Rodrigo Lopes Co-authored-by: Rodrigo Lopes Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go | 2 +- pkg/common/telemetry/names.go | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index ad211b4792..ff5092beb7 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go 
@@ -243,7 +243,7 @@ func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestReque switch lookup { case containerInPod: selectors := getSelectorValuesFromPodInfo(&item, status) - if p.config.sigstoreConfig != nil { + if p.config.EnableSigstore { log.Debug("Attemping to get signature info for container", telemetry.ContainerName, status.Name) sigstoreSelectors, err := p.sigstore.AttestContainerSignatures(ctx, status) if err != nil { diff --git a/pkg/common/telemetry/names.go b/pkg/common/telemetry/names.go index 6f7207eb10..5ddc3ab88f 100644 --- a/pkg/common/telemetry/names.go +++ b/pkg/common/telemetry/names.go @@ -206,6 +206,9 @@ const ( // ContainerID tags some container ID, most likely for use in attestation ContainerID = "container_id" + // ContainerName tags some container name, most likely for use in attestation + ContainerName = "container_name" + // Count tags some basic count; should be used with other tags and clear messaging to add clarity Count = "count" From 5e9c2cdfe88b570f38fa6018b4bfdae4e24fb07e Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Tue, 19 Jul 2022 21:29:31 -0400 Subject: [PATCH 099/257] Fixed dependencies Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- go.mod | 2 +- go.sum | 7 +------ 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/go.mod b/go.mod index e884fb8e5c..99e65ed32c 100644 --- a/go.mod +++ b/go.mod @@ -209,7 +209,7 @@ require ( github.com/in-toto/in-toto-golang v0.3.4-0.20211211042327-af1f9fb822bf // indirect github.com/inconshreveable/mousetrap v1.0.0 // indirect github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431 // indirect - github.com/jhump/protoreflect v1.12.0 // indirect + github.com/jhump/protoreflect v1.10.3 // indirect github.com/jinzhu/inflection v1.0.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/jonboulle/clockwork v0.3.0 // indirect diff --git a/go.sum b/go.sum index facda7e035..bb0c8c936d 100644 --- a/go.sum +++ b/go.sum 
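Review bot: The new guard in the `containerInPod` case tests `p.config.EnableSigstore`, but the call two lines later dereferences `p.sigstore`, and nothing in this hunk shows that the verifier is always constructed when the flag is set. If Configure can leave `p.sigstore` nil while the flag is true, that call would panic during attestation; `if p.config.EnableSigstore && p.sigstore != nil {` keeps the branch safe. The debug message on the next line also misspells "Attempting" as `Attemping`, which makes it harder to find when searching logs. Attest starts and continues outside the hunk, so the construction path should be confirmed against the rest of the file.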
@@ -1490,17 +1490,12 @@ github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431 h1:zqyV5j9xEu github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431/go.mod h1:3VIJLjlf5Iako82IX/5KOoCzDmogK5mO+bl+DRItnR8= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jgautheron/goconst v1.5.1/go.mod h1:aAosetZ5zaeC/2EfMeRswtxUFBpe2Hr7HzkgX4fanO4= -github.com/jhump/gopoet v0.0.0-20190322174617-17282ff210b3/go.mod h1:me9yfT6IJSlOL3FCfrg+L6yzUEZ+5jW6WHt4Sk+UPUI= -github.com/jhump/gopoet v0.1.0/go.mod h1:me9yfT6IJSlOL3FCfrg+L6yzUEZ+5jW6WHt4Sk+UPUI= -github.com/jhump/goprotoc v0.5.0/go.mod h1:VrbvcYrQOrTi3i0Vf+m+oqQWk9l72mjkJCYo7UvLHRQ= github.com/jhump/protoreflect v1.6.0/go.mod h1:eaTn3RZAmMBcV0fifFvlm6VHNz3wSkYyXYWUh7ymB74= github.com/jhump/protoreflect v1.6.1/go.mod h1:RZQ/lnuN+zqeRVpQigTwO6o0AJUkxbnSnpuG7toUTG4= github.com/jhump/protoreflect v1.8.2/go.mod h1:7GcYQDdMU/O/BBrl/cX6PNHpXh6cenjd8pneu5yW7Tg= github.com/jhump/protoreflect v1.9.0/go.mod h1:7GcYQDdMU/O/BBrl/cX6PNHpXh6cenjd8pneu5yW7Tg= +github.com/jhump/protoreflect v1.10.3 h1:8ogeubpKh2TiulA0apmGlW5YAH4U1Vi4TINIP+gpNfQ= github.com/jhump/protoreflect v1.10.3/go.mod h1:7GcYQDdMU/O/BBrl/cX6PNHpXh6cenjd8pneu5yW7Tg= -github.com/jhump/protoreflect v1.11.0/go.mod h1:U7aMIjN0NWq9swDP7xDdoMfRHb35uiuTd3Z9nFXJf5E= -github.com/jhump/protoreflect v1.12.0 h1:1NQ4FpWMgn3by/n1X0fbeKEUxP1wBt7+Oitpv01HR10= -github.com/jhump/protoreflect v1.12.0/go.mod h1:JytZfP5d0r8pVNLZvai7U/MCuTWITgrI4tTg7puQFKI= github.com/jingyugao/rowserrcheck v1.1.1/go.mod h1:4yvlZSDb3IyDTUZJUmpZfm2Hwok+Dtp+nu2qOq+er9c= github.com/jinzhu/gorm v1.9.16 h1:+IyIjPEABKRpsu/F8OvDPy9fyQlgsg2luMV2ZIH5i5o= github.com/jinzhu/gorm v1.9.16/go.mod h1:G3LB3wezTOWM2ITLzPxEXgSkOXAntiLHS7UdBefADcs= From 3fb506d386c1c22d8b7090e3dcd2ca757d921433 Mon Sep 17 00:00:00 2001 
From: Rodrigo Lopes Date: Wed, 31 Aug 2022 13:18:20 -0300 Subject: [PATCH 100/257] Fix k8s posix (#70) * refactor: renamed ExperimentalSigstoreConfig to SigstoreConfig Signed-off-by: Rodrigo Lopes * docs: fixed comment about AllowedSubjectListEnabled Signed-off-by: Rodrigo Lopes * refactor: flattened chained if blocks Signed-off-by: Rodrigo Lopes * refactor: removed explicit default values for sigstore options from k8sConfig object Signed-off-by: Rodrigo Lopes * refactor: moved internal sigstore config to new struct, removed bool. tests: fixed tests after refactor, added test for sigstore struct pointer value. Signed-off-by: Rodrigo Lopes * refactor: moved sigstore instantiation to Plugin.Configure Signed-off-by: Rodrigo Lopes * tests: removed sigstoreEnabled flag from error cases Signed-off-by: Rodrigo Lopes * fix: removed trailing colon from error message Signed-off-by: Rodrigo Lopes * tests: fixed fetch failure test, added log checking Signed-off-by: Rodrigo Lopes * fix: fixed a comment on sigstore configs Signed-off-by: Rodrigo Lopes * lint: removed unused function Signed-off-by: Rodrigo Lopes * fix: fixed nil reference error Signed-off-by: Rodrigo Lopes * refactor: added logger on Configure, for when Sigstore isn't created until after setLogger Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes Co-authored-by: Rodrigo Lopes Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index ff5092beb7..ad211b4792 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go 
@@ -243,7 +243,7 @@ func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestReque switch lookup { case containerInPod: selectors := getSelectorValuesFromPodInfo(&item, status) - if p.config.EnableSigstore { + if p.config.sigstoreConfig != nil { log.Debug("Attemping to get signature info for container", telemetry.ContainerName, status.Name) sigstoreSelectors, err := p.sigstore.AttestContainerSignatures(ctx, status) if err != nil { From 558ebbcd229a0990255feb22a997f618d36f690e Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Wed, 31 Aug 2022 13:18:40 -0300 Subject: [PATCH 101/257] Fixing sigstore docs (#71) * docs: added clarifications on config and selectors Signed-off-by: Rodrigo Lopes * docs: fixed github links Signed-off-by: Rodrigo Lopes * docs: fixed a sentence Signed-off-by: Rodrigo Lopes * docs: added back text that was removed by mistake Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes Co-authored-by: Rodrigo Lopes Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- doc/plugin_agent_nodeattestor_k8s_psat.md | 2 +- doc/plugin_agent_workloadattestor_k8s.md | 18 +++++++++--------- doc/plugin_agent_workloadattestor_unix.md | 2 ++ doc/plugin_agent_workloadattestor_windows.md | 20 ++++++++++++++++++++ doc/plugin_server_nodeattestor_k8s_psat.md | 2 +- doc/scaling_spire.md | 6 +++--- 6 files changed, 36 insertions(+), 14 deletions(-) diff --git a/doc/plugin_agent_nodeattestor_k8s_psat.md b/doc/plugin_agent_nodeattestor_k8s_psat.md index 2054dff491..91ab12f910 100644 --- a/doc/plugin_agent_nodeattestor_k8s_psat.md +++ b/doc/plugin_agent_nodeattestor_k8s_psat.md 
@@ -50,7 +50,7 @@ volumeMounts: name: spire-agent ``` -A full example of this attestor is provided in [the SPIRE examples repository](https://github.com/spiffe/spire-examples/tree/master/examples/k8s/simple_psat). +A full example of this attestor is provided in [the SPIRE examples repository](https://github.com/spiffe/spire-examples/tree/main/examples/k8s/simple_psat). ## Considerations diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index 0a860b4a31..16e56a6414 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md 
@@ -61,15 +61,15 @@ since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/cre | Sigstore options | Description | | ------------- | ----------- | -| `skip_signature_verification_image_list`| The list of images, described as digest hashes, that should be skipped in signature verification. | -| `enable_allowed_subjects_list`| Enables a list of allowed subjects that are trusted and are allowed to sign container images artificats.| -| `allowed_subjects_list`| The list of allowed subjects enabled by `enable_allowed_subjects_list` each entry represents subject e-mail. | -| `rekor_url` | The URL for the rekor STL Server to use with cosign. | +| `skip_signature_verification_image_list`| The list of images, described as digest hashes, that should be skipped in signature verification. Defaults to empty list. | +| `enable_allowed_subjects_list`| Enables a list of allowed subjects that are trusted and are allowed to sign container images artificats. Defaults to 'false'. If true and `allowed_subjects_list` is empty, no workload will pass signature validation. | +| `allowed_subjects_list`| The list of allowed subjects enabled by `enable_allowed_subjects_list` each entry represents subject e-mail. Defaults to empty list. | +| `rekor_url` | The URL for the rekor STL Server to use with cosign. Defaults to 'rekor.sigstore.dev', Rekor's public instance. | ### Sigstore workload attestor for SPIRE -The k8s workload attestor plugins has also capabilities to validate images signatures through [sigstore](https://www.sigstore.dev/) +The k8s workload attestor plugin also has capabilities to validate images signatures through [sigstore](https://www.sigstore.dev/) Cosign supports container signing, verification, and storage in an OCI registry. Cosign aims to make signatures invisible infrastructure. For this, we’ve chosen the Sigstore ecosystem and artifacts. 
Digging deeper, we are using: Rekor (signature transparency log), Fulcio (signing certificate issuer and certificate transparency log) and Cosign (container image signing tool) to guarantee the authenticity of the running workload. 
@@ -99,10 +99,10 @@ Sigstore enabled selectors (available when configured to use sigstore) | Selector | Value | | -------- | ----- | -| k8s:containerID:image-signature-content | The value of the signature itself in a hash (eg. "k8s:000000:image-signature-content:MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=")| -| k8s:containerID:image-signature-subject | OIDC principal that signed it​ (eg. "k8s:000000:image-signature-subject:spirex@example.com")| -| k8s:containerID:image-signature-logid | A unique LogID for the Rekor transparency log​ (eg. "k8s:000000:image-signature-logid:samplelogID") | -| k8s:containerID:image-signature-integrated-time | The date when the image signature was integrated into the signature transparency log​ (eg. "k8s:000000:image-signature-integrated-time:12345") | +| k8s:${containerID}:image-signature-content | The value of the signature itself in a hash (eg. "k8s:000000:image-signature-content:MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=")| +| k8s:${containerID}:image-signature-subject | OIDC principal that signed it​ (eg. "k8s:000000:image-signature-subject:spirex@example.com")| +| k8s:${containerID}:image-signature-logid | A unique LogID for the Rekor transparency log​ (eg. "k8s:000000:image-signature-logid:samplelogID") | +| k8s:${containerID}:image-signature-integrated-time | The time (in Unix timestamp format) when the image signature was integrated into the signature transparency log​ (eg. "k8s:000000:image-signature-integrated-time:12345") | | k8s:sigstore-validation | The confirmation if the signature is valid, has value of "passed" (eg. "k8s:sigstore-validation:passed") | > **Note** `container-image` will ONLY match against the specific container in the pod that is contacting SPIRE on behalf of > the pod, whereas `pod-image` and `pod-init-image` will match against ANY container or init container in the Pod, 
diff --git a/doc/plugin_agent_workloadattestor_unix.md b/doc/plugin_agent_workloadattestor_unix.md index 36e4c4826e..8ef8decffe 100644 --- a/doc/plugin_agent_workloadattestor_unix.md +++ b/doc/plugin_agent_workloadattestor_unix.md @@ -28,6 +28,8 @@ General selectors: | `unix:supplementary_gid` | **Currently only supported on linux:** The supplementary group ID of the workload (e.g. `unix:supplementary_gid:2000`) | | `unix:supplementary_group` | **Currently only supported on linux:** The supplementary group name of the workload (e.g. `unix:supplementary_group:www-data`) | +Workload path enabled selectors (available when configured with `discover_workload_path = true`): + | Selector | Value | |---------------|--------------------------------------------------------------------------------------------------------------------------------| | `unix:path` | The path to the workload binary (e.g. `unix:path:/usr/bin/nginx`) | diff --git a/doc/plugin_agent_workloadattestor_windows.md b/doc/plugin_agent_workloadattestor_windows.md index e4cccb7f13..23fb70b242 100644 --- a/doc/plugin_agent_workloadattestor_windows.md +++ b/doc/plugin_agent_workloadattestor_windows.md 
@@ -19,6 +19,26 @@ It does so by opening an access token associated with the workload process. The | `windows:group_name:se_group_enabled:true` | The group name of an enabled group associated with the access token from the workload process (e.g. `windows:group_name:se_group_enabled:true:computer-or-domain\mygroup`) | | `windows:group_name:se_group_enabled:false` | The group name of a not enabled group associated with the access token from the workload process (e.g. `windows:group_name:se_group_enabled:false:computer-or-domain\mygroup`) | +Workload path enabled selectors (available when configured with `discover_workload_path = true`): + +| Selector | Value | +|------------------|-----------------------------------------------------------------------------------------------------------------------------------| +| `windows:path` | The path to the workload binary (e.g. `windows:path:C:\Program Files\nginx\nginx.exe`) | +| `windows:sha256` | The SHA256 digest of the workload binary (e.g. `windows:sha256:3a6eb0790f39ac87c94f3856b2dd2c5d110e6811602261a9a923d3bb23adc8b7`) | + +Security Considerations: + +Malicious workloads could cause the SPIRE agent to do expensive work +calculating a sha256 for large workload binaries, causing a denial-of-service. +Defenses against this are: + +- disabling calculation entirely by setting `workload_size_limit` to a negative value +- use `workload_size_limit` to enforce a limit on the binary size the + plugin is willing to hash. However, the same attack could be performed by spawning a + bunch of processes under the limit. + The workload API does not yet support rate limiting, but when it does, this attack can + be mitigated by using rate limiting in conjunction with non-negative `workload_size_limit`. + #### Notes - An enabled group in a token is a group that has the [SE_GROUP_ENABLED](https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-attributes-in-an-access-token) attribute. 
diff --git a/doc/plugin_server_nodeattestor_k8s_psat.md b/doc/plugin_server_nodeattestor_k8s_psat.md index fe57034d58..8ee81beeda 100644 --- a/doc/plugin_server_nodeattestor_k8s_psat.md +++ b/doc/plugin_server_nodeattestor_k8s_psat.md @@ -76,4 +76,4 @@ This plugin generates the following selectors: The node and pod selectors are only provided for label keys in the `allowed_node_label_keys` and `allowed_pod_label_keys` configurables. -A full example of this attestor is provided in [the SPIRE examples repository](https://github.com/spiffe/spire-examples/tree/master/examples/k8s/simple_psat) +A full example of this attestor is provided in [the SPIRE examples repository](https://github.com/spiffe/spire-examples/tree/main/examples/k8s/simple_psat) diff --git a/doc/scaling_spire.md b/doc/scaling_spire.md index 3bd5fd13b0..be8a1b83c7 100644 --- a/doc/scaling_spire.md +++ b/doc/scaling_spire.md 
@@ -61,9 +61,9 @@ Another use case is SPIFFE interoperability between organizations, such as betwe These multiple trust domain and interoperability use cases both require a well-defined, interoperable method for a Workload in one trust domain to authenticate a Workload in a different trust domain. Trust between the different trust domains is established by first authenticating the respective bundle endpoint, followed by retrieval of the foreign trust domain bundle via the authenticated endpoint. -For additional detail on how this is achieved, refer to the following SPIFFE spec that describes the mechanism: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#5-spiffe-bundle-endpoint +For additional detail on how this is achieved, refer to the following SPIFFE spec that describes the mechanism: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#5-spiffe-bundle-endpoint -For a tutorial on configuring Federated SPIRE, refer to: https://github.com/spiffe/spire-tutorials/tree/master/docker-compose/federation +For a tutorial on configuring Federated SPIRE, refer to: https://github.com/spiffe/spire-tutorials/tree/main/docker-compose/federation # Interaction with External Systems 
@@ -84,7 +84,7 @@ SPIRE has a feature to programmatically authenticate on behalf of identified wor The SPIRE OIDC Discovery Provider retrieves a WebPKI certificate using the ACME protocol, which it uses to secure an endpoint that serves an OIDC compatible JWKS bundle and a standard OIDC discovery document. The remote OIDC authenticated service needs then to be configured to locate the endpoint and qualify the WebPKI service. Once this configuration is in place, the remote system’s IAM policies and roles can be set to map to specific SPIFFE IDs. The workload, in turn, will talk to the OIDC-authenticated system by sending a JWT-SVID. The target system then fetches a JWKS from the pre-defined URI which is served by the OIDC Discovery Provider. The target system uses the JWKS file to validate the JWT-SVID, and if the SPIFFE ID contained within the JWT-SVID is authorized to access the requested resource, it serves the request. The workload is then able to access the foreign remote service without possessing any credentials provided by it. For a configuration reference on the OIDC Discovery Provider, see: -https://github.com/spiffe/spire/tree/master/support/oidc-discovery-provider +https://github.com/spiffe/spire/tree/main/support/oidc-discovery-provider For a detailed tutorial on configuring OIDC Federation to Amazon Web Services, refer to: https://spiffe.io/spire/try/oidc-federation-aws/ From 18da14d225b1f8eb8b55856d3f05dac0bf0e5938 Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Wed, 31 Aug 2022 13:19:15 -0300 Subject: [PATCH 102/257] Fix sigstore (#72) * refactor: removed intermediate variables for error messages Signed-off-by: Rodrigo Lopes * refactor: changed log lines Signed-off-by: Rodrigo Lopes * refactor: refactored SelectorValuesFromSignature returns and vars Signed-off-by: Rodrigo Lopes * fix: removed trailing comma from log line Signed-off-by: Rodrigo Lopes * refactor: moved from nil testing to len testing 
Signed-off-by: Rodrigo Lopes * refactor: minor fixes to getSignatureSubject Signed-off-by: Rodrigo Lopes * lint: removed newline Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes Co-authored-by: Rodrigo Lopes Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../workloadattestor/k8s/sigstore/sigstore.go | 53 ++++++++----------- 1 file changed, 21 insertions(+), 32 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index ffc89495b5..8d2e1db4ee 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -118,20 +118,17 @@ func (s *sigstoreImpl) SetLogger(logger hclog.Logger) { func (s *sigstoreImpl) FetchImageSignatures(ctx context.Context, imageName string) ([]oci.Signature, error) { ref, err := name.ParseReference(imageName) if err != nil { - message := fmt.Errorf("error parsing image reference: %w", err) - return nil, message + return nil, fmt.Errorf("error parsing image reference: %w", err) } if _, err := s.ValidateImage(ref); err != nil { - message := fmt.Errorf("could not validate image reference digest: %w", err) - return nil, message + return nil, fmt.Errorf("could not validate image reference digest: %w", err) } co := s.checkOptsFunction(s.rekorURL) sigs, ok, err := s.verifyFunction(ctx, ref, co) if err != nil { - message := fmt.Errorf("error verifying signature: %w", err) - return nil, message + return nil, fmt.Errorf("error verifying signature: %w", err) } if !ok { return nil, fmt.Errorf("bundle not verified for %q", imageName) 
@@ -161,28 +158,25 @@ func (s *sigstoreImpl) ExtractSelectorsFromSignatures(signatures []oci.Signature // SelectorValuesFromSignature extracts selectors from a signature. // returns a list of selectors. func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, containerID string) *SelectorsFromSignatures { - var selectorsFromSignatures *SelectorsFromSignatures subject, err := getSignatureSubject(signature) - if err != nil { s.logger.Error("Error getting signature subject", "error", err) - return selectorsFromSignatures + return nil } if subject == "" { - s.logger.Error("Error getting signature subject:", "error", errors.New("empty subject")) - return selectorsFromSignatures + s.logger.Error("Error getting signature subject", "error", errors.New("empty subject")) + return nil } if s.allowListEnabled { if _, ok := s.subjectAllowList[subject]; !ok { - s.logger.Info("Subject not in allow-list", "subject", subject) - return selectorsFromSignatures + s.logger.Debug("Subject not in allow-list", "subject", subject) + return nil } } - selectorsFromSignatures = &SelectorsFromSignatures{} - selectorsFromSignatures.Subject = subject + selectorsFromSignatures := &SelectorsFromSignatures{Subject: subject} bundle, err := signature.Bundle() if err != nil { @@ -192,9 +186,9 @@ func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, cont sigContent, err := getBundleSignatureContent(bundle) if err != nil { s.logger.Error("Error getting signature content", "error", err) - } else { - selectorsFromSignatures.Content = sigContent } + selectorsFromSignatures.Content = sigContent + if bundle.Payload.LogID != "" { selectorsFromSignatures.LogID = bundle.Payload.LogID } 
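Review bot: Lowering the allow-list miss in SelectorValuesFromSignature from `Info` to `Debug` means a rejected signer is no longer logged unless debug logging is enabled. An image signed by a subject outside `subjectAllowList` is a security-relevant rejection that an operator reviewing failed attestations needs to see, so I would keep it visible with `s.logger.Warn("Subject not in allow-list", "subject", subject)`, or at least restore `Info`. The function body continues past this hunk.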
@@ -208,7 +202,7 @@ func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, cont // If the image ID is found in the skip list, it returns true. // If the image ID is not found in the skip list, it returns false. func (s *sigstoreImpl) ShouldSkipImage(imageID string) (bool, error) { - if s.skippedImages == nil { + if len(s.skippedImages) == 0 { return false, nil } if imageID == "" { @@ -237,7 +231,7 @@ func (s *sigstoreImpl) ClearSkipList() { func (s *sigstoreImpl) ValidateImage(ref name.Reference) (bool, error) { dgst, ok := ref.(name.Digest) if !ok { - return false, fmt.Errorf("reference %s is not a digest", ref.String()) + return false, fmt.Errorf("reference %T is not a digest", ref) } desc, err := s.fetchImageManifestFunction(dgst) if err != nil { @@ -318,10 +312,10 @@ func (s *sigstoreImpl) SetRekorURL(rekorURL string) error { return fmt.Errorf("failed parsing rekor URI: %w", err) } if rekorURI.Scheme != "" && rekorURI.Scheme != "https" { - return fmt.Errorf("invalid rekor URL Scheme: %s", rekorURI.Scheme) + return fmt.Errorf("invalid rekor URL Scheme %q", rekorURI.Scheme) } if rekorURI.Host == "" { - return fmt.Errorf("invalid rekor URL Host: %s", rekorURI.Host) + return fmt.Errorf("host is required on rekor URL") } s.rekorURL = *rekorURI return nil @@ -336,8 +330,7 @@ func getSignatureSubject(signature oci.Signature) (string, error) { if err != nil { return "", err } - err = json.Unmarshal(pl, &ss) - if err != nil { + if err := json.Unmarshal(pl, &ss); err != nil { return "", err } cert, err := signature.Cert() 
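Review bot: In ValidateImage the new message formats `ref` with `%T`, so the error now names only the Go type of the reference and no longer says which image was rejected. This is the error an operator sees when a workload image is not referenced by digest, so keep the value and add the type alongside it: `return false, fmt.Errorf("reference %q (%T) is not a digest", ref.String(), ref)`. The rest of ValidateImage is outside the hunk.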
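Review bot: SetRekorURL still accepts a URL with an empty scheme, because the check touched in this hunk rejects only a non-empty scheme other than `https`. An input such as `//host` passes both that check and the reworded host check, and is stored in `s.rekorURL` without a scheme. Whether the Rekor client later assumes HTTPS is not visible here, so I would make the requirement explicit with `if rekorURI.Scheme != "https" {`, or add a comment explaining why a scheme-less value is allowed. The start of the function is outside the hunk, so any earlier handling of an empty `rekorURL` should stay as it is.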
@@ -345,22 +338,18 @@ func getSignatureSubject(signature oci.Signature) (string, error) { return "", fmt.Errorf("failed to access signature certificate: %w", err) } - subject := "" if cert != nil { - subject = certSubject(cert) - return subject, nil + return certSubject(cert), nil } if len(ss.Optional) > 0 { - subjString, ok := ss.Optional["subject"] - if ok { - subj, ok := subjString.(string) - if ok { - subject = subj + if subjString, ok := ss.Optional["subject"]; ok { + if subj, ok := subjString.(string); ok { + return subj, nil } } } - return subject, nil + return "", errors.New("no subject found in signature") } func getBundleSignatureContent(bundle *bundle.RekorBundle) (string, error) { From 45f6ad4d1338735d551e2b4c54f53e391e1c1b6b Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Wed, 7 Sep 2022 00:59:04 -0300 Subject: [PATCH 103/257] fixing rebase Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s.go | 227 +++-- .../plugin/workloadattestor/k8s/k8s_posix.go | 824 ++---------------- .../plugin/workloadattestor/k8s/k8s_test.go | 470 +++------- 3 files changed, 381 insertions(+), 1140 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s.go b/pkg/agent/plugin/workloadattestor/k8s/k8s.go index ea0f11697a..0bf7bcba11 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s.go 
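Review bot: The fallback in getSignatureSubject returns `ss.Optional["subject"]`, a value read from the signature payload, whenever the signature carries no certificate, and the rewritten code treats it the same as a certificate subject. SelectorValuesFromSignature compares this subject against `subjectAllowList`, so a comment should state the difference, for example `// No certificate: subject comes from the payload's optional fields, not from a certificate identity`. If the allow list is meant to match certificate identities only, this branch needs a deliberate decision; the verification options that decide which signatures reach this point are not visible here. The function begins outside the hunk.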
@@ -1,15 +1,60 @@ package k8s -import "github.com/spiffe/spire/pkg/common/catalog" +import ( + "context" + "crypto/tls" + "crypto/x509" + "encoding/json" + "errors" + "fmt" + "io" + "net/http" + "net/url" + "os" + "strconv" + "strings" + "sync" + "time" + + "github.com/andres-erbsen/clock" + "github.com/hashicorp/go-hclog" + "github.com/hashicorp/hcl" + workloadattestorv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/agent/workloadattestor/v1" + configv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/service/common/config/v1" + "github.com/spiffe/spire/pkg/agent/common/cgroups" + "github.com/spiffe/spire/pkg/agent/plugin/workloadattestor/k8s/sigstore" + "github.com/spiffe/spire/pkg/common/catalog" + "github.com/spiffe/spire/pkg/common/pemutil" + "github.com/spiffe/spire/pkg/common/telemetry" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/types" +) const ( - pluginName = "k8s" + pluginName = "k8s" + defaultMaxPollAttempts = 60 + defaultPollRetryInterval = time.Millisecond * 500 + defaultSecureKubeletPort = 10250 + defaultKubeletCAPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" + defaultTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token" //nolint: gosec // false positive + defaultNodeNameEnv = "MY_NODE_NAME" + defaultReloadInterval = time.Minute + maximumAmountCache = 10 ) func BuiltIn() catalog.BuiltIn { return builtin(New()) } +type containerLookup int + +const ( + containerInPod = iota + containerNotInPod +) + func builtin(p *Plugin) catalog.BuiltIn { return catalog.MakeBuiltIn(pluginName, workloadattestorv1.WorkloadAttestorPluginServer(p), 
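Review bot: The `containerInPod` and `containerNotInPod` constants are declared without a type, so they are untyped integers rather than `containerLookup` values, and `containerInPod` is the zero value. Declaring the first as `containerInPod containerLookup = iota` lets the compiler reject stray integers where a `containerLookup` is expected. Listing the not-found state first would make an uninitialised `containerLookup` read as "not in pod", which is the safer default for an attestation decision. A one-line comment on each constant would also document what lookUpContainerInPod reports.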
@@ -83,6 +128,31 @@ type HCLConfig struct { // but the container may not be in a ready state at the time of attestation // (e.g. when a postStart hook has yet to complete). DisableContainerSelectors bool `hcl:"disable_container_selectors"` + + // Experimental enables experimental features. + Experimental *ExperimentalK8SConfig `hcl:"experimental,omitempty"` +} + +type ExperimentalK8SConfig struct { + + // Sigstore contains sigstore specific configs. + Sigstore *SigstoreHCLConfig `hcl:"sigstore,omitempty"` +} + +// SigstoreHCLConfig holds the sigstore configuration parsed from HCL +type SigstoreHCLConfig struct { + + // RekorURL is the URL for the rekor server to use to verify signatures and public keys + RekorURL string `hcl:"rekor_url"` + + // SkippedImages is a list of images that should skip sigstore verification + SkippedImages []string `hcl:"skip_signature_verification_image_list"` + + // AllowedSubjectListEnabled is a flag indicating whether signature subjects should be compared against AllowedSubjects + AllowedSubjectListEnabled bool `hcl:"enable_allowed_subjects_list"` + + // AllowedSubjects is a list of subjects that should be allowed after verification + AllowedSubjects []string `hcl:"allowed_subjects_list"` } // k8sConfig holds the configuration distilled from HCL @@ -99,12 +169,21 @@ type k8sConfig struct { KubeletCAPath string NodeName string ReloadInterval time.Duration - DisableContainerSelectors bool + + sigstoreConfig *sigstoreConfig Client *kubeletClient LastReload time.Time } +// sigstoreConfig holds the sigstore configuration distilled from HCL +type sigstoreConfig struct { + RekorURL string + SkippedImages []string + AllowedSubjectListEnabled bool + AllowedSubjects []string +} + type ContainerHelper interface { GetPodUIDAndContainerID(pID int32, log hclog.Logger) (types.UID, string, error) } 
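Review bot: The `k8sConfig` hunk on this line removes `DisableContainerSelectors`, yet `HCLConfig` keeps the `disable_container_selectors` field (shown as context in the preceding hunk), so the option is still parsed and then ignored. The Attest hunk further down drops the branches that honoured it, including the case that returned pod selectors when the container was not yet listed, and the Configure hunk drops the assignment. Since the commit is described as a rebase fix, this looks unintended. Either restore the field with `DisableContainerSelectors: config.DisableContainerSelectors,` in Configure and the matching branch in Attest, or remove the HCL field and its documentation so operators do not rely on a setting that has no effect.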
@@ -121,18 +200,24 @@ type Plugin struct { mu sync.RWMutex config *k8sConfig + + sigstore sigstore.Sigstore } func New() *Plugin { return &Plugin{ - fs: cgroups.OSFileSystem{}, - clock: clock.New(), - getenv: os.Getenv, + fs: cgroups.OSFileSystem{}, + clock: clock.New(), + getenv: os.Getenv, + sigstore: nil, } } func (p *Plugin) SetLogger(log hclog.Logger) { p.log = log + if p.sigstore != nil { + p.sigstore.SetLogger(log) + } } func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestRequest) (*workloadattestorv1.AttestResponse, error) { @@ -145,7 +230,6 @@ func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestReque if err != nil { return nil, err } - podKnown := podUID != "" // Not a Kubernetes pod if containerID == "" { 
@@ -170,36 +254,32 @@ func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestReque var attestResponse *workloadattestorv1.AttestResponse for _, item := range list.Items { item := item - if podKnown && item.UID != podUID { - // The pod holding the container is known. Skip unrelated pods. + if isNotPod(item.UID, podUID) { continue } - var selectorValues []string - - containerStatus, containerFound := lookUpContainerInPod(containerID, item.Status, log) - switch { - case containerFound: - // The workload container was found in this pod. Add pod - // selectors. Only add workload container selectors if - // container selectors have not been disabled. - selectorValues = append(selectorValues, getSelectorValuesFromPodInfo(&item)...) - if !config.DisableContainerSelectors { - selectorValues = append(selectorValues, getSelectorValuesFromWorkloadContainerStatus(containerStatus)...) - } - case podKnown && config.DisableContainerSelectors: - // The workload container was not found (i.e. not ready yet?) - // but the pod is known. If container selectors have been - // disabled, then allow the pod selectors to be used. - selectorValues = append(selectorValues, getSelectorValuesFromPodInfo(&item)...) 
- } - - if len(selectorValues) > 0 { + lookupStatus, lookup := lookUpContainerInPod(containerID, item.Status, log) + switch lookup { + case containerInPod: if attestResponse != nil { log.Warn("Two pods found with same container Id") return nil, status.Error(codes.Internal, "two pods found with same container Id") } - attestResponse = &workloadattestorv1.AttestResponse{SelectorValues: selectorValues} + selectors := getSelectorValuesFromPodInfo(&item, lookupStatus) + + if p.config.sigstoreConfig != nil { + log.Debug("Attemping to get signature info for container", telemetry.ContainerName, lookupStatus.Name) + sigstoreSelectors, err := p.sigstore.AttestContainerSignatures(ctx, lookupStatus) + if err != nil { + log.Error("Error retrieving signature payload", "error", err) + } else { + selectors = append(selectors, sigstoreSelectors...) + } + } + attestResponse = &workloadattestorv1.AttestResponse{ + SelectorValues: selectors, + } + case containerNotInPod: } } 
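Review bot: Inside the `containerInPod` case the new code reads `p.config.sigstoreConfig` and `p.sigstore` directly, whereas the lines this hunk removes used a local `config` value and `setConfig` writes `p.config` under `p.mu`. A Configure call that runs during attestation can therefore race with these reads; use the snapshot instead, `if config.sigstoreConfig != nil {`, and guard `p.sigstore` with `p.mu` as well, since Configure assigns it. The empty `case containerNotInPod:` would be clearer with a comment saying that pods not holding the container are skipped. Attest begins before this hunk, so how `config` is obtained should be confirmed there.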
@@ -302,18 +382,63 @@ func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) KubeletCAPath: config.KubeletCAPath, NodeName: nodeName, ReloadInterval: reloadInterval, - DisableContainerSelectors: config.DisableContainerSelectors, } + + // set experimental flags + if config.Experimental != nil && config.Experimental.Sigstore != nil { + c.sigstoreConfig = &sigstoreConfig{ + RekorURL: config.Experimental.Sigstore.RekorURL, + SkippedImages: config.Experimental.Sigstore.SkippedImages, + AllowedSubjectListEnabled: config.Experimental.Sigstore.AllowedSubjectListEnabled, + AllowedSubjects: config.Experimental.Sigstore.AllowedSubjects, + } + } + if err := p.reloadKubeletClient(c); err != nil { return nil, err } + if c.sigstoreConfig != nil { + if p.sigstore == nil { + newcache := sigstore.NewCache(maximumAmountCache) + p.sigstore = sigstore.New(newcache, nil) + p.sigstore.SetLogger(p.log) + } + if err := p.configureSigstore(c, p.sigstore); err != nil { + return nil, err + } + } + // Set the config p.setConfig(c) p.setContainerHelper(containerHelper) return &configv1.ConfigureResponse{}, nil } +func (p *Plugin) configureSigstore(config *k8sConfig, sigstore sigstore.Sigstore) error { + p.mu.Lock() + defer p.mu.Unlock() + + // Configure sigstore settings + sigstore.ClearSkipList() + imageIDList := []string{} + if config.sigstoreConfig.SkippedImages != nil { + imageIDList = append(imageIDList, config.sigstoreConfig.SkippedImages...) 
+ } + sigstore.AddSkippedImage(imageIDList) + sigstore.EnableAllowSubjectList(config.sigstoreConfig.AllowedSubjectListEnabled) + sigstore.ClearAllowedSubjects() + if config.sigstoreConfig.AllowedSubjects != nil { + for _, subject := range config.sigstoreConfig.AllowedSubjects { + sigstore.AddAllowedSubject(subject) + } + } + if err := p.sigstore.SetRekorURL(config.sigstoreConfig.RekorURL); err != nil { + return status.Errorf(codes.InvalidArgument, "failed to parse Rekor URL: %v", err) + } + return nil +} + func (p *Plugin) setConfig(config *k8sConfig) { p.mu.Lock() defer p.mu.Unlock() @@ -547,7 +672,7 @@ func (c *kubeletClient) GetPodList() (*corev1.PodList, error) { return out, nil } -func lookUpContainerInPod(containerID string, status corev1.PodStatus, log hclog.Logger) (*corev1.ContainerStatus, bool) { +func lookUpContainerInPod(containerID string, status corev1.PodStatus, log hclog.Logger) (*corev1.ContainerStatus, containerLookup) { for _, status := range status.ContainerStatuses { // TODO: should we be keying off of the status or is the lack of a // container id sufficient to know the container is not ready? @@ -564,7 +689,7 @@ func lookUpContainerInPod(containerID string, status corev1.PodStatus, log hclog } if containerID == containerURL.Host { - return &status, true + return &status, containerInPod } } 
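Review bot: `configureSigstore` clears and refills the skip list and the allowed-subject list on the live verifier before it validates the Rekor URL, so a `Configure` call that fails on a bad URL has already changed the verification policy while `p.config` still holds the old settings. Validating first keeps the update all-or-nothing: move the check to the top of the function as `if err := sigstore.SetRekorURL(config.sigstoreConfig.RekorURL); err != nil {`. That form also uses the `sigstore` parameter rather than `p.sigstore`, which the current body mixes; renaming the parameter (for example `s`) would stop it shadowing the `sigstore` package. Attest appears to call the verifier without `p.mu`, so the window between `ClearAllowedSubjects` and the re-adds may be visible to a concurrent attestation.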
@@ -584,16 +709,16 @@ func lookUpContainerInPod(containerID string, status corev1.PodStatus, log hclog } if containerID == containerURL.Host { - return &status, true + return &status, containerInPod } } - return nil, false + return nil, containerNotInPod } -func getPodImageIdentifiers(containerStatuses ...corev1.ContainerStatus) map[string]struct{} { +func getPodImageIdentifiers(containerStatusArray []corev1.ContainerStatus) map[string]bool { // Map is used purely to exclude duplicate selectors, value is unused. - podImages := make(map[string]struct{}) + podImages := make(map[string]bool) // Note that for each pod image we generate *2* matching selectors. // This is to support matching against ImageID, which has a SHA // docker.io/envoyproxy/envoy-alpine@sha256:bf862e5f5eca0a73e7e538224578c5cf867ce2be91b5eaed22afc153c00363eb 
@@ -602,28 +727,36 @@ func getPodImageIdentifiers(containerStatuses ...corev1.ContainerStatus) map[str // while also maintaining backwards compatibility and allowing for dynamic workload registration (k8s operator) // when the SHA is not yet known (e.g. before the image pull is initiated at workload creation time) // More info here: https://github.com/spiffe/spire/issues/2026 - for _, containerStatus := range containerStatuses { - podImages[containerStatus.ImageID] = struct{}{} - podImages[containerStatus.Image] = struct{}{} + for _, status := range containerStatusArray { + podImages[status.ImageID] = true + podImages[status.Image] = true } return podImages } -func getSelectorValuesFromPodInfo(pod *corev1.Pod) []string { +func getSelectorValuesFromPodInfo(pod *corev1.Pod, status *corev1.ContainerStatus) []string { + podImageIdentifiers := getPodImageIdentifiers(pod.Status.ContainerStatuses) + podInitImageIdentifiers := getPodImageIdentifiers(pod.Status.InitContainerStatuses) + containerImageIdentifiers := getPodImageIdentifiers([]corev1.ContainerStatus{*status}) + selectorValues := []string{ fmt.Sprintf("sa:%s", pod.Spec.ServiceAccountName), fmt.Sprintf("ns:%s", pod.Namespace), fmt.Sprintf("node-name:%s", pod.Spec.NodeName), fmt.Sprintf("pod-uid:%s", pod.UID), fmt.Sprintf("pod-name:%s", pod.Name), + fmt.Sprintf("container-name:%s", status.Name), fmt.Sprintf("pod-image-count:%s", strconv.Itoa(len(pod.Status.ContainerStatuses))), fmt.Sprintf("pod-init-image-count:%s", strconv.Itoa(len(pod.Status.InitContainerStatuses))), } - for podImage := range getPodImageIdentifiers(pod.Status.ContainerStatuses...) { + for containerImage := range containerImageIdentifiers { + selectorValues = append(selectorValues, fmt.Sprintf("container-image:%s", containerImage)) + } + for podImage := range podImageIdentifiers { selectorValues = append(selectorValues, fmt.Sprintf("pod-image:%s", podImage)) } - for podInitImage := range getPodImageIdentifiers(pod.Status.InitContainerStatuses...) 
{ + for podInitImage := range podInitImageIdentifiers { selectorValues = append(selectorValues, fmt.Sprintf("pod-init-image:%s", podInitImage)) } @@ -638,14 +771,6 @@ func getSelectorValuesFromPodInfo(pod *corev1.Pod) []string { return selectorValues } -func getSelectorValuesFromWorkloadContainerStatus(status *corev1.ContainerStatus) []string { - selectorValues := []string{fmt.Sprintf("container-name:%s", status.Name)} - for containerImage := range getPodImageIdentifiers(*status) { - selectorValues = append(selectorValues, fmt.Sprintf("container-image:%s", containerImage)) - } - return selectorValues -} - func tryRead(r io.Reader) string { buf := make([]byte, 1024) n, _ := r.Read(buf) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index ad211b4792..15e2fade92 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go 
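Review bot: `getPodImageIdentifiers` stores `status.ImageID` and `status.Image` unconditionally, so a container status whose image ID is not populated yet may produce a selector with an empty value, such as `container-image:` or `pod-image:`. Skipping empty strings avoids emitting it: `if status.ImageID != "" { podImages[status.ImageID] = true }`, and the same for `Image`. `getSelectorValuesFromPodInfo` now dereferences `*status`, so a doc comment such as `// status must be non-nil; it is the ContainerStatus returned by lookUpContainerInPod` would record the precondition. Both function bodies extend beyond this hunk.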
@@ -4,426 +4,38 @@ package k8s import ( - "context" - "crypto/tls" - "crypto/x509" - "encoding/json" - "errors" - "fmt" - "io" "log" - "net/http" - "net/url" - "os" "regexp" - "strconv" "strings" - "sync" - "time" "unicode" - "github.com/andres-erbsen/clock" "github.com/hashicorp/go-hclog" - "github.com/hashicorp/hcl" - workloadattestorv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/agent/workloadattestor/v1" - configv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/service/common/config/v1" "github.com/spiffe/spire/pkg/agent/common/cgroups" - "github.com/spiffe/spire/pkg/agent/plugin/workloadattestor/k8s/sigstore" - "github.com/spiffe/spire/pkg/common/catalog" - "github.com/spiffe/spire/pkg/common/pemutil" - "github.com/spiffe/spire/pkg/common/telemetry" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" - corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" ) -const ( - defaultMaxPollAttempts = 60 - defaultPollRetryInterval = time.Millisecond * 500 - defaultSecureKubeletPort = 10250 - defaultKubeletCAPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" - defaultTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token" //nolint: gosec // false positive - defaultNodeNameEnv = "MY_NODE_NAME" - defaultReloadInterval = time.Minute -) - -type containerLookup int - -const ( - containerInPod = iota - containerNotInPod - maximumAmountCache = 10 -) - -func builtin(p *Plugin) catalog.BuiltIn { - return catalog.MakeBuiltIn(pluginName, - workloadattestorv1.WorkloadAttestorPluginServer(p), - configv1.ConfigServiceServer(p), - ) -} - -// HCLConfig holds the configuration parsed from HCL -type HCLConfig struct { - // KubeletReadOnlyPort defines the read only port for the kubelet - // (typically 10255). This option is mutally exclusive with - // KubeletSecurePort. - KubeletReadOnlyPort int `hcl:"kubelet_read_only_port"` - - // KubeletSecurePort defines the secure port for the kubelet (typically - // 10250). 
This option is mutually exclusive with KubeletReadOnlyPort. - KubeletSecurePort int `hcl:"kubelet_secure_port"` - - // MaxPollAttempts is the maximum number of polling attempts for the - // container hosting the workload process. - MaxPollAttempts int `hcl:"max_poll_attempts"` - - // PollRetryInterval is the time in between polling attempts. - PollRetryInterval string `hcl:"poll_retry_interval"` - - // KubeletCAPath is the path to the CA certificate for authenticating the - // kubelet over the secure port. Required when using the secure port unless - // SkipKubeletVerification is set. Defaults to the cluster trust bundle. - KubeletCAPath string `hcl:"kubelet_ca_path"` - - // SkipKubeletVerification controls whether or not the plugin will - // verify the certificate presented by the kubelet. - SkipKubeletVerification bool `hcl:"skip_kubelet_verification"` - - // TokenPath is the path to the bearer token used to authenticate to the - // secure port. Defaults to the default service account token path unless - // PrivateKeyPath and CertificatePath are specified. - TokenPath string `hcl:"token_path"` - - // CertificatePath is the path to a certificate key used for client - // authentication with the kubelet. Must be used with PrivateKeyPath. - CertificatePath string `hcl:"certificate_path"` - - // PrivateKeyPath is the path to a private key used for client - // authentication with the kubelet. Must be used with CertificatePath. - PrivateKeyPath string `hcl:"private_key_path"` - - // NodeNameEnv is the environment variable used to determine the node name - // for contacting the kubelet. It defaults to "MY_NODE_NAME". If the - // environment variable is not set, and NodeName is not specified, the - // plugin will default to localhost (which requires host networking). - NodeNameEnv string `hcl:"node_name_env"` - - // NodeName is the node name used when contacting the kubelet. If set, it - // takes precedence over NodeNameEnv. 
- NodeName string `hcl:"node_name"` - - // ReloadInterval controls how often TLS and token configuration is loaded - // from the disk. - ReloadInterval string `hcl:"reload_interval"` - - // Experimental enables experimental features. - Experimental *ExperimentalK8SConfig `hcl:"experimental,omitempty"` +func (p *Plugin) defaultKubeletCAPath() string { + return defaultKubeletCAPath } -type ExperimentalK8SConfig struct { - - // Sigstore contains sigstore specific configs. - Sigstore *SigstoreHCLConfig `hcl:"sigstore,omitempty"` +func (p *Plugin) defaultTokenPath() string { + return defaultTokenPath } -// SigstoreHCLConfig holds the sigstore configuration parsed from HCL -type SigstoreHCLConfig struct { - - // RekorURL is the URL for the rekor server to use to verify signatures and public keys - RekorURL string `hcl:"rekor_url"` - - // SkippedImages is a list of images that should skip sigstore verification - SkippedImages []string `hcl:"skip_signature_verification_image_list"` - - // AllowedSubjectListEnabled is a flag indicating whether signature subjects should be compared against AllowedSubjects - AllowedSubjectListEnabled bool `hcl:"enable_allowed_subjects_list"` - - // AllowedSubjects is a list of subjects that should be allowed after verification - AllowedSubjects []string `hcl:"allowed_subjects_list"` +func createHelper(c *Plugin) (ContainerHelper, error) { + return &containerHelper{ + fs: c.fs, + }, nil } -// k8sConfig holds the configuration distilled from HCL -type k8sConfig struct { - Secure bool - Port int - MaxPollAttempts int - PollRetryInterval time.Duration - SkipKubeletVerification bool - TokenPath string - CertificatePath string - PrivateKeyPath string - KubeletCAPath string - NodeName string - ReloadInterval time.Duration - - sigstoreConfig *sigstoreConfig - - Client *kubeletClient - LastReload time.Time +type containerHelper struct { + fs cgroups.FileSystem } -// sigstoreConfig holds the sigstore configuration distilled from HCL -type 
sigstoreConfig struct { - RekorURL string - SkippedImages []string - AllowedSubjectListEnabled bool - AllowedSubjects []string -} - -type Plugin struct { - workloadattestorv1.UnsafeWorkloadAttestorServer - configv1.UnsafeConfigServer - - log hclog.Logger - fs cgroups.FileSystem - clock clock.Clock - getenv func(string) string - - mu sync.RWMutex - config *k8sConfig - - sigstore sigstore.Sigstore -} - -func New() *Plugin { - return &Plugin{ - fs: cgroups.OSFileSystem{}, - clock: clock.New(), - getenv: os.Getenv, - sigstore: nil, - } -} - -func (p *Plugin) SetLogger(log hclog.Logger) { - p.log = log - if p.sigstore != nil { - p.sigstore.SetLogger(log) - } -} - -func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestRequest) (*workloadattestorv1.AttestResponse, error) { - config, err := p.getConfig() - if err != nil { - return nil, err - } - - podUID, containerID, err := p.getPodUIDAndContainerIDFromCGroups(req.Pid) - if err != nil { - return nil, err - } - - // Not a Kubernetes pod - if containerID == "" { - return &workloadattestorv1.AttestResponse{}, nil - } - - log := p.log.With( - telemetry.PodUID, podUID, - telemetry.ContainerID, containerID, - ) - - // Poll pod information and search for the pod with the container. If - // the pod is not found then delay for a little bit and try again. 
- for attempt := 1; ; attempt++ { - log = log.With(telemetry.Attempt, attempt) - - list, err := config.Client.GetPodList() - if err != nil { - return nil, err - } - - for _, item := range list.Items { - item := item - if item.UID != podUID { - continue - } - - status, lookup := lookUpContainerInPod(containerID, item.Status) - switch lookup { - case containerInPod: - selectors := getSelectorValuesFromPodInfo(&item, status) - if p.config.sigstoreConfig != nil { - log.Debug("Attemping to get signature info for container", telemetry.ContainerName, status.Name) - sigstoreSelectors, err := p.sigstore.AttestContainerSignatures(ctx, status) - if err != nil { - log.Error("Error retrieving signature payload", "error", err) - } else { - selectors = append(selectors, sigstoreSelectors...) - } - } - - return &workloadattestorv1.AttestResponse{ - SelectorValues: selectors, - }, nil - case containerNotInPod: - } - } - - // if the container was not located after the maximum number of attempts then the search is over. - if attempt >= config.MaxPollAttempts { - log.Warn("Container id not found; giving up") - return nil, status.Error(codes.DeadlineExceeded, "no selectors found after max poll attempts") - } - - // wait a bit for containers to initialize before trying again. 
- log.Warn("Container id not found", telemetry.RetryInterval, config.PollRetryInterval) - - select { - case <-p.clock.After(config.PollRetryInterval): - case <-ctx.Done(): - return nil, status.Errorf(codes.Canceled, "no selectors found: %v", ctx.Err()) - } - } -} - -func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) (resp *configv1.ConfigureResponse, err error) { - // Parse HCL config payload into config struct - config := new(HCLConfig) - if err := hcl.Decode(config, req.HclConfiguration); err != nil { - return nil, status.Errorf(codes.InvalidArgument, "unable to decode configuration: %v", err) - } - - // Determine max poll attempts with default - maxPollAttempts := config.MaxPollAttempts - if maxPollAttempts <= 0 { - maxPollAttempts = defaultMaxPollAttempts - } - - // Determine poll retry interval with default - var pollRetryInterval time.Duration - if config.PollRetryInterval != "" { - pollRetryInterval, err = time.ParseDuration(config.PollRetryInterval) - if err != nil { - return nil, status.Errorf(codes.InvalidArgument, "unable to parse poll retry interval: %v", err) - } - } - if pollRetryInterval <= 0 { - pollRetryInterval = defaultPollRetryInterval - } - - // Determine reload interval - var reloadInterval time.Duration - if config.ReloadInterval != "" { - reloadInterval, err = time.ParseDuration(config.ReloadInterval) - if err != nil { - return nil, status.Errorf(codes.InvalidArgument, "unable to parse reload interval: %v", err) - } - } - if reloadInterval <= 0 { - reloadInterval = defaultReloadInterval - } - - // Determine which kubelet port to hit. Default to the secure port if none - // is specified (this is backwards compatible because the read-only-port - // config value has always been required, so it should already be set in - // existing configurations that rely on it). 
- if config.KubeletSecurePort > 0 && config.KubeletReadOnlyPort > 0 { - return nil, status.Error(codes.InvalidArgument, "cannot use both the read-only and secure port") - } - port := config.KubeletReadOnlyPort - secure := false - if port <= 0 { - port = config.KubeletSecurePort - secure = true - } - if port <= 0 { - port = defaultSecureKubeletPort - secure = true - } - - // Determine the node name - nodeName := p.getNodeName(config.NodeName, config.NodeNameEnv) - - // Configure the kubelet client - c := &k8sConfig{ - Secure: secure, - Port: port, - MaxPollAttempts: maxPollAttempts, - PollRetryInterval: pollRetryInterval, - SkipKubeletVerification: config.SkipKubeletVerification, - TokenPath: config.TokenPath, - CertificatePath: config.CertificatePath, - PrivateKeyPath: config.PrivateKeyPath, - KubeletCAPath: config.KubeletCAPath, - NodeName: nodeName, - ReloadInterval: reloadInterval, - } - - // set experimental flags - if config.Experimental != nil && config.Experimental.Sigstore != nil { - c.sigstoreConfig = &sigstoreConfig{ - RekorURL: config.Experimental.Sigstore.RekorURL, - SkippedImages: config.Experimental.Sigstore.SkippedImages, - AllowedSubjectListEnabled: config.Experimental.Sigstore.AllowedSubjectListEnabled, - AllowedSubjects: config.Experimental.Sigstore.AllowedSubjects, - } - } - - if err := p.reloadKubeletClient(c); err != nil { - return nil, err - } - if c.sigstoreConfig != nil { - if p.sigstore == nil { - newcache := sigstore.NewCache(maximumAmountCache) - p.sigstore = sigstore.New(newcache, nil) - p.sigstore.SetLogger(p.log) - } - if err := p.configureSigstore(c, p.sigstore); err != nil { - return nil, err - } - } - - // Set the config - p.setConfig(c) - return &configv1.ConfigureResponse{}, nil -} - -func (p *Plugin) configureSigstore(config *k8sConfig, sigstore sigstore.Sigstore) error { - p.mu.Lock() - defer p.mu.Unlock() - - // Configure sigstore settings - sigstore.ClearSkipList() - imageIDList := []string{} - if 
config.sigstoreConfig.SkippedImages != nil { - imageIDList = append(imageIDList, config.sigstoreConfig.SkippedImages...) - } - sigstore.AddSkippedImage(imageIDList) - sigstore.EnableAllowSubjectList(config.sigstoreConfig.AllowedSubjectListEnabled) - sigstore.ClearAllowedSubjects() - if config.sigstoreConfig.AllowedSubjects != nil { - for _, subject := range config.sigstoreConfig.AllowedSubjects { - sigstore.AddAllowedSubject(subject) - } - } - if err := p.sigstore.SetRekorURL(config.sigstoreConfig.RekorURL); err != nil { - return status.Errorf(codes.InvalidArgument, "failed to parse Rekor URL: %v", err) - } - return nil -} - -func (p *Plugin) setConfig(config *k8sConfig) { - p.mu.Lock() - defer p.mu.Unlock() - p.config = config -} - -func (p *Plugin) getConfig() (*k8sConfig, error) { - p.mu.RLock() - defer p.mu.RUnlock() - - if p.config == nil { - return nil, status.Error(codes.FailedPrecondition, "not configured") - } - if err := p.reloadKubeletClient(p.config); err != nil { - p.log.Warn("Unable to load kubelet client", "err", err) - } - return p.config, nil -} - -func (p *Plugin) getPodUIDAndContainerIDFromCGroups(pid int32) (types.UID, string, error) { - cgroups, err := cgroups.GetCgroups(pid, p.fs) +func (h *containerHelper) GetPodUIDAndContainerID(pID int32, _ hclog.Logger) (types.UID, string, error) { + cgroups, err := cgroups.GetCgroups(pID, h.fs) if err != nil { return "", "", status.Errorf(codes.Internal, "unable to obtain cgroups: %v", err) } 
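Review bot: `GetPodUIDAndContainerID` discards the logger it is given (`_ hclog.Logger`), while the import block keeps the standard `log` package and a later hunk in this file reports ambiguous cgroup matches through `log.Printf`. Those messages would bypass the plugin's logger; naming the parameter (for example `logger hclog.Logger`, to avoid shadowing the `log` package) and passing it down to the cgroup parsing helpers would keep them in the agent's log stream. `createHelper` and `containerHelper` have no doc comments either; one line each, e.g. `// containerHelper resolves the pod UID and container ID from cgroups on POSIX systems`, would help. The method body continues past the end of this hunk.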
@@ -431,212 +43,6 @@ func (p *Plugin) getPodUIDAndContainerIDFromCGroups(pid int32) (types.UID, strin return getPodUIDAndContainerIDFromCGroups(cgroups) } -func (p *Plugin) reloadKubeletClient(config *k8sConfig) (err error) { - // The insecure client only needs to be loaded once. - if !config.Secure { - if config.Client == nil { - config.Client = &kubeletClient{ - URL: url.URL{ - Scheme: "http", - Host: fmt.Sprintf("127.0.0.1:%d", config.Port), - }, - } - } - return nil - } - - // Is the client still fresh? - if config.Client != nil && p.clock.Now().Sub(config.LastReload) < config.ReloadInterval { - return nil - } - - tlsConfig := &tls.Config{ - InsecureSkipVerify: config.SkipKubeletVerification, //nolint: gosec // intentionally configurable - } - - var rootCAs *x509.CertPool - if !config.SkipKubeletVerification { - rootCAs, err = p.loadKubeletCA(config.KubeletCAPath) - if err != nil { - return err - } - } - - switch { - case config.SkipKubeletVerification: - - // When contacting the kubelet over localhost, skip the hostname validation. - // Unfortunately Go does not make this straightforward. We disable - // verification but supply a VerifyPeerCertificate that will be called - // with the raw kubelet certs that we can verify directly. - case config.NodeName == "": - tlsConfig.InsecureSkipVerify = true - tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error { - var certs []*x509.Certificate - for _, rawCert := range rawCerts { - cert, err := x509.ParseCertificate(rawCert) - if err != nil { - return err - } - certs = append(certs, cert) - } - - // this is improbable. 
- if len(certs) == 0 { - return errors.New("no certs presented by kubelet") - } - - _, err := certs[0].Verify(x509.VerifyOptions{ - Roots: rootCAs, - Intermediates: newCertPool(certs[1:]), - }) - return err - } - default: - tlsConfig.RootCAs = rootCAs - } - - var token string - switch { - case config.CertificatePath != "" && config.PrivateKeyPath != "": - kp, err := p.loadX509KeyPair(config.CertificatePath, config.PrivateKeyPath) - if err != nil { - return err - } - tlsConfig.Certificates = append(tlsConfig.Certificates, *kp) - case config.CertificatePath != "" && config.PrivateKeyPath == "": - return status.Error(codes.InvalidArgument, "the private key path is required with the certificate path") - case config.CertificatePath == "" && config.PrivateKeyPath != "": - return status.Error(codes.InvalidArgument, "the certificate path is required with the private key path") - case config.CertificatePath == "" && config.PrivateKeyPath == "": - token, err = p.loadToken(config.TokenPath) - if err != nil { - return err - } - } - - host := config.NodeName - if host == "" { - host = "127.0.0.1" - } - - config.Client = &kubeletClient{ - Transport: &http.Transport{ - TLSClientConfig: tlsConfig, - }, - URL: url.URL{ - Scheme: "https", - Host: fmt.Sprintf("%s:%d", host, config.Port), - }, - Token: token, - } - config.LastReload = p.clock.Now() - return nil -} - -func (p *Plugin) loadKubeletCA(path string) (*x509.CertPool, error) { - if path == "" { - path = defaultKubeletCAPath - } - caPEM, err := p.readFile(path) - if err != nil { - return nil, status.Errorf(codes.InvalidArgument, "unable to load kubelet CA: %v", err) - } - certs, err := pemutil.ParseCertificates(caPEM) - if err != nil { - return nil, status.Errorf(codes.InvalidArgument, "unable to parse kubelet CA: %v", err) - } - - return newCertPool(certs), nil -} - -func (p *Plugin) loadX509KeyPair(cert, key string) (*tls.Certificate, error) { - certPEM, err := p.readFile(cert) - if err != nil { - return nil, 
status.Errorf(codes.InvalidArgument, "unable to load certificate: %v", err) - } - keyPEM, err := p.readFile(key) - if err != nil { - return nil, status.Errorf(codes.InvalidArgument, "unable to load private key: %v", err) - } - kp, err := tls.X509KeyPair(certPEM, keyPEM) - if err != nil { - return nil, status.Errorf(codes.InvalidArgument, "unable to load keypair: %v", err) - } - return &kp, nil -} - -func (p *Plugin) loadToken(path string) (string, error) { - if path == "" { - path = defaultTokenPath - } - token, err := p.readFile(path) - if err != nil { - return "", status.Errorf(codes.InvalidArgument, "unable to load token: %v", err) - } - return strings.TrimSpace(string(token)), nil -} - -// readFile reads the contents of a file through the filesystem interface -func (p *Plugin) readFile(path string) ([]byte, error) { - f, err := p.fs.Open(path) - if err != nil { - return nil, err - } - defer f.Close() - return io.ReadAll(f) -} - -func (p *Plugin) getNodeName(name string, env string) string { - switch { - case name != "": - return name - case env != "": - return p.getenv(env) - default: - return p.getenv(defaultNodeNameEnv) - } -} - -type kubeletClient struct { - Transport *http.Transport - URL url.URL - Token string -} - -func (c *kubeletClient) GetPodList() (*corev1.PodList, error) { - url := c.URL - url.Path = "/pods" - req, err := http.NewRequest("GET", url.String(), nil) - if err != nil { - return nil, status.Errorf(codes.Internal, "unable to create request: %v", err) - } - if c.Token != "" { - req.Header.Set("Authorization", "Bearer "+c.Token) - } - - client := &http.Client{} - if c.Transport != nil { - client.Transport = c.Transport - } - resp, err := client.Do(req) - if err != nil { - return nil, status.Errorf(codes.Internal, "unable to perform request: %v", err) - } - defer resp.Body.Close() - - if resp.StatusCode != http.StatusOK { - return nil, status.Errorf(codes.Internal, "unexpected status code on pods response: %d %s", resp.StatusCode, 
tryRead(resp.Body)) - } - - out := new(corev1.PodList) - if err := json.NewDecoder(resp.Body).Decode(out); err != nil { - return nil, status.Errorf(codes.Internal, "unable to decode kubelet response: %v", err) - } - - return out, nil -} - func getPodUIDAndContainerIDFromCGroups(cgroups []cgroups.Cgroup) (types.UID, string, error) { var podUID types.UID var containerID string 
@@ -664,22 +70,64 @@ func getPodUIDAndContainerIDFromCGroups(cgroups []cgroups.Cgroup) (types.UID, st return podUID, containerID, nil } -// cgroupRE is the regex used to parse out the pod UID and container ID from a -// cgroup name. It assumes that any ".scope" suffix has been trimmed off -// beforehand. CAUTION: we used to verify that the pod and container id were -// descendants of a kubepods directory, however, as of Kubernetes 1.21, cgroups -// namespaces are in use and therefore we can no longer discern if that is the -// case from within SPIRE agent container (since the container itself is -// namespaced). As such, the regex has been relaxed to simply find the pod UID -// followed by the container ID with allowances for arbitrary punctuation, and -// container runtime prefixes, etc. -var cgroupRE = regexp.MustCompile(`` + - // "pod"-prefixed Pod UID (with punctuation separated groups) followed by punctuation - `[[:punct:]]pod([[:xdigit:]]{8}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{12})[[:punct:]]` + - // zero or more punctuation separated "segments" (e.g. "docker-") - `(?:[[:^punct:]]+[[:punct:]])*` + - // non-punctuation end of string, i.e., the container ID - `([[:^punct:]]+)$`) +// regexes listed here have to exlusively match a cgroup path +// the regexes must include two named groups "poduid" and "containerid" +// if the regex needs to exclude certain substrings, the "mustnotmatch" group can be used +var cgroupREs = []*regexp.Regexp{ + // the regex used to parse out the pod UID and container ID from a + // cgroup name. It assumes that any ".scope" suffix has been trimmed off + // beforehand. 
CAUTION: we used to verify that the pod and container id were + // descendants of a kubepods directory, however, as of Kubernetes 1.21, cgroups + // namespaces are in use and therefore we can no longer discern if that is the + // case from within SPIRE agent container (since the container itself is + // namespaced). As such, the regex has been relaxed to simply find the pod UID + // followed by the container ID with allowances for arbitrary punctuation, and + // container runtime prefixes, etc. + regexp.MustCompile(`` + + // "pod"-prefixed Pod UID (with punctuation separated groups) followed by punctuation + `[[:punct:]]pod(?P[[:xdigit:]]{8}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{12})[[:punct:]]` + + // zero or more punctuation separated "segments" (e.g. "docker-") + `(?:[[:^punct:]]+[[:punct:]])*` + + // non-punctuation end of string, i.e., the container ID + `(?P[[:^punct:]]+)$`), + + // This regex applies for container runtimes, that won't put the PodUID into + // the cgroup name. + // Currently only cri-o in combination with kubeedge is known for this abnormally. 
+ regexp.MustCompile(`` + + // intentionally empty poduid group + `(?P)` + + // mustnotmatch group: cgroup path must not include a poduid + `(?Ppod[[:xdigit:]]{8}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{12}[[:punct:]])?` + + // /crio- + `(?:[[:^punct:]]*/*)*crio[[:punct:]]` + + // non-punctuation end of string, i.e., the container ID + `(?P[[:^punct:]]+)$`), +} + +func reSubMatchMap(r *regexp.Regexp, str string) map[string]string { + match := r.FindStringSubmatch(str) + if match == nil { + return nil + } + subMatchMap := make(map[string]string) + for i, name := range r.SubexpNames() { + if i != 0 { + subMatchMap[name] = match[i] + } + } + return subMatchMap +} + +func isValidCGroupPathMatches(matches map[string]string) bool { + if matches == nil { + return false + } + if matches["mustnotmatch"] != "" { + return false + } + return true +} func getPodUIDAndContainerIDFromCGroupPath(cgroupPath string) (types.UID, string, bool) { // We are only interested in kube pods entries, for example: 
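Review bot: The second pattern is not anchored at the start, so apart from the `mustnotmatch` exclusion it accepts any path that ends in `crio`, one punctuation character and a run of non-punctuation, and it yields an empty pod UID. For these workloads the container ID is then the only value tying the calling process to a pod. The example path added in the next hunk shows a 64-digit hex ID; if CRI-O IDs always have that shape, narrowing the last group from `[[:^punct:]]+` to `[[:xdigit:]]{64}` would reduce what this fallback can match. As a style point, `isValidCGroupPathMatches` can be the single line `return matches != nil && matches["mustnotmatch"] == ""`.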
@@ -688,15 +136,30 @@ func getPodUIDAndContainerIDFromCGroupPath(cgroupPath string) (types.UID, string // - /kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod2c48913c-b29f-11e7-9350-020968147796.slice/docker-9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961.scope // - /kubepods-besteffort-pod72f7f152_440c_66ac_9084_e0fc1d8a910c.slice:cri-containerd:b2a102854b4969b2ce98dc329c86b4fb2b06e4ad2cc8da9d8a7578c9cd2004a2" // - /../../pod2c48913c-b29f-11e7-9350-020968147796/9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961 - + // - 0::/../crio-45490e76e0878aaa4d9808f7d2eefba37f093c3efbba9838b6d8ab804d9bd814.scope // First trim off any .scope suffix. This allows for a cleaner regex since // we don't have to muck with greediness. TrimSuffix is no-copy so this // is cheap. cgroupPath = strings.TrimSuffix(cgroupPath, ".scope") - matches := cgroupRE.FindStringSubmatch(cgroupPath) - if matches != nil { - return canonicalizePodUID(matches[1]), matches[2], true + var matchResults map[string]string + for _, regex := range cgroupREs { + matches := reSubMatchMap(regex, cgroupPath) + if isValidCGroupPathMatches(matches) { + if matchResults != nil { + log.Printf("More than one regex matches for cgroup %s", cgroupPath) + return "", "", false + } + matchResults = matches + } + } + + if matchResults != nil { + var podUID types.UID + if matchResults["poduid"] != "" { + podUID = canonicalizePodUID(matchResults["poduid"]) + } + return podUID, matchResults["containerid"], true } return "", "", false } 
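Review bot: When more than one pattern matches, the function returns `"", "", false`, the same result as no match, so the caller cannot tell an ambiguous cgroup path from a process that is not in a pod; how the caller treats that result is outside this hunk. A distinct signal, or at least a comment stating that ambiguity is deliberately treated as not-a-pod, would make the choice reviewable. The message should quote the path, `log.Printf("More than one regex matches for cgroup %q", cgroupPath)`, since it is read from the workload's cgroup entry. A comment at the final return is also worth adding, e.g. `// podUID may be empty when the runtime's cgroup path carries no pod UID`, because callers presumably then have only the container ID to match on.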
@@ -713,111 +176,6 @@ func canonicalizePodUID(uid string) types.UID { }, uid)) } -func lookUpContainerInPod(containerID string, status corev1.PodStatus) (*corev1.ContainerStatus, containerLookup) { - for _, status := range status.ContainerStatuses { - // TODO: should we be keying off of the status or is the lack of a - // container id sufficient to know the container is not ready? - if status.ContainerID == "" { - continue - } - - containerURL, err := url.Parse(status.ContainerID) - if err != nil { - log.Printf("Malformed container id %q: %v", status.ContainerID, err) - continue - } - - if containerID == containerURL.Host { - return &status, containerInPod - } - } - - for _, status := range status.InitContainerStatuses { - // TODO: should we be keying off of the status or is the lack of a - // container id sufficient to know the container is not ready? - if status.ContainerID == "" { - continue - } - - containerURL, err := url.Parse(status.ContainerID) - if err != nil { - log.Printf("Malformed container id %q: %v", status.ContainerID, err) - continue - } - - if containerID == containerURL.Host { - return &status, containerInPod - } - } - - return nil, containerNotInPod -} - -func getPodImageIdentifiers(containerStatusArray []corev1.ContainerStatus) map[string]bool { - // Map is used purely to exclude duplicate selectors, value is unused. - podImages := make(map[string]bool) - // Note that for each pod image we generate *2* matching selectors. - // This is to support matching against ImageID, which has a SHA - // docker.io/envoyproxy/envoy-alpine@sha256:bf862e5f5eca0a73e7e538224578c5cf867ce2be91b5eaed22afc153c00363eb - // as well as - // docker.io/envoyproxy/envoy-alpine:v1.16.0, which does not, - // while also maintaining backwards compatibility and allowing for dynamic workload registration (k8s operator) - // when the SHA is not yet known (e.g. 
before the image pull is initiated at workload creation time) - // More info here: https://github.com/spiffe/spire/issues/2026 - for _, status := range containerStatusArray { - podImages[status.ImageID] = true - podImages[status.Image] = true - } - return podImages -} - -func getSelectorValuesFromPodInfo(pod *corev1.Pod, status *corev1.ContainerStatus) []string { - podImageIdentifiers := getPodImageIdentifiers(pod.Status.ContainerStatuses) - podInitImageIdentifiers := getPodImageIdentifiers(pod.Status.InitContainerStatuses) - containerImageIdentifiers := getPodImageIdentifiers([]corev1.ContainerStatus{*status}) - - selectorValues := []string{ - fmt.Sprintf("sa:%s", pod.Spec.ServiceAccountName), - fmt.Sprintf("ns:%s", pod.Namespace), - fmt.Sprintf("node-name:%s", pod.Spec.NodeName), - fmt.Sprintf("pod-uid:%s", pod.UID), - fmt.Sprintf("pod-name:%s", pod.Name), - fmt.Sprintf("container-name:%s", status.Name), - fmt.Sprintf("pod-image-count:%s", strconv.Itoa(len(pod.Status.ContainerStatuses))), - fmt.Sprintf("pod-init-image-count:%s", strconv.Itoa(len(pod.Status.InitContainerStatuses))), - } - - for containerImage := range containerImageIdentifiers { - selectorValues = append(selectorValues, fmt.Sprintf("container-image:%s", containerImage)) - } - for podImage := range podImageIdentifiers { - selectorValues = append(selectorValues, fmt.Sprintf("pod-image:%s", podImage)) - } - for podInitImage := range podInitImageIdentifiers { - selectorValues = append(selectorValues, fmt.Sprintf("pod-init-image:%s", podInitImage)) - } - - for k, v := range pod.Labels { - selectorValues = append(selectorValues, fmt.Sprintf("pod-label:%s:%s", k, v)) - } - for _, ownerReference := range pod.OwnerReferences { - selectorValues = append(selectorValues, fmt.Sprintf("pod-owner:%s:%s", ownerReference.Kind, ownerReference.Name)) - selectorValues = append(selectorValues, fmt.Sprintf("pod-owner-uid:%s:%s", ownerReference.Kind, ownerReference.UID)) - } - - return selectorValues -} - -func 
tryRead(r io.Reader) string { - buf := make([]byte, 1024) - n, _ := r.Read(buf) - return string(buf[:n]) -} - -func newCertPool(certs []*x509.Certificate) *x509.CertPool { - certPool := x509.NewCertPool() - for _, cert := range certs { - certPool.AddCert(cert) - } - return certPool +func isNotPod(itemPodUID, podUID types.UID) bool { + return podUID != "" && itemPodUID != podUID } diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index 74efea4955..1dc684221b 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -1,7 +1,3 @@ -//go:build !windows -// +build !windows - -// TODO: attestor is not supported on Windows yet, skip tests until issues solved package k8s import ( @@ -27,7 +23,6 @@ import ( "github.com/hashicorp/go-hclog" "github.com/sigstore/cosign/pkg/cosign/bundle" "github.com/sigstore/cosign/pkg/oci" - "github.com/spiffe/spire/pkg/agent/common/cgroups" "github.com/spiffe/spire/pkg/agent/plugin/workloadattestor" "github.com/spiffe/spire/pkg/agent/plugin/workloadattestor/k8s/sigstore" "github.com/spiffe/spire/pkg/common/pemutil" 
@@ -40,29 +35,19 @@ import ( "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/types" ) const ( pid = 123 podListFilePath = "testdata/pod_list.json" - kindPodListFilePath = "testdata/kind_pod_list.json" podListNotRunningFilePath = "testdata/pod_list_not_running.json" - cgPidInPodFilePath = "testdata/cgroups_pid_in_pod.txt" - cgPidInKindPodFilePath = "testdata/cgroups_pid_in_kind_pod.txt" - cgInitPidInPodFilePath = "testdata/cgroups_init_pid_in_pod.txt" - cgPidNotInPodFilePath = "testdata/cgroups_pid_not_in_pod.txt" - cgSystemdPidInPodFilePath = "testdata/systemd_cgroups_pid_in_pod.txt" - certPath = "cert.pem" keyPath = "key.pem" ) var ( - pidCgroupPath = fmt.Sprintf("/proc/%v/cgroup", pid) - clientKey, _ = pemutil.ParseECPrivateKey([]byte(`-----BEGIN PRIVATE KEY----- MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgNRa/6HIy0uwQe8iG Kz24zEvwGiIsTDPHzrLUaml1hQ6hRANCAATz6vtJYIvPM0KOqKpdDPlsOw09hZ8P 
@@ -101,47 +86,6 @@ FwOGLt+I3+9beT0vo+pn9Rq0squewFYe3aJbwpkyfP2xOovQCdm4PC8y } testPodAndContainerSelectors = append(testPodSelectors, testContainerSelectors...) - testKindPodSelectors = []*common.Selector{ - {Type: "k8s", Value: "container-image:gcr.io/spiffe-io/spire-agent:0.8.1"}, - {Type: "k8s", Value: "container-image:gcr.io/spiffe-io/spire-agent@sha256:1e4c481d76e9ecbd3d8684891e0e46aa021a30920ca04936e1fdcc552747d941"}, - {Type: "k8s", Value: "container-name:workload-api-client"}, - {Type: "k8s", Value: "node-name:kind-control-plane"}, - {Type: "k8s", Value: "ns:default"}, - {Type: "k8s", Value: "pod-image-count:1"}, - {Type: "k8s", Value: "pod-image:gcr.io/spiffe-io/spire-agent:0.8.1"}, - {Type: "k8s", Value: "pod-image:gcr.io/spiffe-io/spire-agent@sha256:1e4c481d76e9ecbd3d8684891e0e46aa021a30920ca04936e1fdcc552747d941"}, - {Type: "k8s", Value: "pod-init-image-count:0"}, - {Type: "k8s", Value: "pod-label:app:sample-workload"}, - {Type: "k8s", Value: "pod-label:pod-template-hash:6658cb9566"}, - {Type: "k8s", Value: "pod-name:sample-workload-6658cb9566-5n4b4"}, - {Type: "k8s", Value: "pod-owner-uid:ReplicaSet:349d135e-3781-43e3-bc25-c900aedf1d0c"}, - {Type: "k8s", Value: "pod-owner:ReplicaSet:sample-workload-6658cb9566"}, - {Type: "k8s", Value: "pod-uid:a2830d0d-b0f0-4ff0-81b5-0ee4e299cf80"}, - {Type: "k8s", Value: "sa:default"}, - } - - testInitPodSelectors = []*common.Selector{ - {Type: "k8s", Value: "container-image:docker-pullable://quay.io/coreos/flannel@sha256:1b401bf0c30bada9a539389c3be652b58fe38463361edf488e6543c8761d4970"}, - {Type: "k8s", Value: "container-image:quay.io/coreos/flannel:v0.9.0-amd64"}, - {Type: "k8s", Value: "container-name:install-cni"}, - {Type: "k8s", Value: "node-name:k8s-node-1"}, - {Type: "k8s", Value: "ns:kube-system"}, - {Type: "k8s", Value: "pod-image-count:1"}, - {Type: "k8s", Value: "pod-image:docker-pullable://quay.io/coreos/flannel@sha256:1b401bf0c30bada9a539389c3be652b58fe38463361edf488e6543c8761d4970"}, - {Type: "k8s", 
Value: "pod-image:quay.io/coreos/flannel:v0.9.0-amd64"}, - {Type: "k8s", Value: "pod-init-image-count:1"}, - {Type: "k8s", Value: "pod-init-image:docker-pullable://quay.io/coreos/flannel@sha256:1b401bf0c30bada9a539389c3be652b58fe38463361edf488e6543c8761d4970"}, - {Type: "k8s", Value: "pod-init-image:quay.io/coreos/flannel:v0.9.0-amd64"}, - {Type: "k8s", Value: "pod-label:app:flannel"}, - {Type: "k8s", Value: "pod-label:controller-revision-hash:1846323910"}, - {Type: "k8s", Value: "pod-label:pod-template-generation:1"}, - {Type: "k8s", Value: "pod-label:tier:node"}, - {Type: "k8s", Value: "pod-name:kube-flannel-ds-gp1g9"}, - {Type: "k8s", Value: "pod-owner-uid:DaemonSet:2f0350fc-b29d-11e7-9350-020968147796"}, - {Type: "k8s", Value: "pod-owner:DaemonSet:kube-flannel-ds"}, - {Type: "k8s", Value: "pod-uid:d488cae9-b2a0-11e7-9350-020968147796"}, - {Type: "k8s", Value: "sa:flannel"}, - } testSigstoreSelectors = []*common.Selector{ {Type: "k8s", Value: "container-image:docker-pullable://localhost/spiffe/blog@sha256:0cfdaced91cb46dd7af48309799a3c351e4ca2d5e1ee9737ca0cbd932cb79898"}, {Type: "k8s", Value: "container-image:localhost/spiffe/blog:latest"}, @@ -211,6 +155,7 @@ type Suite struct { kubeletCert *x509.Certificate clientCert *x509.Certificate + oc *osConfig sigstoreSelectors []sigstore.SelectorsFromSignatures sigstoreSigs []oci.Signature sigstoreSkipSigs bool @@ -234,6 +179,7 @@ func (s *Suite) SetupTest() { s.sigstoreReturnError = nil s.sigstoreSkipSigs = false s.sigstoreSkippedSigSelectors = nil + s.oc = createOSConfig() } func (s *Suite) TearDownTest() { 
@@ -299,27 +245,6 @@ func (s *Suite) TestAttestWithFailedSigstoreSignatures() { s.Require().Contains(buf.String(), "sigstore error 123") } -func (s *Suite) TestAttestWithPidInKindPod() { - s.startInsecureKubelet() - p := s.loadInsecurePlugin() - - s.requireAttestSuccessWithKindPod(p) -} - -func (s *Suite) TestAttestWithPidInPodSystemdCgroups() { - s.startInsecureKubelet() - p := s.loadInsecurePlugin() - - s.requireAttestSuccessWithPodSystemdCgroups(p) -} - -func (s *Suite) TestAttestWithInitPidInPod() { - s.startInsecureKubelet() - p := s.loadInsecurePlugin() - - s.requireAttestSuccessWithInitPod(p) -} - func (s *Suite) TestAttestWithPidInPodAfterRetry() { s.startInsecureKubelet() p := s.loadInsecurePlugin() @@ -327,7 +252,7 @@ func (s *Suite) TestAttestWithPidInPodAfterRetry() { s.addPodListResponse(podListNotRunningFilePath) s.addPodListResponse(podListNotRunningFilePath) s.addPodListResponse(podListFilePath) - s.addCgroupsResponse(cgPidInPodFilePath) + s.addGetContainerResponsePidInPod() resultCh := s.goAttest(p) @@ -350,7 +275,7 @@ func (s *Suite) TestAttestWithPidNotInPodCancelsEarly() { p := s.loadInsecurePlugin() s.addPodListResponse(podListNotRunningFilePath) - s.addCgroupsResponse(cgPidInPodFilePath) + s.addGetContainerResponsePidInPod() ctx, cancel := context.WithCancel(context.Background()) cancel() @@ -367,7 +292,7 @@ func (s *Suite) TestAttestWithPidNotInPodAfterRetry() { s.addPodListResponse(podListNotRunningFilePath) s.addPodListResponse(podListNotRunningFilePath) s.addPodListResponse(podListNotRunningFilePath) - s.addCgroupsResponse(cgPidInPodFilePath) + s.addGetContainerResponsePidInPod() resultCh := s.goAttest(p) 
@@ -389,19 +314,9 @@ func (s *Suite) TestAttestWithPidNotInPodAfterRetry() { } } -func (s *Suite) TestAttestWithPidNotInPod() { - s.startInsecureKubelet() - p := s.loadInsecurePlugin() - s.addCgroupsResponse(cgPidNotInPodFilePath) - - selectors, err := p.Attest(context.Background(), pid) - s.Require().NoError(err) - s.Require().Empty(selectors) -} - func (s *Suite) TestAttestOverSecurePortViaTokenAuth() { // start up a secure kubelet with host networking and require token auth - s.startSecureKubelet(true, "default-token") + s.startSecureKubeletWithTokenAuth(true, "default-token") // use the service account token for auth p := s.loadSecurePlugin(``) @@ -416,7 +331,7 @@ func (s *Suite) TestAttestOverSecurePortViaTokenAuth() { func (s *Suite) TestAttestOverSecurePortViaClientAuth() { // start up the secure kubelet with host networking and require client certs - s.startSecureKubelet(true, "") + s.startSecureKubeletWithClientCertAuth() // use client certificate for auth p := s.loadSecurePlugin(` @@ -434,9 +349,19 @@ func (s *Suite) TestAttestOverSecurePortViaClientAuth() { s.requireAttestFailure(p, codes.Internal, "tls: bad certificate") } +func (s *Suite) TestAttestOverSecurePortViaAnonymousAuth() { + s.startSecureKubeletWithAnonymousAuth() + + p := s.loadSecurePlugin(` + use_anonymous_authentication = true + `) + + s.requireAttestSuccessWithPod(p) +} + func (s *Suite) TestAttestReachingKubeletViaNodeName() { // start up a secure kubelet with "localhost" certificate and token auth - s.startSecureKubelet(false, "default-token") + s.startSecureKubeletWithTokenAuth(false, "default-token") // pick up the node name from the default env value s.env["MY_NODE_NAME"] = "localhost" 
@@ -492,6 +417,9 @@ func (s *Suite) TestLogger() { func (s *Suite) TestConfigure() { s.generateCerts("") + kubeletCertPool := x509.NewCertPool() + kubeletCertPool.AddCert(s.kubeletCert) + s.writeFile(defaultTokenPath, "default-token") s.writeFile("token", "other-token") s.writeFile("bad-pem", "BAD PEM") @@ -517,8 +445,9 @@ func (s *Suite) TestConfigure() { raw string hcl string config *config + errCode codes.Code + errMsg string sigstoreError error - err string sigstoreEnabled bool }{ { @@ -610,9 +539,10 @@ func (s *Suite) TestConfigure() { }, { - name: "invalid hcl", - hcl: "bad", - err: "unable to decode configuration", + name: "invalid hcl", + hcl: "bad", + errCode: codes.InvalidArgument, + errMsg: "unable to decode configuration", }, { name: "both insecure and secure ports specified", @@ -620,21 +550,24 @@ func (s *Suite) TestConfigure() { kubelet_read_only_port = 10255 kubelet_secure_port = 10250 `, - err: "cannot use both the read-only and secure port", + errCode: codes.InvalidArgument, + errMsg: "cannot use both the read-only and secure port", }, { name: "non-existent kubelet ca", hcl: ` kubelet_ca_path = "no-such-file" `, - err: "unable to load kubelet CA", + errCode: codes.InvalidArgument, + errMsg: "unable to load kubelet CA", }, { name: "bad kubelet ca", hcl: ` kubelet_ca_path = "bad-pem" `, - err: "unable to parse kubelet CA", + errCode: codes.InvalidArgument, + errMsg: "unable to parse kubelet CA", }, { name: "non-existent token", @@ -642,7 +575,8 @@ func (s *Suite) TestConfigure() { skip_kubelet_verification = true token_path = "no-such-file" `, - err: "unable to load token", + errCode: codes.InvalidArgument, + errMsg: "unable to load token", }, { name: "invalid poll retry interval", 
@@ -650,7 +584,8 @@ func (s *Suite) TestConfigure() { kubelet_read_only_port = 10255 poll_retry_interval = "blah" `, - err: "unable to parse poll retry interval", + errCode: codes.InvalidArgument, + errMsg: "unable to parse poll retry interval", }, { name: "invalid reload interval", @@ -658,7 +593,8 @@ func (s *Suite) TestConfigure() { kubelet_read_only_port = 10255 reload_interval = "blah" `, - err: "unable to parse reload interval", + errCode: codes.InvalidArgument, + errMsg: "unable to parse reload interval", }, { name: "cert but no key", @@ -666,7 +602,8 @@ func (s *Suite) TestConfigure() { skip_kubelet_verification = true certificate_path = "cert" `, - err: "the private key path is required with the certificate path", + errCode: codes.InvalidArgument, + errMsg: "the private key path is required with the certificate path", }, { name: "key but no cert", @@ -674,7 +611,8 @@ func (s *Suite) TestConfigure() { skip_kubelet_verification = true private_key_path = "key" `, - err: "the certificate path is required with the private key path", + errCode: codes.InvalidArgument, + errMsg: "the certificate path is required with the private key path", }, { name: "bad cert", @@ -683,7 +621,8 @@ func (s *Suite) TestConfigure() { certificate_path = "bad-pem" private_key_path = "key.pem" `, - err: "unable to load keypair", + errCode: codes.InvalidArgument, + errMsg: "unable to load keypair", }, { name: "non-existent cert", @@ -692,7 +631,8 @@ func (s *Suite) TestConfigure() { certificate_path = "no-such-file" private_key_path = "key.pem" `, - err: "unable to load certificate", + errCode: codes.InvalidArgument, + errMsg: "unable to load certificate", }, { name: "bad key", @@ -701,7 +641,8 @@ func (s *Suite) TestConfigure() { certificate_path = "cert.pem" private_key_path = "bad-pem" `, - err: "unable to load keypair", + errCode: codes.InvalidArgument, + errMsg: "unable to load keypair", }, { name: "non-existent key", 
@@ -710,7 +651,8 @@ func (s *Suite) TestConfigure() { certificate_path = "cert.pem" private_key_path = "no-such-file" `, - err: "unable to load private key", + errCode: codes.InvalidArgument, + errMsg: "unable to load private key", }, { name: "secure defaults with skipped images for sigstore", @@ -788,7 +730,8 @@ func (s *Suite) TestConfigure() { `, sigstoreError: errors.New("rekor URL is empty"), config: nil, - err: "failed to parse Rekor URL: rekor URL is empty", + errCode: codes.InvalidArgument, + errMsg: "failed to parse Rekor URL: rekor URL is empty", }, { name: "secure defaults for failed parsing rekor URI", @@ -801,7 +744,8 @@ func (s *Suite) TestConfigure() { `, sigstoreError: errors.New("failed parsing rekor URI"), config: nil, - err: "failed to parse Rekor URL: failed parsing rekor URI", + errCode: codes.InvalidArgument, + errMsg: "failed to parse Rekor URL: failed parsing rekor URI", }, { name: "secure defaults for invalid rekor URL Scheme", @@ -814,7 +758,8 @@ func (s *Suite) TestConfigure() { `, sigstoreError: errors.New("invalid rekor URL Scheme"), config: nil, - err: "failed to parse Rekor URL: invalid rekor URL Scheme", + errCode: codes.InvalidArgument, + errMsg: "failed to parse Rekor URL: invalid rekor URL Scheme", }, { name: "secure defaults for invalid rekor URL Host", @@ -827,7 +772,8 @@ func (s *Suite) TestConfigure() { `, sigstoreError: errors.New("invalid rekor URL Host"), config: nil, - err: "failed to parse Rekor URL: invalid rekor URL Host", + errCode: codes.InvalidArgument, + errMsg: "failed to parse Rekor URL: invalid rekor URL Host", }, } 
@@ -836,12 +782,14 @@ func (s *Suite) TestConfigure() { s.T().Run(testCase.name, func(t *testing.T) { p := s.newPlugin() s.sigstoreMock.returnError = testCase.sigstoreError + var err error plugintest.Load(s.T(), builtin(p), nil, plugintest.Configure(testCase.hcl), plugintest.CaptureConfigureError(&err)) - if testCase.err != "" { - s.AssertErrorContains(err, testCase.err) + + if testCase.errMsg != "" { + s.RequireGRPCStatusContains(err, testCase.errCode, testCase.errMsg) return } require.NotNil(t, testCase.config, "test case missing expected config") @@ -859,10 +807,9 @@ func (s *Suite) TestConfigure() { assert.True(t, c.Client.Transport.TLSClientConfig.InsecureSkipVerify) assert.Nil(t, c.Client.Transport.TLSClientConfig.VerifyPeerCertificate) default: - t.Logf("CONFIG: %#v", c.Client.Transport.TLSClientConfig) if testCase.config.HasNodeName { if assert.NotNil(t, c.Client.Transport.TLSClientConfig.RootCAs) { - assert.Len(t, c.Client.Transport.TLSClientConfig.RootCAs.Subjects(), 1) // nolint // these pools are not system pools so the use of Subjects() is ok for now + assert.True(t, c.Client.Transport.TLSClientConfig.RootCAs.Equal(kubeletCertPool)) } } else { assert.True(t, c.Client.Transport.TLSClientConfig.InsecureSkipVerify) @@ -1101,10 +1048,14 @@ func (s *Suite) kubeletPort() int { func (s *Suite) loadPlugin(configuration string) workloadattestor.WorkloadAttestor { v1 := new(workloadattestor.V1) - plugintest.Load(s.T(), builtin(s.newPlugin()), v1, + p := s.newPlugin() + plugintest.Load(s.T(), builtin(p), v1, plugintest.Configure(configuration), ) + if cHelper := s.oc.getContainerHelper(); cHelper != nil { + p.setContainerHelper(cHelper) + } return v1 } 
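Review bot: Inside the `s.T().Run(testCase.name, func(t *testing.T) {` subtest of the first hunk, the new `s.RequireGRPCStatusContains(err, testCase.errCode, testCase.errMsg)` is a fatal assertion bound to the suite's `T` rather than the subtest's `t`, where the line it replaces was a non-fatal `Assert`. A failure is then attributed to the parent test, and if the helper ends in `FailNow` it runs on a goroutine other than the one executing that test, which the `testing` package documents as unsupported. Passing the subtest handle keeps each failure scoped to its case, e.g. `spiretest.RequireGRPCStatusContains(t, err, testCase.errCode, testCase.errMsg)` if the package-level helper is in scope in this file. The branch is also still gated on `errMsg` alone, so a case that sets `errCode` but leaves `errMsg` empty would fall through to the success path. TestConfigure begins and ends outside these hunks.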
@@ -1149,7 +1100,49 @@ func (s *Suite) generateCerts(nodeName string) {
 s.writeCert(certPath, s.clientCert)
 }
 
-func (s *Suite) startSecureKubelet(hostNetworking bool, token string) {
+func (s *Suite) startSecureKubeletWithClientCertAuth() {
+ handler := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+ if len(req.TLS.VerifiedChains) == 0 {
+ http.Error(w, "client auth expected but not used", http.StatusForbidden)
+ return
+ }
+ s.serveHTTP(w, req)
+ })
+
+ s.startSecureKubeletServer(false, handler)
+}
+
+func (s *Suite) startSecureKubeletWithTokenAuth(hostNetworking bool, token string) {
+ handler := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+ if len(req.TLS.VerifiedChains) > 0 {
+ http.Error(w, "client auth not expected but used", http.StatusForbidden)
+ return
+ }
+ expectedAuth := "Bearer " + token
+ auth := req.Header.Get("Authorization")
+ if auth != expectedAuth {
+ http.Error(w, fmt.Sprintf("expected %q, got %q", expectedAuth, auth), http.StatusForbidden)
+ return
+ }
+ s.serveHTTP(w, req)
+ })
+
+ s.startSecureKubeletServer(hostNetworking, handler)
+}
+
+func (s *Suite) startSecureKubeletWithAnonymousAuth() {
+ handler := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+ if len(req.TLS.VerifiedChains) > 0 {
+ http.Error(w, "client auth not expected but used", http.StatusForbidden)
+ return
+ }
+ s.serveHTTP(w, req)
+ })
+
+ s.startSecureKubeletServer(false, handler)
+}
+
+func (s *Suite) startSecureKubeletServer(hostNetworking bool, handler http.Handler) {
 // Use "localhost" in the DNS name unless we're using host networking. This
 // allows us to use "localhost" as the host directly when configured to
 // connect to the node name. Otherwise, we'll connect to 127.0.0.1 and
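Review bot: The handler in `startSecureKubeletWithAnonymousAuth` only rejects requests that present a verified client certificate, so a request that still carries an `Authorization` header is served like any other. `TestAttestOverSecurePortViaAnonymousAuth` (added in an earlier hunk of this file) therefore passes whether or not `use_anonymous_authentication = true` actually keeps the plugin from attaching the service account token, which is presumably what the option is meant to guarantee. A guard before `s.serveHTTP(w, req)` that checks `req.Header.Get("Authorization") != ""` and answers with `http.StatusForbidden`, in the same style as the certificate check above it, would make the test fail if a credential leaks into the anonymous request.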
@@ -1158,32 +1151,13 @@ func (s *Suite) startSecureKubelet(hostNetworking bool, token string) { if hostNetworking { dnsName = "this-name-should-never-be-validated" } - s.generateCerts(dnsName) + s.generateCerts(dnsName) clientCAs := x509.NewCertPool() if s.clientCert != nil { clientCAs.AddCert(s.clientCert) } - server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { - if token == "" { - if len(req.TLS.VerifiedChains) == 0 { - http.Error(w, "client auth expected but not used", http.StatusForbidden) - return - } - } else { - if len(req.TLS.VerifiedChains) > 0 { - http.Error(w, "client auth not expected but used", http.StatusForbidden) - return - } - expectedAuth := "Bearer " + token - auth := req.Header.Get("Authorization") - if auth != expectedAuth { - http.Error(w, fmt.Sprintf("expected %q, got %q", expectedAuth, auth), http.StatusForbidden) - return - } - } - s.serveHTTP(w, req) - })) + server := httptest.NewUnstartedServer(handler) server.TLS = &tls.Config{ Certificates: []tls.Certificate{ { 
@@ -1266,24 +1240,6 @@ func (s *Suite) requireAttestSuccessWithPodAndSkippedImage(p workloadattestor.Wo s.requireAttestSuccess(p, testSigstoreSkippedSelectors) } -func (s *Suite) requireAttestSuccessWithKindPod(p workloadattestor.WorkloadAttestor) { - s.addPodListResponse(kindPodListFilePath) - s.addCgroupsResponse(cgPidInKindPodFilePath) - s.requireAttestSuccess(p, testKindPodSelectors) -} - -func (s *Suite) requireAttestSuccessWithPodSystemdCgroups(p workloadattestor.WorkloadAttestor) { - s.addPodListResponse(podListFilePath) - s.addCgroupsResponse(cgSystemdPidInPodFilePath) - s.requireAttestSuccess(p, testPodSelectors) -} - -func (s *Suite) requireAttestSuccessWithInitPod(p workloadattestor.WorkloadAttestor) { - s.addPodListResponse(podListFilePath) - s.addCgroupsResponse(cgInitPidInPodFilePath) - s.requireAttestSuccess(p, testInitPodSelectors) -} - func (s *Suite) requireAttestSuccess(p workloadattestor.WorkloadAttestor, expectedSelectors []*common.Selector) { selectors, err := p.Attest(context.Background(), pid) s.Require().NoError(err) 
@@ -1324,204 +1280,6 @@ func (s *Suite) addPodListResponse(fixturePath string) { s.podList = append(s.podList, podList) } -func (s *Suite) addCgroupsResponse(fixturePath string) { - wd, err := os.Getwd() - s.Require().NoError(err) - cgroupPath := filepath.Join(s.dir, pidCgroupPath) - s.Require().NoError(os.MkdirAll(filepath.Dir(cgroupPath), 0755)) - os.Remove(cgroupPath) - s.Require().NoError(os.Symlink(filepath.Join(wd, fixturePath), cgroupPath)) -} - -func TestGetContainerIDFromCGroups(t *testing.T) { - makeCGroups := func(groupPaths []string) []cgroups.Cgroup { - var out []cgroups.Cgroup - for _, groupPath := range groupPaths { - out = append(out, cgroups.Cgroup{ - GroupPath: groupPath, - }) - } - return out - } - - for _, tt := range []struct { - name string - cgroupPaths []string - expectPodUID types.UID - expectContainerID string - expectCode codes.Code - expectMsg string - }{ - { - name: "no cgroups", - cgroupPaths: []string{}, - expectPodUID: "", - expectContainerID: "", - expectCode: codes.OK, - }, - { - name: "no container ID in cgroups", - cgroupPaths: []string{ - "/user.slice", - }, - expectPodUID: "", - expectContainerID: "", - expectCode: codes.OK, - }, - { - name: "one container ID in cgroups", - cgroupPaths: []string{ - "/user.slice", - "/kubepods/pod2c48913c-b29f-11e7-9350-020968147796/9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961", - }, - expectPodUID: "2c48913c-b29f-11e7-9350-020968147796", - expectContainerID: "9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961", - expectCode: codes.OK, - }, - { - name: "pod UID canonicalized", - cgroupPaths: []string{ - "/user.slice", - "/kubepods/pod2c48913c_b29f_11e7_9350_020968147796/9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961", - }, - expectPodUID: "2c48913c-b29f-11e7-9350-020968147796", - expectContainerID: "9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961", - expectCode: codes.OK, - }, - { - name: "more than one container ID in 
cgroups", - cgroupPaths: []string{ - "/user.slice", - "/kubepods/pod2c48913c-b29f-11e7-9350-020968147796/9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961", - "/kubepods/kubepods/besteffort/pod2c48913c-b29f-11e7-9350-020968147796/a55d9ac3b312d8a2627824b6d6dd8af66fbec439bf4e0ec22d6d9945ad337a38", - }, - expectPodUID: "", - expectContainerID: "", - expectCode: codes.FailedPrecondition, - expectMsg: "multiple container IDs found in cgroups (9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961, a55d9ac3b312d8a2627824b6d6dd8af66fbec439bf4e0ec22d6d9945ad337a38)", - }, - { - name: "more than one pod UID in cgroups", - cgroupPaths: []string{ - "/user.slice", - "/kubepods/pod11111111-b29f-11e7-9350-020968147796/9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961", - "/kubepods/kubepods/besteffort/pod22222222-b29f-11e7-9350-020968147796/9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961", - }, - expectPodUID: "", - expectContainerID: "", - expectCode: codes.FailedPrecondition, - expectMsg: "multiple pod UIDs found in cgroups (11111111-b29f-11e7-9350-020968147796, 22222222-b29f-11e7-9350-020968147796)", - }, - } { - tt := tt - t.Run(tt.name, func(t *testing.T) { - podUID, containerID, err := getPodUIDAndContainerIDFromCGroups(makeCGroups(tt.cgroupPaths)) - spiretest.RequireGRPCStatus(t, err, tt.expectCode, tt.expectMsg) - if tt.expectCode != codes.OK { - assert.Empty(t, containerID) - return - } - assert.Equal(t, tt.expectPodUID, podUID) - assert.Equal(t, tt.expectContainerID, containerID) - }) - } -} - -func TestGetPodUIDAndContainerIDFromCGroupPath(t *testing.T) { - for _, tt := range []struct { - name string - cgroupPath string - expectPodUID types.UID - expectContainerID string - }{ - { - name: "without QOS", - cgroupPath: "/kubepods/pod2c48913c-b29f-11e7-9350-020968147796/9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961", - expectPodUID: "2c48913c-b29f-11e7-9350-020968147796", - expectContainerID: 
"9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961", - }, - { - name: "with QOS", - cgroupPath: "/kubepods/burstable/pod2c48913c-b29f-11e7-9350-020968147796/34a2062fd26c805aa8cf814cdfe479322b791f80afb9ea4db02d50375df14b41", - expectPodUID: "2c48913c-b29f-11e7-9350-020968147796", - expectContainerID: "34a2062fd26c805aa8cf814cdfe479322b791f80afb9ea4db02d50375df14b41", - }, - { - name: "docker for desktop with QOS", - cgroupPath: "/kubepods/kubepods/besteffort/pod6bd2a4d3-a55a-4450-b6fd-2a7ecc72c904/a55d9ac3b312d8a2627824b6d6dd8af66fbec439bf4e0ec22d6d9945ad337a38", - expectPodUID: "6bd2a4d3-a55a-4450-b6fd-2a7ecc72c904", - expectContainerID: "a55d9ac3b312d8a2627824b6d6dd8af66fbec439bf4e0ec22d6d9945ad337a38", - }, - { - name: "kind with QOS", - cgroupPath: "/docker/93529524695bb00d91c1f6dba692ea8d3550c3b94fb2463af7bc9ec82f992d26/kubepods/besteffort/poda2830d0d-b0f0-4ff0-81b5-0ee4e299cf80/09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6", - expectPodUID: "a2830d0d-b0f0-4ff0-81b5-0ee4e299cf80", - expectContainerID: "09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6", - }, - { - name: "systemd with QOS and container runtime", - cgroupPath: "/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod2c48913c-b29f-11e7-9350-020968147796.slice/docker-9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961.scope", - expectPodUID: "2c48913c-b29f-11e7-9350-020968147796", - expectContainerID: "9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961", - }, - { - name: "from a different cgroup namespace", - cgroupPath: "/../../../burstable/pod095e82d2-713c-467a-a18a-cbb50a075296/6d1234da0f5aa7fa0ccae4c7d2d109929eb9a81694e6357bcd4547ab3985911b", - expectPodUID: "095e82d2-713c-467a-a18a-cbb50a075296", - expectContainerID: "6d1234da0f5aa7fa0ccae4c7d2d109929eb9a81694e6357bcd4547ab3985911b", - }, - { - name: "not kubepods", - cgroupPath: 
"/something/poda2830d0d-b0f0-4ff0-81b5-0ee4e299cf80/09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6", - expectPodUID: "a2830d0d-b0f0-4ff0-81b5-0ee4e299cf80", - expectContainerID: "09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6", - }, - { - name: "just pod uid and container", - cgroupPath: "/poda2830d0d-b0f0-4ff0-81b5-0ee4e299cf80/09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6", - expectPodUID: "a2830d0d-b0f0-4ff0-81b5-0ee4e299cf80", - expectContainerID: "09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6", - }, - { - name: "just container segment", - cgroupPath: "/09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6", - }, - { - name: "no container segment", - cgroupPath: "/kubepods/poda2830d0d-b0f0-4ff0-81b5-0ee4e299cf80", - }, - { - name: "no pod uid segment", - cgroupPath: "/kubepods/09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6", - }, - { - name: "cri-containerd", - cgroupPath: "/kubepods-besteffort-pod72f7f152_440c_66ac_9084_e0fc1d8a910c.slice:cri-containerd:b2a102854b4969b2ce98dc329c86b4fb2b06e4ad2cc8da9d8a7578c9cd2004a2", - expectPodUID: "72f7f152-440c-66ac-9084-e0fc1d8a910c", - expectContainerID: "b2a102854b4969b2ce98dc329c86b4fb2b06e4ad2cc8da9d8a7578c9cd2004a2", - }, - { - name: "uid generateds by kubernetes", - cgroupPath: "/kubepods/pod2732ca68f6358eba7703fb6f82a25c94", - }, - } { - tt := tt - t.Run(tt.name, func(t *testing.T) { - t.Logf("cgroup path=%s", tt.cgroupPath) - podUID, containerID, ok := getPodUIDAndContainerIDFromCGroupPath(tt.cgroupPath) - if tt.expectContainerID == "" { - assert.False(t, ok) - assert.Empty(t, podUID) - assert.Empty(t, containerID) - return - } - assert.True(t, ok) - assert.Equal(t, tt.expectPodUID, podUID) - assert.Equal(t, tt.expectContainerID, containerID) - }) - } -} - type testFS string func (fs testFS) Open(path string) (io.ReadCloser, error) { From 02c548ea5544ec55fab77899d6466a608e1e8b4d Mon Sep 17 00:00:00 2001 
From: Willian Alves Date: Mon, 12 Sep 2022 10:56:40 -0300 Subject: [PATCH 104/257] Refactory on k8s unit tests (#90) * Refactory on k8s unit tests Signed-off-by: Willian Alves * Fixed: Refactory on k8s unit tests Signed-off-by: Willian Alves * Fixed: Refactory on k8s unit tests for windows Signed-off-by: Willian Alves * Fixed: Refactory on k8s unit tests for windows 0 Signed-off-by: Willian Alves * Fixed: Refactory on k8s unit tests for windows 1 Signed-off-by: Willian Alves Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../workloadattestor/k8s/k8s_posix_test.go | 196 ++++++++++++++++++ .../plugin/workloadattestor/k8s/k8s_test.go | 171 +++------------ 2 files changed, 223 insertions(+), 144 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go index e93496a017..7c954b5111 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go @@ -4,15 +4,23 @@ package k8s import ( + "bytes" "context" + "crypto/x509" + "errors" "fmt" "os" "path/filepath" "testing" + "github.com/hashicorp/go-hclog" + "github.com/sigstore/cosign/pkg/cosign/bundle" + "github.com/sigstore/cosign/pkg/oci" "github.com/spiffe/spire/pkg/agent/common/cgroups" "github.com/spiffe/spire/pkg/agent/plugin/workloadattestor" + "github.com/spiffe/spire/pkg/agent/plugin/workloadattestor/k8s/sigstore" "github.com/spiffe/spire/proto/spire/common" + "github.com/spiffe/spire/test/plugintest" "github.com/spiffe/spire/test/spiretest" "github.com/stretchr/testify/assert" "google.golang.org/grpc/codes" 
@@ -95,6 +103,51 @@ var ( {Type: "k8s", Value: "pod-uid:d488cae9-b2a0-11e7-9350-020968147796"}, {Type: "k8s", Value: "sa:flannel"}, } + + testSigstoreSelectors = []*common.Selector{ + {Type: "k8s", Value: "container-image:docker-pullable://localhost/spiffe/blog@sha256:0cfdaced91cb46dd7af48309799a3c351e4ca2d5e1ee9737ca0cbd932cb79898"}, + {Type: "k8s", Value: "container-image:localhost/spiffe/blog:latest"}, + {Type: "k8s", Value: "container-name:blog"}, + {Type: "k8s", Value: "docker://9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961:image-signature-subject:sigstore-subject"}, + {Type: "k8s", Value: "node-name:k8s-node-1"}, + {Type: "k8s", Value: "ns:default"}, + {Type: "k8s", Value: "pod-image-count:2"}, + {Type: "k8s", Value: "pod-image:docker-pullable://localhost/spiffe/blog@sha256:0cfdaced91cb46dd7af48309799a3c351e4ca2d5e1ee9737ca0cbd932cb79898"}, + {Type: "k8s", Value: "pod-image:docker-pullable://localhost/spiffe/ghostunnel@sha256:b2fc20676c92a433b9a91f3f4535faddec0c2c3613849ac12f02c1d5cfcd4c3a"}, + {Type: "k8s", Value: "pod-image:localhost/spiffe/blog:latest"}, + {Type: "k8s", Value: "pod-image:localhost/spiffe/ghostunnel:latest"}, + {Type: "k8s", Value: "pod-init-image-count:0"}, + {Type: "k8s", Value: "pod-label:k8s-app:blog"}, + {Type: "k8s", Value: "pod-label:version:v0"}, + {Type: "k8s", Value: "pod-name:blog-24ck7"}, + {Type: "k8s", Value: "pod-owner-uid:ReplicationController:2c401175-b29f-11e7-9350-020968147796"}, + {Type: "k8s", Value: "pod-owner:ReplicationController:blog"}, + {Type: "k8s", Value: "pod-uid:2c48913c-b29f-11e7-9350-020968147796"}, + {Type: "k8s", Value: "sa:default"}, + {Type: "k8s", Value: "sigstore-validation:passed"}, + } + + testSigstoreSkippedSelectors = []*common.Selector{ + {Type: "k8s", Value: "container-image:docker-pullable://localhost/spiffe/blog@sha256:0cfdaced91cb46dd7af48309799a3c351e4ca2d5e1ee9737ca0cbd932cb79898"}, + {Type: "k8s", Value: "container-image:localhost/spiffe/blog:latest"}, + {Type: "k8s", 
Value: "container-name:blog"}, + {Type: "k8s", Value: "node-name:k8s-node-1"}, + {Type: "k8s", Value: "ns:default"}, + {Type: "k8s", Value: "pod-image-count:2"}, + {Type: "k8s", Value: "pod-image:docker-pullable://localhost/spiffe/blog@sha256:0cfdaced91cb46dd7af48309799a3c351e4ca2d5e1ee9737ca0cbd932cb79898"}, + {Type: "k8s", Value: "pod-image:docker-pullable://localhost/spiffe/ghostunnel@sha256:b2fc20676c92a433b9a91f3f4535faddec0c2c3613849ac12f02c1d5cfcd4c3a"}, + {Type: "k8s", Value: "pod-image:localhost/spiffe/blog:latest"}, + {Type: "k8s", Value: "pod-image:localhost/spiffe/ghostunnel:latest"}, + {Type: "k8s", Value: "pod-init-image-count:0"}, + {Type: "k8s", Value: "pod-label:k8s-app:blog"}, + {Type: "k8s", Value: "pod-label:version:v0"}, + {Type: "k8s", Value: "pod-name:blog-24ck7"}, + {Type: "k8s", Value: "pod-owner-uid:ReplicationController:2c401175-b29f-11e7-9350-020968147796"}, + {Type: "k8s", Value: "pod-owner:ReplicationController:blog"}, + {Type: "k8s", Value: "pod-uid:2c48913c-b29f-11e7-9350-020968147796"}, + {Type: "k8s", Value: "sa:default"}, + {Type: "k8s", Value: "sigstore-validation:passed"}, + } ) func (s *Suite) TestAttestWithInitPidInPod() { 
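Review bot: `testSigstoreSkippedSelectors` expects `sigstore-validation:passed` for an image whose signature check was skipped, so a skip-listed image and a verified image carry the same validation selector and differ only by the missing `image-signature-subject` entry. In this suite the value comes from the mock's skipped-selector list; whether the real implementation emits the same string is not visible in the hunk. A comment above the variable would make this explicit for anyone writing registration entries against these selectors: `// Skip-listed image: sigstore-validation:passed is expected without any signature check, and no image-signature-subject selector is emitted.` The two lists are otherwise identical, so the skipped list could be derived from `testSigstoreSelectors` to keep them in sync.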
@@ -152,6 +205,126 @@ func (s *Suite) TestAttestAgainstNodeOverride() { s.Require().Empty(selectors) } +type signature struct { + oci.Signature + + payload []byte + cert *x509.Certificate +} + +func (signature) Annotations() (map[string]string, error) { + return nil, nil +} + +func (s signature) Payload() ([]byte, error) { + return s.payload, nil +} + +func (signature) Base64Signature() (string, error) { + return "", nil +} + +func (s signature) Cert() (*x509.Certificate, error) { + return s.cert, nil +} + +func (signature) Chain() ([]*x509.Certificate, error) { + return nil, nil +} + +func (signature) Bundle() (*bundle.RekorBundle, error) { + return nil, nil +} + +func (s *Suite) TestAttestWithSigstoreSignatures() { + s.startInsecureKubelet() + s.setSigstoreSelectors([]sigstore.SelectorsFromSignatures{ + { + Subject: "sigstore-subject", + }, + }) + p := s.loadInsecurePluginWithSigstore() + s.requireAttestSuccessWithPodAndSignature(p) +} + +func (s *Suite) setSigstoreSkipSigs(skip bool) { + s.sigstoreSkipSigs = skip +} + +func (s *Suite) setSigstoreSkippedSigSelectors(selectors []string) { + s.sigstoreSkippedSigSelectors = selectors +} + +func (s *Suite) setSigstoreSelectors(selectors []sigstore.SelectorsFromSignatures) { + s.sigstoreSelectors = selectors + if s.sigstoreSelectors == nil { + s.sigstoreSigs = nil + return + } + s.sigstoreSigs = []oci.Signature{ + signature{ + payload: []byte("payload"), + cert: &x509.Certificate{}, + }, + } +} + +func (s *Suite) TestAttestWithSigstoreSkippedImage() { + s.startInsecureKubelet() + // Skip the image + s.setSigstoreSkipSigs(true) + s.setSigstoreSkippedSigSelectors([]string{"sigstore-validation:passed"}) + p := s.loadInsecurePluginWithSigstore() + s.requireAttestSuccessWithPodAndSkippedImage(p) +} + +func (s *Suite) TestAttestWithFailedSigstoreSignatures() { + s.startInsecureKubelet() + + p := s.newPlugin() + + v1 := new(workloadattestor.V1) + plugintest.Load(s.T(), builtin(p), v1, + plugintest.Configure(fmt.Sprintf(` + 
kubelet_read_only_port = %d + max_poll_attempts = 5 + poll_retry_interval = "1s" + experimental { + sigstore {} + } + `, s.kubeletPort())), + ) + + buf := bytes.Buffer{} + newLog := hclog.New(&hclog.LoggerOptions{ + Output: &buf, + }) + + p.SetLogger(newLog) + + s.sigstoreMock.returnError = errors.New("sigstore error 123") + + s.requireAttestSuccessWithPod(v1) + s.Require().Contains(buf.String(), "Error retrieving signature payload") + s.Require().Contains(buf.String(), "sigstore error 123") +} + +func (s *Suite) TestLogger() { + s.startInsecureKubelet() + + p := s.newPlugin() + plugintest.Load(s.T(), builtin(p), nil) + + newLog := hclog.New(&hclog.LoggerOptions{ + Name: "new_test_logger", + }) + p.SetLogger(newLog) + + s.Require().Same(newLog, p.log) + s.Require().Contains(p.log.Name(), newLog.Name()) + s.Require().Contains(p.log.Name(), "new_test_log") +} + func (s *Suite) TestAttestWhenContainerNotReadyButContainerSelectorsDisabled() { // This test will not pass on windows since obtaining the container ID is // currently required to identify the workload pod in that environment. @@ -425,3 +598,26 @@ func (o *osConfig) getContainerHelper() ContainerHelper { func createOSConfig() *osConfig { return &osConfig{} } + +func (s *Suite) requireAttestSuccessWithPodAndSignature(p workloadattestor.WorkloadAttestor) { + s.addPodListResponse(podListFilePath) + s.addCgroupsResponse(cgPidInPodFilePath) + s.requireAttestSuccess(p, testSigstoreSelectors) +} + +func (s *Suite) requireAttestSuccessWithPodAndSkippedImage(p workloadattestor.WorkloadAttestor) { + s.addPodListResponse(podListFilePath) + s.addCgroupsResponse(cgPidInPodFilePath) + s.requireAttestSuccess(p, testSigstoreSkippedSelectors) +} + +func (s *Suite) loadInsecurePluginWithSigstore() workloadattestor.WorkloadAttestor { + return s.loadPlugin(fmt.Sprintf(` + kubelet_read_only_port = %d + max_poll_attempts = 5 + poll_retry_interval = "1s" + experimental { + sigstore {} + } +`, s.kubeletPort())) +} 
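Review bot: `TestAttestWithFailedSigstoreSignatures` asserts that attestation succeeds when the mock returns `sigstore error 123` and then checks only the log text, so the test covers the fail-open path but never states that no sigstore selectors are emitted. `requireAttestSuccessWithPod` is defined outside the hunk and presumably compares against the plain pod selector set. If so, a comment such as `// a signature fetch error must not fail attestation and must not add sigstore selectors` would document the contract being pinned. In `TestLogger`, `Contains(p.log.Name(), "new_test_log")` is implied by the preceding `Contains(p.log.Name(), newLog.Name())` and can be dropped.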
diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index 1dc684221b..44c407108d 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -1,7 +1,6 @@ package k8s import ( - "bytes" "context" "crypto/ecdsa" "crypto/rand" @@ -21,7 +20,6 @@ import ( "time" "github.com/hashicorp/go-hclog" - "github.com/sigstore/cosign/pkg/cosign/bundle" "github.com/sigstore/cosign/pkg/oci" "github.com/spiffe/spire/pkg/agent/plugin/workloadattestor" "github.com/spiffe/spire/pkg/agent/plugin/workloadattestor/k8s/sigstore" @@ -164,6 +162,21 @@ type Suite struct { sigstoreMock *sigstoreMock } +type sigstoreMock struct { + selectors []sigstore.SelectorsFromSignatures + + sigs []oci.Signature + skipSigs bool + skippedSigSelectors []string + returnError error + skippedImages map[string]bool + allowedSubjects map[string]bool + allowedSubjectListEnabled bool + log hclog.Logger + + rekorURL string +} + func (s *Suite) SetupTest() { s.dir = s.TempDir() s.writeFile(defaultTokenPath, "default-token") 
@@ -194,57 +207,6 @@ func (s *Suite) TestAttestWithPidInPod() { s.requireAttestSuccessWithPod(p) } -func (s *Suite) TestAttestWithSigstoreSignatures() { - s.startInsecureKubelet() - s.setSigstoreSelectors([]sigstore.SelectorsFromSignatures{ - { - Subject: "sigstore-subject", - }, - }) - p := s.loadInsecurePluginWithSigstore() - s.requireAttestSuccessWithPodAndSignature(p) -} - -func (s *Suite) TestAttestWithSigstoreSkippedImage() { - s.startInsecureKubelet() - // Skip the image - s.setSigstoreSkipSigs(true) - s.setSigstoreSkippedSigSelectors([]string{"sigstore-validation:passed"}) - p := s.loadInsecurePluginWithSigstore() - s.requireAttestSuccessWithPodAndSkippedImage(p) -} - -func (s *Suite) TestAttestWithFailedSigstoreSignatures() { - s.startInsecureKubelet() - - p := s.newPlugin() - - v1 := new(workloadattestor.V1) - plugintest.Load(s.T(), builtin(p), v1, - plugintest.Configure(fmt.Sprintf(` - kubelet_read_only_port = %d - max_poll_attempts = 5 - poll_retry_interval = "1s" - experimental { - sigstore {} - } - `, s.kubeletPort())), - ) - - buf := bytes.Buffer{} - newLog := hclog.New(&hclog.LoggerOptions{ - Output: &buf, - }) - - p.SetLogger(newLog) - - s.sigstoreMock.returnError = errors.New("sigstore error 123") - - s.requireAttestSuccessWithPod(v1) - s.Require().Contains(buf.String(), "Error retrieving signature payload") - s.Require().Contains(buf.String(), "sigstore error 123") -} - func (s *Suite) TestAttestWithPidInPodAfterRetry() { s.startInsecureKubelet() p := s.loadInsecurePlugin() 
@@ -845,50 +807,20 @@ func (s *Suite) TestConfigure() { } } -type signature struct { - oci.Signature - - payload []byte - cert *x509.Certificate -} - -func (signature) Annotations() (map[string]string, error) { - return nil, nil -} - -func (s signature) Payload() ([]byte, error) { - return s.payload, nil -} - -func (signature) Base64Signature() (string, error) { - return "", nil -} - -func (s signature) Cert() (*x509.Certificate, error) { - return s.cert, nil -} - -func (signature) Chain() ([]*x509.Certificate, error) { - return nil, nil -} - -func (signature) Bundle() (*bundle.RekorBundle, error) { - return nil, nil +func (s *sigstoreMock) AddAllowedSubject(subject string) { + if s.allowedSubjects == nil { + s.allowedSubjects = make(map[string]bool) + } + s.allowedSubjects[subject] = true } -type sigstoreMock struct { - selectors []sigstore.SelectorsFromSignatures - - sigs []oci.Signature - skipSigs bool - skippedSigSelectors []string - returnError error - skippedImages map[string]bool - allowedSubjects map[string]bool - allowedSubjectListEnabled bool - log hclog.Logger - - rekorURL string +func (s *sigstoreMock) AddSkippedImage(images []string) { + if s.skippedImages == nil { + s.skippedImages = make(map[string]bool) + } + for _, imageID := range images { + s.skippedImages[imageID] = true + } } // SetLogger implements sigstore.Sigstore 
@@ -912,25 +844,10 @@ func (s *sigstoreMock) ShouldSkipImage(imageID string) (bool, error) { return s.skipSigs, s.returnError } -func (s *sigstoreMock) AddSkippedImage(images []string) { - if s.skippedImages == nil { - s.skippedImages = make(map[string]bool) - } - for _, imageID := range images { - s.skippedImages[imageID] = true - } -} func (s *sigstoreMock) ClearSkipList() { s.skippedImages = nil } -func (s *sigstoreMock) AddAllowedSubject(subject string) { - if s.allowedSubjects == nil { - s.allowedSubjects = make(map[string]bool) - } - s.allowedSubjects[subject] = true -} - func (s *sigstoreMock) ClearAllowedSubjects() { s.allowedSubjects = nil } @@ -1000,28 +917,6 @@ func (s *Suite) setServer(server *httptest.Server) { s.server = server } -func (s *Suite) setSigstoreSelectors(selectors []sigstore.SelectorsFromSignatures) { - s.sigstoreSelectors = selectors - if s.sigstoreSelectors == nil { - s.sigstoreSigs = nil - return - } - s.sigstoreSigs = []oci.Signature{ - signature{ - payload: []byte("payload"), - cert: &x509.Certificate{}, - }, - } -} - -func (s *Suite) setSigstoreSkipSigs(skip bool) { - s.sigstoreSkipSigs = skip -} - -func (s *Suite) setSigstoreSkippedSigSelectors(selectors []string) { - s.sigstoreSkippedSigSelectors = selectors -} - func (s *Suite) writeFile(path, data string) { realPath := filepath.Join(s.dir, path) s.Require().NoError(os.MkdirAll(filepath.Dir(realPath), 0755)) 
@@ -1228,18 +1123,6 @@ func (s *Suite) requireAttestSuccessWithPod(p workloadattestor.WorkloadAttestor) s.addCgroupsResponse(cgPidInPodFilePath) } -func (s *Suite) requireAttestSuccessWithPodAndSignature(p workloadattestor.WorkloadAttestor) { - s.addPodListResponse(podListFilePath) - s.addCgroupsResponse(cgPidInPodFilePath) - s.requireAttestSuccess(p, testSigstoreSelectors) -} - -func (s *Suite) requireAttestSuccessWithPodAndSkippedImage(p workloadattestor.WorkloadAttestor) { - s.addPodListResponse(podListFilePath) - s.addCgroupsResponse(cgPidInPodFilePath) - s.requireAttestSuccess(p, testSigstoreSkippedSelectors) -} - func (s *Suite) requireAttestSuccess(p workloadattestor.WorkloadAttestor, expectedSelectors []*common.Selector) { selectors, err := p.Attest(context.Background(), pid) s.Require().NoError(err) From 525d7ea8746eac5741518f958b44c7e9771beccd Mon Sep 17 00:00:00 2001 From: Matheus de Farias Cavalcanti Santos Date: Tue, 13 Sep 2022 00:17:23 -0300 Subject: [PATCH 105/257] refactor: deleted commented code, empty lines and changed code location (#67) Signed-off-by: Matheus Santos Signed-off-by: Matheus Santos Co-authored-by: Matheus Santos Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../workloadattestor/k8s/sigstore/sigstore.go | 24 +++++++++---------- .../k8s/sigstore/sigstore_test.go | 1 - 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 8d2e1db4ee..2dc54d8bb5 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go 
@@ -45,18 +45,6 @@ type Sigstore interface { SetLogger(logger hclog.Logger) } -type sigstoreImpl struct { - verifyFunction func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) - fetchImageManifestFunction func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) - skippedImages map[string]bool - allowListEnabled bool - subjectAllowList map[string]bool - rekorURL url.URL - checkOptsFunction func(url.URL) *cosign.CheckOpts - logger hclog.Logger - sigstorecache Cache -} - // The following structs are used to go through the payload json objects type BundleSignature struct { Content string `json:"content"` @@ -109,6 +97,18 @@ func DefaultCheckOpts(rekorURL url.URL) *cosign.CheckOpts { return co } +type sigstoreImpl struct { + verifyFunction func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) + fetchImageManifestFunction func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) + skippedImages map[string]bool + allowListEnabled bool + subjectAllowList map[string]bool + rekorURL url.URL + checkOptsFunction func(url.URL) *cosign.CheckOpts + logger hclog.Logger + sigstorecache Cache +} + func (s *sigstoreImpl) SetLogger(logger hclog.Logger) { s.logger = logger } diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 3349aa965e..e5cd70e0c3 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -250,7 +250,6 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { }, args: args{ imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", - // }, want: nil, wantErr: true, From 9611882efc943417f9a39f62683e470dae0c2b1a Mon Sep 17 00:00:00 2001 
From: Matheus de Farias Cavalcanti Santos Date: Tue, 13 Sep 2022 01:06:34 -0300 Subject: [PATCH 106/257] refactor: changed DeepEqual to require.Equal and other changes (#81) * refactor: changed DeepEqual to require.Equal and other changes Signed-off-by: Matheus Santos * refactor: deleted blank line Signed-off-by: Matheus Santos * refactor: added a blank line in the end of the file Signed-off-by: Matheus Santos Signed-off-by: Matheus Santos Co-authored-by: Matheus Santos Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../workloadattestor/k8s/k8s_posix_test.go | 17 ++-- .../plugin/workloadattestor/k8s/k8s_test.go | 5 +- .../k8s/sigstore/sigstore_test.go | 89 +++++++------------ .../k8s/sigstore/sigstorecache_test.go | 9 +- 4 files changed, 48 insertions(+), 72 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go index 7c954b5111..47e351a49e 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go @@ -257,15 +257,14 @@ func (s *Suite) setSigstoreSkippedSigSelectors(selectors []string) { func (s *Suite) setSigstoreSelectors(selectors []sigstore.SelectorsFromSignatures) { s.sigstoreSelectors = selectors - if s.sigstoreSelectors == nil { - s.sigstoreSigs = nil - return - } - s.sigstoreSigs = []oci.Signature{ - signature{ - payload: []byte("payload"), - cert: &x509.Certificate{}, - }, + s.sigstoreSigs = nil + if s.sigstoreSelectors != nil { + s.sigstoreSigs = []oci.Signature{ + signature{ + payload: []byte("payload"), + cert: &x509.Certificate{}, + }, + } } } diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index 44c407108d..1e3eadaa9a 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go 
@@ -829,7 +829,10 @@ func (s *sigstoreMock) SetLogger(logger hclog.Logger) { } func (s *sigstoreMock) FetchImageSignatures(ctx context.Context, imageName string) ([]oci.Signature, error) { - return s.sigs, s.returnError + if s.returnError != nil { + return nil, s.returnError + } + return s.sigs, nil } func (s *sigstoreMock) SelectorValuesFromSignature(signatures oci.Signature, containerID string) *sigstore.SelectorsFromSignatures { diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index e5cd70e0c3..67e2ac77eb 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -24,6 +24,7 @@ import ( "github.com/sigstore/cosign/pkg/cosign/bundle" "github.com/sigstore/cosign/pkg/oci" rekor "github.com/sigstore/rekor/pkg/generated/client" + "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" ) @@ -589,32 +590,6 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { } } -type noCertSignature signature - -func (noCertSignature) Annotations() (map[string]string, error) { - return nil, nil -} - -func (s noCertSignature) Payload() ([]byte, error) { - return s.payload, nil -} - -func (noCertSignature) Base64Signature() (string, error) { - return "", nil -} - -func (noCertSignature) Cert() (*x509.Certificate, error) { - return nil, errors.New("no cert test") -} - -func (noCertSignature) Chain() ([]*x509.Certificate, error) { - return nil, nil -} - -func (noCertSignature) Bundle() (*bundle.RekorBundle, error) { - return nil, nil -} - type noPayloadSignature signature func (noPayloadSignature) Annotations() (map[string]string, error) { @@ -747,7 +722,7 @@ func Test_certSubject(t *testing.T) { } } -func TestSigstoreimpl_SkipImage(t *testing.T) { +func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { type fields struct { skippedImages map[string](bool) } 
@@ -840,9 +815,7 @@ func TestSigstoreimpl_SkipImage(t *testing.T) { t.Errorf("sigstoreImpl.SkipImage() error = %v, wantErr %v", err, tt.wantErr) return } - if !reflect.DeepEqual(got, tt.want) { - t.Errorf("sigstoreImpl.SkipImage() = %v, want %v", got, tt.want) - } + require.Equal(t, got, tt.want, "sigstoreImpl.SkipImage() = %v, want %v", got, tt.want) }) } } @@ -922,11 +895,6 @@ func TestSigstoreimpl_AddSkippedImage(t *testing.T) { }{ { name: "add skipped image to empty map", - fields: fields{ - verifyFunction: nil, - fetchImageManifestFunction: nil, - skippedImages: nil, - }, args: args{ imageID: []string{"sha256:sampleimagehash"}, }, @@ -937,8 +905,6 @@ func TestSigstoreimpl_AddSkippedImage(t *testing.T) { { name: "add skipped image", fields: fields{ - verifyFunction: nil, - fetchImageManifestFunction: nil, skippedImages: map[string]bool{ "sha256:sampleimagehash1": true, }, @@ -953,11 +919,6 @@ func TestSigstoreimpl_AddSkippedImage(t *testing.T) { }, { name: "add a list of skipped images to empty map", - fields: fields{ - verifyFunction: nil, - fetchImageManifestFunction: nil, - skippedImages: nil, - }, args: args{ imageID: []string{"sha256:sampleimagehash", "sha256:sampleimagehash1"}, }, @@ -969,8 +930,6 @@ func TestSigstoreimpl_AddSkippedImage(t *testing.T) { { name: "add a list of skipped images to a existing map", fields: fields{ - verifyFunction: nil, - fetchImageManifestFunction: nil, skippedImages: map[string]bool{ "sha256:sampleimagehash": true, }, @@ -993,9 +952,7 @@ func TestSigstoreimpl_AddSkippedImage(t *testing.T) { skippedImages: tt.fields.skippedImages, } sigstore.AddSkippedImage(tt.args.imageID) - if !reflect.DeepEqual(sigstore.skippedImages, tt.want) { - t.Errorf("sigstore.skippedImages = %v, want %v", sigstore.skippedImages, tt.want) - } + require.Equal(t, sigstore.skippedImages, tt.want, "sigstore.skippedImages = %v, want %v", sigstore.skippedImages, tt.want) }) } } 
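Review bot: `require.Equal(t, got, tt.want, ...)` passes the observed value in the expected position; testify's signature is `Equal(t, expected, actual, msgAndArgs...)`, so a failure prints the two values under the wrong labels. Swap to `require.Equal(t, tt.want, got)` here and in the other converted assertions in this series (`AddSkippedImage`, `ValidateImage`, `AddAllowedSubject`, `SetRekorURL`, `ExtractSelectorsFromSignatures`, `SelectorValuesFromSignature`, `AttestContainerSignatures`, and the two cache tests). The custom message repeats what testify already prints and can be removed. In this hunk it also still says `sigstoreImpl.SkipImage()` although the test was renamed to `TestSigstoreimpl_ShouldSkipImage`.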
@@ -1147,9 +1104,7 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { t.Errorf("sigstoreImpl.ValidateImage() error = %v, wantErr %v", err, tt.wantErr) return } - if got != tt.want { - t.Errorf("sigstoreImpl.ValidateImage() = %v, want %v", got, tt.want) - } + require.Equal(t, got, tt.want, "sigstoreImpl.ValidateImage() = %v, want %v", got, tt.want) }) } } @@ -1241,9 +1196,7 @@ func TestSigstoreimpl_AddAllowedSubject(t *testing.T) { subjectAllowList: tt.fields.subjectAllowList, } sigstore.AddAllowedSubject(tt.args.subject) - if !reflect.DeepEqual(sigstore.subjectAllowList, tt.want) { - t.Errorf("sigstore.subjectAllowList = %v, want %v", sigstore.subjectAllowList, tt.want) - } + require.Equal(t, sigstore.subjectAllowList, tt.want, "sigstore.subjectAllowList = %v, want %v", sigstore.subjectAllowList, tt.want) }) } } @@ -1818,9 +1771,33 @@ func TestSigstoreimpl_SetRekorURL(t *testing.T) { if err := sigstore.SetRekorURL(tt.args.rekorURL); (err != nil) != tt.wantErr { t.Errorf("sigstoreImpl.SetRekorURL() error = %v, wantErr %v", err, tt.wantErr) } - if !reflect.DeepEqual(sigstore.rekorURL, tt.want) { - t.Errorf("sigstoreImpl.SetRekorURL() = %v, want %v", sigstore.rekorURL, tt.want) - } + require.Equal(t, sigstore.rekorURL, tt.want, "sigstoreImpl.SetRekorURL() = %v, want %v", sigstore.rekorURL, tt.want) }) } } + +type noCertSignature signature + +func (noCertSignature) Annotations() (map[string]string, error) { + return nil, nil +} + +func (s noCertSignature) Payload() ([]byte, error) { + return s.payload, nil +} + +func (noCertSignature) Base64Signature() (string, error) { + return "", nil +} + +func (noCertSignature) Cert() (*x509.Certificate, error) { + return nil, errors.New("no cert test") +} + +func (noCertSignature) Chain() ([]*x509.Certificate, error) { + return nil, nil +} + +func (noCertSignature) Bundle() (*bundle.RekorBundle, error) { + return nil, nil +} 
diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go index 4bcbaee505..fa95470661 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go @@ -5,6 +5,8 @@ import ( "reflect" "sync" "testing" + + "github.com/stretchr/testify/require" ) var ( @@ -12,7 +14,6 @@ var ( Key: "signature1", Value: []SelectorsFromSignatures{ { - Subject: "spirex1@example.com", Content: "content1", LogID: "1111111111111111", @@ -25,7 +26,6 @@ var ( Key: "signature2", Value: []SelectorsFromSignatures{ { - Subject: "spirex2@example.com", Content: "content2", LogID: "2222222222222222", @@ -200,10 +200,7 @@ func TestCacheimpl_PutSignature(t *testing.T) { if !present { t.Errorf("Key put but not found: %v", tt.wantKey) } - - if !reflect.DeepEqual(gotItem.item, tt.wantValue) { - t.Errorf("Value different than expected. \nGot: %v \nWant:%v", gotItem.item, tt.wantValue) - } + require.Equal(t, gotItem.item, tt.wantValue, "Value different than expected. \nGot: %v \nWant:%v", gotItem.item, tt.wantValue) }) } } From cda7f504611990f7c9b81b3f062b472ef0df7817 Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Wed, 14 Sep 2022 20:41:45 -0300 Subject: [PATCH 107/257] Update doc/plugin_agent_workloadattestor_k8s.md Co-authored-by: Marcos Yacob Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- doc/plugin_agent_workloadattestor_k8s.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index 16e56a6414..2336bc9705 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md 
@@ -53,7 +53,7 @@ since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/cre | `use_anonymous_authentication` | If true, use anonymous authentication for kubelet communication | | `node_name_env` | The environment variable used to obtain the node name. Defaults to `MY_NODE_NAME`. | | `node_name` | The name of the node. Overrides the value obtained by the environment variable specified by `node_name_env`. | -| `experimental` | experimental options, described below. Currently only contain sigstore options. Defaults to empty. | +| `experimental` | The experimental options that are subject to change or removal. | | Experimental options | Description | | ------------- | ----------- | From 8f934a2493a6e6d174a6b5b15813f331f537455f Mon Sep 17 00:00:00 2001 From: Matheus de Farias Cavalcanti Santos Date: Thu, 15 Sep 2022 10:45:48 -0300 Subject: [PATCH 108/257] =?UTF-8?q?refactor:=20pr=20requests=20to=20change?= =?UTF-8?q?=20from=20deepEqual=20to=20require.Equal,=20remo=E2=80=A6=20(#8?= =?UTF-8?q?8)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit refactor: pr requests to change from deepEqual to require.Equal, remove some code from k8s_test file and refactor an error message in sigstorecache_test file Signed-off-by: Matheus Santos Signed-off-by: Matheus Santos Co-authored-by: Matheus Santos Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../workloadattestor/k8s/k8s_posix_test.go | 13 ----- .../plugin/workloadattestor/k8s/k8s_test.go | 56 +++++++++---------- .../k8s/sigstore/sigstore_test.go | 14 ++--- .../k8s/sigstore/sigstorecache_test.go | 9 +-- 4 files changed, 36 insertions(+), 56 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go index 47e351a49e..08e5653063 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go 
@@ -14,7 +14,6 @@ import ( "testing" "github.com/hashicorp/go-hclog" - "github.com/sigstore/cosign/pkg/cosign/bundle" "github.com/sigstore/cosign/pkg/oci" "github.com/spiffe/spire/pkg/agent/common/cgroups" "github.com/spiffe/spire/pkg/agent/plugin/workloadattestor" @@ -212,10 +211,6 @@ type signature struct { cert *x509.Certificate } -func (signature) Annotations() (map[string]string, error) { - return nil, nil -} - func (s signature) Payload() ([]byte, error) { return s.payload, nil } @@ -228,14 +223,6 @@ func (s signature) Cert() (*x509.Certificate, error) { return s.cert, nil } -func (signature) Chain() ([]*x509.Certificate, error) { - return nil, nil -} - -func (signature) Bundle() (*bundle.RekorBundle, error) { - return nil, nil -} - func (s *Suite) TestAttestWithSigstoreSignatures() { s.startInsecureKubelet() s.setSigstoreSelectors([]sigstore.SelectorsFromSignatures{ diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index 1e3eadaa9a..dcc3847df2 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -162,21 +162,6 @@ type Suite struct { sigstoreMock *sigstoreMock } -type sigstoreMock struct { - selectors []sigstore.SelectorsFromSignatures - - sigs []oci.Signature - skipSigs bool - skippedSigSelectors []string - returnError error - skippedImages map[string]bool - allowedSubjects map[string]bool - allowedSubjectListEnabled bool - log hclog.Logger - - rekorURL string -} - func (s *Suite) SetupTest() { s.dir = s.TempDir() s.writeFile(defaultTokenPath, "default-token") 
@@ -807,20 +792,19 @@ func (s *Suite) TestConfigure() { } } -func (s *sigstoreMock) AddAllowedSubject(subject string) { - if s.allowedSubjects == nil { - s.allowedSubjects = make(map[string]bool) - } - s.allowedSubjects[subject] = true -} +type sigstoreMock struct { + selectors []sigstore.SelectorsFromSignatures -func (s *sigstoreMock) AddSkippedImage(images []string) { - if s.skippedImages == nil { - s.skippedImages = make(map[string]bool) - } - for _, imageID := range images { - s.skippedImages[imageID] = true - } + sigs []oci.Signature + skipSigs bool + skippedSigSelectors []string + returnError error + skippedImages map[string]bool + allowedSubjects map[string]bool + allowedSubjectListEnabled bool + log hclog.Logger + + rekorURL string } // SetLogger implements sigstore.Sigstore @@ -1171,3 +1155,19 @@ type testFS string func (fs testFS) Open(path string) (io.ReadCloser, error) { return os.Open(filepath.Join(string(fs), path)) } + +func (s *sigstoreMock) AddAllowedSubject(subject string) { + if s.allowedSubjects == nil { + s.allowedSubjects = make(map[string]bool) + } + s.allowedSubjects[subject] = true +} + +func (s *sigstoreMock) AddSkippedImage(images []string) { + if s.skippedImages == nil { + s.skippedImages = make(map[string]bool) + } + for _, imageID := range images { + s.skippedImages[imageID] = true + } +} diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 67e2ac77eb..1d426415a0 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go 
@@ -583,9 +583,8 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { verifyFunction: tt.fields.verifyFunction, logger: hclog.Default(), } - if got := s.ExtractSelectorsFromSignatures(tt.args.signatures, tt.containerID); !reflect.DeepEqual(got, tt.want) { - t.Errorf("sigstoreImpl.ExtractSelectorsFromSignatures() = %v, want %v", got, tt.want) - } + got := s.ExtractSelectorsFromSignatures(tt.args.signatures, tt.containerID) + require.Equal(t, got, tt.want, "sigstoreImpl.ExtractSelectorsFromSignatures() = %v, want %v", got, tt.want) }) } } @@ -1441,9 +1440,8 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { subjectAllowList: tt.fields.subjectAllowList, logger: hclog.Default(), } - if got := sigstore.SelectorValuesFromSignature(tt.args.signature, tt.containerID); !reflect.DeepEqual(got, tt.want) { - t.Errorf("sigstoreImpl.SelectorValuesFromSignature() = %v, want %v", got, tt.want) - } + got := sigstore.SelectorValuesFromSignature(tt.args.signature, tt.containerID) + require.Equal(t, got, tt.want, "sigstoreImpl.SelectorValuesFromSignature() = %v, want %v", got, tt.want) }) } } @@ -1677,9 +1675,7 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { t.Errorf("sigstoreImpl.AttestContainerSignatures() error = %v, wantErr %v", err, tt.wantErr) return } - if !reflect.DeepEqual(got, tt.want) { - t.Errorf("sigstoreImpl.AttestContainerSignatures() = %v, want %v", got, tt.want) - } + require.Equal(t, got, tt.want, "sigstoreImpl.AttestContainerSignatures() = %v, want %v", got, tt.want) }) } } diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go index fa95470661..fbb080add4 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go 
@@ -125,9 +125,8 @@ func TestCacheimpl_GetSignature(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - if got := cacheInstance.GetSignature(tt.key); !reflect.DeepEqual(got, tt.want) { - t.Errorf("%v Got: %v Want: %v", tt.errorMessage, got, tt.want) - } + got := cacheInstance.GetSignature(tt.key) + require.Equal(t, got, tt.want, "%v Got: %v Want: %v", tt.errorMessage, got, tt.want) }) } } @@ -187,14 +186,12 @@ func TestCacheimpl_PutSignature(t *testing.T) { }, } - putKeys := 0 for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { cacheInstance.PutSignature(*tt.item) - putKeys++ gotLen := cacheInstance.items.Len() if gotLen != tt.wantLength { - t.Errorf("Item count should be %v after putting %v keys", tt.wantLength, putKeys) + t.Errorf("Item count should be %v in test case %q", tt.wantLength, tt.name) } gotItem, present := m[tt.wantKey] if !present { From 09d16b4c547cd953747a2eb05d16c793ed938fac Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Thu, 15 Sep 2022 10:46:42 -0300 Subject: [PATCH 109/257] Removed unnecessary code (#99) Signed-off-by: Willian Alves Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../plugin/workloadattestor/k8s/sigstore/sigstore_test.go | 4 ---- 1 file changed, 4 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 1d426415a0..8c39e1aaf1 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -1050,7 +1050,6 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { Manifest: []byte(`sometext`), }, nil }, - skippedImages: nil, }, args: args{ ref: func(d name.Digest, err error) name.Digest { return d }(name.NewDigest("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505")), 
@@ -1065,7 +1064,6 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { return nil, errors.New("fetch error") }, - skippedImages: nil, }, args: args{ ref: func(d name.Digest, err error) name.Digest { return d }(name.NewDigest("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505")), @@ -1082,7 +1080,6 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { Manifest: nil, }, nil }, - skippedImages: nil, }, args: args{ ref: func(d name.Digest, err error) name.Digest { return d }(name.NewDigest("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505")), @@ -1648,7 +1645,6 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { Manifest: []byte("sometext"), }, nil }, - skippedImages: nil, }, status: corev1.ContainerStatus{ Image: "spire-agent-sigstore-3", From 3dc5505161cf7cc2baddee36cb1fb32e091d9547 Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Thu, 15 Sep 2022 14:45:35 -0300 Subject: [PATCH 110/257] Added rekor text in docs (#101) Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- doc/plugin_agent_workloadattestor_k8s.md | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index 2336bc9705..e50e6afb43 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md 
@@ -66,6 +66,7 @@ since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/cre | `allowed_subjects_list`| The list of allowed subjects enabled by `enable_allowed_subjects_list` each entry represents subject e-mail. Defaults to empty list. | | `rekor_url` | The URL for the rekor STL Server to use with cosign. Defaults to 'rekor.sigstore.dev', Rekor's public instance. | +**Note** The sigstore project contains a transparency log called Rekor that provides an immutable, tamper-resistant ledger to record signed metadata to an immutable record. While it is possible to run your own instance, a public instance of rekor is available at rekor.sigstore.dev, cosign defaults to using the public instance. ### Sigstore workload attestor for SPIRE From ce48b93262afaa4af8892fd0084c4e228f329257 Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Tue, 20 Sep 2022 11:53:52 -0300 Subject: [PATCH 111/257] Added test case for last element added as first of list (#106) * Added test case for last element added as first of list Signed-off-by: Willian Alves * tests: removed parallel call to t.Run on sequential tests Signed-off-by: Rodrigo Lopes * tests: added longer sequence of tests and checks Signed-off-by: Rodrigo Lopes * tests: refactored TestNewCache to not use multiple test case syntax for a single test case Signed-off-by: Rodrigo Lopes Signed-off-by: Willian Alves Signed-off-by: Rodrigo Lopes Co-authored-by: Rodrigo Lopes Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../k8s/sigstore/sigstorecache_test.go | 310 ++++++++++++++++-- 1 file changed, 274 insertions(+), 36 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go index fbb080add4..18c3f2ff1d 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go 
@@ -2,7 +2,6 @@ package sigstore import ( "container/list" - "reflect" "sync" "testing" @@ -57,30 +56,29 @@ var ( }, }, } -) -func TestNewCache(t *testing.T) { - tests := []struct { - name string - want Cache - }{ - { - name: "New", - want: &cacheImpl{ - size: 3, - items: list.New(), - mutex: sync.RWMutex{}, - itemsMap: make(map[string]MapItem), + selectors2Updated = Item{ + Key: "signature2", + Value: []SelectorsFromSignatures{ + { + Subject: "spirex2@example.com", + Content: "content5", + LogID: "5555555555555555", + IntegratedTime: "5555555555555555", }, }, } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if got := NewCache(3); !reflect.DeepEqual(got, tt.want) { - t.Errorf("NewCache() = %v, want %v", got, tt.want) - } - }) +) + +func TestNewCache(t *testing.T) { + want := &cacheImpl{ + size: 3, + items: list.New(), + mutex: sync.RWMutex{}, + itemsMap: make(map[string]MapItem), } + got := NewCache(3) + require.Equal(t, want, got, "NewCache() = %v, want %v", got, want) } func TestCacheimpl_GetSignature(t *testing.T) { @@ -124,10 +122,8 @@ func TestCacheimpl_GetSignature(t *testing.T) { } for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - got := cacheInstance.GetSignature(tt.key) - require.Equal(t, got, tt.want, "%v Got: %v Want: %v", tt.errorMessage, got, tt.want) - }) + got := cacheInstance.GetSignature(tt.key) + require.Equal(t, got, tt.want, "%v Got: %v Want: %v", tt.errorMessage, got, tt.want) } } 
@@ -187,17 +183,259 @@ func TestCacheimpl_PutSignature(t *testing.T) { } for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - cacheInstance.PutSignature(*tt.item) - gotLen := cacheInstance.items.Len() - if gotLen != tt.wantLength { - t.Errorf("Item count should be %v in test case %q", tt.wantLength, tt.name) - } - gotItem, present := m[tt.wantKey] - if !present { - t.Errorf("Key put but not found: %v", tt.wantKey) - } - require.Equal(t, gotItem.item, tt.wantValue, "Value different than expected. \nGot: %v \nWant:%v", gotItem.item, tt.wantValue) - }) + cacheInstance.PutSignature(*tt.item) + gotLen := cacheInstance.items.Len() + if gotLen != tt.wantLength { + t.Errorf("Item count should be %v in test case %q", tt.wantLength, tt.name) + } + gotItem, present := m[tt.wantKey] + if !present { + t.Errorf("Key put but not found: %v", tt.wantKey) + } + require.Equal(t, gotItem.item, tt.wantValue, "Value different than expected. \nGot: %v \nWant:%v", gotItem.item, tt.wantValue) + } +} + +func TestCacheimpl_CheckOverflowAndUpdates(t *testing.T) { + m := make(map[string]MapItem) + items := list.New() + + cacheInstance := &cacheImpl{ + size: 2, + items: items, + mutex: sync.RWMutex{}, + itemsMap: m, + } + + putSteps1 := []struct { + name string + item *Item + wantLength int + wantKey string + wantValue *Item + wantHeadKey string + }{ + { + name: "Put first element", + item: &selectors1, + wantLength: 1, + wantKey: selectors1.Key, + wantValue: &selectors1, + wantHeadKey: selectors1.Key, + }, + { + name: "Put first element again", + item: &selectors1, + wantLength: 1, + wantKey: selectors1.Key, + wantValue: &selectors1, + wantHeadKey: selectors1.Key, + }, + { + name: "Put second element", + item: &selectors2, + wantLength: 2, + wantKey: selectors2.Key, + wantValue: &selectors2, + wantHeadKey: selectors2.Key, + }, + { + name: "Put third element, Overflow cache", + item: &selectors3, + wantLength: 2, + wantKey: selectors3.Key, + wantValue: &selectors3, + wantHeadKey: 
selectors3.Key, + }, + { + name: "Update entry", + item: &selectors3Updated, + wantLength: 2, + wantKey: selectors3.Key, + wantValue: &selectors3Updated, + wantHeadKey: selectors3.Key, + }, + { + name: "Put second element, again", + item: &selectors2, + wantLength: 2, + wantKey: selectors2.Key, + wantValue: &selectors2, + wantHeadKey: selectors2.Key, + }, + } + getSteps1 := []struct { + name string + key string + item *Item + wantLength int + wantValue *Item + wantHeadKey string + }{ + { + name: "Get first element", + key: selectors1.Key, + item: nil, + wantLength: 2, + wantHeadKey: selectors2.Key, + }, + { + name: "Get third element", + key: selectors3.Key, + item: &selectors3Updated, + wantLength: 2, + wantHeadKey: selectors3.Key, + }, + { + name: "Get first element, after third element was accessed", + key: selectors1.Key, + item: nil, + wantLength: 2, + wantHeadKey: selectors3.Key, + }, + { + name: "Get second element", + key: selectors2.Key, + item: &selectors2, + wantLength: 2, + wantValue: &selectors2, + wantHeadKey: selectors2.Key, + }, + } + + putSteps2 := []struct { + name string + item *Item + wantLength int + wantKey string + wantValue *Item + wantHeadKey string + }{ + { + name: "Put first element again, overflow cache", + item: &selectors1, + wantLength: 2, + wantKey: selectors1.Key, + wantValue: &selectors1, + wantHeadKey: selectors1.Key, + }, + { + name: "Put second element updated", + item: &selectors2Updated, + wantLength: 2, + wantKey: selectors2.Key, + wantValue: &selectors2Updated, + wantHeadKey: selectors2.Key, + }, + { + name: "Put third element again, overflow cache", + item: &selectors3Updated, + wantLength: 2, + wantKey: selectors3.Key, + wantValue: &selectors3Updated, + wantHeadKey: selectors3.Key, + }, + { + name: "Revert third entry", + item: &selectors3, + wantLength: 2, + wantKey: selectors3.Key, + wantValue: &selectors3, + wantHeadKey: selectors3.Key, + }, + { + name: "Pull second element to front", + item: &selectors2Updated, + 
wantLength: 2, + wantKey: selectors2.Key, + wantValue: &selectors2Updated, + wantHeadKey: selectors2.Key, + }, + { + name: "Put first element for the last time, overflow cache", + item: &selectors1, + wantLength: 2, + wantKey: selectors1.Key, + wantValue: &selectors1, + wantHeadKey: selectors1.Key, + }, + } + + getSteps2 := []struct { + name string + key string + item *Item + wantLength int + wantValue *Item + wantHeadKey string + }{ + { + name: "Get third element, should fail", + key: selectors3.Key, + item: nil, + wantLength: 2, + wantHeadKey: selectors1.Key, + }, + { + name: "Get third element again, should not change head", + key: selectors3.Key, + item: nil, + wantLength: 2, + wantHeadKey: selectors1.Key, + }, + { + name: "Get first element", + key: selectors1.Key, + item: &selectors1, + wantLength: 2, + wantHeadKey: selectors1.Key, + }, + { + name: "Get second element", + key: selectors2.Key, + item: &selectors2Updated, + wantLength: 2, + wantHeadKey: selectors2.Key, + }, + { + name: "Get third element again, should have new head from last get", + key: selectors3.Key, + item: nil, + wantLength: 2, + wantHeadKey: selectors2.Key, + }, + } + + for _, step := range putSteps1 { + cacheInstance.PutSignature(*step.item) + require.Contains(t, m, step.wantKey, "Key %q should be in the map after step %q", step.wantKey, step.name) + gotItem := m[step.wantKey].item + + require.Equal(t, gotItem, step.wantValue, "Value different than expected. \nGot: %v \nWant:%v", gotItem, step.wantValue) + require.Equal(t, items.Len(), step.wantLength, "Item count should be %v after step %q", step.wantLength, step.name) + require.Equal(t, items.Front().Value, step.wantHeadKey, "First element is %v should be %v after step %q", items.Front().Value, step.wantHeadKey, step.name) + } + for _, step := range getSteps1 { + gotItem := cacheInstance.GetSignature(step.key) + + require.Equal(t, gotItem, step.item, "Value different than expected. 
\nGot: %v \nWant:%v", gotItem, step.item) + require.Equal(t, items.Len(), step.wantLength, "Item count should be %v after step %q", step.wantLength, step.name) + require.Equal(t, items.Front().Value, step.wantHeadKey, "First element is %v should be %v after step %q", items.Front().Value, step.wantHeadKey, step.name) + } + for _, step := range putSteps2 { + cacheInstance.PutSignature(*step.item) + require.Contains(t, m, step.wantKey, "Key %q should be in the map after step %q", step.wantKey, step.name) + gotItem := m[step.wantKey].item + + require.Equal(t, gotItem, step.wantValue, "Value different than expected. \nGot: %v \nWant:%v", gotItem, step.wantValue) + require.Equal(t, items.Len(), step.wantLength, "Item count should be %v after step %q", step.wantLength, step.name) + require.Equal(t, items.Front().Value, step.wantHeadKey, "First element is %v should be %v after step %q", items.Front().Value, step.wantHeadKey, step.name) + } + for _, step := range getSteps2 { + gotItem := cacheInstance.GetSignature(step.key) + + require.Equal(t, gotItem, step.item, "Value different than expected. \nGot: %v \nWant:%v", gotItem, step.item) + require.Equal(t, items.Len(), step.wantLength, "Item count should be %v after step %q", step.wantLength, step.name) + require.Equal(t, items.Front().Value, step.wantHeadKey, "First element is %v should be %v after step %q", items.Front().Value, step.wantHeadKey, step.name) } } From 0d6903c3286fa6b558ad4346f188225ff3cae32c Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Tue, 20 Sep 2022 11:59:31 -0300 Subject: [PATCH 112/257] fix: refactoring so sigstore errors make attestation fail completely (#107) * fix: refactoring so sigstore errors make attestation fail completely Signed-off-by: Rodrigo Lopes * lint: fixed lint complain Signed-off-by: Rodrigo Lopes * tests: moved new requireAttestFailureWithPod test helper function to k8s_posix_test.go, fixing windows linting Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes 
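Review bot: In TestCacheimpl_CheckOverflowAndUpdates the `wantValue` field of `getSteps1` and `getSteps2` is never read. Both get loops compare the result with `step.item`, and only the "Get second element" step of `getSteps1` sets `wantValue` at all. Drop the field from the two get-step structs so each step states a single expectation. The two put loops are identical to each other, as are the two get loops, so a small local helper per kind (for example `runPutSteps(steps)` and `runGetSteps(steps)`) would keep the eviction and recency checks in one place. The first lines of this hunk belong to TestCacheimpl_PutSignature, which starts outside it.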
Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s.go | 4 ++-- .../plugin/workloadattestor/k8s/k8s_posix_test.go | 10 ++++++++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s.go b/pkg/agent/plugin/workloadattestor/k8s/k8s.go index 0bf7bcba11..02df29b874 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s.go @@ -272,9 +272,9 @@ func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestReque sigstoreSelectors, err := p.sigstore.AttestContainerSignatures(ctx, lookupStatus) if err != nil { log.Error("Error retrieving signature payload", "error", err) - } else { - selectors = append(selectors, sigstoreSelectors...) + return nil, status.Errorf(codes.Internal, "error retrieving signature payload: %v", err) } + selectors = append(selectors, sigstoreSelectors...) } attestResponse = &workloadattestorv1.AttestResponse{ SelectorValues: selectors, diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go index 08e5653063..05359511c0 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go @@ -290,9 +290,9 @@ func (s *Suite) TestAttestWithFailedSigstoreSignatures() { s.sigstoreMock.returnError = errors.New("sigstore error 123") - s.requireAttestSuccessWithPod(v1) + s.requireAttestFailureWithPod(v1, codes.Internal, fmt.Sprintf("error retrieving signature payload: %v", "sigstore error 123")) s.Require().Contains(buf.String(), "Error retrieving signature payload") - s.Require().Contains(buf.String(), "sigstore error 123") + s.Require().Contains(buf.String(), fmt.Sprintf("error=%q", "sigstore error 123")) } func (s *Suite) TestLogger() { 
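Review bot: The new early return in Attest makes a sigstore failure fatal for the whole attestation, but nothing at the call site records that this is intentional. A short comment above the check would keep a later refactor from restoring the old best-effort path, for example `// Fail closed: a sigstore error must not produce a response that silently lacks signature selectors.` The error is also both logged and returned, so it will likely be reported twice if the caller logs the gRPC status. The test in k8s_posix_test.go asserts on the log line, so keeping both should be a deliberate choice. Attest starts and ends outside this hunk.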
@@ -364,6 +364,12 @@ func (s *Suite) requireAttestSuccessWithPodSystemdCgroups(p workloadattestor.Wor s.requireAttestSuccess(p, testPodAndContainerSelectors) } +func (s *Suite) requireAttestFailureWithPod(p workloadattestor.WorkloadAttestor, code codes.Code, contains string) { + s.addPodListResponse(podListFilePath) + s.addGetContainerResponsePidInPod() + s.requireAttestFailure(p, code, contains) +} + func TestGetContainerIDFromCGroups(t *testing.T) { makeCGroups := func(groupPaths []string) []cgroups.Cgroup { var out []cgroups.Cgroup From 01d87ebc61eb50e72c7e100889901a65819c9ff9 Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Tue, 20 Sep 2022 12:07:55 -0300 Subject: [PATCH 113/257] tests: removed repeated tests of failing parsing rekorURL on mock (#112) Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../plugin/workloadattestor/k8s/k8s_test.go | 44 +------------------ 1 file changed, 1 insertion(+), 43 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index dcc3847df2..12d0738425 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -667,21 +667,7 @@ func (s *Suite) TestConfigure() { sigstoreEnabled: true, }, { - name: "secure defaults with empty rekor URL", - hcl: ` - experimental = { - sigstore = { - rekor_url = "" - } - } - `, - sigstoreError: errors.New("rekor URL is empty"), - config: nil, - errCode: codes.InvalidArgument, - errMsg: "failed to parse Rekor URL: rekor URL is empty", - }, - { - name: "secure defaults for failed parsing rekor URI", + name: "secure defaults, failed parsing rekor URI", hcl: ` experimental = { sigstore = { 
@@ -694,34 +680,6 @@ func (s *Suite) TestConfigure() { errCode: codes.InvalidArgument, errMsg: "failed to parse Rekor URL: failed parsing rekor URI", }, - { - name: "secure defaults for invalid rekor URL Scheme", - hcl: ` - experimental = { - sigstore = { - rekor_url = "htttp://rekor.example.com" - } - } - `, - sigstoreError: errors.New("invalid rekor URL Scheme"), - config: nil, - errCode: codes.InvalidArgument, - errMsg: "failed to parse Rekor URL: invalid rekor URL Scheme", - }, - { - name: "secure defaults for invalid rekor URL Host", - hcl: ` - experimental = { - sigstore = { - rekor_url = "invalid;.com" - } - } - `, - sigstoreError: errors.New("invalid rekor URL Host"), - config: nil, - errCode: codes.InvalidArgument, - errMsg: "failed to parse Rekor URL: invalid rekor URL Host", - }, } for _, testCase := range testCases { From 99c39fb68cb42b525aa0db40f1f033fdf82c72b8 Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Tue, 20 Sep 2022 14:57:08 -0300 Subject: [PATCH 114/257] Fix sigstore_tests (#91) * refactor: used oci.Signature instead of v1.Layer, and removed unneeded nil functions Signed-off-by: Rodrigo Lopes * refactor: streamlined returns Signed-off-by: Rodrigo Lopes * refactor: removed unused functions for error signature types Signed-off-by: Rodrigo Lopes * refactor: refactored TestNew and added fail messages Signed-off-by: Rodrigo Lopes * refactor: refactored New tests Signed-off-by: Rodrigo Lopes * test: added function mock factory functions Signed-off-by: Rodrigo Lopes * tests: placed deepEqual usage in TestSigstoreimpl_FetchImageSignatures Signed-off-by: Rodrigo Lopes * tests: added argument testing for mock functions in TestSigstoreimpl_FetchImageSignatures Signed-off-by: Rodrigo Lopes * tests: added a comment. Signed-off-by: Rodrigo Lopes * tests: added error value checking to TestSigstoreimpl_FetchImageSignatures Signed-off-by: Rodrigo Lopes * tests: added error and arg checking on TestSigstoreimpl_ValidateImage 
Signed-off-by: Rodrigo Lopes * tests: refactored function mocks Signed-off-by: Rodrigo Lopes * tests: fixed fail functions Signed-off-by: Rodrigo Lopes * tests: added error and args checking to TestSigstoreimpl_AttestContainerSignatures Signed-off-by: Rodrigo Lopes * tests: added error checking on SetRekorURL Signed-off-by: Rodrigo Lopes * tests: moved signature types and helper functions to end of file Signed-off-by: Rodrigo Lopes * tests: added extra test cases to TestSigstoreimpl_ClearAllowedSubjects Signed-off-by: Rodrigo Lopes * lint: fixing trailing newlines and comment spacing Signed-off-by: Rodrigo Lopes * lint: removed trailing newline Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../k8s/sigstore/sigstore_test.go | 862 ++++++++++-------- 1 file changed, 502 insertions(+), 360 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 8c39e1aaf1..fdce015bbc 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -17,7 +17,6 @@ import ( "time" "github.com/google/go-containerregistry/pkg/name" - v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/remote" "github.com/hashicorp/go-hclog" "github.com/sigstore/cosign/pkg/cosign" 
@@ -32,49 +31,13 @@ const ( maximumAmountCache = 10 ) -type signature struct { - v1.Layer - - payload []byte - cert *x509.Certificate - bundle *bundle.RekorBundle -} - -func (signature) Annotations() (map[string]string, error) { - return nil, nil -} - -func (s signature) Payload() ([]byte, error) { - return s.payload, nil -} - -func (signature) Base64Signature() (string, error) { - return "", nil -} - -func (s signature) Cert() (*x509.Certificate, error) { - return s.cert, nil -} - -func (signature) Chain() ([]*x509.Certificate, error) { - return nil, nil -} - -func (s signature) Bundle() (*bundle.RekorBundle, error) { - return s.bundle, nil -} - func createCertificate(template *x509.Certificate, parent *x509.Certificate, pub interface{}, priv crypto.Signer) (*x509.Certificate, error) { certBytes, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv) if err != nil { return nil, err } - cert, err := x509.ParseCertificate(certBytes) - if err != nil { - return nil, err - } - return cert, nil + return x509.ParseCertificate(certBytes) } func GenerateRootCa() (*x509.Certificate, *ecdsa.PrivateKey, error) { 
@@ -97,89 +60,89 @@ func GenerateRootCa() (*x509.Certificate, *ecdsa.PrivateKey, error) { } cert, err := createCertificate(rootTemplate, rootTemplate, &priv.PublicKey, priv) - if err != nil { - return nil, nil, err - } - - return cert, priv, nil + return cert, priv, err } func TestNew(t *testing.T) { newcache := NewCache(maximumAmountCache) - - tests := []struct { - name string - want Sigstore - }{ - { - name: "New", - want: &sigstoreImpl{ - verifyFunction: cosign.VerifyImageSignatures, - fetchImageManifestFunction: remote.Get, - skippedImages: nil, - allowListEnabled: false, - subjectAllowList: map[string]bool{}, - rekorURL: url.URL{Scheme: rekor.DefaultSchemes[0], Host: rekor.DefaultHost, Path: rekor.DefaultBasePath}, - sigstorecache: newcache, - checkOptsFunction: DefaultCheckOpts, - logger: nil, - }, - }, + want := &sigstoreImpl{ + verifyFunction: cosign.VerifyImageSignatures, + fetchImageManifestFunction: remote.Get, + skippedImages: nil, + allowListEnabled: false, + subjectAllowList: nil, + rekorURL: url.URL{Scheme: rekor.DefaultSchemes[0], Host: rekor.DefaultHost, Path: rekor.DefaultBasePath}, + sigstorecache: newcache, + checkOptsFunction: DefaultCheckOpts, + logger: nil, } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if got := New(newcache, nil); fmt.Sprintf("%v", got) != fmt.Sprintf("%v", tt.want) { - t.Errorf("New() = %v, want %v", got, tt.want) - } - }) + sigstore := New(newcache, nil) + + if sigImpObj, ok := sigstore.(*sigstoreImpl); !ok { + t.Errorf("object type does not match") + } else { // test each field manually since require.Equal does not work on function pointers + if &(sigImpObj.verifyFunction) == &(want.verifyFunction) { + t.Errorf("verify functions do not match") + } + if &(sigImpObj.fetchImageManifestFunction) == &(want.fetchImageManifestFunction) { + t.Errorf("fetchImageManifest functions do not match") + } + if &(sigImpObj.checkOptsFunction) == &(want.checkOptsFunction) { + t.Errorf("checkOptsFunction functions do 
not match") + } + require.Equal(t, want.skippedImages, sigImpObj.skippedImages, "skippedImages array is not empty") + require.Equal(t, want.allowListEnabled, sigImpObj.allowListEnabled, "allowListEnabled has wrong value") + require.Equal(t, want.subjectAllowList, sigImpObj.subjectAllowList, "subjectAllowList array is not empty") + require.Equal(t, want.rekorURL, sigImpObj.rekorURL, "rekorURL is different from rekor default") + require.Equal(t, want.sigstorecache, sigImpObj.sigstorecache, "sigstorecache is different from fresh object") + require.Equal(t, want.logger, sigImpObj.logger, "new logger is not nil") } } func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { type fields struct { - verifyFunction func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) - fetchImageManifestFunction func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) + verifyFunction verifyFunctionBinding + fetchImageManifestFunction fetchFunctionBinding } type args struct { imageName string } - emptyCheckOptsFunction := func(url.URL) *cosign.CheckOpts { - co := &cosign.CheckOpts{} - co.RekorClient = new(rekor.Rekor) - rootCert, _, _ := GenerateRootCa() - rootPool := x509.NewCertPool() - rootPool.AddCert(rootCert) - co.RootCerts = rootPool - - return co - } + emptyCheckOpts := &cosign.CheckOpts{} tests := []struct { - name string - fields fields - args args - want []oci.Signature - wantErr bool + name string + fields fields + args args + wantedFetchArguments fetchFunctionArguments + wantedVerifyArguments verifyFunctionArguments + want []oci.Signature + wantErr bool + wantedErr error }{ { name: "fetch image with signature", fields: fields{ - verifyFunction: func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { - return []oci.Signature{ - signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": 
{"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - }, - }, true, nil - }, - fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { - return &remote.Descriptor{ - Manifest: []byte("sometext"), - }, nil - }, + verifyFunction: createVerifyFunction([]oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + }, true, nil), + fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), }, args: args{ imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", }, + wantedFetchArguments: fetchFunctionArguments{ + called: true, + ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: nil, + }, + wantedVerifyArguments: verifyFunctionArguments{ + called: true, + context: context.Background(), + ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: emptyCheckOpts, + }, want: []oci.Signature{ signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), 
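Review bot: The three function checks in TestNew can never fail. `&(sigImpObj.verifyFunction) == &(want.verifyFunction)` compares the addresses of fields in two different structs, which are always distinct, and the branch reports a mismatch when they are equal rather than when they differ. As written, the test does not confirm that New wires `cosign.VerifyImageSignatures`, `remote.Get` and `DefaultCheckOpts` as the defaults. Compare the code pointers instead, e.g. `if reflect.ValueOf(sigImpObj.verifyFunction).Pointer() != reflect.ValueOf(want.verifyFunction).Pointer() {`, and do the same for `fetchImageManifestFunction` and `checkOptsFunction`. That is precise enough for a default-wiring check, and it needs the `reflect` import, which is not visible in this hunk.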
@@ -190,25 +153,30 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { { name: "fetch image with 2 signatures", fields: fields{ - verifyFunction: func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { - return []oci.Signature{ - signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - }, - signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 4","key3": "value 5"}}`), - }, - }, true, nil - }, - fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { - return &remote.Descriptor{ - Manifest: []byte("sometext"), - }, nil - }, + verifyFunction: createVerifyFunction([]oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 4","key3": "value 5"}}`), + }, + }, true, nil), + fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), }, args: args{ imageName: 
"docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", }, + wantedFetchArguments: fetchFunctionArguments{ + called: true, + ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: nil, + }, + wantedVerifyArguments: verifyFunctionArguments{ + called: true, + context: context.Background(), + ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: emptyCheckOpts, + }, want: []oci.Signature{ signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), 
@@ -222,112 +190,146 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { { name: "fetch image with no signature", fields: fields{ - verifyFunction: func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { - return []oci.Signature{}, true, fmt.Errorf("no matching signatures 1") - }, - fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { - return &remote.Descriptor{ - Manifest: []byte("sometext"), - }, nil - }, + verifyFunction: createVerifyFunction(nil, true, errors.New("no matching signatures 2")), + fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), }, args: args{ imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", }, - want: nil, - wantErr: true, + wantedFetchArguments: fetchFunctionArguments{ + called: true, + ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: nil, + }, + wantedVerifyArguments: verifyFunctionArguments{ + called: true, + context: context.Background(), + ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: emptyCheckOpts, + }, + want: nil, + wantErr: true, + wantedErr: fmt.Errorf("error verifying signature: %w", errors.New("no matching signatures 2")), }, { // TODO: check again, same as above test. 
should never happen, since the verify function returns an error on empty verified signature list name: "fetch image with no signature and no error", fields: fields{ - verifyFunction: func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { - return []oci.Signature{}, true, fmt.Errorf("no matching signatures 2") - }, - fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { - return &remote.Descriptor{ - Manifest: []byte("sometext"), - }, nil - }, + verifyFunction: createVerifyFunction(nil, true, nil), + fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), }, args: args{ imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", }, - want: nil, - wantErr: true, + wantedFetchArguments: fetchFunctionArguments{ + called: true, + ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: nil, + }, + wantedVerifyArguments: verifyFunctionArguments{ + called: true, + context: context.Background(), + ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: emptyCheckOpts, + }, + want: nil, + wantErr: false, + wantedErr: nil, }, { name: "fetch image with signature and error", fields: fields{ - verifyFunction: func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { - return []oci.Signature{ - signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - }, - }, true, errors.New("some 
error") - }, - fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { - return &remote.Descriptor{ - Manifest: []byte("sometext"), - }, nil - }, + verifyFunction: createVerifyFunction([]oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + }, true, errors.New("unexpected error")), + fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), }, args: args{ - imageName: "docker-registry.com/some/image02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2", + imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", }, - want: nil, - wantErr: true, + wantedFetchArguments: fetchFunctionArguments{ + called: true, + ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: nil, + }, + wantedVerifyArguments: verifyFunctionArguments{ + called: true, + context: context.Background(), + ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: emptyCheckOpts, + }, + want: nil, + wantErr: true, + wantedErr: fmt.Errorf("error verifying signature: %w", errors.New("unexpected error")), }, { name: "fetch image with signature no error, bundle not verified", fields: fields{ - verifyFunction: func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { - return []oci.Signature{signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": 
{"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - }}, false, nil - }, - fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { - return &remote.Descriptor{ - Manifest: []byte("sometext"), - }, nil - }, + verifyFunction: createVerifyFunction( + []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + }, false, nil), + fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), }, args: args{ imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", }, - want: nil, - wantErr: true, + wantedFetchArguments: fetchFunctionArguments{ + called: true, + ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: nil, + }, + wantedVerifyArguments: verifyFunctionArguments{ + called: true, + context: context.Background(), + ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: emptyCheckOpts, + }, + want: nil, + wantErr: true, + wantedErr: fmt.Errorf("bundle not verified for %q", "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), }, { name: "fetch image with invalid image reference", fields: fields{ - verifyFunction: nil, - fetchImageManifestFunction: nil, + verifyFunction: createNilVerifyFunction(), + fetchImageManifestFunction: createNilFetchFunction(), 
}, args: args{ imageName: "invali|].url.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", }, - want: nil, - wantErr: true, + want: nil, + wantErr: true, + wantedErr: fmt.Errorf("error parsing image reference: %w", errors.New("could not parse reference: invali|].url.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505")), }, { name: "fetch image with signature, empty rekor url", fields: fields{ - verifyFunction: func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { - return []oci.Signature{ + verifyFunction: createVerifyFunction( + []oci.Signature{ signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), }, - }, true, nil - }, - fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { - return &remote.Descriptor{ - Manifest: []byte("sometext"), - }, nil - }, + }, true, nil), + fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), }, args: args{ imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", }, + wantedFetchArguments: fetchFunctionArguments{ + called: true, + ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: nil, + }, + wantedVerifyArguments: verifyFunctionArguments{ + called: true, + context: context.Background(), + ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: emptyCheckOpts, + }, want: []oci.Signature{ signature{ payload: 
[]byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), 
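Review bot: The case `fetch image with no signature and no error` now expects `want: nil` with `wantErr: false` when the verifier stub returns no signatures, `true` and a nil error, so the test pins "success with zero verified signatures" as accepted behaviour of FetchImageSignatures. The TODO kept above it still says this "should never happen", which no longer matches the expectation. If the function is meant to fail closed, the case should expect an error (`wantErr: true` plus a matching `wantedErr`). If pass-through is intended, replace the TODO with a comment such as `// empty result without error is passed through; callers must treat it as unverified`. Whether callers do that is not visible here, and the test table starts outside this hunk.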
@@ -336,38 +338,56 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { wantErr: false, }, { - name: "fetch image with invalid image ref", + name: "fetch image with wrong image hash", fields: fields{ - verifyFunction: nil, - fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { - return &remote.Descriptor{ - Manifest: []byte("sometext"), - }, nil - }, + verifyFunction: createNilVerifyFunction(), + fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), }, args: args{ imageName: "docker-registry.com/some/image@sha256:4fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", }, - want: nil, - wantErr: true, + wantedFetchArguments: fetchFunctionArguments{ + called: true, + ref: name.MustParseReference("docker-registry.com/some/image@sha256:4fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: nil, + }, + wantedVerifyArguments: verifyFunctionArguments{}, + want: nil, + wantErr: true, + wantedErr: fmt.Errorf("could not validate image reference digest: %w", errors.New("digest sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505 does not match sha256:4fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505")), }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { + co := &cosign.CheckOpts{} + emptyCheckOptsFunction := createEmptyCheckOptsFunction(co) + if tt.wantedVerifyArguments.options == emptyCheckOpts { + tt.wantedVerifyArguments.options = emptyCheckOptsFunction(url.URL{}) + } + fetchArguments := fetchFunctionArguments{} + verifyArguments := verifyFunctionArguments{} sigstore := sigstoreImpl{ - verifyFunction: tt.fields.verifyFunction, - fetchImageManifestFunction: tt.fields.fetchImageManifestFunction, + verifyFunction: tt.fields.verifyFunction(t, &verifyArguments), + fetchImageManifestFunction: tt.fields.fetchImageManifestFunction(t, &fetchArguments), sigstorecache: 
NewCache(maximumAmountCache), checkOptsFunction: emptyCheckOptsFunction, } got, err := sigstore.FetchImageSignatures(context.Background(), tt.args.imageName) - if (err != nil) != tt.wantErr { - t.Errorf("sigstoreImpl.FetchImageSignatures() error = %v, wantErr %v", err, tt.wantErr) - return - } - if !reflect.DeepEqual(got, tt.want) { - t.Errorf("sigstoreImpl.FetchImageSignatures() = %v, want %v", got, tt.want) + + if err != nil { + if !tt.wantErr { + t.Errorf("sigstoreImpl.FetchImageSignatures() has error, wantErr %v", tt.wantErr) + } + require.EqualError(t, err, tt.wantedErr.Error(), "sigstoreImpl.FetchImageSignatures() error = %v, wantedErr = %v", err, tt.wantedErr) + } else if tt.wantErr { + t.Errorf("sigstoreImpl.FetchImageSignatures() no error, wantErr = %v, wantedErr %v", tt.wantErr, tt.wantedErr) } + + require.Equal(t, tt.want, got, "sigstoreImpl.FetchImageSignatures() = %v, want %v", got, tt.want) + + require.Equal(t, tt.wantedFetchArguments, fetchArguments, "sigstoreImpl.FetchImageSignatures() fetchArguments = %v, want %v", fetchArguments, tt.wantedFetchArguments) + + require.Equal(t, tt.wantedVerifyArguments, verifyArguments, "sigstoreImpl.FetchImageSignatures() verifyArguments = %v, want %v", verifyArguments, tt.wantedVerifyArguments) }) } } 
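Review bot: In the new assertion block, `require.EqualError(t, err, tt.wantedErr.Error(), ...)` runs even when `tt.wantErr` is false, and those cases leave `wantedErr` nil, so an unexpected error makes the test panic on a nil interface instead of failing with a readable message. The preceding `t.Errorf` does not stop execution and does not print the error it received. Replacing the inner check with `if !tt.wantErr { require.NoError(t, err) }` stops the subtest first and shows the actual error. The same block is repeated in the ValidateImage, AttestContainerSignatures and SetRekorURL loops later in this patch. The test function itself begins outside this hunk.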
@@ -589,57 +609,6 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { } } -type noPayloadSignature signature - -func (noPayloadSignature) Annotations() (map[string]string, error) { - return nil, nil -} - -func (noPayloadSignature) Payload() ([]byte, error) { - return nil, errors.New("no payload test") -} - -func (noPayloadSignature) Base64Signature() (string, error) { - return "", nil -} - -func (s noPayloadSignature) Cert() (*x509.Certificate, error) { - return s.cert, nil -} - -func (noPayloadSignature) Chain() ([]*x509.Certificate, error) { - return nil, nil -} - -func (noPayloadSignature) Bundle() (*bundle.RekorBundle, error) { - return nil, nil -} - -type noBundleSignature signature - -func (noBundleSignature) Annotations() (map[string]string, error) { - return nil, nil -} - -func (s noBundleSignature) Payload() ([]byte, error) { - return s.payload, nil -} - -func (noBundleSignature) Base64Signature() (string, error) { - return "", nil -} - -func (s noBundleSignature) Cert() (*x509.Certificate, error) { - return s.cert, nil -} - -func (noBundleSignature) Chain() ([]*x509.Certificate, error) { - return nil, nil -} - -func (s noBundleSignature) Bundle() (*bundle.RekorBundle, error) { - return nil, fmt.Errorf("no bundle test") -} func Test_certSubject(t *testing.T) { type args struct { c *x509.Certificate 
@@ -1027,80 +996,105 @@ func TestSigstoreimpl_ClearSkipList(t *testing.T) { func TestSigstoreimpl_ValidateImage(t *testing.T) { type fields struct { - verifyFunction func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) - fetchImageManifestFunction func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) + verifyFunction verifyFunctionBinding + fetchImageManifestFunction fetchFunctionBinding skippedImages map[string]bool } type args struct { ref name.Reference } tests := []struct { - name string - fields fields - args args - want bool - wantErr bool + name string + fields fields + args args + wantedFetchArguments fetchFunctionArguments + wantedVerifyArguments verifyFunctionArguments + want bool + wantErr bool + wantedErr error }{ { name: "validate image", fields: fields{ - verifyFunction: nil, - fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { - return &remote.Descriptor{ - Manifest: []byte(`sometext`), - }, nil - }, + verifyFunction: createNilVerifyFunction(), + fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{ + Manifest: []byte(`sometext`), + }, nil), }, args: args{ - ref: func(d name.Digest, err error) name.Digest { return d }(name.NewDigest("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505")), + ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), }, - want: true, - wantErr: false, + wantedFetchArguments: fetchFunctionArguments{ + called: true, + ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: nil, + }, + wantedVerifyArguments: verifyFunctionArguments{}, + want: true, + wantErr: false, }, { name: "error on image manifest fetch", fields: fields{ - verifyFunction: nil, - fetchImageManifestFunction: 
func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { - return nil, errors.New("fetch error") - }, + verifyFunction: createNilVerifyFunction(), + fetchImageManifestFunction: createFetchFunction(nil, errors.New("fetch error 123")), }, args: args{ - ref: func(d name.Digest, err error) name.Digest { return d }(name.NewDigest("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505")), + ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), }, - want: false, - wantErr: true, + wantedFetchArguments: fetchFunctionArguments{ + called: true, + ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: nil, + }, + want: false, + wantErr: true, + wantedErr: errors.New("fetch error 123"), }, { name: "nil image manifest fetch", fields: fields{ - verifyFunction: nil, - fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { - return &remote.Descriptor{ - Manifest: nil, - }, nil - }, + verifyFunction: createNilVerifyFunction(), + fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{ + Manifest: nil, + }, nil), }, args: args{ - ref: func(d name.Digest, err error) name.Digest { return d }(name.NewDigest("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505")), + ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), }, - want: false, - wantErr: true, + wantedFetchArguments: fetchFunctionArguments{ + called: true, + ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: nil, + }, + want: false, + wantErr: true, + wantedErr: errors.New("manifest is empty"), }, } for _, tt := range tests { 
t.Run(tt.name, func(t *testing.T) { + fetchArguments := fetchFunctionArguments{} + verifyArguments := verifyFunctionArguments{} sigstore := &sigstoreImpl{ - verifyFunction: tt.fields.verifyFunction, + verifyFunction: tt.fields.verifyFunction(t, &verifyArguments), + fetchImageManifestFunction: tt.fields.fetchImageManifestFunction(t, &fetchArguments), skippedImages: tt.fields.skippedImages, - fetchImageManifestFunction: tt.fields.fetchImageManifestFunction, } got, err := sigstore.ValidateImage(tt.args.ref) - if (err != nil) != tt.wantErr { - t.Errorf("sigstoreImpl.ValidateImage() error = %v, wantErr %v", err, tt.wantErr) - return + + if err != nil { + if !tt.wantErr { + t.Errorf("sigstoreImpl.ValidateImage() has error, wantErr %v", tt.wantErr) + } + require.EqualError(t, err, tt.wantedErr.Error(), "sigstoreImpl.ValidateImage() error = %v, wantedErr = %v", err, tt.wantedErr) + } else if tt.wantErr { + t.Errorf("sigstoreImpl.ValidateImage() no error, wantErr = %v, wantedErr %v", tt.wantErr, tt.wantedErr) } - require.Equal(t, got, tt.want, "sigstoreImpl.ValidateImage() = %v, want %v", got, tt.want) + + require.Equal(t, tt.want, got, "sigstoreImpl.ValidateImage() = %v, want %v", got, tt.want) + require.Equal(t, tt.wantedFetchArguments, fetchArguments, "sigstoreImpl.ValidateImage() fetchArguments = %v, want %v", fetchArguments, tt.wantedFetchArguments) + require.Equal(t, tt.wantedVerifyArguments, verifyArguments, "sigstoreImpl.ValidateImage() verifyArguments = %v, want %v", verifyArguments, tt.wantedVerifyArguments) }) } } @@ -1220,6 +1214,20 @@ func TestSigstoreimpl_ClearAllowedSubjects(t *testing.T) { }, want: nil, }, + { + name: "clear empty map", + fields: fields{ + subjectAllowList: map[string]bool{}, + }, + want: nil, + }, + { + name: "clear nil map", + fields: fields{ + subjectAllowList: nil, + }, + want: nil, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { 
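Review bot: The table in TestSigstoreimpl_ValidateImage has no case where the fetched manifest hashes to a digest different from the one in `ref`; its three cases cover a matching manifest, a fetch error and an empty manifest. The mismatch branch is the one that guards against a substituted image, and in this patch it is only exercised indirectly by `fetch image with wrong image hash` in the FetchImageSignatures test. A constructed case such as `fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{Manifest: []byte("othertext")}, nil)` with `want: false`, `wantErr: true` and the expected mismatch error would pin it here as well. This assumes ValidateImage is where the digest comparison happens, which the hunk does not show.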
@@ -1552,58 +1560,59 @@ func Test_getBundleSignatureContent(t *testing.T) { func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { type fields struct { - verifyFunction func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) - fetchImageManifestFunction func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) + verifyFunction verifyFunctionBinding + fetchImageManifestFunction fetchFunctionBinding skippedImages map[string]bool rekorURL url.URL } - emptyCheckOptsFunction := func(url.URL) *cosign.CheckOpts { - co := &cosign.CheckOpts{} - co.RekorClient = new(rekor.Rekor) - rootCert, _, _ := GenerateRootCa() - rootPool := x509.NewCertPool() - rootPool.AddCert(rootCert) - co.RootCerts = rootPool - - return co - } + emptyCheckOpts := &cosign.CheckOpts{} tests := []struct { - name string - fields fields - status corev1.ContainerStatus - want []string - wantErr bool + name string + fields fields + status corev1.ContainerStatus + wantedFetchArguments fetchFunctionArguments + wantedVerifyArguments verifyFunctionArguments + want []string + wantErr bool + wantedErr error }{ { name: "Attest image with signature", fields: fields{ - verifyFunction: func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { - return []oci.Signature{ - signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", - LogID: "samplelogID", 
- IntegratedTime: 12345, - }, + verifyFunction: createVerifyFunction([]oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, }, }, - }, true, nil - }, - fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { - return &remote.Descriptor{ - Manifest: []byte("sometext"), - }, nil - }, + }, + }, true, nil), + fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{ + Manifest: []byte("sometext"), + }, nil), }, status: corev1.ContainerStatus{ Image: "spire-agent-sigstore-1", ImageID: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", ContainerID: "000000", }, + wantedFetchArguments: fetchFunctionArguments{ + called: true, + ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: nil, + }, + wantedVerifyArguments: verifyFunctionArguments{ + called: true, + context: context.Background(), + ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: emptyCheckOpts, + }, want: []string{ "000000:image-signature-subject:spirex@example.com", "000000:image-signature-content:MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", 
"000000:image-signature-logid:samplelogID", "000000:image-signature-integrated-time:12345", "sigstore-validation:passed", }, @@ -1612,14 +1621,10 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { { name: "Attest skipped image", fields: fields{ - verifyFunction: func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { - return nil, true, nil - }, - fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { - return &remote.Descriptor{ - Manifest: []byte("sometext"), - }, nil - }, + verifyFunction: createNilVerifyFunction(), + fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{ + Manifest: []byte("sometext"), + }, nil), skippedImages: map[string]bool{ "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505": true, }, 
@@ -1637,29 +1642,44 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { { name: "Attest image with no signature", fields: fields{ - verifyFunction: func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { - return nil, true, fmt.Errorf("no signature found") - }, - fetchImageManifestFunction: func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { - return &remote.Descriptor{ - Manifest: []byte("sometext"), - }, nil - }, + verifyFunction: createVerifyFunction(nil, true, fmt.Errorf("no signature found")), + fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{ + Manifest: []byte("sometext"), + }, nil), }, status: corev1.ContainerStatus{ Image: "spire-agent-sigstore-3", ImageID: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", ContainerID: "222222", }, - want: nil, - wantErr: true, + wantedFetchArguments: fetchFunctionArguments{ + called: true, + ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: nil, + }, + wantedVerifyArguments: verifyFunctionArguments{ + called: true, + context: context.Background(), + ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: emptyCheckOpts, + }, + want: nil, + wantErr: true, + wantedErr: fmt.Errorf("error verifying signature: %w", errors.New("no signature found")), }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { + co := &cosign.CheckOpts{} + emptyCheckOptsFunction := createEmptyCheckOptsFunction(co) + if tt.wantedVerifyArguments.options == emptyCheckOpts { + tt.wantedVerifyArguments.options = emptyCheckOptsFunction(url.URL{}) + } + fetchArguments := fetchFunctionArguments{} + verifyArguments := verifyFunctionArguments{} sigstore := &sigstoreImpl{ - verifyFunction: 
tt.fields.verifyFunction, - fetchImageManifestFunction: tt.fields.fetchImageManifestFunction, + verifyFunction: tt.fields.verifyFunction(t, &verifyArguments), + fetchImageManifestFunction: tt.fields.fetchImageManifestFunction(t, &fetchArguments), skippedImages: tt.fields.skippedImages, rekorURL: tt.fields.rekorURL, sigstorecache: NewCache(maximumAmountCache), @@ -1667,11 +1687,19 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { logger: hclog.Default(), } got, err := sigstore.AttestContainerSignatures(context.Background(), &tt.status) - if (err != nil) != tt.wantErr { - t.Errorf("sigstoreImpl.AttestContainerSignatures() error = %v, wantErr %v", err, tt.wantErr) - return + + if err != nil { + if !tt.wantErr { + t.Errorf("sigstoreImpl.AttestContainerSignatures() has error, wantErr %v", tt.wantErr) + } + require.EqualError(t, err, tt.wantedErr.Error(), "sigstoreImpl.AttestContainerSignatures() error = %v, wantedErr = %v", err, tt.wantedErr) + } else if tt.wantErr { + t.Errorf("sigstoreImpl.AttestContainerSignatures() no error, wantErr = %v, wantedErr %v", tt.wantErr, tt.wantedErr) } - require.Equal(t, got, tt.want, "sigstoreImpl.AttestContainerSignatures() = %v, want %v", got, tt.want) + + require.Equal(t, tt.want, got, "sigstoreImpl.AttestContainerSignatures() = %v, want %v", got, tt.want) + require.Equal(t, tt.wantedFetchArguments, fetchArguments, "sigstoreImpl.AttestContainerSignatures() fetchArguments = %v, wantedFetchArguments = %v", fetchArguments, tt.wantedFetchArguments) + require.Equal(t, tt.wantedVerifyArguments, verifyArguments, "sigstoreImpl.AttestContainerSignatures() verifyArguments = %v, wantedVerifyArguments = %v", verifyArguments, tt.wantedVerifyArguments) }) } } 
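Review bot: The expected verify options are produced by calling `emptyCheckOptsFunction(url.URL{})`, so the `options` assertion can only show that the value returned by the check-opts function reaches the verifier unchanged; it cannot detect whether `tt.fields.rekorURL` is passed to that function, because the expectation always uses an empty URL. If `createEmptyCheckOptsFunction` ignores its argument (not visible here), a case with a non-empty `rekorURL` would still pass whatever the code does with it. The pointer comparison `tt.wantedVerifyArguments.options == emptyCheckOpts` also deserves a comment, for example `// emptyCheckOpts is a placeholder; swap in the options the stub factory returns`. The same pattern appears in the FetchImageSignatures loop earlier in the patch.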
@@ -1684,11 +1712,12 @@ func TestSigstoreimpl_SetRekorURL(t *testing.T) { rekorURL string } tests := []struct { - name string - fields fields - args args - want url.URL - wantErr bool + name string + fields fields + args args + want url.URL + wantErr bool + wantedErr error }{ { name: "SetRekorURL", @@ -1719,7 +1748,8 @@ func TestSigstoreimpl_SetRekorURL(t *testing.T) { Scheme: "https", Host: "non.empty.url", }, - wantErr: true, + wantErr: true, + wantedErr: fmt.Errorf("rekor URL is empty"), }, { name: "SetRekorURL with invalid URL", @@ -1729,8 +1759,9 @@ func TestSigstoreimpl_SetRekorURL(t *testing.T) { args: args{ rekorURL: "http://invalid.{{}))}.url.com", // invalid url }, - want: url.URL{}, - wantErr: true, + want: url.URL{}, + wantErr: true, + wantedErr: fmt.Errorf("failed parsing rekor URI: parse %q: invalid character %q in host name", "http://invalid.{{}))}.url.com", "{"), }, { name: "SetRekorURL with empty host url", @@ -1740,8 +1771,9 @@ func TestSigstoreimpl_SetRekorURL(t *testing.T) { args: args{ rekorURL: "path-no-host", // URI parser uses this as path, not host }, - want: url.URL{}, - wantErr: true, + want: url.URL{}, + wantErr: true, + wantedErr: fmt.Errorf("host is required on rekor URL"), }, { name: "SetRekorURL with invalid URL scheme", @@ -1751,8 +1783,9 @@ func TestSigstoreimpl_SetRekorURL(t *testing.T) { args: args{ rekorURL: "abc://invalid.url.com", // invalid scheme }, - want: url.URL{}, - wantErr: true, + want: url.URL{}, + wantErr: true, + wantedErr: fmt.Errorf("invalid rekor URL Scheme %q", "abc"), }, } for _, tt := range tests { 
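Review bot: The `SetRekorURL with invalid URL` case hard-codes the URL parser's own wording (`parse %q: invalid character %q in host name`) in `wantedErr`, so a toolchain upgrade that rewords that message fails the test without any change in this package. The same applies to the `could not parse reference: ...` text expected for the invalid image reference in the FetchImageSignatures table. Asserting only the part this code controls, for example `require.ErrorContains(t, err, "failed parsing rekor URI")`, keeps the check stable. The constant-message cases (`rekor URL is empty`, `host is required on rekor URL`) would read more plainly with `errors.New` than `fmt.Errorf`.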
@@ -1760,36 +1793,145 @@ func TestSigstoreimpl_SetRekorURL(t *testing.T) { sigstore := &sigstoreImpl{ rekorURL: tt.fields.rekorURL, } - if err := sigstore.SetRekorURL(tt.args.rekorURL); (err != nil) != tt.wantErr { - t.Errorf("sigstoreImpl.SetRekorURL() error = %v, wantErr %v", err, tt.wantErr) + err := sigstore.SetRekorURL(tt.args.rekorURL) + if err != nil { + if !tt.wantErr { + t.Errorf("sigstoreImpl.SetRekorURL() has error, wantErr %v", tt.wantErr) + } + require.EqualError(t, err, tt.wantedErr.Error(), "sigstoreImpl.SetRekorURL() error = %v, wantedErr = %v", err, tt.wantedErr) + } else if tt.wantErr { + t.Errorf("sigstoreImpl.SetRekorURL() no error, wantErr = %v, wantedErr %v", tt.wantErr, tt.wantedErr) } require.Equal(t, sigstore.rekorURL, tt.want, "sigstoreImpl.SetRekorURL() = %v, want %v", sigstore.rekorURL, tt.want) }) } } -type noCertSignature signature +type signature struct { + oci.Signature -func (noCertSignature) Annotations() (map[string]string, error) { - return nil, nil + payload []byte + cert *x509.Certificate + bundle *bundle.RekorBundle } -func (s noCertSignature) Payload() ([]byte, error) { +func (s signature) Payload() ([]byte, error) { + return s.payload, nil +} + +func (s signature) Cert() (*x509.Certificate, error) { + return s.cert, nil +} + +func (s signature) Bundle() (*bundle.RekorBundle, error) { + return s.bundle, nil +} + +type noPayloadSignature signature + +func (noPayloadSignature) Payload() ([]byte, error) { + return nil, errors.New("no payload test") +} + +type noBundleSignature signature + +func (s noBundleSignature) Payload() ([]byte, error) { return s.payload, nil } -func (noCertSignature) Base64Signature() (string, error) { - return "", nil +func (s noBundleSignature) Cert() (*x509.Certificate, error) { + return s.cert, nil +} + +func (s noBundleSignature) Bundle() (*bundle.RekorBundle, error) { + return nil, fmt.Errorf("no bundle test") +} + +type noCertSignature signature + +func (s noCertSignature) Payload() ([]byte, error) 
{ + return s.payload, nil } func (noCertSignature) Cert() (*x509.Certificate, error) { return nil, errors.New("no cert test") } -func (noCertSignature) Chain() ([]*x509.Certificate, error) { - return nil, nil +type verifyFunctionArguments struct { + called bool + context context.Context + ref name.Reference + options *cosign.CheckOpts +} +type verifyFunction func(context.Context, name.Reference, *cosign.CheckOpts) ([]oci.Signature, bool, error) +type verifyFunctionBinding func(require.TestingT, *verifyFunctionArguments) verifyFunction + +func createVerifyFunction(returnSignatures []oci.Signature, returnBundleVerified bool, returnError error) verifyFunctionBinding { + bindVerifyArgumentsFunction := func(t require.TestingT, verifyArguments *verifyFunctionArguments) verifyFunction { + newVerifyFunction := func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { + verifyArguments.called = true + verifyArguments.context = context + verifyArguments.ref = ref + verifyArguments.options = co + return returnSignatures, returnBundleVerified, returnError + } + return newVerifyFunction + } + return bindVerifyArgumentsFunction +} + +func createNilVerifyFunction() verifyFunctionBinding { + bindVerifyArgumentsFunction := func(t require.TestingT, verifyArguments *verifyFunctionArguments) verifyFunction { + failFunction := func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { + require.FailNow(t, "nil verify function should not be called") + return nil, false, nil + } + return failFunction + } + return bindVerifyArgumentsFunction +} + +type fetchFunctionArguments struct { + called bool + ref name.Reference + options []remote.Option +} +type fetchFunction func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) +type fetchFunctionBinding func(require.TestingT, *fetchFunctionArguments) fetchFunction + +func createFetchFunction(returnDescriptor *remote.Descriptor, 
returnError error) fetchFunctionBinding { + bindFetchArgumentsFunction := func(t require.TestingT, fetchArguments *fetchFunctionArguments) fetchFunction { + newFetchFunction := func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { + fetchArguments.called = true + fetchArguments.ref = ref + fetchArguments.options = options + return returnDescriptor, returnError + } + return newFetchFunction + } + return bindFetchArgumentsFunction +} + +func createNilFetchFunction() fetchFunctionBinding { + bindFetchArgumentsFunction := func(t require.TestingT, fetchArguments *fetchFunctionArguments) fetchFunction { + failFunction := func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { + require.FailNow(t, "nil fetch function should not be called") + return nil, nil + } + return failFunction + } + return bindFetchArgumentsFunction } -func (noCertSignature) Bundle() (*bundle.RekorBundle, error) { - return nil, nil +func createEmptyCheckOptsFunction(co *cosign.CheckOpts) func(url.URL) *cosign.CheckOpts { + emptyCheckOptsFunction := func(url.URL) *cosign.CheckOpts { + co.RekorClient = new(rekor.Rekor) + rootCert, _, _ := GenerateRootCa() + rootPool := x509.NewCertPool() + rootPool.AddCert(rootCert) + co.RootCerts = rootPool + + return co + } + return emptyCheckOptsFunction } From e022699da5f710975b239b350a6ecda24b30262c Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Thu, 22 Sep 2022 11:40:28 -0300 Subject: [PATCH 115/257] Refactor hook struct (#122) * refactor: refactored external function hooks into single field Signed-off-by: Rodrigo Lopes * tests: added checkOpts argument checking to TestSigstoreimpl_FetchImageSignatures refactor: moved functions to hook struct in TestSigstoreimpl_FetchImageSignatures Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes Signed-off-by: Willian Alves 
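Review bot: `createEmptyCheckOptsFunction`, at the end of the `@@ -1760,36 +1793,145 @@` hunk, discards both the key and the error from `GenerateRootCa()` (`rootCert, _, _ := GenerateRootCa()`). A failed generation therefore hands a nil certificate to `rootPool.AddCert`, which panics inside whichever test first calls the hook rather than failing with the cause. Generate the root once when the helper is built and fail there, e.g. accept a `require.TestingT` and use `rootCert, _, err := GenerateRootCa()` followed by `require.NoError(t, err)`; callers outside this hunk would need the extra argument. The closure also overwrites `RekorClient` and `RootCerts` on the caller's `co` at every call, which deserves a comment such as `// mutates and returns the caller's co`.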
Signed-off-by: Matheus Santos --- .../workloadattestor/k8s/sigstore/sigstore.go | 42 ++- .../k8s/sigstore/sigstore_test.go | 350 ++++++++++++------ 2 files changed, 265 insertions(+), 127 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 2dc54d8bb5..755768e8cf 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -72,9 +72,11 @@ type SelectorsFromSignatures struct { func New(cache Cache, logger hclog.Logger) Sigstore { return &sigstoreImpl{ - verifyFunction: cosign.VerifyImageSignatures, - fetchImageManifestFunction: remote.Get, - checkOptsFunction: DefaultCheckOpts, + functionHooks: sigstoreFunctionHooks{ + verifyFunction: cosign.VerifyImageSignatures, + fetchImageManifestFunction: remote.Get, + checkOptsFunction: DefaultCheckOpts, + }, rekorURL: url.URL{ Scheme: rekor.DefaultSchemes[0], @@ -98,15 +100,13 @@ func DefaultCheckOpts(rekorURL url.URL) *cosign.CheckOpts { } type sigstoreImpl struct { - verifyFunction func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) - fetchImageManifestFunction func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) - skippedImages map[string]bool - allowListEnabled bool - subjectAllowList map[string]bool - rekorURL url.URL - checkOptsFunction func(url.URL) *cosign.CheckOpts - logger hclog.Logger - sigstorecache Cache + functionHooks sigstoreFunctionHooks + skippedImages map[string]bool + allowListEnabled bool + subjectAllowList map[string]bool + rekorURL url.URL + logger hclog.Logger + sigstorecache Cache } func (s *sigstoreImpl) SetLogger(logger hclog.Logger) { 
@@ -125,8 +125,8 @@ func (s *sigstoreImpl) FetchImageSignatures(ctx context.Context, imageName strin return nil, fmt.Errorf("could not validate image reference digest: %w", err) } - co := s.checkOptsFunction(s.rekorURL) - sigs, ok, err := s.verifyFunction(ctx, ref, co) + co := s.functionHooks.checkOptsFunction(s.rekorURL) + sigs, ok, err := s.functionHooks.verifyFunction(ctx, ref, co) if err != nil { return nil, fmt.Errorf("error verifying signature: %w", err) } @@ -233,7 +233,7 @@ func (s *sigstoreImpl) ValidateImage(ref name.Reference) (bool, error) { if !ok { return false, fmt.Errorf("reference %T is not a digest", ref) } - desc, err := s.fetchImageManifestFunction(dgst) + desc, err := s.functionHooks.fetchImageManifestFunction(dgst) if err != nil { return false, err } @@ -413,3 +413,15 @@ func validateRefDigest(dgst name.Digest, digest string) (bool, error) { } return false, fmt.Errorf("digest %s does not match %s", digest, dgst.DigestStr()) } + +type verifyFunctionType func(context.Context, name.Reference, *cosign.CheckOpts) ([]oci.Signature, bool, error) + +type fetchImageManifestFunctionType func(name.Reference, ...remote.Option) (*remote.Descriptor, error) + +type checkOptsFunctionType func(url.URL) *cosign.CheckOpts + +type sigstoreFunctionHooks struct { + verifyFunction verifyFunctionType + fetchImageManifestFunction fetchImageManifestFunctionType + checkOptsFunction checkOptsFunctionType +} diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index fdce015bbc..9931e5e02e 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go 
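Review bot: The three hook types and `sigstoreFunctionHooks` added at the end of sigstore.go carry no comments, although `verifyFunction` is the call whose result decides whether an image's signatures are accepted. Every field is also invoked unguarded (`s.functionHooks.verifyFunction(ctx, ref, co)`, `s.functionHooks.fetchImageManifestFunction(dgst)`). Document the struct, for example `// sigstoreFunctionHooks holds the external calls sigstoreImpl makes so tests can substitute them; New sets all three, and a nil field panics at its call site.` A one-line comment on each type naming the production value that New assigns (`cosign.VerifyImageSignatures`, `remote.Get`, `DefaultCheckOpts`) would make clear which hook carries the verification result.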
@@ -66,28 +66,30 @@ func GenerateRootCa() (*x509.Certificate, *ecdsa.PrivateKey, error) { func TestNew(t *testing.T) { newcache := NewCache(maximumAmountCache) want := &sigstoreImpl{ - verifyFunction: cosign.VerifyImageSignatures, - fetchImageManifestFunction: remote.Get, - skippedImages: nil, - allowListEnabled: false, - subjectAllowList: nil, - rekorURL: url.URL{Scheme: rekor.DefaultSchemes[0], Host: rekor.DefaultHost, Path: rekor.DefaultBasePath}, - sigstorecache: newcache, - checkOptsFunction: DefaultCheckOpts, - logger: nil, + functionHooks: sigstoreFunctionHooks{ + verifyFunction: cosign.VerifyImageSignatures, + fetchImageManifestFunction: remote.Get, + checkOptsFunction: DefaultCheckOpts, + }, + skippedImages: nil, + allowListEnabled: false, + subjectAllowList: nil, + rekorURL: url.URL{Scheme: rekor.DefaultSchemes[0], Host: rekor.DefaultHost, Path: rekor.DefaultBasePath}, + sigstorecache: newcache, + logger: nil, } sigstore := New(newcache, nil) if sigImpObj, ok := sigstore.(*sigstoreImpl); !ok { t.Errorf("object type does not match") } else { // test each field manually since require.Equal does not work on function pointers - if &(sigImpObj.verifyFunction) == &(want.verifyFunction) { + if &(sigImpObj.functionHooks.verifyFunction) == &(want.functionHooks.verifyFunction) { t.Errorf("verify functions do not match") } - if &(sigImpObj.fetchImageManifestFunction) == &(want.fetchImageManifestFunction) { + if &(sigImpObj.functionHooks.fetchImageManifestFunction) == &(want.functionHooks.fetchImageManifestFunction) { t.Errorf("fetchImageManifest functions do not match") } - if &(sigImpObj.checkOptsFunction) == &(want.checkOptsFunction) { + if &(sigImpObj.functionHooks.checkOptsFunction) == &(want.functionHooks.checkOptsFunction) { t.Errorf("checkOptsFunction functions do not match") } require.Equal(t, want.skippedImages, sigImpObj.skippedImages, "skippedImages array is not empty") 
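Review bot: The three function checks in TestNew compare the addresses of fields in two different structs (`&(sigImpObj.functionHooks.verifyFunction) == &(want.functionHooks.verifyFunction)`), which are never equal. The `t.Errorf` calls therefore cannot fire, and the test does not confirm that New wires in `cosign.VerifyImageSignatures`, `remote.Get` or `DefaultCheckOpts`. The condition is also inverted, reporting "do not match" when the operands are equal. Compare code pointers instead, e.g. `if reflect.ValueOf(sigImpObj.functionHooks.verifyFunction).Pointer() != reflect.ValueOf(want.functionHooks.verifyFunction).Pointer() {`, and likewise for the other two hooks; that is adequate for top-level functions. The comparison pre-dates this commit but is carried onto the new `functionHooks` lines unchanged.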
@@ -99,35 +101,48 @@ func TestNew(t *testing.T) { } } +type sigstoreFunctionBindings struct { + verifyBinding verifyFunctionBinding + fetchBinding fetchFunctionBinding + checkOptsBinding checkOptsFunctionBinding +} + func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { type fields struct { - verifyFunction verifyFunctionBinding - fetchImageManifestFunction fetchFunctionBinding + functionBindings sigstoreFunctionBindings + rekorURL url.URL } type args struct { imageName string } - emptyCheckOpts := &cosign.CheckOpts{} + + defaultCheckOpts := DefaultCheckOpts(rekorDefaultUrl()) + emptyURLCheckOpts := DefaultCheckOpts(url.URL{}) tests := []struct { - name string - fields fields - args args - wantedFetchArguments fetchFunctionArguments - wantedVerifyArguments verifyFunctionArguments - want []oci.Signature - wantErr bool - wantedErr error + name string + fields fields + args args + wantedFetchArguments fetchFunctionArguments + wantedVerifyArguments verifyFunctionArguments + wantedCheckOptsArguments checkOptsFunctionArguments + want []oci.Signature + wantErr bool + wantedErr error }{ { name: "fetch image with signature", fields: fields{ - verifyFunction: createVerifyFunction([]oci.Signature{ - signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - }, - }, true, nil), - fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), + functionBindings: sigstoreFunctionBindings{ + verifyBinding: createVerifyFunction([]oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some 
type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + }, true, nil), + fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), + checkOptsBinding: createCheckOptsFunction(defaultCheckOpts), + }, + rekorURL: rekorDefaultUrl(), }, args: args{ imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", @@ -141,7 +156,11 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { called: true, context: context.Background(), ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), - options: emptyCheckOpts, + options: defaultCheckOpts, + }, + wantedCheckOptsArguments: checkOptsFunctionArguments{ + called: true, + url: rekorDefaultUrl(), }, want: []oci.Signature{ signature{ 
@@ -153,15 +172,19 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { { name: "fetch image with 2 signatures", fields: fields{ - verifyFunction: createVerifyFunction([]oci.Signature{ - signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - }, - signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 4","key3": "value 5"}}`), - }, - }, true, nil), - fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), + functionBindings: sigstoreFunctionBindings{ + verifyBinding: createVerifyFunction([]oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 4","key3": "value 5"}}`), + }, + }, true, nil), + fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), + checkOptsBinding: createCheckOptsFunction(defaultCheckOpts), + }, + rekorURL: rekorDefaultUrl(), }, args: args{ imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", 
@@ -175,7 +198,11 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { called: true, context: context.Background(), ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), - options: emptyCheckOpts, + options: defaultCheckOpts, + }, + wantedCheckOptsArguments: checkOptsFunctionArguments{ + called: true, + url: rekorDefaultUrl(), }, want: []oci.Signature{ signature{ @@ -190,8 +217,12 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { { name: "fetch image with no signature", fields: fields{ - verifyFunction: createVerifyFunction(nil, true, errors.New("no matching signatures 2")), - fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), + functionBindings: sigstoreFunctionBindings{ + verifyBinding: createVerifyFunction(nil, true, errors.New("no matching signatures 2")), + fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), + checkOptsBinding: createCheckOptsFunction(defaultCheckOpts), + }, + rekorURL: rekorDefaultUrl(), }, args: args{ imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", @@ -205,7 +236,11 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { called: true, context: context.Background(), ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), - options: emptyCheckOpts, + options: defaultCheckOpts, + }, + wantedCheckOptsArguments: checkOptsFunctionArguments{ + called: true, + url: rekorDefaultUrl(), }, want: nil, wantErr: true, 
@@ -214,8 +249,12 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { { // TODO: check again, same as above test. should never happen, since the verify function returns an error on empty verified signature list name: "fetch image with no signature and no error", fields: fields{ - verifyFunction: createVerifyFunction(nil, true, nil), - fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), + functionBindings: sigstoreFunctionBindings{ + verifyBinding: createVerifyFunction(nil, true, nil), + fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), + checkOptsBinding: createCheckOptsFunction(defaultCheckOpts), + }, + rekorURL: rekorDefaultUrl(), }, args: args{ imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", @@ -229,7 +268,11 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { called: true, context: context.Background(), ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), - options: emptyCheckOpts, + options: defaultCheckOpts, + }, + wantedCheckOptsArguments: checkOptsFunctionArguments{ + called: true, + url: rekorDefaultUrl(), }, want: nil, wantErr: false, 
@@ -238,12 +281,16 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { { name: "fetch image with signature and error", fields: fields{ - verifyFunction: createVerifyFunction([]oci.Signature{ - signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - }, - }, true, errors.New("unexpected error")), - fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), + functionBindings: sigstoreFunctionBindings{ + verifyBinding: createVerifyFunction([]oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + }, true, errors.New("unexpected error")), + fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), + checkOptsBinding: createCheckOptsFunction(defaultCheckOpts), + }, + rekorURL: rekorDefaultUrl(), }, args: args{ imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", @@ -257,7 +304,11 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { called: true, context: context.Background(), ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), - options: emptyCheckOpts, + options: defaultCheckOpts, + }, + wantedCheckOptsArguments: checkOptsFunctionArguments{ + called: true, + url: rekorDefaultUrl(), }, want: nil, wantErr: true, 
@@ -266,13 +317,16 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { { name: "fetch image with signature no error, bundle not verified", fields: fields{ - verifyFunction: createVerifyFunction( - []oci.Signature{ + functionBindings: sigstoreFunctionBindings{ + verifyBinding: createVerifyFunction([]oci.Signature{ signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), }, }, false, nil), - fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), + fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), + checkOptsBinding: createCheckOptsFunction(defaultCheckOpts), + }, + rekorURL: rekorDefaultUrl(), }, args: args{ imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", @@ -286,7 +340,11 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { called: true, context: context.Background(), ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), - options: emptyCheckOpts, + options: defaultCheckOpts, + }, + wantedCheckOptsArguments: checkOptsFunctionArguments{ + called: true, + url: rekorDefaultUrl(), }, want: nil, wantErr: true, 
@@ -295,8 +353,12 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { { name: "fetch image with invalid image reference", fields: fields{ - verifyFunction: createNilVerifyFunction(), - fetchImageManifestFunction: createNilFetchFunction(), + functionBindings: sigstoreFunctionBindings{ + verifyBinding: createNilVerifyFunction(), + fetchBinding: createNilFetchFunction(), + checkOptsBinding: createNilCheckOptsFunction(), + }, + rekorURL: rekorDefaultUrl(), }, args: args{ imageName: "invali|].url.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", 
@@ -308,13 +370,17 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { { name: "fetch image with signature, empty rekor url", fields: fields{ - verifyFunction: createVerifyFunction( - []oci.Signature{ - signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - }, - }, true, nil), - fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), + functionBindings: sigstoreFunctionBindings{ + verifyBinding: createVerifyFunction( + []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + }, true, nil), + fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), + checkOptsBinding: createCheckOptsFunction(emptyURLCheckOpts), + }, + rekorURL: url.URL{}, }, args: args{ imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", @@ -328,7 +394,11 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { called: true, context: context.Background(), ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), - options: emptyCheckOpts, + options: emptyURLCheckOpts, + }, + wantedCheckOptsArguments: checkOptsFunctionArguments{ + called: true, + url: url.URL{}, }, want: []oci.Signature{ signature{ 
@@ -340,8 +410,12 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { { name: "fetch image with wrong image hash", fields: fields{ - verifyFunction: createNilVerifyFunction(), - fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), + functionBindings: sigstoreFunctionBindings{ + verifyBinding: createNilVerifyFunction(), + fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), + checkOptsBinding: createNilCheckOptsFunction(), + }, + rekorURL: rekorDefaultUrl(), }, args: args{ imageName: "docker-registry.com/some/image@sha256:4fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", 
@@ -351,26 +425,27 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { ref: name.MustParseReference("docker-registry.com/some/image@sha256:4fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, }, - wantedVerifyArguments: verifyFunctionArguments{}, - want: nil, - wantErr: true, - wantedErr: fmt.Errorf("could not validate image reference digest: %w", errors.New("digest sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505 does not match sha256:4fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505")), + wantedVerifyArguments: verifyFunctionArguments{}, + wantedCheckOptsArguments: checkOptsFunctionArguments{}, + want: nil, + wantErr: true, + wantedErr: fmt.Errorf("could not validate image reference digest: %w", errors.New("digest sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505 does not match sha256:4fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505")), }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - co := &cosign.CheckOpts{} - emptyCheckOptsFunction := createEmptyCheckOptsFunction(co) - if tt.wantedVerifyArguments.options == emptyCheckOpts { - tt.wantedVerifyArguments.options = emptyCheckOptsFunction(url.URL{}) - } - fetchArguments := fetchFunctionArguments{} - verifyArguments := verifyFunctionArguments{} + + fetchArguments := &fetchFunctionArguments{} + verifyArguments := &verifyFunctionArguments{} + checkOptsArguments := &checkOptsFunctionArguments{} sigstore := sigstoreImpl{ - verifyFunction: tt.fields.verifyFunction(t, &verifyArguments), - fetchImageManifestFunction: tt.fields.fetchImageManifestFunction(t, &fetchArguments), - sigstorecache: NewCache(maximumAmountCache), - checkOptsFunction: emptyCheckOptsFunction, + functionHooks: sigstoreFunctionHooks{ + verifyFunction: tt.fields.functionBindings.verifyBinding(t, verifyArguments), + fetchImageManifestFunction: tt.fields.functionBindings.fetchBinding(t, fetchArguments), + checkOptsFunction: 
tt.fields.functionBindings.checkOptsBinding(t, checkOptsArguments), + }, + sigstorecache: NewCache(maximumAmountCache), + rekorURL: tt.fields.rekorURL, } got, err := sigstore.FetchImageSignatures(context.Background(), tt.args.imageName) @@ -385,9 +460,12 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { require.Equal(t, tt.want, got, "sigstoreImpl.FetchImageSignatures() = %v, want %v", got, tt.want) - require.Equal(t, tt.wantedFetchArguments, fetchArguments, "sigstoreImpl.FetchImageSignatures() fetchArguments = %v, want %v", fetchArguments, tt.wantedFetchArguments) + require.Equal(t, tt.wantedFetchArguments, *fetchArguments, "sigstoreImpl.FetchImageSignatures() fetchArguments = %v, want %v", *fetchArguments, tt.wantedFetchArguments) + + require.Equal(t, tt.wantedCheckOptsArguments, *checkOptsArguments, "sigstoreImpl.FetchImageSignatures() checkOptsArguments = %v, want %v", *checkOptsArguments, tt.wantedCheckOptsArguments) + + require.Equal(t, tt.wantedVerifyArguments, *verifyArguments, "sigstoreImpl.FetchImageSignatures() verifyArguments = %v, want %v", *verifyArguments, tt.wantedVerifyArguments) - require.Equal(t, tt.wantedVerifyArguments, verifyArguments, "sigstoreImpl.FetchImageSignatures() verifyArguments = %v, want %v", verifyArguments, tt.wantedVerifyArguments) }) } } @@ -600,8 +678,10 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { s := sigstoreImpl{ - verifyFunction: tt.fields.verifyFunction, - logger: hclog.Default(), + functionHooks: sigstoreFunctionHooks{ + verifyFunction: tt.fields.verifyFunction, + }, + logger: hclog.Default(), } got := s.ExtractSelectorsFromSignatures(tt.args.signatures, tt.containerID) require.Equal(t, got, tt.want, "sigstoreImpl.ExtractSelectorsFromSignatures() = %v, want %v", got, tt.want) 
@@ -915,9 +995,11 @@ func TestSigstoreimpl_AddSkippedImage(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { sigstore := sigstoreImpl{ - verifyFunction: tt.fields.verifyFunction, - fetchImageManifestFunction: tt.fields.fetchImageManifestFunction, - skippedImages: tt.fields.skippedImages, + functionHooks: sigstoreFunctionHooks{ + verifyFunction: tt.fields.verifyFunction, + fetchImageManifestFunction: tt.fields.fetchImageManifestFunction, + }, + skippedImages: tt.fields.skippedImages, } sigstore.AddSkippedImage(tt.args.imageID) require.Equal(t, sigstore.skippedImages, tt.want, "sigstore.skippedImages = %v, want %v", sigstore.skippedImages, tt.want) @@ -982,9 +1064,11 @@ func TestSigstoreimpl_ClearSkipList(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { sigstore := &sigstoreImpl{ - verifyFunction: tt.fields.verifyFunction, - fetchImageManifestFunction: tt.fields.fetchImageManifestFunction, - skippedImages: tt.fields.skippedImages, + functionHooks: sigstoreFunctionHooks{ + verifyFunction: tt.fields.verifyFunction, + fetchImageManifestFunction: tt.fields.fetchImageManifestFunction, + }, + skippedImages: tt.fields.skippedImages, } sigstore.ClearSkipList() if !reflect.DeepEqual(sigstore.skippedImages, tt.want) { @@ -1077,9 +1161,11 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { fetchArguments := fetchFunctionArguments{} verifyArguments := verifyFunctionArguments{} sigstore := &sigstoreImpl{ - verifyFunction: tt.fields.verifyFunction(t, &verifyArguments), - fetchImageManifestFunction: tt.fields.fetchImageManifestFunction(t, &fetchArguments), - skippedImages: tt.fields.skippedImages, + functionHooks: sigstoreFunctionHooks{ + verifyFunction: tt.fields.verifyFunction(t, &verifyArguments), + fetchImageManifestFunction: tt.fields.fetchImageManifestFunction(t, &fetchArguments), + }, + skippedImages: tt.fields.skippedImages, } got, err := sigstore.ValidateImage(tt.args.ref) 
@@ -1678,13 +1764,15 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { fetchArguments := fetchFunctionArguments{} verifyArguments := verifyFunctionArguments{} sigstore := &sigstoreImpl{ - verifyFunction: tt.fields.verifyFunction(t, &verifyArguments), - fetchImageManifestFunction: tt.fields.fetchImageManifestFunction(t, &fetchArguments), - skippedImages: tt.fields.skippedImages, - rekorURL: tt.fields.rekorURL, - sigstorecache: NewCache(maximumAmountCache), - checkOptsFunction: emptyCheckOptsFunction, - logger: hclog.Default(), + functionHooks: sigstoreFunctionHooks{ + verifyFunction: tt.fields.verifyFunction(t, &verifyArguments), + fetchImageManifestFunction: tt.fields.fetchImageManifestFunction(t, &fetchArguments), + checkOptsFunction: emptyCheckOptsFunction, + }, + skippedImages: tt.fields.skippedImages, + rekorURL: tt.fields.rekorURL, + sigstorecache: NewCache(maximumAmountCache), + logger: hclog.Default(), } got, err := sigstore.AttestContainerSignatures(context.Background(), &tt.status) @@ -1863,11 +1951,11 @@ type verifyFunctionArguments struct { ref name.Reference options *cosign.CheckOpts } -type verifyFunction func(context.Context, name.Reference, *cosign.CheckOpts) ([]oci.Signature, bool, error) -type verifyFunctionBinding func(require.TestingT, *verifyFunctionArguments) verifyFunction + +type verifyFunctionBinding func(require.TestingT, *verifyFunctionArguments) verifyFunctionType func createVerifyFunction(returnSignatures []oci.Signature, returnBundleVerified bool, returnError error) verifyFunctionBinding { - bindVerifyArgumentsFunction := func(t require.TestingT, verifyArguments *verifyFunctionArguments) verifyFunction { + bindVerifyArgumentsFunction := func(t require.TestingT, verifyArguments *verifyFunctionArguments) verifyFunctionType { newVerifyFunction := func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { verifyArguments.called = true verifyArguments.context = context 
@@ -1881,7 +1969,7 @@ func createVerifyFunction(returnSignatures []oci.Signature, returnBundleVerified } func createNilVerifyFunction() verifyFunctionBinding { - bindVerifyArgumentsFunction := func(t require.TestingT, verifyArguments *verifyFunctionArguments) verifyFunction { + bindVerifyArgumentsFunction := func(t require.TestingT, verifyArguments *verifyFunctionArguments) verifyFunctionType { failFunction := func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { require.FailNow(t, "nil verify function should not be called") return nil, false, nil @@ -1896,11 +1984,11 @@ type fetchFunctionArguments struct { ref name.Reference options []remote.Option } -type fetchFunction func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) -type fetchFunctionBinding func(require.TestingT, *fetchFunctionArguments) fetchFunction + +type fetchFunctionBinding func(require.TestingT, *fetchFunctionArguments) fetchImageManifestFunctionType func createFetchFunction(returnDescriptor *remote.Descriptor, returnError error) fetchFunctionBinding { - bindFetchArgumentsFunction := func(t require.TestingT, fetchArguments *fetchFunctionArguments) fetchFunction { + bindFetchArgumentsFunction := func(t require.TestingT, fetchArguments *fetchFunctionArguments) fetchImageManifestFunctionType { newFetchFunction := func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { fetchArguments.called = true fetchArguments.ref = ref 
@@ -1913,7 +2001,7 @@ func createFetchFunction(returnDescriptor *remote.Descriptor, returnError error) } func createNilFetchFunction() fetchFunctionBinding { - bindFetchArgumentsFunction := func(t require.TestingT, fetchArguments *fetchFunctionArguments) fetchFunction { + bindFetchArgumentsFunction := func(t require.TestingT, fetchArguments *fetchFunctionArguments) fetchImageManifestFunctionType { failFunction := func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { require.FailNow(t, "nil fetch function should not be called") return nil, nil @@ -1923,6 +2011,36 @@ func createNilFetchFunction() fetchFunctionBinding { return bindFetchArgumentsFunction } +type checkOptsFunctionArguments struct { + called bool + url url.URL +} + +type checkOptsFunctionBinding func(require.TestingT, *checkOptsFunctionArguments) checkOptsFunctionType + +func createCheckOptsFunction(returnCheckOpts *cosign.CheckOpts) checkOptsFunctionBinding { + bindCheckOptsArgumentsFunction := func(t require.TestingT, checkOptsArguments *checkOptsFunctionArguments) checkOptsFunctionType { + newCheckOptsFunction := func(url url.URL) *cosign.CheckOpts { + checkOptsArguments.called = true + checkOptsArguments.url = url + return returnCheckOpts + } + return newCheckOptsFunction + } + return bindCheckOptsArgumentsFunction +} + +func createNilCheckOptsFunction() checkOptsFunctionBinding { + bindCheckOptsArgumentsFunction := func(t require.TestingT, checkOptsArguments *checkOptsFunctionArguments) checkOptsFunctionType { + failFunction := func(url url.URL) *cosign.CheckOpts { + require.FailNow(t, "nil check opts function should not be called") + return nil + } + return failFunction + } + return bindCheckOptsArgumentsFunction +} + func createEmptyCheckOptsFunction(co *cosign.CheckOpts) func(url.URL) *cosign.CheckOpts { emptyCheckOptsFunction := func(url.URL) *cosign.CheckOpts { co.RekorClient = new(rekor.Rekor) 
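Review bot: In the added createCheckOptsFunction and createNilCheckOptsFunction helpers the closure parameter is named `url`, which shadows the imported `url` package inside the closure body (`func(url url.URL) *cosign.CheckOpts`). It compiles today, but any later reference to the package inside those closures would resolve to the parameter instead; renaming it, e.g. `newCheckOptsFunction := func(rekorURL url.URL) *cosign.CheckOpts {`, removes the trap. Both helpers would also benefit from a one-line doc comment: the first records the call and the URL it received into checkOptsArguments, the second fails the test if the hook is invoked at all.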
@@ -1935,3 +2053,11 @@ func createEmptyCheckOptsFunction(co *cosign.CheckOpts) func(url.URL) *cosign.Ch } return emptyCheckOptsFunction } + +func rekorDefaultUrl() url.URL { + return url.URL{ + Scheme: rekor.DefaultSchemes[0], + Host: rekor.DefaultHost, + Path: rekor.DefaultBasePath, + } +} From 1f933d70d74b12c92ff2bc9dc45794752bcd3d62 Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Wed, 21 Sep 2022 22:06:52 -0300 Subject: [PATCH 116/257] Fixed shorts comments (#114) Signed-off-by: Willian Alves Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s.go | 2 - .../workloadattestor/k8s/k8s_posix_test.go | 20 ++-- .../plugin/workloadattestor/k8s/k8s_test.go | 95 ++++++++++--------- .../k8s/sigstore/sigstore_test.go | 34 ++++--- 4 files changed, 75 insertions(+), 76 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s.go b/pkg/agent/plugin/workloadattestor/k8s/k8s.go index 02df29b874..d57f748376 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s.go @@ -134,14 +134,12 @@ type HCLConfig struct { } type ExperimentalK8SConfig struct { - // Sigstore contains sigstore specific configs. Sigstore *SigstoreHCLConfig `hcl:"sigstore,omitempty"` } // SigstoreHCLConfig holds the sigstore configuration parsed from HCL type SigstoreHCLConfig struct { - // RekorURL is the URL for the rekor server to use to verify signatures and public keys RekorURL string `hcl:"rekor_url"` diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go index 05359511c0..dd4f32303d 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go 
@@ -204,13 +204,6 @@ func (s *Suite) TestAttestAgainstNodeOverride() { s.Require().Empty(selectors) } -type signature struct { - oci.Signature - - payload []byte - cert *x509.Certificate -} - func (s signature) Payload() ([]byte, error) { return s.payload, nil } @@ -580,9 +573,6 @@ func TestGetPodUIDAndContainerIDFromCGroupPath(t *testing.T) { } } -type osConfig struct { -} - func (o *osConfig) getContainerHelper() ContainerHelper { return nil } @@ -613,3 +603,13 @@ func (s *Suite) loadInsecurePluginWithSigstore() workloadattestor.WorkloadAttest } `, s.kubeletPort())) } + +type signature struct { + oci.Signature + + payload []byte + cert *x509.Certificate +} + +type osConfig struct { +} diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index 12d0738425..fc67d15e6e 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -130,38 +130,10 @@ FwOGLt+I3+9beT0vo+pn9Rq0squewFYe3aJbwpkyfP2xOovQCdm4PC8y } ) -type attestResult struct { - selectors []*common.Selector - err error -} - func TestPlugin(t *testing.T) { spiretest.Run(t, new(Suite)) } -type Suite struct { - spiretest.Suite - - dir string - clock *clock.Mock - - podList [][]byte - env map[string]string - - // kubelet stuff - server *httptest.Server - kubeletCert *x509.Certificate - clientCert *x509.Certificate - - oc *osConfig - sigstoreSelectors []sigstore.SelectorsFromSignatures - sigstoreSigs []oci.Signature - sigstoreSkipSigs bool - sigstoreSkippedSigSelectors []string - sigstoreReturnError error - sigstoreMock *sigstoreMock -} - func (s *Suite) SetupTest() { s.dir = s.TempDir() s.writeFile(defaultTokenPath, "default-token") 
@@ -750,21 +722,6 @@ func (s *Suite) TestConfigure() { } } -type sigstoreMock struct { - selectors []sigstore.SelectorsFromSignatures - - sigs []oci.Signature - skipSigs bool - skippedSigSelectors []string - returnError error - skippedImages map[string]bool - allowedSubjects map[string]bool - allowedSubjectListEnabled bool - log hclog.Logger - - rekorURL string -} - // SetLogger implements sigstore.Sigstore func (s *sigstoreMock) SetLogger(logger hclog.Logger) { s.log = logger @@ -778,7 +735,10 @@ func (s *sigstoreMock) FetchImageSignatures(ctx context.Context, imageName strin } func (s *sigstoreMock) SelectorValuesFromSignature(signatures oci.Signature, containerID string) *sigstore.SelectorsFromSignatures { - return &s.selectors[0] + if len(s.selectors) != 0 { + return &s.selectors[0] + } + return nil } func (s *sigstoreMock) ExtractSelectorsFromSignatures(signatures []oci.Signature, containerID string) []sigstore.SelectorsFromSignatures { @@ -1108,8 +1068,6 @@ func (s *Suite) addPodListResponse(fixturePath string) { s.podList = append(s.podList, podList) } -type testFS string - func (fs testFS) Open(path string) (io.ReadCloser, error) { return os.Open(filepath.Join(string(fs), path)) } 
@@ -1129,3 +1087,48 @@ func (s *sigstoreMock) AddSkippedImage(images []string) { s.skippedImages[imageID] = true } } + +type Suite struct { + spiretest.Suite + + dir string + clock *clock.Mock + + podList [][]byte + env map[string]string + + // kubelet stuff + server *httptest.Server + kubeletCert *x509.Certificate + clientCert *x509.Certificate + + oc *osConfig + sigstoreSelectors []sigstore.SelectorsFromSignatures + sigstoreSigs []oci.Signature + sigstoreSkipSigs bool + sigstoreSkippedSigSelectors []string + sigstoreReturnError error + sigstoreMock *sigstoreMock +} + +type sigstoreMock struct { + selectors []sigstore.SelectorsFromSignatures + + sigs []oci.Signature + skipSigs bool + skippedSigSelectors []string + returnError error + skippedImages map[string]bool + allowedSubjects map[string]bool + allowedSubjectListEnabled bool + log hclog.Logger + + rekorURL string +} + +type attestResult struct { + selectors []*common.Selector + err error +} + +type testFS string diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 9931e5e02e..395199a720 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -116,7 +116,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { imageName string } - defaultCheckOpts := DefaultCheckOpts(rekorDefaultUrl()) + defaultCheckOpts := DefaultCheckOpts(rekorDefaultURL()) emptyURLCheckOpts := DefaultCheckOpts(url.URL{}) tests := []struct { 
@@ -142,7 +142,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), checkOptsBinding: createCheckOptsFunction(defaultCheckOpts), }, - rekorURL: rekorDefaultUrl(), + rekorURL: rekorDefaultURL(), }, args: args{ imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", @@ -160,7 +160,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { }, wantedCheckOptsArguments: checkOptsFunctionArguments{ called: true, - url: rekorDefaultUrl(), + url: rekorDefaultURL(), }, want: []oci.Signature{ signature{ @@ -184,7 +184,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), checkOptsBinding: createCheckOptsFunction(defaultCheckOpts), }, - rekorURL: rekorDefaultUrl(), + rekorURL: rekorDefaultURL(), }, args: args{ imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", @@ -202,7 +202,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { }, wantedCheckOptsArguments: checkOptsFunctionArguments{ called: true, - url: rekorDefaultUrl(), + url: rekorDefaultURL(), }, want: []oci.Signature{ signature{ @@ -222,7 +222,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), checkOptsBinding: createCheckOptsFunction(defaultCheckOpts), }, - rekorURL: rekorDefaultUrl(), + rekorURL: rekorDefaultURL(), }, args: args{ imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", @@ -240,7 +240,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { }, wantedCheckOptsArguments: checkOptsFunctionArguments{ called: true, - url: rekorDefaultUrl(), + url: rekorDefaultURL(), }, want: nil, wantErr: true, 
@@ -254,7 +254,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), checkOptsBinding: createCheckOptsFunction(defaultCheckOpts), }, - rekorURL: rekorDefaultUrl(), + rekorURL: rekorDefaultURL(), }, args: args{ imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", @@ -272,7 +272,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { }, wantedCheckOptsArguments: checkOptsFunctionArguments{ called: true, - url: rekorDefaultUrl(), + url: rekorDefaultURL(), }, want: nil, wantErr: false, @@ -290,7 +290,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), checkOptsBinding: createCheckOptsFunction(defaultCheckOpts), }, - rekorURL: rekorDefaultUrl(), + rekorURL: rekorDefaultURL(), }, args: args{ imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", @@ -308,7 +308,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { }, wantedCheckOptsArguments: checkOptsFunctionArguments{ called: true, - url: rekorDefaultUrl(), + url: rekorDefaultURL(), }, want: nil, wantErr: true, @@ -326,7 +326,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), checkOptsBinding: createCheckOptsFunction(defaultCheckOpts), }, - rekorURL: rekorDefaultUrl(), + rekorURL: rekorDefaultURL(), }, args: args{ imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", @@ -344,7 +344,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { }, wantedCheckOptsArguments: checkOptsFunctionArguments{ called: true, - url: rekorDefaultUrl(), + url: rekorDefaultURL(), }, want: nil, wantErr: true, 
@@ -358,7 +358,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { fetchBinding: createNilFetchFunction(), checkOptsBinding: createNilCheckOptsFunction(), }, - rekorURL: rekorDefaultUrl(), + rekorURL: rekorDefaultURL(), }, args: args{ imageName: "invali|].url.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", @@ -415,7 +415,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), checkOptsBinding: createNilCheckOptsFunction(), }, - rekorURL: rekorDefaultUrl(), + rekorURL: rekorDefaultURL(), }, args: args{ imageName: "docker-registry.com/some/image@sha256:4fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", @@ -434,7 +434,6 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - fetchArguments := &fetchFunctionArguments{} verifyArguments := &verifyFunctionArguments{} checkOptsArguments := &checkOptsFunctionArguments{} @@ -465,7 +464,6 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { require.Equal(t, tt.wantedCheckOptsArguments, *checkOptsArguments, "sigstoreImpl.FetchImageSignatures() checkOptsArguments = %v, want %v", *checkOptsArguments, tt.wantedCheckOptsArguments) require.Equal(t, tt.wantedVerifyArguments, *verifyArguments, "sigstoreImpl.FetchImageSignatures() verifyArguments = %v, want %v", *verifyArguments, tt.wantedVerifyArguments) - }) } } @@ -2054,7 +2052,7 @@ func createEmptyCheckOptsFunction(co *cosign.CheckOpts) func(url.URL) *cosign.Ch return emptyCheckOptsFunction } -func rekorDefaultUrl() url.URL { +func rekorDefaultURL() url.URL { return url.URL{ Scheme: rekor.DefaultSchemes[0], Host: rekor.DefaultHost, From c484d0fc89b386a194949f0c30d104abd1e0b2d7 Mon Sep 17 00:00:00 2001 
From: Guazzelli Date: Thu, 22 Sep 2022 09:54:56 -0300 Subject: [PATCH 117/257] Refactor: made requested changes in the sigstore.go file (#94) * fix: added error return to AttestContainerSignatures method * fix: changed variable from camel to snake case * fix: add returned type to error message in getBundleSignatureContent method * fix: changed log from camel to snake case * fix: fixed nil payload test case * fix: fix import order * fix: sync with remote * fix: change import order Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../workloadattestor/k8s/sigstore/sigstore.go | 12 +- .../k8s/sigstore/sigstore_test.go | 103 +++++++++--------- 2 files changed, 58 insertions(+), 57 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 755768e8cf..20bd4c1fd3 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -264,7 +264,10 @@ func (s *sigstoreImpl) EnableAllowSubjectList(flag bool) { } func (s *sigstoreImpl) AttestContainerSignatures(ctx context.Context, status *corev1.ContainerStatus) ([]string, error) { - skip, _ := s.ShouldSkipImage(status.ImageID) + skip, err := s.ShouldSkipImage(status.ImageID) + if err != nil { + return nil, fmt.Errorf("failed attesting container signature: %w", err) + } if skip { return []string{signatureVerifiedSelector}, nil } @@ -273,7 +276,7 @@ func (s *sigstoreImpl) AttestContainerSignatures(ctx context.Context, status *co cachedSignature := s.sigstorecache.GetSignature(imageID) if cachedSignature != nil { - s.logger.Debug("Found cached signature", "imageId", imageID) + s.logger.Debug("Found cached signature", "image_id", imageID) } else { signatures, err := s.FetchImageSignatures(ctx, imageID) if err != nil { 
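Review bot: The error now returned from AttestContainerSignatures when ShouldSkipImage fails does not name the image. Unless ShouldSkipImage's own error carries it (not visible here), an operator cannot tell from the agent log which container failed the skip-list check. Consider `return nil, fmt.Errorf("checking skip list for image %q: %w", status.ImageID, err)`, which also drops the "failed" prefix that becomes redundant once errors are wrapped. The function body continues outside this hunk.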
@@ -287,7 +290,7 @@ func (s *sigstoreImpl) AttestContainerSignatures(ctx context.Context, status *co Value: selectors, } - s.logger.Debug("Caching signature", "imageID", imageID) + s.logger.Debug("Caching signature", "image_id", imageID) s.sigstorecache.PutSignature(*cachedSignature) } @@ -358,7 +361,8 @@ func getBundleSignatureContent(bundle *bundle.RekorBundle) (string, error) { } body64, ok := bundle.Payload.Body.(string) if !ok { - return "", errors.New("payload body is not a string") + returnedType := fmt.Sprintf("Expected payload body to be a string but got %T instead", body64) + return "", errors.New(returnedType) } body, err := base64.StdEncoding.DecodeString(body64) if err != nil { diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 395199a720..4d13ce3809 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -101,12 +101,6 @@ func TestNew(t *testing.T) { } } -type sigstoreFunctionBindings struct { - verifyBinding verifyFunctionBinding - fetchBinding fetchFunctionBinding - checkOptsBinding checkOptsFunctionBinding -} - func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { type fields struct { functionBindings sigstoreFunctionBindings @@ -481,13 +475,9 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { args args containerID string want []SelectorsFromSignatures - wantError bool }{ { name: "extract selector from single image signature array", - fields: fields{ - verifyFunction: nil, - }, args: args{ signatures: []oci.Signature{ signature{ @@ -514,9 +504,6 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { }, { name: "extract selector from image signature array with multiple entries", - fields: fields{ - verifyFunction: nil, - }, args: args{ signatures: []oci.Signature{ signature{ 
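Review bot: In the getBundleSignatureContent hunk the new message applies `%T` to `body64`, which is the string-typed result of the failed type assertion, so it will always print `string` rather than the type that was actually received. Format the original value and build the error in one step: `return "", fmt.Errorf("expected payload body to be a string but got %T instead", bundle.Payload.Body)`. That also keeps the error string lowercase and avoids the intermediate `returnedType` variable passed to `errors.New`. The function starts and ends outside the hunk.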
@@ -558,14 +545,11 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { }, }, { - name: "with invalid payload", - fields: fields{ - verifyFunction: nil, - }, + name: "with nil payload", args: args{ signatures: []oci.Signature{ signature{ - payload: []byte{}, + payload: nil, }, }, }, @@ -574,9 +558,6 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { }, { name: "extract selector from image signature with subject certificate", - fields: fields{ - verifyFunction: nil, - }, args: args{ signatures: []oci.Signature{ signature{ @@ -609,9 +590,6 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { }, { name: "extract selector from image signature with URI certificate", - fields: fields{ - verifyFunction: nil, - }, args: args{ signatures: []oci.Signature{ signature{ @@ -652,9 +630,6 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { }, { name: "extract selector from empty array", - fields: fields{ - verifyFunction: nil, - }, args: args{ signatures: []oci.Signature{}, }, @@ -663,15 +638,31 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { }, { name: "extract selector from nil array", - fields: fields{ - verifyFunction: nil, - }, args: args{ signatures: nil, }, containerID: "666666", want: nil, }, + { + name: "invalid payload", + args: args{ + signatures: []oci.Signature{ + signature{ + payload: []byte(`{"critical": {}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, + }, + }, + }, + }, + }, + containerID: "777777", + want: nil, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { 
@@ -1893,14 +1884,6 @@ func TestSigstoreimpl_SetRekorURL(t *testing.T) { } } -type signature struct { - oci.Signature - - payload []byte - cert *x509.Certificate - bundle *bundle.RekorBundle -} - func (s signature) Payload() ([]byte, error) { return s.payload, nil } @@ -1977,14 +1960,6 @@ func createNilVerifyFunction() verifyFunctionBinding { return bindVerifyArgumentsFunction } -type fetchFunctionArguments struct { - called bool - ref name.Reference - options []remote.Option -} - -type fetchFunctionBinding func(require.TestingT, *fetchFunctionArguments) fetchImageManifestFunctionType - func createFetchFunction(returnDescriptor *remote.Descriptor, returnError error) fetchFunctionBinding { bindFetchArgumentsFunction := func(t require.TestingT, fetchArguments *fetchFunctionArguments) fetchImageManifestFunctionType { newFetchFunction := func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { @@ -2009,13 +1984,6 @@ func createNilFetchFunction() fetchFunctionBinding { return bindFetchArgumentsFunction } -type checkOptsFunctionArguments struct { - called bool - url url.URL -} - -type checkOptsFunctionBinding func(require.TestingT, *checkOptsFunctionArguments) checkOptsFunctionType - func createCheckOptsFunction(returnCheckOpts *cosign.CheckOpts) checkOptsFunctionBinding { bindCheckOptsArgumentsFunction := func(t require.TestingT, checkOptsArguments *checkOptsFunctionArguments) checkOptsFunctionType { newCheckOptsFunction := func(url url.URL) *cosign.CheckOpts { 
@@ -2059,3 +2027,32 @@ func rekorDefaultURL() url.URL { Path: rekor.DefaultBasePath, } } + +type signature struct { + oci.Signature + + payload []byte + cert *x509.Certificate + bundle *bundle.RekorBundle +} + +type sigstoreFunctionBindings struct { + verifyBinding verifyFunctionBinding + fetchBinding fetchFunctionBinding + checkOptsBinding checkOptsFunctionBinding +} + +type checkOptsFunctionArguments struct { + called bool + url url.URL +} + +type checkOptsFunctionBinding func(require.TestingT, *checkOptsFunctionArguments) checkOptsFunctionType + +type fetchFunctionArguments struct { + called bool + ref name.Reference + options []remote.Option +} + +type fetchFunctionBinding func(require.TestingT, *fetchFunctionArguments) fetchImageManifestFunctionType From 8446994479c112a63abfbecaa213f4c3fd9d16cf Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Thu, 22 Sep 2022 23:53:52 -0300 Subject: [PATCH 118/257] Fix check empty rekorURL (#128) * refactor: added error checking on checkOpts handling tests: added checkOpts checking to TestSigstoreimpl_AttestContainerSignatures Signed-off-by: Rodrigo Lopes * tests: added empty rekorURL test case to TestSigstoreimpl_AttestContainerSignatures Signed-off-by: Rodrigo Lopes * fix:removed unused function Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../workloadattestor/k8s/sigstore/sigstore.go | 23 +- .../k8s/sigstore/sigstore_test.go | 201 ++++++++++-------- 2 files changed, 128 insertions(+), 96 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 20bd4c1fd3..cc0336dc24 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go 
@@ -75,7 +75,7 @@ func New(cache Cache, logger hclog.Logger) Sigstore { functionHooks: sigstoreFunctionHooks{ verifyFunction: cosign.VerifyImageSignatures, fetchImageManifestFunction: remote.Get, - checkOptsFunction: DefaultCheckOpts, + checkOptsFunction: defaultCheckOptsFunction, }, rekorURL: url.URL{ @@ -88,7 +88,17 @@ func New(cache Cache, logger hclog.Logger) Sigstore { } } -func DefaultCheckOpts(rekorURL url.URL) *cosign.CheckOpts { +func defaultCheckOptsFunction(rekorURL url.URL) (*cosign.CheckOpts, error) { + if rekorURL.Host == "" { + return nil, errors.New("rekor URL host is empty") + } + if rekorURL.Scheme == "" { + return nil, errors.New("rekor URL scheme is empty") + } + if rekorURL.Path == "" { + return nil, errors.New("rekor URL path is empty") + } + co := &cosign.CheckOpts{} // Set the rekor client @@ -96,7 +106,7 @@ func DefaultCheckOpts(rekorURL url.URL) *cosign.CheckOpts { co.RootCerts = fulcio.GetRoots() - return co + return co, nil } type sigstoreImpl struct { @@ -125,7 +135,10 @@ func (s *sigstoreImpl) FetchImageSignatures(ctx context.Context, imageName strin return nil, fmt.Errorf("could not validate image reference digest: %w", err) } - co := s.functionHooks.checkOptsFunction(s.rekorURL) + co, err := s.functionHooks.checkOptsFunction(s.rekorURL) + if err != nil { + return nil, fmt.Errorf("could not create cosign check options: %w", err) + } sigs, ok, err := s.functionHooks.verifyFunction(ctx, ref, co) if err != nil { return nil, fmt.Errorf("error verifying signature: %w", err) @@ -422,7 +435,7 @@ type verifyFunctionType func(context.Context, name.Reference, *cosign.CheckOpts) type fetchImageManifestFunctionType func(name.Reference, ...remote.Option) (*remote.Descriptor, error) -type checkOptsFunctionType func(url.URL) *cosign.CheckOpts +type checkOptsFunctionType func(url.URL) (*cosign.CheckOpts, error) type sigstoreFunctionHooks struct { verifyFunction verifyFunctionType 
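Review bot: The validation added to defaultCheckOptsFunction rejects an empty scheme but accepts any non-empty one, so a configured plaintext or misspelled scheme passes the check and is handed to the Rekor client as-is. Consider comparing against an explicit allow-list, e.g. `if rekorURL.Scheme != "https" { return nil, fmt.Errorf("rekor URL scheme %q is not supported", rekorURL.Scheme) }`, or documenting why other schemes are intentionally allowed. The default URL built in New is only partly visible here and the test helper uses `rekor.DefaultSchemes[0]`, so the allowed set has to agree with whatever those resolve to. The line that constructs the Rekor client sits between this hunk and the next, so whether its error is checked cannot be confirmed from here.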
diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 4d13ce3809..b45f508ec2 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -69,7 +69,7 @@ func TestNew(t *testing.T) { functionHooks: sigstoreFunctionHooks{ verifyFunction: cosign.VerifyImageSignatures, fetchImageManifestFunction: remote.Get, - checkOptsFunction: DefaultCheckOpts, + checkOptsFunction: defaultCheckOptsFunction, }, skippedImages: nil, allowListEnabled: false, @@ -110,8 +110,8 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { imageName string } - defaultCheckOpts := DefaultCheckOpts(rekorDefaultURL()) - emptyURLCheckOpts := DefaultCheckOpts(url.URL{}) + defaultCheckOpts, _ := defaultCheckOptsFunction(rekorDefaultURL()) + emptyURLCheckOpts, emptyError := defaultCheckOptsFunction(url.URL{}) tests := []struct { name string @@ -134,7 +134,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { }, }, true, nil), fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), - checkOptsBinding: createCheckOptsFunction(defaultCheckOpts), + checkOptsBinding: createCheckOptsFunction(defaultCheckOpts, nil), }, rekorURL: rekorDefaultURL(), }, @@ -176,7 +176,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { }, }, true, nil), fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), - checkOptsBinding: createCheckOptsFunction(defaultCheckOpts), + checkOptsBinding: createCheckOptsFunction(defaultCheckOpts, nil), }, rekorURL: rekorDefaultURL(), }, 
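Review bot: In TestSigstoreimpl_FetchImageSignatures the error from `defaultCheckOptsFunction(rekorDefaultURL())` is discarded with `_` and `emptyError` is never asserted to be non-nil. If the URL validation regressed, `defaultCheckOpts` could be nil, or the empty-URL case could wrap a nil error, and the table would only fail indirectly. Add `require.NoError(t, err)` after the first call and `require.Error(t, emptyError)` after the second so the fail-closed behaviour for an empty Rekor URL is pinned directly. The same pair of calls is added to TestSigstoreimpl_AttestContainerSignatures in the `@@ -1635,42 +1622,46 @@` hunk.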
@@ -214,7 +214,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { functionBindings: sigstoreFunctionBindings{ verifyBinding: createVerifyFunction(nil, true, errors.New("no matching signatures 2")), fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), - checkOptsBinding: createCheckOptsFunction(defaultCheckOpts), + checkOptsBinding: createCheckOptsFunction(defaultCheckOpts, nil), }, rekorURL: rekorDefaultURL(), }, @@ -246,7 +246,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { functionBindings: sigstoreFunctionBindings{ verifyBinding: createVerifyFunction(nil, true, nil), fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), - checkOptsBinding: createCheckOptsFunction(defaultCheckOpts), + checkOptsBinding: createCheckOptsFunction(defaultCheckOpts, nil), }, rekorURL: rekorDefaultURL(), }, @@ -282,7 +282,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { }, }, true, errors.New("unexpected error")), fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), - checkOptsBinding: createCheckOptsFunction(defaultCheckOpts), + checkOptsBinding: createCheckOptsFunction(defaultCheckOpts, nil), }, rekorURL: rekorDefaultURL(), }, @@ -318,7 +318,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { }, }, false, nil), fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), - checkOptsBinding: createCheckOptsFunction(defaultCheckOpts), + checkOptsBinding: createCheckOptsFunction(defaultCheckOpts, nil), }, rekorURL: rekorDefaultURL(), }, 
@@ -365,14 +365,9 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { name: "fetch image with signature, empty rekor url", fields: fields{ functionBindings: sigstoreFunctionBindings{ - verifyBinding: createVerifyFunction( - []oci.Signature{ - signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - }, - }, true, nil), + verifyBinding: createNilVerifyFunction(), fetchBinding: createFetchFunction(&remote.Descriptor{Manifest: []byte("sometext")}, nil), - checkOptsBinding: createCheckOptsFunction(emptyURLCheckOpts), + checkOptsBinding: createCheckOptsFunction(emptyURLCheckOpts, emptyError), }, rekorURL: url.URL{}, }, 
@@ -384,22 +379,14 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, }, - wantedVerifyArguments: verifyFunctionArguments{ - called: true, - context: context.Background(), - ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), - options: emptyURLCheckOpts, - }, + wantedVerifyArguments: verifyFunctionArguments{}, wantedCheckOptsArguments: checkOptsFunctionArguments{ called: true, url: url.URL{}, }, - want: []oci.Signature{ - signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - }, - }, - wantErr: false, + want: nil, + wantErr: true, + wantedErr: fmt.Errorf("could not create cosign check options: %w", emptyError), }, { name: "fetch image with wrong image hash", 
@@ -1635,42 +1622,46 @@ func Test_getBundleSignatureContent(t *testing.T) { func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { type fields struct { - verifyFunction verifyFunctionBinding - fetchImageManifestFunction fetchFunctionBinding - skippedImages map[string]bool - rekorURL url.URL + functionBindings sigstoreFunctionBindings + skippedImages map[string]bool + rekorURL url.URL } - emptyCheckOpts := &cosign.CheckOpts{} - + defaultCheckOpts, _ := defaultCheckOptsFunction(rekorDefaultURL()) + emptyURLCheckOpts, emptyError := defaultCheckOptsFunction(url.URL{}) tests := []struct { - name string - fields fields - status corev1.ContainerStatus - wantedFetchArguments fetchFunctionArguments - wantedVerifyArguments verifyFunctionArguments - want []string - wantErr bool - wantedErr error + name string + fields fields + status corev1.ContainerStatus + wantedFetchArguments fetchFunctionArguments + wantedVerifyArguments verifyFunctionArguments + wantedCheckOptsArguments checkOptsFunctionArguments + want []string + wantErr bool + wantedErr error }{ { name: "Attest image with signature", fields: fields{ - verifyFunction: createVerifyFunction([]oci.Signature{ - signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", - LogID: "samplelogID", - IntegratedTime: 12345, + functionBindings: sigstoreFunctionBindings{ + verifyBinding: createVerifyFunction([]oci.Signature{ + signature{ + payload: []byte(`{"critical": 
{"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, + }, }, }, - }, - }, true, nil), - fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{ - Manifest: []byte("sometext"), - }, nil), + }, true, nil), + fetchBinding: createFetchFunction(&remote.Descriptor{ + Manifest: []byte("sometext"), + }, nil), + checkOptsBinding: createCheckOptsFunction(defaultCheckOpts, nil), + }, + rekorURL: rekorDefaultURL(), }, status: corev1.ContainerStatus{ Image: "spire-agent-sigstore-1", @@ -1686,7 +1677,11 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { called: true, context: context.Background(), ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), - options: emptyCheckOpts, + options: defaultCheckOpts, + }, + wantedCheckOptsArguments: checkOptsFunctionArguments{ + called: true, + url: rekorDefaultURL(), }, want: []string{ "000000:image-signature-subject:spirex@example.com", "000000:image-signature-content:MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", "000000:image-signature-logid:samplelogID", "000000:image-signature-integrated-time:12345", "sigstore-validation:passed", 
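Review bot: The setup line `defaultCheckOpts, _ := defaultCheckOptsFunction(rekorDefaultURL())` discards the error, and because the mock created by `createCheckOptsFunction(defaultCheckOpts, nil)` hands the same value back, the `options: defaultCheckOpts` expectations would still pass if that call failed and returned nil. The second setup line, `emptyURLCheckOpts, emptyError := defaultCheckOptsFunction(url.URL{})`, has the mirror problem: `emptyError` is used as the wrapped expected error in the "Attest image with empty rekorURL" case (later hunk) without ever being asserted non-nil. I would capture the first error and add `require.NoError(t, err)` after it, and `require.Error(t, emptyError)` after the second, so the table cannot pass against nil options or a nil error. The test function continues outside this hunk.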
@@ -1696,13 +1691,15 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { { name: "Attest skipped image", fields: fields{ - verifyFunction: createNilVerifyFunction(), - fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{ - Manifest: []byte("sometext"), - }, nil), + functionBindings: sigstoreFunctionBindings{ + verifyBinding: createNilVerifyFunction(), + fetchBinding: createNilFetchFunction(), + checkOptsBinding: createNilCheckOptsFunction(), + }, skippedImages: map[string]bool{ "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505": true, }, + rekorURL: rekorDefaultURL(), }, status: corev1.ContainerStatus{ Image: "spire-agent-sigstore-2", @@ -1717,10 +1714,14 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { { name: "Attest image with no signature", fields: fields{ - verifyFunction: createVerifyFunction(nil, true, fmt.Errorf("no signature found")), - fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{ - Manifest: []byte("sometext"), - }, nil), + functionBindings: sigstoreFunctionBindings{ + verifyBinding: createVerifyFunction(nil, true, fmt.Errorf("no signature found")), + fetchBinding: createFetchFunction(&remote.Descriptor{ + Manifest: []byte("sometext"), + }, nil), + checkOptsBinding: createCheckOptsFunction(defaultCheckOpts, nil), + }, + rekorURL: rekorDefaultURL(), }, status: corev1.ContainerStatus{ Image: "spire-agent-sigstore-3", 
@@ -1736,27 +1737,57 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { called: true, context: context.Background(), ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), - options: emptyCheckOpts, + options: defaultCheckOpts, + }, + wantedCheckOptsArguments: checkOptsFunctionArguments{ + called: true, + url: rekorDefaultURL(), }, want: nil, wantErr: true, wantedErr: fmt.Errorf("error verifying signature: %w", errors.New("no signature found")), }, + { + name: "Attest image with empty rekorURL", + fields: fields{ + functionBindings: sigstoreFunctionBindings{ + verifyBinding: createNilVerifyFunction(), + fetchBinding: createFetchFunction(&remote.Descriptor{ + Manifest: []byte("sometext"), + }, nil), + checkOptsBinding: createCheckOptsFunction(emptyURLCheckOpts, emptyError), + }, + rekorURL: url.URL{}, + }, + status: corev1.ContainerStatus{ + Image: "spire-agent-sigstore-3", + ImageID: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", + ContainerID: "222222", + }, + wantedFetchArguments: fetchFunctionArguments{ + called: true, + ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), + options: nil, + }, + wantedCheckOptsArguments: checkOptsFunctionArguments{ + called: true, + url: url.URL{}, + }, + want: nil, + wantErr: true, + wantedErr: fmt.Errorf("could not create cosign check options: %w", emptyError), + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - co := &cosign.CheckOpts{} - emptyCheckOptsFunction := createEmptyCheckOptsFunction(co) - if tt.wantedVerifyArguments.options == emptyCheckOpts { - tt.wantedVerifyArguments.options = emptyCheckOptsFunction(url.URL{}) - } fetchArguments := fetchFunctionArguments{} verifyArguments := verifyFunctionArguments{} + checkOptsArguments := checkOptsFunctionArguments{} 
sigstore := &sigstoreImpl{ functionHooks: sigstoreFunctionHooks{ - verifyFunction: tt.fields.verifyFunction(t, &verifyArguments), - fetchImageManifestFunction: tt.fields.fetchImageManifestFunction(t, &fetchArguments), - checkOptsFunction: emptyCheckOptsFunction, + verifyFunction: tt.fields.functionBindings.verifyBinding(t, &verifyArguments), + fetchImageManifestFunction: tt.fields.functionBindings.fetchBinding(t, &fetchArguments), + checkOptsFunction: tt.fields.functionBindings.checkOptsBinding(t, &checkOptsArguments), }, skippedImages: tt.fields.skippedImages, rekorURL: tt.fields.rekorURL, @@ -1777,6 +1808,7 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { require.Equal(t, tt.want, got, "sigstoreImpl.AttestContainerSignatures() = %v, want %v", got, tt.want) require.Equal(t, tt.wantedFetchArguments, fetchArguments, "sigstoreImpl.AttestContainerSignatures() fetchArguments = %v, wantedFetchArguments = %v", fetchArguments, tt.wantedFetchArguments) require.Equal(t, tt.wantedVerifyArguments, verifyArguments, "sigstoreImpl.AttestContainerSignatures() verifyArguments = %v, wantedVerifyArguments = %v", verifyArguments, tt.wantedVerifyArguments) + require.Equal(t, tt.wantedCheckOptsArguments, checkOptsArguments, "sigstoreImpl.AttestContainerSignatures() checkOptsArguments = %v, wantedCheckOptsArguments = %v", checkOptsArguments, tt.wantedCheckOptsArguments) }) } } 
@@ -1984,12 +2016,12 @@ func createNilFetchFunction() fetchFunctionBinding { return bindFetchArgumentsFunction } -func createCheckOptsFunction(returnCheckOpts *cosign.CheckOpts) checkOptsFunctionBinding { +func createCheckOptsFunction(returnCheckOpts *cosign.CheckOpts, returnErr error) checkOptsFunctionBinding { bindCheckOptsArgumentsFunction := func(t require.TestingT, checkOptsArguments *checkOptsFunctionArguments) checkOptsFunctionType { - newCheckOptsFunction := func(url url.URL) *cosign.CheckOpts { + newCheckOptsFunction := func(url url.URL) (*cosign.CheckOpts, error) { checkOptsArguments.called = true checkOptsArguments.url = url - return returnCheckOpts + return returnCheckOpts, returnErr } return newCheckOptsFunction } @@ -1998,28 +2030,15 @@ func createCheckOptsFunction(returnCheckOpts *cosign.CheckOpts) checkOptsFunctio func createNilCheckOptsFunction() checkOptsFunctionBinding { bindCheckOptsArgumentsFunction := func(t require.TestingT, checkOptsArguments *checkOptsFunctionArguments) checkOptsFunctionType { - failFunction := func(url url.URL) *cosign.CheckOpts { + failFunction := func(url url.URL) (*cosign.CheckOpts, error) { require.FailNow(t, "nil check opts function should not be called") - return nil + return nil, fmt.Errorf("nil check opts function should not be called") } return failFunction } return bindCheckOptsArgumentsFunction } -func createEmptyCheckOptsFunction(co *cosign.CheckOpts) func(url.URL) *cosign.CheckOpts { - emptyCheckOptsFunction := func(url.URL) *cosign.CheckOpts { - co.RekorClient = new(rekor.Rekor) - rootCert, _, _ := GenerateRootCa() - rootPool := x509.NewCertPool() - rootPool.AddCert(rootCert) - co.RootCerts = rootPool - - return co - } - return emptyCheckOptsFunction -} - func rekorDefaultURL() url.URL { return url.URL{ Scheme: rekor.DefaultSchemes[0], From e08825d9150c57e9a5e20ee45c9f9a5d3007f114 Mon Sep 17 00:00:00 2001 
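Review bot: In the rewritten closures `func(url url.URL) (*cosign.CheckOpts, error)` the parameter name shadows the imported `url` package for the whole closure body; naming it `rekorURL` avoids that in both createCheckOptsFunction and createNilCheckOptsFunction (the second hunk on this line). In createNilCheckOptsFunction, `fmt.Errorf("nil check opts function should not be called")` has no format verbs, so `errors.New("nil check opts function should not be called")` is the plainer form. A one-line comment such as `// createNilCheckOptsFunction returns a binding that fails the test if the check-opts hook is ever invoked.` would also document why the return after `require.FailNow` exists.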
From: Rodrigo Lopes Date: Fri, 23 Sep 2022 08:53:17 -0300 Subject: [PATCH 119/257] refactor: refactored SelectorValuesFromSignature to error out on all errors (#121) * logs: added container id to SelectorValuesFromSignature log lines Signed-off-by: Rodrigo Lopes * refactor: refactored SelectorValuesFromSignature to error out on all errors Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../workloadattestor/k8s/sigstore/sigstore.go | 27 ++++++++++++------- .../k8s/sigstore/sigstore_test.go | 9 ++----- 2 files changed, 19 insertions(+), 17 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index cc0336dc24..f6dcb2d888 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -22,6 +22,7 @@ import ( "github.com/sigstore/cosign/pkg/oci" rekor "github.com/sigstore/rekor/pkg/generated/client" "github.com/sigstore/sigstore/pkg/signature/payload" + "github.com/spiffe/spire/pkg/common/telemetry" corev1 "k8s.io/api/core/v1" ) 
@@ -173,18 +174,18 @@ func (s *sigstoreImpl) ExtractSelectorsFromSignatures(signatures []oci.Signature func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, containerID string) *SelectorsFromSignatures { subject, err := getSignatureSubject(signature) if err != nil { - s.logger.Error("Error getting signature subject", "error", err) + s.logger.Error("Error getting signature subject", "error", err, telemetry.ContainerID, containerID) return nil } if subject == "" { - s.logger.Error("Error getting signature subject", "error", errors.New("empty subject")) + s.logger.Error("Error getting signature subject", "error", errors.New("empty subject"), telemetry.ContainerID, containerID) return nil } if s.allowListEnabled { if _, ok := s.subjectAllowList[subject]; !ok { - s.logger.Debug("Subject not in allow-list", "subject", subject) + s.logger.Debug("Subject not in allow-list", "subject", subject, telemetry.ContainerID, containerID) return nil } } 
@@ -193,21 +194,27 @@ func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, cont bundle, err := signature.Bundle() if err != nil { - s.logger.Error("Error getting signature bundle", "error", err) - return selectorsFromSignatures + s.logger.Error("Error getting signature bundle", "error", err, telemetry.ContainerID, containerID) + return nil } sigContent, err := getBundleSignatureContent(bundle) if err != nil { - s.logger.Error("Error getting signature content", "error", err) + s.logger.Error("Error getting signature content", "error", err, telemetry.ContainerID, containerID) + return nil } selectorsFromSignatures.Content = sigContent - if bundle.Payload.LogID != "" { - selectorsFromSignatures.LogID = bundle.Payload.LogID + if bundle.Payload.LogID == "" { + s.logger.Error("Error getting signature log ID", "error", errors.New("empty log ID"), telemetry.ContainerID, containerID) + return nil } - if bundle.Payload.IntegratedTime != 0 { - selectorsFromSignatures.IntegratedTime = strconv.FormatInt(bundle.Payload.IntegratedTime, 10) + selectorsFromSignatures.LogID = bundle.Payload.LogID + + if bundle.Payload.IntegratedTime == 0 { + s.logger.Error("Error getting signature integrated time", "error", errors.New("integrated time is 0"), telemetry.ContainerID, containerID) + return nil } + selectorsFromSignatures.IntegratedTime = strconv.FormatInt(bundle.Payload.IntegratedTime, 10) return selectorsFromSignatures } diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index b45f508ec2..982a7a611c 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go 
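Review bot: The new guard `if bundle.Payload.IntegratedTime == 0` rejects only the zero value, so a negative integrated time would still be turned into a selector by `strconv.FormatInt`. Every other missing or malformed bundle field now fails closed in this hunk, so `if bundle.Payload.IntegratedTime <= 0 {` would be consistent with that. The doc comment should also state the new contract, e.g. `// Returns nil when the subject, bundle, signature content, log ID or integrated time is missing or invalid.`, since callers previously could receive a partially filled struct. The function starts outside this hunk.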
@@ -1478,10 +1478,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, }, containerID: "444444", - want: &SelectorsFromSignatures{ - Subject: "spirex@example.com", - LogID: "samplelogID", - IntegratedTime: "12345"}, + want: nil, }, { name: "selector from signature, no bundle", @@ -1495,9 +1492,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, }, containerID: "555555", - want: &SelectorsFromSignatures{ - Subject: "spirex@example.com", - }, + want: nil, }, } for _, tt := range tests { From c2ea801feb6b7f03b9581347c13693e939dec06b Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Sun, 25 Sep 2022 20:32:12 -0400 Subject: [PATCH 120/257] Removed private functions on tests (#135) * draft private functions Signed-off-by: Willian Alves * Refactory getBundle private Signed-off-by: Willian Alves * Refactory getSubject private Signed-off-by: Willian Alves * remove test case repeat Signed-off-by: Willian Alves Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../k8s/sigstore/sigstore_test.go | 379 +++++++----------- 1 file changed, 145 insertions(+), 234 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 982a7a611c..10e6c4c810 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go 
@@ -665,87 +665,6 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { } } -func Test_certSubject(t *testing.T) { - type args struct { - c *x509.Certificate - } - tests := []struct { - name string - args args - want string - }{ - { - name: "certSubject_single_email", - args: args{ - c: &x509.Certificate{ - EmailAddresses: []string{"example@example.com"}, - }, - }, - want: "example@example.com", - }, - { - name: "certSubject_multiple_email", - args: args{ - c: &x509.Certificate{ - EmailAddresses: []string{"example1@example1.com", "example2@example1.com"}, - }, - }, - want: "example1@example1.com", - }, - { - name: "certSubject_from_single_URI", - args: args{ - c: &x509.Certificate{ - URIs: []*url.URL{ - { - User: url.User("example"), Host: "example2.com"}, - }, - }, - }, - want: "example@example2.com", - }, - { - name: "certSubject_from_multiple_URIs", - args: args{ - c: &x509.Certificate{ - URIs: []*url.URL{ - { - User: url.User("example1"), - Host: "example2.com", - }, - { - User: url.User("example2"), - Host: "example2.com", - }, - }, - }, - }, - want: "example1@example2.com", - }, - { - name: "certSubject_empty_certificate", - args: args{ - c: &x509.Certificate{}, - }, - want: "", - }, - { - name: "certSubject_nil_certificate", - args: args{ - c: nil, - }, - want: "", - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if got := certSubject(tt.args.c); got != tt.want { - t.Errorf("certSubject() = %v, want %v", got, tt.want) - } - }) - } -} - func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { type fields struct { skippedImages map[string](bool) 
@@ -844,64 +763,6 @@ func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { } } -func Test_getSignatureSubject(t *testing.T) { - type args struct { - signature oci.Signature - } - tests := []struct { - name string - args args - want string - }{ - { - name: "single image signature", - args: args{ - signature: signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - }, - }, - want: "spirex@example.com", - }, - { - name: "empty signature array", - args: args{signature: nil}, - want: "", - }, - { - name: "single image signature, no payload", - args: args{ - signature: noPayloadSignature{}, - }, - want: "", - }, - { - name: "single image signature, no certs", - args: args{ - signature: &noCertSignature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - }, - }, - want: "", - }, - { - name: "single image signature,garbled subject in signature", - args: args{ - signature: &signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "s\\\\||as\0\0aasdasd/....???/.>wd12<><,,,><{}{pirex@example.com","key2": "value 2","key3": "value 3"}}`), - }, - }, - want: "", - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if got, _ := getSignatureSubject(tt.args.signature); got != tt.want { - t.Errorf("getSignatureSubject() = %v, want %v", got, tt.want) - } - }) - } -} - func TestSigstoreimpl_AddSkippedImage(t *testing.T) { type fields struct { verifyFunction func(context context.Context, ref 
name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) 
@@ -1481,136 +1342,186 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { want: nil, }, { - name: "selector from signature, no bundle", + name: "selector from signature, nil bundle", fields: fields{ allowListEnabled: false, subjectAllowList: nil, }, args: args{ - signature: noBundleSignature{ + signature: nilBundleSignature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), }, }, containerID: "555555", want: nil, }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - sigstore := &sigstoreImpl{ - allowListEnabled: tt.fields.allowListEnabled, - subjectAllowList: tt.fields.subjectAllowList, - logger: hclog.Default(), - } - got := sigstore.SelectorValuesFromSignature(tt.args.signature, tt.containerID) - require.Equal(t, got, tt.want, "sigstoreImpl.SelectorValuesFromSignature() = %v, want %v", got, tt.want) - }) - } -} - -func Test_getBundleSignatureContent(t *testing.T) { - type args struct { - bundle *bundle.RekorBundle - } - tests := []struct { - name string - args args - want string - wantErr bool - }{ { - name: "nil bundle", + name: "selector from signature, bundle payload body is not a string", + fields: fields{ + allowListEnabled: false, + subjectAllowList: nil, + }, args: args{ - bundle: nil, + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: 42, + LogID: "samplelogID", + IntegratedTime: 12345, + }, + }, + }, }, - want: 
"", - wantErr: true, + containerID: "000000", + want: nil, }, { - name: "Bundle payload body is not a string", + name: "selector from signature, bundle payload body is not valid base64", + fields: fields{ + allowListEnabled: false, + subjectAllowList: nil, + }, args: args{ - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: 42, + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "abc..........def", + LogID: "samplelogID", + IntegratedTime: 12345, + }, }, }, }, - want: "", - wantErr: true, + containerID: "000000", + want: nil, }, { - name: "Bundle payload body is not valid base64", + name: "selector from signature, bundle payload body has no signature content", + fields: fields{ + allowListEnabled: false, + subjectAllowList: nil, + }, args: args{ - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "abc..........def", + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICAgInNwZWMiOiB7CiAgICAgICJzaWduYXR1cmUiOiB7CiAgICAgIH0KICAgIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, + }, }, }, }, - want: "", - wantErr: true, + containerID: "000000", + want: nil, }, { - name: "Bundle payload body has no signature content", + name: "selector from signature, bundle payload body signature content is empty", + fields: fields{ + 
allowListEnabled: false, + subjectAllowList: nil, + }, args: args{ - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "ewogICAgInNwZWMiOiB7CiAgICAgICJzaWduYXR1cmUiOiB7CiAgICAgIH0KICAgIH0KfQ==", + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICAgInNwZWMiOiB7CiAgICAgICAgInNpZ25hdHVyZSI6IHsKICAgICAgICAiY29udGVudCI6ICIiCiAgICAgICAgfQogICAgfQp9", + LogID: "samplelogID", + IntegratedTime: 12345, + }, }, }, }, - want: "", - wantErr: true, + containerID: "000000", + want: nil, }, { - name: "Bundle payload body signature content is empty", + name: "selector from signature, bundle payload body is not a valid JSON", + fields: fields{ + allowListEnabled: false, + subjectAllowList: nil, + }, args: args{ - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "ewogICAgInNwZWMiOiB7CiAgICAgICAgInNpZ25hdHVyZSI6IHsKICAgICAgICAiY29udGVudCI6ICIiCiAgICAgICAgfQogICAgfQp9", + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjosLCB7CiAgICAic2lnbmF0dXJlIjogewogICAgICAiY29udGVudCI6ICJNRVVDSVFDeWVtOEdjcjBzUEZNUDdmVFhhekNONTdOY041K01qeEp3OU9vMHgyZU0rQUlnZGdCUDk2Qk8xVGUvTmRiakhiVWViMEJVeWU2ZGVSZ1Z0UUV2NU5vNXNtQT0iCiAgICB9CiAgfQp9", + LogID: "samplelogID", + IntegratedTime: 12345, + }, }, }, }, - want: "", - wantErr: true, + containerID: 
"000000", + want: nil, }, { - name: "Bundle payload body is not a valid JSON", + name: "selector from signature, empty signature array", + fields: fields{ + allowListEnabled: false, + subjectAllowList: nil, + }, args: args{ - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "ewogICJzcGVjIjosLCB7CiAgICAic2lnbmF0dXJlIjogewogICAgICAiY29udGVudCI6ICJNRVVDSVFDeWVtOEdjcjBzUEZNUDdmVFhhekNONTdOY041K01qeEp3OU9vMHgyZU0rQUlnZGdCUDk2Qk8xVGUvTmRiakhiVWViMEJVeWU2ZGVSZ1Z0UUV2NU5vNXNtQT0iCiAgICB9CiAgfQp9", - }, + signature: nil, + }, + containerID: "000000", + want: nil, + }, + { + name: "selector from signature, single image signature, no payload", + fields: fields{ + allowListEnabled: false, + subjectAllowList: nil, + }, + args: args{ + signature: noPayloadSignature{}, + }, + containerID: "000000", + want: nil, + }, + { + name: "selector from signature, single image signature, no certs", + fields: fields{ + allowListEnabled: false, + subjectAllowList: nil, + }, + args: args{ + signature: &noCertSignature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), }, }, - want: "", - wantErr: true, + containerID: "000000", + want: nil, }, { - name: "Bundle payload body signature content is correct", + name: "selector from signature, single image signature,garbled subject in signature", + fields: fields{ + allowListEnabled: false, + subjectAllowList: nil, + }, args: args{ - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", - LogID: "samplelogID", - IntegratedTime: 12345, - }, + signature: &signature{ + payload: []byte(`{"critical": 
{"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "s\\\\||as\0\0aasdasd/....???/.>wd12<><,,,><{}{pirex@example.com","key2": "value 2","key3": "value 3"}}`), }, }, - want: "MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", - wantErr: false, + containerID: "000000", + want: nil, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := getBundleSignatureContent(tt.args.bundle) - if (err != nil) != tt.wantErr { - t.Errorf("getBundleSignatureContent() error = %v, wantErr %v", err, tt.wantErr) - return - } - if got != tt.want { - t.Errorf("getBundleSignatureContent() = %v, want %v", got, tt.want) + sigstore := &sigstoreImpl{ + allowListEnabled: tt.fields.allowListEnabled, + subjectAllowList: tt.fields.subjectAllowList, + logger: hclog.Default(), } + got := sigstore.SelectorValuesFromSignature(tt.args.signature, tt.containerID) + require.Equal(t, got, tt.want, "sigstoreImpl.SelectorValuesFromSignature() = %v, want %v", got, tt.want) }) } } @@ -1923,28 +1834,22 @@ func (s signature) Bundle() (*bundle.RekorBundle, error) { return s.bundle, nil } -type noPayloadSignature signature - func (noPayloadSignature) Payload() ([]byte, error) { return nil, errors.New("no payload test") } -type noBundleSignature signature - -func (s noBundleSignature) Payload() ([]byte, error) { +func (s nilBundleSignature) Payload() ([]byte, error) { return s.payload, nil } -func (s noBundleSignature) Cert() (*x509.Certificate, error) { +func (s nilBundleSignature) Cert() (*x509.Certificate, error) { return s.cert, nil } -func (s noBundleSignature) Bundle() (*bundle.RekorBundle, error) { +func (s nilBundleSignature) Bundle() (*bundle.RekorBundle, error) { return nil, fmt.Errorf("no bundle test") } -type noCertSignature signature - func (s noCertSignature) Payload() ([]byte, error) { return s.payload, nil } 
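Review bot: The assertion `require.Equal(t, got, tt.want, ...)` passes the actual value in testify's expected slot, so a failure report labels the two values the wrong way round; `require.Equal(t, tt.want, got, ...)` is the usual order. Separately, none of the cases visible in this hunk sets a certificate on the signature, so the email/URI subject derivation that the deleted Test_certSubject covered appears to have no replacement here. That value feeds the allow-list decision, so a positive case with a cert carrying an email or URI SAN would be worth keeping. The table starts before this hunk, so earlier cases may already cover it.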
@@ -1953,15 +1858,6 @@ func (noCertSignature) Cert() (*x509.Certificate, error) { return nil, errors.New("no cert test") } -type verifyFunctionArguments struct { - called bool - context context.Context - ref name.Reference - options *cosign.CheckOpts -} - -type verifyFunctionBinding func(require.TestingT, *verifyFunctionArguments) verifyFunctionType - func createVerifyFunction(returnSignatures []oci.Signature, returnBundleVerified bool, returnError error) verifyFunctionBinding { bindVerifyArgumentsFunction := func(t require.TestingT, verifyArguments *verifyFunctionArguments) verifyFunctionType { newVerifyFunction := func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { @@ -2070,3 +1966,18 @@ type fetchFunctionArguments struct { } type fetchFunctionBinding func(require.TestingT, *fetchFunctionArguments) fetchImageManifestFunctionType + +type verifyFunctionArguments struct { + called bool + context context.Context + ref name.Reference + options *cosign.CheckOpts +} + +type verifyFunctionBinding func(require.TestingT, *verifyFunctionArguments) verifyFunctionType + +type noCertSignature signature + +type nilBundleSignature signature + +type noPayloadSignature signature From 28d9a09592e66d7eb2a1b8a72fa985444ba5896a Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Sun, 25 Sep 2022 22:39:36 -0300 Subject: [PATCH 121/257] Refactor contains usage (#129) * tests: removed typecast usage for sigstoreMock Signed-off-by: Rodrigo Lopes * tests:removed usage of contains on skipped and allowed lists Signed-off-by: Rodrigo Lopes * tests: fixed TestConfigure for skippedImages and AllowedSubjects lists Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../plugin/workloadattestor/k8s/k8s_test.go | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) 
diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index fc67d15e6e..d70fd96d4f 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -703,17 +703,25 @@ func (s *Suite) TestConfigure() { assert.NotNil(t, c.sigstoreConfig) assert.Equal(t, testCase.config.SkippedImages, c.sigstoreConfig.SkippedImages) + skippedImagesMap := make(map[string]bool) for _, sImage := range testCase.config.SkippedImages { - assert.Contains(t, p.sigstore.(*sigstoreMock).skippedImages, sImage) + skippedImagesMap[sImage] = true } + assert.Equal(t, skippedImagesMap, s.sigstoreMock.skippedImages) assert.Equal(t, testCase.config.AllowedSubjectListEnabled, c.sigstoreConfig.AllowedSubjectListEnabled) - assert.Equal(t, testCase.config.AllowedSubjectListEnabled, p.sigstore.(*sigstoreMock).allowedSubjectListEnabled) + assert.Equal(t, testCase.config.AllowedSubjectListEnabled, s.sigstoreMock.allowedSubjectListEnabled) assert.Equal(t, testCase.config.AllowedSubjects, c.sigstoreConfig.AllowedSubjects) - for _, sSubject := range testCase.config.AllowedSubjects { - assert.Contains(t, p.sigstore.(*sigstoreMock).allowedSubjects, sSubject) + var allowedSubjectsMap map[string]bool = nil + if len(testCase.config.AllowedSubjects) > 0 { + allowedSubjectsMap = make(map[string]bool) + for _, subject := range testCase.config.AllowedSubjects { + allowedSubjectsMap[subject] = true + } } + assert.Equal(t, allowedSubjectsMap, s.sigstoreMock.allowedSubjects) + assert.Equal(t, testCase.config.RekorURL, c.sigstoreConfig.RekorURL) } else { assert.Nil(t, c.sigstoreConfig) From 6a7143c95b825c34503deb915a78261a034a0575 Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Mon, 26 Sep 2022 08:53:27 -0300 Subject: [PATCH 122/257] Adding error SelectorsFromSignatures (#136) * draft private functions Signed-off-by: Willian Alves * Refactory getBundle private 
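Review bot: `var allowedSubjectsMap map[string]bool = nil` spells out the zero value; `var allowedSubjectsMap map[string]bool` is equivalent and is the form linters commonly ask for. The two expectations are also built asymmetrically: `skippedImagesMap` is always a non-nil map while `allowedSubjectsMap` stays nil when no subjects are configured. A short comment stating that this mirrors how the mock is populated (presumably it only allocates the allow-list when subjects exist) would keep a later reader from "fixing" one to match the other.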
Signed-off-by: Willian Alves * Refactory getSubject private Signed-off-by: Willian Alves * remove test case repeat Signed-off-by: Willian Alves * refactor: refactored SelectorValuesFromSignature to return errors instead of logging tests: added error checking to SelectorValuesFromSignature testinng Signed-off-by: Rodrigo Lopes Signed-off-by: Willian Alves Signed-off-by: Rodrigo Lopes Co-authored-by: Willian Alves Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../plugin/workloadattestor/k8s/k8s_test.go | 6 +- .../workloadattestor/k8s/sigstore/sigstore.go | 35 ++-- .../k8s/sigstore/sigstore_test.go | 198 +++++++++++++++++- 3 files changed, 215 insertions(+), 24 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index d70fd96d4f..077aa2d417 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -742,11 +742,11 @@ func (s *sigstoreMock) FetchImageSignatures(ctx context.Context, imageName strin return s.sigs, nil } -func (s *sigstoreMock) SelectorValuesFromSignature(signatures oci.Signature, containerID string) *sigstore.SelectorsFromSignatures { +func (s *sigstoreMock) SelectorValuesFromSignature(signatures oci.Signature, containerID string) (*sigstore.SelectorsFromSignatures, error) { if len(s.selectors) != 0 { - return &s.selectors[0] + return &s.selectors[0], nil } - return nil + return nil, s.returnError } func (s *sigstoreMock) ExtractSelectorsFromSignatures(signatures []oci.Signature, containerID string) []sigstore.SelectorsFromSignatures { diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index f6dcb2d888..b44911d74e 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go 
@@ -22,7 +22,6 @@ import ( "github.com/sigstore/cosign/pkg/oci" rekor "github.com/sigstore/rekor/pkg/generated/client" "github.com/sigstore/sigstore/pkg/signature/payload" - "github.com/spiffe/spire/pkg/common/telemetry" corev1 "k8s.io/api/core/v1" ) @@ -34,7 +33,7 @@ const ( type Sigstore interface { AttestContainerSignatures(ctx context.Context, status *corev1.ContainerStatus) ([]string, error) FetchImageSignatures(ctx context.Context, imageName string) ([]oci.Signature, error) - SelectorValuesFromSignature(oci.Signature, string) *SelectorsFromSignatures + SelectorValuesFromSignature(oci.Signature, string) (*SelectorsFromSignatures, error) ExtractSelectorsFromSignatures(signatures []oci.Signature, containerID string) []SelectorsFromSignatures ShouldSkipImage(imageID string) (bool, error) AddSkippedImage(imageID []string) @@ -161,7 +160,10 @@ func (s *sigstoreImpl) ExtractSelectorsFromSignatures(signatures []oci.Signature var selectors []SelectorsFromSignatures for _, sig := range signatures { // verify which subject - sigSelectors := s.SelectorValuesFromSignature(sig, containerID) + sigSelectors, err := s.SelectorValuesFromSignature(sig, containerID) + if err != nil { + s.logger.Error("error extracting selectors from signature", "error", err) + } if sigSelectors != nil { selectors = append(selectors, *sigSelectors) } 
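Review bot: The new error log in ExtractSelectorsFromSignatures drops the container ID that each removed `s.logger.Error(..., telemetry.ContainerID, containerID)` call carried, so a failed or rejected signature can no longer be tied to the workload being attested. Pass it along, e.g. `s.logger.Error("error extracting selectors from signature", "error", err, telemetry.ContainerID, containerID)`, which means keeping the `telemetry` import that this commit removes. An allow-list miss was previously logged at Debug and now reaches this call as an error; if that is a routine outcome in a cluster with mixed signers, a lower level for that case would keep the error log meaningful. A `continue` after the log would make the skip explicit instead of relying on `sigSelectors` being nil.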
@@ -171,22 +173,19 @@ func (s *sigstoreImpl) ExtractSelectorsFromSignatures(signatures []oci.Signature // SelectorValuesFromSignature extracts selectors from a signature. // returns a list of selectors. -func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, containerID string) *SelectorsFromSignatures { +func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, containerID string) (*SelectorsFromSignatures, error) { subject, err := getSignatureSubject(signature) if err != nil { - s.logger.Error("Error getting signature subject", "error", err, telemetry.ContainerID, containerID) - return nil + return nil, fmt.Errorf("error getting signature subject: %w", err) } if subject == "" { - s.logger.Error("Error getting signature subject", "error", errors.New("empty subject"), telemetry.ContainerID, containerID) - return nil + return nil, fmt.Errorf("error getting signature subject: %w", errors.New("empty subject")) } if s.allowListEnabled { if _, ok := s.subjectAllowList[subject]; !ok { - s.logger.Debug("Subject not in allow-list", "subject", subject, telemetry.ContainerID, containerID) - return nil + return nil, fmt.Errorf("subject %q not in allow-list", subject) } } 
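Review bot: The empty-subject path in SelectorValuesFromSignature builds its cause inline, `fmt.Errorf("error getting signature subject: %w", errors.New("empty subject"))`, so `%w` wraps a value that no caller can match with `errors.Is`; the next hunk does the same for the empty log ID and the zero integrated time. Either write the message directly, `errors.New("error getting signature subject: empty subject")`, or declare package-level sentinel errors so a caller can tell a policy rejection (subject not in allow-list) from a malformed signature. The doc comment above the function still says "returns a list of selectors" and should describe the `(*SelectorsFromSignatures, error)` result. `containerID` appears to be unused in the lines shown; the function body continues past this hunk.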
@@ -194,28 +193,24 @@ func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, cont bundle, err := signature.Bundle() if err != nil { - s.logger.Error("Error getting signature bundle", "error", err, telemetry.ContainerID, containerID) - return nil + return nil, fmt.Errorf("error getting signature bundle: %w", err) } sigContent, err := getBundleSignatureContent(bundle) if err != nil { - s.logger.Error("Error getting signature content", "error", err, telemetry.ContainerID, containerID) - return nil + return nil, fmt.Errorf("error getting signature content: %w", err) } selectorsFromSignatures.Content = sigContent if bundle.Payload.LogID == "" { - s.logger.Error("Error getting signature log ID", "error", errors.New("empty log ID"), telemetry.ContainerID, containerID) - return nil + return nil, fmt.Errorf("error getting signature log ID: %w", errors.New("empty log ID")) } selectorsFromSignatures.LogID = bundle.Payload.LogID if bundle.Payload.IntegratedTime == 0 { - s.logger.Error("Error getting signature integrated time", "error", errors.New("integrated time is 0"), telemetry.ContainerID, containerID) - return nil + return nil, fmt.Errorf("error getting signature integrated time: %w", errors.New("integrated time is 0")) } selectorsFromSignatures.IntegratedTime = strconv.FormatInt(bundle.Payload.IntegratedTime, 10) - return selectorsFromSignatures + return selectorsFromSignatures, nil } // ShouldSkipImage checks the skip list for the image ID in the container status. @@ -381,7 +376,7 @@ func getBundleSignatureContent(bundle *bundle.RekorBundle) (string, error) { } body64, ok := bundle.Payload.Body.(string) if !ok { - returnedType := fmt.Sprintf("Expected payload body to be a string but got %T instead", body64) + returnedType := fmt.Sprintf("expected payload body to be a string but got %T instead", bundle.Payload.Body) return "", errors.New(returnedType) } body, err := base64.StdEncoding.DecodeString(body64) 
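Review bot: In getBundleSignatureContent the message is still formatted with `fmt.Sprintf` into a variable named `returnedType` and then passed to `errors.New`. A single `return "", fmt.Errorf("expected payload body to be a string but got %T instead", bundle.Payload.Body)` does the same and removes the misleading variable name. The function starts and ends outside this hunk.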
diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 10e6c4c810..ea793f4e99 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -1226,6 +1226,8 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { args args containerID string want *SelectorsFromSignatures + wantErr bool + wantedErr error }{ { name: "selector from signature", @@ -1252,6 +1254,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { LogID: "samplelogID", IntegratedTime: "12345", }, + wantErr: false, }, { name: "selector from signature, empty subject", @@ -1273,6 +1276,8 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, containerID: "111111", want: nil, + wantErr: true, + wantedErr: fmt.Errorf("error getting signature subject: empty subject"), }, { name: "selector from signature, not in allowlist", @@ -1289,6 +1294,8 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, containerID: "222222", want: nil, + wantErr: true, + wantedErr: fmt.Errorf("subject %q not in allow-list", "spirex1@example.com"), }, { name: "selector from signature, allowedlist enabled, in allowlist", @@ -1317,6 +1324,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { LogID: "samplelogID", IntegratedTime: "12345", }, + wantErr: false, }, { name: "selector from signature, allowedlist enabled, in allowlist, empty content", @@ -1340,6 +1348,8 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, containerID: "444444", want: nil, + wantErr: true, + wantedErr: fmt.Errorf("error getting signature content: bundle payload body has no signature content"), }, { name: "selector from signature, nil bundle", 
@@ -1354,6 +1364,183 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, containerID: "555555", want: nil, + wantErr: true, + wantedErr: fmt.Errorf("error getting signature bundle: no bundle test"), + }, + { + name: "selector from signature, bundle payload body is not a string", + fields: fields{ + allowListEnabled: false, + subjectAllowList: nil, + }, + args: args{ + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: 42, + LogID: "samplelogID", + IntegratedTime: 12345, + }, + }, + }, + }, + containerID: "000000", + want: nil, + wantErr: true, + wantedErr: fmt.Errorf("error getting signature content: expected payload body to be a string but got int instead"), + }, + { + name: "selector from signature, bundle payload body is not valid base64", + fields: fields{ + allowListEnabled: false, + subjectAllowList: nil, + }, + args: args{ + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "abc..........def", + LogID: "samplelogID", + IntegratedTime: 12345, + }, + }, + }, + }, + containerID: "000000", + want: nil, + wantErr: true, + wantedErr: fmt.Errorf("error getting signature content: illegal base64 data at input byte 3"), + }, + { + name: "selector from signature, bundle payload body has no signature content", + fields: fields{ + allowListEnabled: false, + 
subjectAllowList: nil, + }, + args: args{ + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICAgInNwZWMiOiB7CiAgICAgICJzaWduYXR1cmUiOiB7CiAgICAgIH0KICAgIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, + }, + }, + }, + }, + containerID: "000000", + want: nil, + wantErr: true, + wantedErr: fmt.Errorf("error getting signature content: bundle payload body has no signature content"), + }, + { + name: "selector from signature, bundle payload body signature content is empty", + fields: fields{ + allowListEnabled: false, + subjectAllowList: nil, + }, + args: args{ + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICAgInNwZWMiOiB7CiAgICAgICAgInNpZ25hdHVyZSI6IHsKICAgICAgICAiY29udGVudCI6ICIiCiAgICAgICAgfQogICAgfQp9", + LogID: "samplelogID", + IntegratedTime: 12345, + }, + }, + }, + }, + containerID: "000000", + want: nil, + wantErr: true, + wantedErr: fmt.Errorf("error getting signature content: bundle payload body has no signature content"), + }, + { + name: "selector from signature, bundle payload body is not a valid JSON", + fields: fields{ + allowListEnabled: false, + subjectAllowList: nil, + }, + args: args{ + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": 
{"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjosLCB7CiAgICAic2lnbmF0dXJlIjogewogICAgICAiY29udGVudCI6ICJNRVVDSVFDeWVtOEdjcjBzUEZNUDdmVFhhekNONTdOY041K01qeEp3OU9vMHgyZU0rQUlnZGdCUDk2Qk8xVGUvTmRiakhiVWViMEJVeWU2ZGVSZ1Z0UUV2NU5vNXNtQT0iCiAgICB9CiAgfQp9", + LogID: "samplelogID", + IntegratedTime: 12345, + }, + }, + }, + }, + containerID: "000000", + want: nil, + wantErr: true, + wantedErr: fmt.Errorf("error getting signature content: failed to parse bundle body: invalid character ',' looking for beginning of value"), + }, + { + name: "selector from signature, empty signature array", + fields: fields{ + allowListEnabled: false, + subjectAllowList: nil, + }, + args: args{ + signature: nil, + }, + containerID: "000000", + want: nil, + wantErr: true, + wantedErr: fmt.Errorf("error getting signature subject: signature is nil"), + }, + { + name: "selector from signature, single image signature, no payload", + fields: fields{ + allowListEnabled: false, + subjectAllowList: nil, + }, + args: args{ + signature: noPayloadSignature{}, + }, + containerID: "000000", + want: nil, + wantErr: true, + wantedErr: fmt.Errorf("error getting signature subject: no payload test"), + }, + { + name: "selector from signature, single image signature, no certs", + fields: fields{ + allowListEnabled: false, + subjectAllowList: nil, + }, + args: args{ + signature: &noCertSignature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + }, + containerID: "000000", + want: nil, + wantErr: true, + wantedErr: fmt.Errorf("error getting signature subject: failed 
to access signature certificate: no cert test"), + }, + { + name: "selector from signature, single image signature,garbled subject in signature", + fields: fields{ + allowListEnabled: false, + subjectAllowList: nil, + }, + args: args{ + signature: &signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "s\\\\||as\0\0aasdasd/....???/.>wd12<><,,,><{}{pirex@example.com","key2": "value 2","key3": "value 3"}}`), + }, + }, + containerID: "000000", + want: nil, + wantErr: true, + wantedErr: fmt.Errorf("error getting signature subject: invalid character '0' in string escape code"), }, { name: "selector from signature, bundle payload body is not a string", @@ -1513,6 +1700,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { want: nil, }, } + for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { sigstore := &sigstoreImpl{ @@ -1520,7 +1708,15 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { subjectAllowList: tt.fields.subjectAllowList, logger: hclog.Default(), } - got := sigstore.SelectorValuesFromSignature(tt.args.signature, tt.containerID) + got, err := sigstore.SelectorValuesFromSignature(tt.args.signature, tt.containerID) + if err != nil { + if !tt.wantErr { + t.Errorf("sigstoreImpl.SelectorValuesFromSignature() has error, wantErr %v", tt.wantErr) + } + require.EqualError(t, err, tt.wantedErr.Error(), "sigstoreImpl.SelectorValuesFromSignature() error = %v, wantedErr = %v", err, tt.wantedErr) + } else if tt.wantErr { + t.Errorf("sigstoreImpl.SelectorValuesFromSignature() no error, wantErr = %v, wantedErr %v", tt.wantErr, tt.wantedErr) + } require.Equal(t, got, tt.want, "sigstoreImpl.SelectorValuesFromSignature() = %v, want %v", got, tt.want) }) } From 65fd90bb190bb8bb0e011f1cf229ea3eae73f9b9 Mon Sep 17 00:00:00 2001 
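Review bot: In the test loop of TestSigstoreimpl_SelectorValuesFromSignature, a case with `wantErr: false` that unexpectedly gets an error reports it with `t.Errorf` and then evaluates `tt.wantedErr.Error()` on a nil `wantedErr`, which panics instead of failing cleanly. Selecting the assertion on `tt.wantErr` avoids that and also covers the "no error but one was wanted" branch, as sketched below. The `wantedErr` values that contain no format verbs can be `errors.New(...)` rather than `fmt.Errorf(...)`.

```go
got, err := sigstore.SelectorValuesFromSignature(tt.args.signature, tt.containerID)
if tt.wantErr {
	require.EqualError(t, err, tt.wantedErr.Error())
} else {
	require.NoError(t, err)
}
// … unchanged: require.Equal on got and tt.want …
```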
From: Guazzelli Date: Mon, 26 Sep 2022 21:58:25 -0300 Subject: [PATCH 123/257] test: add hashed manifest test case (#137) * test: add hashed manifest test case Signed-off-by: joaoguazzelli * fix: fixed lint error Signed-off-by: joaoguazzelli * fix: removed duplicated test cases Signed-off-by: joaoguazzelli Signed-off-by: joaoguazzelli Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../k8s/sigstore/sigstore_test.go | 177 ++---------------- 1 file changed, 20 insertions(+), 157 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index ea793f4e99..0410dd2f3d 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -992,6 +992,26 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { wantErr: true, wantedErr: errors.New("manifest is empty"), }, + { + name: "validate hash manifest", + fields: fields{ + verifyFunction: createNilVerifyFunction(), + fetchImageManifestFunction: createFetchFunction(&remote.Descriptor{ + Manifest: []byte("f0c62edf734ff52ee830c9eeef2ceefad94f7f089706d170f8d9dc64befb57cc"), + }, nil), + }, + args: args{ + ref: name.MustParseReference("example.com/sampleimage@sha256:f037cc8ec4cd38f95478773741fdecd48d721a527d19013031692edbf95fae69"), + }, + wantedFetchArguments: fetchFunctionArguments{ + called: true, + ref: name.MustParseReference("example.com/sampleimage@sha256:f037cc8ec4cd38f95478773741fdecd48d721a527d19013031692edbf95fae69"), + options: nil, + }, + wantedVerifyArguments: verifyFunctionArguments{}, + want: true, + wantErr: false, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { 
@@ -1542,163 +1562,6 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { wantErr: true, wantedErr: fmt.Errorf("error getting signature subject: invalid character '0' in string escape code"), }, - { - name: "selector from signature, bundle payload body is not a string", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, - args: args{ - signature: signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: 42, - LogID: "samplelogID", - IntegratedTime: 12345, - }, - }, - }, - }, - containerID: "000000", - want: nil, - }, - { - name: "selector from signature, bundle payload body is not valid base64", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, - args: args{ - signature: signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "abc..........def", - LogID: "samplelogID", - IntegratedTime: 12345, - }, - }, - }, - }, - containerID: "000000", - want: nil, - }, - { - name: "selector from signature, bundle payload body has no signature content", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, - args: args{ - signature: signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": 
"02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "ewogICAgInNwZWMiOiB7CiAgICAgICJzaWduYXR1cmUiOiB7CiAgICAgIH0KICAgIH0KfQ==", - LogID: "samplelogID", - IntegratedTime: 12345, - }, - }, - }, - }, - containerID: "000000", - want: nil, - }, - { - name: "selector from signature, bundle payload body signature content is empty", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, - args: args{ - signature: signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "ewogICAgInNwZWMiOiB7CiAgICAgICAgInNpZ25hdHVyZSI6IHsKICAgICAgICAiY29udGVudCI6ICIiCiAgICAgICAgfQogICAgfQp9", - LogID: "samplelogID", - IntegratedTime: 12345, - }, - }, - }, - }, - containerID: "000000", - want: nil, - }, - { - name: "selector from signature, bundle payload body is not a valid JSON", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, - args: args{ - signature: signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: 
"ewogICJzcGVjIjosLCB7CiAgICAic2lnbmF0dXJlIjogewogICAgICAiY29udGVudCI6ICJNRVVDSVFDeWVtOEdjcjBzUEZNUDdmVFhhekNONTdOY041K01qeEp3OU9vMHgyZU0rQUlnZGdCUDk2Qk8xVGUvTmRiakhiVWViMEJVeWU2ZGVSZ1Z0UUV2NU5vNXNtQT0iCiAgICB9CiAgfQp9", - LogID: "samplelogID", - IntegratedTime: 12345, - }, - }, - }, - }, - containerID: "000000", - want: nil, - }, - { - name: "selector from signature, empty signature array", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, - args: args{ - signature: nil, - }, - containerID: "000000", - want: nil, - }, - { - name: "selector from signature, single image signature, no payload", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, - args: args{ - signature: noPayloadSignature{}, - }, - containerID: "000000", - want: nil, - }, - { - name: "selector from signature, single image signature, no certs", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, - args: args{ - signature: &noCertSignature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - }, - }, - containerID: "000000", - want: nil, - }, - { - name: "selector from signature, single image signature,garbled subject in signature", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, - args: args{ - signature: &signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "s\\\\||as\0\0aasdasd/....???/.>wd12<><,,,><{}{pirex@example.com","key2": "value 2","key3": "value 3"}}`), - }, - }, - containerID: "000000", - want: nil, - }, } for _, tt := range tests { From 7322b8c24b8a78304c097e69c9500f66a447552c Mon Sep 17 00:00:00 2001 
From: Willian Alves Date: Wed, 28 Sep 2022 14:02:17 -0300 Subject: [PATCH 124/257] fix: fixed lint errors Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index 077aa2d417..b755a2fc73 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -713,7 +713,7 @@ func (s *Suite) TestConfigure() { assert.Equal(t, testCase.config.AllowedSubjectListEnabled, s.sigstoreMock.allowedSubjectListEnabled) assert.Equal(t, testCase.config.AllowedSubjects, c.sigstoreConfig.AllowedSubjects) - var allowedSubjectsMap map[string]bool = nil + var allowedSubjectsMap map[string]bool if len(testCase.config.AllowedSubjects) > 0 { allowedSubjectsMap = make(map[string]bool) for _, subject := range testCase.config.AllowedSubjects { From d7a6c759fd91781f1c31eb5c52095bf31e387a59 Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Wed, 28 Sep 2022 23:57:54 -0300 Subject: [PATCH 125/257] cosign v1.9.0 for v1.12.1 Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- doc/plugin_agent_nodeattestor_k8s_sat.md | 4 - go.mod | 178 +-- go.sum | 1101 ++++------------- pkg/agent/plugin/workloadattestor/k8s/k8s.go | 89 +- .../plugin/workloadattestor/k8s/k8s_posix.go | 4 - .../plugin/workloadattestor/k8s/k8s_test.go | 85 +- .../workloadattestor/k8s/sigstore/sigstore.go | 14 +- 7 files changed, 403 insertions(+), 1072 deletions(-) diff --git a/doc/plugin_agent_nodeattestor_k8s_sat.md b/doc/plugin_agent_nodeattestor_k8s_sat.md index 74ee2b4d32..a8083222c8 100644 --- a/doc/plugin_agent_nodeattestor_k8s_sat.md +++ b/doc/plugin_agent_nodeattestor_k8s_sat.md 
@@ -21,11 +21,7 @@ The main configuration accepts the following values: | `cluster` | Name of the cluster. It must correspond to a cluster configured in the server plugin. | | `token_path` | Path to the service account token on disk | "/var/run/secrets/kubernetes.io/serviceaccount/token" | -<<<<<<< HEAD -The token path defaults to the default location Kubernetes uses to place the token and should not need to be overridden in most cases. -======= The token path defaults to the default location kubernetes uses to place the token and should not need to be overriden in most cases. ->>>>>>> Added Sigstore workload attestor for SPIRE A sample configuration with the default token path: diff --git a/go.mod b/go.mod index 99e65ed32c..55ef981e16 100644 --- a/go.mod +++ b/go.mod @@ -16,13 +16,13 @@ require ( github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 github.com/armon/go-metrics v0.4.1 github.com/aws/aws-sdk-go-v2 v1.17.1 - github.com/aws/aws-sdk-go-v2/config v1.17.4 - github.com/aws/aws-sdk-go-v2/credentials v1.12.17 - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14 + github.com/aws/aws-sdk-go-v2/config v1.17.7 + github.com/aws/aws-sdk-go-v2/credentials v1.12.20 + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.17 github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.0 github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 - github.com/aws/aws-sdk-go-v2/service/kms v1.18.8 + github.com/aws/aws-sdk-go-v2/service/kms v1.18.10 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 github.com/aws/aws-sdk-go-v2/service/sts v1.17.0 github.com/blang/semver/v4 v4.0.0 
@@ -35,7 +35,7 @@ require ( github.com/golang/mock v1.6.0 github.com/golang/protobuf v1.5.2 github.com/google/go-cmp v0.5.9 - github.com/google/go-containerregistry v0.8.1-0.20220209165246-a44adc326839 + github.com/google/go-containerregistry v0.11.0 github.com/google/go-tpm v0.3.3 github.com/google/go-tpm-tools v0.3.9 github.com/googleapis/gax-go/v2 v2.6.0 @@ -54,20 +54,20 @@ require ( github.com/open-policy-agent/opa v0.45.0 github.com/prometheus/client_golang v1.13.0 github.com/shirou/gopsutil/v3 v3.22.9 - github.com/sigstore/cosign v1.9.0 - github.com/sigstore/rekor v0.4.1-0.20220114213500-23f583409af3 - github.com/sigstore/sigstore v1.2.1-0.20220424143412-3d41663116d5 + github.com/sigstore/cosign v1.12.1 + github.com/sigstore/rekor v0.12.1-0.20220915152154-4bb6f441c1b2 + github.com/sigstore/sigstore v1.4.2 github.com/sirupsen/logrus v1.9.0 - github.com/spiffe/go-spiffe/v2 v2.1.0 + github.com/spiffe/go-spiffe/v2 v2.1.1 github.com/spiffe/spire-api-sdk v1.2.5-0.20220608195902-84fd618158c9 github.com/spiffe/spire-plugin-sdk v1.4.1-0.20220912221658-c42ab2d657f6 github.com/stretchr/testify v1.8.1 github.com/uber-go/tally/v4 v4.1.3 github.com/zeebo/errs v1.3.0 - golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa + golang.org/x/crypto v0.0.0-20220919173607-35f4265a4bc0 golang.org/x/net v0.0.0-20221014081412-f15817d10f9b golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0 - golang.org/x/sys v0.0.0-20220907062415-87db552b00fd + golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8 golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 google.golang.org/api v0.100.0 google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a 
@@ -87,10 +87,11 @@ require ( cloud.google.com/go v0.104.0 // indirect cloud.google.com/go/compute v1.10.0 // indirect cloud.google.com/go/iam v0.3.0 // indirect - github.com/Azure/azure-sdk-for-go v63.3.0+incompatible // indirect + github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect + github.com/Azure/azure-sdk-for-go v66.0.0+incompatible // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect - github.com/Azure/go-autorest/autorest v0.11.27 // indirect + github.com/Azure/go-autorest/autorest v0.11.28 // indirect github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect 
@@ -103,35 +104,45 @@ require ( github.com/Masterminds/semver/v3 v3.1.1 // indirect github.com/Masterminds/sprig/v3 v3.2.2 // indirect github.com/OneOfOne/xxhash v1.2.8 // indirect - github.com/PaesslerAG/gval v1.0.0 // indirect - github.com/PaesslerAG/jsonpath v0.1.1 // indirect - github.com/PuerkitoBio/purell v1.1.1 // indirect - github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect github.com/ThalesIgnite/crypto11 v1.2.5 // indirect + github.com/agnivade/levenshtein v1.1.1 // indirect + github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect + github.com/alibabacloud-go/cr-20160607 v1.0.1 // indirect + github.com/alibabacloud-go/cr-20181201 v1.0.10 // indirect + github.com/alibabacloud-go/darabonba-openapi v0.1.18 // indirect + github.com/alibabacloud-go/debug v0.0.0-20190504072949-9472017b5c68 // indirect + github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect + github.com/alibabacloud-go/openapi-util v0.0.11 // indirect + github.com/alibabacloud-go/tea v1.1.18 // indirect + github.com/alibabacloud-go/tea-utils v1.4.4 // indirect + github.com/alibabacloud-go/tea-xml v1.1.2 // indirect + github.com/aliyun/credentials-go v1.2.3 // indirect github.com/armon/go-radix v1.0.0 // indirect github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.3.24 // indirect github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0 // indirect github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.12.0 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.18 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.11.20 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.2 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.11.23 // 
indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.5 // indirect github.com/aws/smithy-go v1.13.4 // indirect github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220228164355-396b2034c795 // indirect github.com/benbjohnson/clock v1.1.0 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/bgentry/speakeasy v0.1.0 // indirect github.com/blang/semver v3.5.1+incompatible // indirect + github.com/cenkalti/backoff/v4 v4.1.3 // indirect github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect github.com/cespare/xxhash/v2 v2.1.2 // indirect github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21 // indirect + github.com/clbanning/mxj/v2 v2.5.6 // indirect github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe // indirect github.com/cncf/xds/go v0.0.0-20220520190051-1e77728a1eaa // indirect github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect - github.com/containerd/stargz-snapshotter/estargz v0.10.1 // indirect - github.com/coreos/go-oidc/v3 v3.1.0 // indirect + github.com/containerd/stargz-snapshotter/estargz v0.12.0 // indirect + github.com/coreos/go-oidc/v3 v3.4.0 // indirect github.com/coreos/go-semver v0.3.0 // indirect github.com/coreos/go-systemd/v22 v22.3.2 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect @@ -139,7 +150,7 @@ require ( github.com/davecgh/go-spew v1.1.1 // indirect github.com/dimchansky/utfbom v1.1.1 // indirect github.com/docker/cli v20.10.17+incompatible // indirect - github.com/docker/distribution v2.8.0+incompatible // indirect + github.com/docker/distribution v2.8.1+incompatible // indirect github.com/docker/docker-credential-helpers v0.6.4 // indirect github.com/docker/go-connections v0.4.0 // indirect github.com/docker/go-units v0.4.0 // indirect 
@@ -150,47 +161,47 @@ require (
 github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 github.com/fatih/color v1.13.0 // indirect
 github.com/felixge/httpsnoop v1.0.2 // indirect
- github.com/form3tech-oss/jwt-go v3.2.5+incompatible // indirect
 github.com/fsnotify/fsnotify v1.5.4 // indirect
- github.com/fullstorydev/grpcurl v1.8.6 // indirect
+ github.com/fullstorydev/grpcurl v1.8.7 // indirect
 github.com/ghodss/yaml v1.0.0 // indirect
 github.com/go-chi/chi v4.1.2+incompatible // indirect
+ github.com/go-logr/stdr v1.2.2 // indirect
 github.com/go-logr/zapr v1.2.3 // indirect
 github.com/go-ole/go-ole v1.2.6 // indirect
- github.com/go-openapi/analysis v0.21.2 // indirect
- github.com/go-openapi/errors v0.20.2 // indirect
+ github.com/go-openapi/analysis v0.21.4 // indirect
+ github.com/go-openapi/errors v0.20.3 // indirect
 github.com/go-openapi/jsonpointer v0.19.5 // indirect
- github.com/go-openapi/jsonreference v0.19.6 // indirect
- github.com/go-openapi/loads v0.21.1 // indirect
+ github.com/go-openapi/jsonreference v0.20.0 // indirect
+ github.com/go-openapi/loads v0.21.2 // indirect
 github.com/go-openapi/runtime v0.24.1 // indirect
- github.com/go-openapi/spec v0.20.4 // indirect
- github.com/go-openapi/strfmt v0.21.2 // indirect
- github.com/go-openapi/swag v0.21.1 // indirect
- github.com/go-openapi/validate v0.21.0 // indirect
+ github.com/go-openapi/spec v0.20.7 // indirect
+ github.com/go-openapi/strfmt v0.21.3 // indirect
+ github.com/go-openapi/swag v0.22.3 // indirect
+ github.com/go-openapi/validate v0.22.0 // indirect
 github.com/go-playground/locales v0.14.0 // indirect
 github.com/go-playground/universal-translator v0.18.0 // indirect
- github.com/go-playground/validator/v10 v10.10.0 // indirect
- github.com/go-stack/stack v1.8.1 // indirect
+ github.com/go-playground/validator/v10 v10.11.0 // indirect
 github.com/gobwas/glob v0.2.3 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
- github.com/golang-jwt/jwt v3.2.1+incompatible // indirect
- github.com/golang-jwt/jwt/v4 v4.3.0 // indirect
+ github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
+ github.com/golang-jwt/jwt/v4 v4.4.2 // indirect
 github.com/golang/glog v1.0.0 // indirect
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 github.com/golang/snappy v0.0.4 // indirect
 github.com/google/btree v1.1.2 // indirect
- github.com/google/certificate-transparency-go v1.1.2 // indirect
+ github.com/google/certificate-transparency-go v1.1.3 // indirect
 github.com/google/gnostic v0.5.7-v3refs // indirect
- github.com/google/go-github/v42 v42.0.0 // indirect
+ github.com/google/go-github/v45 v45.2.0 // indirect
 github.com/google/go-querystring v1.1.0 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
- github.com/google/trillian v1.4.1 // indirect
+ github.com/google/trillian v1.5.0 // indirect
 github.com/google/uuid v1.3.0 // indirect
 github.com/googleapis/enterprise-certificate-proxy v0.2.0 // indirect
 github.com/gorilla/websocket v1.4.2 // indirect
 github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
+ github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.2 // indirect
 github.com/hashicorp/errwrap v1.1.0 // indirect
 github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
@@ -198,27 +209,27 @@ require (
 github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
 github.com/hashicorp/go-rootcerts v1.0.2 // indirect
 github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 // indirect
- github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect
+ github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 // indirect
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
 github.com/hashicorp/go-sockaddr v1.0.2 // indirect
 github.com/hashicorp/go-uuid v1.0.3 // indirect
- github.com/hashicorp/go-version v1.5.0 // indirect
+ github.com/hashicorp/go-version v1.6.0 // indirect
 github.com/hashicorp/golang-lru v0.5.4 // indirect
- github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 // indirect
+ github.com/hashicorp/yamux v0.1.0 // indirect
 github.com/huandu/xstrings v1.3.2 // indirect
- github.com/in-toto/in-toto-golang v0.3.4-0.20211211042327-af1f9fb822bf // indirect
+ github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add // indirect
 github.com/inconshreveable/mousetrap v1.0.0 // indirect
- github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431 // indirect
- github.com/jhump/protoreflect v1.10.3 // indirect
+ github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect
+ github.com/jhump/protoreflect v1.12.0 // indirect
 github.com/jinzhu/inflection v1.0.0 // indirect
 github.com/jmespath/go-jmespath v0.4.0 // indirect
 github.com/jonboulle/clockwork v0.3.0 // indirect
 github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
- github.com/klauspost/compress v1.14.2 // indirect
+ github.com/klauspost/compress v1.15.8 // indirect
 github.com/kylelemons/godebug v1.1.0 // indirect
 github.com/leodido/go-urn v1.2.1 // indirect
- github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e // indirect
+ github.com/letsencrypt/boulder v0.0.0-20220723181115-27de4befb95e // indirect
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 github.com/magiconair/properties v1.8.6 // indirect
 github.com/mailru/easyjson v0.7.7 // indirect
@@ -234,6 +245,7 @@ require (
 github.com/mitchellh/reflectwalk v1.0.2 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
+ github.com/mozillazg/docker-credential-acr-helper v0.3.0 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/oklog/run v1.1.0 // indirect
 github.com/oklog/ulid v1.3.1 // indirect
@@ -242,7 +254,7 @@ require (
 github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect
 github.com/opentracing/opentracing-go v1.2.0 // indirect
 github.com/pelletier/go-toml v1.9.5 // indirect
- github.com/pelletier/go-toml/v2 v2.0.1 // indirect
+ github.com/pelletier/go-toml/v2 v2.0.5 // indirect
 github.com/pierrec/lz4 v2.6.1+incompatible // indirect
 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
 github.com/pkg/errors v0.9.1 // indirect
@@ -261,7 +273,7 @@ require (
 github.com/segmentio/ksuid v1.0.4 // indirect
 github.com/shibumi/go-pathspec v1.3.0 // indirect
 github.com/shopspring/decimal v1.2.0 // indirect
- github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7 // indirect
+ github.com/sigstore/fulcio v0.5.3 // indirect
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 github.com/soheilhy/cmux v0.1.5 // indirect
 github.com/spf13/afero v1.8.2 // indirect
@@ -269,13 +281,15 @@ require (
 github.com/spf13/cobra v1.5.0 // indirect
 github.com/spf13/jwalterweatherman v1.1.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
- github.com/spf13/viper v1.12.0 // indirect
- github.com/subosito/gotenv v1.3.0 // indirect
- github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 // indirect
+ github.com/spf13/viper v1.13.0 // indirect
+ github.com/subosito/gotenv v1.4.1 // indirect
+ github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
+ github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect
 github.com/thales-e-security/pool v0.0.2 // indirect
- github.com/theupdateframework/go-tuf v0.3.0 // indirect
+ github.com/theupdateframework/go-tuf v0.5.1-0.20220920170306-f237d7ca5b42 // indirect
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
+ github.com/tjfoc/gmsm v1.3.2 // indirect
 github.com/tklauser/go-sysconf v0.3.10 // indirect
 github.com/tklauser/numcpus v0.4.0 // indirect
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 // indirect
@@ -283,50 +297,49 @@ require (
 github.com/twmb/murmur3 v1.1.6 // indirect
 github.com/urfave/cli v1.22.9 // indirect
 github.com/vbatts/tar-split v0.11.2 // indirect
- github.com/xanzy/go-gitlab v0.68.0 // indirect
+ github.com/xanzy/go-gitlab v0.73.1 // indirect
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect
 github.com/yashtewari/glob-intersection v0.1.0 // indirect
 github.com/yusufpapurcu/wmi v1.2.2 // indirect
 go.etcd.io/bbolt v1.3.6 // indirect
- go.etcd.io/etcd/api/v3 v3.5.4 // indirect
- go.etcd.io/etcd/client/pkg/v3 v3.5.4 // indirect
- go.etcd.io/etcd/client/v2 v2.305.4 // indirect
- go.etcd.io/etcd/client/v3 v3.5.4 // indirect
- go.etcd.io/etcd/etcdctl/v3 v3.5.4 // indirect
- go.etcd.io/etcd/etcdutl/v3 v3.5.4 // indirect
- go.etcd.io/etcd/pkg/v3 v3.5.4 // indirect
- go.etcd.io/etcd/raft/v3 v3.5.4 // indirect
- go.etcd.io/etcd/server/v3 v3.5.4 // indirect
- go.etcd.io/etcd/tests/v3 v3.5.4 // indirect
- go.etcd.io/etcd/v3 v3.5.4 // indirect
- go.mongodb.org/mongo-driver v1.8.3 // indirect
+ go.etcd.io/etcd/api/v3 v3.6.0-alpha.0 // indirect
+ go.etcd.io/etcd/client/pkg/v3 v3.6.0-alpha.0 // indirect
+ go.etcd.io/etcd/client/v2 v2.306.0-alpha.0 // indirect
+ go.etcd.io/etcd/client/v3 v3.6.0-alpha.0 // indirect
+ go.etcd.io/etcd/etcdctl/v3 v3.6.0-alpha.0 // indirect
+ go.etcd.io/etcd/etcdutl/v3 v3.6.0-alpha.0 // indirect
+ go.etcd.io/etcd/pkg/v3 v3.6.0-alpha.0 // indirect
+ go.etcd.io/etcd/raft/v3 v3.6.0-alpha.0 // indirect
+ go.etcd.io/etcd/server/v3 v3.6.0-alpha.0 // indirect
+ go.etcd.io/etcd/tests/v3 v3.6.0-alpha.0 // indirect
+ go.etcd.io/etcd/v3 v3.6.0-alpha.0 // indirect
+ go.mongodb.org/mongo-driver v1.10.0 // indirect
 go.opencensus.io v0.23.0 // indirect
- go.opentelemetry.io/contrib v1.6.0 // indirect
- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0 // indirect
- go.opentelemetry.io/otel v0.20.0 // indirect
- go.opentelemetry.io/otel/exporters/otlp v0.20.0 // indirect
- go.opentelemetry.io/otel/metric v0.20.0 // indirect
- go.opentelemetry.io/otel/sdk v0.20.0 // indirect
- go.opentelemetry.io/otel/sdk/export/metric v0.20.0 // indirect
- go.opentelemetry.io/otel/sdk/metric v0.20.0 // indirect
- go.opentelemetry.io/otel/trace v0.20.0 // indirect
- go.opentelemetry.io/proto/otlp v0.12.0 // indirect
+ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.28.0 // indirect
+ go.opentelemetry.io/otel v1.7.0 // indirect
+ go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.7.0 // indirect
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.7.0 // indirect
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.7.0 // indirect
+ go.opentelemetry.io/otel/sdk v1.7.0 // indirect
+ go.opentelemetry.io/otel/trace v1.7.0 // indirect
+ go.opentelemetry.io/proto/otlp v0.16.0 // indirect
 go.uber.org/atomic v1.10.0 // indirect
 go.uber.org/multierr v1.8.0 // indirect
 go.uber.org/zap v1.23.0 // indirect
+ golang.org/x/exp v0.0.0-20220823124025-807a23277127 // indirect
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
 golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 // indirect
- golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
- golang.org/x/text v0.3.7 // indirect
+ golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 // indirect
+ golang.org/x/text v0.3.8-0.20211004125949-5bd84dd9b33b // indirect
 golang.org/x/tools v0.1.12 // indirect
 golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 google.golang.org/appengine v1.6.7 // indirect
 gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
- gopkg.in/ini.v1 v1.66.4 // indirect
+ gopkg.in/ini.v1 v1.67.0 // indirect
 gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
@@ -334,11 +347,8 @@ require (
 k8s.io/component-base v0.25.2 // indirect
 k8s.io/klog/v2 v2.70.1 // indirect
 k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
- knative.dev/pkg v0.0.0-20220325200448-1f7514acd0c2 // indirect
 sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
- sigs.k8s.io/release-utils v0.6.0 // indirect
+ sigs.k8s.io/release-utils v0.7.3 // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 sigs.k8s.io/yaml v1.3.0 // indirect
 )
-
-replace github.com/open-policy-agent/opa => github.com/open-policy-agent/opa v0.35.0
diff --git a/go.sum b/go.sum
index bb0c8c936d..1e9bc89473 100644
--- a/go.sum
+++ b/go.sum
@@ -1,10 +1,8 @@ 4d63.com/gochecknoglobals v0.1.0/go.mod h1:wfdC5ZjKSPr7CybKEcgJhUOgeAQW1+7WcyK8OvUilfo= -bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8= bazil.org/fuse v0.0.0-20180421153158-65cc252bf669/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8= bitbucket.org/creachadair/shell v0.0.6/go.mod h1:8Qqi/cYk7vPnsOePHroKXDJYmb5x7ENhtiFtfZq8K+M= bitbucket.org/creachadair/shell v0.0.7 h1:Z96pB6DkSb7F3Y3BBnJeOZH2gazyMTWlvecSD4vDqfk= bitbucket.org/creachadair/shell v0.0.7/go.mod h1:oqtXSSvSYr4624lnnabXHaBsYW6RD80caLi2b3hJk0U= -bou.ke/monkey v1.0.2/go.mod h1:OqickVX3tNx6t33n1xvtTtu85YN5s6cKwVug+oHMaIA= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
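Review bot: The eleven `go.etcd.io/etcd/*` requirements in the `@@ -283,50 +297,49 @@` hunk move from the tagged v3.5.4 to `v3.6.0-alpha.0` (`client/v2` to `v2.306.0-alpha.0`), so the module graph now selects a pre-release of etcd, and `golang.org/x/text` lands on the pseudo-version `v0.3.8-0.20211004125949-5bd84dd9b33b` rather than a tagged release. All of these are `// indirect`, so the selection presumably comes from one of the direct requirements bumped elsewhere in this patch; `go mod why -m go.etcd.io/etcd/server/v3` and `go mod graph` would show which one and whether any shipped binary actually links the package. If the alpha is only reachable from a tool or test dependency, the commit description should say so; if it is linked into a released binary, consider holding the direct dependency at a version that still resolves to a tagged etcd release. The `require (` block starts and ends outside this hunk.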
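Review bot: Dropping `replace github.com/open-policy-agent/opa => github.com/open-policy-agent/opa v0.35.0` at the end of go.mod (the `@@ -334,11 +347,8 @@` hunk) lifts the pin on OPA, and nothing in the hunk records why the pin existed or which version is selected now; the `require` line for OPA is outside this hunk. A `replace` overrides whatever version the graph would otherwise select, so removing it can move the policy engine across several releases in one step. It is worth confirming the resolved version with `go list -m github.com/open-policy-agent/opa` and re-running the Rego policy tests against it. A sentence in the commit message naming the new OPA version and why the pin is no longer needed would make the change auditable later.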
@@ -29,17 +27,13 @@ cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPT cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= -cloud.google.com/go v0.82.0/go.mod h1:vlKccHJGuFBFufnAnuB08dfEH9Y3H7dzDzRECFdC2TA= cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY= cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM= cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY= cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ= -cloud.google.com/go v0.92.2/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= -cloud.google.com/go v0.92.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4= cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc= -cloud.google.com/go v0.98.0/go.mod h1:ua6Ush4NALrHk5QXDWnjvZHN93OuF0HfuEPq9I1X0cM= cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA= cloud.google.com/go v0.100.1/go.mod h1:fs4QogzfH5n2pBXBP9vRiU+eCny7lD2vmFZy79Iuw1U= cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A= 
@@ -68,14 +62,9 @@ cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1 cloud.google.com/go/datastore v1.5.0/go.mod h1:RGUNM0FFAVkYA94BLTxoXBgfIyY1Riq67TwaBXH0lwc= cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= cloud.google.com/go/firestore v1.6.0/go.mod h1:afJwI0vaXwAG54kI7A//lP/lSPDkQORQuMkv56TxEPU= -cloud.google.com/go/firestore v1.6.1/go.mod h1:asNXNOzBdyVQmEU+ggO8UPodTkEVFW5Qx+rwHnAz+EY= cloud.google.com/go/iam v0.1.1/go.mod h1:CKqrcnI/suGpybEHxZ7BMehL0oA4LpdyJdUlTl9jVMw= cloud.google.com/go/iam v0.3.0 h1:exkAomrVUuzx9kWFI1wm3KI0uoDeUFPB4kKGzx6x+Gc= cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= -cloud.google.com/go/kms v1.0.0/go.mod h1:nhUehi+w7zht2XrUfvTRNpxrfayBHqP4lu2NSywui/0= -cloud.google.com/go/kms v1.1.0/go.mod h1:WdbppnCDMDpOvoYBMn1+gNmOeEoZYqAv+HeuKARGCXI= -cloud.google.com/go/kms v1.4.0 h1:iElbfoE61VeLhnZcGOltqL8HIly8Nhbe5t6JlH9GXjo= -cloud.google.com/go/monitoring v0.1.0/go.mod h1:Hpm3XfzJv+UTiXzCG5Ffp0wijzHTC7Cv4eR7o3x/fEE= cloud.google.com/go/monitoring v1.1.0/go.mod h1:L81pzz7HKn14QCMaCs6NTQkdBnE87TElyanS95vIcl4= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= 
@@ -83,17 +72,13 @@ cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIA cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= cloud.google.com/go/pubsub v1.5.0/go.mod h1:ZEwJccE3z93Z2HWvstpri00jOg7oO4UZDtKhwDwqF0w= cloud.google.com/go/pubsub v1.11.0-beta.schemas/go.mod h1:llNLsvx+RnsZJoY481TzC1XcdB2hWdR6gSWM5O4vgfs= -cloud.google.com/go/pubsub v1.17.1/go.mod h1:4qDxMr1WsM9+aQAz36ltDwCIM+R0QdlseyFjBuNvnss= -cloud.google.com/go/secretmanager v1.0.0/go.mod h1:+Qkm5qxIJ5mk74xxIXA+87fseaY1JLYBcFPQoc/GQxg= cloud.google.com/go/secretmanager v1.7.0 h1:EAPaaxMs1gtdyxK5UN8KfD5tnDBZiFoSroRfjV3EgQU= cloud.google.com/go/secretmanager v1.7.0/go.mod h1:20dYAPbj+H4+pXdBRN2z77yugQJJ30UF2kL9OWPs+L0= -cloud.google.com/go/security v1.1.1/go.mod h1:QZd0wTwNJNKnl0H4/wAFD10TSX8kI4nk8V6ie6fyc9w= cloud.google.com/go/security v1.8.0 h1:linnRc3/gJYDfKbAtNixVQ52+66DpOx5MmCz0NNxal8= cloud.google.com/go/security v1.8.0/go.mod h1:hAQOwgmaHhztFhiQ41CjDODdWP0+AE1B3sX4OFlq+GU= cloud.google.com/go/spanner v1.7.0/go.mod h1:sd3K2gZ9Fd0vMPLXzeCrF6fq4i63Q7aTLW/lBIfBkIk= cloud.google.com/go/spanner v1.17.0/go.mod h1:+17t2ixFwRG4lWRwE+5kipDR9Ef07Jkmc8z0IbMDKUs= cloud.google.com/go/spanner v1.18.0/go.mod h1:LvAjUXPeJRGNuGpikMULjhLj/t9cRvdc+fxRoLiugXA= -cloud.google.com/go/spanner v1.25.0/go.mod h1:kQUft3x355hzzaeFbObjsvkzZDgpDkesp3v75WBnI8w= cloud.google.com/go/spanner v1.31.0/go.mod h1:ztDJVUZgEA2xc7HjSNQG+d+2L0bOSsw876/5Hnr78U8= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= 
@@ -102,45 +87,31 @@ cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RX cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo= cloud.google.com/go/storage v1.15.0/go.mod h1:mjjQMoxxyGH7Jr8K5qrx6N2O0AHsczI61sMNn03GIZI= -cloud.google.com/go/storage v1.18.2/go.mod h1:AiIj7BWXyhO5gGVmYJ+S8tbkCx3yb0IMjua8Aw4naVM= cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y= cloud.google.com/go/storage v1.27.0 h1:YOO045NZI9RKfCj1c5A/ZtuuENUc8OAW+gHdGnDgyMQ= cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s= -cloud.google.com/go/trace v0.1.0/go.mod h1:wxEwsoeRVPbeSkt7ZC9nWCgmoKQRAoySN7XHW2AmI7g= cloud.google.com/go/trace v1.0.0/go.mod h1:4iErSByzxkyHWzzlAj63/Gmjz0NH1ASqhJguHpGcr6A= code.gitea.io/sdk/gitea v0.11.3/go.mod h1:z3uwDV/b9Ls47NGukYM9XhnHtqPh/J+t40lsUrR6JDY= contrib.go.opencensus.io/exporter/aws v0.0.0-20181029163544-2befc13012d0/go.mod h1:uu1P0UCM/6RbsMrgPa98ll8ZcHM858i/AD06a9aLRCA= -contrib.go.opencensus.io/exporter/aws v0.0.0-20200617204711-c478e41e60e9/go.mod h1:uu1P0UCM/6RbsMrgPa98ll8ZcHM858i/AD06a9aLRCA= contrib.go.opencensus.io/exporter/ocagent v0.5.0/go.mod h1:ImxhfLRpxoYiSq891pBrLVhN+qmP8BTVvdH2YLs7Gl0= contrib.go.opencensus.io/exporter/stackdriver v0.12.1/go.mod h1:iwB6wGarfphGGe/e5CWqyUk/cLzKnWsOKPVW3no6OTw= contrib.go.opencensus.io/exporter/stackdriver v0.13.4/go.mod h1:aXENhDJ1Y4lIg4EUaVTwzvYETVNZk10Pu26tevFKLUc= contrib.go.opencensus.io/exporter/stackdriver v0.13.5/go.mod h1:aXENhDJ1Y4lIg4EUaVTwzvYETVNZk10Pu26tevFKLUc= -contrib.go.opencensus.io/exporter/stackdriver v0.13.8/go.mod h1:huNtlWx75MwO7qMs0KrMxPZXzNNWebav1Sq/pm02JdQ= -contrib.go.opencensus.io/exporter/stackdriver v0.13.10/go.mod h1:I5htMbyta491eUxufwwZPQdcKvvgzMB4O9ni41YnIM8= contrib.go.opencensus.io/exporter/stackdriver v0.13.12/go.mod 
h1:mmxnWlrvrFdpiOHOhxBaVi1rkc0WOqhgfknj4Yg0SeQ= contrib.go.opencensus.io/integrations/ocsql v0.1.4/go.mod h1:8DsSdjz3F+APR+0z0WkU1aRorQCFfRxvqjUUPMbF3fE= -contrib.go.opencensus.io/integrations/ocsql v0.1.7/go.mod h1:8DsSdjz3F+APR+0z0WkU1aRorQCFfRxvqjUUPMbF3fE= contrib.go.opencensus.io/resource v0.1.1/go.mod h1:F361eGI91LCmW1I/Saf+rX0+OFcigGlFvXwEGEnkRLA= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -filippo.io/edwards25519 v1.0.0-rc.1/go.mod h1:N1IkdkCkiLB6tki+MYJoSx2JTY9NUlxZE7eHn5EwJns= -github.com/AdaLogics/go-fuzz-headers v0.0.0-20211102141018-f7be0cbad29c/go.mod h1:WpB7kf89yJUETZxQnP1kgYPNwlT2jjdDYUCoxVggM3g= +github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 h1:8+4G8JaejP8Xa6W46PzJEwisNgBXMvFcz78N6zG/ARw= +github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0/go.mod h1:GgeIE+1be8Ivm7Sh4RgwI42aTtC9qrcj+Y9Y6CjJhJs= github.com/Antonboom/errname v0.1.5/go.mod h1:DugbBstvPFQbv/5uLcRRzfrNqKE9tVdVCqWCLp6Cifo= github.com/Antonboom/nilnil v0.1.0/go.mod h1:PhHLvRPSghY5Y7mX4TW+BHZQYo1A8flE5H20D3IPZBo= github.com/Azure/azure-amqp-common-go/v2 v2.1.0/go.mod h1:R8rea+gJRuJR6QxTir/XuEd+YuKoUiazDC/N96FiDEU= -github.com/Azure/azure-amqp-common-go/v3 v3.2.1/go.mod h1:O6X1iYHP7s2x7NjUKsXVhkwWrQhxrd+d8/3rRadj4CI= -github.com/Azure/azure-amqp-common-go/v3 v3.2.2/go.mod h1:O6X1iYHP7s2x7NjUKsXVhkwWrQhxrd+d8/3rRadj4CI= github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiUVpqIlpz/HKHylF4= -github.com/Azure/azure-pipeline-go v0.2.3/go.mod h1:x841ezTBIMG6O3lAcl8ATHnsOPVl2bqk7S3ta6S6u4k= -github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v29.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v30.1.0+incompatible/go.mod 
h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v46.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v51.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v59.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v60.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v60.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v63.3.0+incompatible h1:INepVujzUrmArRZjDLHbtER+FkvCoEwyRCXGqOlmDII= -github.com/Azure/azure-sdk-for-go v63.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v66.0.0+incompatible h1:bmmC38SlE8/E81nNADlgmVGurPWMHDX2YNXVQMrBpEE= +github.com/Azure/azure-sdk-for-go v66.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go/sdk/azcore v0.19.0/go.mod h1:h6H6c8enJmmocHUbLiiGY6sx7f9i+X3m1CHdd5c6Rdw= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4 h1:pqrAR74b6EoR4kcxF7L7Wg2B8Jgil9UUZtMvxhEFqWo= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U= 
@@ -158,56 +129,37 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0/ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0 h1:ECsQtyERDVz3NP3kvDOTLvbQhqWp/x9EsGKtb4ogUr8= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0/go.mod h1:s1tW/At+xHqjNFvWU4G0c0Qv33KOhvbGNj0RCTQDV8s= github.com/Azure/azure-service-bus-go v0.9.1/go.mod h1:yzBx6/BUGfjfeqbRZny9AQIbIe3AcV9WZbAdpkoXOa0= -github.com/Azure/azure-service-bus-go v0.11.5/go.mod h1:MI6ge2CuQWBVq+ly456MY7XqNLJip5LO1iSFodbNLbU= github.com/Azure/azure-storage-blob-go v0.8.0/go.mod h1:lPI3aLPpuLTeUwh1sViKXFxwl2B6teiRqI0deQUvsw0= -github.com/Azure/azure-storage-blob-go v0.14.0/go.mod h1:SMqIBi+SuiQH32bvyjngEewEeXoPfKMgWlBDaYf6fck= -github.com/Azure/go-amqp v0.16.0/go.mod h1:9YJ3RhxRT1gquYnzpZO1vcYMMpAdJT+QEg6fwmw9Zlg= -github.com/Azure/go-amqp v0.16.4/go.mod h1:9YJ3RhxRT1gquYnzpZO1vcYMMpAdJT+QEg6fwmw9Zlg= -github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= -github.com/Azure/go-autorest v10.8.1+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest v12.0.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= github.com/Azure/go-autorest/autorest v0.11.6/go.mod 
h1:V6p3pKZx1KKkJubbxnDWrzNhEIfOy/pTGasLqzHIPHs= github.com/Azure/go-autorest/autorest v0.11.8/go.mod h1:V6p3pKZx1KKkJubbxnDWrzNhEIfOy/pTGasLqzHIPHs= github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= -github.com/Azure/go-autorest/autorest v0.11.19/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= -github.com/Azure/go-autorest/autorest v0.11.22/go.mod h1:BAWYUWGPEtKPzjVkp0Q6an0MJcJDsoh5Z1BFAEFs4Xs= github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc= -github.com/Azure/go-autorest/autorest v0.11.27 h1:F3R3q42aWytozkV8ihzcgMO4OA4cuqr3bNlsEuF6//A= -github.com/Azure/go-autorest/autorest v0.11.27/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U= -github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= +github.com/Azure/go-autorest/autorest v0.11.28 h1:ndAExarwr5Y+GaHE6VCaY1kyS/HwwGGyuimVhWsHOEM= +github.com/Azure/go-autorest/autorest v0.11.28/go.mod h1:MrkzG3Y3AH668QyF9KRk5neJnGgmhQ6krbhR8Q5eMvA= github.com/Azure/go-autorest/autorest/adal v0.9.4/go.mod h1:/3SMAM86bP6wC9Ev35peQDUeqFZBMH07vvUOmg4z/fE= -github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= -github.com/Azure/go-autorest/autorest/adal v0.9.14/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= -github.com/Azure/go-autorest/autorest/adal v0.9.17/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= github.com/Azure/go-autorest/autorest/adal v0.9.20 h1:gJ3E98kMpFB1MFqQCvA1yFab8vthOeD4VlFRQULxahg= github.com/Azure/go-autorest/autorest/adal v0.9.20/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= github.com/Azure/go-autorest/autorest/azure/auth v0.5.2/go.mod 
h1:q98IH4qgc3eWM4/WOeR5+YPmBuy8Lq0jNRDwSM0CuFk= -github.com/Azure/go-autorest/autorest/azure/auth v0.5.9/go.mod h1:hg3/1yw0Bq87O3KvvnJoAh34/0zbP7SFizX/qN5JvjU= github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 h1:P6bYXFoao05z5uhOQzbC3Qd8JqF3jUoocoTeIxkp2cA= github.com/Azure/go-autorest/autorest/azure/auth v0.5.11/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg= github.com/Azure/go-autorest/autorest/azure/cli v0.4.1/go.mod h1:JfDgiIO1/RPu6z42AdQTyjOoCM2MFhLqSBDvMEkDgcg= -github.com/Azure/go-autorest/autorest/azure/cli v0.4.2/go.mod h1:7qkJkT+j6b+hIpzMOwPChJhTqS8VbsqqgULzMNRugoM= -github.com/Azure/go-autorest/autorest/azure/cli v0.4.4/go.mod h1:yAQ2b6eP/CmLPnmLvxtT1ALIY3OR1oFcCqVBi8vHiTc= github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 h1:0W/yGmFdTIT77fvdlGZ0LMISoLHFJ7Tx4U0yeB+uFs4= github.com/Azure/go-autorest/autorest/azure/cli v0.4.5/go.mod h1:ADQAXrkgm7acgWVUNamOgh8YNrv4p27l3Wc55oVfpzg= github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= -github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw= github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU= github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk= -github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE= github.com/Azure/go-autorest/autorest/validation v0.3.1 h1:AgyqjAd94fwNAoTjl/WQXg4VvFeRFpO+UhNyRXqF1ac= -github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= github.com/Azure/go-autorest/logger 
v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= @@ -223,7 +175,6 @@ github.com/DataDog/datadog-go v3.2.0+incompatible h1:qSG2N4FghB1He/r2mFrWKCaL7dX github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs= github.com/GoogleCloudPlatform/cloudsql-proxy v0.0.0-20191009163259-e802c2cb94ae/go.mod h1:mjwGPas4yKduTyubHvD1Atl9r1rUq8DfVy+gkVvZ+oo= -github.com/GoogleCloudPlatform/cloudsql-proxy v1.27.0/go.mod h1:bn9iHmAjogMoIPkqBGyJ9R1m9cXGCjBE/cuhBs3oEsQ= github.com/GoogleCloudPlatform/cloudsql-proxy v1.32.0 h1:647YHw0ZJ3Uu5xlkytf1li7dqJ9mHg9zabuKdZP0vYU= github.com/GoogleCloudPlatform/cloudsql-proxy v1.32.0/go.mod h1:FjoDxLvxFAbnXFuUKkzM7rY66YaU/YHezlau786y9hs= github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0= 
@@ -241,49 +192,18 @@ github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuN github.com/Masterminds/sprig/v3 v3.2.0/go.mod h1:tWhwTbUTndesPNeF0C900vKoq283u6zp4APT9vaF3SI= github.com/Masterminds/sprig/v3 v3.2.2 h1:17jRggJu518dr3QaafizSXOjKYp94wKfABxUmyxvxX8= github.com/Masterminds/sprig/v3 v3.2.2/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk= -github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA= -github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= -github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= -github.com/Microsoft/go-winio v0.4.16-0.20201130162521-d1ffc52c7331/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0= -github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0= -github.com/Microsoft/go-winio v0.4.17-0.20210211115548-6eac466e5fa3/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= -github.com/Microsoft/go-winio v0.4.17-0.20210324224401-5516f17a5958/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= -github.com/Microsoft/go-winio v0.4.17/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= -github.com/Microsoft/go-winio v0.5.1/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg= github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE= -github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg= -github.com/Microsoft/hcsshim v0.8.7-0.20190325164909-8abdbb8205e4/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg= -github.com/Microsoft/hcsshim v0.8.7/go.mod h1:OHd7sQqRFrYd3RmSgbgji+ctCwkbq2wbEYNSzOYtcBQ= -github.com/Microsoft/hcsshim v0.8.9/go.mod 
h1:5692vkUqntj1idxauYlpoINNKeqCiG6Sg38RRsjT5y8= -github.com/Microsoft/hcsshim v0.8.14/go.mod h1:NtVKoYxQuTLx6gEq0L96c9Ju4JbRJ4nY2ow3VK6a9Lg= -github.com/Microsoft/hcsshim v0.8.15/go.mod h1:x38A4YbHbdxJtc0sF6oIz+RG0npwSCAvn69iY6URG00= -github.com/Microsoft/hcsshim v0.8.16/go.mod h1:o5/SZqmR7x9JNKsW3pu+nqHm0MF8vbA+VxGOoXdC600= -github.com/Microsoft/hcsshim v0.8.23/go.mod h1:4zegtUJth7lAvFyc6cH2gGQ5B3OFQim01nnU2M8jKDg= -github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU= -github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= github.com/OpenPeeDeeP/depguard v1.0.1/go.mod h1:xsIw86fROiiwelg+jB2uM9PiKihMMmUx/1V+TNhjQvM= -github.com/PaesslerAG/gval v1.0.0 h1:GEKnRwkWDdf9dOmKcNrar9EA1bz1z9DqPIO1+iLzhd8= -github.com/PaesslerAG/gval v1.0.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v24IBN1I= -github.com/PaesslerAG/jsonpath v0.1.0/go.mod h1:4BzmtoM/PI8fPO4aQGIusjGxGir2BzcV0grWtFzq1Y8= -github.com/PaesslerAG/jsonpath v0.1.1 h1:c1/AToHQMVsduPAa4Vh6xp2U0evy4t8SWp8imEsylIk= -github.com/PaesslerAG/jsonpath v0.1.1/go.mod h1:lVboNxFGal/VwW6d9JzIy56bUsYAP6tH/x80vjnCseY= github.com/PuerkitoBio/goquery v1.5.1/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBKeU+7zCJoLcc= -github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI= github.com/PuerkitoBio/purell 
v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/ReneKroon/ttlcache/v2 v2.10.0/go.mod h1:mBxvsNY+BT8qLLd6CuAJubbKo6r0jh3nb5et22bbfGY= -github.com/ReneKroon/ttlcache/v2 v2.11.0 h1:OvlcYFYi941SBN3v9dsDcC2N8vRxyHcCmJb3Vl4QMoM= -github.com/ReneKroon/ttlcache/v2 v2.11.0/go.mod h1:mBxvsNY+BT8qLLd6CuAJubbKo6r0jh3nb5et22bbfGY= -github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ= github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo= github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI= github.com/StackExchange/wmi v1.2.1/go.mod h1:rcmrprowKIVzvc+NUiLncP2uuArMWLCbu9SBzvHz7e8= 
@@ -291,7 +211,8 @@ github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE= github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/4+TcAqDqk/vUH7g= github.com/afex/hystrix-go v0.0.0-20180502004556-fa1af6a1f4f5/go.mod h1:SkGFH1ia65gfNATL8TAiHDNxPzPdmEL5uirI2Uyuz6c= -github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM= +github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8= +github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo= github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs= github.com/alecthomas/kingpin v2.2.6+incompatible/go.mod h1:59OFYbFVLKQKq+mqrL6Rw5bR0c3ACQaawgXx0QYndlE= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= 
@@ -299,11 +220,47 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= -github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0= github.com/alexkohler/prealloc v1.0.0/go.mod h1:VetnK3dIgFBBKmg0YnD9F9x6Icjd+9cvfHR56wJVlKE= +github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.2/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc= +github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 h1:iC9YFYKDGEy3n/FtqJnOkZsene9olVspKmkX5A2YBEo= +github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc= +github.com/alibabacloud-go/cr-20160607 v1.0.1 h1:WEnP1iPFKJU74ryUKh/YDPHoxMZawqlPajOymyNAkts= +github.com/alibabacloud-go/cr-20160607 v1.0.1/go.mod h1:QHeKZtZ3F3FOE+/uIXCBAp8POwnUYekpLwr1dtQa5r0= +github.com/alibabacloud-go/cr-20181201 v1.0.10 h1:B60f6S1imsgn2fgC6X6FrVNrONDrbCT0NwYhsJ0C9/c= +github.com/alibabacloud-go/cr-20181201 v1.0.10/go.mod h1:VN9orB/w5G20FjytoSpZROqu9ZqxwycASmGqYUJSoDc= +github.com/alibabacloud-go/darabonba-openapi v0.1.12/go.mod h1:sTAjsFJmVsmcVeklL9d9uDBlFsgl43wZ6jhI6BHqHqU= +github.com/alibabacloud-go/darabonba-openapi v0.1.14/go.mod h1:w4CosR7O/kapCtEEMBm3JsQqWBU/CnZ2o0pHorsTWDI= +github.com/alibabacloud-go/darabonba-openapi v0.1.18 h1:3eUVmAr7WCJp7fgIvmCd9ZUyuwtJYbtUqJIed5eXCmk= +github.com/alibabacloud-go/darabonba-openapi v0.1.18/go.mod h1:PB4HffMhJVmAgNKNq3wYbTUlFvPgxJpTzd1F5pTuUsc= +github.com/alibabacloud-go/darabonba-string v1.0.0/go.mod h1:93cTfV3vuPhhEwGGpKKqhVW4jLe7tDpo3LUM0i0g6mA= +github.com/alibabacloud-go/debug 
v0.0.0-20190504072949-9472017b5c68 h1:NqugFkGxx1TXSh/pBcU00Y6bljgDPaFdh5MUSeJ7e50= +github.com/alibabacloud-go/debug v0.0.0-20190504072949-9472017b5c68/go.mod h1:6pb/Qy8c+lqua8cFpEy7g39NRRqOWc3rOwAy8m5Y2BY= +github.com/alibabacloud-go/endpoint-util v1.1.0/go.mod h1:O5FuCALmCKs2Ff7JFJMudHs0I5EBgecXXxZRyswlEjE= +github.com/alibabacloud-go/endpoint-util v1.1.1 h1:ZkBv2/jnghxtU0p+upSU0GGzW1VL9GQdZO3mcSUTUy8= +github.com/alibabacloud-go/endpoint-util v1.1.1/go.mod h1:O5FuCALmCKs2Ff7JFJMudHs0I5EBgecXXxZRyswlEjE= +github.com/alibabacloud-go/openapi-util v0.0.9/go.mod h1:sQuElr4ywwFRlCCberQwKRFhRzIyG4QTP/P4y1CJ6Ws= +github.com/alibabacloud-go/openapi-util v0.0.10/go.mod h1:sQuElr4ywwFRlCCberQwKRFhRzIyG4QTP/P4y1CJ6Ws= +github.com/alibabacloud-go/openapi-util v0.0.11 h1:iYnqOPR5hyEEnNZmebGyRMkkEJRWUEjDiiaOHZ5aNhA= +github.com/alibabacloud-go/openapi-util v0.0.11/go.mod h1:sQuElr4ywwFRlCCberQwKRFhRzIyG4QTP/P4y1CJ6Ws= +github.com/alibabacloud-go/tea v1.1.0/go.mod h1:IkGyUSX4Ba1V+k4pCtJUc6jDpZLFph9QMy2VUPTwukg= +github.com/alibabacloud-go/tea v1.1.7/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4= +github.com/alibabacloud-go/tea v1.1.8/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4= +github.com/alibabacloud-go/tea v1.1.11/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4= +github.com/alibabacloud-go/tea v1.1.17/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A= +github.com/alibabacloud-go/tea v1.1.18 h1:+6GJ06eu5Cr/Mkj09vWrf6QAfrPepctY2OxcWNclRC0= +github.com/alibabacloud-go/tea v1.1.18/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A= +github.com/alibabacloud-go/tea-utils v1.3.1/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE= +github.com/alibabacloud-go/tea-utils v1.3.9/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE= +github.com/alibabacloud-go/tea-utils v1.4.3/go.mod h1:KNcT0oXlZZxOXINnZBs6YvgOd5aYp9U67G+E3R8fcQw= +github.com/alibabacloud-go/tea-utils v1.4.4 h1:lxCDvNCdTo9FaXKKq45+4vGETQUKNOW/qKTcX9Sk53o= 
+github.com/alibabacloud-go/tea-utils v1.4.4/go.mod h1:KNcT0oXlZZxOXINnZBs6YvgOd5aYp9U67G+E3R8fcQw= +github.com/alibabacloud-go/tea-xml v1.1.2 h1:oLxa7JUXm2EDFzMg+7oRsYc+kutgCVwm+bZlhhmvW5M= +github.com/alibabacloud-go/tea-xml v1.1.2/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8= +github.com/aliyun/credentials-go v1.1.2/go.mod h1:ozcZaMR5kLM7pwtCMEpVmQ242suV6qTJya2bDq4X1Tw= +github.com/aliyun/credentials-go v1.2.3 h1:Vmodnr52Rz1mcbwn0kzMhLRKb6soizewuKXdfZiNemU= +github.com/aliyun/credentials-go v1.2.3/go.mod h1:/KowD1cfGSLrLsH28Jr8W+xwoId0ywIy5lNzDz6O1vw= github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 h1:MzBOUgng9orim59UnfUTLRjMpd09C5uEVQ6RPGeCaVI= github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129/go.mod h1:rFgpPQZYZ8vdbc+48xibu8ALc3yeyd64IhHS+PU6Yyg= -github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= github.com/andybalholm/brotli v1.0.2/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y= github.com/andybalholm/brotli v1.0.3/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= github.com/andybalholm/cascadia v1.1.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y= @@ -312,7 +269,6 @@ github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQY github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/aokoli/goutils v1.0.1/go.mod h1:SijmP0QR8LtwsmDs8Yii5Z/S4trXFGFC2oO5g9DP+DQ= github.com/apache/beam v2.28.0+incompatible/go.mod h1:/8NX3Qi8vGstDLLaeaU7+lzVEu/ACaQhYjeefzQ0y1o= -github.com/apache/beam v2.32.0+incompatible/go.mod h1:/8NX3Qi8vGstDLLaeaU7+lzVEu/ACaQhYjeefzQ0y1o= github.com/apache/beam/sdks/v2 v2.0.0-20211012030016-ef4364519c94/go.mod h1:/kOom7hCyHVzAC/Z7HbZywkZZv6ywF+wb4CvgDVdcB8= github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= 
@@ -320,11 +276,11 @@ github.com/apex/log v1.1.4/go.mod h1:AlpoD9aScyQfJDVHmLMEcx4oU6LqzkWp4Mg9GdAcEvQ github.com/apex/logs v0.0.4/go.mod h1:XzxuLZ5myVHDy9SAmYpamKKRNApGj54PfYLcFrXqDwo= github.com/aphistic/golf v0.0.0-20180712155816-02c07f170c5a/go.mod h1:3NqKYiepwy8kCu4PNA+aP7WUV72eXWJeP9/r3/K9aLE= github.com/aphistic/sweet v0.2.0/go.mod h1:fWDlIh/isSE9n6EPsRmC0det+whmX6dJid3stzu0Xys= +github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= +github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= -github.com/armon/go-metrics v0.3.9/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc= -github.com/armon/go-metrics v0.3.10/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc= github.com/armon/go-metrics v0.4.1 h1:hR91U9KYmb6bLBYLQjyM+3j+rcd/UhE+G78SFnF8gJA= github.com/armon/go-metrics v0.4.1/go.mod h1:E6amYzXo6aW1tqzoZGT755KkbgrJsSdpwZ+3JqfkOG4= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= 
@@ -332,17 +288,13 @@ github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI= github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a/go.mod h1:DAHtR1m6lCRdSC2Tm3DSWRPvIPr6xNKyeHdqDQSQT+A= -github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= -github.com/asaskevich/govalidator v0.0.0-20200108200545-475eaeb16496/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg= -github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg= github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d h1:Byv0BzEl3/e6D5CLfI0j/7hiIEtvGVFPCZ7Ei2oq8iQ= github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/ashanbrown/forbidigo v1.2.0/go.mod h1:vVW7PEdqEFqapJe95xHkTfB1+XvZXBFg8t0sG2FIxmI= github.com/ashanbrown/makezero v0.0.0-20210520155254-b6261585ddde/go.mod h1:oG9Dnez7/ESBqc4EdrdNlryeo7d0KcW1ftXHm7nU/UU= github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= -github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0= github.com/aws/aws-sdk-go v1.15.27/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0= github.com/aws/aws-sdk-go v1.19.18/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.19.45/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= 
@@ -351,16 +303,10 @@ github.com/aws/aws-sdk-go v1.23.20/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpi github.com/aws/aws-sdk-go v1.25.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= -github.com/aws/aws-sdk-go v1.34.28/go.mod h1:H7NKnBqNVzoTJpGfLrQkkD+ytBA93eiDYi/+8rV9s48= github.com/aws/aws-sdk-go v1.36.30/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= -github.com/aws/aws-sdk-go v1.42.8/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= -github.com/aws/aws-sdk-go v1.42.22/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= -github.com/aws/aws-sdk-go v1.42.25/go.mod h1:gyRszuZ/icHmHAVE4gc/r+cfCmhA1AD+vqfWbgI+eHs= -github.com/aws/aws-sdk-go v1.43.45 h1:2708Bj4uV+ym62MOtBnErm/CDX61C4mFe9V2gXy1caE= github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= github.com/aws/aws-sdk-go-v2 v1.7.1/go.mod h1:L5LuPC1ZgDr2xQS7AmIec/Jlc7O/Y1u2KxJyNVab250= -github.com/aws/aws-sdk-go-v2 v1.11.0/go.mod h1:SQfA+m2ltnu1cA0soUkj4dRSsmITiVQUJvBIZjzfPyQ= github.com/aws/aws-sdk-go-v2 v1.14.0/go.mod h1:ZA3Y8V0LrlWj63MQAnRHgKf/5QB//LSZCPNWlWrNGLU= github.com/aws/aws-sdk-go-v2 v1.16.13/go.mod h1:xSyvSnzh0KLs5H4HJGeIEsNYemUWdNIl0b/rP6SIsLU= github.com/aws/aws-sdk-go-v2 v1.16.15/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= 
@@ -368,21 +314,15 @@ github.com/aws/aws-sdk-go-v2 v1.16.16/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUY github.com/aws/aws-sdk-go-v2 v1.17.0/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= github.com/aws/aws-sdk-go-v2 v1.17.1 h1:02c72fDJr87N8RAC2s3Qu0YuvMRZKNZJ9F+lAehCazk= github.com/aws/aws-sdk-go-v2 v1.17.1/go.mod h1:JLnGeGONAyi2lWXI1p0PCIOIy333JMVK1U7Hf0aRFLw= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.0.0/go.mod h1:Xn6sxgRuIDflLRJFj5Ev7UxABIkNbccFPV/p8itDReM= github.com/aws/aws-sdk-go-v2/config v1.5.0/go.mod h1:RWlPOAW3E3tbtNAqTwvSW54Of/yP3oiZXMI0xfUdjyA= -github.com/aws/aws-sdk-go-v2/config v1.10.1/go.mod h1:auIv5pIIn3jIBHNRcVQcsczn6Pfa6Dyv80Fai0ueoJU= -github.com/aws/aws-sdk-go-v2/config v1.17.4 h1:9HY1wbShqObySCHP2Z07blfrSWVX+nVxCZmUuLZKcG8= -github.com/aws/aws-sdk-go-v2/config v1.17.4/go.mod h1:ul+ru+huVpfduF9XRmGUq82T8T3K+nIFQuF6F+L+548= +github.com/aws/aws-sdk-go-v2/config v1.17.7 h1:odVM52tFHhpqZBKNjVW5h+Zt1tKHbhdTQRb+0WHrNtw= +github.com/aws/aws-sdk-go-v2/config v1.17.7/go.mod h1:dN2gja/QXxFF15hQreyrqYhLBaQo1d9ZKe/v/uplQoI= github.com/aws/aws-sdk-go-v2/credentials v1.3.1/go.mod h1:r0n73xwsIVagq8RsxmZbGSRQFj9As3je72C2WzUIToc= -github.com/aws/aws-sdk-go-v2/credentials v1.6.1/go.mod h1:QyvQk1IYTqBWSi1T6UgT/W8DMxBVa5pVuLFSRLLhGf8= -github.com/aws/aws-sdk-go-v2/credentials v1.12.17 h1:htUjIJOQcvIUR0jC4eLkdis1DfaLL4EUbIKUFqh2WFA= -github.com/aws/aws-sdk-go-v2/credentials v1.12.17/go.mod h1:jd1mvJulXY7ccHvcSiJceYhv06yWIIRkJnwWEA4IX+g= +github.com/aws/aws-sdk-go-v2/credentials v1.12.20 h1:9+ZhlDY7N9dPnUmf7CDfW9In4sW5Ff3bh7oy4DzS1IE= +github.com/aws/aws-sdk-go-v2/credentials v1.12.20/go.mod h1:UKY5HyIux08bbNA7Blv4PcXQ8cTkGh7ghHMFklaviR4= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.3.0/go.mod h1:2LAuqPx1I6jNfaGDucWfA2zqQCYCOMCDHiCOciALyNw= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.8.0/go.mod h1:5E1J3/TTYy6z909QNR0QnXGBpfESYGDqd3O0zqONghU= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14 
h1:NZwZFtxXGOEIiCd8jWN55lexakug543CaO68bTpoLwg= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14/go.mod h1:5CU57SyF5jZLSIw4OOll0PG83ThXwNdkRFOc0EltD/0= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.7.1/go.mod h1:wN/mvkow08GauDwJ70jnzJ1e+hE+Q3Q7TwpYLXOe9oI= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.0/go.mod h1:NO3Q5ZTTQtO2xIg2+xTXYDiT7knSejfeDm7WGDaOo0U= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.17 h1:r08j4sbZu/RVi+BNxkBJwPMUYY3P8mgSDuKkZ/ZN1lE= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.17/go.mod h1:yIkQcCDYNsZfXpd5UX2Cy+sWA1jPgIhGTw9cOBzfVnQ= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.5/go.mod h1:2hXc8ooJqF2nAznsbJQIn+7h851/bu8GVC80OVTTqf8= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.20/go.mod h1:gdZ5gRUaxThXIZyZQ8MTtgYBk2jbHgp05BO3GcD9Cwc= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.22/go.mod h1:/vNv5Al0bpiF8YdX2Ov6Xy05VTiXsql94yUqJMYaj0w= @@ -390,7 +330,6 @@ github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.23/go.mod h1:2DFxAQ9pfI github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.24/go.mod h1:ghMzB/j2wRbPx5/4jPYxJdOtCG2ggrtY01j8K7FMBDA= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 h1:nBO/RFxeq/IS5G9Of+ZrgucRciie2qpLy++3UGZ+q2E= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25/go.mod h1:Zb29PYkf42vVYQY6pvSyJCJcFHlPIiY+YKdPtwnvMkY= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.0.0/go.mod h1:anlUzBoEWglcUxUQwZA7HQOEVEnQALVZsizAapB2hq8= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.3.0/go.mod h1:miRSv9l093jX/t/j+mBCaLqFHo9xKYzJ7DGm1BsGoJM= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.14/go.mod h1:GEV9jaDPIgayiU+uevxwozcvUOjc+P4aHE2BeSjm2vE= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.16/go.mod h1:62dsXI0BqTIGomDl8Hpm33dv0OntGaVblri3ZRParVQ= 
@@ -399,9 +338,8 @@ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.18/go.mod h1:fkQKYK/jUhC github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 h1:oRHDrwCTVT8ZXi4sr9Ld+EXk7N/KGssOr2ygNeojEhw= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19/go.mod h1:6Q0546uHDp421okhmmGfbxzq2hBqbXFNpi4k+Q1JnQA= github.com/aws/aws-sdk-go-v2/internal/ini v1.1.1/go.mod h1:Zy8smImhTdOETZqfyn01iNOe0CNggVbPjCajyaz6Gvg= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.0/go.mod h1:6oXGy4GLpypD3uCh8wcqztigGgmhLToMfjavgh+VySg= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21 h1:lpwSbLKYTuABo6SyUoC25xAmfO3/TehGS2SmD1EtOL0= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21/go.mod h1:Q0pktZjvRZk77TBto6yAvUAi7fcse1bdcMctBDVGgBw= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.24 h1:wj5Rwc05hvUSvKuOF29IYb9QrCLjU+rHAy/x/o0DK2c= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.24/go.mod h1:jULHjqqjDlbyTa7pfM7WICATnOv+iOhjletM3N0Xbu8= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 h1:2f0kb+39miQPRp0b7Sqq06+TpxI0Nfcra41QxzJPME8= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0/go.mod h1:AVLIBQ9V7mcHd5uZT1+wUbBt4QaI/XcOens85Ib0W1o= github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.0 h1:9ailn+011zwUJdS8RuamANJVAyX+aoUyTaBrw0CHRdE= 
@@ -414,37 +352,24 @@ github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.12.0 h1:LsqBpyRofMG6eDs6YGud6F github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.12.0/go.mod h1:IArQ3IBR00FkuraKwudKZZU32OxJfdTdwV+W5iZh3Y4= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 h1:m/WtVqEvgwDiUPIW2dtnF2hDE1O62MEflz9ClOlCXAs= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16/go.mod h1:w8wndcRxwILFQAzwkUKyEDz4LDHEBSR78KRdaNjUKQA= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.5.0/go.mod h1:80NaCIH9YU3rzTTs/J/ECATjXuRqzo/wB6ukO6MZ0XY= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.2.1/go.mod h1:zceowr5Z1Nh2WVP8bf/3ikB41IZW59E4yIYbg+pC6mw= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.5.0/go.mod h1:Mq6AEc+oEjCUlBuLiK5YwW4shSOAKCQ3tXN0sQeYoBA= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.14/go.mod h1:8qOLjqMzY/S1kh3myDXA1yxK5eD4uN8aOJgKpgvc4OM= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.17/go.mod h1:4nYOrY41Lrbk2170/BGkcJKBhws9Pfn8MG3aGqjjeFI= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.18 h1:5oiCDEOHnYkk7uTVI8Wv6ftdFfb6YlUUNzkeePVIPjY= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.18/go.mod h1:QtCDHDOXunxeihz7iU15e09u9gRIeaa5WeE6FZVnGUo= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.9.0/go.mod h1:xKCZ4YFSF2s4Hnb/J0TLeOsKuGzICzcElaOKNGrVnx4= -github.com/aws/aws-sdk-go-v2/service/kms v1.10.0/go.mod h1:ZkHWL8m5Nw1g9yMXqpCjnIJtSDToAmNbXXZ9gj0bO7s= -github.com/aws/aws-sdk-go-v2/service/kms v1.18.8 h1:0YzDYm5rFuwzqwhBg94OYa2TKbdd5dUsf9+uPHwoYns= -github.com/aws/aws-sdk-go-v2/service/kms v1.18.8/go.mod h1:NjgXnn0pk5rLSWZIgtx0BCwoCugRXzKZ7cDNsl98W7U= -github.com/aws/aws-sdk-go-v2/service/s3 v1.19.0/go.mod h1:Gwz3aVctJe6mUY9T//bcALArPUaFmNAy2rTB9qN4No8= -github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.10.0/go.mod h1:qAgsrzF3Z2vvV01j79fs7D75ofCMQe81/OKBJx0rjFY= +github.com/aws/aws-sdk-go-v2/service/kms v1.18.10 
h1:rl0vxqQ/DFZZMLk9+FLgIuiE/GwMPoI5BeoCkkM2DA4= +github.com/aws/aws-sdk-go-v2/service/kms v1.18.10/go.mod h1:45pB2oUV71tilooilIi3dC1KVWWJHHhc7JnyqByuheo= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 h1:Lh1yssM4dinNZuESsXnbi+pID8hoviejLZdLmT175i8= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0/go.mod h1:z0y2iDaghoq7uv6kndhrJCTzgVckv8Aak8kpnu2kYjs= -github.com/aws/aws-sdk-go-v2/service/sns v1.11.0/go.mod h1:LIPf3BTbSY5UeVli+x/1y2Qw1w8T9DYyp7p18Qt8Zc8= -github.com/aws/aws-sdk-go-v2/service/sqs v1.12.0/go.mod h1:TDqDmQnsbgL2ZMIGUf3z9xTzCMqFX7FP1geAgIlYqvA= -github.com/aws/aws-sdk-go-v2/service/ssm v1.15.0/go.mod h1:kJa2uHklY03rKsNSbEsToeUgWJ1PambXBtRNacorRhg= github.com/aws/aws-sdk-go-v2/service/sso v1.3.1/go.mod h1:J3A3RGUvuCZjvSuZEcOpHDnzZP/sKbhDWV2T1EOzFIM= -github.com/aws/aws-sdk-go-v2/service/sso v1.6.0/go.mod h1:Q/l0ON1annSU+mc0JybDy1Gy6dnJxIcWjphO6qJPzvM= -github.com/aws/aws-sdk-go-v2/service/sso v1.11.20 h1:3raP0UC9rvRyY4/cc4o4F3jTrNo94AYiarNUGNnq6dU= -github.com/aws/aws-sdk-go-v2/service/sso v1.11.20/go.mod h1:hPsROgDdgY/NQ1gPt7VJWG0GjSnalDC0DkkMfGEw2gc= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.2 h1:/SYpdjjAtraymql+/r719OgjxezdanAQiLb/NMxDb04= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.2/go.mod h1:5cxfDYtY2mDOlmesy4yycb6lwyy1U/iAUOHKhQLKw/E= +github.com/aws/aws-sdk-go-v2/service/sso v1.11.23 h1:pwvCchFUEnlceKIgPUouBJwK81aCkQ8UDMORfeFtW10= +github.com/aws/aws-sdk-go-v2/service/sso v1.11.23/go.mod h1:/w0eg9IhFGjGyyncHIQrXtU8wvNsTJOP0R6PPj0wf80= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.5 h1:GUnZ62TevLqIoDyHeiWj2P7EqaosgakBKVvWriIdLQY= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.5/go.mod h1:csZuQY65DAdFBt1oIjO5hhBR49kQqop4+lcuCjf2arA= github.com/aws/aws-sdk-go-v2/service/sts v1.6.0/go.mod h1:q7o0j7d7HrJk/vr9uUt3BVRASvcU7gYZB9PUgPiByXg= -github.com/aws/aws-sdk-go-v2/service/sts v1.10.0/go.mod h1:jLKCFqS+1T4i7HDqCP9GM4Uk75YW1cS0o82LdxpMyOE= -github.com/aws/aws-sdk-go-v2/service/sts v1.16.16/go.mod 
h1:Y9iBgT1w2vHtYzJEkwD6FqILjDSsvbxcW/+wIYxyse4= +github.com/aws/aws-sdk-go-v2/service/sts v1.16.19/go.mod h1:h4J3oPZQbxLhzGnk+j9dfYHi5qIOVJ5kczZd658/ydM= github.com/aws/aws-sdk-go-v2/service/sts v1.17.0 h1:9S0HcZUxKcU3HdN+M6GgLIvdbg9as5aOoHrvwRsPNYU= github.com/aws/aws-sdk-go-v2/service/sts v1.17.0/go.mod h1:9pZN58zQc5a4Dkdnhu/rI1lNBui1vP5B0giGCuUt2b0= github.com/aws/smithy-go v1.6.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E= -github.com/aws/smithy-go v1.9.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E= github.com/aws/smithy-go v1.11.0/go.mod h1:3xHYmszWVx2c0kIwQeEVf9uSm4fYZt67FBJnwub1bgM= github.com/aws/smithy-go v1.13.1/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= 
@@ -457,49 +382,36 @@ github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62 github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= -github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/speakeasy v0.1.0 h1:ByYyxL9InA1OWqxJqqp2A5pYHUrCiAL6K3J+LKSsQkY= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= -github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA= -github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA= github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84= github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM= github.com/bkielbasa/cyclop v1.2.0/go.mod h1:qOI0yy6A7dYC4Zgsa72Ppm9kONl0RoIlPbzot9mhmeI= github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI= -github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/blang/semver/v4 v4.0.0 
h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/blizzy78/varnamelen v0.3.0/go.mod h1:hbwRdBvoBqxk34XyQ6HA0UH3G0/1TKuv5AC4eaBT0Ec= -github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4= github.com/bombsimon/wsl/v3 v3.3.0/go.mod h1:st10JtZYLE4D5sC7b8xV4zTKZwAQjCH/Hy2Pm1FNZIc= github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA= github.com/breml/bidichk v0.1.1/go.mod h1:zbfeitpevDUGI7V91Uzzuwrn4Vls8MoBMrwtt78jmso= -github.com/bshuster-repo/logrus-logstash-hook v0.4.1/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= -github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s= -github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8= -github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50= -github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE= github.com/butuzov/ireturn v0.1.1/go.mod h1:Wh6Zl3IMtTpaIKbmwzqi6olnM9ptYQxxVacMsOEFPoc= -github.com/bytecodealliance/wasmtime-go v0.31.0/go.mod h1:q320gUxqyI8yB+ZqRuaJOEnGkAnHh6WtJjMaT2CW4wI= -github.com/bytecodealliance/wasmtime-go v0.33.1 h1:TFep11LiqCy1B6QUIAtqH3KZTbZcKasm89/AF9sqLnA= +github.com/bytecodealliance/wasmtime-go v1.0.0 h1:9u9gqaUiaJeN5IoD1L7egD8atOnTGyJcNp8BhkL9cUU= github.com/caarlos0/ctrlc v1.0.0/go.mod h1:CdXpj4rmq0q/1Eb44M9zi2nKB0QraNKuRGYGrrHhcQw= github.com/cactus/go-statsd-client/statsd v0.0.0-20200423205355-cb0885a1018c/go.mod h1:l/bIBLeOl9eX+wxJAzxS4TveKRtAqlyDpHjhkfO0MEI= github.com/campoy/unique v0.0.0-20180121183637-88950e537e7e/go.mod h1:9IOqJGCPMSc6E5ydlp5NIonxObaeu/Iub/X03EKPVYo= github.com/casbin/casbin/v2 v2.1.2/go.mod 
h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ= -github.com/cavaliercoder/badio v0.0.0-20160213150051-ce5280129e9e/go.mod h1:V284PjgVwSk4ETmz84rpu9ehpGg7swlIH8npP9k2bGw= github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e/go.mod h1:oDpT4efm8tSYHXV5tHSdRvBet/b/QzxZ+XyyPehvm3A= -github.com/cavaliercoder/go-rpm v0.0.0-20200122174316-8cb9fd9c31a8/go.mod h1:AZIh1CCnMrcVm6afFf96PBvE2MRpWFco91z8ObJtgDY= github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= -github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M= github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= -github.com/cenkalti/backoff/v4 v4.1.1/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw= +github.com/cenkalti/backoff/v4 v4.1.3 h1:cFAlzYUlVYDysBEH2T5hyJZMh3+5+WCBvSnK6Q8UtC4= +github.com/cenkalti/backoff/v4 v4.1.3/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw= github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.3.0 h1:t/LhUZLVitR1Ow2YOnduCsavhwFUklBMoGVYUCqmCqk= 
@@ -514,20 +426,15 @@ github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cb github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/charithe/durationcheck v0.0.9/go.mod h1:SSbRIBVfMjCi/kEB6K65XEA83D6prSM8ap1UCpNKtgg= github.com/chavacava/garif v0.0.0-20210405164556-e8a0a408d6af/go.mod h1:Qjyv4H3//PWVzTeCezG2b9IRn6myJxJSr4TD/xo6ojU= -github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw= -github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M= github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21 h1:XlpL9EHrPOBJMLDDOf35/G4t5rGAFNNAZQ3cDcWavtc= github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21/go.mod h1:Zlre/PVxuSI9y6/UV4NwGixQ48RHQDSPiUkofr6rbMU= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/cilium/ebpf v0.0.0-20200110133405-4032b1d8aae3/go.mod h1:MA5e5Lr8slmEg9bt0VpxxWqJlO4iwu3FBdHUzV7wQVg= -github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775/go.mod h1:7cR51M8ViRLIdUjrmSXlK9pkrsDlLHbO8jiB8X8JnOc= -github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs= -github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= -github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag= github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I= +github.com/clbanning/mxj/v2 v2.5.6 h1:Jm4VaCI/+Ug5Q57IzEoZbwx4iQFA6wkXv72juUSeK+g= 
+github.com/clbanning/mxj/v2 v2.5.6/go.mod h1:hNiWqW14h+kc+MdF9C6/YoRfjEJoR3ou6tn/Qo+ve2s= github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= @@ -541,7 +448,6 @@ github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWH github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20220520190051-1e77728a1eaa h1:B/lvg4tQ5hfFZd4V2hcSfFVfUvAK6GSFKxIIzwnkv8g= github.com/cncf/xds/go v0.0.0-20220520190051-1e77728a1eaa/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ= 
@@ -554,113 +460,24 @@ github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f h1:o/kfcElHqOi github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI= github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI= github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE= -github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w= -github.com/containerd/aufs v0.0.0-20200908144142-dab0cbea06f4/go.mod h1:nukgQABAEopAHvB6j7cnP5zJ+/3aVcE7hCYqvIwAHyE= -github.com/containerd/aufs v0.0.0-20201003224125-76a6863f2989/go.mod h1:AkGGQs9NM2vtYHaUen+NljV0/baGCAPELGm2q9ZXpWU= -github.com/containerd/aufs v0.0.0-20210316121734-20793ff83c97/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU= -github.com/containerd/aufs v1.0.0/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU= -github.com/containerd/btrfs v0.0.0-20201111183144-404b9149801e/go.mod h1:jg2QkJcsabfHugurUvvPhS3E08Oxiuh5W/g1ybB4e0E= -github.com/containerd/btrfs v0.0.0-20210316141732-918d888fb676/go.mod h1:zMcX3qkXTAi9GI50+0HOeuV8LU2ryCE/V2vG/ZBiTss= -github.com/containerd/btrfs v1.0.0/go.mod h1:zMcX3qkXTAi9GI50+0HOeuV8LU2ryCE/V2vG/ZBiTss= -github.com/containerd/cgroups v0.0.0-20190717030353-c4b9ac5c7601/go.mod h1:X9rLEHIqSf/wfK8NsPqxJmeZgW4pcfzdXITDrUSJ6uI= -github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f/go.mod h1:OApqhQ4XNSNC13gXIwDjhOQxjWa/NxkwZXJ1EvqT0ko= -github.com/containerd/cgroups v0.0.0-20200531161412-0dbf7f05ba59/go.mod h1:pA0z1pT8KYB3TCXK/ocprsh7MAkoW8bZVzPdih9snmM= -github.com/containerd/cgroups 
v0.0.0-20200710171044-318312a37340/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo= -github.com/containerd/cgroups v0.0.0-20200824123100-0b889c03f102/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo= -github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68/go.mod h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE= -github.com/containerd/cgroups v1.0.1/go.mod h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU= -github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= -github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= -github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE= -github.com/containerd/console v1.0.1/go.mod h1:XUsP6YE/mKtz6bxc+I8UiKKTP04qjQL4qcS3XoQ5xkw= -github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ= -github.com/containerd/containerd v1.2.10/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/containerd/containerd v1.3.1-0.20191213020239-082f7e3aed57/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/containerd/containerd v1.3.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/containerd/containerd v1.4.0-beta.2.0.20200729163537-40b22ef07410/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/containerd/containerd v1.4.1/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/containerd/containerd v1.4.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/containerd/containerd v1.4.9/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/containerd/containerd v1.5.0-beta.1/go.mod 
h1:5HfvG1V2FsKesEGQ17k5/T7V960Tmcumvqn8Mc+pCYQ= -github.com/containerd/containerd v1.5.0-beta.3/go.mod h1:/wr9AVtEM7x9c+n0+stptlo/uBBoBORwEx6ardVcmKU= -github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09ZvgqEq8EfBp/m3lcVZIvPHhI= -github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s= -github.com/containerd/containerd v1.5.8/go.mod h1:YdFSv5bTFLpG2HIYmfqDpSYYTDX+mc5qtSuYx1YUb/s= -github.com/containerd/containerd v1.5.9/go.mod h1:fvQqCfadDGga5HZyn3j4+dx56qj2I9YwBrlSdalvJYQ= -github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= -github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= -github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= -github.com/containerd/continuity v0.0.0-20200710164510-efbc4488d8fe/go.mod h1:cECdGN1O8G9bgKTlLhuPJimka6Xb/Gg7vYzCTNVxhvo= -github.com/containerd/continuity v0.0.0-20201208142359-180525291bb7/go.mod h1:kR3BEg7bDFaEddKm54WSmrol1fKWDU1nKYkgrcgZT7Y= -github.com/containerd/continuity v0.0.0-20210208174643-50096c924a4e/go.mod h1:EXlVlkqNba9rJe3j7w3Xa924itAMLgZH4UD/Q4PExuQ= -github.com/containerd/continuity v0.1.0/go.mod h1:ICJu0PwR54nI0yPEnJ6jcS+J7CZAUXrLh8lPo2knzsM= -github.com/containerd/fifo v0.0.0-20180307165137-3d5202aec260/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI= -github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI= -github.com/containerd/fifo v0.0.0-20200410184934-f15a3290365b/go.mod h1:jPQ2IAeZRCYxpS/Cm1495vGFww6ecHmMk1YJH2Q5ln0= -github.com/containerd/fifo v0.0.0-20201026212402-0724c46b320c/go.mod h1:jPQ2IAeZRCYxpS/Cm1495vGFww6ecHmMk1YJH2Q5ln0= -github.com/containerd/fifo v0.0.0-20210316144830-115abcc95a1d/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4= 
-github.com/containerd/fifo v1.0.0/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4= -github.com/containerd/go-cni v1.0.1/go.mod h1:+vUpYxKvAF72G9i1WoDOiPGRtQpqsNW/ZHtSlv++smU= -github.com/containerd/go-cni v1.0.2/go.mod h1:nrNABBHzu0ZwCug9Ije8hL2xBCYh/pjfMb1aZGrrohk= -github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0= -github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0= -github.com/containerd/go-runc v0.0.0-20200220073739-7016d3ce2328/go.mod h1:PpyHrqVs8FTi9vpyHwPwiNEGaACDxT/N/pLcvMSRA9g= -github.com/containerd/go-runc v0.0.0-20201020171139-16b287bc67d0/go.mod h1:cNU0ZbCgCQVZK4lgG3P+9tn9/PaJNmoDXPpoJhDR+Ok= -github.com/containerd/go-runc v1.0.0/go.mod h1:cNU0ZbCgCQVZK4lgG3P+9tn9/PaJNmoDXPpoJhDR+Ok= -github.com/containerd/imgcrypt v1.0.1/go.mod h1:mdd8cEPW7TPgNG4FpuP3sGBiQ7Yi/zak9TYCG3juvb0= -github.com/containerd/imgcrypt v1.0.4-0.20210301171431-0ae5c75f59ba/go.mod h1:6TNsg0ctmizkrOgXRNQjAPFWpMYRWuiB6dSF4Pfa5SA= -github.com/containerd/imgcrypt v1.1.1-0.20210312161619-7ed62a527887/go.mod h1:5AZJNI6sLHJljKuI9IHnw1pWqo/F0nGDOuR9zgTs7ow= -github.com/containerd/imgcrypt v1.1.1/go.mod h1:xpLnwiQmEUJPvQoAapeb2SNCxz7Xr6PJrXQb0Dpc4ms= -github.com/containerd/nri v0.0.0-20201007170849-eb1350a75164/go.mod h1:+2wGSDGFYfE5+So4M5syatU0N0f0LbWpuqyMi4/BE8c= -github.com/containerd/nri v0.0.0-20210316161719-dbaa18c31c14/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY= -github.com/containerd/nri v0.1.0/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY= -github.com/containerd/stargz-snapshotter/estargz v0.10.1 h1:hd1EoVjI2Ax8Cr64tdYqnJ4i4pZU49FkEf5kU8KxQng= -github.com/containerd/stargz-snapshotter/estargz v0.10.1/go.mod h1:aE5PCyhFMwR8sbrErO5eM2GcvkyXTTJremG883D4qF0= -github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o= -github.com/containerd/ttrpc 
v0.0.0-20190828172938-92c8520ef9f8/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o= -github.com/containerd/ttrpc v0.0.0-20191028202541-4f1b8fe65a5c/go.mod h1:LPm1u0xBw8r8NOKoOdNMeVHSawSsltak+Ihv+etqsE8= -github.com/containerd/ttrpc v1.0.1/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y= -github.com/containerd/ttrpc v1.0.2/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y= -github.com/containerd/ttrpc v1.1.0/go.mod h1:XX4ZTnoOId4HklF4edwc4DcqskFZuvXB1Evzy5KFQpQ= -github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc= -github.com/containerd/typeurl v0.0.0-20190911142611-5eb25027c9fd/go.mod h1:GeKYzf2pQcqv7tJ0AoCuuhtnqhva5LNU3U+OyKxxJpk= -github.com/containerd/typeurl v1.0.1/go.mod h1:TB1hUtrpaiO88KEK56ijojHS1+NeF0izUACaJW2mdXg= -github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s= -github.com/containerd/zfs v0.0.0-20200918131355-0a33824f23a2/go.mod h1:8IgZOBdv8fAgXddBT4dBXJPtxyRsejFIpXoklgxgEjw= -github.com/containerd/zfs v0.0.0-20210301145711-11e8f1707f62/go.mod h1:A9zfAbMlQwE+/is6hi0Xw8ktpL+6glmqZYtevJgaB8Y= -github.com/containerd/zfs v0.0.0-20210315114300-dde8f0fda960/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNRIRHsFY= -github.com/containerd/zfs v0.0.0-20210324211415-d5c4544f0433/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNRIRHsFY= -github.com/containerd/zfs v1.0.0/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNRIRHsFY= -github.com/containernetworking/cni v0.7.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= -github.com/containernetworking/cni v0.8.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= -github.com/containernetworking/cni v0.8.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= -github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHVlzhJpcY6TQxn/fUyDDM= -github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8= -github.com/containers/ocicrypt 
v1.0.1/go.mod h1:MeJDzk1RJHv89LjsH0Sp5KTY3ZYkjXO/C+bKAeWFIrc= -github.com/containers/ocicrypt v1.1.0/go.mod h1:b8AOe0YR67uU8OqfVNcznfFpAzu3rdgUV4GP9qXPfu4= -github.com/containers/ocicrypt v1.1.1/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY= +github.com/containerd/stargz-snapshotter/estargz v0.12.0 h1:idtwRTLjk2erqiYhPWy2L844By8NRFYEwYHcXhoIWPM= +github.com/containerd/stargz-snapshotter/estargz v0.12.0/go.mod h1:AIQ59TewBFJ4GOPEQXujcrJ/EKxh5xXZegW1rkR1P/M= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= -github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= -github.com/coreos/go-iptables v0.5.0/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= -github.com/coreos/go-oidc/v3 v3.1.0 h1:6avEvcdvTa1qYsOZ6I5PRkSYHzpTNWgKYmaJfaYbrRw= -github.com/coreos/go-oidc/v3 v3.1.0/go.mod h1:rEJ/idjfUyfkBit1eI1fvyr+64/g9dcKpAm8MJMesvo= +github.com/coreos/go-oidc/v3 v3.4.0 h1:xz7elHb/LDwm/ERpwHd+5nb7wFHL32rsr6bBOgaeu6g= +github.com/coreos/go-oidc/v3 v3.4.0/go.mod h1:eHUXhZtXPQLgEaDrOVTgwbgmz1xGOkJNye6h3zkD2Pw= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= -github.com/coreos/go-systemd v0.0.0-20161114122254-48702e0da86b/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= 
github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190620071333-e64a0ec8b42a/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzAJc1DzSI= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= 
@@ -675,56 +492,36 @@ github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/cyberphone/json-canonicalization v0.0.0-20210303052042-6bc126869bf4/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= github.com/cyberphone/json-canonicalization v0.0.0-20210823021906-dc406ceaf94b h1:lMzA7yYThpwx7iYNpTeiQnRH6h5JSfSYMJdz+pxZOW8= github.com/cyberphone/json-canonicalization v0.0.0-20210823021906-dc406ceaf94b/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= -github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= -github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= -github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c/go.mod h1:Ct2BUK8SB0YC1SMSibvLzxjeJLnrYEVLULFNiHY9YfQ= -github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW34z5W5s= -github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5/go.mod h1:Eo87+Kg/IX2hfWJfwxMzLyuSZyxSoAug2nGa1G2QAi8= -github.com/d2g/hardwareaddr v0.0.0-20190221164911-e7d9fbe030e4/go.mod h1:bMl4RjIciD2oAxI7DmWRx6gbeqrkoLqv3MV0vzNad+I= github.com/daixiang0/gci v0.2.9/go.mod h1:+4dZ7TISfSmqfAGv59ePaHfNzgGtIkHAhhdKggP1JAc= github.com/danieljoos/wincred v1.0.2/go.mod h1:SnuYRW9lp1oJrZX/dXJqr0cPK5gYXqx3EJbmjhLdK9U= github.com/danieljoos/wincred v1.1.0/go.mod h1:XYlo+eRTsVA9aHGp7NGjFkPla4m+DCL7hqDjlFjiygg= -github.com/danieljoos/wincred v1.1.1/go.mod h1:gSBQmTx6G0VmLowygiA7ZD0p0E09HJ68vta8z/RT2d0= github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 
h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/denis-tingajkin/go-header v0.4.2/go.mod h1:eLRHAVXzE5atsKAnNRDB90WHCFFnBUn4RN0nRcs1LJA= github.com/denisenkom/go-mssqldb v0.0.0-20191124224453-732737034ffd/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= -github.com/denisenkom/go-mssqldb v0.11.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= github.com/denisenkom/go-mssqldb v0.12.2 h1:1OcPn5GBIobjWNd+8yjfHNIaFX14B1pWI3F9HZy5KXw= github.com/denisenkom/go-mssqldb v0.12.2/go.mod h1:lnIw1mZukFRZDJYQ0Pb833QS2IaC3l5HkEfra2LJ+sk= -github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0= +github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936 h1:foGzavPWwtoyBvjWyKJYDYsyzy+23iBV7NKTwdk+LRY= github.com/devigned/tab v0.1.1/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY= github.com/dgraph-io/badger/v3 v3.2103.2 h1:dpyM5eCJAtQCBcMCZcT4UBZchuTJgCywerHHgmxfxM8= -github.com/dgraph-io/badger/v3 v3.2103.2/go.mod h1:RHo4/GmYcKKh5Lxu63wLEMHJ70Pac2JqZRYGhlyAo2M= github.com/dgraph-io/ristretto v0.1.0 h1:Jv3CGQHp9OjuMBSne1485aDpUkTKEcUqF+jm/LuerPI= -github.com/dgraph-io/ristretto v0.1.0/go.mod h1:fux0lOrBhrVCJd3lcTHsIJhq1T2rokOu6v9Vcb3Q9ug= -github.com/dgrijalva/jwt-go v0.0.0-20170104182250-a601269ab70c/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= -github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= -github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= +github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 
h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g= +github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U= github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= -github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= -github.com/docker/cli v20.10.11+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/cli v20.10.12+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/cli v20.10.17+incompatible h1:eO2KS7ZFeov5UJeaDmIs1NFEDRf32PaqRpvoEkKBy5M= github.com/docker/cli v20.10.17+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TTO4EOBfRPhZXAeF1Vu+W3hHZ8eLp8PgKVZlcvtFY= -github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/distribution v2.8.0+incompatible h1:l9EaZDICImO1ngI+uTifW+ZYvvz7fKISBAKpg+MbWbY= -github.com/docker/distribution v2.8.0+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v20.10.11+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v20.10.12+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68= +github.com/docker/distribution 
v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v20.10.20+incompatible h1:kH9tx6XO+359d+iAkumyKDc5Q1kOwPuAUaeri48nD6E= github.com/docker/docker v20.10.20+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= 
@@ -732,20 +529,12 @@ github.com/docker/docker-credential-helpers v0.6.4 h1:axCks+yV+2MR3/kZhAmy07yC56 github.com/docker/docker-credential-helpers v0.6.4/go.mod h1:ofX3UI0Gz1TteYBjtgs07O36Pyasyp66D2uKT7H8W1c= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= -github.com/docker/go-events v0.0.0-20170721190031-9461782956ad/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA= -github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA= -github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI= -github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw= -github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw= github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= -github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE= -github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/dvyukov/go-fuzz v0.0.0-20210914135545-4980593459a1/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw= github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= 
github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= @@ -765,13 +554,11 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.m github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= -github.com/envoyproxy/go-control-plane v0.10.1/go.mod h1:AY7fTTXNdv/aJ2O5jwpxAPOWUZ7hQAEvzN5Pf27BkQQ= github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1 h1:xvqufLtNVwAhN8NMyWklVgxnWohi+wtMGQMhtxexlm0= github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= github.com/envoyproxy/protoc-gen-validate v0.0.14/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.3.0-java/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/envoyproxy/protoc-gen-validate v0.6.2/go.mod h1:2t7qjJNvHPx8IjnBOzl9E9/baC+qXE/TeeyBRzgJDws= github.com/envoyproxy/protoc-gen-validate v0.6.7 h1:qcZcULcd/abmQg6dwigimCNEyi4gg31M/xaciQlDml8= github.com/envoyproxy/protoc-gen-validate v0.6.7/go.mod h1:dyJXwwfPK2VSqiB9Klm1J6romD608Ba7Hij42vrOBCo= github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 h1:Yzb9+7DPaBjB8zlTR87/ElzFsnQfuHnVUVqpZZIcV5Y= 
@@ -780,10 +567,8 @@ github.com/esimonov/ifshort v1.0.3/go.mod h1:yZqNJUrNn20K8Q9n2CrjTKYyVEmX209Hgu+ github.com/etcd-io/gofail v0.0.0-20190801230047-ad7f989257ca/go.mod h1:49H/RkXP8pKaZy4h0d+NW16rSLhyVBt4o6VLJbmOqDE= github.com/ettle/strcase v0.1.1/go.mod h1:hzDLsPC7/lwKyBOywSHEP89nt2pDgdy+No1NBA9o9VY= github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ= -github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/evanphx/json-patch/v5 v5.5.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/facebookgo/clock v0.0.0-20150410010913-600d898af40a h1:yDWHCSQ40h88yih2JAcL6Ls/kVkSE8GFACTGVnMPruw= 
@@ -795,56 +580,39 @@ github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGE github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo= -github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94= github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/felixge/httpsnoop v1.0.2 h1:+nS9g82KMXccJ/wp0zyRW9ZBHFETmMGtkk+2CTTrW4o= github.com/felixge/httpsnoop v1.0.2/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= -github.com/flynn/go-docopt v0.0.0-20140912013429-f6dd2ebbb31e/go.mod h1:HyVoz1Mz5Co8TFO8EupIdlcpwShBmY98dkT2xeHkvEI= github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= -github.com/form3tech-oss/jwt-go v3.2.5+incompatible h1:/l4kBbb4/vGSsdtB5nUe8L7B9mImVMaBPw9L/0TBHU8= github.com/form3tech-oss/jwt-go v3.2.5+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/fortytw2/leaktest v1.2.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= github.com/foxcpp/go-mockdns v0.0.0-20210729171921-fb145fc6f897 h1:E52jfcE64UG42SwLmrW0QByONfGynWuzBvm86BoB9z8= -github.com/foxcpp/go-mockdns v0.0.0-20210729171921-fb145fc6f897/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4= github.com/franela/goblin 
v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4= github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20= -github.com/frankban/quicktest v1.10.0/go.mod h1:ui7WezCLWMWxVWr1GETZY3smRy0G4KWq9vcPtJmFl7Y= -github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= -github.com/frankban/quicktest v1.13.0/go.mod h1:qLE0fzW0VuyUAJgPU19zByoIr0HtCHN/r/VLSOOIySU= github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU= github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI= github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= -github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA= github.com/fullstorydev/grpcurl v1.6.0/go.mod h1:ZQ+ayqbKMJNhzLmbpCiurTVlaK2M/3nqZCxaQ2Ze/sM= github.com/fullstorydev/grpcurl v1.8.0/go.mod h1:Mn2jWbdMrQGJQ8UD62uNyMumT2acsZUCkZIqFxsQf1o= github.com/fullstorydev/grpcurl v1.8.1/go.mod h1:3BWhvHZwNO7iLXaQlojdg5NA6SxUDePli4ecpK1N7gw= -github.com/fullstorydev/grpcurl v1.8.2/go.mod h1:YvWNT3xRp2KIRuvCphFodG0fKkMXwaxA9CJgKCcyzUQ= -github.com/fullstorydev/grpcurl v1.8.6 h1:WylAwnPauJIofYSHqqMTC1eEfUIzqzevXyogBxnQquo= github.com/fullstorydev/grpcurl v1.8.6/go.mod h1:WhP7fRQdhxz2TkL97u+TCb505sxfH78W1usyoB3tepw= +github.com/fullstorydev/grpcurl v1.8.7 h1:xJWosq3BQovQ4QrdPO72OrPiWuGgEsxY8ldYsJbPrqI= +github.com/fullstorydev/grpcurl v1.8.7/go.mod h1:pVtM4qe3CMoLaIzYS8uvTuDj2jVYmXqMUkZeijnXp/E= github.com/fzipp/gocyclo v0.3.1/go.mod h1:DJHO6AUmbdqj2ET4Z9iArSuwWgYDRryYt2wASxc7x3E= -github.com/garyburd/redigo 
v0.0.0-20150301180006-535138d7bcd7/go.mod h1:NR3MbYisc3/PwhQ00EMzDiPmrwpPxAn5GI05/YaO1SY= github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg= github.com/getsentry/raven-go v0.2.0 h1:no+xWJRb5ZI7eE8TWgIq1jLulQiIoLG0IfYxv5JYMGs= github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ= -github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI= -github.com/gin-gonic/gin v1.5.0/go.mod h1:Nd6IXA8m5kNZdNEHMBd93KT+mdY3+bewLgRvmCsR2Do= -github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M= -github.com/gin-gonic/gin v1.7.3/go.mod h1:jD2toBW3GZUr5UMcdrwQA10I7RuaFOl/SGeDjXkfUtY= github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0= -github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= -github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= -github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec= github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= github.com/go-critic/go-critic v0.6.1/go.mod h1:SdNCfU0yF3UBjtaZGw6586/WocupMOJuiqgom5DsQxM= 
@@ -857,7 +625,6 @@ github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2 github.com/go-kit/kit v0.10.0/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o= github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0= -github.com/go-ldap/ldap/v3 v3.1.10/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= 
@@ -865,151 +632,78 @@ github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KE github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.1/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/stdr v1.2.0/go.mod h1:YkVgnZu1ZjjL7xTxrfm/LLZBfkhTqSR1ydtm6jTKKwI= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-logr/zapr v1.2.0/go.mod h1:Qa4Bsj2Vb+FAVeAKsLD8RLQ+YRJB8YDmOAKxaBQf7Ro= github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4= github.com/go-ole/go-ole v1.2.5/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY= github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= -github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI= -github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik= -github.com/go-openapi/analysis v0.18.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik= -github.com/go-openapi/analysis v0.19.2/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk= -github.com/go-openapi/analysis v0.19.4/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk= -github.com/go-openapi/analysis 
v0.19.5/go.mod h1:hkEAkxagaIvIP7VTn8ygJNkd4kAYON2rCu0v0ObL0AU= -github.com/go-openapi/analysis v0.19.10/go.mod h1:qmhS3VNFxBlquFJ0RGoDtylO9y4pgTAUNE9AEEMdlJQ= -github.com/go-openapi/analysis v0.19.16/go.mod h1:GLInF007N83Ad3m8a/CbQ5TPzdnGT7workfHwuVjNVk= -github.com/go-openapi/analysis v0.20.0/go.mod h1:BMchjvaHDykmRMsK40iPtvyOfFdMMxlOmQr9FBZk+Og= -github.com/go-openapi/analysis v0.20.1/go.mod h1:BMchjvaHDykmRMsK40iPtvyOfFdMMxlOmQr9FBZk+Og= -github.com/go-openapi/analysis v0.21.2 h1:hXFrOYFHUAMQdu6zwAiKKJHJQ8kqZs1ux/ru1P1wLJU= github.com/go-openapi/analysis v0.21.2/go.mod h1:HZwRk4RRisyG8vx2Oe6aqeSQcoxRp47Xkp3+K6q+LdY= -github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0= -github.com/go-openapi/errors v0.18.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0= -github.com/go-openapi/errors v0.19.2/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94= -github.com/go-openapi/errors v0.19.3/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94= -github.com/go-openapi/errors v0.19.6/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= -github.com/go-openapi/errors v0.19.7/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= +github.com/go-openapi/analysis v0.21.4 h1:ZDFLvSNxpDaomuCueM0BlSXxpANBlFYiBvr+GXrvIHc= +github.com/go-openapi/analysis v0.21.4/go.mod h1:4zQ35W4neeZTqh3ol0rv/O8JBbka9QyAgQRPp9y3pfo= github.com/go-openapi/errors v0.19.8/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= github.com/go-openapi/errors v0.19.9/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= -github.com/go-openapi/errors v0.20.1/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= -github.com/go-openapi/errors v0.20.2 h1:dxy7PGTqEh94zj2E3h1cUmQQWiM1+aeCROfAr02EmK8= github.com/go-openapi/errors v0.20.2/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= -github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= -github.com/go-openapi/jsonpointer v0.18.0/go.mod 
h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= -github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= +github.com/go-openapi/errors v0.20.3 h1:rz6kiC84sqNQoqrtulzaL/VERgkoCyB6WdEkc2ujzUc= +github.com/go-openapi/errors v0.20.3/go.mod h1:Z3FlZ4I8jEGxjUK+bugx3on2mIAk4txuAOhlsB1FSgk= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= -github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= -github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= -github.com/go-openapi/jsonreference v0.19.6 h1:UBIxjkht+AWIgYzCDSv2GN+E/togfwXUJFRTWhl2Jjs= github.com/go-openapi/jsonreference v0.19.6/go.mod h1:diGHMEHg2IqXZGKxqyvWdfWU/aim5Dprw5bqpKkTvns= -github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= -github.com/go-openapi/loads v0.18.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= -github.com/go-openapi/loads v0.19.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= -github.com/go-openapi/loads v0.19.2/go.mod h1:QAskZPMX5V0C2gvfkGZzJlINuP7Hx/4+ix5jWFxsNPs= -github.com/go-openapi/loads v0.19.3/go.mod h1:YVfqhUCdahYwR3f3iiwQLhicVRvLlU/WO5WPaZvcvSI= -github.com/go-openapi/loads v0.19.5/go.mod h1:dswLCAdonkRufe/gSUC3gN8nTSaB9uaS2es0x5/IbjY= -github.com/go-openapi/loads v0.19.6/go.mod h1:brCsvE6j8mnbmGBh103PT/QLHfbyDxA4hsKvYBNEGVc= -github.com/go-openapi/loads v0.19.7/go.mod 
h1:brCsvE6j8mnbmGBh103PT/QLHfbyDxA4hsKvYBNEGVc= -github.com/go-openapi/loads v0.20.0/go.mod h1:2LhKquiE513rN5xC6Aan6lYOSddlL8Mp20AW9kpviM4= -github.com/go-openapi/loads v0.20.2/go.mod h1:hTVUotJ+UonAMMZsvakEgmWKgtulweO9vYP2bQYKA/o= -github.com/go-openapi/loads v0.21.0/go.mod h1:rHYve9nZrQ4CJhyeIIFJINGCg1tQpx2yJrrNo8sf1ws= -github.com/go-openapi/loads v0.21.1 h1:Wb3nVZpdEzDTcly8S4HMkey6fjARRzb7iEaySimlDW0= +github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA= +github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo= github.com/go-openapi/loads v0.21.1/go.mod h1:/DtAMXXneXFjbQMGEtbamCZb+4x7eGwkvZCvBmwUG+g= -github.com/go-openapi/runtime v0.0.0-20180920151709-4f900dc2ade9/go.mod h1:6v9a6LTXWQCdL8k1AO3cvqx5OtZY/Y9wKTgaoP6YRfA= -github.com/go-openapi/runtime v0.19.0/go.mod h1:OwNfisksmmaZse4+gpV3Ne9AyMOlP1lt4sK4FXt0O64= -github.com/go-openapi/runtime v0.19.4/go.mod h1:X277bwSUBxVlCYR3r7xgZZGKVvBd/29gLDlFGtJ8NL4= -github.com/go-openapi/runtime v0.19.15/go.mod h1:dhGWCTKRXlAfGnQG0ONViOZpjfg0m2gUt9nTQPQZuoo= -github.com/go-openapi/runtime v0.19.16/go.mod h1:5P9104EJgYcizotuXhEuUrzVc+j1RiSjahULvYmlv98= -github.com/go-openapi/runtime v0.19.24/go.mod h1:Lm9YGCeecBnUUkFTxPC4s1+lwrkJ0pthx8YvyjCfkgk= -github.com/go-openapi/runtime v0.21.0/go.mod h1:aQg+kaIQEn+A2CRSY1TxbM8+sT9g2V3aLc1FbIAnbbs= +github.com/go-openapi/loads v0.21.2 h1:r2a/xFIYeZ4Qd2TnGpWDIQNcP80dIaZgf704za8enro= +github.com/go-openapi/loads v0.21.2/go.mod h1:Jq58Os6SSGz0rzh62ptiu8Z31I+OTHqmULx5e/gJbNw= github.com/go-openapi/runtime v0.24.1 h1:Sml5cgQKGYQHF+M7yYSHaH1eOjvTykrddTE/KtQVjqo= github.com/go-openapi/runtime v0.24.1/go.mod h1:AKurw9fNre+h3ELZfk6ILsfvPN+bvvlaU/M9q/r9hpk= -github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI= -github.com/go-openapi/spec v0.18.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI= -github.com/go-openapi/spec v0.19.2/go.mod 
h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY= -github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= -github.com/go-openapi/spec v0.19.6/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk= -github.com/go-openapi/spec v0.19.8/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk= -github.com/go-openapi/spec v0.19.15/go.mod h1:+81FIL1JwC5P3/Iuuozq3pPE9dXdIEGxFutcFKaVbmU= -github.com/go-openapi/spec v0.20.0/go.mod h1:+81FIL1JwC5P3/Iuuozq3pPE9dXdIEGxFutcFKaVbmU= -github.com/go-openapi/spec v0.20.1/go.mod h1:93x7oh+d+FQsmsieroS4cmR3u0p/ywH649a3qwC9OsQ= -github.com/go-openapi/spec v0.20.3/go.mod h1:gG4F8wdEDN+YPBMVnzE85Rbhf+Th2DTvA9nFPQ5AYEg= -github.com/go-openapi/spec v0.20.4 h1:O8hJrt0UMnhHcluhIdUgCLRWyM2x7QkBXRvOs7m+O1M= github.com/go-openapi/spec v0.20.4/go.mod h1:faYFR1CvsJZ0mNsmsphTMSoRrNV3TEDoAM7FOEWeq8I= -github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU= -github.com/go-openapi/strfmt v0.18.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU= -github.com/go-openapi/strfmt v0.19.0/go.mod h1:+uW+93UVvGGq2qGaZxdDeJqSAqBqBdl+ZPMF/cC8nDY= -github.com/go-openapi/strfmt v0.19.2/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU= -github.com/go-openapi/strfmt v0.19.3/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU= -github.com/go-openapi/strfmt v0.19.4/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk= -github.com/go-openapi/strfmt v0.19.5/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk= -github.com/go-openapi/strfmt v0.19.11/go.mod h1:UukAYgTaQfqJuAFlNxxMWNvMYiwiXtLsF2VwmoFtbtc= -github.com/go-openapi/strfmt v0.20.0/go.mod h1:UukAYgTaQfqJuAFlNxxMWNvMYiwiXtLsF2VwmoFtbtc= -github.com/go-openapi/strfmt v0.20.2/go.mod h1:43urheQI9dNtE5lTZQfuFJvjYJKPrxicATpEfZwHUNk= +github.com/go-openapi/spec v0.20.6/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA= +github.com/go-openapi/spec v0.20.7 h1:1Rlu/ZrOCCob0n+JKKJAWhNWMPW8bOZRg8FJaY+0SKI= +github.com/go-openapi/spec 
v0.20.7/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA= github.com/go-openapi/strfmt v0.21.0/go.mod h1:ZRQ409bWMj+SOgXofQAGTIo2Ebu72Gs+WaRADcS5iNg= github.com/go-openapi/strfmt v0.21.1/go.mod h1:I/XVKeLc5+MM5oPNN7P6urMOpuLXEcNrCX/rPGuWb0k= -github.com/go-openapi/strfmt v0.21.2 h1:5NDNgadiX1Vhemth/TH4gCGopWSTdDjxl60H3B7f+os= github.com/go-openapi/strfmt v0.21.2/go.mod h1:I/XVKeLc5+MM5oPNN7P6urMOpuLXEcNrCX/rPGuWb0k= -github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= -github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= -github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/strfmt v0.21.3 h1:xwhj5X6CjXEZZHMWy1zKJxvW9AfHC9pkyUjLvHtKG7o= +github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg= github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.7/go.mod h1:ao+8BpOPyKdpQz3AOJfbeEVpLmWAvlT1IfTe5McPyhY= -github.com/go-openapi/swag v0.19.9/go.mod h1:ao+8BpOPyKdpQz3AOJfbeEVpLmWAvlT1IfTe5McPyhY= -github.com/go-openapi/swag v0.19.12/go.mod h1:eFdyEBkTdoAf/9RXBvj4cr1nH7GD8Kzo5HTt47gr72M= -github.com/go-openapi/swag v0.19.13/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= -github.com/go-openapi/swag v0.21.1 h1:wm0rhTb5z7qpJRHBdPOMuY4QjVUMbF6/kwoYeRAOrKU= github.com/go-openapi/swag v0.21.1/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= -github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4= -github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA= -github.com/go-openapi/validate v0.19.3/go.mod h1:90Vh6jjkTn+OT1Eefm0ZixWNFjhtOH7vS9k0lo6zwJo= 
-github.com/go-openapi/validate v0.19.10/go.mod h1:RKEZTUWDkxKQxN2jDT7ZnZi2bhZlbNMAuKvKB+IaGx8= -github.com/go-openapi/validate v0.19.12/go.mod h1:Rzou8hA/CBw8donlS6WNEUQupNvUZ0waH08tGe6kAQ4= -github.com/go-openapi/validate v0.19.15/go.mod h1:tbn/fdOwYHgrhPBzidZfJC2MIVvs9GA7monOmWBbeCI= -github.com/go-openapi/validate v0.20.1/go.mod h1:b60iJT+xNNLfaQJUqLI7946tYiFEOuE9E4k54HpKcJ0= -github.com/go-openapi/validate v0.20.3/go.mod h1:goDdqVGiigM3jChcrYJxD2joalke3ZXeftD16byIjA4= -github.com/go-openapi/validate v0.21.0 h1:+Wqk39yKOhfpLqNLEC0/eViCkzM5FVXVqrvt526+wcI= +github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-openapi/validate v0.21.0/go.mod h1:rjnrwK57VJ7A8xqfpAOEKRH8yQSGUriMu5/zuPSQ1hg= +github.com/go-openapi/validate v0.22.0 h1:b0QecH6VslW/TxtpKgzpO1SNG7GU2FsaqKdP1E2T50Y= +github.com/go-openapi/validate v0.22.0/go.mod h1:rjnrwK57VJ7A8xqfpAOEKRH8yQSGUriMu5/zuPSQ1hg= github.com/go-playground/assert/v2 v2.0.1 h1:MsBgLAaY856+nPRTKrp3/OZK38U/wa0CcBYNjji3q3A= github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4= -github.com/go-playground/locales v0.12.1/go.mod h1:IUMDtCfWo/w/mtMfIE/IG2K+Ey3ygWanZIBtBW0W2TM= -github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8= github.com/go-playground/locales v0.14.0 h1:u50s323jtVGugKlcYeyzC0etD1HifMjqmJqb8WugfUU= github.com/go-playground/locales v0.14.0/go.mod h1:sawfccIbzZTqEDETgFXqTho0QybSa7l++s0DH+LDiLs= -github.com/go-playground/universal-translator v0.16.0/go.mod h1:1AnU7NaIRDWWzGEKwgtJRd2xk99HeFyHw3yid4rvQIY= -github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA= github.com/go-playground/universal-translator v0.18.0 h1:82dyy6p4OuJq4/CByFNOn/jYrnRPArHwAcmLoJZxyho= github.com/go-playground/universal-translator v0.18.0/go.mod 
h1:UvRDBj+xPUEGrFYl+lu/H90nyDXpg0fqeB/AQUGNTVA= -github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI= -github.com/go-playground/validator/v10 v10.4.1/go.mod h1:nlOn6nFhuKACm19sB/8EGNn9GlaMV7XkbRSipzJ0Ii4= -github.com/go-playground/validator/v10 v10.10.0 h1:I7mrTYv78z8k8VXa/qJlOlEXn/nBh+BF8dHX5nt/dr0= -github.com/go-playground/validator/v10 v10.10.0/go.mod h1:74x4gJWsvQexRdW8Pn3dXSGrTK4nAUsbPlLADvpJkos= +github.com/go-playground/validator/v10 v10.11.0 h1:0W+xRM511GY47Yy3bZUbJVitCNg2BOGlCyvTqsp/xIw= +github.com/go-playground/validator/v10 v10.11.0/go.mod h1:i+3WkQ1FvaUjjxh1kSvIA4dMGDBiPU55YFDl0WbKdWU= github.com/go-redis/redis v6.15.8+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= github.com/go-redis/redis v6.15.9+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= -github.com/go-rod/rod v0.101.8/go.mod h1:N/zlT53CfSpq74nb6rOR0K8UF0SPUPBmzBnArrms+mY= -github.com/go-rod/rod v0.106.1 h1:+9YdoTT56KI3KrFfWVr3I13wh0qbhm/Aq+7JvCBA6AQ= +github.com/go-rod/rod v0.109.3 h1:MxuSJGK9lEUq07K+QPfnxnuvQpsQT+YI4SoQjSE0LVg= github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE= github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/go-stack/stack v1.8.1 h1:ntEHSVwIt7PNXNpgPmVfMrNhLtgjlmnZha2kOpuRiDw= github.com/go-stack/stack v1.8.1/go.mod h1:dcoOX6HbPZSZptuspn9bctJ+N/CnF5gGygcUP3XYfe4= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= -github.com/go-test/deep v1.0.2/go.mod 
h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM= -github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= github.com/go-toolsmith/astcast v1.0.0/go.mod h1:mt2OdQTeAQcY4DQgPSArJjHCcOwlX+Wl/kwN+LbLGQ4= github.com/go-toolsmith/astcopy v1.0.0/go.mod h1:vrgyG+5Bxrnz4MZWPF+pI4R8h3qKRjjyvV/DSez4WVQ= github.com/go-toolsmith/astequal v1.0.0/go.mod h1:H+xSiq0+LtiDC11+h1G32h7Of5O3CYFJ99GVbS5lDKY= @@ -1048,12 +742,6 @@ github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/V github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= -github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee/go.mod h1:L0fX3K22YWvt/FAX9NnzrNzcI4wNYi9Yku4O0LKYflo= -github.com/gobwas/pool v0.2.0/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw= -github.com/gobwas/ws v1.0.2/go.mod h1:szmBTxLgaFppYjEmNtny/v3w89xOydFnnZMcgRRu/EM= -github.com/godbus/dbus v0.0.0-20151105175453-c7fdd8b5cd55/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw= -github.com/godbus/dbus v0.0.0-20180201030542-885f9cc04c9c/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw= -github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4= github.com/godbus/dbus v4.1.0+incompatible/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw= github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= 
@@ -1062,29 +750,25 @@ github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRx github.com/gofrs/uuid v4.3.0+incompatible h1:CaSVZxm5B+7o45rtab4jC2G37WGYX1zQfuU2i6DSvnc= github.com/gofrs/uuid v4.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s= -github.com/gogo/googleapis v1.2.0/go.mod h1:Njal3psf3qN6dwBtQfUmBZh2ybovJ0tlu3o/AC7HYjU= -github.com/gogo/googleapis v1.4.0/go.mod h1:5YRNX2z1oM5gXdAkurHa942MDgEJyk02w4OecKY87+c= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= -github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c= github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= +github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY= +github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.1.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.3.0 
h1:kHL1vqdqWNfATmA0FNMdmZNMyZI1U6O31X4rlIPoBog= -github.com/golang-jwt/jwt/v4 v4.3.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= +github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs= +github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A= github.com/golang-sql/sqlexp v0.1.0/go.mod h1:J4ad9Vo8ZCWQ2GMrC4UCQy1JpCbwU9m3EOqtpKwwwHI= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/glog v0.0.0-20210429001901-424d2337a529/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ= github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -1148,10 +832,9 @@ github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB github.com/google/certificate-transparency-go v1.1.1/go.mod h1:FDKqPvSXawb2ecErVRrD+nfy23RCzyl7eqVCEmlT1Zs= github.com/google/certificate-transparency-go v1.1.2-0.20210422104406-9f33727a7a18/go.mod h1:6CKh9dscIRoqc2kC6YUFICHZMT9NrClyPrRVFrdw1QQ= github.com/google/certificate-transparency-go v1.1.2-0.20210512142713-bed466244fa6/go.mod h1:aF2dp7Dh81mY8Y/zpzyXps4fQW5zQbDu2CxfpJB6NkI= -github.com/google/certificate-transparency-go v1.1.2 h1:4hE0GEId6NAW28dFpC+LrRGwQX5dtmXQGDbg8+/MZOM= -github.com/google/certificate-transparency-go v1.1.2/go.mod h1:3OL+HKDqHPUfdKrHVQxO6T8nDLO0HF7LRTlkIWXaWvQ= +github.com/google/certificate-transparency-go v1.1.3 h1:WEb38wcTe0EuAvg7USzgklnOjjnlMaahYO3faaqnCn8= +github.com/google/certificate-transparency-go v1.1.3/go.mod h1:S9FT/VzOUzhOGG0iLrzDs+f5Ml/zm7IYY/w+IlHz01M= github.com/google/flatbuffers v1.12.1 h1:MVlul7pQNoDzWRLTw5imwYsl+usrS1TXG2H4jg6ImGw= -github.com/google/flatbuffers v1.12.1/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= github.com/google/go-attestation v0.4.4-0.20220404204839-8820d49b18d9 h1:uspQ6yStR6DVxLT7UomcSc/cKEOtM3z6MOslXeXH1Gg= 
@@ -1171,20 +854,17 @@ github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-containerregistry v0.7.1-0.20211118220127-abdc633f8305/go.mod h1:6cMIl1RfryEiPzBE67OgtZdEiLWz4myqCQIiBMy3CsM= -github.com/google/go-containerregistry v0.8.1-0.20220209165246-a44adc326839 h1:7PunQZxMao2q43If8gKj1JFRzapmhgny9NWwXY4PGa4= -github.com/google/go-containerregistry v0.8.1-0.20220209165246-a44adc326839/go.mod h1:cwx3SjrH84Rh9VFJSIhPh43ovyOp3DCWgY3h8nWmdGQ= +github.com/google/go-containerregistry v0.11.0 h1:Xt8x1adcREjFcmDoDK8OdOsjxu90PHkGuwNP8GiHMLM= +github.com/google/go-containerregistry v0.11.0/go.mod h1:BBaYtsHPHA42uEgAvd/NejvAfPSlz281sJWqupjSxfk= github.com/google/go-github/v28 v28.1.1/go.mod h1:bsqJWQX05omyWVmc00nEUql9mhQyv38lDZ8kPZcQVoM= -github.com/google/go-github/v42 v42.0.0 h1:YNT0FwjPrEysRkLIiKuEfSvBPCGKphW5aS5PxwaoLec= -github.com/google/go-github/v42 v42.0.0/go.mod h1:jgg/jvyI0YlDOM1/ps6XYh04HNQ3vKf0CVko62/EhRg= +github.com/google/go-github/v45 v45.2.0 h1:5oRLszbrkvxDDqBCNj2hjDZMKmvexaZ1xw/FCD+K3FI= +github.com/google/go-github/v45 v45.2.0/go.mod h1:FObaZJEDSTa/WGCzZ2Z3eoCDXWJKMenWWTrd8jrta28= github.com/google/go-licenses v0.0.0-20210329231322-ce1d9163b77d/go.mod h1:+TYOmkVoJOpwnS0wfdsJCV9CoD5nJYsHoFk/0CrTK4M= github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU= github.com/google/go-replayers/grpcreplay v0.1.0/go.mod h1:8Ig2Idjpr6gifRd6pNVggX6TC1Zw6Jx74AKp7QNH2QE= -github.com/google/go-replayers/grpcreplay v1.1.0/go.mod 
h1:qzAvJ8/wi57zq7gWqaE6AwLM6miiXUQwP1S+I9icmhk= github.com/google/go-replayers/httpreplay v0.1.0/go.mod h1:YKZViNhiGgqdBlUbI2MwGpq4pXxNmhJLPHQ7cv2b5no= -github.com/google/go-replayers/httpreplay v1.0.0/go.mod h1:LJhKoTwS5Wy5Ld/peq8dFFG5OfJyHEz7ft+DsTUv25M= github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2YgV/PHITkO7p6wxEEj/v5nlsVWIwumwH2NI= github.com/google/go-tpm v0.3.0/go.mod h1:iVLWvrPp/bHeEkxTFi9WG6K9w0iy2yIszHwZGHPbzAw= github.com/google/go-tpm v0.3.3 h1:P/ZFNBZYXRxc+z7i5uyd8VP7MaDteuLZInzrH2idRGo= @@ -1204,8 +884,8 @@ github.com/google/martian v2.1.1-0.20190517191504-25dcb96d9e51+incompatible h1:x github.com/google/martian v2.1.1-0.20190517191504-25dcb96d9e51+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/martian/v3 v3.2.1 h1:d8MncMlErDFTwQGBK1xhv026j9kqhvw1Qv9IbWT1VLQ= github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= +github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 
@@ -1220,29 +900,25 @@ github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210506205249-923b5ab0fc1a/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/rpmpack v0.0.0-20191226140753-aa36bfddb3a0/go.mod h1:RaTPr0KUf2K7fnZYLNDrr8rxAamWs3iNywJLtQ2AzBg= -github.com/google/rpmpack v0.0.0-20210518075352-dc539ef4f2ea/go.mod h1:+y9lKiqDhR4zkLl+V9h4q0rdyrYVsWWm6LLCQP33DIk= github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk= github.com/google/trillian v1.3.11/go.mod h1:0tPraVHrSDkA3BO6vKX67zgLXs6SsOAbHEivX+9mPgw= github.com/google/trillian v1.3.14-0.20210409160123-c5ea3abd4a41/go.mod h1:1dPv0CUjNQVFEDuAUFhZql16pw/VlPgaX8qj+g5pVzQ= github.com/google/trillian v1.3.14-0.20210511103300-67b5f349eefa/go.mod h1:s4jO3Ai4NSvxucdvqUHON0bCqJyoya32eNw6XJwsmNc= -github.com/google/trillian v1.4.0/go.mod h1:1Bja2nEgMDlEJWWRXBUemSPG9qYw84ZYX2gHRVHlR+g= -github.com/google/trillian v1.4.1 h1:r/LV2L6uq6ijSSQNSyxnLXFU/JY7DaT6AILx1sOx2+8= github.com/google/trillian v1.4.1/go.mod h1:43IVCsGXxP5mZK9yFkTQdQrMQm/wryNBV2GNEdqzVz8= +github.com/google/trillian v1.5.0 h1:I5pIN18bKlXtlj1Tk919rQ3mWBU2BzNNR6JhLISGMB4= 
+github.com/google/trillian v1.5.0/go.mod h1:2/gAIc+G1MUcErOPc+cSwHAQHZlGy+RYHjVGnhUQ3e8= github.com/google/uuid v0.0.0-20161128191214-064e2069ce9c/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/wire v0.3.0/go.mod h1:i1DMg/Lu8Sz5yYl25iOdmc5CT5qusaa+zmRWs16741s= -github.com/google/wire v0.5.0/go.mod h1:ngWDr9Qvq3yZA10YrxfyGELY/AFWGVpy9c1LTRi1EoU= github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= github.com/googleapis/enterprise-certificate-proxy v0.2.0 h1:y8Yozv7SZtlU//QXbezB6QkpuE6jMD2/gfzk4AftXjs= 
@@ -1258,24 +934,22 @@ github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK github.com/googleapis/gax-go/v2 v2.5.1/go.mod h1:h6B0KMMFNtI2ddbGJn3T3ZbwkeT6yqEF02fYlzkUCyo= github.com/googleapis/gax-go/v2 v2.6.0 h1:SXk3ABtQYDT/OH8jAyvEOQ58mgawq5C4o/4/89qN2ZU= github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMdcIDwU/6+DDoY= -github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU= github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA= github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= github.com/gookit/color v1.4.2/go.mod h1:fqRyamkC1W8uxl+lxCQxOT09l/vYfZ+QeiX3rKQHCoQ= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= +github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gordonklaus/ineffassign v0.0.0-20200309095847-7953dde2c7bf/go.mod h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU= github.com/gordonklaus/ineffassign v0.0.0-20210225214923-2e10b2664254/go.mod h1:M9mZEtGIsR1oDaZagNPNG9iq9n2HrhZ17dsXk73V3Lw= github.com/goreleaser/goreleaser v0.134.0/go.mod h1:ZT6Y2rSYa6NxQzIsdfWWNWAlYGXGbreo66NmE+3X3WQ= github.com/goreleaser/nfpm v1.2.1/go.mod h1:TtWrABZozuLOttX2uDlYyECfQX7x5XYkVxhjYcR6G9w= github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75/go.mod h1:g2644b03hfBX9Ov0ZBDgXXens4rxSxmqFBbhvKv2yVA= github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= -github.com/gorilla/handlers v0.0.0-20150720190736-60c7bfde3e33/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ= 
github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4= github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q= github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= -github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= 
@@ -1312,17 +986,17 @@ github.com/grpc-ecosystem/grpc-gateway v1.12.1/go.mod h1:8XEsbTttt/W+VvjtQhLACqC github.com/grpc-ecosystem/grpc-gateway v1.14.6/go.mod h1:zdiPV4Yse/1gnckTHtghG4GkDEdKCRJduHpTxT3/jcw= github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.2 h1:BqHID5W5qnMkug0Z8UmL8tN0gAy4jQ+B4WFt8cCgluU= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.2/go.mod h1:ZbS3MZTZq/apAfAEHGoB5HbsQQstoqP92SjAqtQ9zeg= github.com/hanwen/go-fuse v1.0.0/go.mod h1:unqXarDXqzAk0rt98O2tVndEPIpUgLD9+rwFisZH3Ok= github.com/hanwen/go-fuse/v2 v2.1.0/go.mod h1:oRyA5eK+pvJyv5otpO/DgccS8y/RvYMaO00GgRLGryc= github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE= github.com/hashicorp/consul/api v1.10.1/go.mod h1:XjsvQN+RJGWI2TWy1/kqaE16HrR2J/FWgkYjdZQsX9M= -github.com/hashicorp/consul/api v1.11.0/go.mod h1:XjsvQN+RJGWI2TWy1/kqaE16HrR2J/FWgkYjdZQsX9M= -github.com/hashicorp/consul/api v1.12.0/go.mod h1:6pVBMo0ebnYdt2S3H87XhekM/HHrUoTD2XXb/VrZVy0= github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= github.com/hashicorp/consul/sdk v0.3.0/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms= -github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod 
h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -1334,60 +1008,45 @@ github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrj github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v0.15.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= -github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= -github.com/hashicorp/go-hclog v1.0.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v1.3.1 h1:vDwF1DFNZhntP4DAjuTpOw3uEgMUpXh1pB5fW9DqHpo= github.com/hashicorp/go-hclog v1.3.1/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= -github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g= github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= -github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I= github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/go-plugin v1.4.0/go.mod h1:5fGEH17QVwTTcR0zV7yhDPLLmFX9YSZ38b18Udy6vYQ= -github.com/hashicorp/go-plugin v1.4.3/go.mod h1:5fGEH17QVwTTcR0zV7yhDPLLmFX9YSZ38b18Udy6vYQ= github.com/hashicorp/go-plugin v1.4.5 
h1:oTE/oQR4eghggRg8VY7PAz3dr++VwDNBGCcOfIvHpBo= github.com/hashicorp/go-plugin v1.4.5/go.mod h1:viDMjcLJuDui6pXb8U4HVfb8AamCWhHGUjr2IrTF67s= github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= github.com/hashicorp/go-retryablehttp v0.6.4/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= -github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= -github.com/hashicorp/go-retryablehttp v0.7.0/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= github.com/hashicorp/go-retryablehttp v0.7.1 h1:sUiuQAnLlbvmExtFQs72iFW/HXeUn8Z1aJLQ4LJJbTQ= github.com/hashicorp/go-retryablehttp v0.7.1/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= -github.com/hashicorp/go-secure-stdlib/base62 v0.1.1/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw= -github.com/hashicorp/go-secure-stdlib/mlock v0.1.1/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I= github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 h1:p4AKXPPS24tO8Wc8i1gLvSKdmkiSY5xuju57czJ/IJQ= github.com/hashicorp/go-secure-stdlib/mlock v0.1.2/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I= -github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= -github.com/hashicorp/go-secure-stdlib/parseutil v0.1.2/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= -github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 h1:om4Al8Oy7kCm/B86rLCLah4Dt5Aa0Fr5rYBG60OzwHQ= -github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= -github.com/hashicorp/go-secure-stdlib/password v0.1.1/go.mod h1:9hH302QllNwu1o2TGYtSk8I8kTAN0ca1EHpwhm5Mmzo= 
+github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 h1:UpiO20jno/eV1eVZcxqWnUohyKRe1g8FPV/xH1s/2qs= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U= github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= -github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.1/go.mod h1:l8slYwnJA26yBz+ErHpp2IRCLr0vuOMGBORIz4rRiAs= github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc= github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= -github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/go-version v1.2.1/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= -github.com/hashicorp/go-version v1.3.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= -github.com/hashicorp/go-version v1.5.0 h1:O293SZ2Eg+AAYijkVK3jR786Am1bhDEh2GHT0tIVE5E= -github.com/hashicorp/go-version v1.5.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go-version v1.6.0 
h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek= +github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= 
@@ -1399,23 +1058,17 @@ github.com/hashicorp/hcl v1.0.1-0.20190430135223-99e2f22d1c94/go.mod h1:E5yfLk+7 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= github.com/hashicorp/mdns v1.0.1/go.mod h1:4gW7WsVCke5TE7EPeYliwHlRUyBtfCwuFwuMg2DmyNY= -github.com/hashicorp/mdns v1.0.4/go.mod h1:mtBihi+LeNXGtG8L9dX59gAEa12BDtBQSp4v/YAJqrc= github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= github.com/hashicorp/memberlist v0.2.2/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= -github.com/hashicorp/memberlist v0.3.0/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk= -github.com/hashicorp/serf v0.9.6/go.mod h1:TXZNMjZQijwlDvp+r0b63xZ45H7JmCmgg4gpTwn9UV4= -github.com/hashicorp/vault/api v1.3.0/go.mod h1:EabNQLI0VWbWoGlA+oBLC8PXmR9D60aUVgQGvangFWQ= -github.com/hashicorp/vault/api v1.3.1/go.mod h1:QeJoWxMFt+MsuWcYhmwRLwKEXrjwAFFywzhptMsTIUw= github.com/hashicorp/vault/api v1.8.1 h1:bMieWIe6dAlqAAPReZO/8zYtXaWUg/21umwqGZpEjCI= github.com/hashicorp/vault/api v1.8.1/go.mod h1:uJrw6D3y9Rv7hhmS17JQC50jbPDAZdjZoTtrCCxxs7E= -github.com/hashicorp/vault/sdk v0.3.0/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0= github.com/hashicorp/vault/sdk v0.6.0 h1:6Z+In5DXHiUfZvIZdMx7e2loL1PPyDjA4bVh9ZTIAhs= github.com/hashicorp/vault/sdk v0.6.0/go.mod h1:+DRpzoXIdMvKc88R4qxr+edwy/RvH5QK8itmxLiDHLc= github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= -github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 h1:xixZ2bWeofWV68J+x6AzmKuVM/JWCQwkWm6GW/MUR6I= -github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ= 
+github.com/hashicorp/yamux v0.1.0 h1:DzDIF6Sd7GD2sX0kDFpHAsJMY4L+OfTvtuaQsOYXxzk= +github.com/hashicorp/yamux v0.1.0/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ= github.com/honeycombio/beeline-go v1.1.1 h1:sU8r4ae34uEL3/CguSl8Mr+Asz9DL1nfH9Wwk85Pc7U= github.com/honeycombio/libhoney-go v1.15.2 h1:5NGcjOxZZma13dmzNcl3OtGbF1hECA0XHJNHEb2t2ck= github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs= 
@@ -1433,19 +1086,16 @@ github.com/imdario/mergo v0.3.4/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJ github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/imdario/mergo v0.3.9/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= -github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= -github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= github.com/imkira/go-observer v1.0.3 h1:l45TYAEeAB4L2xF6PR2gRLn2NE5tYhudh33MLmC7B80= github.com/imkira/go-observer v1.0.3/go.mod h1:zLzElv2cGTHufQG17IEILJMPDg32TD85fFgKyFv00wU= -github.com/in-toto/in-toto-golang v0.3.4-0.20211211042327-af1f9fb822bf h1:FU8tuL4IWx/Hq55AO4+13AZn3Kd6uk3Z44OCIZ9coTw= -github.com/in-toto/in-toto-golang v0.3.4-0.20211211042327-af1f9fb822bf/go.mod h1:twl9XmClqj6/h/HANQQYaJZVKPPW/Mz53bd2t6UXGQA= +github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add h1:DAh7mHiRT7wc6kKepYdCpH16ElPciMPQWJaJ7H3l/ng= +github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add/go.mod h1:DQI8vlV6h6qSY/tCOoYKtxjWrkyiNpJ3WTV/WoBllmQ= github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo= -github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA= github.com/jackc/chunkreader v1.0.0/go.mod h1:RT6O25fNZIuasFJRyZ4R/Y2BbhasbmZXF9QQ7T3kePo= 
github.com/jackc/chunkreader/v2 v2.0.0/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk= github.com/jackc/chunkreader/v2 v2.0.1/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk= 
@@ -1486,16 +1136,21 @@ github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dv github.com/jackc/puddle v1.2.1/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= github.com/jarcoal/httpmock v1.0.5/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT8nX0Txik= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= -github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431 h1:zqyV5j9xEuPQw2ma4RzzS9O74UwTq3vcMmpoHyL6xlI= -github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431/go.mod h1:3VIJLjlf5Iako82IX/5KOoCzDmogK5mO+bl+DRItnR8= +github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b h1:ZGiXF8sz7PDk6RgkP+A/SFfUD0ZR/AgG6SpRNEDKZy8= +github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b/go.mod h1:hQmNrgofl+IY/8L+n20H6E6PWBBTokdsv+q49j0QhsU= +github.com/jellydator/ttlcache/v2 v2.11.1 h1:AZGME43Eh2Vv3giG6GeqeLeFXxwxn1/qHItqWZl6U64= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jgautheron/goconst v1.5.1/go.mod h1:aAosetZ5zaeC/2EfMeRswtxUFBpe2Hr7HzkgX4fanO4= +github.com/jhump/gopoet v0.0.0-20190322174617-17282ff210b3/go.mod h1:me9yfT6IJSlOL3FCfrg+L6yzUEZ+5jW6WHt4Sk+UPUI= +github.com/jhump/gopoet v0.1.0/go.mod h1:me9yfT6IJSlOL3FCfrg+L6yzUEZ+5jW6WHt4Sk+UPUI= +github.com/jhump/goprotoc v0.5.0/go.mod h1:VrbvcYrQOrTi3i0Vf+m+oqQWk9l72mjkJCYo7UvLHRQ= github.com/jhump/protoreflect v1.6.0/go.mod h1:eaTn3RZAmMBcV0fifFvlm6VHNz3wSkYyXYWUh7ymB74= github.com/jhump/protoreflect v1.6.1/go.mod h1:RZQ/lnuN+zqeRVpQigTwO6o0AJUkxbnSnpuG7toUTG4= github.com/jhump/protoreflect v1.8.2/go.mod h1:7GcYQDdMU/O/BBrl/cX6PNHpXh6cenjd8pneu5yW7Tg= -github.com/jhump/protoreflect v1.9.0/go.mod h1:7GcYQDdMU/O/BBrl/cX6PNHpXh6cenjd8pneu5yW7Tg= -github.com/jhump/protoreflect v1.10.3 h1:8ogeubpKh2TiulA0apmGlW5YAH4U1Vi4TINIP+gpNfQ= github.com/jhump/protoreflect v1.10.3/go.mod h1:7GcYQDdMU/O/BBrl/cX6PNHpXh6cenjd8pneu5yW7Tg= 
+github.com/jhump/protoreflect v1.11.0/go.mod h1:U7aMIjN0NWq9swDP7xDdoMfRHb35uiuTd3Z9nFXJf5E= +github.com/jhump/protoreflect v1.12.0 h1:1NQ4FpWMgn3by/n1X0fbeKEUxP1wBt7+Oitpv01HR10= +github.com/jhump/protoreflect v1.12.0/go.mod h1:JytZfP5d0r8pVNLZvai7U/MCuTWITgrI4tTg7puQFKI= github.com/jingyugao/rowserrcheck v1.1.1/go.mod h1:4yvlZSDb3IyDTUZJUmpZfm2Hwok+Dtp+nu2qOq+er9c= github.com/jinzhu/gorm v1.9.16 h1:+IyIjPEABKRpsu/F8OvDPy9fyQlgsg2luMV2ZIH5i5o= github.com/jinzhu/gorm v1.9.16/go.mod h1:G3LB3wezTOWM2ITLzPxEXgSkOXAntiLHS7UdBefADcs= @@ -1505,7 +1160,6 @@ github.com/jinzhu/now v1.0.1 h1:HjfetcXq097iXP0uoPCdnM4Efp5/9MsM0/M+XOTeR3M= github.com/jinzhu/now v1.0.1/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8= github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af/go.mod h1:HEWGJkRDzjJY2sqdDwxccsGicWEf9BQOZsq2tV+xzM0= github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= -github.com/jmespath/go-jmespath v0.0.0-20160803190731-bd40a432e4c7/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= 
@@ -1548,16 +1202,12 @@ github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQL github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/errcheck v1.6.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.9.5/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= -github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= -github.com/klauspost/compress v1.11.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= -github.com/klauspost/compress v1.11.13/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= -github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= github.com/klauspost/compress v1.13.4/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= github.com/klauspost/compress v1.13.5/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= -github.com/klauspost/compress v1.14.2 h1:S0OHlFk/Gbon/yauFJ4FfJJF5V0fc5HbBTJazi28pRw= -github.com/klauspost/compress v1.14.2/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= +github.com/klauspost/compress v1.15.7/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU= +github.com/klauspost/compress v1.15.8 h1:JahtItbkWjf2jzm/T+qgMxkP9EMHsqEUA6vCMGmXvhA= +github.com/klauspost/compress v1.15.8/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 
@@ -1569,7 +1219,6 @@ github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfn github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0= github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 
@@ -1582,12 +1231,10 @@ github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+ github.com/kyoh86/exportloopref v0.1.8/go.mod h1:1tUcJeiioIs7VWe5gcOObrux3lb66+sBqGZrRkMwPgg= github.com/ldez/gomoddirectives v0.2.2/go.mod h1:cpgBogWITnCfRq2qGoDkKMEVSaarhdBr6g8G04uz6d0= github.com/ldez/tagliatelle v0.2.0/go.mod h1:8s6WJQwEYHbKZDsp/LjArytKOG8qaMrKQQ3mFukHs88= -github.com/leodido/go-urn v1.1.0/go.mod h1:+cyI34gQWZcE1eQU7NVgKkkzdXDQHr1dBMtdAPozLkw= -github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII= github.com/leodido/go-urn v1.2.1 h1:BqpAaACuzVSgi/VLzGZIobT2z4v53pjosyNd9Yv6n/w= github.com/leodido/go-urn v1.2.1/go.mod h1:zt4jvISO2HfUBqxjfIshjdMTYS56ZS/qv49ictyFfxY= -github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e h1:1aV3EJ4ZMsc63MFU4rB+ccSEhZvvVD71T9RA4Rqd3hI= -github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e/go.mod h1:Bl3mfF2LHYepsU2XfzMceIglyByfPe1IFAXtO+p37Qk= +github.com/letsencrypt/boulder v0.0.0-20220723181115-27de4befb95e h1:2ba+yBBeT8ZFyZjRLPDKvkqVrWX4CCYAuR6nuJGojD0= +github.com/letsencrypt/boulder v0.0.0-20220723181115-27de4befb95e/go.mod h1:54WQpg5QI0mpRhxoj9bxysLqA5WJylVsLtXOrb3zAiU= github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJiIbETBPTl9ATXQag= github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= 
@@ -1597,7 +1244,6 @@ github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.9.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.10.3/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= -github.com/lib/pq v1.10.4/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw= github.com/lib/pq v1.10.7/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM= @@ -1606,7 +1252,6 @@ github.com/linkedin/goavro v2.1.0+incompatible/go.mod h1:bBCwI2eGYpUI/4820s67MEl github.com/logrusorgru/aurora v0.0.0-20181002194514-a7b3b318ed4e/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4= github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4= github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= -github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w= github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA= github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= 
@@ -1615,19 +1260,14 @@ github.com/magiconair/properties v1.8.4/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPK github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= github.com/magiconair/properties v1.8.6 h1:5ibWZ6iY0NctNGWo87LalDlEZ6R41TqbbDamhfG/Qzo= github.com/magiconair/properties v1.8.6/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= -github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= -github.com/mailru/easyjson v0.7.1/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/maratori/testpackage v1.0.1/go.mod h1:ddKdw+XG0Phzhx8BFDTKgpWP4i7MpApTE5fXSKAqwDU= github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE= github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= -github.com/marstr/guid v1.1.0/go.mod h1:74gB1z2wpxxInTG6yaqA7KrtM0NZ+RbrcqDvYHefzho= github.com/matoous/godox v0.0.0-20210227103229-6504466cf951/go.mod h1:1BELzlh859Sh1c6+90blK8lbYy0kwQf1bYlBhBysy1s= github.com/matryer/is v1.4.0/go.mod h1:8I/i5uYgLzgsgEloJE1U6xx5HkBQpAZvepWuujKwMRU= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= 
@@ -1641,13 +1281,11 @@ github.com/mattn/go-colorable v0.1.11/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40= github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= github.com/mattn/go-ieproxy v0.0.0-20190610004146-91bb50d98149/go.mod h1:31jz6HNzdxOmlERGGEc4v/dMssOfmp2p5bT/okiKFFc= -github.com/mattn/go-ieproxy v0.0.1/go.mod h1:pYabZ6IHcRpFh7vIaLfK7rdcWgFEb3SFJ6/gNWuh88E= github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= -github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ= github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= 
@@ -1660,10 +1298,10 @@ github.com/mattn/go-runewidth v0.0.7/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU= github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= -github.com/mattn/go-shellwords v1.0.3/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o= github.com/mattn/go-shellwords v1.0.10/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= github.com/mattn/go-sqlite3 v1.14.0/go.mod h1:JIl7NbARA7phWnGvh0LKTyg7S9BA+6gx71ShQilpsus= +github.com/mattn/go-sqlite3 v1.14.10/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= github.com/mattn/go-sqlite3 v1.14.15 h1:vfoHhTN1af61xCRSWzFIWzx2YskyMTwHLrExkBOjvxI= github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= 
@@ -1672,23 +1310,18 @@ github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/mbilski/exhaustivestruct v1.2.0/go.mod h1:OeTBVxQWoEmB2J2JCHmXWPJ0aksxSUOUy+nvtVEfzXc= -github.com/mediocregopher/radix/v4 v4.0.0/go.mod h1:ajchozX/6ELmydxWeWM6xCFHVpZ4+67LXHOTOVR0nCE= github.com/mgechev/dots v0.0.0-20210922191527-e955255bf517/go.mod h1:KQ7+USdGKfpPjXk4Ga+5XxQM4Lm4e3gAogrreFAYpOg= github.com/mgechev/revive v1.1.2/go.mod h1:bnXsMr+ZTH09V5rssEI+jHAZ4z+ZdyhgO/zsy3EhK+0= github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= -github.com/miekg/dns v1.1.25/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= github.com/miekg/dns v1.1.35/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= -github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI= -github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4= -github.com/miekg/dns v1.1.45 h1:g5fRIhm9nx7g8osrAvgb16QJfmyMsyOCb+J7LSv+Qzk= +github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA= github.com/miekg/pkcs11 v1.0.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= github.com/miekg/pkcs11 v1.1.1 h1:Ugu9pdy6vAYku5DEpVWVFPYnzV+bxB+iRdbuFSu7TvU= github.com/miekg/pkcs11 v1.1.1/go.mod 
h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= -github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXxx3xhI= github.com/mitchellh/cli v1.1.4 h1:qj8czE26AU4PbiaPXK5uVmMSM+V5BYsFBiM9HhGRLUA= 
@@ -1709,26 +1342,17 @@ github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS4 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= -github.com/mitchellh/mapstructure v1.3.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/mitchellh/mapstructure v1.4.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.4.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A= github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mitchellh/reflectwalk v1.0.1/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= -github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= -github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A= -github.com/moby/sys/mountinfo v0.4.1/go.mod 
h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A= -github.com/moby/sys/symlink v0.1.0/go.mod h1:GGDODQmbFOjFsXvfLVn3+ZRxkch54RkSiGqsZeMYowQ= -github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo= -github.com/moby/term v0.0.0-20201216013528-df9cb8a40635/go.mod h1:FBS0z0QWA44HXygs7VXDUOGoN/1TV3RuWkLO04am3wc= github.com/moby/term v0.0.0-20210610120745-9d4ed1856297/go.mod h1:vgPCkQMyxTZ7IDy8SXRufE172gr8+K/JE/7hHFxHW3A= github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 h1:dcztxKSvZ4Id8iPpHERQBbIJfabdt4wUm5qy3wOL2Zc= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
@@ -1744,10 +1368,10 @@ github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJ github.com/montanaflynn/stats v0.6.6/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow= github.com/moricho/tparallel v0.2.1/go.mod h1:fXEIZxG2vdfl0ZF8b42f5a78EhjjD5mX8qUplsoSU4k= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= -github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= github.com/mozilla/scribe v0.0.0-20180711195314-fb71baf557c1/go.mod h1:FIczTrinKo8VaLxe6PWTPEXRXDIHz2QAwiaBaP5/4a8= github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5/go.mod h1:FUqVoUPHSEdDR0MnFM3Dh8AU0pZHLXUD127SAJGER/s= -github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= +github.com/mozillazg/docker-credential-acr-helper v0.3.0 h1:DVWFZ3/O8BP6Ue3iS/Olw+G07u1hCq1EOVCDZZjCIBI= +github.com/mozillazg/docker-credential-acr-helper v0.3.0/go.mod h1:cZlu3tof523ujmLuiNUb6JsjtHcNA70u1jitrrdnuyA= github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= 
@@ -1765,7 +1389,6 @@ github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxzi github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c= github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354/go.mod h1:KSVJerMDfblTH7p5MZaTt+8zaT2iEk3AkVb9PQdZuE8= -github.com/ncw/swift v1.0.47/go.mod h1:23YIA4yWVnGwv2dQlN4bB7egfYX6YLn0Yo/S6zZO/ZM= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nightlyone/lockfile v1.0.0/go.mod h1:rywoIealpdNse2r832aiD9jRk8ErCatROs6LzC841CI= github.com/nishanths/exhaustive v0.2.3/go.mod h1:bhIX678Nx8inLM9PbpvK1yv6oGtoP8BfaIeMzgBNKvc= 
@@ -1787,62 +1410,33 @@ github.com/olekukonko/tablewriter v0.0.2/go.mod h1:rSAaSIOAGT9odnlyGlUfAJaoc5w2f github.com/olekukonko/tablewriter v0.0.4/go.mod h1:zq6QwlOf5SlnkVbMSr5EoBv3636FWnp+qbPhuoO21uA= github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec= github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= -github.com/onsi/ginkgo v0.0.0-20151202141238-7f8ab55aaf3b/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= -github.com/onsi/ginkgo/v2 v2.0.0/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= +github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= +github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= github.com/onsi/ginkgo/v2 v2.1.6 h1:Fx2POJZfKRQcM1pH49qSZiYeu319wji004qX+GDovrU= -github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.4.3/go.mod 
h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= -github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc= github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= -github.com/onsi/gomega v1.18.1/go.mod h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs= +github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q= github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= -github.com/open-policy-agent/opa v0.35.0 h1:wsXkq/3JJucRUN4h46pn9Zv6cC6fnHWrVxjgoykxM7o= -github.com/open-policy-agent/opa v0.35.0/go.mod h1:xEmekKlk6/c+so5HF9wtPnGPXDfBuBsrMGhSHOHEF+U= -github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= -github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= -github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= -github.com/opencontainers/go-digest v1.0.0-rc1.0.20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/open-policy-agent/opa v0.45.0 h1:P5nuhVRtR+e58fk3CMMbiqr6ZFyWQPNOC3otsorGsFs= +github.com/open-policy-agent/opa v0.45.0/go.mod h1:/OnsYljNEWJ6DXeFOOnoGn8CvwZGMUS4iRqzYdJvmBI= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= 
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.0.0/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= -github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= -github.com/opencontainers/image-spec v1.0.2-0.20211117181255-693428a734f5/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= -github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 h1:+czc/J8SlhPKLOtVLMQc+xDCFBT73ZStMsRhSsUhsSg= github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198/go.mod h1:j4h1pJW6ZcJTgMZWP3+7RlG3zTaP02aDZ/Qw0sppK7Q= -github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= -github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= -github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= -github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= -github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84SM2ImC1fxBuqJ/H0= -github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0= -github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod 
h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs= -github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE= -github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo= -github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492/go.mod h1:Ngi6UdF0k5OKD5t5wlmGhe/EDKPoUM3BXZSSfIuJbis= github.com/opentracing/basictracer-go v1.0.0/go.mod h1:QfBfYuafItcjQuMwinw9GhYKwFXS9KnPs5lxoYwgW74= github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= 
@@ -1865,22 +1459,19 @@ github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144T github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= github.com/pelletier/go-buffruneio v0.2.0/go.mod h1:JkE26KsDizTr40EUHkXVtNPvgGtbSNq5BcowyYOWdKo= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= -github.com/pelletier/go-toml v1.4.0/go.mod h1:PN7xzY2wHTK0K9p34ErDQMlFxa51Fk0OUruD3k1mMwo= github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE= github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc= github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8= github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= -github.com/pelletier/go-toml/v2 v2.0.1 h1:8e3L2cCQzLFi2CR4g7vGFuFxX7Jl1kKX8gW+iV0GUKU= -github.com/pelletier/go-toml/v2 v2.0.1/go.mod h1:r9LEWfGN8R5k0VXJ+0BkIe7MYkRdwZOjgMj2KwnJFUo= +github.com/pelletier/go-toml/v2 v2.0.5 h1:ipoSadvV8oGUjnUbMub59IDPPwfxF694nG/jwbMiyQg= +github.com/pelletier/go-toml/v2 v2.0.5/go.mod h1:OMHamSCAODeSsVrwwvcJOaoN0LIUIaFVNZzmWyNfXas= github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= -github.com/peterh/liner v0.0.0-20170211195444-bf27d3ba8e1d/go.mod h1:xIteQHvHuaLYG9IFj6mSxM0fCKrs34IrEQUhOYuGPHc= github.com/phayes/checkstyle v0.0.0-20170904204023-bfd46e6a821d/go.mod h1:3OzsM7FXDQlpCiw2j81fOmAwQLnZnLGXVKUzeKQXIAw= github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0jef7pBehbT1qWhCMrIgbYNnFAZCqQ5LRc= github.com/pierrec/lz4 v2.0.5+incompatible/go.mod 
h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= -github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM= github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4/go.mod h1:4OwLy04Bl9Ef3GJJCoec+30X3LQs/0/m4HFRt/2LUSA= @@ -1889,7 +1480,6 @@ github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 
@@ -1906,12 +1496,10 @@ github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSg github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw= github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE= github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= -github.com/prometheus/client_golang v0.0.0-20180209125602-c332b6f63c06/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs= github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= -github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og= github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= github.com/prometheus/client_golang v1.5.1/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= 
@@ -1922,7 +1510,6 @@ github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqr github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= github.com/prometheus/client_golang v1.13.0 h1:b71QUfeo5M8gq2+evJdTPfZhYMAU0uKPkyPJ7TPsloU= github.com/prometheus/client_golang v1.13.0/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ= -github.com/prometheus/client_model v0.0.0-20171117100541-99fa1f4be8e5/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 
@@ -1930,38 +1517,28 @@ github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1: github.com/prometheus/client_model v0.1.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M= github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/common v0.0.0-20180110214958-89604d197083/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= -github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA= github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4= github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/common v0.18.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s= github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= github.com/prometheus/common v0.28.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= -github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= -github.com/prometheus/common v0.30.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/common v0.34.0/go.mod h1:gB3sOl7P0TvJabZpLY5uQMpUqRCPPCyRLCZYc7JZTNE= github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE= 
github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA= -github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= -github.com/prometheus/procfs v0.0.0-20190522114515-bc1a522cf7b1/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= -github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= -github.com/prometheus/procfs v0.0.5/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= -github.com/prometheus/procfs v0.7.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= -github.com/prometheus/procfs v0.7.1/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo= github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= 
@@ -1969,7 +1546,6 @@ github.com/prometheus/prometheus v2.5.0+incompatible/go.mod h1:oAIUtOny2rjMX0OWN github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= github.com/pseudomuto/protoc-gen-doc v1.3.2/go.mod h1:y5+P6n3iGrbKG+9O04V5ld71in3v/bX88wUwgt+U8EA= github.com/pseudomuto/protoc-gen-doc v1.4.1/go.mod h1:exDTOVwqpp30eV/EDPFLZy3Pwr2sn6hBC1WIYH/UbIg= -github.com/pseudomuto/protoc-gen-doc v1.5.0/go.mod h1:exDTOVwqpp30eV/EDPFLZy3Pwr2sn6hBC1WIYH/UbIg= github.com/pseudomuto/protoc-gen-doc v1.5.1/go.mod h1:XpMKYg6zkcpgfpCfQ8GcWBDRtRxOmMR5w7pz4Xo+dYM= github.com/pseudomuto/protokit v0.2.0/go.mod h1:2PdH30hxVHsup8KpBTOXTBeMVhJZVio3Q8ViKSAXT0Q= github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1:5STLWrekHfjyYwxBRVRXNOSewLJ3PWfDJd1VyTS21fI= @@ -1982,7 +1558,6 @@ github.com/quasilyte/go-ruleguard/rules v0.0.0-20210428214800-545e0d2e0bf7/go.mo github.com/quasilyte/regex/syntax v0.0.0-20200407221936-30656e2c4a95/go.mod h1:rlzQ04UMyJXu/aOvhd8qT+hvDrFpiwqp8MRXDY9szc0= github.com/qur/ar v0.0.0-20130629153254-282534b91770/go.mod h1:SjlYv2m9lpV0UW6K7lDqVJwEIIvSjaHbGk7nIfY8Hxw= github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= -github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY= 
@@ -1998,7 +1573,6 @@ github.com/rogpeppe/go-internal v1.6.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTE github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8= github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE= github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= -github.com/rs/cors v1.8.0/go.mod h1:EBwu+T5AvHOcXwvZIkQFjUN6s8Czyqw12GL/Y0tUyRM= github.com/rs/cors v1.8.2/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU= github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ= github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU= @@ -2014,10 +1588,7 @@ github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= -github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4= github.com/sagikazarmark/crypt v0.1.0/go.mod h1:B/mN0msZuINBtQ1zZLEQcegFJJf9vnYIR88KRMEuODE= -github.com/sagikazarmark/crypt v0.3.0/go.mod h1:uD/D+6UF4SrIR1uGEv7bBNkNqLGqUr43MRiaGWX1Nig= -github.com/sagikazarmark/crypt v0.4.0/go.mod h1:ALv2SRj7GxYV4HO9elxH9nS6M9gW+xDNxqmyJ6RfDFM= github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E= github.com/sanposhiho/wastedassign/v2 v2.0.6/go.mod h1:KyZ0MWTwxxBmfwn33zh3k1dmsbF2ud9pAAGfoLfjhtI= github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b/go.mod h1:am+Fp8Bt506lA3Rk3QCmSqmYmLMnPDhdDUcosQCAx+I= 
@@ -2026,10 +1597,6 @@ github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 h1:sUNzanSKA9z/h github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74/go.mod h1:YlB8wFIZmFLZ1JllNBfSURzz52fBxbliNgYALk1UDmk= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= -github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo= -github.com/secure-systems-lab/go-securesystemslib v0.2.0/go.mod h1:eIjBmIP8LD2MLBL/DkQWayLiz006Q4p+hCu79rvWleY= -github.com/secure-systems-lab/go-securesystemslib v0.3.0/go.mod h1:o8hhjkbNl2gOamKUA/eNW3xUrntHT9L4W89W1nfj43U= -github.com/secure-systems-lab/go-securesystemslib v0.3.1/go.mod h1:o8hhjkbNl2gOamKUA/eNW3xUrntHT9L4W89W1nfj43U= github.com/secure-systems-lab/go-securesystemslib v0.4.0 h1:b23VGrQhTA8cN2CbBw7/FulN9fTtqYUdS5+Oxzt+DUE= github.com/secure-systems-lab/go-securesystemslib v0.4.0/go.mod h1:FGBZgq2tXWICsxWQW1msNf49F0Pf2Op5Htayx335Qbs= github.com/securego/gosec/v2 v2.9.1/go.mod h1:oDcDLcatOJxkCGaCaq8lua1jTnYf6Sou4wdiJ1n4iHc= 
@@ -2050,18 +1617,14 @@ github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFR github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk= github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= -github.com/sigstore/cosign v1.9.0 h1:E1Kkc6I99dNCGfjwU0B7XTJNEpltNi2GUVEQcswY2Ow= -github.com/sigstore/cosign v1.9.0/go.mod h1:AkVaXopS0Z/3h/hVOyvIwKrXMOilKmlLgUlr8FkrKQM= -github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7 h1:XE7A9lJ+wYhmUFBWYTaw3Ph943zHB4iBYd5R0SX0ZOA= -github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7/go.mod h1:ANQivY/lfOp9hN92S813LEthkm/kit96hzeIF3SNoZA= -github.com/sigstore/rekor v0.4.1-0.20220114213500-23f583409af3 h1:mbqXrm8YZXN/cJMGeBkgPnswtfrOxDE1f7QZdJ+POQE= -github.com/sigstore/rekor v0.4.1-0.20220114213500-23f583409af3/go.mod h1:u9clLqaVjqV9pExVL1XkM37dGyMCOX/LMocS9nsnWDY= -github.com/sigstore/sigstore v1.0.2-0.20211210190220-04746d994282/go.mod h1:SuM+QIHtnnR9eGsURRLv5JfxM6KeaU0XKA1O7FmLs4Q= -github.com/sigstore/sigstore v1.1.0/go.mod h1:gDpcHw4VwpoL5C6N1Ud1YtBsc+ikRDwDelDlWRyYoE8= -github.com/sigstore/sigstore v1.2.1-0.20220424143412-3d41663116d5 h1:8OL06Knchax4CMtdfquC3ASWQPtYMJgyeQImWQPw6XE= -github.com/sigstore/sigstore v1.2.1-0.20220424143412-3d41663116d5/go.mod h1:OvpZniSE9oRPnW7+mhxljRt2RAQU+TwcnhYbqQsPwPc= -github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= -github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= +github.com/sigstore/cosign v1.12.1 h1:GgzIS+Ikdyx1MTh8S2pREUcaD/bSxYXxLeyY6Dl+I9Q= +github.com/sigstore/cosign v1.12.1/go.mod h1:8sOfWG332VGdFJBud/LPgwC/HGx6eoKr8LIFRDKcUk0= +github.com/sigstore/fulcio v0.5.3 h1:fwdl2BHv1RjL3GJJ44T+tPsvmQ028zv54psxVhSwUGA= 
+github.com/sigstore/fulcio v0.5.3/go.mod h1:4yzMqOao6r9Nul1Dgt4LL7loKdkkgbDemLYrXUuAc+Y= +github.com/sigstore/rekor v0.12.1-0.20220915152154-4bb6f441c1b2 h1:LD8LcwygdD2DxaINWwbkaUEBAknr205wmn66/N05s7c= +github.com/sigstore/rekor v0.12.1-0.20220915152154-4bb6f441c1b2/go.mod h1:C/jZ3EZywl/Kew48fGMWQoh+1LxOMk0BkP3DHmtB+8M= +github.com/sigstore/sigstore v1.4.2 h1:fTppzuZBAmQ/skgl7FWJRLyby70pxCqJGKyWfkSuMR8= +github.com/sigstore/sigstore v1.4.2/go.mod h1:wCv58Fia7u1snVJyPcxdgIh/3uw1XdOLhxPExTwwyt4= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= 
@@ -2074,11 +1637,10 @@ github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVs github.com/sivchari/tenv v1.4.7/go.mod h1:5nF+bITvkebQVanjU6IuMbvIot/7ReNsUV7I5NbprB0= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog= -github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262/go.mod h1:MyOHs9Po2fbM1LHej6sBUT8ozbxmMOFG+E+rx/GSGuc= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM= +github.com/smartystreets/assertions v1.1.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo= github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h1:SnhjPscd9TpLiy1LpzGSKh3bXCfxxXuqd9xmQJy3slM= -github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= github.com/smartystreets/gunit v1.0.0/go.mod h1:qwPWnhz6pn0NnRBP++URONOVyNkPyr4SauJk4cUOwJs= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= 
@@ -2089,7 +1651,6 @@ github.com/sonatard/noctx v0.0.1/go.mod h1:9D2D/EoULe8Yy2joDHJj7bv3sZoq9AaSb8B4l github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY= github.com/sourcegraph/go-diff v0.6.1/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag071iBaWPF6cjs= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= -github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4= 
@@ -2102,22 +1663,18 @@ github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkU github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w= github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU= -github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= github.com/spf13/cobra v1.1.1/go.mod h1:WnodtKOvamDL/PwE2M4iKs8aMDBZ5Q5klgD3qfVJQMI= github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo= github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk= -github.com/spf13/cobra v1.3.0/go.mod h1:BrRVncBjOJa/eUcVVm9CE+oC6as8k+VYr4NY7WCi9V4= github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g= github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU= github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk= github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= -github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= 
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= 
@@ -2128,34 +1685,28 @@ github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5q github.com/spf13/viper v1.7.1/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= github.com/spf13/viper v1.9.0/go.mod h1:+i6ajR7OX2XaiBkrcZJFK21htRk7eDeLg7+O6bhUPP4= -github.com/spf13/viper v1.10.0/go.mod h1:SoyBPwAtKDzypXNDFKN5kzH7ppppbGZtls1UpIy5AsM= -github.com/spf13/viper v1.10.1/go.mod h1:IGlFPqhNAPKRxohIzWpI5QEy4kuI7tcl5WvR+8qy1rU= -github.com/spf13/viper v1.12.0 h1:CZ7eSOd3kZoaYDLbXnmzgQI5RlciuXBMA+18HwHRfZQ= -github.com/spf13/viper v1.12.0/go.mod h1:b6COn30jlNxbm/V2IqWiNWkJ+vZNiMNksliPCiuKtSI= -github.com/spiffe/go-spiffe/v2 v2.1.0 h1:IZRlWhyFpPbJOiK8K+MwEFPU/QCdaW4Zf5bmIKBd3XM= -github.com/spiffe/go-spiffe/v2 v2.1.0/go.mod h1:5qg6rpqlwIub0JAiF1UK9IMD6BpPTmvG6yfSgDBs5lg= +github.com/spf13/viper v1.13.0 h1:BWSJ/M+f+3nmdz9bxB+bWX28kkALN2ok11D0rSo8EJU= +github.com/spf13/viper v1.13.0/go.mod h1:Icm2xNL3/8uyh/wFuB1jI7TiTNKp8632Nwegu+zgdYw= +github.com/spiffe/go-spiffe/v2 v2.1.1 h1:RT9kM8MZLZIsPTH+HKQEP5yaAk3yd/VBzlINaRjXs8k= +github.com/spiffe/go-spiffe/v2 v2.1.1/go.mod h1:5qg6rpqlwIub0JAiF1UK9IMD6BpPTmvG6yfSgDBs5lg= github.com/spiffe/spire-api-sdk v1.2.5-0.20220608195902-84fd618158c9 h1:RmpSpUHOboDvGhxLW/32DAlV/DsvUURjojPVDMPDkwM= github.com/spiffe/spire-api-sdk v1.2.5-0.20220608195902-84fd618158c9/go.mod h1:73BC0cOGkqRQrqoB1Djk7etxN+bE1ypmzZMkhCQs6kY= github.com/spiffe/spire-plugin-sdk v1.4.1-0.20220912221658-c42ab2d657f6 h1:QViYo6JR+v2lTMV/w9Py1mWJEXTrLn1Hb6ZsCWSVVek= github.com/spiffe/spire-plugin-sdk v1.4.1-0.20220912221658-c42ab2d657f6/go.mod h1:4KW5J6abGIAyUS8IL7Fi0NOfoWR6jA5LufKPnIdm9FE= github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI= github.com/ssgreg/nlreturn/v2 v2.2.1/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I= -github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod 
h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= github.com/streadway/amqp v1.0.0/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= github.com/streadway/handy v0.0.0-20190108123426-d5acb3125c2a/go.mod h1:qNTQ5P5JnDBl6z3cMAg/SywNDC5ABu5ApDIw6lUbRmI= -github.com/stretchr/objx v0.0.0-20180129172003-8a3f7159479f/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= -github.com/stretchr/objx v0.3.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v0.0.0-20170130113145-4d4bfba8f1d1/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/stretchr/testify v0.0.0-20180303142811-b89eecf5ca5d/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.1.4/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 
@@ -2169,16 +1720,13 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= -github.com/subosito/gotenv v1.3.0 h1:mjC+YW8QpAdXibNi+vNWgzmgBH4+5l5dCXv8cNysBLI= -github.com/subosito/gotenv v1.3.0/go.mod h1:YzJjq/33h7nrwdY+iHMhEOEEbW0ovIz0tB6t6PwAXzs= +github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs= +github.com/subosito/gotenv v1.4.1/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0= github.com/sylvia7788/contextcheck v1.0.4/go.mod h1:vuPKJMQ7MQ91ZTqfdyreNKwZjyUg6KO+IebVyQDedZQ= -github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= -github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= -github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= -github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ= -github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 h1:epCh84lMvA70Z7CTTCmYQn2CKbY8j86K7/FAIr141uY= -github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7/go.mod h1:q4W45IWZaF22tdD+VEXcAWRA037jwmWEB5VWYORlTpc= -github.com/tchap/go-patricia v2.2.6+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I= +github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d h1:vfofYNRScrDdvS342BElfbETmL1Aiz3i2t0zfRj16Hs= +github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d/go.mod h1:RRCYJbIwD5jmqPI9XoAFR0OcDxqUctll6zUj/+B4S48= +github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= +github.com/tchap/go-patricia/v2 v2.3.1/go.mod 
h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= github.com/tdakkota/asciicheck v0.0.0-20200416200610-e657995f937b/go.mod h1:yHp0ai0Z9gUljN3o0xMhYJnH/IcvkdTBOX2fmJ93JEM= github.com/tenntenn/modver v1.0.1/go.mod h1:bePIyQPb7UeioSRkw3Q0XeMhYZSMx9B8ePqg6SAMGH0= github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3/go.mod h1:ON8b8w4BN/kE1EOhwT0o+d62W65a6aPw1nouo9LMgyY= 
@@ -2187,14 +1735,10 @@ github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613/go.mod h1:g github.com/tetafro/godot v1.4.11/go.mod h1:LR3CJpxDVGlYOWn3ZZg1PgNZdTUvzsZWu8xaEohUpn8= github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg= github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU= -github.com/theupdateframework/go-tuf v0.0.0-20211203210025-7ded50136bf9/go.mod h1:n2n6wwC9BEnYS/C/APAtNln0eM5zYAYOkOTx6VEG/mA= -github.com/theupdateframework/go-tuf v0.3.0 h1:od2sc5+BSkKZhmUG2o2rmruy0BGSmhrbDhCnpxh87X8= -github.com/theupdateframework/go-tuf v0.3.0/go.mod h1:E5XP0wXitrFUHe4b8cUcAAdxBW4LbfnqF4WXXGLgWNo= +github.com/theupdateframework/go-tuf v0.5.1-0.20220920170306-f237d7ca5b42 h1:6XOcL5aU3UGndqoDyG/NM2y0/Piin2x5zt/pew4tR1w= +github.com/theupdateframework/go-tuf v0.5.1-0.20220920170306-f237d7ca5b42/go.mod h1:vAqWV3zEs89byeFsAYoh/Q14vJTgJkHwnnRCWBBBINY= github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= -github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= -github.com/tilinna/clock v1.0.2/go.mod h1:ZsP7BcY7sEEz7ktc0IVy8Us6boDrK8VradlKRUGfOao= -github.com/tilinna/clock v1.1.0/go.mod h1:ZsP7BcY7sEEz7ktc0IVy8Us6boDrK8VradlKRUGfOao= github.com/timakin/bodyclose v0.0.0-20200424151742-cb6215831a94/go.mod h1:Qimiffbc6q9tBWlVV6x0P9sat/ao1xEkREYPPj9hphk= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= 
@@ -2202,6 +1746,8 @@ github.com/tj/assert v0.0.0-20171129193455-018094318fb0/go.mod h1:mZ9/Rh9oLWpLLD github.com/tj/go-elastic v0.0.0-20171221160941-36157cbbebc2/go.mod h1:WjeM0Oo1eNAjXGDx2yma7uG2XoyRZTq1uv3M/o7imD0= github.com/tj/go-kinesis v0.0.0-20171128231115-08b17f58cb1b/go.mod h1:/yhzCV0xPfx6jb1bBgRFjl5lytqVqZXEaeqWP8lTEao= github.com/tj/go-spin v1.1.0/go.mod h1:Mg1mzmePZm4dva8Qz60H2lHwmJ2loum4VIrLgVnKwh4= +github.com/tjfoc/gmsm v1.3.2 h1:7JVkAn5bvUJ7HtU08iW6UiD+UTmJTIToHCfeFzkcCxM= +github.com/tjfoc/gmsm v1.3.2/go.mod h1:HaUcFuY0auTiaHB9MHFGCPx5IaLhTUd2atbCFBQXn9w= github.com/tklauser/go-sysconf v0.3.9/go.mod h1:11DU/5sG7UexIrp/O6g35hrWzu0JxlwQ3LSFUzyeuhs= github.com/tklauser/go-sysconf v0.3.10 h1:IJ1AZGZRWbY8T5Vfk04D9WOA5WSejdflXxP03OUqALw= github.com/tklauser/go-sysconf v0.3.10/go.mod h1:C8XykCvCb+Gn0oNCWPIlcb0RuglQTYaQ2hGm7jmxEFk= 
@@ -2226,23 +1772,17 @@ github.com/twmb/murmur3 v1.1.6/go.mod h1:Qq/R7NUyOfr65zD+6Q5IHKsJLwP7exErjN6lyyq github.com/uber-go/tally/v4 v4.1.3 h1:dKhkrkVSSJK0AxZCv/MmK5JrWmH+MPG3dgZCbxWk2Yc= github.com/uber-go/tally/v4 v4.1.3/go.mod h1:aXeSTDMl4tNosyf6rdU8jlgScHyjEGGtfJ/uwCIf/vM= github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= -github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw= github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= -github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY= github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8= github.com/ulikunitz/xz v0.5.7/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= -github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/ultraware/funlen v0.0.3/go.mod h1:Dp4UiAus7Wdb9KUZsYWZEWiRzGuM2kXM1lPbfaF6xhA= github.com/ultraware/whitespace v0.0.4/go.mod h1:aVMh/gQve5Maj9hQ/hg+F75lr/X5A89uZnzAmWSineA= -github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= -github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/urfave/cli v1.22.4/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/urfave/cli v1.22.7/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/urfave/cli v1.22.9 h1:cv3/KhXGBGjEXLC4bH0sLuJ9BewaAbpk5oyMOveu4pw= github.com/urfave/cli v1.22.9/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= -github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4= github.com/uudashr/gocognit v1.0.5/go.mod h1:wgYz0mitoKOTysqxTDMOUXg+Jb5SvtihkfmugIZYpEA= 
github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= github.com/valyala/fasthttp v1.30.0/go.mod h1:2rsYD01CKFrjjsvFxx75KlEUNpWNBY9JWD3K/7o2Cus= 
@@ -2250,57 +1790,42 @@ github.com/valyala/quicktemplate v1.7.0/go.mod h1:sqKJnoaOF88V07vkO+9FL8fb9uZg/V github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc= github.com/vbatts/tar-split v0.11.2 h1:Via6XqJr0hceW4wff3QRzD5gAk/tatMw/4ZA7cTlIME= github.com/vbatts/tar-split v0.11.2/go.mod h1:vV3ZuO2yWSVsz+pfFzDG/upWH1JhjOiEaWq6kXyQ3VI= -github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw= github.com/viki-org/dnscache v0.0.0-20130720023526-c70c1f23c5d8/go.mod h1:dniwbG03GafCjFohMDmz6Zc6oCuiqgH6tGNyXTkHzXE= -github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk= -github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= -github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho= -github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI= -github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= -github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0= github.com/vmihailenco/msgpack/v4 v4.3.12 h1:07s4sz9IReOgdikxLTKNbBdqDMLsjPKXwvCazn8G65U= github.com/vmihailenco/tagparser v0.1.1 h1:quXMXlA39OCbd2wAdTsGDlK9RkOk6Wuw+x37wVyIuWY= -github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4= -github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI= github.com/xanzy/go-gitlab v0.31.0/go.mod h1:sPLojNBn68fMUWSxIJtdVVIP8uSBYqesTfDUseX11Ug= -github.com/xanzy/go-gitlab v0.68.0 h1:b2iMQHgZ1V+NyRqLRJVv6RFfr4xnd/AASeS/PETYL0Y= -github.com/xanzy/go-gitlab v0.68.0/go.mod h1:o4yExCtdaqlM8YGdDJWuZoBmfxBsmA9TPEjs9mx1UO4= +github.com/xanzy/go-gitlab v0.73.1 
h1:UMagqUZLJdjss1SovIC+kJCH4k2AZWXl58gJd38Y/hI= +github.com/xanzy/go-gitlab v0.73.1/go.mod h1:d/a0vswScO7Agg1CZNz15Ic6SSvBG9vfw8egL99t4kA= github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4= github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs= +github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g= github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM= -github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I= -github.com/xdg/stringprep v0.0.0-20180714160509-73f8eece6fdc/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y= +github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= -github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs= github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8= github.com/xiang90/probing 
v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778/go.mod h1:2MuV+tbUrU1zIOPMxZ5EncGwgmMJsa+9ucAQZXxsObs= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= -github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b/go.mod h1:HptNXiXVDcJjXe9SqMd0v2FsL9f8dz4GnXgltU6q/co= github.com/yashtewari/glob-intersection v0.1.0 h1:6gJvMYQlTDOL3dMsPF6J0+26vwX9MB8/1q3uAdhmTrg= github.com/yashtewari/glob-intersection v0.1.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok= github.com/yeya24/promlinter v0.1.0/go.mod h1:rs5vtZzeBHqqMwXqFScncpCF6u06lezhZepno9AB1Oc= github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA= -github.com/ysmood/goob v0.3.0/go.mod h1:S3lq113Y91y1UBf1wj1pFOxeahvfKkCk6mTWTWbDdWs= github.com/ysmood/goob v0.4.0 h1:HsxXhyLBeGzWXnqVKtmT9qM7EuVs/XOgkX7T6r1o1AQ= -github.com/ysmood/got v0.15.1/go.mod h1:pE1l4LOwOBhQg6A/8IAatkGp7uZjnalzrZolnlhhMgY= -github.com/ysmood/gotrace v0.2.2/go.mod h1:TzhIG7nHDry5//eYZDYcTzuJLYQIkykJzCRIo4/dzQM= -github.com/ysmood/gson v0.6.4/go.mod h1:3Kzs5zDl21g5F/BlLTNcuAGAYLKt2lV5G8D1zF3RNmg= -github.com/ysmood/gson v0.7.1 h1:zKL2MTGtynxdBdlZjyGsvEOZ7dkxaY5TH6QhAbTgz0Q= -github.com/ysmood/leakless v0.7.0 h1:XCGdaPExyoreoQd+H5qgxM3ReNbSPFsEXpSKwbXbwQw= -github.com/ysmood/leakless v0.7.0/go.mod h1:R8iAXPRaG97QJwqxs74RdwzcRHT1SWCGTNqY8q0JvMQ= +github.com/ysmood/gson v0.7.2 h1:1iWUvpi5DPvd2j59W7ifRPR9DiAZ3Ga+fmMl1mJrRbM= +github.com/ysmood/leakless v0.8.0 h1:BzLrVoiwxikpgEQR0Lk8NyBN5Cit2b1z+u0mgL4ZJak= github.com/yudai/gojsondiff v1.0.0/go.mod h1:AY32+k2cwILAkW1fbgxQ5mUmMiZFgLIV+FBNExI05xg= github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82/go.mod h1:lgjkn3NuSvDfVJdfcVVdX+jpBxNmX4rDAzaS45IcYoM= github.com/yudai/pp v2.0.1+incompatible/go.mod h1:PuxR/8QJ7cyCkFp/aUDS+JY727OFEZkTdatxwunjIkc= 
github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.1.30/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= @@ -2308,11 +1833,7 @@ github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1 github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yusufpapurcu/wmi v1.2.2 h1:KBNDSne4vP5mbSWnJbO+51IMOXJB67QiYCSBrubbPRg= github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= -github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs= -github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA= -github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg= github.com/zalando/go-keyring v0.1.0/go.mod h1:RaxNwUITJaHVdQ0VC7pELPZ3tOWn13nr0gZMZEhpVU0= -github.com/zalando/go-keyring v0.1.1/go.mod h1:OIC+OZ28XbmwFxU/Rp9V7eKzZjamBJwRzC8UFJH9+L8= github.com/zeebo/errs v1.2.2/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs= github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= 
@@ -2325,66 +1846,61 @@ go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU= go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4= go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= go.etcd.io/etcd v0.0.0-20200513171258-e048e166ab9c/go.mod h1:xCI7ZzBfRuGgBXyXO6yfWfDmlWd35khcWpUa4L0xI/k= -go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489/go.mod h1:yVHk9ub3CSBatqGNg7GRmsnfLWtoW60w4eDYfh7vHDg= go.etcd.io/etcd/api/v3 v3.5.0-alpha.0/go.mod h1:mPcW6aZJukV6Aa81LSKpBjQXTWlXB5r74ymPoSWa3Sw= go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= -go.etcd.io/etcd/api/v3 v3.5.1/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= -go.etcd.io/etcd/api/v3 v3.5.4 h1:OHVyt3TopwtUQ2GKdd5wu3PmmipR4FTwCqoEjSyRdIc= go.etcd.io/etcd/api/v3 v3.5.4/go.mod h1:5GB2vv4A4AOn3yk7MftYGHkUfGtDHnEraIjym4dYz5A= +go.etcd.io/etcd/api/v3 v3.6.0-alpha.0 h1:se+XckWlVTTfwjZSsAZJ2zGPzmIMq3j7fKBCmHoB9UA= +go.etcd.io/etcd/api/v3 v3.6.0-alpha.0/go.mod h1:z13pg39zewDLZeXIKeM0xELOeFKcqjLocfwl5M820+w= go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= -go.etcd.io/etcd/client/pkg/v3 v3.5.1/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= -go.etcd.io/etcd/client/pkg/v3 v3.5.4 h1:lrneYvz923dvC14R54XcA7FXoZ3mlGZAgmwhfm7HqOg= go.etcd.io/etcd/client/pkg/v3 v3.5.4/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= +go.etcd.io/etcd/client/pkg/v3 v3.6.0-alpha.0 h1:2UyRzFWbZZzgu/xzxoRukgixvafiJtGyxO+3IKUyJ6c= +go.etcd.io/etcd/client/pkg/v3 v3.6.0-alpha.0/go.mod h1:Vl/FkH40bHqmBFwhr8WVKtV47neyts36zl1voccRq8s= go.etcd.io/etcd/client/v2 v2.305.0-alpha.0/go.mod h1:kdV+xzCJ3luEBSIeQyB/OEKkWKd8Zkux4sbDeANrosU= go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= -go.etcd.io/etcd/client/v2 v2.305.1/go.mod h1:pMEacxZW7o8pg4CrFE7pquyCJJzZvkvdD2RibOCCCGs= -go.etcd.io/etcd/client/v2 v2.305.4 
h1:Dcx3/MYyfKcPNLpR4VVQUP5KgYrBeJtktBwEKkw08Ao= go.etcd.io/etcd/client/v2 v2.305.4/go.mod h1:Ud+VUwIi9/uQHOMA+4ekToJ12lTxlv0zB/+DHwTGEbU= +go.etcd.io/etcd/client/v2 v2.306.0-alpha.0 h1:9VRJ698EFIMfjOQtcjKMM7CWXOIxp9R4I8JA1mk+WT4= +go.etcd.io/etcd/client/v2 v2.306.0-alpha.0/go.mod h1:eW78BCfOzS1HJgTNzDrb2E6xV1p6kqlpLpKkz7ErzCs= go.etcd.io/etcd/client/v3 v3.5.0-alpha.0/go.mod h1:wKt7jgDgf/OfKiYmCq5WFGxOFAkVMLxiiXgLDFhECr8= go.etcd.io/etcd/client/v3 v3.5.0/go.mod h1:AIKXXVX/DQXtfTEqBryiLTUXwON+GuvO6Z7lLS/oTh0= -go.etcd.io/etcd/client/v3 v3.5.4 h1:p83BUL3tAYS0OT/r0qglgc3M1JjhM0diV8DSWAhVXv4= go.etcd.io/etcd/client/v3 v3.5.4/go.mod h1:ZaRkVgBZC+L+dLCjTcF1hRXpgZXQPOvnA/Ak/gq3kiY= +go.etcd.io/etcd/client/v3 v3.6.0-alpha.0 h1:hHaJ8CvTPJ9iv7xPz3G0gxt3csEqJW8evgty/kYICwo= +go.etcd.io/etcd/client/v3 v3.6.0-alpha.0/go.mod h1:a9JuChoQBDnw7WclHYBYCtTOIC12Wwj+Fw0LX4TI/Gs= go.etcd.io/etcd/etcdctl/v3 v3.5.0-alpha.0/go.mod h1:YPwSaBciV5G6Gpt435AasAG3ROetZsKNUzibRa/++oo= -go.etcd.io/etcd/etcdctl/v3 v3.5.0/go.mod h1:vGTfKdsh87RI7kA2JHFBEGxjQEYx+pi299wqEOdi34M= -go.etcd.io/etcd/etcdctl/v3 v3.5.4 h1:LVFzhocId7Vb8SqK3YanpW0rKjlvtkN80ShJpcBDDZk= go.etcd.io/etcd/etcdctl/v3 v3.5.4/go.mod h1:SMZep1Aj7sUmMSBCHTjkZL/Yw36Vx5Ux61fKbopbb5U= -go.etcd.io/etcd/etcdutl/v3 v3.5.0/go.mod h1:o98rKMCibbFAG8QS9KmvlYDGDShmmIbmRE8vSofzYNg= -go.etcd.io/etcd/etcdutl/v3 v3.5.4 h1:TeQGkpXMGnQ+Tgn/dB5yuADyeSZatehBBy6XXSxnO7U= +go.etcd.io/etcd/etcdctl/v3 v3.6.0-alpha.0 h1:3J+c4Av+pF7dBMAnxZVMrfCCMTaBz4CGJ8En3sZMNME= +go.etcd.io/etcd/etcdctl/v3 v3.6.0-alpha.0/go.mod h1:0ugckElRKx3OrV15/WAylLv2Ji67QxXKTh9lytkOh8s= go.etcd.io/etcd/etcdutl/v3 v3.5.4/go.mod h1:eK9eZfI/BxDQCztpuaJ1E/ufYpMw2Y16dPX1azGWrBU= +go.etcd.io/etcd/etcdutl/v3 v3.6.0-alpha.0 h1:DZwDkrq/z5nHxXtovJMk9fyR6Nc+pwCJt25ptlFta24= +go.etcd.io/etcd/etcdutl/v3 v3.6.0-alpha.0/go.mod h1:0ILo94EKC+jgp/IMfxePlfJD1OVtMVfgTQ/xM8+joOA= go.etcd.io/etcd/pkg/v3 v3.5.0-alpha.0/go.mod h1:tV31atvwzcybuqejDoY3oaNRTtlD2l/Ot78Pc9w7DMY= go.etcd.io/etcd/pkg/v3 v3.5.0/go.mod 
h1:UzJGatBQ1lXChBkQF0AuAtkRQMYnHubxAEYIrC3MSsE= -go.etcd.io/etcd/pkg/v3 v3.5.4 h1:V5Dvl7S39ZDwjkKqJG2BfXgxZ3QREqqKifWQgIw5IM0= go.etcd.io/etcd/pkg/v3 v3.5.4/go.mod h1:OI+TtO+Aa3nhQSppMbwE4ld3uF1/fqqwbpfndbbrEe0= +go.etcd.io/etcd/pkg/v3 v3.6.0-alpha.0 h1:cV/VsaYde/tcc2G9aHN5DQwx6CtUsWSEW4UqYzXuyyk= +go.etcd.io/etcd/pkg/v3 v3.6.0-alpha.0/go.mod h1:tXqWms0MpOJAS6L0B9nhFqZr0C/WEYzj/OtN90G8xzo= go.etcd.io/etcd/raft/v3 v3.5.0-alpha.0/go.mod h1:FAwse6Zlm5v4tEWZaTjmNhe17Int4Oxbu7+2r0DiD3w= go.etcd.io/etcd/raft/v3 v3.5.0/go.mod h1:UFOHSIvO/nKwd4lhkwabrTD3cqW5yVyYYf/KlD00Szc= -go.etcd.io/etcd/raft/v3 v3.5.4 h1:YGrnAgRfgXloBNuqa+oBI/aRZMcK/1GS6trJePJ/Gqc= go.etcd.io/etcd/raft/v3 v3.5.4/go.mod h1:SCuunjYvZFC0fBX0vxMSPjuZmpcSk+XaAcMrD6Do03w= +go.etcd.io/etcd/raft/v3 v3.6.0-alpha.0 h1:BQ6CnNP4pIpy5rusFlTBxAacDgPXhuiHFwoTsBNsVpI= +go.etcd.io/etcd/raft/v3 v3.6.0-alpha.0/go.mod h1:/kZdrBXlc5fUgYXfIEQ0B5sb7ejXPKbtF4jWzF1exiQ= go.etcd.io/etcd/server/v3 v3.5.0-alpha.0/go.mod h1:tsKetYpt980ZTpzl/gb+UOJj9RkIyCb1u4wjzMg90BQ= go.etcd.io/etcd/server/v3 v3.5.0/go.mod h1:3Ah5ruV+M+7RZr0+Y/5mNLwC+eQlni+mQmOVdCRJoS4= -go.etcd.io/etcd/server/v3 v3.5.4 h1:CMAZd0g8Bn5NRhynW6pKhc4FRg41/0QYy3d7aNm9874= go.etcd.io/etcd/server/v3 v3.5.4/go.mod h1:S5/YTU15KxymM5l3T6b09sNOHPXqGYIZStpuuGbb65c= +go.etcd.io/etcd/server/v3 v3.6.0-alpha.0 h1:BQUVqBqNFZZyrRbfydrRLzq9hYvCcRj97SsX1YwD7CA= +go.etcd.io/etcd/server/v3 v3.6.0-alpha.0/go.mod h1:3QM2rLq3B3hSXmVEvgVt3vEEbG/AumSs0Is7EgrlKzU= go.etcd.io/etcd/tests/v3 v3.5.0-alpha.0/go.mod h1:HnrHxjyCuZ8YDt8PYVyQQ5d1ZQfzJVEtQWllr5Vp/30= -go.etcd.io/etcd/tests/v3 v3.5.0/go.mod h1:f+mtZ1bE1YPvgKdOJV2BKy4JQW0nAFnQehgOE7+WyJE= -go.etcd.io/etcd/tests/v3 v3.5.4 h1:wiYG8vbDwZO2UatQE9Z3GIv2z52jGg5DvEkTDXm090c= go.etcd.io/etcd/tests/v3 v3.5.4/go.mod h1:ymig8LjkI1zqAxxMsl+nntzG21dND2hh0UQXl9BaJP8= +go.etcd.io/etcd/tests/v3 v3.6.0-alpha.0 h1:3qrZ3p/E7CxdV1kKtAU75hHOcUoXcSTwC7ELKWyzMJo= +go.etcd.io/etcd/tests/v3 v3.6.0-alpha.0/go.mod h1:hFQkP/cTsZIXXvUv+BsGHZ3TK+76XZMi5GToYA94iac= 
go.etcd.io/etcd/v3 v3.5.0-alpha.0/go.mod h1:JZ79d3LV6NUfPjUxXrpiFAYcjhT+06qqw+i28snx8To= -go.etcd.io/etcd/v3 v3.5.0/go.mod h1:FldM0/VzcxYWLvWx1sdA7ghKw7C3L2DvUTzGrcEtsC4= -go.etcd.io/etcd/v3 v3.5.4 h1:IWyDYI27KTWKGv1OS0Hzysr6514E6e7qfRUVpzr4YFQ= go.etcd.io/etcd/v3 v3.5.4/go.mod h1:c6jK4IfuWwJU26FD9SeI4cAtvlfu9Iacaxu0vRses1k= -go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= -go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= -go.mongodb.org/mongo-driver v1.3.0/go.mod h1:MSWZXKOynuguX+JSvwP8i+58jYCXxbia8HS3gZBapIE= -go.mongodb.org/mongo-driver v1.3.4/go.mod h1:MSWZXKOynuguX+JSvwP8i+58jYCXxbia8HS3gZBapIE= -go.mongodb.org/mongo-driver v1.4.3/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= -go.mongodb.org/mongo-driver v1.4.4/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= -go.mongodb.org/mongo-driver v1.4.6/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= -go.mongodb.org/mongo-driver v1.5.1/go.mod h1:gRXCHX4Jo7J0IJ1oDQyUxF7jfy19UfxniMS4xxMmUqw= +go.etcd.io/etcd/v3 v3.6.0-alpha.0 h1:c4c3xHs9tG097KtpLfBQJSD6c70xgEZbwkoj3gF6As4= +go.etcd.io/etcd/v3 v3.6.0-alpha.0/go.mod h1:9ERPHHuSr8Ho66trD/4f3+vSeqI/hk4loUSFUwj6Zcg= go.mongodb.org/mongo-driver v1.7.3/go.mod h1:NqaYOwnXWr5Pm7AOpO5QFxKJ503nbMse/R79oO62zWg= go.mongodb.org/mongo-driver v1.7.5/go.mod h1:VXEWRZ6URJIkUq2SCAyapmhH0ZLRBP+FT4xhp5Zvxng= -go.mongodb.org/mongo-driver v1.8.3 h1:TDKlTkGDKm9kkJVUOAXDK5/fkqKHJVwYQSpoRfB43R4= go.mongodb.org/mongo-driver v1.8.3/go.mod h1:0sQWfOeY63QTntERDJJ/0SuKK0T1uVSgKCuAROlKEPY= +go.mongodb.org/mongo-driver v1.10.0 h1:UtV6N5k14upNp4LTduX0QCufG124fSu25Wz9tu94GLg= +go.mongodb.org/mongo-driver v1.10.0/go.mod h1:wsihk0Kdgv8Kqu1Anit4sfK+22vSFbUrAVEYRhCXrA8= go.mozilla.org/mozlog v0.0.0-20170222151521-4bb13139d403/go.mod h1:jHoPAGnDrCy6kaI2tAze5Prf0Nr0w/oNkROt2lw3n3o= -go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= go.opencensus.io 
v0.15.0/go.mod h1:UffZAU+4sDEINUGP/B7UfBBkq4fqLu9zXAX7ke6CHW0= go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= 
@@ -2394,36 +1910,41 @@ go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= -go.opencensus.io v0.22.6/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc= go.opentelemetry.io/contrib v1.6.0 h1:xJawAzMuR3s4Au5p/ABHqYFychHjK2AHB9JvkBuBbTA= go.opentelemetry.io/contrib v1.6.0/go.mod h1:FlyPNX9s4U6MCsWEc5YAK4KzKNHFDsjrDUZijJiXvy8= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0 h1:sO4WKdPAudZGKPcpZT4MJn6JaDmpyLrMPDGGyA1SttE= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.28.0 h1:Ky1MObd188aGbgb5OgNnwGuEEwI9MVIcc7rBW6zk5Ak= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.28.0/go.mod h1:vEhqr0m4eTc+DWxfsXoXue2GBgV2uUwVznkGIHW/e5w= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:2AboqHi0CiIZU0qwhtUfCYD1GeUzvvIXWNkhDt7ZMG4= go.opentelemetry.io/contrib/propagators v0.19.0 h1:HrixVNZYFjUl/Db+Tr3DhqzLsVW9GeVf/Gye+C5dNUY= -go.opentelemetry.io/otel v0.20.0 h1:eaP0Fqu7SXHwvjiqDq83zImeehOHX8doTvU9AwXON8g= go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo= -go.opentelemetry.io/otel/exporters/otlp v0.20.0 h1:PTNgq9MRmQqqJY0REVbZFvwkYOA85vbdQU/nVfxDyqg= +go.opentelemetry.io/otel v1.3.0/go.mod h1:PWIKzi6JCp7sM0k9yZ43VX+T345uNbAkDKwHVjb2PTs= +go.opentelemetry.io/otel v1.7.0 
h1:Z2lA3Tdch0iDcrhJXDIlC94XE+bxok1F9B+4Lz/lGsM= +go.opentelemetry.io/otel v1.7.0/go.mod h1:5BdUoMIz5WEs0vt0CUEMtSSaTSHBBVwrhnz7+nrD5xk= go.opentelemetry.io/otel/exporters/otlp v0.20.0/go.mod h1:YIieizyaN77rtLJra0buKiNBOm9XQfkPEKBeuhoMwAM= -go.opentelemetry.io/otel/metric v0.20.0 h1:4kzhXFP+btKm4jwxpjIqjs41A7MakRFUS86bqLHTIw8= +go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.7.0 h1:7Yxsak1q4XrJ5y7XBnNwqWx9amMZvoidCctv62XOQ6Y= +go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.7.0/go.mod h1:M1hVZHNxcbkAlcvrOMlpQ4YOO3Awf+4N2dxkZL3xm04= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.7.0 h1:cMDtmgJ5FpRvqx9x2Aq+Mm0O6K/zcUkH73SFz20TuBw= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.7.0/go.mod h1:ceUgdyfNv4h4gLxHR0WNfDiiVmZFodZhZSbOLhpxqXE= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.7.0 h1:MFAyzUPrTwLOwCi+cltN0ZVyy4phU41lwH+lyMyQTS4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.7.0/go.mod h1:E+/KKhwOSw8yoPxSSuUHG6vKppkvhN+S1Jc7Nib3k3o= go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU= -go.opentelemetry.io/otel/oteltest v0.20.0 h1:HiITxCawalo5vQzdHfKeZurV8x7ljcqAgiWzF6Vaeaw= go.opentelemetry.io/otel/oteltest v0.20.0/go.mod h1:L7bgKf9ZB7qCwT9Up7i9/pn0PWIa9FqQ2IQ8LoxiGnw= -go.opentelemetry.io/otel/sdk v0.20.0 h1:JsxtGXd06J8jrnya7fdI/U/MR6yXA5DtbZy+qoHQlr8= go.opentelemetry.io/otel/sdk v0.20.0/go.mod h1:g/IcepuwNsoiX5Byy2nNV0ySUF1em498m7hBWC279Yc= -go.opentelemetry.io/otel/sdk/export/metric v0.20.0 h1:c5VRjxCXdQlx1HjzwGdQHzZaVI82b5EbBgOu2ljD92g= +go.opentelemetry.io/otel/sdk v1.7.0 h1:4OmStpcKVOfvDOgCt7UriAPtKolwIhxpnSNI/yK+1B0= +go.opentelemetry.io/otel/sdk v1.7.0/go.mod h1:uTEOTwaqIVuTGiJN7ii13Ibp75wJmYUDe374q6cZwUU= go.opentelemetry.io/otel/sdk/export/metric v0.20.0/go.mod h1:h7RBNMsDJ5pmI1zExLi+bJK+Dr8NQCh0qGhm1KDnNlE= -go.opentelemetry.io/otel/sdk/metric v0.20.0 h1:7ao1wpzHRVKf0OQ7GIxiQJA6X7DLX9o14gmVon7mMK8= go.opentelemetry.io/otel/sdk/metric 
v0.20.0/go.mod h1:knxiS8Xd4E/N+ZqKmUPf3gTTZ4/0TjTXukfxjzSTpHE= -go.opentelemetry.io/otel/trace v0.20.0 h1:1DL6EXUdcg95gukhuRRvLDO/4X5THh/5dIV52lqtnbw= go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw= +go.opentelemetry.io/otel/trace v1.3.0/go.mod h1:c/VDhno8888bvQYmbYLqe41/Ldmr/KKunbvWM4/fEjk= +go.opentelemetry.io/otel/trace v1.7.0 h1:O37Iogk1lEkMRXewVtZ1BBTVn5JEp8GrJvP92bJqC6o= +go.opentelemetry.io/otel/trace v1.7.0/go.mod h1:fzLSB9nqR2eXzxPXb2JW9IKE+ScyXA48yyE4TNvoHqU= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= -go.opentelemetry.io/proto/otlp v0.12.0 h1:CMJ/3Wp7iOWES+CYLfnBv+DVmPbB+kmy9PJ92XvlR6c= -go.opentelemetry.io/proto/otlp v0.12.0/go.mod h1:TsIjwGWIx5VFYv9KGVlOpxoBl5Dy+63SUguV7GGvlSQ= -go.step.sm/crypto v0.14.0/go.mod h1:3G0yQr5lQqfEG0CMYz8apC/qMtjLRQlzflL2AxkcN+g= +go.opentelemetry.io/proto/otlp v0.16.0 h1:WHzDWdXUvbc5bG2ObdrGfaNpQz7ft7QN9HHmJlbiB1E= +go.opentelemetry.io/proto/otlp v0.16.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= 
@@ -2432,18 +1953,15 @@ go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ= go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= -go.uber.org/automaxprocs v1.4.0/go.mod h1:/mTEdr7LvHhs0v7mjdxDreTz1OG5zdZGqgOnhWiR/+Q= go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= -go.uber.org/goleak v1.1.11-0.20210813005559-691160354723/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= -go.uber.org/goleak v1.1.12 h1:gZAh5/EyT/HQwlpkCy6wTpqfH9H8Lz8zbm3dZh+OyzA= go.uber.org/goleak v1.1.12/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= +go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= go.uber.org/multierr v1.4.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= -go.uber.org/multierr v1.7.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak= go.uber.org/multierr v1.8.0 h1:dg6GjLku4EH+249NNmoIciG9N/jURbDG+pFlTkhzIC8= go.uber.org/multierr v1.8.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak= go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA= 
@@ -2453,31 +1971,22 @@ go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= go.uber.org/zap v1.16.0/go.mod h1:MA8QOfq0BHJwdXa996Y4dYkAqRKB8/1K1QMMZVaNZjQ= go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= -go.uber.org/zap v1.19.1/go.mod h1:j3DNczoxDZroyBnOT1L/Q79cfUMGZxlv/9dzN7SM1rI= -go.uber.org/zap v1.20.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw= go.uber.org/zap v1.21.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw= go.uber.org/zap v1.23.0 h1:OjGQ5KQDEUawVHxNwQgPpiypGHOxo2mNZsOqTak4fFY= go.uber.org/zap v1.23.0/go.mod h1:D+nX8jyLsMHMYrln8A0rJjFt/T/9/bGgIhAqxv5URuY= gocloud.dev v0.19.0/go.mod h1:SmKwiR8YwIMMJvQBKLsC3fHNyMwXLw3PMDO+VVteJMI= -gocloud.dev v0.24.1-0.20211119014450-028788aaaa4c/go.mod h1:EIJSlY7nvfeoWaV2GauF6es27gZfqtTVon47QFueoyE= -golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20180501155221-613d6eafa307/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20181009213950-7c1a557ab941/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod 
h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190530122614-20be4c3c3ed5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY= 
@@ -2485,11 +1994,12 @@ golang.org/x/crypto v0.0.0-20191002192127-34f69633bfdc/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191117063200-497ca9f6d64f/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20191205180655-e7c4368fe9dd/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20191219195013-becbf705a915/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200930160638-afb6bcd081ae/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 
@@ -2497,7 +2007,6 @@ golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= -golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= 
@@ -2505,15 +2014,13 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20211115234514-b4de73f9ece8/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20211202192323-5770296d904e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20211209193657-4570a0811e8b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220131195533-30dcbda58838/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa h1:zuSxTR4o9y82ebqCUJYNGJbGPo6sKVl54f/TVDObg1c= +golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220919173607-35f4265a4bc0 h1:a5Yg6ylndHHYJqIPrdq0AhvR6KTvDTAvgBtaidhEevY= +golang.org/x/crypto v0.0.0-20220919173607-35f4265a4bc0/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp 
v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -2525,6 +2032,8 @@ golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= golang.org/x/exp v0.0.0-20200331195152-e8c3332aa8e5/go.mod h1:4M0jN8W1tt0AVLNr8HDosyJCDCDuyL9N9+3m7wDWgKw= +golang.org/x/exp v0.0.0-20220823124025-807a23277127 h1:S4NrSKDfihhl3+4jSTgwoIevKxX9p7Iv9x++OEIptDo= +golang.org/x/exp v0.0.0-20220823124025-807a23277127/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= @@ -2551,7 +2060,6 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= -golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= 
@@ -2560,8 +2068,6 @@ golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73r golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181005035420-146acd28ed58/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181011144130-49bb7cea24b1/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181108082009-03003ca0c849/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -2571,7 +2077,6 @@ golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73r golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190320064053-1272bf9dcd53/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 
@@ -2586,8 +2091,6 @@ golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191002035440-2ec189313ef0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191112182307-2180aed22343/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191119073136-fc4aabc6c914/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
@@ -2598,18 +2101,14 @@ golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200505041828-1ed23360d12c/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200602114024-627f9648deb9/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200813134508-3edf25e44fcc/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200930145003-4acb6c075d10/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20201006153459-a7d1128ccaa0/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod 
h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= @@ -2620,7 +2119,6 @@ golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8= golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM= golang.org/x/net v0.0.0-20210423184538-5f58ad60dda6/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= 
@@ -2628,19 +2126,12 @@ golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210610132358-84b48f89b13b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211020060615-d418f374d309/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211111083644-e5c967477495/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211118161319-6a13c67c3ce4/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211123203042-d83791d6bcd9/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211208012354-db4efeb81f4b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20220127074510-2fabfed7e28f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod 
h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= @@ -2649,6 +2140,7 @@ golang.org/x/net v0.0.0-20220421235706-1d1ef9303861/go.mod h1:CfG3xpIq0wQ8r1q4Su golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.0.0-20220907135653-1e95f45603a7/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.0.0-20221014081412-f15817d10f9b h1:tvrvnPFcdzp294diPnrdZZZ8XUt2Tyj7svb7X52iDuU= golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= @@ -2662,7 +2154,6 @@ golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4Iltr golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210126194326-f9ce19ea3013/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= 
@@ -2712,25 +2203,17 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190321052220-f7bb7a8bee54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190419153524-e8e3143a4f4a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190522044717-8097e1b27ff5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190531175056-4c3a928424d2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190602015325-4c4f7f33c9ed/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190620070143-6f217b454f45/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190812073006-9eafafc0a87e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -2740,57 +2223,41 @@ golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191112214154-59a1497f0cea/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191119060738-e882bf8e40c2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191210023423-ac6580df4449/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191220142924-d4481acd189f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200120151820-655fe14d7479/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200509044756-6aff5f38e54f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys 
v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200817155316-9781c653f443/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200828194041-157a740278f4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200916030750-2334cc1a136f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200922070232-aee5d888a860/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201005172224-997123666555/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201117170446-d9b008d0a637/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201202213521-69691e467435/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -2798,19 +2265,16 @@ golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210412220455-f1c623a9e750/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210503080704-8803ae5d1324/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -2834,12 +2298,7 @@ golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211013075003-97ac67df715c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211110154304-99a53858aa08/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211117180635-dee7805ff2e1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -2856,13 +2315,15 @@ golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220907062415-87db552b00fd h1:AZeIEzg+8RCELJYq8w+ODLVxFgLMMigSwO/ffKPEd9U= golang.org/x/sys v0.0.0-20220907062415-87db552b00fd/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8 h1:h+EGohizhe9XlX18rfpa8k8RAc5XyaeamM+0VHRd4lc= +golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 h1:CBpWXWQpIRjzmkkA+M7q9Fqnwd2mZr3AFqexg8YTfoM= +golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -2871,8 +2332,9 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.3.8-0.20211004125949-5bd84dd9b33b h1:NXqSWXSRUSCaFuvitrWtU169I3876zRTalMRbfd6LL0= +golang.org/x/text v0.3.8-0.20211004125949-5bd84dd9b33b/go.mod h1:EFNZuWvGYxIRUEX+K8UmCFwYmZjqcrnq15ZuVldZkZ0= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -2881,7 +2343,6 @@ golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20220411224347-583f2d630306/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 h1:ftMN5LMiBFjbzleLqtoBZk7KdJwhuybIU+FckUHgoyQ= golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -2892,7 +2353,6 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190110163146-51295c7ec13a/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190125232054-d66bd3c5d5a6/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= golang.org/x/tools v0.0.0-20190307163923-6a08e3108db3/go.mod h1:25r3+/G6/xytQM8iWZKq3Hn0kr0rgFKPUNVEL/dr3z4= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= @@ -2912,8 +2372,6 @@ golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBn golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190531172133-b3315ee88b7d/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190617190820-da514acc4774/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= 
@@ -2959,6 +2417,7 @@ golang.org/x/tools v0.0.0-20200422022333-3d57cf2e726e/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20200426102838-f3a5411a4c3b/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200509030707-2212a7e161a5/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200522201501-cb1345f3a375/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= @@ -2996,7 +2455,6 @@ golang.org/x/tools v0.0.0-20210104081019-d8d6ddbec6ee/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210112230658-8b4aab62c064/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.1-0.20210205202024-ef80cdb6ec6d/go.mod h1:9bzcO0MWcOuT0tm1iBGzDVPshzfwoVvREIui8C+MHqU= golang.org/x/tools v0.1.1-0.20210302220138-2ac05c832e1a/go.mod h1:9bzcO0MWcOuT0tm1iBGzDVPshzfwoVvREIui8C+MHqU= 
@@ -3008,7 +2466,6 @@ golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.6-0.20210820212750-d4cc65f0b2ff/go.mod h1:YD9qOF0M9xpSpdWTBbzEl5e/RnCefISl8E5Noe10jFM= golang.org/x/tools v0.1.6/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= -golang.org/x/tools v0.1.8/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU= golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E= golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= @@ -3025,7 +2482,6 @@ golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3j golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY= gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY= -google.golang.org/api v0.0.0-20160322025152-9bf6e6e569ff/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0= google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.5.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= 
@@ -3048,7 +2504,6 @@ google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSr google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= -google.golang.org/api v0.37.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= @@ -3065,12 +2520,9 @@ google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqiv google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI= google.golang.org/api v0.58.0/go.mod h1:cAbP2FsxoGVNwtgNAmmn3y5G1TWAiVYRmg4yku3lv+E= google.golang.org/api v0.59.0/go.mod h1:sT2boj7M9YJxZzgeZqXogmhfmRWDtPzT31xkieUbuZU= -google.golang.org/api v0.60.0/go.mod h1:d7rl65NZAkEQ90JFzqBjcRq1TVeG5ZoGV3sSpEnnVb4= google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I= -google.golang.org/api v0.62.0/go.mod h1:dKmwPCydfsad4qCH08MSdgWjfHOyfpd4VtDGgRFdavw= google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo= google.golang.org/api v0.64.0/go.mod h1:931CdxA8Rm4t6zqTFGSsgwbAEZ2+GMYurbndwSimebM= -google.golang.org/api v0.65.0/go.mod h1:ArYhxgGadlWmqO1IqVujw6Cs8IdD33bTmzKo2Sh+cbg= google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g= google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/SkfA= google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8= 
@@ -3096,7 +2548,6 @@ google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCID google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8/go.mod h1:0H1ncTHf11KCFhTc/+EFRbzSCOZx+VUbRMk55Yv5MYk= google.golang.org/genproto v0.0.0-20170818010345-ee236bd376b0/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20181107211654-5fc9ac540362/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= @@ -3105,7 +2556,6 @@ google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRn google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190508193815-b515fa19cec8/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190522204451-c2c4e71fbf69/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s= google.golang.org/genproto v0.0.0-20190530194941-fb225487d101/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s= google.golang.org/genproto v0.0.0-20190620144150-6af8c5fc6601/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s= google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= 
@@ -3117,7 +2567,6 @@ google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvx google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200117163144-32f20d992d24/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 
@@ -3142,12 +2591,10 @@ google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210126160654-44e461bb6506/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 
@@ -3163,7 +2610,6 @@ google.golang.org/genproto v0.0.0-20210420162539-3c870d7478d2/go.mod h1:P3QM42oQ google.golang.org/genproto v0.0.0-20210427215850-f767ed18ee4d/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= google.golang.org/genproto v0.0.0-20210429181445-86c259c2b4ab/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= -google.golang.org/genproto v0.0.0-20210517163617-5e0236093d7a/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= 
@@ -3182,20 +2628,12 @@ google.golang.org/genproto v0.0.0-20210917145530-b395a37504d4/go.mod h1:eFjDcFEc google.golang.org/genproto v0.0.0-20210921142501-181ce0d877f6/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211008145708-270636b82663/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211016002631-37fc39342514/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211018162055-cf77aa76bad2/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211019152133-63b7e35f4404/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211021150943-2b146023228c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211028162531-8db9c33dc351/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211129164237-f09f9a12af12/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211203200212-54befc351ae9/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211207154714-918901c715cf/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211223182754-3ac035c7e7cb/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= 
-google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20220111164026-67b88f271998/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20220207164111-0872dc986b00/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= @@ -3209,6 +2647,7 @@ google.golang.org/genproto v0.0.0-20220413183235-5e96e2839df9/go.mod h1:8w6bsBMX google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= google.golang.org/genproto v0.0.0-20220422154200-b37d22cd5731/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= +google.golang.org/genproto v0.0.0-20220426171045-31bebdecfb46/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= 
@@ -3222,7 +2661,6 @@ google.golang.org/genproto v0.0.0-20220804142021-4e6b2dfa6612/go.mod h1:iHe1svFL google.golang.org/genproto v0.0.0-20220902135211-223410557253/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a h1:GH6UPn3ixhWcKDhpnEC55S75cerLPdpp3hrhfKYjZgw= google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= -google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= @@ -3258,9 +2696,7 @@ google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= -google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k= google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= -google.golang.org/grpc v1.43.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= 
@@ -3290,11 +2726,9 @@ google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w= google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/alexcesaro/statsd.v2 v2.0.0 h1:FXkZSCZIH17vLCO5sO2UucTHsH9pc+17F6pl3JVCwMc= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20141024133853-64131543e789/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -3306,26 +2740,21 @@ gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qS gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= -gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo= -gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE= -gopkg.in/go-playground/validator.v9 v9.29.1/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ= gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:aPpfJ7XW+gOuirDoZ8gHhLh3kZ1B08FtV2bbmy7Jv3s= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/ini.v1 v1.56.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.63.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/ini.v1 v1.66.4 h1:SsAcf+mM7mRZo2nJNGt8mZCjG8ZRaNGMURJw7BsIST4= -gopkg.in/ini.v1 v1.66.4/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= +gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/linkedin/goavro.v1 v1.0.5/go.mod h1:Aw5GdAbizjOEl0kAMHV9iHmA8reZzW/OKuJAl4Hb9F0= gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8= gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= 
gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= -gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/square/go-jose.v2 v2.4.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= -gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/src-d/go-billy.v4 v4.3.2/go.mod h1:nDjArDMp+XMs1aFAESLRjfGSgfvoYN0hDfzEk0GjC98= @@ -3353,11 +2782,9 @@ gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= -gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= -gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= +gotest.tools/v3 v3.1.0 h1:rVV8Tcg/8jHUkPUorwjaMTtemIMVXfIPKiOqnhEhakk= honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
@@ -3368,84 +2795,54 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.5/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.2.1/go.mod h1:lPVVZ2BS5TfnjLyizF7o7hv7j9/L+8cZY2hLyjP9cGY= -k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo= -k8s.io/api v0.20.4/go.mod h1:++lNL1AJMkDymriNniQsWRkMDzRaX2Y/POTUi8yvqYQ= -k8s.io/api v0.20.6/go.mod h1:X9e8Qag6JV/bL5G6bU8sdVRltWKmdHsFUGS3eVndqE8= k8s.io/api v0.23.3/go.mod h1:w258XdGyvCmnBj/vGzQMj6kzdufJZVUwEM1U2fRJwSQ= k8s.io/api v0.25.3 h1:Q1v5UFfYe87vi5H7NU0p4RXC26PPMT8KOpr1TLQbCMQ= k8s.io/api v0.25.3/go.mod h1:o42gKscFrEVjHdQnyRenACrMtbuJsVdP+WVjqejfzmI= k8s.io/apiextensions-apiserver v0.25.0 h1:CJ9zlyXAbq0FIW8CD7HHyozCMBpDSiH7EdrSTCZcZFY= k8s.io/apiextensions-apiserver v0.25.0/go.mod h1:3pAjZiN4zw7R8aZC5gR0y3/vCkGlAjCazcg1me8iB/E= -k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= -k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= -k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc= k8s.io/apimachinery v0.23.3/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM= k8s.io/apimachinery v0.25.3 h1:7o9ium4uyUOM76t6aunP0nZuex7gDf8VGwkR5RcJnQc= k8s.io/apimachinery v0.25.3/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo= -k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU= -k8s.io/apiserver v0.20.4/go.mod h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM= -k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q= k8s.io/apiserver v0.23.3/go.mod h1:3HhsTmC+Pn+Jctw+Ow0LHA4dQ4oXrQ4XJDzrVDG64T4= -k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y= -k8s.io/client-go v0.20.4/go.mod h1:LiMv25ND1gLUdBeYxBIwKpkSC5IsozMMmOOeSJboP+k= -k8s.io/client-go v0.20.6/go.mod 
h1:nNQMnOvEUEsOzRRFIIkdmYOjAZrC8bgq0ExboWSU1I0= k8s.io/client-go v0.23.3/go.mod h1:47oMd+YvAOqZM7pcQ6neJtBiFH7alOyfunYN48VsmwE= k8s.io/client-go v0.25.3 h1:oB4Dyl8d6UbfDHD8Bv8evKylzs3BXzzufLiO27xuPs0= k8s.io/client-go v0.25.3/go.mod h1:t39LPczAIMwycjcXkVc+CB+PZV69jQuNx4um5ORDjQA= k8s.io/code-generator v0.23.3/go.mod h1:S0Q1JVA+kSzTI1oUvbKAxZY/DYbA/ZUb4Uknog12ETk= -k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk= -k8s.io/component-base v0.20.4/go.mod h1:t4p9EdiagbVCJKrQ1RsA5/V4rFQNDfRlevJajlGwgjI= -k8s.io/component-base v0.20.6/go.mod h1:6f1MPBAeI+mvuts3sIdtpjljHWBQ2cIy38oBIWMYnrM= k8s.io/component-base v0.23.3/go.mod h1:1Smc4C60rWG7d3HjSYpIwEbySQ3YWg0uzH5a2AtaTLg= k8s.io/component-base v0.25.2 h1:Nve/ZyHLUBHz1rqwkjXm/Re6IniNa5k7KgzxZpTfSQY= k8s.io/component-base v0.25.2/go.mod h1:90W21YMr+Yjg7MX+DohmZLzjsBtaxQDDwaX4YxDkl60= -k8s.io/cri-api v0.17.3/go.mod h1:X1sbHmuXhwaHs9xxYffLqJogVsnI+f6cPRcgPel7ywM= -k8s.io/cri-api v0.20.1/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= -k8s.io/cri-api v0.20.4/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= -k8s.io/cri-api v0.20.6/go.mod h1:ew44AjNXwyn1s0U4xCKGodU7J1HzBeZ1MpGrpa5r8Yc= -k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/klog/v2 v2.70.1 h1:7aaoSdahviPmR+XkS7FyxlkkXs6tHISSG03RxleQAVQ= k8s.io/klog/v2 v2.70.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-aggregator v0.23.3 h1:9IP+D+YzIbGor/TArN3pYf9Thj19wYhzLRGRrFaKFSs= k8s.io/kube-aggregator v0.23.3/go.mod 
h1:pt5QJ3QaIdhZzNlUvN5wndbM0LNT4BvhszGkzy2QdFo= -k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM= k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk= k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 h1:MQ8BAZPZlWk3S9K4a9NCkIFQtZShWqoha7snGixVgEA= k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU= -k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk= -k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed h1:jAne/RjBTyawwAy0utX5eqigAwz/lQhTmy+Hr/Cpue4= k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -knative.dev/pkg v0.0.0-20220325200448-1f7514acd0c2 h1:dJ1YKQ1IvCfxtYqS1dHm18VT153ntHi5uJsFVv7oxfc= -knative.dev/pkg v0.0.0-20220325200448-1f7514acd0c2/go.mod h1:5xt0nzCwxvQ2N4w71smY7pYm5nVrQ8qnRsMinSLVpio= mvdan.cc/gofumpt v0.1.1/go.mod h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48= mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc= mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4= mvdan.cc/unparam v0.0.0-20210104141923-aac4ce9116a7/go.mod h1:hBpJkZE8H/sb+VRFvw2+rBpHNsTBcvSpk61hr8mzXZE= -nhooyr.io/websocket v1.8.7/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0= pack.ag/amqp v0.11.2/go.mod h1:4/cbmt4EJXSKlG6LCfWHoqmN0uFdy5i/+YFz+fTfhV4= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= 
rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.14/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.15/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.27/go.mod h1:tq2nT0Kx7W+/f2JVE+zxYtUhdjuELJkVpNz+x/QN5R4= sigs.k8s.io/controller-runtime v0.13.0 h1:iqa5RNciy7ADWnIc8QxCbOX5FEKVR3uxVxKHRMc2WIQ= sigs.k8s.io/controller-runtime v0.13.0/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/release-utils v0.6.0 h1:wJDuzWJqPH4a5FAxAXE2aBvbB6UMIW7iYMhsKnIMQkA= -sigs.k8s.io/release-utils v0.6.0/go.mod h1:kR1/DuYCJ4covppUasYNcA11OixC9O37B/E0ejRfb+c= +sigs.k8s.io/release-utils v0.7.3 h1:6pS8x6c5RmdUgR9qcg1LO6hjUzuE4Yo9TGZ3DemrZdM= +sigs.k8s.io/release-utils v0.7.3/go.mod h1:n0mVez/1PZYZaZUTJmxewxH3RJ/Lf7JUDh7TG1CASOE= sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= -sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s.go b/pkg/agent/plugin/workloadattestor/k8s/k8s.go index d57f748376..0568e5cf24 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s.go 
+++ b/pkg/agent/plugin/workloadattestor/k8s/k8s.go @@ -48,13 +48,6 @@ func BuiltIn() catalog.BuiltIn { return builtin(New()) } -type containerLookup int - -const ( - containerInPod = iota - containerNotInPod -) - func builtin(p *Plugin) catalog.BuiltIn { return catalog.MakeBuiltIn(pluginName, workloadattestorv1.WorkloadAttestorPluginServer(p), @@ -167,6 +160,7 @@ type k8sConfig struct { KubeletCAPath string NodeName string ReloadInterval time.Duration + DisableContainerSelectors bool sigstoreConfig *sigstoreConfig @@ -228,6 +222,7 @@ func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestReque if err != nil { return nil, err } + podKnown := podUID != "" // Not a Kubernetes pod if containerID == "" { 
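Review bot: `DisableContainerSelectors` is added to `k8sConfig` without a comment, although it changes what attestation establishes about a workload. Per the `Attest` hunk later in this diff, enabling it drops the workload container selectors and lets pod selectors be returned when the pod UID is known but the container is not yet present in the pod status. I would document that on the field, e.g. `// DisableContainerSelectors omits container selectors; pod selectors may then be issued before the kubelet reports the workload container.` The struct starts and ends outside this hunk, so where the option is parsed and validated cannot be checked from here.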
@@ -252,32 +247,45 @@ func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestReque var attestResponse *workloadattestorv1.AttestResponse for _, item := range list.Items { item := item - if isNotPod(item.UID, podUID) { + if podKnown && item.UID != podUID { + // The pod holding the container is known. Skip unrelated pods. continue } - lookupStatus, lookup := lookUpContainerInPod(containerID, item.Status, log) - switch lookup { - case containerInPod: - if attestResponse != nil { - log.Warn("Two pods found with same container Id") - return nil, status.Error(codes.Internal, "two pods found with same container Id") + var selectorValues []string + + containerStatus, containerFound := lookUpContainerInPod(containerID, item.Status, log) + switch { + case containerFound: + // The workload container was found in this pod. Add pod + // selectors. Only add workload container selectors if + // container selectors have not been disabled. + selectorValues = append(selectorValues, getSelectorValuesFromPodInfo(&item, containerStatus)...) + if !config.DisableContainerSelectors { + selectorValues = append(selectorValues, getSelectorValuesFromWorkloadContainerStatus(containerStatus)...) } - selectors := getSelectorValuesFromPodInfo(&item, lookupStatus) - if p.config.sigstoreConfig != nil { - log.Debug("Attemping to get signature info for container", telemetry.ContainerName, lookupStatus.Name) - sigstoreSelectors, err := p.sigstore.AttestContainerSignatures(ctx, lookupStatus) + log.Debug("Attemping to get signature info for container", telemetry.ContainerName, containerStatus.Name) + sigstoreSelectors, err := p.sigstore.AttestContainerSignatures(ctx, containerStatus) if err != nil { log.Error("Error retrieving signature payload", "error", err) return nil, status.Errorf(codes.Internal, "error retrieving signature payload: %v", err) } - selectors = append(selectors, sigstoreSelectors...) + selectorValues = append(selectorValues, sigstoreSelectors...) 
} - attestResponse = &workloadattestorv1.AttestResponse{ - SelectorValues: selectors, + case podKnown && config.DisableContainerSelectors: + // The workload container was not found (i.e. not ready yet?) + // but the pod is known. If container selectors have been + // disabled, then allow the pod selectors to be used. + selectorValues = append(selectorValues, getSelectorValuesFromPodInfo(&item, containerStatus)...) + } + + if len(selectorValues) > 0 { + if attestResponse != nil { + log.Warn("Two pods found with same container Id") + return nil, status.Error(codes.Internal, "two pods found with same container Id") } - case containerNotInPod: + attestResponse = &workloadattestorv1.AttestResponse{SelectorValues: selectorValues} } } @@ -670,7 +678,7 @@ func (c *kubeletClient) GetPodList() (*corev1.PodList, error) { return out, nil } -func lookUpContainerInPod(containerID string, status corev1.PodStatus, log hclog.Logger) (*corev1.ContainerStatus, containerLookup) { +func lookUpContainerInPod(containerID string, status corev1.PodStatus, log hclog.Logger) (*corev1.ContainerStatus, bool) { for _, status := range status.ContainerStatuses { // TODO: should we be keying off of the status or is the lack of a // container id sufficient to know the container is not ready? @@ -687,7 +695,7 @@ func lookUpContainerInPod(containerID string, status corev1.PodStatus, log hclog } if containerID == containerURL.Host { - return &status, containerInPod + return &status, true } } 
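Review bot: In the new `case podKnown && config.DisableContainerSelectors:` branch, `containerStatus` is the nil that `lookUpContainerInPod` returns when the container is not found, and it is passed straight to `getSelectorValuesFromPodInfo(&item, containerStatus)`. That helper appears to still format `container-name:%s` from `status.Name` at this commit (the line is only removed by a later patch in this series), so the branch would panic on a nil dereference during attestation instead of returning pod selectors. The same line means the pod selector set still carries a container-level selector when `DisableContainerSelectors` is set, and `container-name` is emitted twice once `getSelectorValuesFromWorkloadContainerStatus` (added in the `@@ -769,6 +770,14 @@` hunk) is appended. Dropping the `status` parameter and the `container-name` entry from `getSelectorValuesFromPodInfo` in this same change would address all three. Attest's body starts and ends outside the hunk.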
@@ -707,16 +715,16 @@ func lookUpContainerInPod(containerID string, status corev1.PodStatus, log hclog } if containerID == containerURL.Host { - return &status, containerInPod + return &status, true } } - return nil, containerNotInPod + return nil, false } -func getPodImageIdentifiers(containerStatusArray []corev1.ContainerStatus) map[string]bool { +func getPodImageIdentifiers(containerStatuses ...corev1.ContainerStatus) map[string]struct{} { // Map is used purely to exclude duplicate selectors, value is unused. - podImages := make(map[string]bool) + podImages := make(map[string]struct{}) // Note that for each pod image we generate *2* matching selectors. // This is to support matching against ImageID, which has a SHA // docker.io/envoyproxy/envoy-alpine@sha256:bf862e5f5eca0a73e7e538224578c5cf867ce2be91b5eaed22afc153c00363eb @@ -725,18 +733,14 @@ func getPodImageIdentifiers(containerStatusArray []corev1.ContainerStatus) map[s // while also maintaining backwards compatibility and allowing for dynamic workload registration (k8s operator) // when the SHA is not yet known (e.g. before the image pull is initiated at workload creation time) // More info here: https://github.com/spiffe/spire/issues/2026 - for _, status := range containerStatusArray { - podImages[status.ImageID] = true - podImages[status.Image] = true + for _, containerStatus := range containerStatuses { + podImages[containerStatus.ImageID] = struct{}{} + podImages[containerStatus.Image] = struct{}{} } return podImages } func getSelectorValuesFromPodInfo(pod *corev1.Pod, status *corev1.ContainerStatus) []string { - podImageIdentifiers := getPodImageIdentifiers(pod.Status.ContainerStatuses) - podInitImageIdentifiers := getPodImageIdentifiers(pod.Status.InitContainerStatuses) - containerImageIdentifiers := getPodImageIdentifiers([]corev1.ContainerStatus{*status}) - selectorValues := []string{ fmt.Sprintf("sa:%s", pod.Spec.ServiceAccountName), fmt.Sprintf("ns:%s", pod.Namespace), 
@@ -748,13 +752,10 @@ func getSelectorValuesFromPodInfo(pod *corev1.Pod, status *corev1.ContainerStatu fmt.Sprintf("pod-init-image-count:%s", strconv.Itoa(len(pod.Status.InitContainerStatuses))), } - for containerImage := range containerImageIdentifiers { - selectorValues = append(selectorValues, fmt.Sprintf("container-image:%s", containerImage)) - } - for podImage := range podImageIdentifiers { + for podImage := range getPodImageIdentifiers(pod.Status.ContainerStatuses...) { selectorValues = append(selectorValues, fmt.Sprintf("pod-image:%s", podImage)) } - for podInitImage := range podInitImageIdentifiers { + for podInitImage := range getPodImageIdentifiers(pod.Status.InitContainerStatuses...) { selectorValues = append(selectorValues, fmt.Sprintf("pod-init-image:%s", podInitImage)) } @@ -769,6 +770,14 @@ func getSelectorValuesFromPodInfo(pod *corev1.Pod, status *corev1.ContainerStatu return selectorValues } +func getSelectorValuesFromWorkloadContainerStatus(status *corev1.ContainerStatus) []string { + selectorValues := []string{fmt.Sprintf("container-name:%s", status.Name)} + for containerImage := range getPodImageIdentifiers(*status) { + selectorValues = append(selectorValues, fmt.Sprintf("container-image:%s", containerImage)) + } + return selectorValues +} + func tryRead(r io.Reader) string { buf := make([]byte, 1024) n, _ := r.Read(buf) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index 15e2fade92..a81555e8ba 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go @@ -175,7 +175,3 @@ func canonicalizePodUID(uid string) types.UID { return r }, uid)) } - -func isNotPod(itemPodUID, podUID types.UID) bool { - return podUID != "" && itemPodUID != podUID -} diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index b755a2fc73..fd89c6744d 100644 
--- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go 
@@ -83,51 +83,6 @@ FwOGLt+I3+9beT0vo+pn9Rq0squewFYe3aJbwpkyfP2xOovQCdm4PC8y {Type: "k8s", Value: "container-name:blog"}, } testPodAndContainerSelectors = append(testPodSelectors, testContainerSelectors...) - - testSigstoreSelectors = []*common.Selector{ - {Type: "k8s", Value: "container-image:docker-pullable://localhost/spiffe/blog@sha256:0cfdaced91cb46dd7af48309799a3c351e4ca2d5e1ee9737ca0cbd932cb79898"}, - {Type: "k8s", Value: "container-image:localhost/spiffe/blog:latest"}, - {Type: "k8s", Value: "container-name:blog"}, - {Type: "k8s", Value: "docker://9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961:image-signature-subject:sigstore-subject"}, - {Type: "k8s", Value: "node-name:k8s-node-1"}, - {Type: "k8s", Value: "ns:default"}, - {Type: "k8s", Value: "pod-image-count:2"}, - {Type: "k8s", Value: "pod-image:docker-pullable://localhost/spiffe/blog@sha256:0cfdaced91cb46dd7af48309799a3c351e4ca2d5e1ee9737ca0cbd932cb79898"}, - {Type: "k8s", Value: "pod-image:docker-pullable://localhost/spiffe/ghostunnel@sha256:b2fc20676c92a433b9a91f3f4535faddec0c2c3613849ac12f02c1d5cfcd4c3a"}, - {Type: "k8s", Value: "pod-image:localhost/spiffe/blog:latest"}, - {Type: "k8s", Value: "pod-image:localhost/spiffe/ghostunnel:latest"}, - {Type: "k8s", Value: "pod-init-image-count:0"}, - {Type: "k8s", Value: "pod-label:k8s-app:blog"}, - {Type: "k8s", Value: "pod-label:version:v0"}, - {Type: "k8s", Value: "pod-name:blog-24ck7"}, - {Type: "k8s", Value: "pod-owner-uid:ReplicationController:2c401175-b29f-11e7-9350-020968147796"}, - {Type: "k8s", Value: "pod-owner:ReplicationController:blog"}, - {Type: "k8s", Value: "pod-uid:2c48913c-b29f-11e7-9350-020968147796"}, - {Type: "k8s", Value: "sa:default"}, - {Type: "k8s", Value: "sigstore-validation:passed"}, - } - - testSigstoreSkippedSelectors = []*common.Selector{ - {Type: "k8s", Value: "container-image:docker-pullable://localhost/spiffe/blog@sha256:0cfdaced91cb46dd7af48309799a3c351e4ca2d5e1ee9737ca0cbd932cb79898"}, - {Type: "k8s", 
Value: "container-image:localhost/spiffe/blog:latest"}, - {Type: "k8s", Value: "container-name:blog"}, - {Type: "k8s", Value: "node-name:k8s-node-1"}, - {Type: "k8s", Value: "ns:default"}, - {Type: "k8s", Value: "pod-image-count:2"}, - {Type: "k8s", Value: "pod-image:docker-pullable://localhost/spiffe/blog@sha256:0cfdaced91cb46dd7af48309799a3c351e4ca2d5e1ee9737ca0cbd932cb79898"}, - {Type: "k8s", Value: "pod-image:docker-pullable://localhost/spiffe/ghostunnel@sha256:b2fc20676c92a433b9a91f3f4535faddec0c2c3613849ac12f02c1d5cfcd4c3a"}, - {Type: "k8s", Value: "pod-image:localhost/spiffe/blog:latest"}, - {Type: "k8s", Value: "pod-image:localhost/spiffe/ghostunnel:latest"}, - {Type: "k8s", Value: "pod-init-image-count:0"}, - {Type: "k8s", Value: "pod-label:k8s-app:blog"}, - {Type: "k8s", Value: "pod-label:version:v0"}, - {Type: "k8s", Value: "pod-name:blog-24ck7"}, - {Type: "k8s", Value: "pod-owner-uid:ReplicationController:2c401175-b29f-11e7-9350-020968147796"}, - {Type: "k8s", Value: "pod-owner:ReplicationController:blog"}, - {Type: "k8s", Value: "pod-uid:2c48913c-b29f-11e7-9350-020968147796"}, - {Type: "k8s", Value: "sa:default"}, - {Type: "k8s", Value: "sigstore-validation:passed"}, - } ) func TestPlugin(t *testing.T) { 
@@ -307,32 +262,6 @@ func (s *Suite) TestAttestWhenContainerReadyButContainerSelectorsDisabled() { s.requireAttestSuccess(p, testPodSelectors) } -func (s *Suite) TestAttestAgainstNodeOverride() { - s.startInsecureKubelet() - p := s.loadInsecurePlugin() - s.addCgroupsResponse(cgPidNotInPodFilePath) - - selectors, err := p.Attest(context.Background(), pid) - s.Require().NoError(err) - s.Require().Empty(selectors) -} - -func (s *Suite) TestLogger() { - s.startInsecureKubelet() - - p := s.newPlugin() - plugintest.Load(s.T(), builtin(p), nil) - - newLog := hclog.New(&hclog.LoggerOptions{ - Name: "new_test_logger", - }) - p.SetLogger(newLog) - - s.Require().Same(newLog, p.log) - s.Require().Contains(p.log.Name(), newLog.Name()) - s.Require().Contains(p.log.Name(), "new_test_log") -} - func (s *Suite) TestConfigure() { s.generateCerts("") @@ -884,17 +813,6 @@ func (s *Suite) loadInsecurePluginWithExtra(extraConfig string) workloadattestor `, s.kubeletPort(), extraConfig)) } -func (s *Suite) loadInsecurePluginWithSigstore() workloadattestor.WorkloadAttestor { - return s.loadPlugin(fmt.Sprintf(` - kubelet_read_only_port = %d - max_poll_attempts = 5 - poll_retry_interval = "1s" - experimental { - sigstore {} - } -`, s.kubeletPort())) -} - func (s *Suite) startInsecureKubelet() { s.setServer(httptest.NewServer(http.HandlerFunc(s.serveHTTP))) } @@ -1033,7 +951,8 @@ func (s *Suite) writeKey(path string, key *ecdsa.PrivateKey) { func (s *Suite) requireAttestSuccessWithPod(p workloadattestor.WorkloadAttestor) { s.addPodListResponse(podListFilePath) - s.addCgroupsResponse(cgPidInPodFilePath) + s.addGetContainerResponsePidInPod() + s.requireAttestSuccess(p, testPodAndContainerSelectors) } func (s *Suite) requireAttestSuccess(p workloadattestor.WorkloadAttestor, expectedSelectors []*common.Selector) { diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index b44911d74e..05a7a17987 100644 
--- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -99,12 +99,16 @@ func defaultCheckOptsFunction(rekorURL url.URL) (*cosign.CheckOpts, error) { return nil, errors.New("rekor URL path is empty") } - co := &cosign.CheckOpts{} - - // Set the rekor client - co.RekorClient = rekor.NewHTTPClientWithConfig(nil, rekor.DefaultTransportConfig().WithBasePath(rekorURL.Path).WithHost(rekorURL.Host)) + rootCerts, err := fulcio.GetRoots() + if err != nil { + return nil, fmt.Errorf("failed to get fulcio root certificates: %w", err) + } - co.RootCerts = fulcio.GetRoots() + co := &cosign.CheckOpts{ + // Set the rekor client + RekorClient: rekor.NewHTTPClientWithConfig(nil, rekor.DefaultTransportConfig().WithBasePath(rekorURL.Path).WithHost(rekorURL.Host)), + RootCerts: rootCerts, + } return co, nil } From 382eb842c879f41e0d39ec79db3fbbeae27939e4 Mon Sep 17 00:00:00 2001 From: Marcos Yacob Date: Tue, 4 Oct 2022 14:44:38 -0300 Subject: [PATCH 126/257] Move sigstore out of windows build (#150) Signed-off-by: Marcos Yacob Signed-off-by: Marcos Yacob Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s.go | 98 ++---- .../plugin/workloadattestor/k8s/k8s_posix.go | 62 +++- .../workloadattestor/k8s/k8s_posix_test.go | 286 ++++++++++++++---- .../plugin/workloadattestor/k8s/k8s_test.go | 263 +--------------- .../workloadattestor/k8s/k8s_windows.go | 18 +- .../workloadattestor/k8s/k8s_windows_test.go | 57 +++- .../workloadattestor/k8s/sigstore/sigstore.go | 3 + .../k8s/sigstore/sigstore_test.go | 3 + .../k8s/sigstore/sigstorecache.go | 3 + .../k8s/sigstore/sigstorecache_test.go | 3 + 10 files changed, 398 insertions(+), 398 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s.go b/pkg/agent/plugin/workloadattestor/k8s/k8s.go index 0568e5cf24..2906f4e3d8 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s.go 
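Review bot: In `defaultCheckOptsFunction` (sigstore.go, hunk `@@ -99,12 +99,16 @@`), the Rekor client is built from `rekorURL.Path` and `rekorURL.Host` only, so the URL's scheme is not carried into the transport config in the lines shown. If the scheme is not validated before this point (the top of the function is outside the hunk), the scheme an operator writes in the Rekor URL has no effect on how the transparency log is contacted. Passing it explicitly, e.g. `.WithSchemes([]string{rekorURL.Scheme})`, and rejecting anything other than `https` would make the transport choice visible and checkable. A one-line comment on why the first argument to `NewHTTPClientWithConfig` is `nil` would also help the next reader.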
+++ b/pkg/agent/plugin/workloadattestor/k8s/k8s.go @@ -22,7 +22,6 @@ import ( workloadattestorv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/agent/workloadattestor/v1" configv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/service/common/config/v1" "github.com/spiffe/spire/pkg/agent/common/cgroups" - "github.com/spiffe/spire/pkg/agent/plugin/workloadattestor/k8s/sigstore" "github.com/spiffe/spire/pkg/common/catalog" "github.com/spiffe/spire/pkg/common/pemutil" "github.com/spiffe/spire/pkg/common/telemetry" @@ -162,21 +161,13 @@ type k8sConfig struct { ReloadInterval time.Duration DisableContainerSelectors bool - sigstoreConfig *sigstoreConfig - Client *kubeletClient LastReload time.Time } -// sigstoreConfig holds the sigstore configuration distilled from HCL -type sigstoreConfig struct { - RekorURL string - SkippedImages []string - AllowedSubjectListEnabled bool - AllowedSubjects []string -} - type ContainerHelper interface { + Configure(config *HCLConfig, log hclog.Logger) error + GetOSSelectors(ctx context.Context, log hclog.Logger, containerStatus *corev1.ContainerStatus) ([]string, error) GetPodUIDAndContainerID(pID int32, log hclog.Logger) (types.UID, string, error) } @@ -192,24 +183,18 @@ type Plugin struct { mu sync.RWMutex config *k8sConfig - - sigstore sigstore.Sigstore } func New() *Plugin { return &Plugin{ - fs: cgroups.OSFileSystem{}, - clock: clock.New(), - getenv: os.Getenv, - sigstore: nil, + fs: cgroups.OSFileSystem{}, + clock: clock.New(), + getenv: os.Getenv, } } func (p *Plugin) SetLogger(log hclog.Logger) { p.log = log - if p.sigstore != nil { - p.sigstore.SetLogger(log) - } } func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestRequest) (*workloadattestorv1.AttestResponse, error) { 
@@ -260,24 +245,24 @@ func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestReque // The workload container was found in this pod. Add pod // selectors. Only add workload container selectors if // container selectors have not been disabled. - selectorValues = append(selectorValues, getSelectorValuesFromPodInfo(&item, containerStatus)...) + selectorValues = append(selectorValues, getSelectorValuesFromPodInfo(&item)...) if !config.DisableContainerSelectors { selectorValues = append(selectorValues, getSelectorValuesFromWorkloadContainerStatus(containerStatus)...) - } - if p.config.sigstoreConfig != nil { - log.Debug("Attemping to get signature info for container", telemetry.ContainerName, containerStatus.Name) - sigstoreSelectors, err := p.sigstore.AttestContainerSignatures(ctx, containerStatus) - if err != nil { - log.Error("Error retrieving signature payload", "error", err) - return nil, status.Errorf(codes.Internal, "error retrieving signature payload: %v", err) + + osSelector, err := p.c.GetOSSelectors(ctx, log, containerStatus) + switch { + case err != nil: + return nil, err + case len(osSelector) > 0: + selectorValues = append(selectorValues, osSelector...) } - selectorValues = append(selectorValues, sigstoreSelectors...) } + case podKnown && config.DisableContainerSelectors: // The workload container was not found (i.e. not ready yet?) // but the pod is known. If container selectors have been // disabled, then allow the pod selectors to be used. - selectorValues = append(selectorValues, getSelectorValuesFromPodInfo(&item, containerStatus)...) + selectorValues = append(selectorValues, getSelectorValuesFromPodInfo(&item)...) } if len(selectorValues) > 0 { 
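Review bot: The call to `p.c.GetOSSelectors` now sits inside `if !config.DisableContainerSelectors`, so with container selectors disabled the sigstore signature check never runs and no signature selectors are produced, whereas the removed code ran it whenever sigstore was configured. If that is intended, it deserves a comment at the branch, e.g. `// Signature selectors are container-scoped, so they are skipped together with the other container selectors.`, and a mention in the plugin documentation; otherwise the call should move out of the `if`. Separately, `p.c` is read directly here while Configure replaces it through `p.setContainerHelper`; if that setter takes `p.mu` (not visible in this hunk), this read should go through the matching getter or reuse the helper already obtained earlier in Attest. Attest's body starts and ends outside the hunk.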
@@ -355,8 +340,8 @@ func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) return nil, status.Error(codes.InvalidArgument, "cannot use both the read-only and secure port") } - containerHelper, err := createHelper(p) - if err != nil { + containerHelper := createHelper(p) + if err := containerHelper.Configure(config, p.log); err != nil { return nil, err } 
@@ -388,63 +373,19 @@ func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) KubeletCAPath: config.KubeletCAPath, NodeName: nodeName, ReloadInterval: reloadInterval, - } - - // set experimental flags - if config.Experimental != nil && config.Experimental.Sigstore != nil { - c.sigstoreConfig = &sigstoreConfig{ - RekorURL: config.Experimental.Sigstore.RekorURL, - SkippedImages: config.Experimental.Sigstore.SkippedImages, - AllowedSubjectListEnabled: config.Experimental.Sigstore.AllowedSubjectListEnabled, - AllowedSubjects: config.Experimental.Sigstore.AllowedSubjects, - } + DisableContainerSelectors: config.DisableContainerSelectors, } if err := p.reloadKubeletClient(c); err != nil { return nil, err } - if c.sigstoreConfig != nil { - if p.sigstore == nil { - newcache := sigstore.NewCache(maximumAmountCache) - p.sigstore = sigstore.New(newcache, nil) - p.sigstore.SetLogger(p.log) - } - if err := p.configureSigstore(c, p.sigstore); err != nil { - return nil, err - } - } - // Set the config p.setConfig(c) p.setContainerHelper(containerHelper) return &configv1.ConfigureResponse{}, nil } -func (p *Plugin) configureSigstore(config *k8sConfig, sigstore sigstore.Sigstore) error { - p.mu.Lock() - defer p.mu.Unlock() - - // Configure sigstore settings - sigstore.ClearSkipList() - imageIDList := []string{} - if config.sigstoreConfig.SkippedImages != nil { - imageIDList = append(imageIDList, config.sigstoreConfig.SkippedImages...) 
- } - sigstore.AddSkippedImage(imageIDList) - sigstore.EnableAllowSubjectList(config.sigstoreConfig.AllowedSubjectListEnabled) - sigstore.ClearAllowedSubjects() - if config.sigstoreConfig.AllowedSubjects != nil { - for _, subject := range config.sigstoreConfig.AllowedSubjects { - sigstore.AddAllowedSubject(subject) - } - } - if err := p.sigstore.SetRekorURL(config.sigstoreConfig.RekorURL); err != nil { - return status.Errorf(codes.InvalidArgument, "failed to parse Rekor URL: %v", err) - } - return nil -} - func (p *Plugin) setConfig(config *k8sConfig) { p.mu.Lock() defer p.mu.Unlock() @@ -740,14 +681,13 @@ func getPodImageIdentifiers(containerStatuses ...corev1.ContainerStatus) map[str return podImages } -func getSelectorValuesFromPodInfo(pod *corev1.Pod, status *corev1.ContainerStatus) []string { +func getSelectorValuesFromPodInfo(pod *corev1.Pod) []string { selectorValues := []string{ fmt.Sprintf("sa:%s", pod.Spec.ServiceAccountName), fmt.Sprintf("ns:%s", pod.Namespace), fmt.Sprintf("node-name:%s", pod.Spec.NodeName), fmt.Sprintf("pod-uid:%s", pod.UID), fmt.Sprintf("pod-name:%s", pod.Name), - fmt.Sprintf("container-name:%s", status.Name), fmt.Sprintf("pod-image-count:%s", strconv.Itoa(len(pod.Status.ContainerStatuses))), fmt.Sprintf("pod-init-image-count:%s", strconv.Itoa(len(pod.Status.InitContainerStatuses))), } diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index a81555e8ba..fbae9819e1 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go @@ -4,6 +4,7 @@ package k8s import ( + "context" "log" "regexp" "strings" 
@@ -11,8 +12,11 @@ import ( "github.com/hashicorp/go-hclog" "github.com/spiffe/spire/pkg/agent/common/cgroups" + "github.com/spiffe/spire/pkg/agent/plugin/workloadattestor/k8s/sigstore" + "github.com/spiffe/spire/pkg/common/telemetry" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" + corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" ) @@ -24,14 +28,46 @@ func (p *Plugin) defaultTokenPath() string { return defaultTokenPath } -func createHelper(c *Plugin) (ContainerHelper, error) { +func createHelper(c *Plugin) ContainerHelper { return &containerHelper{ fs: c.fs, - }, nil + } } type containerHelper struct { - fs cgroups.FileSystem + fs cgroups.FileSystem + sigstoreClient sigstore.Sigstore +} + +func (h *containerHelper) Configure(config *HCLConfig, log hclog.Logger) error { + // set experimental flags + if config.Experimental != nil && config.Experimental.Sigstore != nil { + if h.sigstoreClient == nil { + newcache := sigstore.NewCache(maximumAmountCache) + h.sigstoreClient = sigstore.New(newcache, nil) + } + + if err := configureSigstoreClient(h.sigstoreClient, config.Experimental.Sigstore, log); err != nil { + return err + } + } + + return nil +} + +func (h *containerHelper) GetOSSelectors(ctx context.Context, log hclog.Logger, containerStatus *corev1.ContainerStatus) ([]string, error) { + var selectors []string + if h.sigstoreClient != nil { + log.Debug("Attemping to get signature info for container", telemetry.ContainerName, containerStatus.Name) + sigstoreSelectors, err := h.sigstoreClient.AttestContainerSignatures(ctx, containerStatus) + if err != nil { + log.Error("Error retrieving signature payload", "error", err) + return nil, status.Errorf(codes.Internal, "error retrieving signature payload: %v", err) + } + selectors = append(selectors, sigstoreSelectors...) + } + + return selectors, nil } func (h *containerHelper) GetPodUIDAndContainerID(pID int32, _ hclog.Logger) (types.UID, string, error) { 
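Review bot: The new `Configure` and `GetOSSelectors` methods on `containerHelper` (hunk `@@ -24,14 +28,46 @@`) have no doc comments, and the name `GetOSSelectors` does not tell a reader that on POSIX it returns image-signature selectors that feed workload identity decisions. Suggested comments: `// Configure sets up the sigstore client when experimental.sigstore is present in the plugin configuration.` and `// GetOSSelectors returns the selectors derived from the container's image signatures, or none when sigstore is not configured.` The moved debug message still reads `Attemping`; `Attempting` is meant. `GetOSSelectors` also logs the failure at error level and then returns it, so the same error is likely to be reported again by the caller; logging it at one layer only would keep the attestation logs easier to read.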
@@ -175,3 +211,23 @@ func canonicalizePodUID(uid string) types.UID { return r }, uid)) } + +func configureSigstoreClient(client sigstore.Sigstore, c *SigstoreHCLConfig, log hclog.Logger) error { + // Configure sigstore settings + client.ClearSkipList() + if c.SkippedImages != nil { + client.AddSkippedImage(c.SkippedImages) + } + client.EnableAllowSubjectList(c.AllowedSubjectListEnabled) + client.SetLogger(log) + client.ClearAllowedSubjects() + if c.AllowedSubjects != nil { + for _, subject := range c.AllowedSubjects { + client.AddAllowedSubject(subject) + } + } + if err := client.SetRekorURL(c.RekorURL); err != nil { + return status.Errorf(codes.InvalidArgument, "failed to parse Rekor URL: %v", err) + } + return nil +} diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go index dd4f32303d..b622b8c9b6 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go @@ -6,7 +6,6 @@ package k8s import ( "bytes" "context" - "crypto/x509" "errors" "fmt" "os" @@ -22,7 +21,9 @@ import ( "github.com/spiffe/spire/test/plugintest" "github.com/spiffe/spire/test/spiretest" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" + corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" ) 
@@ -204,56 +205,128 @@ func (s *Suite) TestAttestAgainstNodeOverride() { s.Require().Empty(selectors) } -func (s signature) Payload() ([]byte, error) { - return s.payload, nil -} +func (s *Suite) TestFailedToCreateHelperFormConfigure() { + t := s.T() + p := s.newPlugin() -func (signature) Base64Signature() (string, error) { - return "", nil + var err error + plugintest.Load(t, builtin(p), nil, + plugintest.Configure(` + experimental = { + sigstore = { + rekor_url = "inva{{{lid}" + } + } + `), + plugintest.CaptureConfigureError(&err)) + spiretest.RequireGRPCStatus(t, err, codes.InvalidArgument, "failed to parse Rekor URL: host is required on rekor URL") } -func (s signature) Cert() (*x509.Certificate, error) { - return s.cert, nil +func (s *Suite) TestHelperConfigure() { + for _, tt := range []struct { + name string + config *HCLConfig + errCode codes.Code + errMsg string + clientErr error + + expectSkippedImages map[string]struct{} + expectRekoURL string + expectSubjectsEnabled bool + expectSubjects map[string]struct{} + }{ + { + name: "sigstore is configured", + config: &HCLConfig{ + Experimental: &ExperimentalK8SConfig{ + Sigstore: &SigstoreHCLConfig{ + RekorURL: "https://rekor.example.com", + SkippedImages: []string{"sha:image1hash", "sha:image2hash"}, + AllowedSubjectListEnabled: true, + AllowedSubjects: []string{"spirex@example.com", "spirex1@example.com"}, + }, + }, + }, + expectRekoURL: "https://rekor.example.com", + expectSkippedImages: map[string]struct{}{ + "sha:image1hash": {}, + "sha:image2hash": {}, + }, + expectSubjectsEnabled: true, + expectSubjects: map[string]struct{}{ + "spirex@example.com": {}, + "spirex1@example.com": {}, + }, + }, + { + name: "only reko url", + config: &HCLConfig{ + Experimental: &ExperimentalK8SConfig{ + Sigstore: &SigstoreHCLConfig{ + RekorURL: "https://rekor.example.com", + }, + }, + }, + expectRekoURL: "https://rekor.example.com", + }, + { + name: "failed to set url", + config: &HCLConfig{ + Experimental: 
&ExperimentalK8SConfig{ + Sigstore: &SigstoreHCLConfig{ + RekorURL: "invalid url", + }, + }, + }, + clientErr: errors.New("oh no"), + errCode: codes.InvalidArgument, + errMsg: "failed to parse Rekor URL: oh no", + }, + } { + s.T().Run(tt.name, func(t *testing.T) { + fakeClient := &sigstoreMock{ + returnError: tt.clientErr, + } + h := &containerHelper{ + sigstoreClient: fakeClient, + } + + err := h.Configure(tt.config, hclog.NewNullLogger()) + + if tt.errMsg != "" { + spiretest.RequireGRPCStatus(t, err, tt.errCode, tt.errMsg) + return + } + + require.NoError(t, err) + require.NotNil(t, h.sigstoreClient) + + require.Equal(t, tt.expectSkippedImages, fakeClient.skippedImages) + require.Equal(t, tt.expectRekoURL, fakeClient.rekorURL) + require.Equal(t, tt.expectSubjectsEnabled, fakeClient.allowedSubjectListEnabled) + require.Equal(t, tt.expectSubjects, fakeClient.allowedSubjects) + }) + } } func (s *Suite) TestAttestWithSigstoreSignatures() { s.startInsecureKubelet() - s.setSigstoreSelectors([]sigstore.SelectorsFromSignatures{ + s.oc.fakeClient.selectors = []sigstore.SelectorsFromSignatures{ { Subject: "sigstore-subject", }, - }) - p := s.loadInsecurePluginWithSigstore() - s.requireAttestSuccessWithPodAndSignature(p) -} - -func (s *Suite) setSigstoreSkipSigs(skip bool) { - s.sigstoreSkipSigs = skip -} - -func (s *Suite) setSigstoreSkippedSigSelectors(selectors []string) { - s.sigstoreSkippedSigSelectors = selectors -} - -func (s *Suite) setSigstoreSelectors(selectors []sigstore.SelectorsFromSignatures) { - s.sigstoreSelectors = selectors - s.sigstoreSigs = nil - if s.sigstoreSelectors != nil { - s.sigstoreSigs = []oci.Signature{ - signature{ - payload: []byte("payload"), - cert: &x509.Certificate{}, - }, - } } + p := s.loadInsecurePlugin() + s.requireAttestSuccessWithPodAndSignature(p) } func (s *Suite) TestAttestWithSigstoreSkippedImage() { s.startInsecureKubelet() // Skip the image - s.setSigstoreSkipSigs(true) - 
s.setSigstoreSkippedSigSelectors([]string{"sigstore-validation:passed"}) - p := s.loadInsecurePluginWithSigstore() + s.oc.fakeClient.rekorURL = "reo" + s.oc.fakeClient.skipSigs = true + s.oc.fakeClient.skippedSigSelectors = []string{"sigstore-validation:passed"} + p := s.loadInsecurePlugin() s.requireAttestSuccessWithPodAndSkippedImage(p) } @@ -268,12 +341,13 @@ func (s *Suite) TestAttestWithFailedSigstoreSignatures() { kubelet_read_only_port = %d max_poll_attempts = 5 poll_retry_interval = "1s" - experimental { - sigstore {} - } `, s.kubeletPort())), ) + if cHelper := s.oc.getContainerHelper(p); cHelper != nil { + p.setContainerHelper(cHelper) + } + buf := bytes.Buffer{} newLog := hclog.New(&hclog.LoggerOptions{ Output: &buf, @@ -281,7 +355,7 @@ func (s *Suite) TestAttestWithFailedSigstoreSignatures() { p.SetLogger(newLog) - s.sigstoreMock.returnError = errors.New("sigstore error 123") + s.oc.fakeClient.returnError = errors.New("sigstore error 123") s.requireAttestFailureWithPod(v1, codes.Internal, fmt.Sprintf("error retrieving signature payload: %v", "sigstore error 123")) s.Require().Contains(buf.String(), "Error retrieving signature payload") @@ -573,14 +647,6 @@ func TestGetPodUIDAndContainerIDFromCGroupPath(t *testing.T) { } } -func (o *osConfig) getContainerHelper() ContainerHelper { - return nil -} - -func createOSConfig() *osConfig { - return &osConfig{} -} - func (s *Suite) requireAttestSuccessWithPodAndSignature(p workloadattestor.WorkloadAttestor) { s.addPodListResponse(podListFilePath) s.addCgroupsResponse(cgPidInPodFilePath) 
@@ -593,23 +659,123 @@ func (s *Suite) requireAttestSuccessWithPodAndSkippedImage(p workloadattestor.Wo s.requireAttestSuccess(p, testSigstoreSkippedSelectors) } -func (s *Suite) loadInsecurePluginWithSigstore() workloadattestor.WorkloadAttestor { - return s.loadPlugin(fmt.Sprintf(` - kubelet_read_only_port = %d - max_poll_attempts = 5 - poll_retry_interval = "1s" - experimental { - sigstore {} +type osConfig struct { + fakeClient *sigstoreMock +} + +func (o *osConfig) getContainerHelper(p *Plugin) ContainerHelper { + return &containerHelper{ + fs: p.fs, + sigstoreClient: o.fakeClient, + } +} + +func createOSConfig() *osConfig { + return &osConfig{ + fakeClient: &sigstoreMock{}, + } +} + +type sigstoreMock struct { + selectors []sigstore.SelectorsFromSignatures + + sigs []oci.Signature + skipSigs bool + skippedSigSelectors []string + returnError error + skippedImages map[string]struct{} + allowedSubjects map[string]struct{} + allowedSubjectListEnabled bool + log hclog.Logger + + rekorURL string +} + +// SetLogger implements sigstore.Sigstore +func (s *sigstoreMock) SetLogger(logger hclog.Logger) { + s.log = logger +} + +func (s *sigstoreMock) FetchImageSignatures(ctx context.Context, imageName string) ([]oci.Signature, error) { + if s.returnError != nil { + return nil, s.returnError + } + return s.sigs, nil +} + +func (s *sigstoreMock) SelectorValuesFromSignature(signatures oci.Signature, containerID string) (*sigstore.SelectorsFromSignatures, error) { + if len(s.selectors) != 0 { + return &s.selectors[0], nil + } + return nil, s.returnError +} + +func (s *sigstoreMock) ExtractSelectorsFromSignatures(signatures []oci.Signature, containerID string) []sigstore.SelectorsFromSignatures { + return s.selectors +} + +func (s *sigstoreMock) ShouldSkipImage(imageID string) (bool, error) { + return s.skipSigs, s.returnError +} + +func (s *sigstoreMock) ClearSkipList() { + s.skippedImages = nil +} + +func (s *sigstoreMock) ClearAllowedSubjects() { + s.allowedSubjects = nil +} 
+ +func (s *sigstoreMock) EnableAllowSubjectList(flag bool) { + s.allowedSubjectListEnabled = flag +} + +func (s *sigstoreMock) AttestContainerSignatures(ctx context.Context, status *corev1.ContainerStatus) ([]string, error) { + if s.skipSigs { + return s.skippedSigSelectors, nil + } + if s.returnError != nil { + return nil, s.returnError + } + var selectorsString []string + for _, selector := range s.selectors { + if selector.Subject != "" { + selectorsString = append(selectorsString, fmt.Sprintf("%s:image-signature-subject:%s", status.ContainerID, selector.Subject)) + } + if selector.Content != "" { + selectorsString = append(selectorsString, fmt.Sprintf("%s:image-signature-content:%s", status.ContainerID, selector.Content)) + } + if selector.LogID != "" { + selectorsString = append(selectorsString, fmt.Sprintf("%s:image-signature-logid:%s", status.ContainerID, selector.LogID)) } -`, s.kubeletPort())) + if selector.IntegratedTime != "" { + selectorsString = append(selectorsString, fmt.Sprintf("%s:image-signature-integrated-time:%s", status.ContainerID, selector.IntegratedTime)) + } + selectorsString = append(selectorsString, "sigstore-validation:passed") + } + return selectorsString, nil } -type signature struct { - oci.Signature +func (s *sigstoreMock) SetRekorURL(url string) error { + if s.returnError != nil { + return s.returnError + } + s.rekorURL = url + return s.returnError +} - payload []byte - cert *x509.Certificate +func (s *sigstoreMock) AddAllowedSubject(subject string) { + if s.allowedSubjects == nil { + s.allowedSubjects = make(map[string]struct{}) + } + s.allowedSubjects[subject] = struct{}{} } -type osConfig struct { +func (s *sigstoreMock) AddSkippedImage(images []string) { + if s.skippedImages == nil { + s.skippedImages = make(map[string]struct{}) + } + for _, imageID := range images { + s.skippedImages[imageID] = struct{}{} + } } 
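Review bot: In the new `sigstoreMock`, `SetRekorURL` ends with `return s.returnError` although it has already returned when that field is non-nil, so the final statement can only yield nil; `return nil` says so directly. In the same mock, `SelectorValuesFromSignature` falls through to `return nil, s.returnError`, which yields a nil selector together with a nil error when neither selectors nor an error are set. If any caller dereferences that result (none is visible in this hunk), the test would panic instead of failing cleanly, so an explicit error or a comment on that branch would help.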
diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index fd89c6744d..2805427996 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -7,7 +7,6 @@ import ( "crypto/tls" "crypto/x509" "crypto/x509/pkix" - "errors" "fmt" "io" "math/big" @@ -19,10 +18,7 @@ import ( "testing" "time" - "github.com/hashicorp/go-hclog" - "github.com/sigstore/cosign/pkg/oci" "github.com/spiffe/spire/pkg/agent/plugin/workloadattestor" - "github.com/spiffe/spire/pkg/agent/plugin/workloadattestor/k8s/sigstore" "github.com/spiffe/spire/pkg/common/pemutil" "github.com/spiffe/spire/pkg/common/util" "github.com/spiffe/spire/proto/spire/common" @@ -32,7 +28,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" - corev1 "k8s.io/api/core/v1" ) const ( @@ -99,11 +94,6 @@ func (s *Suite) SetupTest() { s.podList = nil s.env = map[string]string{} - s.sigstoreSelectors = nil - s.sigstoreSigs = nil - s.sigstoreReturnError = nil - s.sigstoreSkipSigs = false - s.sigstoreSkippedSigSelectors = nil s.oc = createOSConfig() } @@ -289,14 +279,12 @@ func (s *Suite) TestConfigure() { } testCases := []struct { - name string - raw string - hcl string - config *config - errCode codes.Code - errMsg string - sigstoreError error - sigstoreEnabled bool + name string + raw string + hcl string + config *config + errCode codes.Code + errMsg string }{ { name: "insecure defaults", 
@@ -502,92 +490,12 @@ func (s *Suite) TestConfigure() { errCode: codes.InvalidArgument, errMsg: "unable to load private key", }, - { - name: "secure defaults with skipped images for sigstore", - hcl: ` - experimental = { - sigstore = { - skip_signature_verification_image_list = ["sha:image1hash","sha:image2hash"] - } - } - `, - config: &config{ - VerifyKubelet: true, - Token: "default-token", - KubeletURL: "https://127.0.0.1:10250", - MaxPollAttempts: defaultMaxPollAttempts, - PollRetryInterval: defaultPollRetryInterval, - ReloadInterval: defaultReloadInterval, - SkippedImages: []string{ - "sha:image1hash", - "sha:image2hash", - }, - }, - sigstoreEnabled: true, - }, - { - name: "secure defaults with allowed subjects for sigstore", - hcl: ` - experimental = { - sigstore { - enable_allowed_subjects_list = true, - allowed_subjects_list = ["spirex@example.com","spirex1@example.com"] - } - } - `, - config: &config{ - VerifyKubelet: true, - Token: "default-token", - KubeletURL: "https://127.0.0.1:10250", - MaxPollAttempts: defaultMaxPollAttempts, - PollRetryInterval: defaultPollRetryInterval, - ReloadInterval: defaultReloadInterval, - AllowedSubjectListEnabled: true, - AllowedSubjects: []string{"spirex@example.com", "spirex1@example.com"}, - }, - sigstoreEnabled: true, - }, - { - name: "secure defaults with rekor URL", - hcl: ` - experimental = { - sigstore = { - rekor_url = "https://rekor.example.com" - } - } - `, - config: &config{ - VerifyKubelet: true, - Token: "default-token", - KubeletURL: "https://127.0.0.1:10250", - MaxPollAttempts: defaultMaxPollAttempts, - PollRetryInterval: defaultPollRetryInterval, - ReloadInterval: defaultReloadInterval, - RekorURL: "https://rekor.example.com", - }, - sigstoreEnabled: true, - }, - { - name: "secure defaults, failed parsing rekor URI", - hcl: ` - experimental = { - sigstore = { - rekor_url = "inva{{{lid}" - } - } - `, - sigstoreError: errors.New("failed parsing rekor URI"), - config: nil, - errCode: codes.InvalidArgument, - 
errMsg: "failed to parse Rekor URL: failed parsing rekor URI", - }, } for _, testCase := range testCases { testCase := testCase // alias loop variable as it is used in the closure s.T().Run(testCase.name, func(t *testing.T) { p := s.newPlugin() - s.sigstoreMock.returnError = testCase.sigstoreError var err error plugintest.Load(s.T(), builtin(p), nil, 
@@ -627,111 +535,10 @@ func (s *Suite) TestConfigure() { assert.Equal(t, testCase.config.MaxPollAttempts, c.MaxPollAttempts) assert.Equal(t, testCase.config.PollRetryInterval, c.PollRetryInterval) assert.Equal(t, testCase.config.ReloadInterval, c.ReloadInterval) - - if testCase.sigstoreEnabled { - assert.NotNil(t, c.sigstoreConfig) - - assert.Equal(t, testCase.config.SkippedImages, c.sigstoreConfig.SkippedImages) - skippedImagesMap := make(map[string]bool) - for _, sImage := range testCase.config.SkippedImages { - skippedImagesMap[sImage] = true - } - assert.Equal(t, skippedImagesMap, s.sigstoreMock.skippedImages) - - assert.Equal(t, testCase.config.AllowedSubjectListEnabled, c.sigstoreConfig.AllowedSubjectListEnabled) - assert.Equal(t, testCase.config.AllowedSubjectListEnabled, s.sigstoreMock.allowedSubjectListEnabled) - - assert.Equal(t, testCase.config.AllowedSubjects, c.sigstoreConfig.AllowedSubjects) - var allowedSubjectsMap map[string]bool - if len(testCase.config.AllowedSubjects) > 0 { - allowedSubjectsMap = make(map[string]bool) - for _, subject := range testCase.config.AllowedSubjects { - allowedSubjectsMap[subject] = true - } - } - assert.Equal(t, allowedSubjectsMap, s.sigstoreMock.allowedSubjects) - - assert.Equal(t, testCase.config.RekorURL, c.sigstoreConfig.RekorURL) - } else { - assert.Nil(t, c.sigstoreConfig) - } }) } } -// SetLogger implements sigstore.Sigstore -func (s *sigstoreMock) SetLogger(logger hclog.Logger) { - s.log = logger -} - -func (s *sigstoreMock) FetchImageSignatures(ctx context.Context, imageName string) ([]oci.Signature, error) { - if s.returnError != nil { - return nil, s.returnError - } - return s.sigs, nil -} - -func (s *sigstoreMock) SelectorValuesFromSignature(signatures oci.Signature, containerID string) (*sigstore.SelectorsFromSignatures, error) { - if len(s.selectors) != 0 { - return &s.selectors[0], nil - } - return nil, s.returnError -} - -func (s *sigstoreMock) ExtractSelectorsFromSignatures(signatures []oci.Signature, 
containerID string) []sigstore.SelectorsFromSignatures { - return s.selectors -} - -func (s *sigstoreMock) ShouldSkipImage(imageID string) (bool, error) { - return s.skipSigs, s.returnError -} - -func (s *sigstoreMock) ClearSkipList() { - s.skippedImages = nil -} - -func (s *sigstoreMock) ClearAllowedSubjects() { - s.allowedSubjects = nil -} - -func (s *sigstoreMock) EnableAllowSubjectList(flag bool) { - s.allowedSubjectListEnabled = flag -} - -func (s *sigstoreMock) AttestContainerSignatures(ctx context.Context, status *corev1.ContainerStatus) ([]string, error) { - if s.skipSigs { - return s.skippedSigSelectors, nil - } - if s.returnError != nil { - return nil, s.returnError - } - var selectorsString []string - for _, selector := range s.selectors { - if selector.Subject != "" { - selectorsString = append(selectorsString, fmt.Sprintf("%s:image-signature-subject:%s", status.ContainerID, selector.Subject)) - } - if selector.Content != "" { - selectorsString = append(selectorsString, fmt.Sprintf("%s:image-signature-content:%s", status.ContainerID, selector.Content)) - } - if selector.LogID != "" { - selectorsString = append(selectorsString, fmt.Sprintf("%s:image-signature-logid:%s", status.ContainerID, selector.LogID)) - } - if selector.IntegratedTime != "" { - selectorsString = append(selectorsString, fmt.Sprintf("%s:image-signature-integrated-time:%s", status.ContainerID, selector.IntegratedTime)) - } - selectorsString = append(selectorsString, "sigstore-validation:passed") - } - return selectorsString, nil -} - -func (s *sigstoreMock) SetRekorURL(url string) error { - if s.returnError != nil { - return s.returnError - } - s.rekorURL = url - return s.returnError -} - func (s *Suite) newPlugin() *Plugin { p := New() p.fs = testFS(s.dir) 
@@ -740,15 +547,6 @@ func (s *Suite) newPlugin() *Plugin { return s.env[key] } - s.sigstoreMock = &sigstoreMock{ - selectors: s.sigstoreSelectors, - sigs: s.sigstoreSigs, - skipSigs: s.sigstoreSkipSigs, - skippedSigSelectors: s.sigstoreSkippedSigSelectors, - returnError: s.sigstoreReturnError, - } - - p.sigstore = s.sigstoreMock return p } @@ -790,7 +588,7 @@ func (s *Suite) loadPlugin(configuration string) workloadattestor.WorkloadAttest plugintest.Configure(configuration), ) - if cHelper := s.oc.getContainerHelper(); cHelper != nil { + if cHelper := s.oc.getContainerHelper(p); cHelper != nil { p.setContainerHelper(cHelper) } return v1 @@ -995,26 +793,6 @@ func (s *Suite) addPodListResponse(fixturePath string) { s.podList = append(s.podList, podList) } -func (fs testFS) Open(path string) (io.ReadCloser, error) { - return os.Open(filepath.Join(string(fs), path)) -} - -func (s *sigstoreMock) AddAllowedSubject(subject string) { - if s.allowedSubjects == nil { - s.allowedSubjects = make(map[string]bool) - } - s.allowedSubjects[subject] = true -} - -func (s *sigstoreMock) AddSkippedImage(images []string) { - if s.skippedImages == nil { - s.skippedImages = make(map[string]bool) - } - for _, imageID := range images { - s.skippedImages[imageID] = true - } -} - type Suite struct { spiretest.Suite @@ -1029,28 +807,7 @@ type Suite struct { kubeletCert *x509.Certificate clientCert *x509.Certificate - oc *osConfig - sigstoreSelectors []sigstore.SelectorsFromSignatures - sigstoreSigs []oci.Signature - sigstoreSkipSigs bool - sigstoreSkippedSigSelectors []string - sigstoreReturnError error - sigstoreMock *sigstoreMock -} - -type sigstoreMock struct { - selectors []sigstore.SelectorsFromSignatures - - sigs []oci.Signature - skipSigs bool - skippedSigSelectors []string - returnError error - skippedImages map[string]bool - allowedSubjects map[string]bool - allowedSubjectListEnabled bool - log hclog.Logger - - rekorURL string + oc *osConfig } type attestResult struct { 
@@ -1059,3 +816,7 @@ type attestResult struct { } type testFS string + +func (fs testFS) Open(path string) (io.ReadCloser, error) { + return os.Open(filepath.Join(string(fs), path)) +} diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_windows.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_windows.go index e18be5f5f6..c3d83a5d39 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_windows.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_windows.go @@ -4,12 +4,14 @@ package k8s import ( + "context" "path/filepath" "github.com/hashicorp/go-hclog" "github.com/spiffe/spire/pkg/common/container/process" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" + corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" ) @@ -17,16 +19,28 @@ const ( containerMountPointEnvVar = "CONTAINER_SANDBOX_MOUNT_POINT" ) -func createHelper(c *Plugin) (ContainerHelper, error) { +func createHelper(p *Plugin) ContainerHelper { return &containerHelper{ ph: process.CreateHelper(), - }, nil + } } type containerHelper struct { ph process.Helper } +func (h *containerHelper) Configure(config *HCLConfig, log hclog.Logger) error { + if config.Experimental != nil && config.Experimental.Sigstore != nil { + return status.Error(codes.InvalidArgument, "sigstore configuration is not supported on windows environment") + } + return nil +} + +func (h *containerHelper) GetOSSelectors(ctx context.Context, log hclog.Logger, containerStatus *corev1.ContainerStatus) ([]string, error) { + // No additional selectors on windows + return nil, nil +} + func (h *containerHelper) GetPodUIDAndContainerID(pID int32, log hclog.Logger) (types.UID, string, error) { containerID, err := h.ph.GetContainerIDByProcess(pID, log) if err != nil { diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_windows_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_windows_test.go index a0532e7583..8b5d99ddf6 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_windows_test.go 
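Review bot: `containerHelper.Configure` and `GetOSSelectors` in k8s_windows.go are added without doc comments, and the reason `Configure` rejects a sigstore block instead of ignoring it is worth recording. Suggested: `// Configure rejects any experimental sigstore block: the sigstore package is excluded from Windows builds, and failing at startup keeps an operator from assuming image signatures are being verified.` and `// GetOSSelectors returns no selectors on Windows.` `createHelper(p *Plugin)` does not use its argument in this file; `_ *Plugin` would match `getContainerHelper(_ *Plugin)` in the Windows test. The body of `GetPodUIDAndContainerID` continues outside the hunk.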
+++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_windows_test.go @@ -4,14 +4,17 @@ package k8s import ( + "context" "errors" "testing" "github.com/hashicorp/go-hclog" + "github.com/spiffe/spire/test/plugintest" "github.com/spiffe/spire/test/spiretest" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" + corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" ) @@ -19,7 +22,7 @@ type osConfig struct { cHelper *fakeContainerHelper } -func (o *osConfig) getContainerHelper() ContainerHelper { +func (o *osConfig) getContainerHelper(_ *Plugin) ContainerHelper { return o.cHelper } @@ -30,8 +33,21 @@ func createOSConfig() *osConfig { } type fakeContainerHelper struct { - cIDs map[int32]string - err error + cIDs map[int32]string + err error + osSelectors []string + osError error +} + +func (h *fakeContainerHelper) Configure(config *HCLConfig, log hclog.Logger) error { + return h.err +} + +func (h *fakeContainerHelper) GetOSSelectors(ctx context.Context, log hclog.Logger, containerStatus *corev1.ContainerStatus) ([]string, error) { + if h.osError != nil { + return nil, h.osError + } + return h.osSelectors, nil } func (h *fakeContainerHelper) GetPodUIDAndContainerID(pID int32, _ hclog.Logger) (types.UID, string, error) { @@ -53,6 +69,23 @@ func (s *Suite) addGetContainerResponsePidInPod() { } } +func (s *Suite) TestFailedToStartWhenUsingSigstore() { + t := s.T() + p := s.newPlugin() + + var err error + plugintest.Load(t, builtin(p), nil, + plugintest.Configure(` + experimental = { + sigstore = { + rekor_url = "https://rekor.org" + } + } + `), + plugintest.CaptureConfigureError(&err)) + spiretest.RequireGRPCStatus(t, err, codes.InvalidArgument, "sigstore configuration is not supported on windows environment") +} + func TestContainerHelper(t *testing.T) { fakeHelper := &fakeProcessHelper{} cHelper := &containerHelper{ 
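Review bot: `fakeContainerHelper.Configure` returns `h.err`, a field the fake already had before this change, while `GetOSSelectors` gets its own `osError`. If `err` is also what `GetPodUIDAndContainerID` returns (its body is outside the hunk), a test that injects a lookup failure will now fail at configure time first and never reach the attest path it meant to exercise. A dedicated field keeps the two failure points independent: add `configureErr error` to the struct and `return h.configureErr` in `Configure`.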
@@ -76,6 +109,24 @@ func TestContainerHelper(t *testing.T) { assert.Empty(t, podID) assert.Equal(t, "", containerID) }) + + t.Run("configure fails when sigstore is enabled", func(t *testing.T) { + config := &HCLConfig{ + Experimental: &ExperimentalK8SConfig{ + Sigstore: &SigstoreHCLConfig{RekorURL: "https://test.org"}, + }, + } + err := cHelper.Configure(config, hclog.NewNullLogger()) + spiretest.RequireGRPCStatus(t, err, codes.InvalidArgument, "sigstore configuration is not supported on windows environment") + }) + + t.Run("get os selectors returns empty list", func(t *testing.T) { + selectors, err := cHelper.GetOSSelectors(context.Background(), hclog.NewNullLogger(), &corev1.ContainerStatus{ + ContainerID: "cID", + }) + assert.NoError(t, err) + assert.Empty(t, selectors) + }) } type fakeProcessHelper struct { diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 05a7a17987..d19d96ad1d 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -1,3 +1,6 @@ +//go:build !windows +// +build !windows + package sigstore import ( diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 0410dd2f3d..c2469249de 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -1,3 +1,6 @@ +//go:build !windows +// +build !windows + package sigstore import ( diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache.go index 566c735f88..4d556a679d 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache.go 
@@ -1,3 +1,6 @@ +//go:build !windows +// +build !windows + package sigstore import ( diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go index 18c3f2ff1d..d2c0654715 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go @@ -1,3 +1,6 @@ +//go:build !windows +// +build !windows + package sigstore import ( From ddd0d6dd2ef1eec66720357fd18379a0db395c31 Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Mon, 10 Oct 2022 11:10:10 -0300 Subject: [PATCH 127/257] Update pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go Co-authored-by: Marcos Yacob Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go index b622b8c9b6..81486dfb69 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go @@ -205,7 +205,7 @@ func (s *Suite) TestAttestAgainstNodeOverride() { s.Require().Empty(selectors) } -func (s *Suite) TestFailedToCreateHelperFormConfigure() { +func (s *Suite) TestFailedToCreateHelperFromConfigure() { t := s.T() p := s.newPlugin() From abef8bd4593fd0d322b762e615bcc1cd8604a844 Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Mon, 10 Oct 2022 11:10:59 -0300 Subject: [PATCH 128/257] Update pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go Co-authored-by: Marcos Yacob Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go index 81486dfb69..ddb983ea25 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go @@ -357,7 +357,7 @@ func (s *Suite) TestAttestWithFailedSigstoreSignatures() { s.oc.fakeClient.returnError = errors.New("sigstore error 123") - s.requireAttestFailureWithPod(v1, codes.Internal, fmt.Sprintf("error retrieving signature payload: %v", "sigstore error 123")) + s.requireAttestFailureWithPod(v1, codes.Internal, "error retrieving signature payload: sigstore error 123") s.Require().Contains(buf.String(), "Error retrieving signature payload") s.Require().Contains(buf.String(), fmt.Sprintf("error=%q", "sigstore error 123")) } From 27cfc532cf4635973d49664792c361c04eb69633 Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Mon, 10 Oct 2022 11:11:26 -0300 Subject: [PATCH 129/257] Update pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go Co-authored-by: Marcos Yacob Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go index ddb983ea25..d75fb2c246 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go @@ -359,7 +359,7 @@ func (s *Suite) TestAttestWithFailedSigstoreSignatures() { s.requireAttestFailureWithPod(v1, codes.Internal, "error retrieving signature payload: sigstore error 123") s.Require().Contains(buf.String(), "Error retrieving signature payload") - s.Require().Contains(buf.String(), fmt.Sprintf("error=%q", "sigstore error 123")) + s.Require().Contains(buf.String(), "error=\"sigstore error 123\"") } func (s *Suite) TestLogger() { 
From db723071053855e2e2d9673b0bdbaa349283dc93 Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Mon, 17 Oct 2022 14:25:56 -0400 Subject: [PATCH 130/257] fixed: tables md (#156) * fixed: tables md Signed-off-by: Willian Alves * docs: adding clarifications on image tag vs digest Signed-off-by: Rodrigo Lopes Signed-off-by: Willian Alves Signed-off-by: Rodrigo Lopes Co-authored-by: Rodrigo Lopes Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- doc/plugin_agent_workloadattestor_k8s.md | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index e50e6afb43..36b186bc47 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md 
@@ -56,17 +56,21 @@ since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/cre | `experimental` | The experimental options that are subject to change or removal. | | Experimental options | Description | -| ------------- | ----------- | -| `sigstore`| Sigstore options. Options described below. | +| -------------------- | ----------- | +| `sigstore` | Sigstore options. Options described below. | | Sigstore options | Description | -| ------------- | ----------- | -| `skip_signature_verification_image_list`| The list of images, described as digest hashes, that should be skipped in signature verification. Defaults to empty list. | -| `enable_allowed_subjects_list`| Enables a list of allowed subjects that are trusted and are allowed to sign container images artificats. Defaults to 'false'. If true and `allowed_subjects_list` is empty, no workload will pass signature validation. | -| `allowed_subjects_list`| The list of allowed subjects enabled by `enable_allowed_subjects_list` each entry represents subject e-mail. Defaults to empty list. | -| `rekor_url` | The URL for the rekor STL Server to use with cosign. Defaults to 'rekor.sigstore.dev', Rekor's public instance. | +| ---------------- | ----------- | +| `skip_signature_verification_image_list` | The list of images, described as digest hashes, that should be skipped in signature verification. Defaults to empty list. | +| `enable_allowed_subjects_list` | Enables a list of allowed subjects that are trusted and are allowed to sign container images artificats. Defaults to 'false'. If true and `allowed_subjects_list` is empty, no workload will pass signature validation. | +| `allowed_subjects_list` | The list of allowed subjects enabled by `enable_allowed_subjects_list` each entry represents subject e-mail. Defaults to empty list. | +| `rekor_url` | The URL for the rekor STL Server to use with cosign. Defaults to 'http://rekor.sigstore.dev/', Rekor's public instance. 
| + +> **Note** Cosign discourages the use of image tags for referencing docker images, and this plugin does not support attestation of sigstore selectors for workloads running on containers using tag-referenced images, which will then fail attestation for both sigstore and k8s selectors. In cases where this is necessary, add the digest string for the image in the `skip_signature_verification_image_list` setting (eg. `"sha256:abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"`). Note that sigstore signature attestation will still not be performed, but this will allow k8s selectors to be returned, along with the `"k8s:sigstore-validation:passed"` selector. + +> **Note** Since the Spire Agent can also go through workload attestation, it will also need to be included in the skip list if either its image is not signed or has a digest reference string. -**Note** The sigstore project contains a transparency log called Rekor that provides an immutable, tamper-resistant ledger to record signed metadata to an immutable record. While it is possible to run your own instance, a public instance of rekor is available at rekor.sigstore.dev, cosign defaults to using the public instance. +> **Note** The sigstore project contains a transparency log called Rekor that provides an immutable, tamper-resistant ledger to record signed metadata to an immutable record. While it is possible to run your own instance, a public instance of rekor is available at rekor.sigstore.dev, and cosign defaults to using the public instance. ### Sigstore workload attestor for SPIRE From 834ab88a8f3f20c5f6990ca28adb5c22243db4eb Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Mon, 17 Oct 2022 14:27:27 -0400 Subject: [PATCH 131/257] Validation changed if key present (#158) Changed validation if present key Signed-off-by: Willian Alves Signed-off-by: Willian Alves 
Signed-off-by: Matheus Santos --- .../workloadattestor/k8s/sigstore/sigstorecache_test.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go index d2c0654715..1fad92cc0f 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go @@ -192,9 +192,7 @@ func TestCacheimpl_PutSignature(t *testing.T) { t.Errorf("Item count should be %v in test case %q", tt.wantLength, tt.name) } gotItem, present := m[tt.wantKey] - if !present { - t.Errorf("Key put but not found: %v", tt.wantKey) - } + require.True(t, present, "key not found") require.Equal(t, gotItem.item, tt.wantValue, "Value different than expected. \nGot: %v \nWant:%v", gotItem.item, tt.wantValue) } } From 72888003791759c74ef604b36ea0ca4323b20f3d Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Mon, 17 Oct 2022 14:27:54 -0400 Subject: [PATCH 132/257] Added more a test case (#160) Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../k8s/sigstore/sigstorecache_test.go | 39 +++++++++++++++++-- 1 file changed, 35 insertions(+), 4 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go index 1fad92cc0f..74156b3c44 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go 
@@ -104,29 +104,60 @@ func TestCacheimpl_GetSignature(t *testing.T) { itemsMap: m, } + caseInOrderList := list.New() + caseInOrderList.PushFront(selectors1.Key) + caseInOrderList.PushFront(selectors2.Key) + + caseReorderList := list.New() + caseReorderList.PushFront(selectors2.Key) + caseReorderList.PushFront(selectors1.Key) + tests := []struct { name string want *Item key string errorMessage string + wantedMap map[string]MapItem + wantedList *list.List }{ { name: "Non existing entry", want: nil, key: selectors3.Key, errorMessage: "A non-existing item's key should return a nil item.", + wantedMap: map[string]MapItem{ + "signature1": {item: &selectors1, element: m[selectors1.Key].element}, + "signature2": {item: &selectors2, element: m[selectors2.Key].element}, + }, + wantedList: caseInOrderList, }, { - name: "Existing entry", - want: &selectors1, - key: selectors1.Key, - errorMessage: "An existing items key's should return the existing item", + name: "Existing entry", + want: &selectors2, + key: selectors2.Key, + wantedMap: map[string]MapItem{ + "signature1": {item: &selectors1, element: m[selectors1.Key].element}, + "signature2": {item: &selectors2, element: m[selectors2.Key].element}, + }, + wantedList: caseInOrderList, + }, + { + name: "Existing entry, reorder on get", + want: &selectors1, + key: selectors1.Key, + wantedMap: map[string]MapItem{ + "signature1": {item: &selectors1, element: m[selectors1.Key].element}, + "signature2": {item: &selectors2, element: m[selectors2.Key].element}, + }, + wantedList: caseReorderList, }, } for _, tt := range tests { got := cacheInstance.GetSignature(tt.key) require.Equal(t, got, tt.want, "%v Got: %v Want: %v", tt.errorMessage, got, tt.want) + require.Equal(t, tt.wantedList, cacheInstance.items, "Lists are different Got: %v Want: %v", cacheInstance.items, tt.wantedList) + require.Equal(t, tt.wantedMap, cacheInstance.itemsMap, "Maps are different Got: %v Want: %v", cacheInstance.itemsMap, tt.wantedMap) } } 
From 37386f8f1baa6b7010fabc7f7f553d05eb4cc5bf Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Mon, 17 Oct 2022 17:27:56 -0300 Subject: [PATCH 133/257] fixing rekorUrl handling (#163) * fix: fixed rekorUrl handling tests: added default rekorUrl test case Signed-off-by: Rodrigo Lopes * fix: windows test rekorURL string pointer Signed-off-by: Rodrigo Lopes * lint: fix lint complaint on var names Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s.go | 2 +- .../plugin/workloadattestor/k8s/k8s_posix.go | 6 ++++- .../workloadattestor/k8s/k8s_posix_test.go | 24 +++++++++++++++---- .../workloadattestor/k8s/k8s_windows_test.go | 3 ++- .../workloadattestor/k8s/sigstore/sigstore.go | 2 +- 5 files changed, 28 insertions(+), 9 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s.go b/pkg/agent/plugin/workloadattestor/k8s/k8s.go index 2906f4e3d8..3167aeb72b 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s.go @@ -133,7 +133,7 @@ type ExperimentalK8SConfig struct { // SigstoreHCLConfig holds the sigstore configuration parsed from HCL type SigstoreHCLConfig struct { // RekorURL is the URL for the rekor server to use to verify signatures and public keys - RekorURL string `hcl:"rekor_url"` + RekorURL *string `hcl:"rekor_url,omitempty"` // SkippedImages is a list of images that should skip sigstore verification SkippedImages []string `hcl:"skip_signature_verification_image_list"` diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index fbae9819e1..5fd0cc5121 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go 
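Review bot: The field comment on `SigstoreHCLConfig.RekorURL` no longer describes the contract now that the type is `*string`: it does not say what a nil pointer means. Suggested: `// RekorURL is the URL of the Rekor server used to verify signatures and public keys. nil (attribute omitted) selects the built-in default; any non-nil value, including "", is passed to SetRekorURL as written.` Whether an explicit `rekor_url = ""` should fall back to the default is worth deciding in this change, since `configureSigstoreClient` checks only for nil. The struct continues outside the hunk.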
@@ -226,7 +226,11 @@ func configureSigstoreClient(client sigstore.Sigstore, c *SigstoreHCLConfig, log client.AddAllowedSubject(subject) } } - if err := client.SetRekorURL(c.RekorURL); err != nil { + rekorURL := "http://rekor.sigstore.dev/" // default rekor url + if c.RekorURL != nil { + rekorURL = (*c.RekorURL) + } + if err := client.SetRekorURL(rekorURL); err != nil { return status.Errorf(codes.InvalidArgument, "failed to parse Rekor URL: %v", err) } return nil diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go index d75fb2c246..0ced85bbd5 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go @@ -223,6 +223,9 @@ func (s *Suite) TestFailedToCreateHelperFromConfigure() { } func (s *Suite) TestHelperConfigure() { + rekorURL := "https://rekor.example.com/" + invalidURL := "invalid url" + defaultRekorURL := "http://rekor.sigstore.dev/" for _, tt := range []struct { name string config *HCLConfig @@ -240,14 +243,14 @@ func (s *Suite) TestHelperConfigure() { config: &HCLConfig{ Experimental: &ExperimentalK8SConfig{ Sigstore: &SigstoreHCLConfig{ - RekorURL: "https://rekor.example.com", + RekorURL: &rekorURL, SkippedImages: []string{"sha:image1hash", "sha:image2hash"}, AllowedSubjectListEnabled: true, AllowedSubjects: []string{"spirex@example.com", "spirex1@example.com"}, }, }, }, - expectRekoURL: "https://rekor.example.com", + expectRekoURL: rekorURL, expectSkippedImages: map[string]struct{}{ "sha:image1hash": {}, "sha:image2hash": {}, 
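Review bot: The fallback added to configureSigstoreClient is `http://rekor.sigstore.dev/`, so an agent with no `rekor_url` configured would, if the client honours the scheme, query the transparency log over cleartext HTTP, and the responses that signature verification relies on would have no transport integrity. The default should be `rekorURL := "https://rekor.sigstore.dev/"`, which also removes the need for the `rekorURI.Scheme != "http"` relaxation this commit adds to SetRekorURL in sigstore.go; that relaxation additionally lets any operator-supplied `http://` URL through. The literal is repeated as `defaultRekorURL` in TestHelperConfigure, so a package-level constant used by both would keep them in step. PATCH 137 later in this series switches to https. configureSigstoreClient starts outside the hunk.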
@@ -263,18 +266,29 @@ func (s *Suite) TestHelperConfigure() { config: &HCLConfig{ Experimental: &ExperimentalK8SConfig{ Sigstore: &SigstoreHCLConfig{ - RekorURL: "https://rekor.example.com", + RekorURL: &rekorURL, }, }, }, - expectRekoURL: "https://rekor.example.com", + expectRekoURL: rekorURL, + }, + { + name: "missing url, use default", + config: &HCLConfig{ + Experimental: &ExperimentalK8SConfig{ + Sigstore: &SigstoreHCLConfig{ + RekorURL: nil, + }, + }, + }, + expectRekoURL: defaultRekorURL, }, { name: "failed to set url", config: &HCLConfig{ Experimental: &ExperimentalK8SConfig{ Sigstore: &SigstoreHCLConfig{ - RekorURL: "invalid url", + RekorURL: &invalidURL, }, }, }, diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_windows_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_windows_test.go index 8b5d99ddf6..9da254ef79 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_windows_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_windows_test.go @@ -111,9 +111,10 @@ func TestContainerHelper(t *testing.T) { }) t.Run("configure fails when sigstore is enabled", func(t *testing.T) { + rekorURL := "https://test.org" config := &HCLConfig{ Experimental: &ExperimentalK8SConfig{ - Sigstore: &SigstoreHCLConfig{RekorURL: "https://test.org"}, + Sigstore: &SigstoreHCLConfig{RekorURL: &rekorURL}, }, } err := cHelper.Configure(config, hclog.NewNullLogger()) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index d19d96ad1d..5f911daa2f 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go 
@@ -336,7 +336,7 @@ func (s *sigstoreImpl) SetRekorURL(rekorURL string) error { if err != nil { return fmt.Errorf("failed parsing rekor URI: %w", err) } - if rekorURI.Scheme != "" && rekorURI.Scheme != "https" { + if rekorURI.Scheme != "" && rekorURI.Scheme != "https" && rekorURI.Scheme != "http" { return fmt.Errorf("invalid rekor URL Scheme %q", rekorURI.Scheme) } if rekorURI.Host == "" { From c1986c0fc49b20abb73c23f7ab1122e214123199 Mon Sep 17 00:00:00 2001 From: Matheus de Farias Cavalcanti Santos Date: Mon, 17 Oct 2022 18:04:42 -0300 Subject: [PATCH 134/257] feat: implementation of sigstore cache check overflow test function (#165) * feat: implementation of sigstore cache check overflow test function Signed-off-by: Matheus Santos * fix: removed a tab detected by lint Signed-off-by: Matheus Santos * fix: removed blank line detected by lint Signed-off-by: Matheus Santos * fix: fix lint Signed-off-by: Matheus Santos * fix: fix lint Signed-off-by: Matheus Santos Signed-off-by: Matheus Santos Co-authored-by: Matheus Santos Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../k8s/sigstore/sigstorecache_test.go | 94 +++++++++++++++++++ 1 file changed, 94 insertions(+) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go index 74156b3c44..51fdbe5a74 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go 
@@ -471,3 +471,97 @@ func TestCacheimpl_CheckOverflowAndUpdates(t *testing.T) { require.Equal(t, items.Front().Value, step.wantHeadKey, "First element is %v should be %v after step %q", items.Front().Value, step.wantHeadKey, step.name) } } + +func TestCacheimpl_CheckOverflow(t *testing.T) { + listNoOverflow := list.New() + mapNoOverflow := make(map[string]MapItem) + mapNoOverflow[selectors1.Key] = MapItem{ + item: &selectors1, + element: listNoOverflow.PushFront(selectors1.Key), + } + mapNoOverflow[selectors2.Key] = MapItem{ + item: &selectors2, + element: listNoOverflow.PushFront(selectors2.Key), + } + mapNoOverflow[selectors3.Key] = MapItem{ + item: &selectors3, + element: listNoOverflow.PushFront(selectors3.Key), + } + + listOverflow := list.New() + mapOverflow := make(map[string]MapItem) + mapOverflow[selectors2.Key] = MapItem{ + item: &selectors2, + element: listOverflow.PushFront(selectors2.Key), + } + mapOverflow[selectors3.Key] = MapItem{ + item: &selectors3, + element: listOverflow.PushFront(selectors3.Key), + } + + listReorder := list.New() + mapReorder := make(map[string]MapItem) + mapReorder[selectors2.Key] = MapItem{ + item: &selectors2, + element: listReorder.PushFront(selectors2.Key), + } + mapReorder[selectors1.Key] = MapItem{ + item: &selectors1, + element: listReorder.PushFront(selectors1.Key), + } + + testCases := []struct { + name string + item *Item + wantLength int + wantedList *list.List + wantedMap map[string]MapItem + maxLength int + }{ + { + name: "Put third element, no overflow", + item: &selectors3, + wantedList: listNoOverflow, + wantedMap: mapNoOverflow, + maxLength: 3, + }, + { + name: "Put existing element no overflow", + item: &selectors1, + wantedList: listReorder, + wantedMap: mapReorder, + maxLength: 2, + }, + { + name: "Put third element, overflow", + item: &selectors3, + wantedList: listOverflow, + wantedMap: mapOverflow, + maxLength: 2, + }, + } + for _, testCase := range testCases { + testCase := testCase + 
t.Run(testCase.name, func(t *testing.T) { + m := make(map[string]MapItem) + items := list.New() + m[selectors1.Key] = MapItem{ + item: &selectors1, + element: items.PushFront(selectors1.Key), + } + m[selectors2.Key] = MapItem{ + item: &selectors2, + element: items.PushFront(selectors2.Key), + } + cacheInstance := &cacheImpl{ + size: testCase.maxLength, + items: items, + mutex: sync.RWMutex{}, + itemsMap: m, + } + cacheInstance.PutSignature(*testCase.item) + require.Equal(t, testCase.wantedList, cacheInstance.items, "List different than expected. \nGot: %v \nWant:%v", cacheInstance.items, testCase.wantedList) + require.Equal(t, testCase.wantedMap, cacheInstance.itemsMap, "Map different than expected. \nGot: %v \nWant:%v", cacheInstance.itemsMap, testCase.wantedMap) + }) + } +} From d2c1f643c46e2d69952ceb744036c7502705d017 Mon Sep 17 00:00:00 2001 From: Guazzelli Date: Tue, 18 Oct 2022 13:23:19 -0300 Subject: [PATCH 135/257] fix: removed unnecessary if statement (#166) Signed-off-by: joaoguazzelli Signed-off-by: joaoguazzelli Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index 5fd0cc5121..ce948565fa 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go @@ -221,10 +221,8 @@ func configureSigstoreClient(client sigstore.Sigstore, c *SigstoreHCLConfig, log client.EnableAllowSubjectList(c.AllowedSubjectListEnabled) client.SetLogger(log) client.ClearAllowedSubjects() - if c.AllowedSubjects != nil { - for _, subject := range c.AllowedSubjects { - client.AddAllowedSubject(subject) - } + for _, subject := range c.AllowedSubjects { + client.AddAllowedSubject(subject) } rekorURL := "http://rekor.sigstore.dev/" // default rekor url if c.RekorURL != nil { 
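Review bot: `wantLength` is declared in the `testCases` struct of TestCacheimpl_CheckOverflow, but no case sets it and nothing asserts on it. Either drop the field or, if a length check was intended, set it per case and add `require.Equal(t, testCase.wantLength, cacheInstance.items.Len())`. `mutex: sync.RWMutex{}` only spells out the zero value and can be omitted from the `cacheImpl` literal.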
From 13735753a906e869d7403c3f9285a26662e92a92 Mon Sep 17 00:00:00 2001 From: joaoguazzelli Date: Tue, 18 Oct 2022 16:15:04 -0300 Subject: [PATCH 136/257] =?UTF-8?q?fix:=20added=20independent=20cache=20fo?= =?UTF-8?q?r=20each=20test=20in=20TestCacheimpl=5FPutSignat=E2=80=A6=20(#1?= =?UTF-8?q?67)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: added independent cache for each test in TestCacheimpl_PutSignature test case * tests: fixed put tests Signed-off-by: Rodrigo Lopes * tests: refactored older tests to use helper func Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes Co-authored-by: Rodrigo Lopes Signed-off-by: Willian Alves Signed-off-by: Matheus Santos --- .../k8s/sigstore/sigstorecache_test.go | 143 ++++++++---------- 1 file changed, 59 insertions(+), 84 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go index 51fdbe5a74..cf50ef6aeb 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstorecache_test.go @@ -85,18 +85,7 @@ func TestNewCache(t *testing.T) { } func TestCacheimpl_GetSignature(t *testing.T) { - m := make(map[string]MapItem) - items := list.New() - - m[selectors1.Key] = MapItem{ - item: &selectors1, - element: items.PushFront(selectors1.Key), - } - m[selectors2.Key] = MapItem{ - item: &selectors2, - element: items.PushFront(selectors2.Key), - } - + m, items := makeMapAndList(&selectors1, &selectors2) cacheInstance := &cacheImpl{ size: 3, items: items, 
@@ -162,69 +151,76 @@ func TestCacheimpl_GetSignature(t *testing.T) { } func TestCacheimpl_PutSignature(t *testing.T) { - m := make(map[string]MapItem) - items := list.New() - - cacheInstance := &cacheImpl{ - size: 2, - items: items, - mutex: sync.RWMutex{}, - itemsMap: m, - } - + mapReorder, listReorder := makeMapAndList(&selectors2, &selectors3) + mapAddNew, listAddNew := makeMapAndList(&selectors3, &selectors2, &selectors1) + mapUpdate, listUpdate := makeMapAndList(&selectors3, &selectors2Updated) + mapReorderUpdate, listReorderUpdate := makeMapAndList(&selectors2, &selectors3Updated) tests := []struct { name string item *Item wantLength int wantKey string wantValue *Item + wantMap map[string]MapItem + wantList *list.List }{ { - name: "Put first element", - item: &selectors1, - wantLength: 1, - wantKey: selectors1.Key, - wantValue: &selectors1, + name: "Put existing element", + item: &selectors3, + wantLength: 2, + wantKey: selectors3.Key, + wantValue: &selectors3, + wantMap: mapReorder, + wantList: listReorder, }, { - name: "Put first element again", + name: "Put new element", item: &selectors1, - wantLength: 1, + wantLength: 3, wantKey: selectors1.Key, wantValue: &selectors1, + wantMap: mapAddNew, + wantList: listAddNew, }, { - name: "Put second element", - item: &selectors2, + name: "Update entry", + item: &selectors2Updated, wantLength: 2, wantKey: selectors2.Key, - wantValue: &selectors2, + wantValue: &selectors2Updated, + wantMap: mapUpdate, + wantList: listUpdate, }, { - name: "Overflow cache", - item: &selectors3, - wantLength: 2, - wantKey: selectors3.Key, - wantValue: &selectors3, - }, - { - name: "Update entry", + name: "Update entry, reorder", item: &selectors3Updated, wantLength: 2, wantKey: selectors3.Key, wantValue: &selectors3Updated, + wantMap: mapReorderUpdate, + wantList: listReorderUpdate, }, } for _, tt := range tests { - cacheInstance.PutSignature(*tt.item) - gotLen := cacheInstance.items.Len() - if gotLen != tt.wantLength { - 
t.Errorf("Item count should be %v in test case %q", tt.wantLength, tt.name) - } - gotItem, present := m[tt.wantKey] - require.True(t, present, "key not found") - require.Equal(t, gotItem.item, tt.wantValue, "Value different than expected. \nGot: %v \nWant:%v", gotItem.item, tt.wantValue) + tt := tt + t.Run(tt.name, func(t *testing.T) { + testMap, testItems := makeMapAndList(&selectors3, &selectors2) + cacheInstance := cacheImpl{ + size: 10, + items: testItems, + mutex: sync.RWMutex{}, + itemsMap: testMap, + } + cacheInstance.PutSignature(*tt.item) + + gotItem, present := testMap[tt.wantKey] + require.True(t, present, "key not found") + require.Equal(t, tt.wantValue, gotItem.item, "Value different than expected. \nGot: %v \nWant:%v", gotItem.item, tt.wantValue) + require.Equal(t, tt.wantLength, testItems.Len(), "List length different than expected. \nGot: %v \nWant:%v", testItems.Len(), tt.wantLength) + require.Equal(t, tt.wantList, testItems, "Lists are different Got: %v Want: %v", testItems, tt.wantList) + require.Equal(t, tt.wantMap, testMap, "Maps are different Got: %v Want: %v", testMap, tt.wantMap) + }) } } 
@@ -473,42 +469,9 @@ func TestCacheimpl_CheckOverflowAndUpdates(t *testing.T) { } func TestCacheimpl_CheckOverflow(t *testing.T) { - listNoOverflow := list.New() - mapNoOverflow := make(map[string]MapItem) - mapNoOverflow[selectors1.Key] = MapItem{ - item: &selectors1, - element: listNoOverflow.PushFront(selectors1.Key), - } - mapNoOverflow[selectors2.Key] = MapItem{ - item: &selectors2, - element: listNoOverflow.PushFront(selectors2.Key), - } - mapNoOverflow[selectors3.Key] = MapItem{ - item: &selectors3, - element: listNoOverflow.PushFront(selectors3.Key), - } - - listOverflow := list.New() - mapOverflow := make(map[string]MapItem) - mapOverflow[selectors2.Key] = MapItem{ - item: &selectors2, - element: listOverflow.PushFront(selectors2.Key), - } - mapOverflow[selectors3.Key] = MapItem{ - item: &selectors3, - element: listOverflow.PushFront(selectors3.Key), - } - - listReorder := list.New() - mapReorder := make(map[string]MapItem) - mapReorder[selectors2.Key] = MapItem{ - item: &selectors2, - element: listReorder.PushFront(selectors2.Key), - } - mapReorder[selectors1.Key] = MapItem{ - item: &selectors1, - element: listReorder.PushFront(selectors1.Key), - } + mapNoOverflow, listNoOverflow := makeMapAndList(&selectors1, &selectors2, &selectors3) + mapOverflow, listOverflow := makeMapAndList(&selectors2, &selectors3) + mapReorder, listReorder := makeMapAndList(&selectors2, &selectors1) testCases := []struct { name string @@ -565,3 +528,15 @@ func TestCacheimpl_CheckOverflow(t *testing.T) { }) } } + +func makeMapAndList(items ...*Item) (map[string]MapItem, *list.List) { + mp := make(map[string]MapItem) + ls := list.New() + for _, item := range items { + mp[item.Key] = MapItem{ + item: item, + element: ls.PushFront(item.Key), + } + } + return mp, ls +} From 0e8bcf880f8f20b750917782ddd0d994d9292345 Mon Sep 17 00:00:00 2001 
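Review bot: makeMapAndList has no comment, and its ordering is easy to misread: each item is added with `PushFront`, so the last argument ends up at the head of the list, and every expected list in the tables depends on that. A comment such as `// makeMapAndList builds a cache map and list from items; items are pushed to the front, so the last item passed becomes the list head.` would save readers from working the order out for each test case.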
From: Matheus de Farias Cavalcanti Santos Date: Thu, 10 Nov 2022 10:26:39 -0300 Subject: [PATCH 137/257] Adding sigstore cosign pr adjustments 01112022 (#169) * refactor: changed rekor url from http to https and is not allowed http is SetRekorURL function Signed-off-by: Matheus Santos * refactor: pr adjustments in sigstore.go and plugin_agent_workloadattestor_k8s.md files Signed-off-by: Matheus Santos * fix: fixed unit test in k8s_posix_test.go file Signed-off-by: Matheus Santos * fix: fixed lint Signed-off-by: Matheus Santos * refactor: modified plugin_agent_workloadattestor_k8s.md file removing STL Server Signed-off-by: Matheus Santos Signed-off-by: Matheus Santos --- doc/plugin_agent_workloadattestor_k8s.md | 14 +++++++++----- pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go | 2 +- .../plugin/workloadattestor/k8s/k8s_posix_test.go | 2 +- .../workloadattestor/k8s/sigstore/sigstore.go | 5 +++-- 4 files changed, 14 insertions(+), 9 deletions(-) diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index 36b186bc47..0b195e1f69 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md 
@@ -57,24 +57,28 @@ since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/cre | Experimental options | Description | | -------------------- | ----------- | -| `sigstore` | Sigstore options. Options described below. | +| `sigstore` | Sigstore options. Options described below. See [Sigstore workload attestor for SPIRE](#sigstore-workload-attestor-for-spire)| | Sigstore options | Description | | ---------------- | ----------- | | `skip_signature_verification_image_list` | The list of images, described as digest hashes, that should be skipped in signature verification. Defaults to empty list. | | `enable_allowed_subjects_list` | Enables a list of allowed subjects that are trusted and are allowed to sign container images artificats. Defaults to 'false'. If true and `allowed_subjects_list` is empty, no workload will pass signature validation. | | `allowed_subjects_list` | The list of allowed subjects enabled by `enable_allowed_subjects_list` each entry represents subject e-mail. Defaults to empty list. | -| `rekor_url` | The URL for the rekor STL Server to use with cosign. Defaults to 'http://rekor.sigstore.dev/', Rekor's public instance. | +| `rekor_url` | The rekor URL to use with cosign. Defaults to 'https://rekor.sigstore.dev/', Rekor's public instance. | > **Note** Cosign discourages the use of image tags for referencing docker images, and this plugin does not support attestation of sigstore selectors for workloads running on containers using tag-referenced images, which will then fail attestation for both sigstore and k8s selectors. In cases where this is necessary, add the digest string for the image in the `skip_signature_verification_image_list` setting (eg. `"sha256:abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"`). Note that sigstore signature attestation will still not be performed, but this will allow k8s selectors to be returned, along with the `"k8s:sigstore-validation:passed"` selector. 
-> **Note** Since the Spire Agent can also go through workload attestation, it will also need to be included in the skip list if either its image is not signed or has a digest reference string. +> **Note** Since the SPIRE Agent can also go through workload attestation, it will also need to be included in the skip list if either its image is not signed or has a digest reference string. > **Note** The sigstore project contains a transparency log called Rekor that provides an immutable, tamper-resistant ledger to record signed metadata to an immutable record. While it is possible to run your own instance, a public instance of rekor is available at rekor.sigstore.dev, and cosign defaults to using the public instance. ### Sigstore workload attestor for SPIRE -The k8s workload attestor plugin also has capabilities to validate images signatures through [sigstore](https://www.sigstore.dev/) +#### Platform support + +This capability is only supported on Unix systems. + +The k8s workload attestor plugin also has capabilities to validate container images signatures through [sigstore](https://www.sigstore.dev/) Cosign supports container signing, verification, and storage in an OCI registry. Cosign aims to make signatures invisible infrastructure. For this, we’ve chosen the Sigstore ecosystem and artifacts. Digging deeper, we are using: Rekor (signature transparency log), Fulcio (signing certificate issuer and certificate transparency log) and Cosign (container image signing tool) to guarantee the authenticity of the running workload. 
@@ -104,7 +108,7 @@ Sigstore enabled selectors (available when configured to use sigstore) | Selector | Value | | -------- | ----- | -| k8s:${containerID}:image-signature-content | The value of the signature itself in a hash (eg. "k8s:000000:image-signature-content:MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=")| +| k8s:${containerID}:image-signature-content | A containerID is an unique alphanumeric number for each container. The value of the signature itself in a hash (eg. "k8s:000000:image-signature-content:MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=")| | k8s:${containerID}:image-signature-subject | OIDC principal that signed it​ (eg. "k8s:000000:image-signature-subject:spirex@example.com")| | k8s:${containerID}:image-signature-logid | A unique LogID for the Rekor transparency log​ (eg. "k8s:000000:image-signature-logid:samplelogID") | | k8s:${containerID}:image-signature-integrated-time | The time (in Unix timestamp format) when the image signature was integrated into the signature transparency log​ (eg. "k8s:000000:image-signature-integrated-time:12345") | diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index ce948565fa..9fd9895625 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go @@ -224,7 +224,7 @@ func configureSigstoreClient(client sigstore.Sigstore, c *SigstoreHCLConfig, log for _, subject := range c.AllowedSubjects { client.AddAllowedSubject(subject) } - rekorURL := "http://rekor.sigstore.dev/" // default rekor url + rekorURL := "https://rekor.sigstore.dev/" // default rekor url if c.RekorURL != nil { rekorURL = (*c.RekorURL) } diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go index 0ced85bbd5..0bcc5ad687 100644 
--- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go @@ -225,7 +225,7 @@ func (s *Suite) TestFailedToCreateHelperFromConfigure() { func (s *Suite) TestHelperConfigure() { rekorURL := "https://rekor.example.com/" invalidURL := "invalid url" - defaultRekorURL := "http://rekor.sigstore.dev/" + defaultRekorURL := "https://rekor.sigstore.dev/" for _, tt := range []struct { name string config *HCLConfig diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 5f911daa2f..588e6388c2 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -112,8 +112,9 @@ func defaultCheckOptsFunction(rekorURL url.URL) (*cosign.CheckOpts, error) { RekorClient: rekor.NewHTTPClientWithConfig(nil, rekor.DefaultTransportConfig().WithBasePath(rekorURL.Path).WithHost(rekorURL.Host)), RootCerts: rootCerts, } + co.IntermediateCerts, err = fulcio.GetIntermediates() - return co, nil + return co, err } type sigstoreImpl struct { @@ -336,7 +337,7 @@ func (s *sigstoreImpl) SetRekorURL(rekorURL string) error { if err != nil { return fmt.Errorf("failed parsing rekor URI: %w", err) } - if rekorURI.Scheme != "" && rekorURI.Scheme != "https" && rekorURI.Scheme != "http" { + if rekorURI.Scheme != "" && rekorURI.Scheme != "https" { return fmt.Errorf("invalid rekor URL Scheme %q", rekorURI.Scheme) } if rekorURI.Host == "" { From e400cfb96eeefeb1b1ac2b2f57c878d34ac41e3b Mon Sep 17 00:00:00 2001 
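Review bot: In defaultCheckOptsFunction the new `return co, err` hands back a populated `*cosign.CheckOpts` together with a non-nil error when `fulcio.GetIntermediates()` fails, so a caller that mishandles the error would hold verification options without intermediate certificates. Returning nil on failure is the safer contract: `if err != nil { return nil, fmt.Errorf("failed to get fulcio intermediate certificates: %w", err) }` followed by `return co, nil`. The Rekor client in the context line is built from `rekorURL.Path` and `rekorURL.Host` only, so it is worth confirming which scheme the transport ends up using now that SetRekorURL accepts only https. The function starts outside the hunk.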
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 16 Nov 2022 15:02:33 -0300 Subject: [PATCH 138/257] Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.68.0 to 1.70.0 (#3603) Bumps [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) from 1.68.0 to 1.70.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.68.0...service/ec2/v1.70.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index d70cc3efea..c96ee4bb15 100644 --- a/go.mod +++ b/go.mod @@ -22,7 +22,7 @@ require ( github.com/aws/aws-sdk-go-v2/credentials v1.12.17 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14 github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 - github.com/aws/aws-sdk-go-v2/service/ec2 v1.68.0 + github.com/aws/aws-sdk-go-v2/service/ec2 v1.70.0 github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 github.com/aws/aws-sdk-go-v2/service/kms v1.18.8 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 diff --git a/go.sum b/go.sum index 8a066b003a..601d046308 100644 --- a/go.sum +++ b/go.sum 
@@ -298,8 +298,8 @@ github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21 h1:lpwSbLKYTuABo6SyUoC25xAmfO3 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21/go.mod h1:Q0pktZjvRZk77TBto6yAvUAi7fcse1bdcMctBDVGgBw= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 h1:2f0kb+39miQPRp0b7Sqq06+TpxI0Nfcra41QxzJPME8= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0/go.mod h1:AVLIBQ9V7mcHd5uZT1+wUbBt4QaI/XcOens85Ib0W1o= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.68.0 h1:YV+y7FyJuT5krPhCMon9GvY9EJYgznY2nhzcicNYR3Q= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.68.0/go.mod h1:zul71QqzR4D1a90/5FloZiAnZ1CtuIjVH7R9MP997+A= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.70.0 h1:09PzSKQbPSMSK26JwjdpqhNsUEsaC8IPAZQslhR3HHg= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.70.0/go.mod h1:zul71QqzR4D1a90/5FloZiAnZ1CtuIjVH7R9MP997+A= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 h1:m/WtVqEvgwDiUPIW2dtnF2hDE1O62MEflz9ClOlCXAs= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16/go.mod h1:w8wndcRxwILFQAzwkUKyEDz4LDHEBSR78KRdaNjUKQA= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.14/go.mod h1:8qOLjqMzY/S1kh3myDXA1yxK5eD4uN8aOJgKpgvc4OM= From e79d6cab346ff27dfcbc54df00b1e5990e78ca07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Wed, 16 Nov 2022 17:32:56 -0300 Subject: [PATCH 139/257] Fix race in TestDisposeActiveCryptoKeys accessing the stored fake CryptoKeys through the use of locks (#3616) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go b/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go index 99c1d2b0e7..ab722d5d2a 100644 --- a/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go +++ b/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go 
@@ -548,13 +548,12 @@ func TestDisposeActiveCryptoKeys(t *testing.T) { // The CryptoKeys are not stale yet. Assert that they are active and the // CryptoKeyVersions enabled. - storedFakeCryptoKeys := ts.fakeKMSClient.store.fetchFakeCryptoKeys() for _, fck := range storedFakeCryptoKeys { require.Equal(t, "true", fck.getLabelValue(labelNameActive)) storedFakeCryptoKeyVersions := fck.fetchFakeCryptoKeyVersions() for _, fckv := range storedFakeCryptoKeyVersions { - require.Equal(t, kmspb.CryptoKeyVersion_ENABLED, fckv.State, fckv.Name) + require.Equal(t, kmspb.CryptoKeyVersion_ENABLED, fckv.GetState(), fckv.GetName()) } } } From 9e633765b78608702e68a9ae22197fdbf76140a2 Mon Sep 17 00:00:00 2001 From: Guilherme Oliveira do Carmo Carvalho <33766735+guilhermocc@users.noreply.github.com> Date: Wed, 16 Nov 2022 19:09:59 -0300 Subject: [PATCH 140/257] Enable output format definition for spire-server agent commands (#3523) * Use cliprinter to enable more output format options in list agent command * Use cliprinter to enable more output format options in count and show agents commands * Use cliprinter to enable more output format options in evict and ban agents commands Signed-off-by: Guilherme Carvalho --- cmd/spire-agent/cli/api/fetch_jwt.go | 17 +- .../cli/agent/agent_posix_test.go | 32 ++ cmd/spire-server/cli/agent/agent_test.go | 348 ++++++++++-------- .../cli/agent/agent_windows_test.go | 32 ++ cmd/spire-server/cli/agent/ban.go | 26 +- cmd/spire-server/cli/agent/count.go | 41 ++- cmd/spire-server/cli/agent/evict.go | 27 +- cmd/spire-server/cli/agent/list.go | 50 ++- cmd/spire-server/cli/agent/show.go | 37 +- pkg/common/cliprinter/cliprinter.go | 74 ++-- pkg/common/cliprinter/cliprinter_test.go | 7 +- pkg/common/cliprinter/flag.go | 14 +- pkg/common/cliprinter/flag_test.go | 9 +- .../internal/protojson/protojson.go | 3 +- .../internal/protojson/protojson_test.go | 14 + 15 files changed, 449 insertions(+), 282 deletions(-) 
diff --git a/cmd/spire-agent/cli/api/fetch_jwt.go b/cmd/spire-agent/cli/api/fetch_jwt.go index 019fa38b27..7e7654f9c6 100644 --- a/cmd/spire-agent/cli/api/fetch_jwt.go +++ b/cmd/spire-agent/cli/api/fetch_jwt.go @@ -8,20 +8,20 @@ import ( "github.com/mitchellh/cli" "github.com/spiffe/go-spiffe/v2/proto/spiffe/workload" - common_cli "github.com/spiffe/spire/pkg/common/cli" + commoncli "github.com/spiffe/spire/pkg/common/cli" "github.com/spiffe/spire/pkg/common/cliprinter" ) func NewFetchJWTCommand() cli.Command { - return newFetchJWTCommand(common_cli.DefaultEnv, newWorkloadClient) + return newFetchJWTCommand(commoncli.DefaultEnv, newWorkloadClient) } -func newFetchJWTCommand(env *common_cli.Env, clientMaker workloadClientMaker) cli.Command { +func newFetchJWTCommand(env *commoncli.Env, clientMaker workloadClientMaker) cli.Command { return adaptCommand(env, clientMaker, new(fetchJWTCommand)) } type fetchJWTCommand struct { - audience common_cli.CommaStringsFlag + audience commoncli.CommaStringsFlag spiffeID string printer cliprinter.Printer } @@ -34,7 +34,7 @@ func (c *fetchJWTCommand) synopsis() string { return "Fetches a JWT SVID from the Workload API" } -func (c *fetchJWTCommand) run(ctx context.Context, env *common_cli.Env, client *workloadClient) error { +func (c *fetchJWTCommand) run(ctx context.Context, env *commoncli.Env, client *workloadClient) error { if len(c.audience) == 0 { return errors.New("audience must be specified") } 
@@ -48,14 +48,13 @@ func (c *fetchJWTCommand) run(ctx context.Context, env *common_cli.Env, client * return err } - c.printer.MustPrintProto(svidResp, bundlesResp) - return nil + return c.printer.PrintProto(svidResp, bundlesResp) } func (c *fetchJWTCommand) appendFlags(fs *flag.FlagSet) { fs.Var(&c.audience, "audience", "comma separated list of audience values") fs.StringVar(&c.spiffeID, "spiffeID", "", "SPIFFE ID subject (optional)") - outputValue := cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, printPrettyResult) + outputValue := cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, nil, printPrettyResult) fs.Var(outputValue, "format", "deprecated; use -output") } @@ -78,7 +77,7 @@ func (c *fetchJWTCommand) fetchJWTBundles(ctx context.Context, client *workloadC return stream.Recv() } -func printPrettyResult(results ...interface{}) error { +func printPrettyResult(_ *commoncli.Env, results ...interface{}) error { errMsg := "internal error: cli printer; please report this bug" svidResp, ok := results[0].(*workload.JWTSVIDResponse) diff --git a/cmd/spire-server/cli/agent/agent_posix_test.go b/cmd/spire-server/cli/agent/agent_posix_test.go index 5cda6991d0..b6275c7ecc 100644 --- a/cmd/spire-server/cli/agent/agent_posix_test.go +++ b/cmd/spire-server/cli/agent/agent_posix_test.go 
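Review bot: printPrettyResult indexes `results[0]` without checking the slice length, so a call with no results would panic instead of returning the `errMsg` error that the type assertions appear to guard with. A check such as `if len(results) < 2 { return errors.New(errMsg) }` at the top would keep that failure on the error path; the count of two is taken from the `PrintProto(svidResp, bundlesResp)` call above. The new `*commoncli.Env` parameter is discarded and `AppendFlagWithCustomPretty` receives `nil` as its third argument, presumably the env, so the pretty printer may still write outside the command's env; confirm that is intended. The function body continues outside the hunk.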
@@ -7,9 +7,41 @@ var ( listUsage = `Usage of agent list: -matchSelectorsOn string The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset") + -output value + Desired output format (pretty, json) -selector value A colon-delimited type:value selector. Can be used more than once -socketPath string Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") +` + banUsage = `Usage of agent ban: + -output value + Desired output format (pretty, json) + -socketPath string + Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") + -spiffeID string + The SPIFFE ID of the agent to ban (agent identity) +` + evictUsage = `Usage of agent evict: + -output value + Desired output format (pretty, json) + -socketPath string + Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") + -spiffeID string + The SPIFFE ID of the agent to evict (agent identity) +` + countUsage = `Usage of agent count: + -output value + Desired output format (pretty, json) + -socketPath string + Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") +` + showUsage = `Usage of agent show: + -output value + Desired output format (pretty, json) + -socketPath string + Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") + -spiffeID string + The SPIFFE ID of the agent to show (agent identity) ` ) diff --git a/cmd/spire-server/cli/agent/agent_test.go b/cmd/spire-server/cli/agent/agent_test.go index de9dbd27c2..f491c3500c 100644 --- a/cmd/spire-server/cli/agent/agent_test.go +++ b/cmd/spire-server/cli/agent/agent_test.go 
@@ -3,20 +3,20 @@ package agent_test import ( "bytes" "context" + "fmt" "testing" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" - "github.com/mitchellh/cli" agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1" "github.com/spiffe/spire-api-sdk/proto/spire/api/types" "github.com/spiffe/spire/cmd/spire-server/cli/agent" "github.com/spiffe/spire/cmd/spire-server/cli/common" - common_cli "github.com/spiffe/spire/pkg/common/cli" + commoncli "github.com/spiffe/spire/pkg/common/cli" "github.com/spiffe/spire/test/spiretest" "github.com/stretchr/testify/require" "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" "google.golang.org/protobuf/types/known/emptypb" ) @@ -40,16 +40,15 @@ var ( }, }, } + availableFormats = []string{"pretty", "json"} ) type agentTest struct { stdin *bytes.Buffer stdout *bytes.Buffer stderr *bytes.Buffer - args []string server *fakeAgentServer - client cli.Command } 
@@ -64,26 +63,25 @@ func TestBanHelp(t *testing.T) { test := setupTest(t, agent.NewBanCommandWithEnv) test.client.Help() - require.Equal(t, `Usage of agent ban:`+common.AddrUsage+ - ` -spiffeID string - The SPIFFE ID of the agent to ban (agent identity) -`, test.stderr.String()) + require.Equal(t, banUsage, test.stderr.String()) } func TestBan(t *testing.T) { for _, tt := range []struct { - name string - args []string - expectReturnCode int - expectStdout string - expectStderr string - serverErr error + name string + args []string + expectReturnCode int + expectStdoutPretty string + expectStdoutJSON string + expectStderr string + serverErr error }{ { - name: "success", - args: []string{"-spiffeID", "spiffe://example.org/spire/agent/agent1"}, - expectReturnCode: 0, - expectStdout: "Agent banned successfully\n", + name: "success", + args: []string{"-spiffeID", "spiffe://example.org/spire/agent/agent1"}, + expectReturnCode: 0, + expectStdoutPretty: "Agent banned successfully\n", + expectStdoutJSON: "{}", }, { name: "no spiffe id", 
@@ -104,16 +102,20 @@ func TestBan(t *testing.T) { expectStderr: "Error: rpc error: code = Internal desc = internal server error\n", }, } { - tt := tt - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, agent.NewBanCommandWithEnv) - test.server.err = tt.serverErr - - returnCode := test.client.Run(append(test.args, tt.args...)) - require.Equal(t, tt.expectStdout, test.stdout.String()) - require.Equal(t, tt.expectStderr, test.stderr.String()) - require.Equal(t, tt.expectReturnCode, returnCode) - }) + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) { + test := setupTest(t, agent.NewBanCommandWithEnv) + test.server.err = tt.serverErr + args := tt.args + args = append(args, "-output", format) + + returnCode := test.client.Run(append(test.args, args...)) + + requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectStdoutPretty, tt.expectStdoutJSON) + require.Equal(t, tt.expectStderr, test.stderr.String()) + require.Equal(t, tt.expectReturnCode, returnCode) + }) + } } } 
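Review bot: The stdout assertion in TestBan's new inner loop is weaker than the `require.Equal` it replaces. requireOutputBasedOnFormat uses `require.Contains` for the pretty format, so a case that leaves expectStdoutPretty unset accepts whatever the command printed, including unexpected output on the error paths. TestEvict's loop further down has the same regression. Both commands print a fixed pretty string, so the exact comparison can be kept with `if format == "pretty" { require.Equal(t, tt.expectStdoutPretty, test.stdout.String()) }` next to the helper call.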
@@ -121,26 +123,25 @@ func TestEvictHelp(t *testing.T) { test := setupTest(t, agent.NewEvictCommandWithEnv) test.client.Help() - require.Equal(t, `Usage of agent evict:`+common.AddrUsage+ - ` -spiffeID string - The SPIFFE ID of the agent to evict (agent identity) -`, test.stderr.String()) + require.Equal(t, evictUsage, test.stderr.String()) } func TestEvict(t *testing.T) { for _, tt := range []struct { - name string - args []string - expectedReturnCode int - expectedStdout string - expectedStderr string - serverErr error + name string + args []string + expectedReturnCode int + expectedStdoutPretty string + expectedStdoutJSON string + expectedStderr string + serverErr error }{ { - name: "success", - args: []string{"-spiffeID", "spiffe://example.org/spire/agent/agent1"}, - expectedReturnCode: 0, - expectedStdout: "Agent evicted successfully\n", + name: "success", + args: []string{"-spiffeID", "spiffe://example.org/spire/agent/agent1"}, + expectedReturnCode: 0, + expectedStdoutPretty: "Agent evicted successfully\n", + expectedStdoutJSON: "{}", }, { name: "no spiffe id", 
@@ -161,16 +162,20 @@ func TestEvict(t *testing.T) { expectedStderr: "Error: rpc error: code = Internal desc = internal server error\n", }, } { - tt := tt - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, agent.NewEvictCommandWithEnv) - test.server.err = tt.serverErr - - returnCode := test.client.Run(append(test.args, tt.args...)) - require.Equal(t, tt.expectedStdout, test.stdout.String()) - require.Equal(t, tt.expectedStderr, test.stderr.String()) - require.Equal(t, tt.expectedReturnCode, returnCode) - }) + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) { + test := setupTest(t, agent.NewEvictCommandWithEnv) + test.server.err = tt.serverErr + args := tt.args + args = append(args, "-output", format) + + returnCode := test.client.Run(append(test.args, args...)) + + requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutPretty, tt.expectedStdoutJSON) + require.Equal(t, tt.expectedStderr, test.stderr.String()) + require.Equal(t, tt.expectedReturnCode, returnCode) + }) + } } } 
@@ -178,29 +183,32 @@ func TestCountHelp(t *testing.T) { test := setupTest(t, agent.NewCountCommandWithEnv) test.client.Help() - require.Equal(t, `Usage of agent count:`+common.AddrUsage, test.stderr.String()) + require.Equal(t, countUsage, test.stderr.String()) } func TestCount(t *testing.T) { for _, tt := range []struct { - name string - args []string - expectedReturnCode int - expectedStdout string - expectedStderr string - existentAgents []*types.Agent - serverErr error + name string + args []string + expectedReturnCode int + expectedStdoutPretty string + expectedStdoutJSON string + expectedStderr string + existentAgents []*types.Agent + serverErr error }{ { - name: "0 agents", - expectedReturnCode: 0, - expectedStdout: "0 attested agents", + name: "0 agents", + expectedReturnCode: 0, + expectedStdoutPretty: "0 attested agents", + expectedStdoutJSON: `{"count":0}`, }, { - name: "count 1 agent", - expectedReturnCode: 0, - expectedStdout: "1 attested agent", - existentAgents: testAgents, + name: "count 1 agent", + expectedReturnCode: 0, + expectedStdoutPretty: "1 attested agent", + expectedStdoutJSON: `{"count":1}`, + existentAgents: testAgents, }, { name: "server error", 
@@ -215,16 +223,21 @@ func TestCount(t *testing.T) { expectedStderr: common.AddrError, }, } { - tt := tt - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, agent.NewCountCommandWithEnv) - test.server.agents = tt.existentAgents - test.server.err = tt.serverErr - returnCode := test.client.Run(append(test.args, tt.args...)) - require.Contains(t, test.stdout.String(), tt.expectedStdout) - require.Equal(t, tt.expectedStderr, test.stderr.String()) - require.Equal(t, tt.expectedReturnCode, returnCode) - }) + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) { + test := setupTest(t, agent.NewCountCommandWithEnv) + test.server.agents = tt.existentAgents + test.server.err = tt.serverErr + args := tt.args + args = append(args, "-output", format) + + returnCode := test.client.Run(append(test.args, args...)) + + requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutPretty, tt.expectedStdoutJSON) + require.Equal(t, tt.expectedStderr, test.stderr.String()) + require.Equal(t, tt.expectedReturnCode, returnCode) + }) + } } } 
@@ -237,20 +250,23 @@ func TestListHelp(t *testing.T) { func TestList(t *testing.T) { for _, tt := range []struct { - name string - args []string - expectedReturnCode int - expectedStdout string - expectedStderr string - expectReq *agentv1.ListAgentsRequest - existentAgents []*types.Agent - serverErr error + name string + args []string + expectedReturnCode int + expectedStdoutPretty string + expectedStdoutJSON string + expectedStderr string + expectReq *agentv1.ListAgentsRequest + existentAgents []*types.Agent + expectedFormat string + serverErr error }{ { - name: "1 agent", - expectedReturnCode: 0, - existentAgents: testAgents, - expectedStdout: "Found 1 attested agent:\n\nSPIFFE ID : spiffe://example.org/spire/agent/agent1", + name: "1 agent", + expectedReturnCode: 0, + existentAgents: testAgents, + expectedStdoutPretty: "Found 1 attested agent:\n\nSPIFFE ID : spiffe://example.org/spire/agent/agent1", + expectedStdoutJSON: `{"agents":[{"id":{"trust_domain":"example.org","path":"/spire/agent/agent1"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":false}],"next_page_token":""}`, expectReq: &agentv1.ListAgentsRequest{ Filter: &agentv1.ListAgentsRequest_Filter{}, PageSize: 1000, @@ -259,6 +275,7 @@ func TestList(t *testing.T) { { name: "no agents", expectedReturnCode: 0, + expectedStdoutJSON: `{"agents":[],"next_page_token":""}`, expectReq: &agentv1.ListAgentsRequest{ Filter: &agentv1.ListAgentsRequest_Filter{}, PageSize: 1000, 
@@ -289,8 +306,9 @@ func TestList(t *testing.T) { }, PageSize: 1000, }, - existentAgents: testAgents, - expectedStdout: "Found 1 attested agent:\n\nSPIFFE ID : spiffe://example.org/spire/agent/agent1", + existentAgents: testAgents, + expectedStdoutPretty: "Found 1 attested agent:\n\nSPIFFE ID : spiffe://example.org/spire/agent/agent1", + expectedStdoutJSON: `{"agents":[{"id":{"trust_domain":"example.org","path":"/spire/agent/agent1"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":false}],"next_page_token":""}`, }, { name: "by selector: any matcher", @@ -307,8 +325,9 @@ func TestList(t *testing.T) { }, PageSize: 1000, }, - existentAgents: testAgents, - expectedStdout: "Found 1 attested agent:\n\nSPIFFE ID : spiffe://example.org/spire/agent/agent1", + existentAgents: testAgents, + expectedStdoutPretty: "Found 1 attested agent:\n\nSPIFFE ID : spiffe://example.org/spire/agent/agent1", + expectedStdoutJSON: `{"agents":[{"id":{"trust_domain":"example.org","path":"/spire/agent/agent1"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":false}],"next_page_token":""}`, }, { name: "by selector: exact matcher", @@ -325,8 +344,9 @@ func TestList(t *testing.T) { }, PageSize: 1000, }, - existentAgents: testAgents, - expectedStdout: "Found 1 attested agent:\n\nSPIFFE ID : spiffe://example.org/spire/agent/agent1", + existentAgents: testAgents, + expectedStdoutPretty: "Found 1 attested agent:\n\nSPIFFE ID : spiffe://example.org/spire/agent/agent1", + expectedStdoutJSON: `{"agents":[{"id":{"trust_domain":"example.org","path":"/spire/agent/agent1"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":false}],"next_page_token":""}`, }, { name: "by selector: superset matcher", 
@@ -343,8 +363,9 @@ func TestList(t *testing.T) { }, PageSize: 1000, }, - existentAgents: testAgents, - expectedStdout: "Found 1 attested agent:\n\nSPIFFE ID : spiffe://example.org/spire/agent/agent1", + existentAgents: testAgents, + expectedStdoutPretty: "Found 1 attested agent:\n\nSPIFFE ID : spiffe://example.org/spire/agent/agent1", + expectedStdoutJSON: `{"agents":[{"id":{"trust_domain":"example.org","path":"/spire/agent/agent1"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":false}],"next_page_token":""}`, }, { name: "by selector: subset matcher", @@ -361,8 +382,9 @@ func TestList(t *testing.T) { }, PageSize: 1000, }, - existentAgents: testAgents, - expectedStdout: "Found 1 attested agent:\n\nSPIFFE ID : spiffe://example.org/spire/agent/agent1", + existentAgents: testAgents, + expectedStdoutPretty: "Found 1 attested agent:\n\nSPIFFE ID : spiffe://example.org/spire/agent/agent1", + expectedStdoutJSON: `{"agents":[{"id":{"trust_domain":"example.org","path":"/spire/agent/agent1"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":false}],"next_page_token":""}`, }, { name: "List by selectors: Invalid matcher", 
@@ -383,18 +405,22 @@ func TestList(t *testing.T) { expectedStderr: common.AddrError, }, } { - tt := tt - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, agent.NewListCommandWithEnv) - test.server.agents = tt.existentAgents - test.server.err = tt.serverErr - returnCode := test.client.Run(append(test.args, tt.args...)) - - spiretest.RequireProtoEqual(t, tt.expectReq, test.server.gotListAgentRequest) - require.Contains(t, test.stdout.String(), tt.expectedStdout) - require.Equal(t, tt.expectedStderr, test.stderr.String()) - require.Equal(t, tt.expectedReturnCode, returnCode) - }) + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) { + test := setupTest(t, agent.NewListCommandWithEnv) + test.server.agents = tt.existentAgents + test.server.err = tt.serverErr + args := tt.args + args = append(args, "-output", format) + + returnCode := test.client.Run(append(test.args, args...)) + + requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutPretty, tt.expectedStdoutJSON) + spiretest.RequireProtoEqual(t, tt.expectReq, test.server.gotListAgentRequest) + require.Equal(t, tt.expectedStderr, test.stderr.String()) + require.Equal(t, tt.expectedReturnCode, returnCode) + }) + } } } 
@@ -402,28 +428,27 @@ func TestShowHelp(t *testing.T) { test := setupTest(t, agent.NewShowCommandWithEnv) test.client.Help() - require.Equal(t, `Usage of agent show:`+common.AddrUsage+ - ` -spiffeID string - The SPIFFE ID of the agent to show (agent identity) -`, test.stderr.String()) + require.Equal(t, showUsage, test.stderr.String()) } func TestShow(t *testing.T) { for _, tt := range []struct { - name string - args []string - expectedReturnCode int - expectedStdout string - expectedStderr string - existentAgents []*types.Agent - serverErr error + name string + args []string + expectedReturnCode int + expectedStdoutPretty string + expectedStdoutJSON string + expectedStderr string + existentAgents []*types.Agent + serverErr error }{ { - name: "success", - args: []string{"-spiffeID", "spiffe://example.org/spire/agent/agent1"}, - expectedReturnCode: 0, - existentAgents: testAgents, - expectedStdout: "Found an attested agent given its SPIFFE ID\n\nSPIFFE ID : spiffe://example.org/spire/agent/agent1", + name: "success", + args: []string{"-spiffeID", "spiffe://example.org/spire/agent/agent1"}, + expectedReturnCode: 0, + existentAgents: testAgents, + expectedStdoutPretty: "Found an attested agent given its SPIFFE ID\n\nSPIFFE ID : spiffe://example.org/spire/agent/agent1", + expectedStdoutJSON: `{"id":{"trust_domain":"example.org","path":"/spire/agent/agent1"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":false}`, }, { name: "no spiffe id", 
@@ -445,35 +470,41 @@ func TestShow(t *testing.T) { expectedStderr: common.AddrError, }, { - name: "show selectors", - args: []string{"-spiffeID", "spiffe://example.org/spire/agent/agent2"}, - existentAgents: testAgentsWithSelectors, - expectedReturnCode: 0, - expectedStdout: "Selectors : k8s_psat:agent_ns:spire\nSelectors : k8s_psat:agent_sa:spire-agent\nSelectors : k8s_psat:cluster:demo-cluster", + name: "show selectors", + args: []string{"-spiffeID", "spiffe://example.org/spire/agent/agent2"}, + existentAgents: testAgentsWithSelectors, + expectedReturnCode: 0, + expectedStdoutPretty: "Selectors : k8s_psat:agent_ns:spire\nSelectors : k8s_psat:agent_sa:spire-agent\nSelectors : k8s_psat:cluster:demo-cluster", + expectedStdoutJSON: `{"id":{"trust_domain":"example.org","path":"/spire/agent/agent2"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[{"type":"k8s_psat","value":"agent_ns:spire"},{"type":"k8s_psat","value":"agent_sa:spire-agent"},{"type":"k8s_psat","value":"cluster:demo-cluster"}],"banned":false}`, }, { - name: "show banned", - args: []string{"-spiffeID", "spiffe://example.org/spire/agent/banned"}, - existentAgents: testAgentsWithBanned, - expectedReturnCode: 0, - expectedStdout: "Banned : true", + name: "show banned", + args: []string{"-spiffeID", "spiffe://example.org/spire/agent/banned"}, + existentAgents: testAgentsWithBanned, + expectedReturnCode: 0, + expectedStdoutPretty: "Banned : true", + expectedStdoutJSON: `{"id":{"trust_domain":"example.org","path":"/spire/agent/banned"},"attestation_type":"","x509svid_serial_number":"","x509svid_expires_at":"0","selectors":[],"banned":true}`, }, } { - tt := tt - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, agent.NewShowCommandWithEnv) - test.server.err = tt.serverErr - test.server.agents = tt.existentAgents - - returnCode := test.client.Run(append(test.args, tt.args...)) - require.Contains(t, test.stdout.String(), tt.expectedStdout) - require.Equal(t, 
tt.expectedStderr, test.stderr.String()) - require.Equal(t, tt.expectedReturnCode, returnCode) - }) + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) { + test := setupTest(t, agent.NewShowCommandWithEnv) + test.server.err = tt.serverErr + test.server.agents = tt.existentAgents + args := tt.args + args = append(args, "-output", format) + + returnCode := test.client.Run(append(test.args, args...)) + + requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutPretty, tt.expectedStdoutJSON) + require.Equal(t, tt.expectedStderr, test.stderr.String()) + require.Equal(t, tt.expectedReturnCode, returnCode) + }) + } } } -func setupTest(t *testing.T, newClient func(*common_cli.Env) cli.Command) *agentTest { +func setupTest(t *testing.T, newClient func(*commoncli.Env) cli.Command) *agentTest { server := &fakeAgentServer{} addr := spiretest.StartGRPCServer(t, func(s *grpc.Server) { @@ -484,7 +515,7 @@ func setupTest(t *testing.T, newClient func(*common_cli.Env) cli.Command) *agent stdout := new(bytes.Buffer) stderr := new(bytes.Buffer) - client := newClient(&common_cli.Env{ + client := newClient(&commoncli.Env{ Stdin: stdin, Stdout: stdout, Stderr: stderr, @@ -542,3 +573,16 @@ func (s *fakeAgentServer) GetAgent(ctx context.Context, req *agentv1.GetAgentReq return nil, s.err } + +func requireOutputBasedOnFormat(t *testing.T, format, stdoutString string, expectedStdoutPretty, expectedStdoutJSON string) { + switch format { + case "pretty": + require.Contains(t, stdoutString, expectedStdoutPretty) + case "json": + if expectedStdoutJSON != "" { + require.JSONEq(t, expectedStdoutJSON, stdoutString) + } else { + require.Empty(t, stdoutString) + } + } +} diff --git a/cmd/spire-server/cli/agent/agent_windows_test.go b/cmd/spire-server/cli/agent/agent_windows_test.go index 07e0561819..bb1fc856c2 100644 --- a/cmd/spire-server/cli/agent/agent_windows_test.go 
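Review bot: requireOutputBasedOnFormat has no `default` branch, so a format added to availableFormats without a matching case would run every subtest with no stdout assertion at all. Adding `default: t.Fatalf("unhandled output format %q", format)` makes that situation fail instead of passing silently. Calling `t.Helper()` as the first statement would also report assertion failures at the calling test's line rather than inside the helper.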
+++ b/cmd/spire-server/cli/agent/agent_windows_test.go @@ -9,7 +9,39 @@ var ( The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset") -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") + -output value + Desired output format (pretty, json) -selector value A colon-delimited type:value selector. Can be used more than once +` + banUsage = `Usage of agent ban: + -namedPipeName string + Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") + -output value + Desired output format (pretty, json) + -spiffeID string + The SPIFFE ID of the agent to ban (agent identity) +` + evictUsage = `Usage of agent evict: + -namedPipeName string + Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") + -output value + Desired output format (pretty, json) + -spiffeID string + The SPIFFE ID of the agent to evict (agent identity) +` + countUsage = `Usage of agent count: + -namedPipeName string + Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") + -output value + Desired output format (pretty, json) +` + showUsage = `Usage of agent show: + -namedPipeName string + Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") + -output value + Desired output format (pretty, json) + -spiffeID string + The SPIFFE ID of the agent to show (agent identity) ` ) diff --git a/cmd/spire-server/cli/agent/ban.go b/cmd/spire-server/cli/agent/ban.go index 6fc8a08b40..43fa6a22cb 100644 --- a/cmd/spire-server/cli/agent/ban.go +++ b/cmd/spire-server/cli/agent/ban.go 
@@ -9,24 +9,27 @@ import ( "github.com/spiffe/go-spiffe/v2/spiffeid" agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1" "github.com/spiffe/spire/cmd/spire-server/util" - common_cli "github.com/spiffe/spire/pkg/common/cli" + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" "github.com/spiffe/spire/pkg/server/api" ) type banCommand struct { + env *commoncli.Env // SPIFFE ID of agent being banned spiffeID string + printer cliprinter.Printer } // NewBanCommand creates a new "ban" subcommand for "agent" command. func NewBanCommand() cli.Command { - return NewBanCommandWithEnv(common_cli.DefaultEnv) + return NewBanCommandWithEnv(commoncli.DefaultEnv) } // NewBanCommandWithEnv creates a new "ban" subcommand for "agent" command // using the environment specified -func NewBanCommandWithEnv(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(banCommand)) +func NewBanCommandWithEnv(env *commoncli.Env) cli.Command { + return util.AdaptCommand(env, &banCommand{env: env}) } func (*banCommand) Name() string { @@ -38,7 +41,7 @@ func (*banCommand) Synopsis() string { } // Run ban an agent given its SPIFFE ID -func (c *banCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { +func (c *banCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error { if c.spiffeID == "" { return errors.New("a SPIFFE ID is required") } 
@@ -49,15 +52,22 @@ func (c *banCommand) Run(ctx context.Context, env *common_cli.Env, serverClient } agentClient := serverClient.NewAgentClient() - if _, err := agentClient.BanAgent(ctx, &agentv1.BanAgentRequest{ + banResponse, err := agentClient.BanAgent(ctx, &agentv1.BanAgentRequest{ Id: api.ProtoFromID(id), - }); err != nil { + }) + if err != nil { return err } - return env.Println("Agent banned successfully") + return c.printer.PrintProto(banResponse) } func (c *banCommand) AppendFlags(fs *flag.FlagSet) { fs.StringVar(&c.spiffeID, "spiffeID", "", "The SPIFFE ID of the agent to ban (agent identity)") + cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintBanResult) +} + +func prettyPrintBanResult(env *commoncli.Env, _ ...interface{}) error { + env.Println("Agent banned successfully") + return nil } diff --git a/cmd/spire-server/cli/agent/count.go b/cmd/spire-server/cli/agent/count.go index d4ac843f6d..f55000544d 100644 --- a/cmd/spire-server/cli/agent/count.go +++ b/cmd/spire-server/cli/agent/count.go 
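Review bot: prettyPrintBanResult discards the error from `env.Println` and always returns nil, whereas the removed line `return env.Println("Agent banned successfully")` propagated it. A failed write of the confirmation would now end in a success return from Run, which matters for scripts that act on the outcome of a ban. The function body can be the single statement `return env.Println("Agent banned successfully")`. prettyPrintEvictResult in evict.go has the same regression. prettyPrintCount in count.go also drops the error, although the code it replaces ignored it explicitly with `_ =`.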
@@ -1,54 +1,65 @@ package agent import ( + "errors" "flag" "fmt" "github.com/mitchellh/cli" - agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1" "github.com/spiffe/spire/cmd/spire-server/util" - common_cli "github.com/spiffe/spire/pkg/common/cli" - + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" "golang.org/x/net/context" ) -type countCommand struct{} +type countCommand struct { + env *commoncli.Env + printer cliprinter.Printer +} // NewCountCommand creates a new "count" subcommand for "agent" command. func NewCountCommand() cli.Command { - return NewCountCommandWithEnv(common_cli.DefaultEnv) + return NewCountCommandWithEnv(commoncli.DefaultEnv) } // NewCountCommandWithEnv creates a new "count" subcommand for "agent" command // using the environment specified. -func NewCountCommandWithEnv(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(countCommand)) +func NewCountCommandWithEnv(env *commoncli.Env) cli.Command { + return util.AdaptCommand(env, &countCommand{env: env}) } func (*countCommand) Name() string { return "agent count" } -func (countCommand) Synopsis() string { +func (*countCommand) Synopsis() string { return "Count attested agents" } // Run counts attested agents -func (c *countCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { +func (c *countCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error { agentClient := serverClient.NewAgentClient() countResponse, err := agentClient.CountAgents(ctx, &agentv1.CountAgentsRequest{}) if err != nil { return err } - count := int(countResponse.Count) - msg := fmt.Sprintf("%d attested ", count) - msg = util.Pluralizer(msg, "agent", "agents", count) - _ = env.Println(msg) - - return nil + return c.printer.PrintProto(countResponse) } func (c *countCommand) AppendFlags(fs *flag.FlagSet) { + cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, 
c.env, prettyPrintCount) +} + +func prettyPrintCount(env *commoncli.Env, results ...interface{}) error { + countResp, ok := results[0].(*agentv1.CountAgentsResponse) + if !ok { + return errors.New("internal error: cli printer; please report this bug") + } + count := int(countResp.Count) + msg := fmt.Sprintf("%d attested ", count) + msg = util.Pluralizer(msg, "agent", "agents", count) + env.Println(msg) + return nil } diff --git a/cmd/spire-server/cli/agent/evict.go b/cmd/spire-server/cli/agent/evict.go index 1de8552a4d..0df60ef764 100644 --- a/cmd/spire-server/cli/agent/evict.go +++ b/cmd/spire-server/cli/agent/evict.go 
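Review bot: prettyPrintCount indexes `results[0]` before anything checks that the variadic slice is non-empty. A call with no results would therefore panic instead of reaching the "internal error" return used when the type assertion fails. A guard ahead of the assertion, `if len(results) == 0 { return errors.New("internal error: cli printer; please report this bug") }`, keeps both failure modes on the same error path. prettyPrintAgents in list.go follows the same pattern. Whether the printer can ever invoke the callback with zero arguments is not visible in this diff.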
@@ -6,41 +6,42 @@ import ( "github.com/mitchellh/cli" "github.com/spiffe/go-spiffe/v2/spiffeid" - agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1" "github.com/spiffe/spire/cmd/spire-server/util" - common_cli "github.com/spiffe/spire/pkg/common/cli" + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" "github.com/spiffe/spire/pkg/server/api" - "golang.org/x/net/context" ) type evictCommand struct { + env *commoncli.Env // SPIFFE ID of the agent being evicted spiffeID string + printer cliprinter.Printer } // NewEvictCommand creates a new "evict" subcommand for "agent" command. func NewEvictCommand() cli.Command { - return NewEvictCommandWithEnv(common_cli.DefaultEnv) + return NewEvictCommandWithEnv(commoncli.DefaultEnv) } // NewEvictCommandWithEnv creates a new "evict" subcommand for "agent" command // using the environment specified -func NewEvictCommandWithEnv(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(evictCommand)) +func NewEvictCommandWithEnv(env *commoncli.Env) cli.Command { + return util.AdaptCommand(env, &evictCommand{env: env}) } func (*evictCommand) Name() string { return "agent evict" } -func (evictCommand) Synopsis() string { +func (*evictCommand) Synopsis() string { return "Evicts an attested agent given its SPIFFE ID" } // Run evicts an agent given its SPIFFE ID -func (c *evictCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { +func (c *evictCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error { if c.spiffeID == "" { return errors.New("a SPIFFE ID is required") } 
@@ -51,14 +52,20 @@ func (c *evictCommand) Run(ctx context.Context, env *common_cli.Env, serverClien } agentClient := serverClient.NewAgentClient() - _, err = agentClient.DeleteAgent(ctx, &agentv1.DeleteAgentRequest{Id: api.ProtoFromID(id)}) + delAgentResponse, err := agentClient.DeleteAgent(ctx, &agentv1.DeleteAgentRequest{Id: api.ProtoFromID(id)}) if err != nil { return err } - return env.Println("Agent evicted successfully") + return c.printer.PrintProto(delAgentResponse) } func (c *evictCommand) AppendFlags(fs *flag.FlagSet) { fs.StringVar(&c.spiffeID, "spiffeID", "", "The SPIFFE ID of the agent to evict (agent identity)") + cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintEvictResult) +} + +func prettyPrintEvictResult(env *commoncli.Env, _ ...interface{}) error { + env.Println("Agent evicted successfully") + return nil } diff --git a/cmd/spire-server/cli/agent/list.go b/cmd/spire-server/cli/agent/list.go index 957d06d98a..cab154de8c 100644 --- a/cmd/spire-server/cli/agent/list.go +++ b/cmd/spire-server/cli/agent/list.go 
@@ -7,46 +7,46 @@ import ( "time" "github.com/mitchellh/cli" - agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1" "github.com/spiffe/spire-api-sdk/proto/spire/api/types" "github.com/spiffe/spire/cmd/spire-server/util" - common_cli "github.com/spiffe/spire/pkg/common/cli" + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" "github.com/spiffe/spire/pkg/common/idutil" - "golang.org/x/net/context" ) type listCommand struct { + env *commoncli.Env // Type and value are delimited by a colon (:) // ex. "unix:uid:1000" or "spiffe_id:spiffe://example.org/foo" - selectors common_cli.StringsFlag - + selectors commoncli.StringsFlag // Match used when filtering agents by selectors matchSelectorsOn string + printer cliprinter.Printer } // NewListCommand creates a new "list" subcommand for "agent" command. func NewListCommand() cli.Command { - return NewListCommandWithEnv(common_cli.DefaultEnv) + return NewListCommandWithEnv(commoncli.DefaultEnv) } // NewListCommandWithEnv creates a new "list" subcommand for "agent" command // using the environment specified -func NewListCommandWithEnv(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(listCommand)) +func NewListCommandWithEnv(env *commoncli.Env) cli.Command { + return util.AdaptCommand(env, &listCommand{env: env}) } func (*listCommand) Name() string { return "agent list" } -func (listCommand) Synopsis() string { +func (*listCommand) Synopsis() string { return "Lists attested agents and their SPIFFE IDs" } // Run lists attested agents -func (c *listCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { +func (c *listCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error { filter := &agentv1.ListAgentsRequest_Filter{} if len(c.selectors) > 0 { matchBehavior, err := parseToSelectorMatch(c.matchSelectorsOn) 
@@ -71,7 +71,7 @@ func (c *listCommand) Run(ctx context.Context, env *common_cli.Env, serverClient agentClient := serverClient.NewAgentClient() pageToken := "" - var agents []*types.Agent + response := new(agentv1.ListAgentsResponse) for { listResponse, err := agentClient.ListAgents(ctx, &agentv1.ListAgentsRequest{ PageSize: 1000, // comfortably under the (4 MB/theoretical maximum size of 1 agent in MB) 
@@ -81,29 +81,39 @@ func (c *listCommand) Run(ctx context.Context, env *common_cli.Env, serverClient if err != nil { return err } - agents = append(agents, listResponse.Agents...) + response.Agents = append(response.Agents, listResponse.Agents...) if pageToken = listResponse.NextPageToken; pageToken == "" { break } } + return c.printer.PrintProto(response) +} + +func (c *listCommand) AppendFlags(fs *flag.FlagSet) { + fs.StringVar(&c.matchSelectorsOn, "matchSelectorsOn", "superset", "The match mode used when filtering by selectors. Options: exact, any, superset and subset") + fs.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once") + cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintAgents) +} + +func prettyPrintAgents(env *commoncli.Env, results ...interface{}) error { + listResp, ok := results[0].(*agentv1.ListAgentsResponse) + if !ok { + return errors.New("internal error: cli printer; please report this bug") + } + agents := listResp.Agents + if len(agents) == 0 { return env.Printf("No attested agents found\n") } msg := fmt.Sprintf("Found %d attested ", len(agents)) msg = util.Pluralizer(msg, "agent", "agents", len(agents)) - env.Printf(msg + ":\n\n") - + env.Printf("%s:\n\n", msg) return printAgents(env, agents...) } -func (c *listCommand) AppendFlags(fs *flag.FlagSet) { - fs.StringVar(&c.matchSelectorsOn, "matchSelectorsOn", "superset", "The match mode used when filtering by selectors. Options: exact, any, superset and subset") - fs.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once") -} - -func printAgents(env *common_cli.Env, agents ...*types.Agent) error { +func printAgents(env *commoncli.Env, agents ...*types.Agent) error { for _, agent := range agents { id, err := idutil.IDFromProto(agent.Id) if err != nil { diff --git a/cmd/spire-server/cli/agent/show.go b/cmd/spire-server/cli/agent/show.go index 5c8147a35e..9d440482cc 100644 
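Review bot: `prettyPrintAgents` reads `results[0]` before checking that `results` has any elements, so a call that reaches it with no messages panics with an index-out-of-range instead of returning the "internal error" already used for a wrong type. The `Run` call sites visible here always pass exactly one message, but `CustomPrettyFunc` is variadic and `printPrettyProto` forwards whatever `PrintProto` was given. The same pattern is in `prettyPrintAgent` in the show.go hunk. In both, guard ahead of the assertion with `if len(results) == 0 { return errors.New("internal error: cli printer; please report this bug") }`. Separately, the error from `env.Printf("%s:\n\n", msg)` is dropped while the neighbouring `return env.Printf("No attested agents found\n")` propagates it; checking it here would keep the two paths consistent.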
--- a/cmd/spire-server/cli/agent/show.go +++ b/cmd/spire-server/cli/agent/show.go @@ -6,41 +6,43 @@ import ( "github.com/mitchellh/cli" "github.com/spiffe/go-spiffe/v2/spiffeid" - agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1" + "github.com/spiffe/spire-api-sdk/proto/spire/api/types" "github.com/spiffe/spire/cmd/spire-server/util" - common_cli "github.com/spiffe/spire/pkg/common/cli" + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" "github.com/spiffe/spire/pkg/server/api" - "golang.org/x/net/context" ) type showCommand struct { + env *commoncli.Env // SPIFFE ID of the agent being showed spiffeID string + printer cliprinter.Printer } // NewShowCommand creates a new "show" subcommand for "agent" command. func NewShowCommand() cli.Command { - return NewShowCommandWithEnv(common_cli.DefaultEnv) + return NewShowCommandWithEnv(commoncli.DefaultEnv) } // NewShowCommandWithEnv creates a new "show" subcommand for "agent" command // using the environment specified -func NewShowCommandWithEnv(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(showCommand)) +func NewShowCommandWithEnv(env *commoncli.Env) cli.Command { + return util.AdaptCommand(env, &showCommand{env: env}) } func (*showCommand) Name() string { return "agent show" } -func (showCommand) Synopsis() string { +func (*showCommand) Synopsis() string { return "Shows the details of an attested agent given its SPIFFE ID" } // Run shows an agent given its SPIFFE ID -func (c *showCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { +func (c *showCommand) Run(ctx context.Context, env *commoncli.Env, serverClient util.ServerClient) error { if c.spiffeID == "" { return errors.New("a SPIFFE ID is required") } 
@@ -56,8 +58,21 @@ func (c *showCommand) Run(ctx context.Context, env *common_cli.Env, serverClient return err } - env.Printf("Found an attested agent given its SPIFFE ID\n\n") + return c.printer.PrintProto(agent) +} + +func (c *showCommand) AppendFlags(fs *flag.FlagSet) { + fs.StringVar(&c.spiffeID, "spiffeID", "", "The SPIFFE ID of the agent to show (agent identity)") + cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintAgent) +} +func prettyPrintAgent(env *commoncli.Env, results ...interface{}) error { + agent, ok := results[0].(*types.Agent) + if !ok { + return errors.New("internal error: cli printer; please report this bug") + } + + env.Printf("Found an attested agent given its SPIFFE ID\n\n") if err := printAgents(env, agent); err != nil { return err } @@ -67,7 +82,3 @@ func (c *showCommand) Run(ctx context.Context, env *common_cli.Env, serverClient } return nil } - -func (c *showCommand) AppendFlags(fs *flag.FlagSet) { - fs.StringVar(&c.spiffeID, "spiffeID", "", "The SPIFFE ID of the agent to show (agent identity)") -} diff --git a/pkg/common/cliprinter/cliprinter.go b/pkg/common/cliprinter/cliprinter.go index 272613005c..0b2c2e3f50 100644 --- a/pkg/common/cliprinter/cliprinter.go +++ b/pkg/common/cliprinter/cliprinter.go @@ -2,8 +2,8 @@ package cliprinter import ( "io" - "os" + commoncli "github.com/spiffe/spire/pkg/common/cli" "github.com/spiffe/spire/pkg/common/cliprinter/internal/errorjson" "github.com/spiffe/spire/pkg/common/cliprinter/internal/errorpretty" "github.com/spiffe/spire/pkg/common/cliprinter/internal/protojson" @@ -16,9 +16,9 @@ import ( // Printer is an interface for providing a printer implementation to // a CLI utility. type Printer interface { - MustPrintError(error) - MustPrintProto(...proto.Message) - MustPrintStruct(...interface{}) + PrintError(error) error + PrintProto(...proto.Message) error + PrintStruct(...interface{}) error } // CustomPrettyFunc is used to provide a custom function for pretty 
@@ -26,77 +26,63 @@ type Printer interface { // for pre-existing CLI code, such that this code can supply a // custom pretty printer that mirrors its current behavior, but // still be able to gain formatter functionality for other outputs. -type CustomPrettyFunc func(...interface{}) error +type CustomPrettyFunc func(*commoncli.Env, ...interface{}) error type printer struct { format formatType - - stdout io.Writer - stderr io.Writer - - cp CustomPrettyFunc -} - -func newPrinter(f formatType) *printer { - return newPrinterWithWriters(f, os.Stdout, os.Stderr) + env *commoncli.Env + cp CustomPrettyFunc } -func newPrinterWithWriters(f formatType, stdout, stderr io.Writer) *printer { +func newPrinter(f formatType, env *commoncli.Env) *printer { + if env == nil { + env = commoncli.DefaultEnv + } return &printer{ format: f, - stdout: stdout, - stderr: stderr, + env: env, } } -// MustPrintError prints an error and applies the configured formatting. If -// an error is encountered while printing, MustPrintError will call os.Exit(2). -func (p *printer) MustPrintError(err error) { - if err := p.printError(err); err != nil { - os.Exit(2) - } +// PrintError prints an error and applies the configured formatting. +func (p *printer) PrintError(err error) error { + return p.printError(err) } -// PrintProto prints a protobuf message and applies the configured formatting. If -// an error is encountered while printing, MustPrintProto will call os.Exit(2). -func (p *printer) MustPrintProto(msg ...proto.Message) { - if err := p.printProto(msg...); err != nil { - os.Exit(2) - } +// PrintProto prints a protobuf message and applies the configured formatting. +func (p *printer) PrintProto(msg ...proto.Message) error { + return p.printProto(msg...) } -// PrintStruct prints a struct and applies the configured formatting. If -// an error is encountered while printing, MustPrintStruct will call os.Exit(2). 
-func (p *printer) MustPrintStruct(msg ...interface{}) { - if err := p.printStruct(msg); err != nil { - os.Exit(2) - } +// PrintStruct prints a struct and applies the configured formatting. +func (p *printer) PrintStruct(msg ...interface{}) error { + return p.printStruct(msg) } func (p *printer) printError(err error) error { switch p.format { case json: - return errorjson.Print(err, p.stdout, p.stderr) + return errorjson.Print(err, p.env.Stdout, p.env.Stderr) default: - return p.printPrettyError(err, p.stdout, p.stderr) + return p.printPrettyError(err, p.env.Stdout, p.env.Stderr) } } func (p *printer) printProto(msg ...proto.Message) error { switch p.format { case json: - return protojson.Print(msg, p.stdout, p.stderr) + return protojson.Print(msg, p.env.Stdout, p.env.Stderr) default: - return p.printPrettyProto(msg, p.stdout, p.stderr) + return p.printPrettyProto(msg, p.env.Stdout, p.env.Stderr) } } func (p *printer) printStruct(msg ...interface{}) error { switch p.format { case json: - return structjson.Print(msg, p.stdout, p.stderr) + return structjson.Print(msg, p.env.Stdout, p.env.Stderr) default: - return p.printPrettyStruct(msg, p.stdout, p.stderr) + return p.printPrettyStruct(msg, p.env.Stdout, p.env.Stderr) } } @@ -110,7 +96,7 @@ func (p *printer) setCustomPrettyPrinter(cp CustomPrettyFunc) { func (p *printer) printPrettyError(err error, stdout, stderr io.Writer) error { if p.cp != nil { - return p.cp(err) + return p.cp(p.env, err) } return errorpretty.Print(err, stdout, stderr) @@ -122,14 +108,14 @@ func (p *printer) printPrettyProto(msgs []proto.Message, stdout, stderr io.Write m = append(m, msg.(interface{})) } - return p.cp(m...) + return p.cp(p.env, m...) } return protopretty.Print(msgs, stdout, stderr) } func (p *printer) printPrettyStruct(msg []interface{}, stdout, stderr io.Writer) error { if p.cp != nil { - return p.cp(msg...) + return p.cp(p.env, msg...) } return structpretty.Print(msg, stdout, stderr) 
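Review bot: `PrintStruct` calls `p.printStruct(msg)` without spreading the variadic argument, so `printStruct` receives one element that is itself the caller's `[]interface{}`. A `CustomPrettyFunc` that type-asserts `results[0]` would then see the slice rather than the struct and fail, and the JSON path presumably emits a nested list (`structjson.Print` is not visible in this hunk). `PrintProto` just above already forwards with `msg...`; the same is needed here: `return p.printStruct(msg...)`. The removed `MustPrintStruct` made the identical call, so this is carried over from the old code rather than introduced by the rename.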
diff --git a/pkg/common/cliprinter/cliprinter_test.go b/pkg/common/cliprinter/cliprinter_test.go index 77b3142485..55576240c9 100644 --- a/pkg/common/cliprinter/cliprinter_test.go +++ b/pkg/common/cliprinter/cliprinter_test.go @@ -7,6 +7,7 @@ import ( "testing" agentapi "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1" + commoncli "github.com/spiffe/spire/pkg/common/cli" ) func TestPrintError(t *testing.T) { @@ -97,8 +98,12 @@ func newTestPrinterWithWriter(stdout, stderr io.Writer) *printer { if stderr == nil { stderr = new(bytes.Buffer) } + env := &commoncli.Env{ + Stdout: stdout, + Stderr: stderr, + } - return newPrinterWithWriters(defaultFormatType, stdout, stderr) + return newPrinter(defaultFormatType, env) } type badWriter struct{} diff --git a/pkg/common/cliprinter/flag.go b/pkg/common/cliprinter/flag.go index 9f1d08d71d..5711cc60e9 100644 --- a/pkg/common/cliprinter/flag.go +++ b/pkg/common/cliprinter/flag.go @@ -4,14 +4,16 @@ import ( "errors" "flag" "fmt" + + commoncli "github.com/spiffe/spire/pkg/common/cli" ) const defaultFlagName = "output" // AppendFlag adds the -format flag to the provided flagset, and populates // the referenced Printer interface with a properly configured printer. -func AppendFlag(p *Printer, fs *flag.FlagSet) *FormatterFlag { - return AppendFlagWithCustomPretty(p, fs, nil) +func AppendFlag(p *Printer, fs *flag.FlagSet, env *commoncli.Env) *FormatterFlag { + return AppendFlagWithCustomPretty(p, fs, env, nil) } // AppendFlagWithCustomPretty is the same as AppendFlag, however it also allows 
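Review bot: The doc comment on `AppendFlag` in flag.go still says it adds the `-format` flag, while `defaultFlagName` in the same hunk is `"output"` and the tests parse `-output`. It also does not mention the new `env` parameter, whose nil case is handled in `newPrinter` by falling back to `commoncli.DefaultEnv`. Suggested wording: `// AppendFlag adds the -output flag to the provided flagset, and populates the referenced Printer with a printer that writes to env's Stdout and Stderr. A nil env falls back to commoncli.DefaultEnv.`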
@@ -19,15 +21,16 @@ func AppendFlag(p *Printer, fs *flag.FlagSet) *FormatterFlag { // to override the pretty print logic that normally ships with this package. Its // intended use is to allow for the adoption of cliprinter while still retaining // backwards compatibility with the legacy/bespoke pretty print output. -func AppendFlagWithCustomPretty(p *Printer, fs *flag.FlagSet, cp CustomPrettyFunc) *FormatterFlag { +func AppendFlagWithCustomPretty(p *Printer, fs *flag.FlagSet, env *commoncli.Env, cp CustomPrettyFunc) *FormatterFlag { // Set the default - np := newPrinter(defaultFormatType) + np := newPrinter(defaultFormatType, env) np.setCustomPrettyPrinter(cp) *p = np f := &FormatterFlag{ p: p, f: defaultFormatType, + env: env, customPretty: cp, } @@ -42,6 +45,7 @@ type FormatterFlag struct { // its format type p *Printer f formatType + env *commoncli.Env isSet bool } @@ -66,7 +70,7 @@ func (f *FormatterFlag) Set(formatStr string) error { return fmt.Errorf("bad formatter flag: %w", err) } - np := newPrinter(format) + np := newPrinter(format, f.env) np.setCustomPrettyPrinter(f.customPretty) *f.p = np diff --git a/pkg/common/cliprinter/flag_test.go b/pkg/common/cliprinter/flag_test.go index 2b0b8b7488..5f4471addf 100644 --- a/pkg/common/cliprinter/flag_test.go +++ b/pkg/common/cliprinter/flag_test.go @@ -6,6 +6,7 @@ import ( "testing" agentapi "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1" + commoncli "github.com/spiffe/spire/pkg/common/cli" ) func TestAppendFlag(t *testing.T) { @@ -67,7 +68,7 @@ func TestAppendFlag(t *testing.T) { fs := flag.NewFlagSet("testy", flag.ContinueOnError) fs.SetOutput(new(bytes.Buffer)) - defaultFlagValue := AppendFlag(&p, fs) + defaultFlagValue := AppendFlag(&p, fs, nil) for _, flagName := range c.extraFlags { fs.Var(defaultFlagValue, flagName, "") } 
@@ -103,7 +104,7 @@ func TestAppendFlagWithCustomPretty(t *testing.T) { var p Printer fs := flag.NewFlagSet("testy", flag.ContinueOnError) - AppendFlagWithCustomPretty(&p, fs, nil) + AppendFlagWithCustomPretty(&p, fs, nil, nil) err := fs.Parse([]string{""}) if err != nil { t.Fatalf("error when configured with nil pretty func: %v", err) @@ -112,11 +113,11 @@ func TestAppendFlagWithCustomPretty(t *testing.T) { p = nil fs = flag.NewFlagSet("testy", flag.ContinueOnError) invoked := make(chan struct{}, 1) - cp := func(_ ...interface{}) error { + cp := func(_ *commoncli.Env, _ ...interface{}) error { invoked <- struct{}{} return nil } - AppendFlagWithCustomPretty(&p, fs, cp) + AppendFlagWithCustomPretty(&p, fs, nil, cp) err = fs.Parse([]string{"-output", "pretty"}) if err != nil { t.Fatalf("unexpected error: %v", err) diff --git a/pkg/common/cliprinter/internal/protojson/protojson.go b/pkg/common/cliprinter/internal/protojson/protojson.go index c115264182..ec40d1fdb1 100644 --- a/pkg/common/cliprinter/internal/protojson/protojson.go +++ b/pkg/common/cliprinter/internal/protojson/protojson.go @@ -17,7 +17,8 @@ func Print(msgs []proto.Message, stdout, stderr io.Writer) error { jms := []json.RawMessage{} m := &protojson.MarshalOptions{ - UseProtoNames: true, + UseProtoNames: true, + EmitUnpopulated: true, } // Unfortunately, we can only marshal one message at a time, so diff --git a/pkg/common/cliprinter/internal/protojson/protojson_test.go b/pkg/common/cliprinter/internal/protojson/protojson_test.go index fe86239c82..3ae736bd7b 100644 --- a/pkg/common/cliprinter/internal/protojson/protojson_test.go +++ b/pkg/common/cliprinter/internal/protojson/protojson_test.go @@ -40,6 +40,12 @@ func TestPrint(t *testing.T) { stdout: "", stderr: "", }, + { + name: "message_with_unpopulated_fields", + protoFunc: unpopulatedFieldsMessage, + stdout: "{\"count\":0}\n", + stderr: "", + }, } for _, c := range cases { 
@@ -63,6 +69,14 @@ func normalCountAgentsResponseMessage(_ *testing.T) []proto.Message { } } +func unpopulatedFieldsMessage(_ *testing.T) []proto.Message { + return []proto.Message{ + &agentapi.CountAgentsResponse{ + Count: int32(0), + }, + } +} + func doubleCountAgentsResponseMessage(t *testing.T) []proto.Message { return []proto.Message{ normalCountAgentsResponseMessage(t)[0], From 62d1c14e383329de3d4746bdcff06d907261d5d3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Nov 2022 10:47:30 -0700 Subject: [PATCH 141/257] Bump github.com/aws/aws-sdk-go-v2/config from 1.17.4 to 1.18.2 (#3623) Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.17.4 to 1.18.2. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.17.4...config/v1.18.2) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 14 +++++++------- go.sum | 34 ++++++++++++++-------------------- 2 files changed, 21 insertions(+), 27 deletions(-) diff --git a/go.mod b/go.mod index c96ee4bb15..c527ab3974 100644 --- a/go.mod +++ b/go.mod 
@@ -18,15 +18,15 @@ require ( github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 github.com/armon/go-metrics v0.4.1 github.com/aws/aws-sdk-go-v2 v1.17.1 - github.com/aws/aws-sdk-go-v2/config v1.17.4 - github.com/aws/aws-sdk-go-v2/credentials v1.12.17 - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14 + github.com/aws/aws-sdk-go-v2/config v1.18.2 + github.com/aws/aws-sdk-go-v2/credentials v1.13.2 + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19 github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 github.com/aws/aws-sdk-go-v2/service/ec2 v1.70.0 github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 github.com/aws/aws-sdk-go-v2/service/kms v1.18.8 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 - github.com/aws/aws-sdk-go-v2/service/sts v1.17.0 + github.com/aws/aws-sdk-go-v2/service/sts v1.17.4 github.com/blang/semver/v4 v4.0.0 github.com/cenkalti/backoff/v3 v3.2.2 github.com/docker/docker v20.10.21+incompatible @@ -104,10 +104,10 @@ require ( github.com/armon/go-radix v1.0.0 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.3.26 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.11.20 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.2 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.11.25 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.8 // indirect github.com/aws/smithy-go v1.13.4 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/bgentry/speakeasy v0.1.0 // indirect diff --git a/go.sum b/go.sum index 601d046308..196e1c19e3 100644 --- a/go.sum +++ b/go.sum 
@@ -275,48 +275,42 @@ github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgI github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= github.com/aws/aws-sdk-go-v2 v1.16.13/go.mod h1:xSyvSnzh0KLs5H4HJGeIEsNYemUWdNIl0b/rP6SIsLU= github.com/aws/aws-sdk-go-v2 v1.16.15/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= -github.com/aws/aws-sdk-go-v2 v1.17.0/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= github.com/aws/aws-sdk-go-v2 v1.17.1 h1:02c72fDJr87N8RAC2s3Qu0YuvMRZKNZJ9F+lAehCazk= github.com/aws/aws-sdk-go-v2 v1.17.1/go.mod h1:JLnGeGONAyi2lWXI1p0PCIOIy333JMVK1U7Hf0aRFLw= -github.com/aws/aws-sdk-go-v2/config v1.17.4 h1:9HY1wbShqObySCHP2Z07blfrSWVX+nVxCZmUuLZKcG8= -github.com/aws/aws-sdk-go-v2/config v1.17.4/go.mod h1:ul+ru+huVpfduF9XRmGUq82T8T3K+nIFQuF6F+L+548= -github.com/aws/aws-sdk-go-v2/credentials v1.12.17 h1:htUjIJOQcvIUR0jC4eLkdis1DfaLL4EUbIKUFqh2WFA= -github.com/aws/aws-sdk-go-v2/credentials v1.12.17/go.mod h1:jd1mvJulXY7ccHvcSiJceYhv06yWIIRkJnwWEA4IX+g= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14 h1:NZwZFtxXGOEIiCd8jWN55lexakug543CaO68bTpoLwg= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.14/go.mod h1:5CU57SyF5jZLSIw4OOll0PG83ThXwNdkRFOc0EltD/0= +github.com/aws/aws-sdk-go-v2/config v1.18.2 h1:tRhTb3xMZsB0gW0sXWpqs9FeIP8iQp5SvnvwiPXzHwo= +github.com/aws/aws-sdk-go-v2/config v1.18.2/go.mod h1:9XVoZTdD8ICjrgI5ddb8j918q6lEZkFYpb7uohgvU6c= +github.com/aws/aws-sdk-go-v2/credentials v1.13.2 h1:F/v1w0XcFDZjL0bCdi9XWJenoPKjGbzljBhDKcryzEQ= +github.com/aws/aws-sdk-go-v2/credentials v1.13.2/go.mod h1:eAT5aj/WJ2UDIA0IVNFc2byQLeD89SDEi4cjzH/MKoQ= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19 h1:E3PXZSI3F2bzyj6XxUXdTIfvp425HHhwKsFvmzBwHgs= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19/go.mod h1:VihW95zQpeKQWVPGkwT+2+WJNQV8UXFfMTWdU6VErL8= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.20/go.mod 
h1:gdZ5gRUaxThXIZyZQ8MTtgYBk2jbHgp05BO3GcD9Cwc= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.22/go.mod h1:/vNv5Al0bpiF8YdX2Ov6Xy05VTiXsql94yUqJMYaj0w= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.24/go.mod h1:ghMzB/j2wRbPx5/4jPYxJdOtCG2ggrtY01j8K7FMBDA= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 h1:nBO/RFxeq/IS5G9Of+ZrgucRciie2qpLy++3UGZ+q2E= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25/go.mod h1:Zb29PYkf42vVYQY6pvSyJCJcFHlPIiY+YKdPtwnvMkY= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.14/go.mod h1:GEV9jaDPIgayiU+uevxwozcvUOjc+P4aHE2BeSjm2vE= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.16/go.mod h1:62dsXI0BqTIGomDl8Hpm33dv0OntGaVblri3ZRParVQ= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.18/go.mod h1:fkQKYK/jUhCL/wNS1tOPrlYhr9vqutjCz4zZC1wBE1s= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 h1:oRHDrwCTVT8ZXi4sr9Ld+EXk7N/KGssOr2ygNeojEhw= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19/go.mod h1:6Q0546uHDp421okhmmGfbxzq2hBqbXFNpi4k+Q1JnQA= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21 h1:lpwSbLKYTuABo6SyUoC25xAmfO3/TehGS2SmD1EtOL0= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.21/go.mod h1:Q0pktZjvRZk77TBto6yAvUAi7fcse1bdcMctBDVGgBw= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.26 h1:Mza+vlnZr+fPKFKRq/lKGVvM6B/8ZZmNdEopOwSQLms= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.26/go.mod h1:Y2OJ+P+MC1u1VKnavT+PshiEuGPyh/7DqxoDNij4/bg= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 h1:2f0kb+39miQPRp0b7Sqq06+TpxI0Nfcra41QxzJPME8= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0/go.mod h1:AVLIBQ9V7mcHd5uZT1+wUbBt4QaI/XcOens85Ib0W1o= github.com/aws/aws-sdk-go-v2/service/ec2 v1.70.0 h1:09PzSKQbPSMSK26JwjdpqhNsUEsaC8IPAZQslhR3HHg= github.com/aws/aws-sdk-go-v2/service/ec2 v1.70.0/go.mod h1:zul71QqzR4D1a90/5FloZiAnZ1CtuIjVH7R9MP997+A= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 h1:m/WtVqEvgwDiUPIW2dtnF2hDE1O62MEflz9ClOlCXAs= 
github.com/aws/aws-sdk-go-v2/service/iam v1.18.16/go.mod h1:w8wndcRxwILFQAzwkUKyEDz4LDHEBSR78KRdaNjUKQA= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.14/go.mod h1:8qOLjqMzY/S1kh3myDXA1yxK5eD4uN8aOJgKpgvc4OM= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.18/go.mod h1:QtCDHDOXunxeihz7iU15e09u9gRIeaa5WeE6FZVnGUo= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19 h1:GE25AWCdNUPh9AOJzI9KIJnja7IwUc1WyUqz/JTyJ/I= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19/go.mod h1:02CP6iuYP+IVnBX5HULVdSAku/85eHB2Y9EsFhrkEwU= github.com/aws/aws-sdk-go-v2/service/kms v1.18.8 h1:0YzDYm5rFuwzqwhBg94OYa2TKbdd5dUsf9+uPHwoYns= github.com/aws/aws-sdk-go-v2/service/kms v1.18.8/go.mod h1:NjgXnn0pk5rLSWZIgtx0BCwoCugRXzKZ7cDNsl98W7U= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 h1:Lh1yssM4dinNZuESsXnbi+pID8hoviejLZdLmT175i8= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0/go.mod h1:z0y2iDaghoq7uv6kndhrJCTzgVckv8Aak8kpnu2kYjs= -github.com/aws/aws-sdk-go-v2/service/sso v1.11.20 h1:3raP0UC9rvRyY4/cc4o4F3jTrNo94AYiarNUGNnq6dU= -github.com/aws/aws-sdk-go-v2/service/sso v1.11.20/go.mod h1:hPsROgDdgY/NQ1gPt7VJWG0GjSnalDC0DkkMfGEw2gc= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.2 h1:/SYpdjjAtraymql+/r719OgjxezdanAQiLb/NMxDb04= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.2/go.mod h1:5cxfDYtY2mDOlmesy4yycb6lwyy1U/iAUOHKhQLKw/E= -github.com/aws/aws-sdk-go-v2/service/sts v1.16.16/go.mod h1:Y9iBgT1w2vHtYzJEkwD6FqILjDSsvbxcW/+wIYxyse4= -github.com/aws/aws-sdk-go-v2/service/sts v1.17.0 h1:9S0HcZUxKcU3HdN+M6GgLIvdbg9as5aOoHrvwRsPNYU= -github.com/aws/aws-sdk-go-v2/service/sts v1.17.0/go.mod h1:9pZN58zQc5a4Dkdnhu/rI1lNBui1vP5B0giGCuUt2b0= +github.com/aws/aws-sdk-go-v2/service/sso v1.11.25 h1:GFZitO48N/7EsFDt8fMa5iYdmWqkUDDB3Eje6z3kbG0= +github.com/aws/aws-sdk-go-v2/service/sso v1.11.25/go.mod h1:IARHuzTXmj1C0KS35vboR0FeJ89OkEy1M9mWbK2ifCI= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.8 
h1:jcw6kKZrtNfBPJkaHrscDOZoe5gvi9wjudnxvozYFJo= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.8/go.mod h1:er2JHN+kBY6FcMfcBBKNGCT3CarImmdFzishsqBmSRI= +github.com/aws/aws-sdk-go-v2/service/sts v1.17.4 h1:YNncBj5dVYd05i4ZQ+YicOotSXo0ufc9P8kTioi13EM= +github.com/aws/aws-sdk-go-v2/service/sts v1.17.4/go.mod h1:bXcN3koeVYiJcdDU89n3kCYILob7Y34AeLopUbZgLT4= github.com/aws/smithy-go v1.13.1/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/aws/smithy-go v1.13.4 h1:/RN2z1txIJWeXeOkzX+Hk/4Uuvv7dWtCjbmVJcrskyk= From 22ab6c7396e5e879ff8b3c53d6d5d195a3331ebd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Nov 2022 12:44:22 -0700 Subject: [PATCH 142/257] Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.70.0 to 1.72.0 (#3626) Bumps [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) from 1.70.0 to 1.72.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.70.0...service/ec2/v1.72.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index c527ab3974..84395a9d1c 100644 --- a/go.mod +++ b/go.mod 
@@ -22,7 +22,7 @@ require ( github.com/aws/aws-sdk-go-v2/credentials v1.13.2 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19 github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 - github.com/aws/aws-sdk-go-v2/service/ec2 v1.70.0 + github.com/aws/aws-sdk-go-v2/service/ec2 v1.72.0 github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 github.com/aws/aws-sdk-go-v2/service/kms v1.18.8 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 diff --git a/go.sum b/go.sum index 196e1c19e3..6818a80fba 100644 --- a/go.sum +++ b/go.sum @@ -295,8 +295,8 @@ github.com/aws/aws-sdk-go-v2/internal/ini v1.3.26 h1:Mza+vlnZr+fPKFKRq/lKGVvM6B/ github.com/aws/aws-sdk-go-v2/internal/ini v1.3.26/go.mod h1:Y2OJ+P+MC1u1VKnavT+PshiEuGPyh/7DqxoDNij4/bg= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 h1:2f0kb+39miQPRp0b7Sqq06+TpxI0Nfcra41QxzJPME8= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0/go.mod h1:AVLIBQ9V7mcHd5uZT1+wUbBt4QaI/XcOens85Ib0W1o= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.70.0 h1:09PzSKQbPSMSK26JwjdpqhNsUEsaC8IPAZQslhR3HHg= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.70.0/go.mod h1:zul71QqzR4D1a90/5FloZiAnZ1CtuIjVH7R9MP997+A= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.72.0 h1:bCFJL8mahOZJa3+t8+uWHL1JzuCICZCSb50FCljz9hE= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.72.0/go.mod h1:zul71QqzR4D1a90/5FloZiAnZ1CtuIjVH7R9MP997+A= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 h1:m/WtVqEvgwDiUPIW2dtnF2hDE1O62MEflz9ClOlCXAs= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16/go.mod h1:w8wndcRxwILFQAzwkUKyEDz4LDHEBSR78KRdaNjUKQA= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19 h1:GE25AWCdNUPh9AOJzI9KIJnja7IwUc1WyUqz/JTyJ/I= From 0d0a9e7c9c4c3d482368485058039ebe6d6f6a0c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Nov 2022 15:52:13 -0700 Subject: [PATCH 143/257] Bump github.com/GoogleCloudPlatform/cloudsql-proxy from 1.33.0 to 1.33.1 (#3615) Bumps [github.com/GoogleCloudPlatform/cloudsql-proxy](https://github.com/GoogleCloudPlatform/cloudsql-proxy) from 1.33.0 to 1.33.1. - [Release notes](https://github.com/GoogleCloudPlatform/cloudsql-proxy/releases) - [Changelog](https://github.com/GoogleCloudPlatform/cloud-sql-proxy/blob/v1.33.1/CHANGELOG.md) - [Commits](https://github.com/GoogleCloudPlatform/cloudsql-proxy/compare/v1.33.0...v1.33.1) --- updated-dependencies: - dependency-name: github.com/GoogleCloudPlatform/cloudsql-proxy dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 116 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 113 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index 84395a9d1c..e1d30cb526 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0 - github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.0 + github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.1 github.com/Microsoft/go-winio v0.6.0 github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 github.com/armon/go-metrics v0.4.1 diff --git a/go.sum b/go.sum index 6818a80fba..2799bb0f40 100644 --- a/go.sum +++ b/go.sum 
@@ -32,20 +32,34 @@ cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34h cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRYtA= cloud.google.com/go v0.105.0 h1:DNtEKRBAAzeS4KyIory52wWHuClNaXJ5x1F7xa4q+5Y= cloud.google.com/go v0.105.0/go.mod h1:PrLgOJNe5nfE9UMxKxgXj4mD3voiP+YQ6gdt6KMFOKM= +cloud.google.com/go/accessapproval v1.4.0/go.mod h1:zybIuC3KpDOvotz59lFe5qxRZx6C75OtwbisN56xYB4= +cloud.google.com/go/accesscontextmanager v1.3.0/go.mod h1:TgCBehyr5gNMz7ZaH9xubp+CE8dkrszb4oK9CWyvD4o= cloud.google.com/go/aiplatform v1.22.0/go.mod h1:ig5Nct50bZlzV6NvKaTwmplLLddFx0YReh9WfTO5jKw= cloud.google.com/go/aiplatform v1.24.0/go.mod h1:67UUvRBKG6GTayHKV8DBv2RtR1t93YRu5B1P3x99mYY= cloud.google.com/go/analytics v0.11.0/go.mod h1:DjEWCu41bVbYcKyvlws9Er60YE4a//bK6mnhWvQeFNI= cloud.google.com/go/analytics v0.12.0/go.mod h1:gkfj9h6XRf9+TS4bmuhPEShsh3hH8PAZzm/41OOhQd4= +cloud.google.com/go/apigateway v1.3.0/go.mod h1:89Z8Bhpmxu6AmUxuVRg/ECRGReEdiP3vQtk4Z1J9rJk= +cloud.google.com/go/apigeeconnect v1.3.0/go.mod h1:G/AwXFAKo0gIXkPTVfZDd2qA1TxBXJ3MgMRBQkIi9jc= +cloud.google.com/go/appengine v1.4.0/go.mod h1:CS2NhuBuDXM9f+qscZ6V86m1MIIqPj3WC/UoEuR1Sno= cloud.google.com/go/area120 v0.5.0/go.mod h1:DE/n4mp+iqVyvxHN41Vf1CR602GiHQjFPusMFW6bGR4= cloud.google.com/go/area120 v0.6.0/go.mod h1:39yFJqWVgm0UZqWTOdqkLhjoC7uFfgXRC8g/ZegeAh0= cloud.google.com/go/artifactregistry v1.6.0/go.mod h1:IYt0oBPSAGYj/kprzsBjZ/4LnG/zOcHyFHjWPCi6SAQ= cloud.google.com/go/artifactregistry v1.7.0/go.mod h1:mqTOFOnGZx8EtSqK/ZWcsm/4U8B77rbcLP6ruDU2Ixk= +cloud.google.com/go/artifactregistry v1.8.0/go.mod h1:w3GQXkJX8hiKN0v+at4b0qotwijQbYUqF2GWkZzAhC0= cloud.google.com/go/asset v1.5.0/go.mod h1:5mfs8UvcM5wHhqtSv8J1CtxxaQq3AdBxxQi2jGW/K4o= cloud.google.com/go/asset v1.7.0/go.mod h1:YbENsRK4+xTiL+Ofoj5Ckf+O17kJtgp3Y3nn4uzZz5s= +cloud.google.com/go/asset v1.8.0/go.mod h1:mUNGKhiqIdbr8X7KNayoYvyc4HbbFO9URsjbytpUaW0= +cloud.google.com/go/asset v1.9.0/go.mod 
h1:83MOE6jEJBMqFKadM9NLRcs80Gdw76qGuHn8m3h8oHQ= cloud.google.com/go/assuredworkloads v1.5.0/go.mod h1:n8HOZ6pff6re5KYfBXcFvSViQjDwxFkAkmUFffJRbbY= cloud.google.com/go/assuredworkloads v1.6.0/go.mod h1:yo2YOk37Yc89Rsd5QMVECvjaMKymF9OP+QXWlKXUkXw= +cloud.google.com/go/assuredworkloads v1.7.0/go.mod h1:z/736/oNmtGAyU47reJgGN+KVoYoxeLBoj4XkKYscNI= +cloud.google.com/go/assuredworkloads v1.8.0/go.mod h1:AsX2cqyNCOvEQC8RMPnoc0yEarXQk6WEKkxYfL6kGIo= cloud.google.com/go/automl v1.5.0/go.mod h1:34EjfoFGMZ5sgJ9EoLsRtdPSNZLcfflJR39VbVNS2M0= cloud.google.com/go/automl v1.6.0/go.mod h1:ugf8a6Fx+zP0D59WLhqgTDsQI9w07o64uf/Is3Nh5p8= +cloud.google.com/go/automl v1.7.0/go.mod h1:RL9MYCCsJEOmt0Wf3z9uzG0a7adTT1fe+aObgSpkCt8= +cloud.google.com/go/baremetalsolution v0.3.0/go.mod h1:XOrocE+pvK1xFfleEnShBlNAXf+j5blPPxrhjKgnIFc= +cloud.google.com/go/batch v0.3.0/go.mod h1:TR18ZoAekj1GuirsUsR1ZTKN3FC/4UDnScjT8NXImFE= +cloud.google.com/go/beyondcorp v0.2.0/go.mod h1:TB7Bd+EEtcw9PCPQhCJtJGjk/7TC6ckmnSFS+xwTfm4= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= 
@@ -55,10 +69,17 @@ cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM7 cloud.google.com/go/bigquery v1.42.0/go.mod h1:8dRTJxhtG+vwBKzE5OseQn/hiydoQN3EedCaOdYmxRA= cloud.google.com/go/billing v1.4.0/go.mod h1:g9IdKBEFlItS8bTtlrZdVLWSSdSyFUZKXNS02zKMOZY= cloud.google.com/go/billing v1.5.0/go.mod h1:mztb1tBc3QekhjSgmpf/CV4LzWXLzCArwpLmP2Gm88s= +cloud.google.com/go/billing v1.6.0/go.mod h1:WoXzguj+BeHXPbKfNWkqVtDdzORazmCjraY+vrxcyvI= cloud.google.com/go/binaryauthorization v1.1.0/go.mod h1:xwnoWu3Y84jbuHa0zd526MJYmtnVXn0syOjaJgy4+dM= cloud.google.com/go/binaryauthorization v1.2.0/go.mod h1:86WKkJHtRcv5ViNABtYMhhNWRrD1Vpi//uKEy7aYEfI= +cloud.google.com/go/binaryauthorization v1.3.0/go.mod h1:lRZbKgjDIIQvzYQS1p99A7/U1JqvqeZg0wiI5tp6tg0= +cloud.google.com/go/certificatemanager v1.3.0/go.mod h1:n6twGDvcUBFu9uBgt4eYvvf3sQ6My8jADcOVwHmzadg= +cloud.google.com/go/channel v1.8.0/go.mod h1:W5SwCXDJsq/rg3tn3oG0LOxpAo6IMxNa09ngphpSlnk= +cloud.google.com/go/cloudbuild v1.3.0/go.mod h1:WequR4ULxlqvMsjDEEEFnOG5ZSRSgWOywXYDb1vPE6U= +cloud.google.com/go/clouddms v1.3.0/go.mod h1:oK6XsCDdW4Ib3jCCBugx+gVjevp2TMXFtgxvPSee3OM= cloud.google.com/go/cloudtasks v1.5.0/go.mod h1:fD92REy1x5woxkKEkLdvavGnPJGEn8Uic9nWuLzqCpY= cloud.google.com/go/cloudtasks v1.6.0/go.mod h1:C6Io+sxuke9/KNRkbQpihnW93SWDU3uXt92nu85HkYI= +cloud.google.com/go/cloudtasks v1.7.0/go.mod h1:ImsfdYWwlWNJbdgPIIGJWC+gemEGTBK/SunNQQNCAb4= cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow= cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM= cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M= 
@@ -66,73 +87,116 @@ cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU= cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U= cloud.google.com/go/compute v1.10.0/go.mod h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOtRsugnLrlU= +cloud.google.com/go/compute v1.12.0/go.mod h1:e8yNOBcBONZU1vJKCvCoDw/4JQsA0dpM4x/6PIIOocU= cloud.google.com/go/compute v1.12.1 h1:gKVJMEyqV5c/UnpzjjQbo3Rjvvqpr9B1DFSbJC4OXr0= cloud.google.com/go/compute v1.12.1/go.mod h1:e8yNOBcBONZU1vJKCvCoDw/4JQsA0dpM4x/6PIIOocU= +cloud.google.com/go/compute/metadata v0.1.0/go.mod h1:Z1VN+bulIf6bt4P/C37K4DyZYZEXYonfTBHHFPO/4UU= cloud.google.com/go/compute/metadata v0.2.1 h1:efOwf5ymceDhK6PKMnnrTHP4pppY5L22mle96M1yP48= cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM= +cloud.google.com/go/contactcenterinsights v1.3.0/go.mod h1:Eu2oemoePuEFc/xKFPjbTuPSj0fYJcPls9TFlPNnHHY= +cloud.google.com/go/container v1.6.0/go.mod h1:Xazp7GjJSeUYo688S+6J5V+n/t+G5sKBTFkKNudGRxg= cloud.google.com/go/containeranalysis v0.5.1/go.mod h1:1D92jd8gRR/c0fGMlymRgxWD3Qw9C1ff6/T7mLgVL8I= cloud.google.com/go/containeranalysis v0.6.0/go.mod h1:HEJoiEIu+lEXM+k7+qLCci0h33lX3ZqoYFdmPcoO7s4= cloud.google.com/go/datacatalog v1.3.0/go.mod h1:g9svFY6tuR+j+hrTw3J2dNcmI0dzmSiyOzm8kpLq0a0= cloud.google.com/go/datacatalog v1.5.0/go.mod h1:M7GPLNQeLfWqeIm3iuiruhPzkt65+Bx8dAKvScX8jvs= cloud.google.com/go/datacatalog v1.6.0/go.mod h1:+aEyF8JKg+uXcIdAmmaMUmZ3q1b/lKLtXCmXdnc0lbc= +cloud.google.com/go/datacatalog v1.7.0/go.mod h1:9mEl4AuDYWw81UGc41HonIHH7/sn52H0/tc8f8ZbZIE= cloud.google.com/go/dataflow v0.6.0/go.mod h1:9QwV89cGoxjjSR9/r7eFDqqjtvbKxAK2BaYU6PVk9UM= cloud.google.com/go/dataflow v0.7.0/go.mod h1:PX526vb4ijFMesO1o202EaUmouZKBpjHsTlCtB4parQ= cloud.google.com/go/dataform v0.3.0/go.mod h1:cj8uNliRlHpa6L3yVhDOBrUXH+BPAO1+KFMQQNSThKo= 
cloud.google.com/go/dataform v0.4.0/go.mod h1:fwV6Y4Ty2yIFL89huYlEkwUPtS7YZinZbzzj5S9FzCE= +cloud.google.com/go/datafusion v1.4.0/go.mod h1:1Zb6VN+W6ALo85cXnM1IKiPw+yQMKMhB9TsTSRDo/38= cloud.google.com/go/datalabeling v0.5.0/go.mod h1:TGcJ0G2NzcsXSE/97yWjIZO0bXj0KbVlINXMG9ud42I= cloud.google.com/go/datalabeling v0.6.0/go.mod h1:WqdISuk/+WIGeMkpw/1q7bK/tFEZxsrFJOJdY2bXvTQ= +cloud.google.com/go/dataplex v1.3.0/go.mod h1:hQuRtDg+fCiFgC8j0zV222HvzFQdRd+SVX8gdmFcZzA= +cloud.google.com/go/dataproc v1.7.0/go.mod h1:CKAlMjII9H90RXaMpSxQ8EU6dQx6iAYNPcYPOkSbi8s= cloud.google.com/go/dataqna v0.5.0/go.mod h1:90Hyk596ft3zUQ8NkFfvICSIfHFh1Bc7C4cK3vbhkeo= cloud.google.com/go/dataqna v0.6.0/go.mod h1:1lqNpM7rqNLVgWBJyk5NF6Uen2PHym0jtVJonplVsDA= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/datastream v1.2.0/go.mod h1:i/uTP8/fZwgATHS/XFu0TcNUhuA0twZxxQ3EyCUQMwo= cloud.google.com/go/datastream v1.3.0/go.mod h1:cqlOX8xlyYF/uxhiKn6Hbv6WjwPPuI9W2M9SAXwaLLQ= +cloud.google.com/go/datastream v1.4.0/go.mod h1:h9dpzScPhDTs5noEMQVWP8Wx8AFBRyS0s8KWPx/9r0g= +cloud.google.com/go/deploy v1.4.0/go.mod h1:5Xghikd4VrmMLNaF6FiRFDlHb59VM59YoDQnOUdsH/c= cloud.google.com/go/dialogflow v1.15.0/go.mod h1:HbHDWs33WOGJgn6rfzBW1Kv807BE3O1+xGbn59zZWI4= cloud.google.com/go/dialogflow v1.16.1/go.mod h1:po6LlzGfK+smoSmTBnbkIZY2w8ffjz/RcGSS+sh1el0= +cloud.google.com/go/dialogflow v1.17.0/go.mod h1:YNP09C/kXA1aZdBgC/VtXX74G/TKn7XVCcVumTflA+8= +cloud.google.com/go/dialogflow v1.18.0/go.mod h1:trO7Zu5YdyEuR+BhSNOqJezyFQ3aUzz0njv7sMx/iek= +cloud.google.com/go/dlp v1.6.0/go.mod h1:9eyB2xIhpU0sVwUixfBubDoRwP+GjeUoxxeueZmqvmM= cloud.google.com/go/documentai v1.7.0/go.mod h1:lJvftZB5NRiFSX4moiye1SMxHx0Bc3x1+p9e/RfXYiU= cloud.google.com/go/documentai v1.8.0/go.mod h1:xGHNEB7CtsnySCNrCFdCyyMz44RhFEEX2Q7UD0c5IhU= +cloud.google.com/go/documentai v1.9.0/go.mod 
h1:FS5485S8R00U10GhgBC0aNGrJxBP8ZVpEeJ7PQDZd6k= cloud.google.com/go/domains v0.6.0/go.mod h1:T9Rz3GasrpYk6mEGHh4rymIhjlnIuB4ofT1wTxDeT4Y= cloud.google.com/go/domains v0.7.0/go.mod h1:PtZeqS1xjnXuRPKE/88Iru/LdfoRyEHYA9nFQf4UKpg= cloud.google.com/go/edgecontainer v0.1.0/go.mod h1:WgkZ9tp10bFxqO8BLPqv2LlfmQF1X8lZqwW4r1BTajk= +cloud.google.com/go/edgecontainer v0.2.0/go.mod h1:RTmLijy+lGpQ7BXuTDa4C4ssxyXT34NIuHIgKuP4s5w= +cloud.google.com/go/essentialcontacts v1.3.0/go.mod h1:r+OnHa5jfj90qIfZDO/VztSFqbQan7HV75p8sA+mdGI= +cloud.google.com/go/eventarc v1.7.0/go.mod h1:6ctpF3zTnaQCxUjHUdcfgcA1A2T309+omHZth7gDfmc= +cloud.google.com/go/filestore v1.3.0/go.mod h1:+qbvHGvXU1HaKX2nD0WEPo92TP/8AQuCVEBXNY9z0+w= cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= cloud.google.com/go/functions v1.6.0/go.mod h1:3H1UA3qiIPRWD7PeZKLvHZ9SaQhR26XIJcC0A5GbvAk= cloud.google.com/go/functions v1.7.0/go.mod h1:+d+QBcWM+RsrgZfV9xo6KfA1GlzJfxcfZcRPEhDDfzg= +cloud.google.com/go/functions v1.8.0/go.mod h1:RTZ4/HsQjIqIYP9a9YPbU+QFoQsAlYgrwOXJWHn1POY= cloud.google.com/go/gaming v1.5.0/go.mod h1:ol7rGcxP/qHTRQE/RO4bxkXq+Fix0j6D4LFPzYTIrDM= cloud.google.com/go/gaming v1.6.0/go.mod h1:YMU1GEvA39Qt3zWGyAVA9bpYz/yAhTvaQ1t2sK4KPUA= +cloud.google.com/go/gaming v1.7.0/go.mod h1:LrB8U7MHdGgFG851iHAfqUdLcKBdQ55hzXy9xBJz0+w= +cloud.google.com/go/gkebackup v0.2.0/go.mod h1:XKvv/4LfG829/B8B7xRkk8zRrOEbKtEam6yNfuQNH60= cloud.google.com/go/gkeconnect v0.5.0/go.mod h1:c5lsNAg5EwAy7fkqX/+goqFsU1Da/jQFqArp+wGNr/o= cloud.google.com/go/gkeconnect v0.6.0/go.mod h1:Mln67KyU/sHJEBY8kFZ0xTeyPtzbq9StAVvEULYK16A= cloud.google.com/go/gkehub v0.9.0/go.mod h1:WYHN6WG8w9bXU0hqNxt8rm5uxnk8IH+lPY9J2TV7BK0= cloud.google.com/go/gkehub v0.10.0/go.mod h1:UIPwxI0DsrpsVoWpLB0stwKCP+WFVG9+y977wO+hBH0= +cloud.google.com/go/gkemulticloud v0.3.0/go.mod h1:7orzy7O0S+5kq95e4Hpn7RysVA7dPs8W/GgfUtsPbrA= cloud.google.com/go/grafeas v0.2.0/go.mod h1:KhxgtF2hb0P191HlY5besjYm6MqTSTj3LSI+M+ByZHc= 
+cloud.google.com/go/gsuiteaddons v1.3.0/go.mod h1:EUNK/J1lZEZO8yPtykKxLXI6JSVN2rg9bN8SXOa0bgM= cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= +cloud.google.com/go/iam v0.5.0/go.mod h1:wPU9Vt0P4UmCux7mqtRu6jcpPAb74cP1fh50J3QpkUc= +cloud.google.com/go/iam v0.6.0/go.mod h1:+1AH33ueBne5MzYccyMHtEKqLE4/kJOibtffMHDMFMc= cloud.google.com/go/iam v0.7.0 h1:k4MuwOsS7zGJJ+QfZ5vBK8SgHBAvYN/23BWsiihJ1vs= cloud.google.com/go/iam v0.7.0/go.mod h1:H5Br8wRaDGNc8XP3keLc4unfUUZeyH3Sfl9XpQEYOeg= +cloud.google.com/go/iap v1.4.0/go.mod h1:RGFwRJdihTINIe4wZ2iCP0zF/qu18ZwyKxrhMhygBEc= +cloud.google.com/go/ids v1.1.0/go.mod h1:WIuwCaYVOzHIj2OhN9HAwvW+DBdmUAdcWlFxRl+KubM= +cloud.google.com/go/iot v1.3.0/go.mod h1:r7RGh2B61+B8oz0AGE+J72AhA0G7tdXItODWsaA2oLs= +cloud.google.com/go/kms v1.5.0/go.mod h1:QJS2YY0eJGBg3mnDfuaCyLauWwBJiHRboYxJ++1xJNg= cloud.google.com/go/kms v1.6.0 h1:OWRZzrPmOZUzurjI2FBGtgY2mB1WaJkqhw6oIwSj0Yg= cloud.google.com/go/kms v1.6.0/go.mod h1:Jjy850yySiasBUDi6KFUwUv2n1+o7QZFyuUJg6OgjA0= cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic= cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI= +cloud.google.com/go/language v1.7.0/go.mod h1:DJ6dYN/W+SQOjF8e1hLQXMF21AkH2w9wiPzPCJa2MIE= cloud.google.com/go/lifesciences v0.5.0/go.mod h1:3oIKy8ycWGPUyZDR/8RNnTOYevhaMLqh5vLUXs9zvT8= cloud.google.com/go/lifesciences v0.6.0/go.mod h1:ddj6tSX/7BOnhxCSd3ZcETvtNr8NZ6t/iPhY2Tyfu08= cloud.google.com/go/longrunning v0.1.1 h1:y50CXG4j0+qvEukslYFBCrzaXX0qpFbBzc3PchSu/LE= cloud.google.com/go/longrunning v0.1.1/go.mod h1:UUFxuDWkv22EuY93jjmDMFT5GPQKeFVJBIF6QlTqdsE= +cloud.google.com/go/managedidentities v1.3.0/go.mod h1:UzlW3cBOiPrzucO5qWkNkh0w33KFtBJU281hacNvsdE= cloud.google.com/go/mediatranslation v0.5.0/go.mod h1:jGPUhGTybqsPQn91pNXw0xVHfuJ3leR1wj37oU3y1f4= cloud.google.com/go/mediatranslation v0.6.0/go.mod h1:hHdBCTYNigsBxshbznuIMFNe5QXEowAuNmmC7h8pu5w= 
cloud.google.com/go/memcache v1.4.0/go.mod h1:rTOfiGZtJX1AaFUrOgsMHX5kAzaTQ8azHiuDoTPzNsE= cloud.google.com/go/memcache v1.5.0/go.mod h1:dk3fCK7dVo0cUU2c36jKb4VqKPS22BTkf81Xq617aWM= +cloud.google.com/go/memcache v1.6.0/go.mod h1:XS5xB0eQZdHtTuTF9Hf8eJkKtR3pVRCcvJwtm68T3rA= cloud.google.com/go/metastore v1.5.0/go.mod h1:2ZNrDcQwghfdtCwJ33nM0+GrBGlVuh8rakL3vdPY3XY= cloud.google.com/go/metastore v1.6.0/go.mod h1:6cyQTls8CWXzk45G55x57DVQ9gWg7RiH65+YgPsNh9s= +cloud.google.com/go/metastore v1.7.0/go.mod h1:s45D0B4IlsINu87/AsWiEVYbLaIMeUSoxlKKDqBGFS8= +cloud.google.com/go/monitoring v1.7.0/go.mod h1:HpYse6kkGo//7p6sT0wsIC6IBDET0RhIsnmlA53dvEk= cloud.google.com/go/networkconnectivity v1.4.0/go.mod h1:nOl7YL8odKyAOtzNX73/M5/mGZgqqMeryi6UPZTk/rA= cloud.google.com/go/networkconnectivity v1.5.0/go.mod h1:3GzqJx7uhtlM3kln0+x5wyFvuVH1pIBJjhCpjzSt75o= +cloud.google.com/go/networkconnectivity v1.6.0/go.mod h1:OJOoEXW+0LAxHh89nXd64uGG+FbQoeH8DtxCHVOMlaM= +cloud.google.com/go/networkmanagement v1.4.0/go.mod h1:Q9mdLLRn60AsOrPc8rs8iNV6OHXaGcDdsIQe1ohekq8= cloud.google.com/go/networksecurity v0.5.0/go.mod h1:xS6fOCoqpVC5zx15Z/MqkfDwH4+m/61A3ODiDV1xmiQ= cloud.google.com/go/networksecurity v0.6.0/go.mod h1:Q5fjhTr9WMI5mbpRYEbiexTzROf7ZbDzvzCrNl14nyU= cloud.google.com/go/notebooks v1.2.0/go.mod h1:9+wtppMfVPUeJ8fIWPOq1UnATHISkGXGqTkxeieQ6UY= cloud.google.com/go/notebooks v1.3.0/go.mod h1:bFR5lj07DtCPC7YAAJ//vHskFBxA5JzYlH68kXVdk34= +cloud.google.com/go/notebooks v1.4.0/go.mod h1:4QPMngcwmgb6uw7Po99B2xv5ufVoIQ7nOGDyL4P8AgA= +cloud.google.com/go/optimization v1.1.0/go.mod h1:5po+wfvX5AQlPznyVEZjGJTMr4+CAkJf2XSTQOOl9l4= +cloud.google.com/go/orchestration v1.3.0/go.mod h1:Sj5tq/JpWiB//X/q3Ngwdl5K7B7Y0KZ7bfv0wL6fqVA= +cloud.google.com/go/orgpolicy v1.4.0/go.mod h1:xrSLIV4RePWmP9P3tBl8S93lTmlAxjm06NSm2UTmKvE= cloud.google.com/go/osconfig v1.7.0/go.mod h1:oVHeCeZELfJP7XLxcBGTMBvRO+1nQ5tFG9VQTmYS2Fs= cloud.google.com/go/osconfig v1.8.0/go.mod h1:EQqZLu5w5XA7eKizepumcvWx+m8mJUhEwiPqWiZeEdg= 
+cloud.google.com/go/osconfig v1.9.0/go.mod h1:Yx+IeIZJ3bdWmzbQU4fxNl8xsZ4amB+dygAwFPlvnNo= cloud.google.com/go/oslogin v1.4.0/go.mod h1:YdgMXWRaElXz/lDk1Na6Fh5orF7gvmJ0FGLIs9LId4E= cloud.google.com/go/oslogin v1.5.0/go.mod h1:D260Qj11W2qx/HVF29zBg+0fd6YCSjSqLUkY/qEenQU= +cloud.google.com/go/oslogin v1.6.0/go.mod h1:zOJ1O3+dTU8WPlGEkFSh7qeHPPSoxrcMbbK1Nm2iX70= cloud.google.com/go/phishingprotection v0.5.0/go.mod h1:Y3HZknsK9bc9dMi+oE8Bim0lczMU6hrX0UpADuMefr0= cloud.google.com/go/phishingprotection v0.6.0/go.mod h1:9Y3LBLgy0kDTcYET8ZH3bq/7qni15yVUoAxiFxnlSUA= +cloud.google.com/go/policytroubleshooter v1.3.0/go.mod h1:qy0+VwANja+kKrjlQuOzmlvscn4RNsAc0e15GGqfMxg= cloud.google.com/go/privatecatalog v0.5.0/go.mod h1:XgosMUvvPyxDjAVNDYxJ7wBW8//hLDDYmnsNcMGq1K0= cloud.google.com/go/privatecatalog v0.6.0/go.mod h1:i/fbkZR0hLN29eEWiiwue8Pb+GforiEIBnV9yrRUOKI= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= 
@@ -142,30 +206,48 @@ cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjp cloud.google.com/go/recaptchaenterprise v1.3.1/go.mod h1:OdD+q+y4XGeAlxRaMn1Y7/GveP6zmq76byL6tjPE7d4= cloud.google.com/go/recaptchaenterprise/v2 v2.1.0/go.mod h1:w9yVqajwroDNTfGuhmOjPDN//rZGySaf6PtFVcSCa7o= cloud.google.com/go/recaptchaenterprise/v2 v2.2.0/go.mod h1:/Zu5jisWGeERrd5HnlS3EUGb/D335f9k51B/FVil0jk= +cloud.google.com/go/recaptchaenterprise/v2 v2.3.0/go.mod h1:O9LwGCjrhGHBQET5CA7dd5NwwNQUErSgEDit1DLNTdo= +cloud.google.com/go/recaptchaenterprise/v2 v2.4.0/go.mod h1:Am3LHfOuBstrLrNCBrlI5sbwx9LBg3te2N6hGvHn2mE= cloud.google.com/go/recommendationengine v0.5.0/go.mod h1:E5756pJcVFeVgaQv3WNpImkFP8a+RptV6dDLGPILjvg= cloud.google.com/go/recommendationengine v0.6.0/go.mod h1:08mq2umu9oIqc7tDy8sx+MNJdLG0fUi3vaSVbztHgJ4= cloud.google.com/go/recommender v1.5.0/go.mod h1:jdoeiBIVrJe9gQjwd759ecLJbxCDED4A6p+mqoqDvTg= cloud.google.com/go/recommender v1.6.0/go.mod h1:+yETpm25mcoiECKh9DEScGzIRyDKpZ0cEhWGo+8bo+c= +cloud.google.com/go/recommender v1.7.0/go.mod h1:XLHs/W+T8olwlGOgfQenXBTbIseGclClff6lhFVe9Bs= cloud.google.com/go/redis v1.7.0/go.mod h1:V3x5Jq1jzUcg+UNsRvdmsfuFnit1cfe3Z/PGyq/lm4Y= cloud.google.com/go/redis v1.8.0/go.mod h1:Fm2szCDavWzBk2cDKxrkmWBqoCiL1+Ctwq7EyqBCA/A= +cloud.google.com/go/redis v1.9.0/go.mod h1:HMYQuajvb2D0LvMgZmLDZW8V5aOC/WxstZHiy4g8OiA= +cloud.google.com/go/resourcemanager v1.3.0/go.mod h1:bAtrTjZQFJkiWTPDb1WBjzvc6/kifjj4QBYuKCCoqKA= +cloud.google.com/go/resourcesettings v1.3.0/go.mod h1:lzew8VfESA5DQ8gdlHwMrqZs1S9V87v3oCnKCWoOuQU= cloud.google.com/go/retail v1.8.0/go.mod h1:QblKS8waDmNUhghY2TI9O3JLlFk8jybHeV4BF19FrE4= cloud.google.com/go/retail v1.9.0/go.mod h1:g6jb6mKuCS1QKnH/dpu7isX253absFl6iE92nHwlBUY= +cloud.google.com/go/retail v1.10.0/go.mod h1:2gDk9HsL4HMS4oZwz6daui2/jmKvqShXKQuB2RZ+cCc= +cloud.google.com/go/run v0.2.0/go.mod h1:CNtKsTA1sDcnqqIFR3Pb5Tq0usWxJJvsWOCPldRU3Do= cloud.google.com/go/scheduler v1.4.0/go.mod 
h1:drcJBmxF3aqZJRhmkHQ9b3uSSpQoltBPGPxGAWROx6s= cloud.google.com/go/scheduler v1.5.0/go.mod h1:ri073ym49NW3AfT6DZi21vLZrG07GXr5p3H1KxN5QlI= +cloud.google.com/go/scheduler v1.6.0/go.mod h1:SgeKVM7MIwPn3BqtcBntpLyrIJftQISRrYB5ZtT+KOk= cloud.google.com/go/secretmanager v1.6.0/go.mod h1:awVa/OXF6IiyaU1wQ34inzQNc4ISIDIrId8qE5QGgKA= +cloud.google.com/go/secretmanager v1.8.0/go.mod h1:hnVgi/bN5MYHd3Gt0SPuTPPp5ENina1/LxM+2W9U9J4= cloud.google.com/go/secretmanager v1.9.0 h1:xE6uXljAC1kCR8iadt9+/blg1fvSbmenlsDN4fT9gqw= cloud.google.com/go/secretmanager v1.9.0/go.mod h1:b71qH2l1yHmWQHt9LC80akm86mX8AL6X1MA01dW8ht4= cloud.google.com/go/security v1.5.0/go.mod h1:lgxGdyOKKjHL4YG3/YwIL2zLqMFCKs0UbQwgyZmfJl4= cloud.google.com/go/security v1.7.0/go.mod h1:mZklORHl6Bg7CNnnjLH//0UlAlaXqiG7Lb9PsPXLfD0= cloud.google.com/go/security v1.8.0/go.mod h1:hAQOwgmaHhztFhiQ41CjDODdWP0+AE1B3sX4OFlq+GU= +cloud.google.com/go/security v1.9.0/go.mod h1:6Ta1bO8LXI89nZnmnsZGp9lVoVWXqsVbIq/t9dzI+2Q= cloud.google.com/go/security v1.10.0 h1:KSKzzJMyUoMRQzcz7azIgqAUqxo7rmQ5rYvimMhikqg= cloud.google.com/go/security v1.10.0/go.mod h1:QtOMZByJVlibUT2h9afNDWRZ1G96gVywH8T5GUSb9IA= cloud.google.com/go/securitycenter v1.13.0/go.mod h1:cv5qNAqjY84FCN6Y9z28WlkKXyWsgLO832YiWwkCWcU= cloud.google.com/go/securitycenter v1.14.0/go.mod h1:gZLAhtyKv85n52XYWt6RmeBdydyxfPeTrpToDPw4Auc= +cloud.google.com/go/securitycenter v1.15.0/go.mod h1:PeKJ0t8MoFmmXLXWm41JidyzI3PJjd8sXWaVqg43WWk= +cloud.google.com/go/servicecontrol v1.4.0/go.mod h1:o0hUSJ1TXJAmi/7fLJAedOovnujSEvjKCAFNXPQ1RaU= cloud.google.com/go/servicedirectory v1.4.0/go.mod h1:gH1MUaZCgtP7qQiI+F+A+OpeKF/HQWgtAddhTbhL2bs= cloud.google.com/go/servicedirectory v1.5.0/go.mod h1:QMKFL0NUySbpZJ1UZs3oFAmdvVxhhxB6eJ/Vlp73dfg= +cloud.google.com/go/servicedirectory v1.6.0/go.mod h1:pUlbnWsLH9c13yGkxCmfumWEPjsRs1RlmJ4pqiNjVL4= +cloud.google.com/go/servicemanagement v1.4.0/go.mod h1:d8t8MDbezI7Z2R1O/wu8oTggo3BI2GKYbdG4y/SJTco= +cloud.google.com/go/serviceusage v1.3.0/go.mod 
h1:Hya1cozXM4SeSKTAgGXgj97GlqUvF5JaoXacR1JTP/E= +cloud.google.com/go/shell v1.3.0/go.mod h1:VZ9HmRjZBsjLGXusm7K5Q5lzzByZmJHf1d0IWHEN5X4= cloud.google.com/go/speech v1.6.0/go.mod h1:79tcr4FHCimOp56lwC01xnt/WPJZc4v3gzyT7FoBkCM= cloud.google.com/go/speech v1.7.0/go.mod h1:KptqL+BAQIhMsj1kOP2la5DSEEerPDuOP/2mmkhHhZQ= +cloud.google.com/go/speech v1.8.0/go.mod h1:9bYIl1/tjsAnMgKGHKmBZzXKEkGgtU+MpdDPTE9f7y0= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= 
@@ -173,19 +255,34 @@ cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RX cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y= cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeLgDvXzfIXc= +cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s= cloud.google.com/go/storage v1.28.0 h1:DLrIZ6xkeZX6K70fU/boWx5INJumt6f+nwwWSHXzzGY= cloud.google.com/go/storage v1.28.0/go.mod h1:qlgZML35PXA3zoEnIkiPLY4/TOkUleufRlu6qmcf7sI= +cloud.google.com/go/storagetransfer v1.5.0/go.mod h1:dxNzUopWy7RQevYFHewchb29POFv3/AaBgnhqzqiK0w= cloud.google.com/go/talent v1.1.0/go.mod h1:Vl4pt9jiHKvOgF9KoZo6Kob9oV4lwd/ZD5Cto54zDRw= cloud.google.com/go/talent v1.2.0/go.mod h1:MoNF9bhFQbiJ6eFD3uSsg0uBALw4n4gaCaEjBw9zo8g= +cloud.google.com/go/talent v1.3.0/go.mod h1:CmcxwJ/PKfRgd1pBjQgU6W3YBwiewmUzQYH5HHmSCmM= +cloud.google.com/go/texttospeech v1.4.0/go.mod h1:FX8HQHA6sEpJ7rCMSfXuzBcysDAuWusNNNvN9FELDd8= +cloud.google.com/go/tpu v1.3.0/go.mod h1:aJIManG0o20tfDQlRIej44FcwGGl/cD0oiRyMKG19IQ= +cloud.google.com/go/trace v1.3.0/go.mod h1:FFUE83d9Ca57C+K8rDl/Ih8LwOzWIV1krKgxg6N0G28= +cloud.google.com/go/translate v1.3.0/go.mod h1:gzMUwRjvOqj5i69y/LYLd8RrNQk+hOmIXTi9+nb3Djs= +cloud.google.com/go/video v1.8.0/go.mod h1:sTzKFc0bUSByE8Yoh8X0mn8bMymItVGPfTuUBUyRgxk= cloud.google.com/go/videointelligence v1.6.0/go.mod h1:w0DIDlVRKtwPCn/C4iwZIJdvC69yInhW0cfi+p546uU= cloud.google.com/go/videointelligence v1.7.0/go.mod h1:k8pI/1wAhjznARtVT9U1llUaFNPh7muw8QyOUpavru4= +cloud.google.com/go/videointelligence v1.8.0/go.mod h1:dIcCn4gVDdS7yte/w+koiXn5dWVplOZkE+xwG9FgK+M= cloud.google.com/go/vision v1.2.0/go.mod h1:SmNwgObm5DpFBme2xpyOyasvBc1aPdjvMk2bBk0tKD0= cloud.google.com/go/vision/v2 v2.2.0/go.mod h1:uCdV4PpN1S0jyCyq8sIM42v2Y6zOLkZs+4R9LrGYwFo= cloud.google.com/go/vision/v2 v2.3.0/go.mod 
h1:UO61abBx9QRMFkNBbf1D8B1LXdS2cGiiCRx0vSpZoUo= +cloud.google.com/go/vision/v2 v2.4.0/go.mod h1:VtI579ll9RpVTrdKdkMzckdnwMyX2JILb+MhPqRbPsY= +cloud.google.com/go/vmmigration v1.2.0/go.mod h1:IRf0o7myyWFSmVR1ItrBSFLFD/rJkfDCUTO4vLlJvsE= +cloud.google.com/go/vpcaccess v1.4.0/go.mod h1:aQHVbTWDYUR1EbTApSVvMq1EnT57ppDmQzZ3imqIk4w= cloud.google.com/go/webrisk v1.4.0/go.mod h1:Hn8X6Zr+ziE2aNd8SliSDWpEnSS1u4R9+xXZmFiHmGE= cloud.google.com/go/webrisk v1.5.0/go.mod h1:iPG6fr52Tv7sGk0H6qUFzmL3HHZev1htXuWDEEsqMTg= +cloud.google.com/go/webrisk v1.6.0/go.mod h1:65sW9V9rOosnc9ZY7A7jsy1zoHS5W9IAXv6dGqhMQMc= +cloud.google.com/go/websecurityscanner v1.3.0/go.mod h1:uImdKm2wyeXQevQJXeh8Uun/Ym1VqworNDlBXQevGMo= cloud.google.com/go/workflows v1.6.0/go.mod h1:6t9F5h/unJz41YqfBmqSASJSXccBLtD1Vwf+KmJENM0= cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoISEXH2bcHC3M= +cloud.google.com/go/workflows v1.8.0/go.mod h1:ysGhmEajwZxGn1OhGOGKsTXc5PyxOc0vfKf5Af+to4M= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.0.0/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0 h1:sVW/AFBTGyJxDaMYlq0ct3jUXTtj12tQ6zE2GZUgVQw= 
@@ -230,8 +327,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DataDog/datadog-go v3.2.0+incompatible h1:qSG2N4FghB1He/r2mFrWKCaL7dXCilEuNEeAn20fdD4= github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= -github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.0 h1:yVfnW2IL8ta7g5q7cPh6CHH5ukyP+Jfk1XCAGo7uF20= -github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.0/go.mod h1:zidPvCHZ3cYESz8ghadYeGOSRJFjcU9k43vUJLvQIcI= +github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.1 h1:h1qByrLm6Q80nfvIGE5FHdJbvGloDOagO6o0N6QGPkk= +github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.1/go.mod h1:n3KDPrdaY2p9Nr0B1allAdjYArwIpXQcitNbsS/Qiok= github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc= 
@@ -372,7 +469,7 @@ github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= -github.com/coreos/go-systemd/v22 v22.4.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= @@ -1083,6 +1180,7 @@ github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/yusufpapurcu/wmi v1.2.2 h1:KBNDSne4vP5mbSWnJbO+51IMOXJB67QiYCSBrubbPRg= github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= github.com/zeebo/errs v1.2.2/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= 
@@ -1267,7 +1365,9 @@ golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220617184016-355a448f1bc9/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.0.0-20221012135044-0b7e1fb9d458/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.0.0-20221014081412-f15817d10f9b h1:tvrvnPFcdzp294diPnrdZZZ8XUt2Tyj7svb7X52iDuU= golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= @@ -1294,6 +1394,7 @@ golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7Lm golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.0.0-20221006150949-b44042a4b9c1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 h1:nt+Q6cXKz4MosCSpnbMtqiQ8Oz0pxTef2B4Vca2lvfk= golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -1308,6 +1409,7 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -1408,6 +1510,7 @@ golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -1427,6 +1530,7 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -1434,7 +1538,6 @@ golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.2.0 h1:52I/1L54xyEQAYdtcSuxtiT84KGYTBGXwayxmIpNJhE= golang.org/x/time v0.2.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -1568,7 +1671,9 @@ google.golang.org/api v0.95.0/go.mod h1:eADj+UBuxkh5zlrSntJghuNeg8HwQ1w5lTKkuqaE google.golang.org/api v0.96.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= google.golang.org/api v0.97.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= google.golang.org/api v0.98.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= +google.golang.org/api v0.99.0/go.mod h1:1YOf74vkVndF7pG6hIHuINsM7eWwpVTAfNMNiL91A08= google.golang.org/api v0.100.0/go.mod h1:ZE3Z2+ZOr87Rx7dqFsdRQkRBk36kDtp/h+QpHbB7a70= +google.golang.org/api v0.102.0/go.mod h1:3VFl6/fzoA+qNuS1N1/VfXY4LjoXN/wzeIp7TweWwGo= google.golang.org/api v0.103.0 h1:9yuVqlu2JCvcLg9p8S3fcFLZij8EPSyvODIY1rkMizQ= google.golang.org/api v0.103.0/go.mod h1:hGtW6nK1AC+d9si/UBhw8Xli+QMOf6xyNAyJw4qU9w0= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= 
@@ -1681,7 +1786,10 @@ google.golang.org/genproto v0.0.0-20220920201722-2b89144ce006/go.mod h1:ht8XFiar
 google.golang.org/genproto v0.0.0-20220926165614-551eb538f295/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI=
 google.golang.org/genproto v0.0.0-20220926220553-6981cbe3cfce/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI=
 google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e/go.mod h1:3526vdqwhZAwq4wsRUaVG555sVgsNmIjRtO7t/JH29U=
+google.golang.org/genproto v0.0.0-20221014173430-6e2ab493f96b/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM=
 google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM=
+google.golang.org/genproto v0.0.0-20221024153911-1573dae28c9c/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s=
+google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s=
 google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c h1:QgY/XxIAIeccR+Ca/rDdKubLIU9rcJ3xfy1DC/Wd2Oo=
 google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c/go.mod h1:CGI5F/G+E5bKwmfYo09AXuVN4dD894kIKUFmVbP2/Fo=
 google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
From 97112fb6522bfd60a5a2c54df3d3f59affa5136a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 21 Nov 2022 16:46:06 -0700
Subject: [PATCH 144/257] Bump google.golang.org/grpc from 1.50.1 to 1.51.0 (#3627)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.50.1 to 1.51.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.50.1...v1.51.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ...
Signed-off-by: dependabot[bot]
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/go.mod b/go.mod
index e1d30cb526..8dee97996c 100644
--- a/go.mod
+++ b/go.mod
@@ -69,7 +69,7 @@ require (
 golang.org/x/time v0.2.0
 google.golang.org/api v0.103.0
 google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c
- google.golang.org/grpc v1.50.1
+ google.golang.org/grpc v1.51.0
 google.golang.org/protobuf v1.28.1
 gopkg.in/square/go-jose.v2 v2.6.0
 k8s.io/api v0.25.4
diff --git a/go.sum b/go.sum
index 2799bb0f40..9eec3dcefb 100644
--- a/go.sum
+++ b/go.sum
@@ -1828,8 +1828,9 @@ google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACu
 google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
 google.golang.org/grpc v1.50.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
-google.golang.org/grpc v1.50.1 h1:DS/BukOZWp8s6p4Dt/tOaJaTQyPyOoCcrjroHuCeLzY=
 google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
+google.golang.org/grpc v1.51.0 h1:E1eGv1FTqoLIdnBCZufiSHgKjlqG6fKFf6pPWtMTh8U=
+google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/grpc/examples v0.0.0-20201130180447-c456688b1860/go.mod h1:Ly7ZA/ARzg8fnPU9TyZIxoz33sEUuWX7txiqs8lPTgE=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
From 6875464f227cb0036e81632a0556454317d73b96 Mon Sep 17 00:00:00 2001
From: Marcos Yacob
Date: Tue, 22 Nov 2022 16:39:30 -0300
Subject: [PATCH 145/257] Add markdown lint (#3494)
Signed-off-by: Marcos Yacob --- .github/workflows/pr_build.yaml | 2 +- .github/workflows/release_build.yaml | 2 +- .markdownlint.yaml | 7 + ADOPTERS.md | 102 ++++----- CHANGELOG.md | 123 +++++++++- CODE-OF-CONDUCT.md | 8 +- CONTRIBUTING.md | 68 +++--- MAINTAINERS.md | 29 ++- Makefile | 7 +- README.md | 7 +- ROADMAP.md | 18 +- conf/agent/agent.conf | 9 - conf/server/server.conf | 5 - doc/SPIRE101.md | 215 ++++++++++-------- doc/auditlog.md | 4 +- doc/authorization_policy_engine.md | 99 ++++---- doc/changelog_guidelines.md | 7 + doc/plugin_agent_keymanager_disk.md | 12 +- doc/plugin_agent_nodeattestor_aws_iid.md | 7 +- doc/plugin_agent_nodeattestor_azure_msi.md | 12 +- doc/plugin_agent_nodeattestor_gcp_iit.md | 4 +- doc/plugin_agent_nodeattestor_k8s_psat.md | 14 +- doc/plugin_agent_nodeattestor_k8s_sat.md | 6 +- doc/plugin_agent_nodeattestor_sshpop.md | 6 +- doc/plugin_agent_nodeattestor_tpm_devid.md | 42 ++-- doc/plugin_agent_nodeattestor_x509pop.md | 18 +- ...ugin_agent_svidstore_aws_secretsmanager.md | 31 ++- ...lugin_agent_svidstore_gcp_secretmanager.md | 45 ++-- doc/plugin_agent_workloadattestor_docker.md | 33 +-- doc/plugin_agent_workloadattestor_k8s.md | 24 +- doc/plugin_agent_workloadattestor_unix.md | 10 +- doc/plugin_agent_workloadattestor_windows.md | 15 +- doc/plugin_server_datastore_sql.md | 26 ++- doc/plugin_server_keymanager_aws_kms.md | 48 ++-- doc/plugin_server_keymanager_disk.md | 12 +- doc/plugin_server_nodeattestor_aws_iid.md | 18 +- doc/plugin_server_nodeattestor_azure_msi.md | 28 +-- doc/plugin_server_nodeattestor_gcp_iit.md | 7 +- doc/plugin_server_nodeattestor_jointoken.md | 4 +- doc/plugin_server_nodeattestor_k8s_psat.md | 9 +- doc/plugin_server_nodeattestor_k8s_sat.md | 15 +- doc/plugin_server_nodeattestor_sshpop.md | 14 +- doc/plugin_server_nodeattestor_tpm_devid.md | 48 ++-- doc/plugin_server_nodeattestor_x509pop.md | 25 +- doc/plugin_server_notifier_gcs_bundle.md | 4 +- doc/plugin_server_notifier_k8sbundle.md | 17 +- 
...plugin_server_upstreamauthority_aws_pca.md | 2 +- ...ugin_server_upstreamauthority_awssecret.md | 8 +- ...n_server_upstreamauthority_cert_manager.md | 9 +- doc/plugin_server_upstreamauthority_disk.md | 2 +- ...plugin_server_upstreamauthority_gcp_cas.md | 16 +- doc/plugin_server_upstreamauthority_spire.md | 4 +- doc/plugin_server_upstreamauthority_vault.md | 32 +-- doc/scaling_spire.md | 31 +-- doc/spire_agent.md | 18 +- doc/spire_server.md | 12 +- doc/telemetry.md | 60 ++--- doc/telemetry_config.md | 21 +- doc/upgrading.md | 13 ++ examples/README.md | 2 +- release/posix/spire-extras/README.md | 4 +- release/posix/spire/README.md | 6 +- release/windows/spire-extras/README.md | 4 +- release/windows/spire/README.md | 6 +- support/k8s/k8s-workload-registrar/README.md | 14 +- .../k8s-workload-registrar/mode-crd/README.md | 118 ++++++---- support/oidc-discovery-provider/README.md | 18 +- .../windows-workload-attestor/README.md | 1 - .../suites/envoy-sds-v3-spiffe-auth/README.md | 2 - .../suites/node-attestation/README.md | 1 - .../upstream-authority-cert-manager/README.md | 1 - 71 files changed, 958 insertions(+), 713 deletions(-) create mode 100644 .markdownlint.yaml diff --git a/.github/workflows/pr_build.yaml b/.github/workflows/pr_build.yaml index 8d928aecb5..eaa3d9ee5b 100644 --- a/.github/workflows/pr_build.yaml +++ b/.github/workflows/pr_build.yaml @@ -379,7 +379,7 @@ jobs: mingw-w64-x86_64-toolchain unzip - name: Lint - run: make lint + run: make lint-code - name: Tidy check run: make tidy-check - name: Generate check diff --git a/.github/workflows/release_build.yaml b/.github/workflows/release_build.yaml index db6b3f4c9b..fc9555679f 100644 --- a/.github/workflows/release_build.yaml +++ b/.github/workflows/release_build.yaml @@ -388,7 +388,7 @@ jobs: mingw-w64-x86_64-toolchain unzip - name: Lint - run: make lint + run: make lint-code - name: Tidy check run: make tidy-check - name: Generate check 
diff --git a/.markdownlint.yaml b/.markdownlint.yaml new file mode 100644 index 0000000000..b6f65f9276 --- /dev/null +++ b/.markdownlint.yaml @@ -0,0 +1,7 @@ +MD013: false +# We are not interested on requesting output when using "$" on shell documentation +MD014: false +MD024: + siblings_only: true +# we use emphasis on all node attestors +MD036: false diff --git a/ADOPTERS.md b/ADOPTERS.md index f5d6f3cd54..4f449106b1 100644 --- a/ADOPTERS.md +++ b/ADOPTERS.md @@ -1,35 +1,37 @@ +# Adopters + ## End users -Known end users with notable contributions to the advancement of the project include: +Known end users with notable contributions to the advancement of the project include: * Anthem -* Bloomberg -* ByteDance +* Bloomberg +* ByteDance * Duke Energy * GitHub * Netflix * Niantic -* Pinterest +* Pinterest * Square -* Twilio +* Twilio * Uber * Unity Technologies * Z Lab Corporation -SPIFFE and SPIRE are being used by numerous other companies, both large and small, to build higher layer products and services. The list includes but is not limited to: +SPIFFE and SPIRE are being used by numerous other companies, both large and small, to build higher layer products and services. The list includes but is not limited to: * Amazon * Arm -* Cisco -* Decipher Technology Studios -* F5 Networks -* HashiCorp +* Cisco +* Decipher Technology Studios +* F5 Networks +* HashiCorp * Hewlett Packard Enterprise -* Intel -* Google -* IBM +* Intel +* Google +* IBM * SAP -* Tigera +* Tigera * TestifySec * Transferwise * VMware 
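Review bot: In the new `.markdownlint.yaml`, `MD013: false` and the `MD024` block carry no comment, while MD014 and MD036 each explain why the rule is relaxed. I would add `# Line length is not enforced` above `MD013: false` and `# CHANGELOG.md repeats headings such as "Added" under every release, so only sibling duplicates are flagged` above `MD024:`. The existing MD014 comment would read more clearly as `# We do not require command output to be shown when "$" is used in shell examples`.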
@@ -38,70 +40,64 @@ SPIFFE and SPIRE are being used by numerous other companies, both large and smal SPIFFE and SPIRE have integrations available with a number of open-source projects. The list includes but is not limited to: -* [App Mesh Controller](https://github.com/aws/aws-app-mesh-controller-for-k8s) +* [App Mesh Controller](https://github.com/aws/aws-app-mesh-controller-for-k8s) * [Athenz](https://github.com/yahoo/athenz) -* [Cert-Manager](https://github.com/cert-manager/csi-driver-spiffe) -* [Consul](https://github.com/hashicorp/consul) -* [Dapr](https://github.com/dapr) -* [Docker](https://github.com/containerd/containerd) -* [Emissary](https://github.com/github/emissary) -* [Envoy](https://github.com/envoyproxy/envoy) -* [Ghostunnel](https://github.com/square/ghostunnel) -* [gRPC](https://pkg.go.dev/github.com/spiffe/go-spiffe/v2/examples/spiffe-grpc) -* [Hamlet](https://github.com/vmware/hamlet) -* [Istio](https://github.com/istio/istio) -* [Knox](https://github.com/pinterest/knox) -* [Kubernetes](https://github.com/kubernetes/kubernetes) -* [NGINX](http://hg.nginx.org/nginx/) -* [Parsec](https://github.com/parallaxsecond/parsec) -* [Sigstore](https://github.com/sigstore/fulcio) -* [Tekton](https://github.com/tektoncd/chains) -* [Tornjak](https://github.com/spiffe/tornjak) - +* [Cert-Manager](https://github.com/cert-manager/csi-driver-spiffe) +* [Consul](https://github.com/hashicorp/consul) +* [Dapr](https://github.com/dapr) +* [Docker](https://github.com/containerd/containerd) +* [Emissary](https://github.com/github/emissary) +* [Envoy](https://github.com/envoyproxy/envoy) +* [Ghostunnel](https://github.com/square/ghostunnel) +* [gRPC](https://pkg.go.dev/github.com/spiffe/go-spiffe/v2/examples/spiffe-grpc) +* [Hamlet](https://github.com/vmware/hamlet) +* [Istio](https://github.com/istio/istio) +* [Knox](https://github.com/pinterest/knox) +* [Kubernetes](https://github.com/kubernetes/kubernetes) +* [NGINX](http://hg.nginx.org/nginx/) +* 
[Parsec](https://github.com/parallaxsecond/parsec) +* [Sigstore](https://github.com/sigstore/fulcio) +* [Tekton](https://github.com/tektoncd/chains) +* [Tornjak](https://github.com/spiffe/tornjak) ## Case Studies/User Stories * Amazon Web Services blogs about using mTLS with SPIFFE/SPIRE in AWS App Mesh on Amazon EKS -https://aws.amazon.com/blogs/containers/using-mtls-with-spiffe-spire-in-app-mesh-on-eks/ + * Anthem writes about developing a zero trust framework at Anthem Using SPIFFE and SPIRE: -https://upshotstories.com/stories/developing-a-zero-trust-framework-at-anthem-using-spiffe-and-spire + * ARM and VMware showcase hardware backed security for multi-tenancy at the Edge with SPIFFE & PARSEC -https://www.youtube.com/watch?v=-I_rCKMyY7Y + * Bloomberg talks about TPM node attestation with SPIRE: -https://youtu.be/30S0sKRxzjM + * Coinbase details Container Technologies part of their stack: -https://blog.coinbase.com/container-technologies-at-coinbase-d4ae118dcb6c + -* Duke Energy describes securing the Microgrid using SPIFFE and SPIRE with TPMs -https://www.distributech.com/distributech-international-2022-conference-sessions/achieving-the-promise-of-grid-security-with-openfmb-and-cybersecurity-zero-trust-best-practices +* Duke Energy describes securing the Microgrid using SPIFFE and SPIRE with TPMs + * NGINX/F5 on how NGINX service mesh leverages SPIFFE and SPIRE -https://youtu.be/plRkDK5xFpM + * Styra demonstrates fortifying microservices with SPIRE and OPA -https://www.youtube.com/watch?v=iQ5ctLQswUc + * Square talks about how Square uses SPIFFE and SPIRE to secure communications across hybrid infrastructure services: -https://youtu.be/H5IlmYmEDKk?t=2585 + * Square describes how they provide mTLS identities to Lambdas using SPIFFE and SPIRE -https://developer.squareup.com/blog/providing-mtls-identities-to-lambdas/ + * Tigera demonstrates how Calico, Envoy and SPIRE are used to deliver unified Layer 4 and Layer 7 authorization policies: 
-https://youtu.be/H5IlmYmEDKk?t=7812 - -* Uber talks about integrating SPIRE with workload schedulers: -https://youtu.be/H5IlmYmEDKk?t=4703 - - + +* Uber talks about integrating SPIRE with workload schedulers: + ## Adding a name -If you would like to add your name to this file, submit a pull request with your change. - - +If you would like to add your name to this file, submit a pull request with your change. diff --git a/CHANGELOG.md b/CHANGELOG.md index 6ec6405e67..797e72a2ae 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,23 +3,27 @@ ## [1.5.1] - 2022-11-08 ### Fixed + - The deprecated `default_svid_ttl` configurable is now correctly observed after fixing a regression introduced in 1.5.0 (#3583) ## [1.5.0] - 2022-11-02 ### Added + - X.509-SVID and JWT-SVID TTLs can now be configured separately at both the entry-level and Server default level (#3445) - Entry protobuf type in `/v1/entry` API includes new `jwt_svid_ttl` field (#3445) - `k8s-workload-registrar` and `oidc-discovery-provider` CLIs now print their version when the `-version` flag is set (#3475) - Support for customizing SPIFFE ID paths of SPIRE Agents attested with the `azure_msi` NodeAttestor plugin (#3488) -### Changed +### Changed + - Entry `ttl` protobuf field in `/v1/entry` API is renamed to `x509_ttl` (#3445) - External plugins can no longer be named `join_token` to avoid conflicts with the builtin plugin (#3469) - `spire-server run` command now supports DNS names for the configured bind address (#3421) - Documentation improvements (#3468, #3472, #3473, #3474, #3515) ### Deprecated + - `k8s-workload-registrar` is deprecated in favor of [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager) (#3526) - Server `default_svid_ttl` configuration field is deprecated in favor of `default_x509_svid_ttl` and `default_jwt_svid_ttl` fields (#3445) - `-ttl` flag in `spire-server entry create` and `spire-server entry update` commands is deprecated in favor of `-x509SVIDTTL` and `-jwtSVIDTTL` flags (#3445) 
@@ -27,20 +31,24 @@ - `InMem` telemetry collector is deprecated and no longer enabled by default (#3492) ### Removed + - NodeResolver plugin type and `azure_msi` builtin NodeResolver plugin (#3470) ## [1.4.5] - 2022-11-01 ### Security + - Updated to Go 1.19.3 to address CVE-2022-41716. This vulnerability only affects users configuring external Server or Agent plugins on Windows. ## [1.4.4] - 2022-10-05 ### Added + - Experimental support for limiting the number of SVIDs in the agent's cache (#3181) - Support for attesting Envoy proxy workloads when Istio is configured with holdApplicationUntilProxyStarts (#3460) ### Changed + - Improved bundle endpoint misconfiguration diagnostics (#3395) - OIDC Discovery Provider endpoint now has a timeout to read request headers (#3435) - Small documentation improvements (#3443) 
@@ -48,37 +56,45 @@ ## [1.4.3] - 2022-10-04 ### Security + - Updated minimum TLS version to 1.2 for the k8s-workload-registrar CRD mode webhook and the oidc-discovery-provider when using ACME ## [1.4.2] - 2022-09-07 ### Added + - The X509-SVID Subject field now contains a unique ID to satisfy RFC 5280 requirements (#3367) - Agents now shut down when banned (#3308) ### Changed + - Small documentation improvements (#3309, #3377) ## [1.4.1] - 2022-09-06 ### Security + - Updated to Go 1.18.6 to address CVE-2022-27664 ## [1.4.0] - 2022-08-08 -### Added +### Added + - Support for Windows workload attestation on Kubernetes (#3191) - Support for using RSA keys with Workload X509-SVIDs (#3237) - Support for anonymous authentication to the Kubelet secure port when performing workload attestation on Kubernetes (#3273) ### Deprecated + - The Node Resolver plugin type (#3272) ### Fixed + - Persistence of the can_reattest flag during agent SVID renewal (#3292) - A regression in behavior preventing an agent from re-attesting when it has been evicted (#3269) ### Changed + - The Azure Node Attestor to optionally provide selectors (#3272) - The Docker Workload Attestor now fails when configured with unknown options (#3243) - Improved CRI-O support with Kubernetes workload attestation (#3242) 
@@ -88,54 +104,65 @@ - Small documentation improvements (#3264) ### Removed + - The deprecated webhook mode from the k8s-workload-registrar (#3235) - Support for the configmap leader election lock type from the k8s-workload-registrar (#3241) ## [1.3.6] - 2022-11-01 ### Security + - Updated to Go 1.18.8 to address CVE-2022-41716. This vulnerability only affects users configuring external Server or Agent plugins on Windows. ## [1.3.5] - 2022-10-04 ### Security + - Updated minimum TLS version to 1.2 for the k8s-workload-registrar CRD mode webhook and the oidc-discovery-provider when using ACME ## [1.3.4] - 2022-09-06 ### Security + - Updated to Go 1.18.6 to address CVE-2022-27664 ## [1.3.3] - 2022-07-13 ### Security + - Updated to Go 1.18.4 to address CVE-2022-1705, CVE-2022-32148, CVE-2022-30631, CVE-2022-30633, CVE-2022-28131, CVE-2022-30635, CVE-2022-30632, CVE-2022-30630, and CVE-2022-1962. ## [1.3.2] - 2022-07-08 ### Added + - Support for K8s workload attestation when the Kubelet is run as a standalone component (#3163) - Optional health check endpoints to the OIDC Discovery Provider (#3151) - Pagination support to the server `entry show` command (#3135) ### Fixed + - A regression in workload SVID minting that caused DNS names not to be set in the SVID (#3215) - A regression in the server that caused a panic instead of a clean shutdown if a plugin was misconfigured (#3166) ### Changed + - Directories for UDS endpoints are no longer created by SPIRE on Windows (#3192) ## [1.3.1] - 2022-06-09 ### Added + - The `windows` workload attestor gained a new `sha256` selector that can attest the SHA256 digest of the workload binary (#3100) ### Fixed + - Database rows related to registration entries are now properly removed (#3127, #3132) - Agent reduces bandwidth use by requesting only required information when syncing with the server (#3123) - Issue with read-modify-write operations when using PostgreSQL datastore in hot standby mode (#3103) ### Changed + - 
FetchX509Bundles RPC no longer sends spurious updates that contain no changes (#3102) - Warn if the built-in `join_token` node attestor is attempted to be overridden by an external plugin (#3045) - Database connections are now proactively closed when SPIRE server is shut down (#3047) @@ -143,16 +170,19 @@ ## [1.3.0] - 2022-05-12 ### Added -- Experimental Windows support (https://github.com/spiffe/spire/projects/12) + +- Experimental Windows support () - Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (#3009, #3014, #3020, #3034) - Configurable leader election resource lock type for the K8s Workload Registrar (#3030) - Ability to fetch JWT SVIDs and JWT Bundles on behalf of workloads via the Delegated Identity API (#2789) - CanReattest flag to NodeAttestor responses to facilitate future features (#2646) ### Fixed + - Spurious message to STDOUT when there is no plugin_data section configured for a plugin (#2927) ### Changed + - SPIRE entries with malformed parent or SPIFFE IDs are removed on server startup (#2965) - SPIRE no longer prepends slashes to paths passed to the API when missing (#2963) - K8s Workload Registrar retries up to 5 seconds to connect to SPIRE Server (#2921) 
@@ -160,49 +190,59 @@ - Small documentation improvements (#2934, #2947, #3013) ### Deprecated + - The webhook mode for the K8s Workload Register has been deprecated (#2964) ## [1.2.5] - 2022-07-13 ### Security + - Updated to Go 1.17.12 to address CVE-2022-1705, CVE-2022-32148, CVE-2022-30631, CVE-2022-30633, CVE-2022-28131, CVE-2022-30635, CVE-2022-30632, CVE-2022-30630, and CVE-2022-1962. ## [1.2.4] - 2022-05-12 ### Added + - Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (#3009,#3014,#3020,#3034) ## [1.2.3] - 2022-04-12 ### Security + - Updated to Go 1.17.9 to address CVE-2022-24675, CVE-2022-28327, CVE-2022-27536 ## [1.2.2] - 2022-04-07 ### Added + - SPIRE Server and Agent log files can be rotated by sending the `SIGUSR2` signal to the process (#2703) - K8s Workload Registrar CRD mode now supports registering "downstream" workloads (#2885) - SPIRE can now be compiled on macOS machines with an Apple Silicon CPU (#2876) - Small documentation improvements (#2851) ### Changed + - SPIRE Server no longer sets the `DigitalSignature` KeyUsage bit in its CA certificate (#2896) ### Fixed + - The `k8sbundle` Notifier plugin in SPIRE Server no longer consumes excessive CPU cycles (#2857) ## [1.2.1] - 2022-03-16 ### Added + - The SPIRE Agent `fetch jwt` CLI command now supports JSON output (#2650) ### Changed + - OIDC Discovery Provider now includes the `alg` parameter in JWKs to increase compatibility (#2771) - SPIRE Server now gracefully stops plugin servers, allowing outstanding RPCs a chance to complete (#2722) - SPIRE Server logs additional authorization information with RPC requests (#2776) - Small documentation improvements (#2746, #2792) ### Fixed + - SPIRE Server now properly rotates signing keys when prepared or activated keys are lost from the database (#2770) - The AWS IID node attestor now works with instance profiles which have paths (#2825) - Fixed a crash in SPIRE Agent caused by a race on the agent cache (#2699) 
@@ -210,10 +250,12 @@ ## [1.2.0] - 2022-01-28 ### Added + - SPIRE Server can now be configured to mint agent SVIDs with a specific TTL (#2667) - A set of fixed admin SPIFFE IDs can now be configured in SPIRE Server (#2677) ### Changed + - Upstream signed CA chain is now validated to prevent misconfigurations (#2644) - Improved SVID signing logs to include more context (#2678) - The deprecated agent key file (`svid.key`) is no longer proactively removed by the agent (#2671) 
@@ -221,49 +263,58 @@ - SPIRE now consumes the SVIDStore V1 interface published in the SPIRE Plugin SDK (#2688) ### Deprecated + - API support for paths without leading slashes in `spire.api.types.SPIFFEID` messages has been deprecated (#2686, #2692) -- The SVIDStore V1 interface published in SPIRE repository has been renamed to `svidstore.V1Unofficial` and is now deprecated in favor of the interface published in the SPIRE Plugin SDK (#2688) +- The SVIDStore V1 interface published in SPIRE repository has been renamed to `svidstore.V1Unofficial` and is now deprecated in favor of the interface published in the SPIRE Plugin SDK (#2688) ### Removed + - The deprecated `domain` configurable has been removed from the SPIRE OIDC Discovery Provider (#2672) - The deprecated `allow_unsafe_ids` configurable has been removed from SPIRE Server (#2685) ## [1.1.5] - 2022-05-12 ### Added -- Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (#3009,#3014,#3020,#3034) +- Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (#3009,#3014,#3020,#3034) ## [1.1.4] - 2022-04-13 ### Security + - Updated to Go 1.17.9 to address CVE-2022-24675, CVE-2022-28327, CVE-2022-27536 ## [1.1.3] - 2022-01-07 ### Security + - Fixed CVE-2021-44716 ## [1.1.2] - 2021-12-15 ### Added + - SPIRE Agent now supports the Delegated Identity API for delegating SVID management to trusted platform components (#2481) - The K8s Workload Registrar now supports configuring DNS name templates (#2643) - SPIRE Server now logs a message when expired registration entries are pruned (#2637) - OIDC Discovery Provider now supports setting the `use` property on the JWKs it serves (#2634) ### Fixed + - SPIRE Agent now provides reason for failure during certain kinds of attestation errors (#2628) ## [1.1.1] - 2021-11-17 ### Added + - SPIRE Agent can now store SVIDs with Google Cloud Secrets Manager (#2595) ### Changed + - SPIRE Server downloads federated bundles a little sooner 
when federated relationships are added or updated (#2585) ### Fixed + - Fixed a regression in Percona XTRA DB Cluster support introduced in 0.12.2 (#2605) - Kubernetes Workload Attestation fixed for Kubernetes 1.21+ (#2600) - SPIRE Agent now retries failed removals of SVIDs stored by SVIDStore plugins (#2620) @@ -271,8 +322,9 @@ ## [1.1.0] - 2021-10-10 ### Added + - SPIRE images are now published to GitHub Container Registry. They will continue to be published to Google Container Registry over the course of the next release (#2576,#2580) -- SPIRE Server now implements the [TrustDomain API](https://github.com/spiffe/spire-api-sdk/blob/main/proto/spire/api/server/trustdomain/v1/trustdomain.proto) and related CLI commands (https://github.com/spiffe/spire/projects/11) +- SPIRE Server now implements the [TrustDomain API](https://github.com/spiffe/spire-api-sdk/blob/main/proto/spire/api/server/trustdomain/v1/trustdomain.proto) and related CLI commands () - The SVIDStore plugin type has been introduced to enable, amongst other things, agentless workload scenarios (#2176,#2483) - The TPM DevID Node Attestor emits a new `issuer:cn` selector with the common name of the issuing certificate (#2581) - The K8s Bundle Notifier plugin now supports pushing the bundle to resources in multiple clusters (#2531) 
@@ -281,13 +333,15 @@ - The GCP CAS UpstreamAuthority has a new `ca_pool` configurable to identify which CA pool the signing CA resides in (#2569) ### Changed + - With the GA release of GCP CAS, the UpstreamAuthority plugin now needs to know which pool the CA belongs to. If not configured, it will do a pessimistic scan of all pools to locate the correct CA. This scan will be removed in a future release (#2569) -- The K8s Workload Registrar now supports Kubernetes 1.22 (#2515,#2540) +- The K8s Workload Registrar now supports Kubernetes 1.22 (#2515,#2540) - Self-signed CA certificates serial numbers are now conformant to RFC 5280 (#2494) - The AWS KMS Key Manager plugin now creates keys with a very strict policy by default (#2424) - The deprecated agent key file (`svid.key`) is proactively removed by the agent. It was only maintained to accomodate rollback from v1.0 to v0.12 (#2493) ### Removed + - Support for the deprecated Registration API has been removed (#2487) - Legacy (v0) plugin support has been removed. All plugins must now be authored using the plugin SDK. - The deprecated `service_account_whitelist` configurables have been removed from the SAT and PSAT Node Attestor plugins (#2543) @@ -295,6 +349,7 @@ - The deprecated `bundle_endpoint` and `registration_uds_path` configurables have been removed from SPIRE Server (#2486,#2519) ### Fixed + - The GCP CAS UpstreamAuthority now works with the GA release of GCP CAS (#2569) - Fixed a variety of issues with the scratch image, preparatory to publishing as the official image on GitHub Container Registry (#2582) - Kubernetes Workload Attestor now uses the canonical path for the service account token (#2583) 
@@ -305,16 +360,19 @@ ## [1.0.4] - 2022-05-13 ### Added + - Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (#3009,#3014,#3020,#3034) ## [1.0.3] - 2022-01-07 ### Security + - Fixed CVE-2021-44716 ## [1.0.2] - 2021-09-02 ### Added + - Experimental support for custom authorization policies based on Open Policy Agent (OPA) (#2416) - SPIRE Server can now be configured to emit audit logs (#2297, #2391, #2394, #2396, #2442, #2458) - Envoy SDS v3 API in agent now supports the SPIFFE Certificate Validator for federated SPIFFE authentication (#2435, #2460) @@ -326,18 +384,22 @@ - Improvements in logging of errors in peertracker (#2469) ### Changed + - CRD mode of the `k8s-workload-registrar` now uses SPIRE certificates for the validating webhook (#2321) - The `vault` UpstreamAuthority plugin now continues retrying to renew tokens on failures until the lease time is exceeded (#2445) ### Fixed + - Fixed a nil pointer dereference when the deprecated `allow_unsafe_ids` setting was configured (#2477) ### Deprecated + - The SPIRE OIDC Discovery Provider `domain` configurable has been deprecated in favor of `domains` (#2404) ## [1.0.1] - 2021-08-05 ### Added + - LDevID-based TPM attestation can now be performed via a new `tpm_devid` NodeAttestor plugin (#2111, #2427) - Caller details are now logged for unauthorized Server API calls (#2399) - The `aws_iid` NodeAttestor plugin now supports attesting nodes across multiple AWS accounts via AWS IAM role assumption (#2387) 
@@ -346,9 +408,11 @@ - SPIRE Server now logs a message on startup when configured TTL values may result in SVIDs with a shorter lifetime than expected (#2284) ### Changed + - Updated a trust domain validation error message to mention that underscores are valid trust domain characters (#2392) ### Fixed + - Fixed bugs that broke the ACME bundle endpoint when using the `aws_kms` KeyManager plugin (#2390, #2397) - Fixed a bug that resulted in SPIRE Agent sending unnecessary updates over the Workload API (#2305) - Fixed a bug in the `k8s_psat` NodeAttestor plugin that prevented it from being configured with kubeconfig files (#2421) @@ -356,6 +420,7 @@ ## [1.0.0] - 2021-07-08 ### Added + - The `vault` UpstreamAuthority plugin now supports Kubernetes service account authentication (#2356) - A new `cert-manager` UpstreamAuthority plugin is now available (#2274) - SPIRE Server CLI can now be used to ban agents (#2374) @@ -368,6 +433,7 @@ - Registration entries can now be queried/filtered by `federates_with` when calling the entry API (#1967) ### Changed + - SPIRE Server's SVID now uses the key type configured as `ca_key_type` (#2269) - Caller address is now logged for agent API calls resulting in an error (#2281) - Agent SVID renewals are now logged by the server at the INFO level (#2309) 
@@ -378,12 +444,14 @@ - SPIRE Agent default socket path is now `/tmp/spire-agent/public/api.sock` (#2075) ### Deprecated + - SPIRE Server federation configuration in the `federates_with` `bundle_endpoint` block is now deprecated (#2340) - SPIRE Server `gcp_iit` NodeAttestor configurable `projectid_whitelist` is deprecated in favor of `projectid_allow_list` (#2253) - SPIRE Server `k8s_sat` and `k8s_psat` NodeAttestor configurable `service_account_whitelist` is deprecated in favor of `service_account_allow_list` (#2253) - SPIRE Server `registration_uds_path`/`-registrationUDSPath` configurable and flag has been deprecated in favor of `socket_path`/`-socketPath` (#2075) ### Removed + - SPIRE Server no longer supports SPIFFE IDs with UTF-8 (#2368) - SPIRE Server no longer supports the legacy Node API (#2093) - SPIRE Server experimental configurable `allow_agentless_node_attestors` has been removed (#2098) @@ -396,6 +464,7 @@ - SPIRE Server bundle endpoint no longer supports TLS signature schemes utilizing non-SHA256 hashes when ACME is enabled (#2397) ### Fixed + - Fixed a bug that caused health check failures in agents that have registration entries describing them (#2370) - SPIRE Agent no longer logs a message when invoking a healthcheck via the CLI (#2058) - Fixed a bug that caused federation to fail when using ACME in conjunction with the `aws_kms` KeyManager plugin (#2390) 
@@ -403,21 +472,25 @@ ## [0.12.3] - 2021-05-17 ### Added + - The `k8s-workload-registrar` now supports federation (#2160) - The `k8s_bundle` notifier plugin can now keep API service CA bundles up to date (#2193) - SPIRE Server internal cache reload timing can now be tuned (experimental) (#2169) ### Changed + - Prometheus metrics that are emitted infrequently will no longer disappear after emission (#2239) - The `k8s-workload-registrar` now uses paging to support very large deployments of 10,000+ pods (#2227) ### Fixed + - Fixed a bug that sometimes caused newly attested agents to not receive their full set of selectors (#2242) - Fixed several bugs related to the handling of SPIRE Server API paging (#2251) ## [0.12.2] - 2021-04-14 ### Added + - Added `aws_kms` server KeyManager plugin that uses the AWS Key Management Service (KMS) (#2066) - Added `gcp_cas` UpstreamAuthority plugin that uses the Certificate Authority Service from Google Cloud Platform (#2172) - Improved error returned during attestation of agents (#2159) @@ -429,12 +502,14 @@ - Added logging when lookup of user by uid or group by gid fails in the `unix` WorkloadAttestor plugin (#2048) ### Changed + - The `k8s` WorkloadAttestor plugin now emits selectors for both image and image ID (#2116) - HTTP readiness endpoint on agent now checks the health of the Workload API (#2015, #2087) - SDS API in agent now returns an error if an SDS client requests resource names that don't exist (#2020) - Bundle and k8s-workload-registrar endpoints now only accept clients using TLS v1.2+ (#2025) ### Fixed + - Registration entry update handling in CRD mode of the k8s-workload-registrar to prevent unnecessary issuance of new SVIDs (#2155) - Failure to update CA bundle due to improper MySQL isolation level for read-modify-write operations (#2150) - Regression preventing agent selectors from showing in `spire-server agent show` command (#2133) 
@@ -445,6 +520,7 @@ ## [0.12.1] - 2021-03-04 ### Security + - Fixed CVE-2021-27098 - Fixed CVE-2021-27099 - Fixed file descriptor leak in peertracker @@ -452,6 +528,7 @@ ## [0.12.0] - 2020-12-17 ### Added + - Debug endpoints (#1792) - Agent support for SDS v3 API (#1906) - Improved metrics handling (#1885, #1925, #1932) @@ -466,19 +543,23 @@ - Added `k8s_psat:agent_node_ip` selector (#1979) ### Changed + - The agent now shuts down when it is no longer attested (#1797) - Internals now rely on new server APIs (#1849, #1878, #1907, #1908, #1909, #1913, #1947, #1982, #1998, #2001) - Workload API now returns a standardized JWKS object (#1904) - Log message casing and punctuation are more consistent with project guidelines (#1950, #1952) ### Deprecated + - The Registration and Node APIs are deprecated, and a warning is logged on use (#1997) - The `registration_api` configuration section is deprecated in favor of `server_api` in the k8s-workload-registrar (#2001) ### Removed + - Removed some superfluous or otherwise unusable metrics and labels (#1881, #1946, #2004) ### Fixed + - Fixed CLI exit codes when entry create or update fails (#1990) - Fixed a bug that could cause external plugins to become orphaned processes after agent/server shutdown (#1962) - Fixed handling of the Vault PKI certificate chain (#2012, #2017) @@ -486,11 +567,13 @@ - Fixed Registration API to validate selector syntax (#1919) ### Security + - JWT-SVIDs that fail validation are no longer logged (#1953) ## [0.11.3] - 2021-03-04 ### Security + - Fixed CVE-2021-27098 - Fixed CVE-2021-27099 - Fixed file descriptor leak in peertracker 
@@ -498,9 +581,11 @@ ## [0.11.2] - 2020-10-29 ### What's New - - Error messages related to a specific class of software bugs are now rate limited (#1901) + +- Error messages related to a specific class of software bugs are now rate limited (#1901) ### What's Changed + - Fixed an issue in the Upstream Authority plugin that could result in a delay in the propagation of bundle updates/changes (#1917) - Fixed error messages when attestation is disabled (#1899) - Fixed some incorrectly-formatted log messages (#1920) 
@@ -508,24 +593,27 @@ ## [0.11.1] - 2020-09-29 ### What's New + - Added AWS PCA configurable allowing operators to provide additional CA certificates for inclusion in the bundle (#1574) - Added a configurable to server for disabling rate limiting of node attestation requests (#1794, #1870) ### What's Changed + - Fixed Kubernetes Workload Registrar issues (#1814, #1818, #1823) - Fixed BatchCreateEntry return value to match docs, returning the contents of an entry if it already exists (#1824) - Fixed issue preventing brand new deployments from downgrading successfully (#1829) - Fixed a regression introduced in 0.11.0 that caused external node attestor plugins that rely on binary data to fail (#1863) - ## [0.11.0] - 2020-08-28 ### What's New + - Introduced refactored server APIs (#1533, #1548, #1563, #1567, #1568, #1571, #1575, #1576, #1577, #1578, #1582, #1585, #1586, #1587, #1588, #1589, #1590, #1591, #1592, #1593, #1594, #1595, #1597, #1604, #1606, #1607, #1613, #1615, #1617, #1622, #1623, #1628, #1630, #1633, #1641, #1643, #1646, #1647, #1654, #1659, #1667, #1673, #1674, #1683, #1684, #1689, #1690, #1692, #1693, #1694, #1701, #1708, #1727, #1728, #1730, #1733, #1734, #1739, #1749, #1753, #1768, #1772, #1779, #1783, #1787, #1788, #1789, #1790, #1791) - Unix workloads can now be attested using auxiliary group membership (#1771) - The Kubernetes Workload Registrar now supports two new registration modes (`crd` and `reconcile`) ### What's Changed + - Federation is now a stable feature (#1656, #1737, #1777) - Removed support for the `UpstreamCA` plugin, which was deprecated in favor of the `UpstreamAuthority` plugin in v0.10.0 (#1699) - Removed deprecated `upstream_bundle` server configurable. The server now always use the upstream bundle as the trust bundle (#1702) 
@@ -538,22 +626,26 @@ ## [0.10.2] - 2021-03-04 ### Security + - Fixed CVE-2021-27098 - Fixed file descriptor leak in peertracker ## [0.10.1] - 2020-06-23 ### What's New + - `vault` as Upstream Authority built-in plugin (#1611, #1632) - Improved configuration file docs to list all possible configuration settings (#1608, #1618) ### What's Changed + - Improved container ID parsing from cgroup path in the `docker` workload attestor plugin (#1605) - Improved container ID parsing from cgroup path in the `k8s` workload attestor plugin (#1649) - Envoy SDS support is now always on (#1579) - Errors on agent SVID rotation are now fatal if the agent's current SVID has expired, forcing an agent restart (#1584) ## [0.10.0] - 2020-04-22 + - Added support for JWT-SVID in nested SPIRE topologies (#1388, #1394, #1396, #1406, #1409, #1410, #1411, #1415, #1416, #1417, #1423, #1440, #1455, #1458, #1469, #1476) - Reduced database load under certain configurations (#1439) - Agent now proactively rotates workload SVIDs in response to registration updates (#1441, #1477) @@ -578,10 +670,12 @@ ## [0.9.4] - 2021-03-04 ### Security + - Fixed CVE-2021-27098 - Fixed file descriptor leak in peertracker ## [0.9.3] - 2020-03-05 + - Significantly reduced the server's database load (#1350, #1355, #1397) - Improved consistency in SVID propagation time for some cases (#1352) - AWS IID node attestor now supports the v2 metadata service (#1369) 
@@ -592,11 +686,13 @@ - Registration API now has an RPC for listing entries that supports paging (#1392) ## [0.9.2] - 2020-01-14 + - Fixed a crash when a key protecting the bundle endpoint is removed (#1326) - Bundle endpoint client now supports Web-PKI authenticated endpoints (#1327) - SPIRE now warns if the CA TTL will result in shorter-than-expected SVID lifetimes (#1294) ## [0.9.1] - 2019-12-19 + - Agent cache file writes are now atomic, more resilient (#1267) - Introduced Google Cloud Storage bundle notifier plugin for server (#1227) - Server and agent now detect unknown configuration options in supported blocks (#1289, #1299, #1306, #1307) @@ -608,6 +704,7 @@ - KeyManager "disk" now emits a friendly error when directory option is missing (#1313) ## [0.9.0] - 2019-11-14 + - Users can now opt-out of workload executable hashing when enabling the workload path as a selector (#1078) - Added M3 support to telemetry and other telemetry and logging improvements (#1059, #1085, #1086, #1094, #1102, #1122,#1138,#1160,#1186,#1208) - SQL auto-migration can be disabled (#1089) @@ -629,19 +726,23 @@ ## [0.8.5] - 2021-03-04 ### Security + - Fixed CVE-2021-27098 - Fixed file descriptor leak in peertracker ## [0.8.4] - 2019-10-28 + - Fixed spurious agent synchronization failures during agent SVID rotation (#1084) - Added support for [Kind](https://kind.sigs.k8s.io) to the Kubernetes Workload Attestor (#1133) - Added support for ACME v2 to the bundle endpoint (#1187) - Fixed a bug that could result in agent crashes after upgrading to 0.8.2 or newer (#1194) ## [0.8.3] - 2019-10-18 + - Upgrade to Go 1.12.12 in response to CVE-2019-17596 (#1204) ## [0.8.2] - 2019-10-10 + - Connection pool details in SQL DataStore plugin are now configurable (#1028) - SQL DataStore plugin now emits telemetry (#998) - The SPIFFE bundle endpoint now supports serving Web PKI via ACME (#1029) 
@@ -655,6 +756,7 @@ - Fix bug that resulted in authorized workloads being denied SVIDs (#1103) ## [0.8.1] - 2019-07-19 + - Failure to obtain peer information from a Workload API connection no longer brings down the agent (#946) - Agent now detects expired cached SVID when it starts and will attempt to re-attest instead of failing (#1000) - GCP IIT-based node attestation produces selectors for the project, zone, instance name, tags, service accounts, metadata and labels (#969, #1006, #1012) @@ -683,6 +785,7 @@ - Logs can now be emitted in JSON format (#866) ## [0.8.0] - 2019-05-20 + - Fix a bug in which the agent periodically logged connection errors (#906) - Kubernetes SAT node attestor now supports the TokenReview API (#904) - Agent cache refactored to improve memory management and fix a leak (#863) @@ -713,6 +816,7 @@ - UpstreamCA "disk" now supports loading multiple key types (#717) ## [0.7.3] - 2019-02-11 + - Agent can now expose Envoy SDS API for TLS certificate installation rotation (#667) - Agent now automatically creates its configured data dir if it doesn't exist (#678) - Agent panic fixed in the event that rotation is attempted from non-attested node (#684) @@ -787,7 +891,6 @@ - Config file updates so spire commands can be run from any CWD (#541) - Minor doc/example fixes (#535) - ## [0.6.0] - 2018-06-26 - Added GCP Instance Identity Token (IIT) node attestation. diff --git a/CODE-OF-CONDUCT.md b/CODE-OF-CONDUCT.md index b4a0371d7e..6ef132aba5 100644 --- a/CODE-OF-CONDUCT.md +++ b/CODE-OF-CONDUCT.md 
@@ -1,8 +1,10 @@ -### Contributor Code of Conduct +# Code of Conduct + +## Contributor Code of Conduct We follow the [CNCF Contributor Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md). Additionally, we commit to the following guidelines as detailed on the [SPIFFE Code of Conduct](https://github.com/spiffe/spiffe/blob/main/CODE-OF-CONDUCT.md): -### Community Guidelines +## Community Guidelines - Our goal is to foster an inclusive and diverse community of technology enthusiasts. @@ -14,6 +16,6 @@ We follow the [CNCF Contributor Code of Conduct](https://github.com/cncf/foundat - We do our best to avoid [subtle-isms](https://www.recurse.com/manual#sub-sec-social-rules): small actions that make others feel uncomfortable. If you witness a subtle-ism, you may respectfully point it out to the person publicly or privately, or you may ask a moderator to say something. Accidentally saying something biased is common, expected, and readily forgiven. It is not in and of itself a bannable offense. -### Moderation +## Moderation - If you feel any of SPIFFE's Slack channels require moderation, please e-mail [SPIFFE's Technical Steering Committee (TSC)](mailto:tsc@spiffe.io). The TSC will issue a warning to users who don't follow this code of conduct. A second offense results in a temporary ban. A third offense warrants a permanent ban. It is at the moderator's discretion to un-ban offending users, or to immediately ban a toxic user without warning. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 14b489e3e2..fb95a345ca 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,4 +1,6 @@ -# Contributor guidelines and Governance +# Contributing + +## Contributor guidelines and Governance Please see [CONTRIBUTING](https://github.com/spiffe/spiffe/blob/main/CONTRIBUTING.md) 
@@ -6,20 +8,19 @@ and [GOVERNANCE](https://github.com/spiffe/spiffe/blob/main/GOVERNANCE.md) from the SPIFFE project. -# Prerequisites +## Prerequisites For basic development you will need: -* **Go 1.11** or higher (https://golang.org/dl/) +* **Go 1.11** or higher () For development that requires changes to the gRPC interfaces you will need: -* The protobuf compiler (https://github.com/google/protobuf) -* The protobuf documentation generator (https://github.com/pseudomuto/protoc-gen-doc) +* The protobuf compiler () +* The protobuf documentation generator () * protoc-gen-go and protoc-gen-spireplugin (`make utils`) - -# Building +## Building Since go modules are used, this repository can live in any folder on your local disk (it is not required to be in GOPATH). @@ -38,20 +39,20 @@ The Makefile takes care of installing the required toolchain as needed. The toolchain and other build related files are cached under the `.build` folder (ignored by git). -## Development in Docker +### Development in Docker You can either build SPIRE on your host or in a Ubuntu docker container. In both cases you will use the same Makefile commands. To build SPIRE within a container, first build the development image: -``` +```shell $ make dev-image ``` Then launch a shell inside of development container: -``` +```shell $ make dev-shell ``` 
@@ -59,17 +60,17 @@ Because the docker container shares the `.build` cache and `$GOPATH/pkg/mod` you will not have to re-install the toolchain or go dependencies every time you run the container. -# Conventions +## Conventions In addition to the conventions covered in the SPIFFE project's [CONTRIBUTING](https://github.com/spiffe/spiffe/blob/main/CONTRIBUTING.md), the following conventions apply to the SPIRE repository: -## SQL Plugin Changes +### SQL Plugin Changes Datastore changes must be present in at least one full minor release cycle prior to introducing code changes that depend on them. -## Directory layout +### Directory layout `/cmd/{spire-server,spire-agent}/` @@ -94,7 +95,7 @@ gRPC .proto files, their generated .pb.go, and README_pb.md. The protobuf package names should be `spire.{server,agent,api,common}.` and the go package name should be specified with `option go_package = "";` -## Interfaces +### Interfaces Packages should be exported through interfaces. Interaction with packages must be done through these interfaces @@ -102,7 +103,7 @@ interfaces Interfaces should be defined in their own file, named (in lowercase) after the name of the interface. eg. `foodata.go` implements `type FooData interface{}` -## Metrics +### Metrics As much as possible, label names should be constants defined in the `telemetry` package. Additionally, specific metrics should be centrally defined in the `telemetry` package or its subpackages. Functions @@ -111,13 +112,13 @@ The metrics emitted by SPIRE are listed in the [telemetry document](doc/telemetr In addition, metrics should be unit-tested where reasonable. -### Count in Aggregate +#### Count in Aggregate Event count metrics should aggregate where possible to reduce burden on metric sinks, infrastructure, and consumers. That is, instead of: -``` +```go for ... { if ... { foo.Bar = X @@ -130,7 +131,7 @@ for ... { Change to this instead: -``` +```go updateCount := 0 notUpdatedCount := 0 for ... { 
@@ -149,16 +150,18 @@ telemetry.FooNotUpdatedCount(notUpdatedCount) Labels added to metrics must be singular only; that is: -- the value of a metrics label must not be an array or slice, and a label of some name must only be added +* the value of a metrics label must not be an array or slice, and a label of some name must only be added once. Failure to follow this will make metrics less usable for non-tagging metrics libraries such as `statsd`. As counter examples, DO NOT do the following: -``` + +```go []telemetry.Label{ {Name: "someName", "val1"}, {Name: "someName", "val2"}, } ``` -``` + +```go var callCounter telemetry.CallCounter ... callCounter.AddLabel("someName", "val1") @@ -166,12 +169,13 @@ callCounter.AddLabel("someName", "val1") callCounter.AddLabel("someName", "val2") ``` -- the existence of a metrics label is constant for all instances of a given metric. For some given metric A with +* the existence of a metrics label is constant for all instances of a given metric. For some given metric A with label X, label X must appear in every instance of metric A rather than conditionally. Failure to follow this will make metrics less usable for non-tagging metrics libraries such as `statsd`, and potentially break aggregation for tagging metrics libraries. As a counter example, DO NOT do the following: -``` + +```go var callCounter telemetry.CallCounter ... if caller != "" { @@ -182,8 +186,10 @@ if x > 5000 { callCounter.AddLabel("big_load", "true") } ``` + Instead, the following would be more acceptable: -``` + +```go var callCounter telemetry.CallCounter ... if caller != "" { @@ -199,7 +205,7 @@ if x > 5000 { } ``` -## Logs and Errors +### Logs and Errors Errors should start with lower case, and logged messages should follow standard casing. 
@@ -209,7 +215,7 @@ look for and hinders aggregation. Log messages and error messages should not end with periods. -## Mocks v.s. Fakes +### Mocks v.s. Fakes Unit tests should avoid mocks (e.g. those generated via go-mock) and instead prefer fake implementations. Mocks tend to be brittle as they encode specific @@ -223,13 +229,15 @@ implementation can easily serve the needs for an entire suite of tests and the behavior is in a centralized location when it needs to be updated. Fakes are also less inclined to be impacted by changes to usage patterns. -# Git hooks +## Git hooks We have checked in a pre-commit hook which enforces `go fmt` styling. Please install it before sending a pull request. From the project root: +```shell +$ ln -s .githooks/pre-commit .git/hooks/pre-commit ``` -ln -s .githooks/pre-commit .git/hooks/pre-commit -``` -# Reporting security vulnerabilities + +## Reporting security vulnerabilities + If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at security@spiffe.io. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively. diff --git a/MAINTAINERS.md b/MAINTAINERS.md index a7c8d6f1d3..516ed0250e 100644 --- a/MAINTAINERS.md +++ b/MAINTAINERS.md @@ -1,4 +1,5 @@ # SPIRE Maintainership Guidelines and Processes + This document captures the values, guidelines, and processes that the SPIRE project and its maintainers adhere to. All SPIRE maintainers, in their independent and individual capacity, agree to uphold and abide by the text contained herein. This process can be changed, either permanently or as a one-time exception, through an 80% supermajority maintainer vote. 
@@ -6,18 +7,22 @@ This process can be changed, either permanently or as a one-time exception, thro For a list of active SPIRE maintainers, please see the [CODEOWNERS](CODEOWNERS) file. ## General Governance + The SPIRE project abides by the same [governance procedures][1] as the SPIFFE project, and ultimately reports to the SPIFFE TSC the same way that the SPIFFE project and associated maintainers do. TSC members do not track day-to-day activity in the SPIFFE/SPIRE projects, and this should be considered when deciding to raise issues to them. While the SPIFFE TSC has the ultimate say, in practice they are only engaged upon serious maintainer disagreement. To say that this would be unprecedented is an understatement. ### Maintainer Responsibility + SPIRE maintainers adhere to the [requirements and responsibilities][2] set forth in the SPIFFE governance document. They further pledge the following: + * To act in the best interest of the project at all times. * To ensure that project development and direction is a function of community needs. * To never take any action while hesitant that it is the right action to take. * To fulfill the responsibilities outlined in this document and its dependents. ### Number of Maintainers + The SPIRE project keeps a total of five maintainer seats. This number was chosen because 1) it results in a healthy distribution of responsibility/load given the current volume of project activity, and 2) an odd number is highly desirable for dispute resolution. We strive to keep the number of maintainers as low as is reasonably possible, given the fact that maintainers carry powerful privileges. 
@@ -25,6 +30,7 @@ We strive to keep the number of maintainers as low as is reasonably possible, gi This section of the document can and should be updated as the above considerations fluctuate. Changes to this section of the document fall under the same requirements as other sections. When changing this section, maintainers must re-review and agree with the document in its entirety, as other guidelines (e.g. voting requirements) will likely change as a result. ### Changes in Maintainership + SPIRE maintainers are appointed according to the [process described in the governance document][2]. Maintainers may voluntarily step down at any time. Unseating a maintainer against their will requires a unanimous vote with the exception of the unseated. Unseating a maintainer is an extraordinary circumstance. A process to do so is necessary, but its use is not intended. Careful consideration should be made when voting in a new maintainer, particularly in validating that they pledge to uphold the terms of this document. To ensure that these decisions are not taken lightly, and to maintain long term project stability and foresight, no more than one maintainer can be involuntarily unseated in any given nine month period. 
@@ -32,11 +38,13 @@ Unseating a maintainer is an extraordinary circumstance. A process to do so is n The CNCF MUST be notified of any changes in maintainership via the CNCF Service Desk. #### Onboarding a New Maintainer + New SPIRE maintainers participate in an onboarding period during which they fulfill all code review and issue management responsibilities that are required for their role. The length of this onboarding period is variable, and is considered complete once both the existing maintainers and the candidate maintainer are comfortable with the candidate's competency in the responsibilities of maintainership. This process MUST be completed prior to the candidate being named an official SPIRE maintainer. The onboarding period is intended to ensure that the to-be-appointed maintainer is able/willing to take on the time requirements, familiar with SPIRE core logic and concepts, understands the overall system architecture and interactions that comprise it, and is able to work well with both the existing maintainers and the community. ## Change Review and Disagreements + The SPIRE project abides by the same [change review process][3] as the SPIFFE project, unless otherwise specified. The exact definition/difference between "major" and "minor" changes is left to maintainer's discretion. Changes to particularly sensitive areas like the agent's cache manager, or the server's CA, are always good candidates for additional review. If in doubt, always ask for another review. 
@@ -44,6 +52,7 @@ The exact definition/difference between "major" and "minor" changes is left to m If there is a disagreement amongst maintainers over a contribution or proposal, a vote may be called in which a simple majority wins. If any maintainer feels that the result of this vote critically endangers the project or its users, they have the right to raise the matter to the SPIFFE TSC. If this occurs, the contribution or proposal in question MUST be frozen until the SPIFFE TSC has made a decision. Do not take this route lightly (see [General Governance](#general-governance)). ### Security and Usability + SPIRE solves a complicated problem, and is developed and maintained by people with deep expertise. SPIRE maintainers must ensure that new features, log and error messages, documentation and naming choices, are all easily accessible by those who may not be very familiar with SPIFFE or authentication systems in general. Decisions should favor "secure by default" and "it just works" anywhere possible, and in that order. The number of configurables should be minimized as much as possible, especially in cases where it's believed that many users would need to invoke it, or when their values (and extremes) could significantly affect SPIRE performance, reliability, or security. 
@@ -51,9 +60,11 @@ Decisions should favor "secure by default" and "it just works" anywhere possible A good measure is the "beginner" measure. A beginner should be able to easily and quickly understand the configurable/feature, and its potential uses/impacts. They should also be able to easily and quickly troubleshoot a problem when something important goes wrong - and not to mention, be clearly informed of such a condition! ### Review Guidelines + The SPIFFE [governance document][1], its section on [review process][3], and the SPIRE [contribution guidelines][4], must all be applied for any SPIRE review. While reviewing, SPIRE maintainers should ask questions similar to the following: + * Do I clearly understand the use case that this change is addressing? * Does the proposed change break any current user's expectations of behavior (i.e. regression)? * Is it possible for this change to be misconfigured? If it is, what is the impact? 
@@ -65,9 +76,11 @@ While reviewing, SPIRE maintainers should ask questions similar to the following The above list is advisory, and is meant only to get the mind going. ## Release and Branch Management + The SPIRE project maintains active support for both the current and the previous major versions. All active development occurs in the `main` branch. Version branches are used for minor releases of the previous major version when necessary. ### Version Branches + When a bug is discovered in the latest release that also affects releases of the prior major version, it is necessary to backport the fix. If it is the first time that the prior major version is receiving a backported patch, then a version branch is created to track it. The version branch is named `vX.Y` where X and Y are the two most significant digits in the semantic version number. Its base is the last tag present in main for the release in question. For example, if SPIRE is on version 0.9.3, and the last 0.8 release was 0.8.4, then a `v0.8` branch is created with its base being the main commit tagged with `v0.8.4`. @@ -77,6 +90,7 @@ Once the version branch is created, the patch is either cherry picked or backpor Releases for the previous major version are made directly from its version branch. Ensure that the CHANGELOG is updated in both the main and the version branch to reflect the new release. ### Releasing + The SPIRE release machinery is tag-driven. When the maintainers are ready to release, a tag is pushed referencing the release commit. While the CI/CD pipeline takes care of the rest, it is important to keep an eye on its progress. If an error is encountered during this process, the release is aborted. The first two releases that a new maintainer performs must be performed under the supervision of maintainer that has already satisfied this requirement. 
@@ -86,9 +100,11 @@ SPIRE releases are authorized by its maintainers. When doing so, they should car A simple majority vote is required to authorize a SPIRE release at a specific commit hash. If any maintainer feels that the result of this vote critically endangers the project or its users, they have the right to raise the matter to the SPIFFE TSC. If this occurs, the release in question MUST be frozen until the SPIFFE TSC has made a decision. Do not take this route lightly (see [General Governance](#general-governance)). #### Checklist + This section summarizes the steps necessary to execute a SPIRE release. Unless explicitly stated, the below steps must be executed in order. The following steps must be completed one week prior to release: + * Ensure all changes intended to be included in the release are fully merged. * Identify a specific commit as the release candidate. * Create a draft pull request against the main branch with the updates to the CHANGELOG following [these guidelines](doc/changelog_guidelines.md). This allows those tracking the project to have early visibility into what will be included in the upcoming release and an opportunity to provide feedback. The release date can be set as "TBD" while it is a draft. 
@@ -100,12 +116,14 @@ The following steps must be completed one week prior to release: * Cherry-pick into the version branch the commits for all the changes that must be included in the release. **If this is a major release**, the following steps must be completed before releasing: + * Review and exercise all examples in spiffe.io and spire-examples repo against the release candidate hash. * Raise a PR for every example that updates included text and configuration to reflect current state and best practice. * Do not merge this PR yet. It will be updated later to use the real version pin rather than the commit hash. * If anything unusual is encountered during this process, a comment MUST be left on the release issue describing what was observed. The following steps must be completed to perform a release: + * Mark the pull request to update the CHANGELOG as "Ready for review". Make sure that it is updated with the final release date. **At least two approvals from maintainers are required in order to be able to merge it**. If a version branch was created for the realease, cherry-pick the final CHANGELOG changes into the version branch once they are merged. * If releasing from main and the current state of the main branch has diverged from the candidate commit due to just the CHANGELOG changes, the candidate commit is now the one that includes the updated CHANGELOG. If releasing from a version branch, the candidate commit is now the one that has the CHANGELOG changes cherry-picked in the branch. * Cut an annotated tag against the release candidate named `vX.X.X`, where `X.X.X` is the semantic version number of SPIRE. 
@@ -120,21 +138,25 @@ The following steps must be completed to perform a release: * Ideally, this is the first commit merged following the release. **If this is a major release**, the following steps must be completed no later than one week after the release: + * PRs to update spiffe.io and spire-examples repo to the latest major version must be merged. * Ensure that the PRs have been updated to use the version tag instead of the commit sha. * Broadcast news of release to the community via available means: SPIFFE Slack, Twitter, etc. ## Community Interaction and Presence + Maintainers represent the front line of SPIFFE and SPIRE community engagement. They are the ones interacting with end users on issues, and with contributors on their PRs. SPIRE maintainers must make themselves available to the community. It is critical that maintainers engage in this capacity - for understanding user needs and pains, for ensuring success in project adoption and deployment, and to close feedback loops on recently-introduced changes or features... to name a few. PR and Issue management/response is a critical responsibility for all SPIRE maintainers. In addition, maintainers should, whenever possible: + * Be generally available on the SPIFFE Slack, and engage in questions/conversations raised in the #help and #spire channels. * Attend SPIFFE/SPIRE community events (physically or virtually). * Present SPIFFE/SPIRE at meetups and industry conferences. ### Communication Values + SPIRE maintainers always engage in a respectful and constructive manner, and always follow the [SPIFFE Code of Conduct][6]. It is very important for maintainers to understand that contributions are generally acts of generosity, whether it be creating an issue or sending a pull request. It takes time to do these things. In the vast majority of cases, the motivating factor for taking the time to do this is either to improve the quality of the project for others, or to enable the project to (more easily?) 
solve a problem that it could not previously. Both of these factors are positive. @@ -165,17 +187,16 @@ The product manager must: The product manager makes the same pledge as maintainers do to act in the best interest at all times and its seat follows the same change guidelines as maintainer seats as described in the governance document. Unseating a product manager against their will requires a unanimous vote by the maintainers. - ## Community Facilitation and Outreach -The project designates a community chair to work with the product manager seat to focus on growing awareness of the project and increasing community engagement. In this role, the community chair is responsible for community outreach and outbound communication. +The project designates a community chair to work with the product manager seat to focus on growing awareness of the project and increasing community engagement. In this role, the community chair is responsible for community outreach and outbound communication. The responsibilities of the community chair are as follows: * Maintain, share with the community and execute a plan for proposed marketing and community outreach activities every release cycle. * Coordinate and facilitate community events (online and in-person). * Maintain and manage the spiffe.io website, ensuring that it stays available and up-to-date. -* Coordinate social media communications. +* Coordinate social media communications. * Ensure that all community events and meetings are recorded, and make the recordings available and discoverable on YouTube. * Ensure that all community meeting notes, discussions, and designs are easily discoverable on Google Docs. * Encourage use of project official channels for all technical and non-technical discussions. 
@@ -183,8 +204,6 @@ The responsibilities of the community chair are as follows: * Protect the privacy and confidentiality of non-public community information, including personal contact information such as email addresses and phone numbers. * Onboard contributors and welcome them into the community. - - [1]: https://github.com/spiffe/spiffe/blob/main/GOVERNANCE.md [2]: https://github.com/spiffe/spiffe/blob/main/GOVERNANCE.md#maintainers [3]: https://github.com/spiffe/spiffe/blob/main/GOVERNANCE.md#change-review-process diff --git a/Makefile b/Makefile index 2460aefe85..79c885c96e 100644 --- a/Makefile +++ b/Makefile @@ -129,6 +129,9 @@ golangci_lint_dir = $(build_dir)/golangci_lint/$(golangci_lint_version) golangci_lint_bin = $(golangci_lint_dir)/golangci-lint golangci_lint_cache = $(golangci_lint_dir)/cache +markdown_lint_version = v0.32.2 +markdown_lint_image = ghcr.io/igorshubovych/markdownlint-cli:$(markdown_lint_version) + protoc_version = 3.20.1 ifeq ($(os1),windows) protoc_url = https://github.com/protocolbuffers/protobuf/releases/download/v$(protoc_version)/protoc-$(protoc_version)-win64.zip @@ -417,11 +420,13 @@ endif @echo "Ensuring git repository is clean..." $(E)$(MAKE) git-clean-check -lint: lint-code +lint: lint-code lint-md lint-code: $(golangci_lint_bin) $(E)PATH="$(go_bin_dir):$(PATH)" GOLANGCI_LINT_CACHE="$(golangci_lint_cache)" $(golangci_lint_bin) run ./... +lint-md: + $(E)docker run -v "$(DIR):/workdir" $(markdown_lint_image) "**/*.md" ############################################################################# # Code Generation diff --git a/README.md b/README.md index 2047f2cd37..33cb7ebb98 100644 --- a/README.md +++ b/README.md 
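Review bot: `markdown_lint_image` in the first Makefile hunk pins the linter only by the tag `v0.32.2`, which the registry can re-point, so `make lint` would run whatever image that tag resolves to at pull time. Pinning by digest makes the step reproducible and removes that trust in the tag: `markdown_lint_image = ghcr.io/igorshubovych/markdownlint-cli:$(markdown_lint_version)@sha256:<DIGEST_OF_V0.32.2_PLACEHOLDER>`. A short comment above the variable saying where the digest came from and how to refresh it would help whoever does the next bump.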
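Review bot: The new `lint-md` recipe in the second Makefile hunk bind-mounts the whole checkout read-write into a third-party container and leaves the stopped container behind after each run. The linter is invoked without a fix flag, so it only needs to read the tree; I would change the recipe line to `$(E)docker run --rm -v "$(DIR):/workdir:ro" $(markdown_lint_image) "**/*.md"`. Since `lint` now depends on `lint-md`, every `make lint` also needs a working Docker daemon, which is worth a one-line comment above the target. The `.PHONY` declarations, if the file has any, are outside this hunk, so confirm `lint-md` is listed there.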
@@ -8,7 +8,6 @@ SPIRE (the [SPIFFE](https://github.com/spiffe/spiffe) Runtime Environment) is a toolchain of APIs for establishing trust between software systems across a wide variety of hosting platforms. SPIRE exposes the [SPIFFE Workload API](https://github.com/spiffe/go-spiffe/blob/main/v2/proto/spiffe/workload/workload.proto), which can attest running software systems and issue [SPIFFE IDs](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md) and [SVID](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md)s to them. This in turn allows two workloads to establish trust between each other, for example by establishing an mTLS connection or by signing and verifying a JWT token. SPIRE can also enable workloads to securely authenticate to a secret store, a database, or a cloud provider service. - - [Get SPIRE](#get-spire) - [Learn about SPIRE](#learn-about-spire) - [Integrate with SPIRE](#integrate-with-spire) @@ -16,8 +15,6 @@ SPIRE (the [SPIFFE](https://github.com/spiffe/spiffe) Runtime Environment) is a - [Further Reading](#further-reading) - [Security](#security) - - SPIRE is a [graduated](https://www.cncf.io/projects/spire/) project of the [Cloud Native Computing Foundation](https://cncf.io) (CNCF). If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. ## Get SPIRE @@ -46,7 +43,7 @@ For supported integration versions, see [Supported Integrations](/doc/supported_ ## Contribute to SPIRE The SPIFFE community maintains the SPIRE project. Information on the various SIGs and relevant standards can be found in -https://github.com/spiffe/spiffe. +. - See [CONTRIBUTING](https://github.com/spiffe/spire/blob/main/CONTRIBUTING.md) to get started. - Use [GitHub Issues](https://github.com/spiffe/spire/issues) to request features or file bugs. 
@@ -71,3 +68,5 @@ A third party security firm ([Cure53](https://cure53.de/)) completed a security ### Reporting Security Vulnerabilities If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at security@spiffe.io. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively. + + diff --git a/ROADMAP.md b/ROADMAP.md index 160dbc196a..033907e91d 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -1,4 +1,7 @@ -**Recently completed** +# Roadmap + +## Recently completed + * Use SPIRE on workloads [running on platforms where installing an agent is not possible](https://github.com/spiffe/spire/projects/9) (New!) * Provide an [API](https://github.com/spiffe/spire-api-sdk/blob/main/proto/spire/api/server/trustdomain/v1/trustdomain.proto) on SPIRE Server to allow programmatic configuration of federation relationships (New!) * [API](https://github.com/spiffe/spire-api-sdk) and [Plugin](https://github.com/spiffe/spire-plugin-sdk) SDKs for Integration authors 
@@ -7,19 +10,22 @@ * AWS Support: Support for using [AWS KMS to store signing keys](https://github.com/spiffe/spire/pull/2066), [Support for internet-restricted environments](https://github.com/spiffe/spire/pull/2119) * Support for using [GCP Certificate Authority Service as an upstream authority](https://github.com/spiffe/spire/pull/2172) -**Near-Term and Medium-Term** +## Near-Term and Medium-Term + * Provide a turn-key Kubernetes experience that adheres to security best practices (In Progress) * Provide a privileged API on SPIRE Agent to delegate SVID management to platform integrators (In Progress) * Support for supply chain provenance attestation by verification of binary signing (e.g. TUF/notary/in-toto metadata validation) * Secretless authentication to Google Compute Platform by expanding OIDC Federation integration support -**Long-Term** +## Long-Term + * Key Revocation and Forced Rotation * Ensure error messages are indicative of a direction towards resolution * Improve health-check subsystem * Secretless authentication to Microsoft Azure by expanding OIDC Federation integration support *** - -**Credits** -Thank you to [@anjaltelang](https://github.com/anjaltelang) for helping the SPIRE team keep this roadmap accurate and up-to-date 🎉 \ No newline at end of file + +## Credits + +Thank you to [@anjaltelang](https://github.com/anjaltelang) for helping the SPIRE team keep this roadmap accurate and up-to-date 🎉 diff --git a/conf/agent/agent.conf b/conf/agent/agent.conf index 6926baf7b8..cf1fcb353a 100644 --- a/conf/agent/agent.conf +++ b/conf/agent/agent.conf @@ -18,17 +18,8 @@ plugins { directory = "./.data" } } - WorkloadAttestor "k8s" { - plugin_data { - kubelet_read_only_port = "10255" - } - } WorkloadAttestor "unix" { plugin_data { } } - WorkloadAttestor "docker" { - plugin_data { - } - } } diff --git a/conf/server/server.conf b/conf/server/server.conf index 0195aaeae4..a21d53b93a 100644 --- a/conf/server/server.conf +++ b/conf/server/server.conf 
@@ -5,11 +5,6 @@ server { trust_domain = "example.org" data_dir = "./.data" log_level = "DEBUG" - ca_subject { - country = ["US"] - organization = ["SPIFFE"] - common_name = "" - } } plugins { diff --git a/doc/SPIRE101.md b/doc/SPIRE101.md index 79e50533e8..2f0bdcc8d0 100644 --- a/doc/SPIRE101.md +++ b/doc/SPIRE101.md @@ -1,10 +1,9 @@ - +# SPIRE ## Overview This walkthrough will guide you through the steps needed to setup a running example of a SPIRE Server and SPIRE Agent. Interaction with the [Workload API](https://github.com/spiffe/go-spiffe/blob/main/v2/proto/spiffe/workload/workload.proto) will be simulated via a command line tool. - ![SPIRE101](images/SPIRE101.png) ## Requirement(s) @@ -13,7 +12,9 @@ This walkthrough will guide you through the steps needed to setup a running exam Clone the SPIRE github repo. - git clone https://github.com/spiffe/spire +```shell +$ git clone https://github.com/spiffe/spire +``` ### Docker Setup 
@@ -29,147 +30,159 @@ If you don't already have Docker installed, please follow these [installation in | Join Token | Nonce generated by the SPIRE Server to attest SPIRE Agents | | selector | A native property of a node or workload | - - ## Walkthrough -1. Build the development Docker image. +1. Build the development Docker image. - make dev-image + ```shell + $ make dev-image + ``` -2. Run a shell in the development Docker container. +2. Run a shell in the development Docker container. - make dev-shell + ```shell + $ make dev-shell + ``` -3. Create a user with uid 1000. The uid will be registered as a selector of the workload's SPIFFE ID. During kernel based attestation the workload process will be interrogated for the registered uid. +3. Create a user with uid 1000. The uid will be registered as a selector of the workload's SPIFFE ID. During kernel based attestation the workload process will be interrogated for the registered uid. - useradd -u 1000 workload + ```shell + (in dev shell) # useradd -u 1000 workload + ``` -4. Build SPIRE by running the **build** target. The build target builds all the SPIRE binaries. +4. Build SPIRE by running the **build** target. The build target builds all the SPIRE binaries. - make build + ```shell + (in dev shell) # make build + ``` -5. Try running `help` for `entry` sub command. The **spire-server** and **spire-agent** executables have `-—help` option that give details of respective cli options. +5. Try running `help` for `entry` sub command. The **spire-server** and **spire-agent** executables have `-—help` option that give details of respective cli options. - ./bin/spire-server entry --help + ```shell + (in dev shell) # ./bin/spire-server entry --help + ``` - 6. View the SPIRE Server configuration file. +6. View the SPIRE Server configuration file. - cat conf/server/server.conf + ```shell + $(in dev shell) # cat conf/server/server.conf + ``` - The default SPIRE Server configurations are shown below. 
A detailed description of each of the SPIRE Server configuration options is in [the Server documentation](/doc/spire_server.md). + The default SPIRE Server configurations are shown below. A detailed description of each of the SPIRE Server configuration options is in [the Server documentation](/doc/spire_server.md). - ```hcl - server { - bind_address = "127.0.0.1" - bind_port = "8081" - trust_domain = "example.org" - data_dir = "./.data" - log_level = "DEBUG" - ca_subject { - country = ["US"] - organization = ["SPIFFE"] - common_name = "" - } - } + ```hcl + server { + bind_address = "127.0.0.1" + bind_port = "8081" + trust_domain = "example.org" + data_dir = "./.data" + log_level = "DEBUG" + } - plugins { - DataStore "sql" { - plugin_data { - database_type = "sqlite3" - connection_string = "./.data/datastore.sqlite3" - } + plugins { + DataStore "sql" { + plugin_data { + database_type = "sqlite3" + connection_string = "./.data/datastore.sqlite3" } + } - NodeAttestor "join_token" { - plugin_data { - } + NodeAttestor "join_token" { + plugin_data { } + } - KeyManager "memory" { - plugin_data = {} - } + KeyManager "memory" { + plugin_data = {} + } - UpstreamAuthority "disk" { - plugin_data { - key_file_path = "./conf/server/dummy_upstream_ca.key" - cert_file_path = "./conf/server/dummy_upstream_ca.crt" - } + UpstreamAuthority "disk" { + plugin_data { + key_file_path = "./conf/server/dummy_upstream_ca.key" + cert_file_path = "./conf/server/dummy_upstream_ca.crt" } } - ``` + } + ``` 7. Start the SPIRE Server as a background process by running the following command. - ./bin/spire-server run & + ```shell + (in dev shell) # ./bin/spire-server run & + ``` 8. Generate a one time Join Token via **spire-server token generate** sub command. Use the **-spiffeID** option to associate the Join Token with **spiffe://example.org/host** SPIFFE ID. Save the generated join token in your copy buffer. 
- ./bin/spire-server token generate -spiffeID spiffe://example.org/host + ```shell + (in dev shell) # ./bin/spire-server token generate -spiffeID spiffe://example.org/host + ``` - The Join Token will be used as a form of node attestation and the associated SPIFFE ID will be assigned to the node. + The Join Token will be used as a form of node attestation and the associated SPIFFE ID will be assigned to the node. - The default ttl of the Join Token is 600 seconds. We can overwrite the default value through **-ttl** option. + The default ttl of the Join Token is 600 seconds. We can overwrite the default value through **-ttl** option. 9. View the configuration file of the SPIRE Agent - cat conf/agent/agent.conf - - The default SPIRE Agent configurations are shown below. A detailed description of each of the SPIRE Agent configuration options is in [the Agent documentation](/doc/spire_agent.md). - ```hcl - agent { - data_dir = "./.data" - log_level = "DEBUG" - server_address = "127.0.0.1" - server_port = "8081" - socket_path ="/tmp/spire-agent/public/api.sock" - trust_bundle_path = "./conf/agent/dummy_root_ca.crt" - trust_domain = "example.org" - } - - plugins { - NodeAttestor "join_token" { - plugin_data { - } - } - KeyManager "disk" { - plugin_data { - directory = "./.data" - } - } - WorkloadAttestor "k8s" { - plugin_data { - kubelet_read_only_port = "10255" - } - } - WorkloadAttestor "unix" { - plugin_data { - } - } - WorkloadAttestor "docker" { - plugin_data { - } - } - } - ``` + ```shell + (in dev shell) # cat conf/agent/agent.conf + ``` + + The default SPIRE Agent configurations are shown below. A detailed description of each of the SPIRE Agent configuration options is in [the Agent documentation](/doc/spire_agent.md). 
+ + ```hcl + agent { + data_dir = "./.data" + log_level = "DEBUG" + server_address = "127.0.0.1" + server_port = "8081" + socket_path ="/tmp/spire-agent/public/api.sock" + trust_bundle_path = "./conf/agent/dummy_root_ca.crt" + trust_domain = "example.org" + } + + plugins { + NodeAttestor "join_token" { + plugin_data { + } + } + KeyManager "disk" { + plugin_data { + directory = "./.data" + } + } + WorkloadAttestor "unix" { + plugin_data { + } + } + } + ``` -10. Start the SPIRE Agent as a background process. Replace with the saved value from step #8 in the following command. +10. Start the SPIRE Agent as a background process. Replace `` with the saved value from step #8 in the following command. - ./bin/spire-agent run -joinToken & + ```shell + (in dev shell) # ./bin/spire-agent run -joinToken & + ``` 11. The next step is to register a SPIFFE ID with a set of selectors. For the example we will use unix kernel selectors that will be mapped to a target SPIFFE ID. - ./bin/spire-server entry create \ - -parentID spiffe://example.org/host \ - -spiffeID spiffe://example.org/workload \ - -selector unix:uid:1000 + ```shell + (in dev shell) # ./bin/spire-server entry create \ + -parentID spiffe://example.org/host \ + -spiffeID spiffe://example.org/workload \ + -selector unix:uid:1000 + ``` + At this point, the target workload has been registered with the SPIRE Server. We can now call the Workload API using a command line program to request the workload SVID from the SPIRE Agent. 12. Simulate the Workload API interaction and retrieve the workload SVID bundle by running the `api` subcommand in the agent. Run the command as user **_workload_** created in step #3 with uid 1000 - su -c "./bin/spire-agent api fetch x509 " workload + ```shell + (in dev shell) # su -c "./bin/spire-agent api fetch x509 " workload + ``` 13. Examine the output. Optionally, you may write the SVID and key to disk with `-write` in order to examine them in detail. 
- su -c "./bin/spire-agent api fetch x509 -write ./" workload - openssl x509 -in ./svid.0.pem -text -noout + ```shell + (in dev shell) # su -c "./bin/spire-agent api fetch x509 -write ./" workload + (in dev shell) # openssl x509 -in ./svid.0.pem -text -noout + ``` diff --git a/doc/auditlog.md b/doc/auditlog.md index 30535b86c0..94a2e74da7 100644 --- a/doc/auditlog.md +++ b/doc/auditlog.md @@ -10,13 +10,14 @@ Each entry contains fields related with the provided request to each endpoint. I |----------------|----------------------------------------------------------------------------------------------------------------------------------------------------|------------------| | type | Constant value that is used to identify that the current entry is an audit log. | audit | | request_id | A uuid that identifies the current call. It is useful for batch operations that can emit multiple audit logs, one per each operation that is done. | | -| status | Indicates if the call was successful or not. | [error, success] | +| status | Indicates if the call was successful or not. | [error, success] | | status_code | In case of an error, contains the gRPC status code. | | | status_message | In case of an error, contains the error returned to the caller. | | The following fields are provided to identify the caller. ### Endpoints listening on UDS + > **_NOTE:_** In order to enable audit log in Kubernetes for calls done on UDS endpoints, `hostPID: true` is required in the SPIRE Server node. | Key | Description | @@ -26,6 +27,7 @@ The following fields are provided to identify the caller. | caller_path | Caller binary file path. | ### Endpoints listening on TLS ports + | Key | Description | |-------------|-------------------------------------------------------------------------------| | caller_addr | Caller IP address. | diff --git a/doc/authorization_policy_engine.md b/doc/authorization_policy_engine.md index 92c46ccb94..6cf1a9d0b1 100644 --- a/doc/authorization_policy_engine.md 
+++ b/doc/authorization_policy_engine.md @@ -1,17 +1,17 @@ # Authorization policy engine **Warning**: Use of custom authorization policies is experimental and can -result in security degradation if not configured correctly. Please refer to +result in security degredation if not configured correctly. Please refer to [this section](#extending-the-policy) for more details on extending the default policy. The authorization decisions in SPIRE are determined by a policy engine which bases its decision on a rego policy and databindings with Open Policy Agent -(OPA). +(OPA). This is a sample configuration of the policy. -``` +```hcl server { experimental { auth_opa_policy_engine { @@ -27,11 +27,11 @@ server { If the policy engine configuration is not set, it defaults to the [default SPIRE authorization policy](#default-configurations). -# Details of the policy engine +## Details of the policy engine The policy engine is based on the [Open Policy Agent (OPA)](https://www.openpolicyagent.org/). This is configured via two -components, the rego policy, and the policy data path (or databindings as +components, the rego policy, and the policy data path (or databindings as referred to in OPA). - The rego policy is a rego policy file defining how to authorize the API calls. @@ -43,12 +43,13 @@ part of the rego and databindings. However, the general rule is "How it is done" is part of the rego policy, and the "What does this apply to" is part of the databindings file. -## Rego policy +### Rego policy The rego policy defines how input to the policy engine is evaluated to produce the result used by SPIRE server for authorization decisions. This is defined by the result object: -``` + +```rego result = { "allow": true/false, "allow_if_admin": true/false, 
@@ -59,12 +60,13 @@ result = { ``` The fields of the result are the following: + - `allow`: a boolean that if true, will authorize the call - `allow_if_local`: a boolean that if true, will authorize the call only if the caller is a local UNIX socket call - `allow_if_admin`: a boolean that if true, will authorize the call only if the caller is a SPIFFE ID with the Admin flag set -- `allow_if_downstream`: a boolean that if true, will authorize the call +- `allow_if_downstream`: a boolean that if true, will authorize the call only if the caller is a SPIFFE ID that is downstream - `allow_if_agent`: a boolean that is true, will authorize the call only if the caller is an agent. @@ -72,13 +74,14 @@ The fields of the result are the following: The results are evaluated by the following semantics where `isX()` is an evaluation of whether the caller has property `X`. -``` +```rego admit_request = allow || (allow_if_local && isLocal()) || (allow_if_admin && isAdmin()) || (allow_if_downstream && isDownstream()) || (allow_if_agent && isAgent()) ``` The inputs that are passed into the policy are: + - `input`: the input from the SPIRE server for the authorization call - `data`: the databinding from the policy data file @@ -92,7 +95,7 @@ The request (`req`) is the marshalled JSON object from the [SPIRE api sdk](https://github.com/spiffe/spire-api-sdk/). Note that it is not available on client or bidirectional streaming RPC API calls. -## Policy data file (databinding) +### Policy data file (databinding) The policy data file consists of a JSON blob which represents the data that is used in the evaluation of the policy. This is generally free-form and can be @@ -104,7 +107,7 @@ optimized by the policy engine. These data objects can be accessed via the `data` field in the rego policy. For example, a JSON data object may look like this: -``` +```rego { "apis": [ { "full_method": "/spire.api.server.svid.v1.SVID/MintJWTSVID" }, 
@@ -114,26 +117,26 @@ example, a JSON data object may look like this: } ``` -With the example data object above, we could construct a policy in rego to -check that if the input's full method is equal to one of the objects defined in +With the example data object above, we could construct a policy in rego to +check that if the input's full method is equal to one of the objects defined in the `apis` fields' `full_method` sub-field, then `allow` should be set to true. -``` + +```rego allow = true { input.full_method == data.apis[_].full_method } ``` -### Default configurations +#### Default configurations Here are the default rego policy and policy data values. These are what is required to carry out the default SPIRE authorization decisions. - -#### Default policy.rego +##### Default policy.rego The default rego policy is located [here](/pkg/server/authpolicy/policy.rego). -#### Default policy\_data.json (databindings) +##### Default policy\_data.json (databindings) The default policy\_data.json is located [here](/pkg/server/authpolicy/policy_data.json). 
@@ -153,37 +156,36 @@ The fields of each object are as follows: | allow_downstream | if true, sets result.allow_if_downstream to true | | | allow_agent | if true, sets result.allow_if_agent to true | | -# Extending the policy +## Extending the policy This section contains examples of how the authorization policy can be extended. -## OPA Warning +### OPA Warning -It is important when implementing custom policies that one understands the +It is important when implementing custom policies that one understands the evaluation semantics and details of OPA rego. An example of subtleties of OPA -rego policy is the evaluation of a variable is taken as a logical OR of all -the clauses. Therefore, creating an additional rule that sets `allow = false` +rego policy is the evaluation of a variable is taken as a logical OR of all +the clauses. Therefore, creating an additional rule that sets `allow = false` will not be an effective addition to the policy. -It is recommended to familiarize yourself with the +It is recommended to familiarize yourself with the [OPA rego language](https://www.openpolicyagent.org/docs/latest/) before implementing custom policies. - -## Example 1a: Entry creation namespacing restrictions +### Example 1a: Entry creation namespacing restrictions In this example, we want to ensure that entries created are namespaced, so we can create namespaces within the trust domain to determine the type of entries that can be created by each client. This would be a scenario of having two departments where one would not be able to create entries for the other. -Note that this example is specifically for calls through the TCP endpoint, where +Note that this example is specifically for calls through the TCP endpoint, where the user corresponds to the SPIFFE ID in the x509 certificate presented during invocation of the API. This can be defined by creating some additional objects in the data binding: -``` +```rego { "entry_create_namespaces": [ { 
@@ -200,7 +202,8 @@ This can be defined by creating some additional objects in the data binding: The rego policy can then be updated to compare against the dataset of namespaces of users and path prefixes to compare against the entry create input request. -``` + +```rego check_entry_create_namespace { input.full_method == "/spire.api.server.entry.v1.Entry/BatchCreateEntry" @@ -217,22 +220,23 @@ The rego policy can then be updated to check for this, an example of an allow clause would look like the following. Note that it is important to check to see how this fits in with the other parts of the rego policy. -``` +```rego # Any allow check allow = true { check_entry_create_namespace } ``` -## Example 1b: Sub-department namespacing with exclusions +### Example 1b: Sub-department namespacing with exclusions Building on top of the previous example, let's say we want to have sub departments, having schedulers for a subset of paths within the trust domain. This can be done by building on top of the previous example, with the addition -of an exclusion list. +of an exclusion list. In this example, we have two schedulers: -- `schedulers/finance` is able to create paths starting with `/finance` + +- `schedulers/finance` is able to create paths starting with `/finance` - `schedulers/finance/EMEA` is able to create paths starting with `/finance/EMEA` - `schedulers/finance` should not be able to create paths starting with `/finance/EMEA` @@ -240,7 +244,7 @@ In this example, we have two schedulers: To do this, we can use the same policy as the above, adding on an exclusion list. We will use the following policy data: -``` +```rego { "entry_create_namespaces": [ { @@ -259,7 +263,8 @@ list. We will use the following policy data: ``` We can then add a couple lines to check for the exclusion list: -``` + +```rego check_entry_create_namespace { input.full_method == "/spire.api.server.entry.v1.Entry/BatchCreateEntry" 
@@ -284,13 +289,13 @@ check_entry_create_namespace { This will result in the desired boolean outcome to be stored in `check_entry_create_namespace`. -## Example 2: Disallow admin flag in entry creation +### Example 2: Disallow admin flag in entry creation In this second example, we want to restrict it so that we prevent any entries created with an admin flag. This can be done by modifying the rego policy allow clauses with the following check: -``` +```rego check_entry_create_admin_flag { input.full_method == "/spire.api.server.entry.v1.Entry/BatchCreateEntry" admin_entries := { entry | entry := input.req.entries[_]; entry.admin == true} @@ -305,23 +310,24 @@ flag. The rego policy can then be updated to check for this, an example of an allow clause would look like the following. Note that it is important to check to see how this fits in with the other parts of the rego policy. -``` + +```rego # Any allow check allow = true { check_entry_create_admin_flag } ``` -## Example 3a: Restrict calls from local UNIX socket +### Example 3a: Restrict calls from local UNIX socket In this example, we want to restrict deletion of entries. For the first part of -this example, we will fully lock down the ability to delete entries. +this example, we will fully lock down the ability to delete entries. This can be easily done by leveraging the set of default rules. In the default policy data file, there are general allow restrictions for APIs. For example, for the batch deletion of entries, here is the exerpt: -``` +```rego { "full_method": "/spire.api.server.entry.v1.Entry/BatchDeleteEntry", "allow_admin": true, 
@@ -332,13 +338,13 @@ for the batch deletion of entries, here is the exerpt: If we want to disallow deletion of entries from the local or from admin users, we can easily do this by deleting the `allow*` lines, resulting in: -``` +```rego { "full_method": "/spire.api.server.entry.v1.Entry/BatchDeleteEntry", } ``` -## Example 3b: Allow deletion from specific user +### Example 3b: Allow deletion from specific user In this example, we want to now relax our previous restriction by allowing a single SPIFFE ID to perform deletions via the TCP endpoint. @@ -346,7 +352,7 @@ single SPIFFE ID to perform deletions via the TCP endpoint. We can first define the data binding to provide the list of users able to delete entries: -``` +```rego { "entry_delete_users": [ "spiffe://example.org/finance/super-admin-deleter", @@ -355,12 +361,11 @@ entries: } ``` - We can then define the following rego policy to check the calls to the entry delete endpoint, and add checks that the caller SPIFFE ID is in the list of users defined. -``` +```rego check_entry_delete_users { input.full_method == "/spire.api.server.entry.v1.Entry/BatchDeleteEntry" @@ -373,7 +378,7 @@ The rego policy can then be updated to check for this, an example of an allow clause would look like the following. Note that it is important to check to see how this fits in with the other parts of the rego policy. -``` +```rego # Any allow check allow = true { check_entry_delete_users diff --git a/doc/changelog_guidelines.md b/doc/changelog_guidelines.md index 30311ec4ad..359d5f2974 100644 --- a/doc/changelog_guidelines.md +++ b/doc/changelog_guidelines.md 
@@ -1,6 +1,7 @@ # CHANGELOG Guidelines The following guidelines should be followed when updating the CHANGELOG: + - There should be an entry for every version, that includes the version number and release date. - Entries should be focused on communicating user-facing changes, considering that the main consumers of the CHANGELOG are the end users of SPIRE. - The types of changes should be grouped using the following categories: @@ -18,19 +19,25 @@ The following is an example that includes all the categories: ## [a.b.c] - YYYY-MM-DD ### Added + - AWS PCA now has a configurable allowing operators to provide additional CA certificates for inclusion in the bundle (#1574) ### Changed + - Envoy SDS support is now always on (#1579) ### Deprecated + - The UpstreamCA plugin type is now marked as deprecated in favor of the UpstreamAuthority plugin type (#1406) ### Removed + - The deprecated `upstream_bundle` server configurable has been removed. The server always uses the upstream bundle as the trust bundle (#1702) ### Fixed + - Issue in the Upstream Authority plugin that could result in a delay in the propagation of bundle updates/changes (#1917) ### Security + - Node API now ratelimits expensive calls (#577) diff --git a/doc/plugin_agent_keymanager_disk.md b/doc/plugin_agent_keymanager_disk.md index 3e9bda45c3..04bac75a6e 100644 --- a/doc/plugin_agent_keymanager_disk.md +++ b/doc/plugin_agent_keymanager_disk.md @@ -10,10 +10,10 @@ for long enough for its certificate to expire, attestation will need to be re-pe A sample configuration: -``` - KeyManager "disk" { - plugin_data { - directory = "/opt/spire/data/agent" - } - } +```hcl + KeyManager "disk" { + plugin_data = { + keys_path = "/opt/spire/data/server/keys.json" + } + } ``` diff --git a/doc/plugin_agent_nodeattestor_aws_iid.md b/doc/plugin_agent_nodeattestor_aws_iid.md index 925ef54990..fbb4390df3 100644 --- a/doc/plugin_agent_nodeattestor_aws_iid.md +++ b/doc/plugin_agent_nodeattestor_aws_iid.md 
@@ -2,13 +2,13 @@ *Must be used in conjunction with the server-side aws_iid plugin* -The `aws_iid` plugin automatically attests instances using the AWS Instance +The `aws_iid` plugin automatically attests instances using the AWS Instance Metadata API and the AWS Instance Identity document. It also allows an operator to use AWS Instance IDs when defining SPIFFE ID attestation policies. Generally no plugin data is needed in AWS, and this configuration should be used: -``` +```hcl NodeAttestor "aws_iid" { plugin_data {} } @@ -18,11 +18,10 @@ Generally no plugin data is needed in AWS, and this configuration should be used |-----------------------|----------------------------------------------------| | ec2_metadata_endpoint | Endpoint for AWS SDK to retrieve instance metadata | - For testing or non-standard AWS environments, you may need to specify the Metadata endpoint. For more information, see [the AWS SDK documentation](https://docs.aws.amazon.com/sdk-for-go/api/aws/ec2metadata/) -``` +```hcl NodeAttestor "aws_iid" { plugin_data { ec2_metadata_endpoint = "http://169.264.169.254/latest" diff --git a/doc/plugin_agent_nodeattestor_azure_msi.md b/doc/plugin_agent_nodeattestor_azure_msi.md index f648485466..c5935bd04a 100644 --- a/doc/plugin_agent_nodeattestor_azure_msi.md +++ b/doc/plugin_agent_nodeattestor_azure_msi.md @@ -2,14 +2,14 @@ *Must be used in conjunction with the server-side azure_msi plugin* -The `azure_msi` plugin attests nodes running in Microsoft Azure that have +The `azure_msi` plugin attests nodes running in Microsoft Azure that have Managed Service Identity (MSI) enabled. Agent nodes acquire a signed MSI token which is passed to the server. The server validates the signed MSI token and extracts the Tenant ID and Principal ID to form the agent SPIFFE ID. The SPIFFE ID has the form: -``` -spiffe:///spire/agent/azure_msi// +```xml +spiffe:///spire/agent/azure_msi// ``` The agent needs to be running in Azure, in a VM with MSI enabled, in order to 
@@ -17,7 +17,7 @@ use this method of node attestation. | Configuration | Description | Default | |---------------|-----------------------------------------------------------------------------------------------------------------------------------|-------------------------------| -| `resource_id` | The resource ID (or audience) to request for the MSI token. The server will reject tokens with resource IDs it does not recognize | https://management.azure.com/ | +| `resource_id` | The resource ID (or audience) to request for the MSI token. The server will reject tokens with resource IDs it does not recognize | | It is important to note that the resource ID MUST be for a well known Azure service, or an app ID for a registered app in Azure AD. Azure will not issue an @@ -31,7 +31,7 @@ URI that you can use as a resource instead to limit the scope of replay-ability. A sample configuration with the default resource ID (i.e. resource manager): -``` +```hcl NodeAttestor "azure_msi" { plugin_data { } @@ -40,7 +40,7 @@ A sample configuration with the default resource ID (i.e. resource manager): A sample configuration with a custom resource ID: -``` +```hcl NodeAttestor "azure_msi" { plugin_data { resource_id = "http://example.org/app/" diff --git a/doc/plugin_agent_nodeattestor_gcp_iit.md b/doc/plugin_agent_nodeattestor_gcp_iit.md index 43ca53a11f..71f0efdbf3 100644 --- a/doc/plugin_agent_nodeattestor_gcp_iit.md +++ b/doc/plugin_agent_nodeattestor_gcp_iit.md 
@@ -4,7 +4,6 @@ The `gcp_iit` plugin automatically attests instances using the [GCP Instance Identity Token](https://cloud.google.com/compute/docs/instances/verifying-instance-identity). It also allows an operator to use GCP Instance IDs when defining SPIFFE ID attestation policies. - | Configuration | Description | Default | |---------------------|-----------------------------------------------------------------------------------------------------------------------------------|----------------------------| | identity_token_host | Host where an [identity token](https://cloud.google.com/compute/docs/instances/verifying-instance-identity) can be retrieved from | `metadata.google.internal` | @@ -12,10 +11,11 @@ The `gcp_iit` plugin automatically attests instances using the [GCP Instance Ide A sample configuration: -``` +```hcl NodeAttestor "gcp_iit" { plugin_data { identity_token_host = "metadata.google.internal" service_account = "XXX@developer.gserviceaccount.com" } } +``` diff --git a/doc/plugin_agent_nodeattestor_k8s_psat.md b/doc/plugin_agent_nodeattestor_k8s_psat.md index 91ab12f910..8d5dfccc6a 100644 --- a/doc/plugin_agent_nodeattestor_k8s_psat.md +++ b/doc/plugin_agent_nodeattestor_k8s_psat.md @@ -9,8 +9,8 @@ SPIRE to create more fine-grained attestation policies for agents. The server-side `k8s_psat` plugin will generate a SPIFFE ID on behalf of the agent of the form: -``` -spiffe:///spire/agent/k8s_psat// +```xml +spiffe:///spire/agent/k8s_psat// ``` The main configuration accepts the following values: @@ -20,10 +20,9 @@ The main configuration accepts the following values: | `cluster` | Name of the cluster. It must correspond to a cluster configured in the server plugin. | | | `token_path` | Path to the projected service account token on disk | "/var/run/secrets/tokens/spire-agent" | - A sample configuration with the default token path: -``` +```hcl NodeAttestor "k8s_psat" { plugin_data { cluster = "MyCluster" 
@@ -32,7 +31,8 @@ A sample configuration with the default token path: ``` Its k8s volume definition: -``` + +```yaml volumes: - name: spire-agent projected: @@ -44,7 +44,8 @@ volumes: ``` And volume mount: -``` + +```yaml volumeMounts: - mountPath: /var/run/secrets/tokens name: spire-agent @@ -52,7 +53,6 @@ volumeMounts: A full example of this attestor is provided in [the SPIRE examples repository](https://github.com/spiffe/spire-examples/tree/main/examples/k8s/simple_psat). - ## Considerations This attestor is based on two Kubernetes beta features (since k8s v1.12): TokenRequest and TokenRequestProjection. TokenRequest exposes the ability to obtain finely scoped service account tokens from the Kubernetes API Server. TokenRequestProjection facilitates the automatic creation and mounting of such a token into a container. diff --git a/doc/plugin_agent_nodeattestor_k8s_sat.md b/doc/plugin_agent_nodeattestor_k8s_sat.md index 3a6270eb6e..1ecbe7b8d4 100644 --- a/doc/plugin_agent_nodeattestor_k8s_sat.md +++ b/doc/plugin_agent_nodeattestor_k8s_sat.md @@ -10,8 +10,8 @@ you should instead consider using the `k8s_psat` attestor due to the [security c The server-side `k8s_sat` plugin generates a one-time UUID and generates a SPIFFE ID with the form: -``` -spiffe:///spire/agent/k8s_sat// +```xml +spiffe:///spire/agent/k8s_sat// ``` The main configuration accepts the following values: @@ -25,7 +25,7 @@ The token path defaults to the default location Kubernetes uses to place the tok A sample configuration with the default token path: -``` +```hcl NodeAttestor "k8s_sat" { plugin_data { cluster = "MyCluster" diff --git a/doc/plugin_agent_nodeattestor_sshpop.md b/doc/plugin_agent_nodeattestor_sshpop.md index 69c4ebf8a8..3cddfc7e13 100644 --- a/doc/plugin_agent_nodeattestor_sshpop.md +++ b/doc/plugin_agent_nodeattestor_sshpop.md 
@@ -10,8 +10,8 @@ plugin. The SPIFFE ID produced by the server-side `sshpop` plugin is based on the certificate fingerprint, which is an unpadded url-safe base64 encoded sha256 hash of the certificate in openssh format. -``` -spiffe:///spire/agent/sshpop/ +```xml +spiffe:///spire/agent/sshpop/ ``` | Configuration | Description | Default | @@ -21,7 +21,7 @@ spiffe:///spire/agent/sshpop/ A sample configuration: -``` +```hcl NodeAttestor "sshpop" { plugin_data { host_cert_path = "./conf/agent/dummy_agent_ssh_key-cert.pub" diff --git a/doc/plugin_agent_nodeattestor_tpm_devid.md b/doc/plugin_agent_nodeattestor_tpm_devid.md index d592fa7777..90c2a30c07 100644 --- a/doc/plugin_agent_nodeattestor_tpm_devid.md +++ b/doc/plugin_agent_nodeattestor_tpm_devid.md 
@@ -20,40 +20,40 @@ The proof-of-residency verification involves the creation of a temporary attestation key. Currently, this attestation key is always an RSA key independent of whether the DevID is using an ECC or RSA key type. -The SPIFFE ID produced by the server-side `tpm_devid` plugin is based on the +The SPIFFE ID produced by the server-side `tpm_devid` plugin is based on the LDevID certificate fingerprint, where the fingerprint is defined as the SHA1 hash of the ASN.1 DER encoding of the identity certificate. The SPIFFE ID has the form: -``` -spiffe:///spire/agent/tpm_devid/ +```xml +spiffe:///spire/agent/tpm_devid/ ``` -| Configuration | Description | Default | +| Configuration | Description | Default | |----------------------------------|--------------------------------------------------------------------------------------|-----------------------------------------------------------| -| `tpm_device_path` | The path to a TPM 2.0 device. It is not used when running on windows. | If unset, the plugin will try to autodetect the TPM path | -| `devid_cert_path` | The path to the DevID certificate on disk in PEM format. | | -| `devid_priv_path` | The path to the private key blob generated by the TPM. | | -| `devid_pub_path` | The path to the public key blob generated by the TPM. | | -| `endorsement_hierarchy_password` | TPM endorsement hierarchy password. | "" | -| `owner_hierarchy_password` | TPM owner hierarchy password. | "" | -| `devid_password` | DevID keys password (must be the same than the one used in the provisioning process) | "" | +| `tpm_device_path` | The path to a TPM 2.0 device. It is not used when running on windows. | If unset, the plugin will try to autodetect the TPM path | +| `devid_cert_path` | The path to the DevID certificate on disk in PEM format. | | +| `devid_priv_path` | The path to the private key blob generated by the TPM. | | +| `devid_pub_path` | The path to the public key blob generated by the TPM. 
| | +| `endorsement_hierarchy_password` | TPM endorsement hierarchy password. | "" | +| `owner_hierarchy_password` | TPM owner hierarchy password. | "" | +| `devid_password` | DevID keys password (must be the same than the one used in the provisioning process) | "" | A sample configuration: -``` - NodeAttestor "tpm_devid" { - plugin_data { - devid_cert_path = "/opt/spire/conf/agent/devid.crt.pem" - devid_priv_path = "/opt/spire/conf/agent/devid.priv.blob" - devid_pub_path = "/opt/spire/conf/agent/devid.pub.blob" - } - } +```hcl + NodeAttestor "tpm_devid" { + plugin_data { + devid_cert_path = "/opt/spire/conf/agent/devid.crt.pem" + devid_priv_path = "/opt/spire/conf/agent/devid.priv.blob" + devid_pub_path = "/opt/spire/conf/agent/devid.pub.blob" + } + } ``` -### Compatibility considerations +## Compatibility considerations + This plugin is designed to work with TPM 2.0, TPM 1.2 is not supported. -+ Only local device identities (LDevIDs) are supported. Attestation using ++ Only local device identities (LDevIDs) are supported. Attestation using IDevIDs is not supported. diff --git a/doc/plugin_agent_nodeattestor_x509pop.md b/doc/plugin_agent_nodeattestor_x509pop.md index 76f343c0e1..3b30d1d856 100644 --- a/doc/plugin_agent_nodeattestor_x509pop.md +++ b/doc/plugin_agent_nodeattestor_x509pop.md @@ -10,8 +10,8 @@ plugin. The SPIFFE ID produced by the server-side `x509pop` plugin is based on the certificate fingerprint, where the fingerprint is defined as the SHA1 hash of the ASN.1 DER encoding of the identity certificate. The SPIFFE ID has the form: -``` -spiffe:///spire/agent/x509pop/ +```xml +spiffe:///spire/agent/x509pop/ ``` | Configuration | Description | Default | 
@@ -22,11 +22,11 @@ spiffe:///spire/agent/x509pop/ A sample configuration: -``` - NodeAttestor "x509pop" { - plugin_data { - private_key_path = "/opt/spire/conf/agent/agent.key.pem" - certificate_path = "/opt/spire/conf/agent/agent.crt.pem" - } - } +```hcl + NodeAttestor "x509pop" { + plugin_data { + private_key_path = "/opt/spire/conf/agent/agent.key.pem" + certificate_path = "/opt/spire/conf/agent/agent.crt.pem" + } + } ``` diff --git a/doc/plugin_agent_svidstore_aws_secretsmanager.md b/doc/plugin_agent_svidstore_aws_secretsmanager.md index 73927e2d3c..2456f4a87b 100644 --- a/doc/plugin_agent_svidstore_aws_secretsmanager.md +++ b/doc/plugin_agent_svidstore_aws_secretsmanager.md @@ -1,28 +1,28 @@ # Agent plugin: SVIDStore "aws_secretsmanager" -The `aws_secretsmanager` plugin stores in [AWS Secrets Manager](https://aws.amazon.com/es/secrets-manager/) the resulting X509-SVIDs of the entries that the agent is entitled to. +The `aws_secretsmanager` plugin stores in [AWS Secrets Manager](https://aws.amazon.com/es/secrets-manager/) the resulting X509-SVIDs of the entries that the agent is entitled to. -### Secret format +## Secret format The format that is used to store in a secret the issued identity is the following: -``` +```json { - "spiffeId": "spiffe://example.org", - "x509Svid": "X509_CERT_CHAIN_PEM", - "x509SvidKey": "PRIVATE_KET_PEM", - "bundle": "X509_BUNDLE_PEM", - "federatedBundles": { - "spiffe://federated.org": "X509_FEDERATED_BUNDLE_PEM" - } + "spiffeId": "spiffe://example.org", + "x509Svid": "X509_CERT_CHAIN_PEM", + "x509SvidKey": "PRIVATE_KET_PEM", + "bundle": "X509_BUNDLE_PEM", + "federatedBundles": { + "spiffe://federated.org": "X509_FEDERATED_BUNDLE_PEM" + } } ``` -### Required AWS IAM permissions +## Required AWS IAM permissions This plugin requires the following IAM permissions in order to function: -``` +```text secretsmanager:DescribeSecret secretsmanager:CreateSecret secretsmanager:RestoreSecret 
@@ -34,7 +34,7 @@ kms:Encrypt Please note that this plugin does not read secrets it has stored and therefore does not require read permissions. -### Configuration +## Configuration When the SVIDs are updated, the plugin takes care of updating them in AWS Secrets Manager. @@ -46,7 +46,7 @@ When the SVIDs are updated, the plugin takes care of updating them in AWS Secret A sample configuration: -``` +```hcl SVIDStore "aws_secretsmanager" { plugin_data { access_key_id = "ACCESS_KEY_ID" @@ -56,7 +56,7 @@ A sample configuration: } ``` -### Selectors +## Selectors The selectors of the type `aws_secretsmanager` are used to describe metadata that is needed by the plugin in order to store secret values in AWS Secrets Manager. @@ -65,4 +65,3 @@ The selectors of the type `aws_secretsmanager` are used to describe metadata tha | `aws_secretsmanager:secretname` | `aws_secretsmanager:secretname:some-name` | Friendly name of the secret where the SVID is stored. If not specified `aws_secretsmanager:arn` must be defined | | `aws_secretsmanager:arn` | `aws_secretsmanager:arn:some-arn` | The Amazon Resource Name (ARN) of the secret where the SVID is stored. If not specified, `aws_secretsmanager:secretname` must be defined | | `aws_secretsmanager:kmskeyid` | `aws_secretmanager:kmskeyid` | Specifies the ARN, Key ID, or alias of the AWS KMS customer master key (CMK) to be used to encrypt the secrets. Any of the supported ways to identify a AWS KMS key ID can be used. If a CMK in a different account needs to be referenced, only the key ARN or the alias ARN can be used. If not specified, the AWS account's default CMK is used | - diff --git a/doc/plugin_agent_svidstore_gcp_secretmanager.md b/doc/plugin_agent_svidstore_gcp_secretmanager.md index f7936f333b..90bc5ce015 100644 --- a/doc/plugin_agent_svidstore_gcp_secretmanager.md +++ b/doc/plugin_agent_svidstore_gcp_secretmanager.md 
@@ -1,44 +1,46 @@ # Agent plugin: SVIDStore "gcp_secretmanager" -The `gcp_secretmanager` plugin stores in [Google cloud Secret Manager](https://cloud.google.com/secret-manager) the resulting X509-SVIDs of the entries that the agent is entitled to. +The `gcp_secretmanager` plugin stores in [Google cloud Secret Manager](https://cloud.google.com/secret-manager) the resulting X509-SVIDs of the entries that the agent is entitled to. -### Secret format +## Secret format The format that is used to store in a secret the issued identity is the following: -``` +```json { - "spiffeId": "spiffe://example.org", - "x509Svid": "X509_CERT_CHAIN_PEM", - "x509SvidKey": "PRIVATE_KET_PEM", - "bundle": "X509_BUNDLE_PEM", - "federatedBundles": { - "spiffe://federated.org": "X509_FEDERATED_BUNDLE_PEM" - } + "spiffeId": "spiffe://example.org", + "x509Svid": "X509_CERT_CHAIN_PEM", + "x509SvidKey": "PRIVATE_KET_PEM", + "bundle": "X509_BUNDLE_PEM", + "federatedBundles": { + "spiffe://federated.org": "X509_FEDERATED_BUNDLE_PEM" + } } ``` -### Required GCP permissions +## Required GCP permissions This plugin requires the following IAM permissions in order to function: -``` + +```text secretmanager.secrets.create secretmanager.secrets.delete secretmanager.secrets.get secretmanager.secrets.update secretmanager.versions.add ``` + Please note that this plugin does not require permission to read secret payloads stored on secret version. -### Configuration +## Configuration -| Configuration | Description | DEFAULT | -|----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------| -| service_account_file | (Optional) Path to the service account file used to authenticate with the Google Compute Engine API. By default credentials are retrieved from environment. 
| Value of `GOOGLE_APPLICATION_CREDENTIALS ` environment variable | +| Configuration | Description | DEFAULT | +|----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------| +| service_account_file | (Optional) Path to the service account file used to authenticate with the Google Compute Engine API. By default credentials are retrieved from environment. | Value of `GOOGLE_APPLICATION_CREDENTIALS` environment variable | A sample configuration: -``` +```hcl SVIDStore "gcp_secretmanager" { plugin_data { service_account_file = "/opt/token" 
@@ -46,22 +48,22 @@ A sample configuration: } ``` -### IAM Policy +## IAM Policy It is possible to add an IAM Policy when creating a new secret. This is done using the `role` and `serviceaccount` selectors, which must be configured together. The secret will have the inherited IAM Policy together with the new policy, with a single Binding created. The Binding will use the provided role together with service account as unique member. In case that a role/serviceaccount is not set, the secret will use inherited policies from Secret Manager. -``` +```yaml bindings: - members: - serviceAccount:test-secret@project-id.iam.gserviceaccount.com role: roles/secretmanager.viewer ``` -### Store selectors +## Store selectors -Selectors are used on `storable` entries to describe metadata that is needed by `gcp_secretmanager` in order to store secrets in Google Cloud Secret manager. In case that a `required` selector is not provided, the plugin will return an error at execution time. +Selectors are used on `storable` entries to describe metadata that is needed by `gcp_secretmanager` in order to store secrets in Google Cloud Secret manager. In case that a `required` selector is not provided, the plugin will return an error at execution time. | Selector | Example | Required | Description | |------------------------------------|----------------------------------------------------------------------------------|----------|----------------------------------------------------------------------------| 
@@ -69,4 +71,3 @@ Selectors are used on `storable` entries to describe metadata that is needed by | `gcp_secretmanager:projectid` | `gcp_secretmanager:projectid:some-project` | x | The Google Cloud project ID which the plugin will use Secret Manager | | `gcp_secretmanager:role` | `gcp_secretmanager:role:roles/secretmanager.viewer` | - | The Google Cloud role id for IAM policy (serviceaccount required when set) | | `gcp_secretmanager:serviceaccount` | `gcp_secretmanager:serviceaccount:test-secret@test-proj.iam.gserviceaccount.com` | - | The Google Cloud Service account for IAM policy (role required when set) | - diff --git a/doc/plugin_agent_workloadattestor_docker.md b/doc/plugin_agent_workloadattestor_docker.md index c5843b8e5d..5086453799 100644 --- a/doc/plugin_agent_workloadattestor_docker.md +++ b/doc/plugin_agent_workloadattestor_docker.md @@ -1,7 +1,7 @@ # Agent plugin: WorkloadAttestor "docker" The `docker` plugin generates selectors based on docker labels for workloads calling the agent. -It does so by retrieving the workload's container ID from its cgroup membership on Unix systems or Job Object names on Windows, +It does so by retrieving the workload's container ID from its cgroup membership on Unix systems or Job Object names on Windows, then querying the docker daemon for the container's labels. | Configuration | Description | Default | 
@@ -9,18 +9,18 @@ then querying the docker daemon for the container's labels. | docker_socket_path | The location of the docker daemon socket (Unix) | "unix:///var/run/docker.sock" | | docker_version | The API version of the docker daemon. If not specified | | | container_id_cgroup_matchers | A list of patterns used to discover container IDs from cgroup entries (Unix) | -| docker_host | The location of the Docker Engine API endpoint (Windows only) | "npipe:////./pipe/docker_engine" | +| docker_host | The location of the Docker Engine API endpoint (Windows only) | "npipe:////./pipe/docker_engine" | A sample configuration: -``` +```hcl WorkloadAttestor "docker" { plugin_data { } } ``` -### Workload Selectors +## Workload Selectors Since selectors are created dynamically based on the container's docker labels, there isn't a list of known selectors. Instead, each of the container's labels are used in creating the list of selectors. @@ -31,7 +31,7 @@ Instead, each of the container's labels are used in creating the list of selecto | `docker:env` | `docker:env:VAR=val` | The raw string value of each of the container's environment variables. | | `docker:image_id` | `docker:image_id:77af4d6b9913` | The image id of the container. | -### Container ID CGroup Matchers +## Container ID CGroup Matchers The patterns provided should use the wildcard `*` matching token and `` capture token to describe how a container id should be extracted from a cgroup entry. The @@ -39,7 +39,8 @@ given patterns MUST NOT be ambiguous and an error will be returned if multiple patterns can match the same input. Valid Example: -``` + +```hcl container_id_cgroup_matchers = [ "/docker/", "/my.slice/*//*" @@ -47,7 +48,8 @@ Valid Example: ``` Invalid Example: -``` + +```hcl container_id_cgroup_matchers = [ "/a/b/", "/*/b/" 
@@ -58,18 +60,22 @@ Note: The pattern provided is *not* a regular expression. It is a simplified mat language that enforces a forward slash-delimited schema. ## Example + ### Labels + If a workload container is started with `docker run --label com.example.name=foo [...]`, then workload registration would occur as: -``` -spire-server entry create \ + +```shell +$ spire-server entry create \ -parentID spiffe://example.org/host \ -spiffeID spiffe://example.org/host/foo \ -selector docker:label:com.example.name:foo ``` You can compose multiple labels as selectors. -``` -spire-server entry create \ + +```shell +$ spire-server entry create \ -parentID spiffe://example.org/host \ -spiffeID spiffe://example.org/host/foo \ -selector docker:label:com.example.name:foo @@ -80,8 +86,9 @@ spire-server entry create \ Example of an environment variable selector for the variable `ENVIRONMENT` matching a value of `prod`: -``` -spire-server entry create \ + +```shell +$ spire-server entry create \ -parentID spiffe://example.org/host \ -spiffeID spiffe://example.org/host/foo \ -selector docker:env:ENVIRONMENT=prod diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index 8ad81b8b8d..5cd6e58c0b 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md 
@@ -20,23 +20,29 @@ enabled). In the latter case, the hostname is used to perform certificate server name validation against the kubelet certificate. > **Note** kubelet authentication via bearer token requires that the kubelet be -> started with the `--authentication-token-webhook` flag. +> started with the `--authentication-token-webhook` flag. > See [Kubelet authentication/authorization](https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/) > for details. -> **Note** The kubelet uses the TokenReview API to validate bearer tokens. + + +> **Note** The kubelet uses the TokenReview API to validate bearer tokens. > This requires reachability to the Kubernetes API server. Therefore API server downtime can > interrupt workload attestation. The `--authentication-token-webhook-cache-ttl` kubelet flag > controls how long the kubelet caches TokenReview responses and may help to > mitigate this issue. A large cache ttl value is not recommended however, as > that can impact permission revocation. + + > **Note** Anonymous authentication with the kubelet requires that the > kubelet be started with the `--anonymous-auth` flag. It is discouraged to use anonymous > auth mode in production as it requires authorizing anonymous users to the `nodes/proxy` > resource that maps to some privileged operations, such as executing commands in > containers and reading pod logs. + + **Note** To run on Windows containers, Kubernetes v1.24+ and containerd v1.6+ are required, since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/) container is required on the agent container. 
@@ -71,15 +77,15 @@ since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/cre | k8s:pod-init-image | An Image OR ImageID of any init container in the workload's pod, [as reported by K8S](https://pkg.go.dev/k8s.io/api/core/v1#ContainerStatus). Selector value may be an image tag, such as: `docker.io/envoyproxy/envoy-alpine:v1.16.0`, or a resolved SHA256 image digest, such as `docker.io/envoyproxy/envoy-alpine@sha256:bf862e5f5eca0a73e7e538224578c5cf867ce2be91b5eaed22afc153c00363eb` | | k8s:pod-init-image-count | The number of init container images in workload's pod | -> **Note** `container-image` will ONLY match against the specific container in the pod that is contacting SPIRE on behalf of -> the pod, whereas `pod-image` and `pod-init-image` will match against ANY container or init container in the Pod, +> **Note** `container-image` will ONLY match against the specific container in the pod that is contacting SPIRE on behalf of +> the pod, whereas `pod-image` and `pod-init-image` will match against ANY container or init container in the Pod, > respectively. ## Examples To use the kubelet read-only port: -``` +```hcl WorkloadAttestor "k8s" { plugin_data { kubelet_read_only_port = 10255 @@ -89,7 +95,7 @@ WorkloadAttestor "k8s" { To use the secure kubelet port, verify via `/run/secrets/kubernetes.io/serviceaccount/ca.crt`, and authenticate via the default service account token: -``` +```hcl WorkloadAttestor "k8s" { plugin_data { } @@ -98,7 +104,7 @@ WorkloadAttestor "k8s" { To use the secure kubelet port, skip verification, and authenticate via the default service account token: -``` +```hcl WorkloadAttestor "k8s" { plugin_data { skip_kubelet_verification = true @@ -108,7 +114,7 @@ WorkloadAttestor "k8s" { To use the secure kubelet port, skip verification, and authenticate via some other token: -``` +```hcl WorkloadAttestor "k8s" { plugin_data { skip_kubelet_verification = true 
@@ -119,7 +125,7 @@ WorkloadAttestor "k8s" { To use the secure kubelet port, verify the kubelet certificate, and authenticate via an X509 client certificate: -``` +```hcl WorkloadAttestor "k8s" { plugin_data { kubelet_ca_path = "/path/to/kubelet-ca.pem" diff --git a/doc/plugin_agent_workloadattestor_unix.md b/doc/plugin_agent_workloadattestor_unix.md index 8ef8decffe..57b99adeb8 100644 --- a/doc/plugin_agent_workloadattestor_unix.md +++ b/doc/plugin_agent_workloadattestor_unix.md @@ -50,13 +50,11 @@ Defenses against this are: A sample configuration: -``` - WorkloadAttestor "unix" { - plugin_data { - } - } +```hcl + WorkloadAttestor "unix" { + } ``` -### Platform support +## Platform support This plugin is only supported on Unix systems. diff --git a/doc/plugin_agent_workloadattestor_windows.md b/doc/plugin_agent_workloadattestor_windows.md index 23fb70b242..5cd8c85228 100644 --- a/doc/plugin_agent_workloadattestor_windows.md +++ b/doc/plugin_agent_workloadattestor_windows.md @@ -8,7 +8,7 @@ It does so by opening an access token associated with the workload process. The | `discover_workload_path` | If true, the workload path will be discovered by the plugin and used to provide additional selectors | false | | `workload_size_limit` | The limit of workload binary sizes when calculating certain selectors (e.g. sha256). If zero, no limit is enforced. If negative, never calculate the hash. | 0 | -### Workload Selectors +## Workload Selectors | Selector | Value | |---------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 
@@ -39,20 +39,21 @@ Defenses against this are: The workload API does not yet support rate limiting, but when it does, this attack can be mitigated by using rate limiting in conjunction with non-negative `workload_size_limit`. -#### Notes +### Notes + - An enabled group in a token is a group that has the [SE_GROUP_ENABLED](https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-attributes-in-an-access-token) attribute. - User and group account names are expressed using the [down-level logon name format](https://docs.microsoft.com/en-us/windows/win32/secauthn/user-name-formats#down-level-logon-name). -### Configuration +## Configuration This plugin does not require any configuration setting. It can be added in the following way in the agent configuration file: -``` - WorkloadAttestor "windows" { - } +```hcl + WorkloadAttestor "windows" { + } ``` -### Platform support +## Platform support This plugin is only supported on Windows. diff --git a/doc/plugin_server_datastore_sql.md b/doc/plugin_server_datastore_sql.md index 46dd007036..a4430d7b0f 100644 --- a/doc/plugin_server_datastore_sql.md +++ b/doc/plugin_server_datastore_sql.md @@ -15,8 +15,6 @@ The `sql` plugin implements SQL based data storage for the SPIRE server using SQ | conn_max_lifetime | The maximum amount of time a connection may be reused (default: unlimited) | | disable_migration | True to disable auto-migration functionality. Use of this flag allows finer control over when datastore migrations occur and coordination of the migration of a datastore shared with a SPIRE Server cluster. Only available for databases from SPIRE Code version 0.9.0 or later. | - - For more information on the `max_open_conns`, `max_idle_conns`, and `conn_max_lifetime`, refer to the documentation for the Go [`database/sql`](https://golang.org/pkg/database/sql/#DB) package. 
@@ -25,12 +23,14 @@ documentation for the Go [`database/sql`](https://golang.org/pkg/database/sql/#D ### `database_type = "sqlite3"` Save database in file: -``` + +```hcl connection_string="DATABASE_FILE.db" ``` Save database in memory: -``` + +```hcl connection_string="file:memdb?mode=memory&cache=shared" ``` @@ -38,7 +38,7 @@ If you are compiling SPIRE from source, please see [SQLite and CGO](#sqlite-and- #### Sample configuration -``` +```hcl DataStore "sql" { plugin_data { database_type = "sqlite3" @@ -53,11 +53,12 @@ The `connection_string` for the PostreSQL database connection consists of the nu For example: -``` +```hcl connection_string="dbname=postgres user=postgres password=password host=localhost sslmode=disable" ``` #### Configuration Options + * dbname - The name of the database to connect to * user - The user to sign in as * password - The user's password @@ -75,6 +76,7 @@ connection_string="dbname=postgres user=postgres password=password host=localhos must contain PEM encoded data. #### Valid sslmode configurations + * disable - No SSL * require - Always SSL (skip verification) * verify-ca - Always SSL (verify that the certificate presented by the @@ -85,7 +87,7 @@ connection_string="dbname=postgres user=postgres password=password host=localhos #### Sample configuration -``` +```hcl DataStore "sql" { plugin_data { database_type = "postgres" 
@@ -98,19 +100,20 @@ connection_string="dbname=postgres user=postgres password=password host=localhos The `connection_string` for the MySQL database connection consists of the number of configuration options (optional parts marked by square brackets): -```` +```text username[:password]@][protocol[(address)]]/dbname[?param1=value1&...¶mN=valueN] -```` +``` For example: -``` +```hcl connection_string="username:password@tcp(localhost:3306)/dbname?parseTime=true" ``` Consult the [MySQL driver repository](https://github.com/go-sql-driver/mysql#usage) for more `connection_string` options. #### Configuration Options + * dbname - The name of the database to connect to * username - The user to sign in as * password - The user's password @@ -121,7 +124,7 @@ If you need to use custom Root CA, just specify `root_ca_path` in the plugin con #### Sample configuration -``` +```hcl DataStore "sql" { plugin_data { database_type = "mysql" @@ -131,6 +134,7 @@ If you need to use custom Root CA, just specify `root_ca_path` in the plugin con ``` #### Read Only connection + Read Only connection will be used when the optional `ro_connection_string` is set. The formatted string takes the same form as connection_string. This option is not applicable for SQLite3. ## SQLite and CGO diff --git a/doc/plugin_server_keymanager_aws_kms.md b/doc/plugin_server_keymanager_aws_kms.md index 669f98e9b4..d76086e432 100644 --- a/doc/plugin_server_keymanager_aws_kms.md +++ b/doc/plugin_server_keymanager_aws_kms.md 
@@ -14,7 +14,6 @@ The plugin accepts the following configuration options: | key_metadata_file | string | yes | A file path location where information about generated keys will be persisted | | | key_policy_file | string | no | A file path location to a custom key policy in JSON format | "" | - ### Alias and Key Management The plugin assigns [aliases](https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html) to the Customer Master Keys that manages. The aliases are used to identify and name keys that are managed by the plugin. 
@@ -44,55 +43,56 @@ The IAM role must have an attached policy with the following permissions: - `kms:UpdateAlias` - `kms:DeleteAlias` - ### Key policy + The plugin can generate keys using a default key policy or it can load and use a user defined policy. #### Default key policy + The default key policy relies on the SPIRE Server's assumed role. Therefore, it is mandatory for SPIRE server to assume a role in order to use the default policy. ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Allow full access to the SPIRE Server role", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::111122223333:role/example-assumed-role-name" - }, - "Action": "kms:*", - "Resource": "*" - }, + "Version": "2012-10-17", + "Statement": [ { - "Sid": "Allow KMS console to display the key and policy", + "Sid": "Allow full access to the SPIRE Server role", "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam::111122223333:root" + "AWS": "arn:aws:iam::111122223333:role/example-assumed-role-name" }, - "Action": [ - "kms:Describe*", - "kms:List*", - "kms:Get*" - ], + "Action": "kms:*", "Resource": "*" - } - ] + }, + { + "Sid": "Allow KMS console to display the key and policy", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:root" + }, + "Action": [ + "kms:Describe*", + "kms:List*", + "kms:Get*" + ], + "Resource": "*" + } + ] } ``` - The first statement of the policy gives the current SPIRE server assumed role full access to the CMK. - The second statement allows the keys and policy to be displayed in the KMS console. - #### Custom key policy It is also possible for the user to define a custom key policy. If the configurable `key_policy_file` is set, the plugin uses the policy defined in the file instead of the default policy. + ## Sample Plugin Configuration -``` +```hcl KeyManager "aws_kms" { plugin_data { region = "us-east-2" 
diff --git a/doc/plugin_server_keymanager_disk.md b/doc/plugin_server_keymanager_disk.md index 25bd6890d4..b5b3e67026 100644 --- a/doc/plugin_server_keymanager_disk.md +++ b/doc/plugin_server_keymanager_disk.md @@ -11,10 +11,10 @@ The plugin accepts the following configuration options: A sample configuration: -``` - KeyManager "disk" { - plugin_data = { - keys_path = "/opt/spire/data/server/keys.json" - } - } +```hcl + KeyManager "disk" { + plugin_data = { + keys_path = "/opt/spire/data/server/keys.json" + } + } ``` diff --git a/doc/plugin_server_nodeattestor_aws_iid.md b/doc/plugin_server_nodeattestor_aws_iid.md index 1b7019187c..c53f7c1c2a 100644 --- a/doc/plugin_server_nodeattestor_aws_iid.md +++ b/doc/plugin_server_nodeattestor_aws_iid.md @@ -1,4 +1,5 @@ # Server plugin: NodeAttestor "aws_iid" + *Must be used in conjunction with the agent-side aws_iid plugin* The `aws_iid` plugin automatically attests instances using the AWS Instance @@ -9,6 +10,7 @@ attested by the aws_iid attestor will be issued a SPIFFE ID like this plugin resolves the agent's AWS IID-based SPIFFE ID into a set of selectors. ## Configuration + | Configuration | Description | Default | |--------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------| | `access_key_id` | AWS access key id | Value of `AWS_ACCESS_KEY_ID` environment variable | @@ -19,11 +21,11 @@ this plugin resolves the agent's AWS IID-based SPIFFE ID into a set of selectors A sample configuration: -``` +```hcl NodeAttestor "aws_iid" { plugin_data { - access_key_id = "ACCESS_KEY_ID" - secret_access_key = "SECRET_ACCESS_KEY" + access_key_id = "ACCESS_KEY_ID" + secret_access_key = "SECRET_ACCESS_KEY" } } ``` 
@@ -31,21 +33,25 @@ A sample configuration: If `assume_role` is set, the spire server will assume the role as specified by the template `arn:aws:iam::{{AccountID}}:role/{{AssumeRole}}` where `AccountID` is taken from the AWS IID document sent by the spire agent to the spire server and `AssumeRole` comes from the AWS NodeAttestor plugin configuration. In the following configuration, -``` + +```hcl NodeAttestor "aws_iid" { plugin_data { assume_role = "spire-server-delegate" } } ``` + assuming AWS IID document sent from the spire agent contains `accountId : 12345678`, the spire server will assume "arn:aws:iam::12345678:role/spire-server-delegate" role before making any AWS call for the node attestation. If `assume_role` is configured, the spire server will always assume the role even if the both the spire-server and the spire agent is deployed in the same account. ## Disabling Instance Profile Selectors + In cases where spire-server is running in a location with no public internet access available, setting `disable_instance_profile_selectors = true` will prevent the server from making requests to `iam.amazonaws.com`. This is needed as spire-server will fail to attest nodes as it cannot retrieve the metadata information. When this is enabled, `IAM Role` selector information will no longer be available for use. ## AWS IAM Permissions + The user or role identified by the configured credentials must have permissions for `ec2:DescribeInstances`. The following is an example for a IAM policy needed to get instance's info from AWS. @@ -67,9 +73,10 @@ The following is an example for a IAM policy needed to get instance's info from } ``` -For more information on security credentials, see https://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html. +For more information on security credentials, see . ## Supported Selectors + This plugin generates the following selectors related to the instance where the agent is running: | Selector | Example | Description | 
@@ -84,6 +91,7 @@ All of the selectors have the type `aws_iid`. The `IAM role` selector is included in the generated set of selectors only if the instance has an IAM Instance Profile associated and `disable_instance_profile_selectors = false` ## Security Considerations + The AWS Instance Identity Document, which this attestor leverages to prove node identity, is available to any process running on the node by default. As a result, it is possible for non-agent code running on a node to attest to the SPIRE Server, allowing it to obtain any workload identity that the node is authorized to run. While many operators choose to configure their systems to block access to the Instance Identity Document, the SPIRE project cannot guarantee this posture. To mitigate the associated risk, the `aws_iid` node attestor implements Trust On First Use (or TOFU) semantics. For any given node, attestation may occur only once. Subsequent attestation attempts will be rejected. diff --git a/doc/plugin_server_nodeattestor_azure_msi.md b/doc/plugin_server_nodeattestor_azure_msi.md index 969887be38..c64b50bdf9 100644 --- a/doc/plugin_server_nodeattestor_azure_msi.md +++ b/doc/plugin_server_nodeattestor_azure_msi.md @@ -8,12 +8,12 @@ which is passed to the server. The server validates the signed MSI token and extracts the Tenant ID and Principal ID to form the agent SPIFFE ID. The SPIFFE ID has the form: -``` -spiffe:///spire/agent/azure_msi// +```xml +spiffe:///spire/agent/azure_msi// ``` The server does not need to be running in Azure in order to perform node -attestation or to resolve selectors. +attestation or to resolve selectors. ## Configuration 
@@ -22,17 +22,15 @@ attestation or to resolve selectors. | `tenants` | Required | A map of tenants, keyed by tenant ID, that are authorized for attestation. Tokens for unspecified tenants are rejected. | | | `agent_path_template` | Optional | A URL path portion format of Agent's SPIFFE ID. Describe in text/template format. | `"/{{ .PluginName }}/{{ .TenantID }}/{{ .PrincipalID }}"` | - - Each tenant in the main configuration supports the following -| Configuration | Required | Description | Default | -|-------------------|--------------------------------------|-----------------------------------------------------------------------------------------------------------|-------------------------------| -| `resource_id` | Optional | The resource ID (or audience) for the tenant's MSI token. Tokens for a different resource ID are rejected | https://management.azure.com/ | -| `use_msi` | [Optional](#authenticating-to-azure) | Whether or not to use MSI to authenticate to Azure services for selector resolution. | false | -| `subscription_id` | [Optional](#authenticating-to-azure) | The subscription the tenant resides in | | -| `app_id` | [Optional](#authenticating-to-azure) | The application id | | -| `app_secret` | [Optional](#authenticating-to-azure) | The application secret | | +| Configuration | Required | Description | Default | +|-------------------|--------------------------------------|-----------------------------------------------------------------------------------------------------------|---------------------------------| +| `resource_id` | Optional | The resource ID (or audience) for the tenant's MSI token. Tokens for a different resource ID are rejected | | +| `use_msi` | [Optional](#authenticating-to-azure) | Whether or not to use MSI to authenticate to Azure services for selector resolution. 
| false | +| `subscription_id` | [Optional](#authenticating-to-azure) | The subscription the tenant resides in | | +| `app_id` | [Optional](#authenticating-to-azure) | The application id | | +| `app_secret` | [Optional](#authenticating-to-azure) | The application secret | | It is important to note that the resource ID MUST be for a well known Azure service, or an app ID for a registered app in Azure AD. Azure will not issue an @@ -55,7 +53,7 @@ required, however, it will be in a future release. #### Default Resource ID and App Authentication -``` +```hcl NodeAttestor "azure_msi" { plugin_data { tenants = { @@ -72,7 +70,7 @@ required, however, it will be in a future release. #### Custom Resource ID and MSI Authentication -``` +```hcl NodeAttestor "azure_msi" { plugin_data { tenants = { @@ -100,6 +98,7 @@ The plugin produces the following selectors. All of the selectors have the type `azure_msi`. ## Agent Path Template + The agent path template is a way of customizing the format of generated SPIFFE IDs for agents. The template formatter is using Golang text/template conventions, it can reference values provided by the plugin or in a [MSI access token](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#payload-claims). 
@@ -112,6 +111,7 @@ Some useful values are: | .PrincipalID | A identifier that is unique to a particular application ID | ## Security Considerations + The Azure Managed Service Identity token, which this attestor leverages to prove node identity, is available to any process running on the node by default. As a result, it is possible for non-agent code running on a node to attest to the SPIRE Server, allowing it to obtain any workload identity that the node is authorized to run. While many operators choose to configure their systems to block access to the Managed Service Identity token, the SPIRE project cannot guarantee this posture. To mitigate the associated risk, the `azure_msi` node attestor implements Trust On First Use (or TOFU) semantics. For any given node, attestation may occur only once. Subsequent attestation attempts will be rejected. diff --git a/doc/plugin_server_nodeattestor_gcp_iit.md b/doc/plugin_server_nodeattestor_gcp_iit.md index 7dad8bc449..3a2d2756b1 100644 --- a/doc/plugin_server_nodeattestor_gcp_iit.md +++ b/doc/plugin_server_nodeattestor_gcp_iit.md @@ -20,7 +20,7 @@ This plugin requires an allow list of ProjectID from which nodes can be attested A sample configuration: -``` +```hcl NodeAttestor "gcp_iit" { plugin_data { projectid_allow_list = ["project-123"] 
@@ -63,12 +63,15 @@ corresponding selector will still have a trailing colon (i.e. `gcp_iit:label::`, `gcp_iit:metadata::`) ## Authenticating with the Google Compute Engine API + The plugin uses the Application Default Credentials to authenticate with the Google Compute Engine API, as documented by [Setting Up Authentication For Server to Server](https://cloud.google.com/docs/authentication/production). When SPIRE Server is running inside GCP, it will use the default service account credentials available to the instance it is running under. When running outside GCP, or if non-default credentials are needed, the path to the service account file containing the credentials may be specified using the `GOOGLE_APPLICATION_CREDENTIALS` environment variable or the `service_account_file` configurable (see Configuration). The service account must have IAM permissions and Authorization Scopes granting access to the following APIs: + * [compute.instances.get](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get) ## Agent Path Template + The agent path template is a way of customizing the format of generated SPIFFE IDs for agents. The template formatter is using Golang text/template conventions, it can reference values provided by the plugin or in a [Compute Engine identity token](https://cloud.google.com/compute/docs/instances/verifying-instance-identity#payload). 
@@ -83,8 +86,8 @@ Some useful values are: | .Zone | The zone where the instance is located | | .InstanceCreationTimestamp | A Unix timestamp indicating when you created the instance. | - ## Security Considerations + The Instance Identity Token, which this attestor leverages to prove node identity, is available to any process running on the node by default. As a result, it is possible for non-agent code running on a node to attest to the SPIRE Server, allowing it to obtain any workload identity that the node is authorized to run. While many operators choose to configure their systems to block access to the Instance Identity Token, the SPIRE project cannot guarantee this posture. To mitigate the associated risk, the `gcp_iit` node attestor implements Trust On First Use (or TOFU) semantics. For any given node, attestation may occur only once. Subsequent attestation attempts will be rejected. diff --git a/doc/plugin_server_nodeattestor_jointoken.md b/doc/plugin_server_nodeattestor_jointoken.md index 88d030bdc5..8e26f82fc5 100644 --- a/doc/plugin_server_nodeattestor_jointoken.md +++ b/doc/plugin_server_nodeattestor_jointoken.md @@ -7,8 +7,8 @@ token must be generated by the server before it can be used to attest a node. The server uses the token to generate a SPIFFE ID with the form: -``` -spiffe:///spire/agent/join_token/ +```xml +spiffe:///spire/agent/join_token/ ``` This plugin has no configuration options. Tokens may be generated through the diff --git a/doc/plugin_server_nodeattestor_k8s_psat.md b/doc/plugin_server_nodeattestor_k8s_psat.md index 8ee81beeda..7dcd68cd95 100644 --- a/doc/plugin_server_nodeattestor_k8s_psat.md +++ b/doc/plugin_server_nodeattestor_k8s_psat.md 
@@ -7,8 +7,8 @@ validates the signed projected service account token provided by the agent. This validation is performed using Kubernetes [Token Review API](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#tokenreview-v1-authentication-k8s-io). In addition to validation, this API provides other useful information (namespace, service account name and pod name) that SPIRE server uses to build selectors. Kubernetes API server is also queried to get extra data like node UID, which is used to generate a SPIFFE ID with the form: -``` -spiffe:///spire/agent/k8s_psat// +```xml +spiffe:///spire/agent/k8s_psat// ``` The server does not need to be running in Kubernetes in order to perform node @@ -33,7 +33,7 @@ Each cluster in the main configuration requires the following configuration: A sample configuration for SPIRE server running inside of a Kubernetes cluster: -``` +```hcl NodeAttestor "k8s_psat" { plugin_data { clusters = { @@ -46,7 +46,7 @@ A sample configuration for SPIRE server running inside of a Kubernetes cluster: A sample configuration for SPIRE server running outside of a Kubernetes cluster: -``` +```hcl NodeAttestor "k8s_psat" { plugin_data { clusters = { @@ -75,5 +75,4 @@ This plugin generates the following selectors: The node and pod selectors are only provided for label keys in the `allowed_node_label_keys` and `allowed_pod_label_keys` configurables. - A full example of this attestor is provided in [the SPIRE examples repository](https://github.com/spiffe/spire-examples/tree/main/examples/k8s/simple_psat) diff --git a/doc/plugin_server_nodeattestor_k8s_sat.md b/doc/plugin_server_nodeattestor_k8s_sat.md index dcf59d8921..7daa1c166c 100644 --- a/doc/plugin_server_nodeattestor_k8s_sat.md +++ b/doc/plugin_server_nodeattestor_k8s_sat.md 
@@ -5,6 +5,7 @@ The `k8s_sat` plugin attests nodes running in inside of Kubernetes. The server validates the signed service account token provided by the agent. This validation can be done in two different ways depending on the value of the `use_token_review_api_validation` flag: + + If this value is set to `false` (default behavior), the attestor validates the token locally using the key provided in `service_account_key_file`. + If this value is set to `true`, the validation is performed using the Kubernetes [Token Review API](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/). @@ -13,8 +14,8 @@ you should instead consider using the `k8s_psat` attestor due to the [security c The server uses a one-time UUID provided by the agent to generate a SPIFFE ID with the form: -``` -spiffe:///spire/agent/k8s_sat// +```xml +spiffe:///spire/agent/k8s_sat// ``` The server does not need to be running in Kubernetes in order to perform node 
@@ -36,9 +37,9 @@ Each cluster in the main configuration requires the following configuration: | `service_account_key_file` | It is only used if `use_token_review_api_validation` is set to `false`. Path on disk to a PEM encoded file containing public keys used in validating tokens for that cluster. RSA and ECDSA keys are supported. For RSA, X509 certificates, PKCS1, and PKIX encoded public keys are accepted. For ECDSA, X509 certificates, and PKIX encoded public keys are accepted. | | | `kube_config_file` | It is only used if `use_token_review_api_validation` is set to `true`. Path to a k8s configuration file for API Server authentication. A Kubernetes configuration file must be specified if SPIRE server runs outside of the k8s cluster. If empty, SPIRE server is assumed to be running inside the cluster and in-cluster configuration is used. | "" | - A sample configuration for SPIRE server running inside or outside of a Kubernetes cluster and validating the service account token with a key file located at `"/run/k8s-certs/sa.pub"`: -``` + +```hcl NodeAttestor "k8s_sat" { plugin_data { clusters = { @@ -51,7 +52,8 @@ A sample configuration for SPIRE server running inside or outside of a Kubernete ``` A sample configuration for SPIRE server running inside of a Kubernetes cluster and validating the service account token with the kubernetes token review API: -``` + +```hcl NodeAttestor "k8s_sat" { plugin_data { clusters = { @@ -64,7 +66,8 @@ A sample configuration for SPIRE server running inside of a Kubernetes cluster a ``` A sample configuration for SPIRE server running outside of a Kubernetes cluster and validating the service account token with the kubernetes token review API: -``` + +```hcl NodeAttestor "k8s_sat" { plugin_data { clusters = { diff --git a/doc/plugin_server_nodeattestor_sshpop.md b/doc/plugin_server_nodeattestor_sshpop.md index d7915f8b76..b79bae1aa8 100644 --- a/doc/plugin_server_nodeattestor_sshpop.md +++ b/doc/plugin_server_nodeattestor_sshpop.md 
@@ -11,8 +11,8 @@ private key. The SPIFFE ID produced by the plugin is based on the certificate fingerprint, which is an unpadded url-safe base64 encoded sha256 hash of the certificate in openssh format. -``` -spiffe:///spire/agent/sshpop/ +```xml +spiffe:///spire/agent/sshpop/ ``` | Configuration | Description | Default | @@ -24,11 +24,11 @@ spiffe:///spire/agent/sshpop/ If both `cert_authorities` and `cert_authorities_path` are configured, the resulting set of authorized keys is the union of both sets. -### Example Config +## Example Config -##### agent.conf +### agent.conf -``` +```hcl NodeAttestor "sshpop" { plugin_data { host_cert_path = "./conf/agent/dummy_agent_ssh_key-cert.pub" @@ -37,9 +37,9 @@ If both `cert_authorities` and `cert_authorities_path` are configured, the resul } ``` -##### server.conf +### server.conf -``` +```hcl NodeAttestor "sshpop" { plugin_data { cert_authorities = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEAWPAsKJ/qMYUIBeH7BLMRCE/bkUvMHX+7OZhANk45S"] diff --git a/doc/plugin_server_nodeattestor_tpm_devid.md b/doc/plugin_server_nodeattestor_tpm_devid.md index 4e9372e485..db5614f756 100644 --- a/doc/plugin_server_nodeattestor_tpm_devid.md +++ b/doc/plugin_server_nodeattestor_tpm_devid.md 
@@ -3,53 +3,51 @@ *Must be used in conjunction with the agent-side tpm_devid plugin* The `tpm_devid` plugin attests nodes that own a TPM -and that have been provisioned with a DevID certificate through an out-of-band -mechanism. +and that have been provisioned with a DevID certificate through an out-of-band +mechanism. The plugin issues two challenges to the agent: -1. A proof-of-possession challenge: This is required to verify the node is in -possession of the private key that corresponds to the DevID certificate. +1. A proof-of-possession challenge: This is required to verify the node is in +possession of the private key that corresponds to the DevID certificate. Additionally, the server verifies that the DevID certificate is rooted to a trusted set of CAs. -2. A proof-of-residency challenge: This is required to prove that the DevID -key pair was generated and resides in a TPM. Additionally, the server verifies +2. A proof-of-residency challenge: This is required to prove that the DevID +key pair was generated and resides in a TPM. Additionally, the server verifies that the TPM is authentic by verifying that the endorsement certificate is rooted to a trusted set of manufacturer CAs. - The SPIFFE ID produced by the plugin is based on the certificate fingerprint, where the fingerprint is defined as the SHA1 hash of the ASN.1 DER encoding of -the identity certificate. +the identity certificate. The SPIFFE ID has the form: -``` -spiffe:///spire/agent/tpm_devid/ +```xml +spiffe:///spire/agent/tpm_devid/ ``` - -| Configuration | Description | Default | +| Configuration | Description | Default | |-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------| -| `devid_ca_path` | The path to the trusted CA certificate(s) on disk to use for DevID validation. 
The file must contain one or more PEM blocks forming the set of trusted root CA's for chain-of-trust verification. | | -| `endorsement_ca_path` | The path to the trusted manufacturer CA certificate(s) on disk. The file must contain one or more PEM blocks forming the set of trusted manufacturer CA's for chain-of-trust verification. | | +| `devid_ca_path` | The path to the trusted CA certificate(s) on disk to use for DevID validation. The file must contain one or more PEM blocks forming the set of trusted root CA's for chain-of-trust verification. | | +| `endorsement_ca_path` | The path to the trusted manufacturer CA certificate(s) on disk. The file must contain one or more PEM blocks forming the set of trusted manufacturer CA's for chain-of-trust verification. | | A sample configuration: -``` - NodeAttestor "tpm_devid" { - plugin_data { - devid_ca_path = "/opt/spire/conf/server/devid-cacert.pem" - endorsement_ca_path = "/opt/spire/conf/server/endorsement-cacert.pem" - } - } +```hcl + NodeAttestor "tpm_devid" { + plugin_data { + devid_ca_path = "/opt/spire/conf/server/devid-cacert.pem" + endorsement_ca_path = "/opt/spire/conf/server/endorsement-cacert.pem" + } + } ``` ## Selectors -| Selector | Example | Description | +| Selector | Example | Description | |-----------------------------|-------------------------------------------------------------------|------------------------------------------------------------------------------------------| -| Subject common name | `tpm_devid:subject:cn:example.org` | The subject's common name. | -| Issuer common name | `tpm_devid:issuer:cn:authority.org` | The issuer's common name. | -| SHA1 fingerprint | `tpm_devid:fingerprint:9ba51e2643bea24e91d24bdec3a1aaf8e967b6e5` | The SHA1 fingerprint as a hex string for each cert in the PoP chain, excluding the leaf. | +| Subject common name | `tpm_devid:subject:cn:example.org` | The subject's common name. 
| +| Issuer common name | `tpm_devid:issuer:cn:authority.org` | The issuer's common name. | +| SHA1 fingerprint | `tpm_devid:fingerprint:9ba51e2643bea24e91d24bdec3a1aaf8e967b6e5` | The SHA1 fingerprint as a hex string for each cert in the PoP chain, excluding the leaf. | diff --git a/doc/plugin_server_nodeattestor_x509pop.md b/doc/plugin_server_nodeattestor_x509pop.md index 3dd3c31e7f..7ca860ef7d 100644 --- a/doc/plugin_server_nodeattestor_x509pop.md +++ b/doc/plugin_server_nodeattestor_x509pop.md @@ -12,8 +12,8 @@ The SPIFFE ID produced by the plugin is based on the certificate fingerprint, where the fingerprint is defined as the SHA1 hash of the ASN.1 DER encoding of the identity certificate. The SPIFFE ID has the form: -``` -spiffe:///spire/agent/x509pop/ +```xml +spiffe:///spire/agent/x509pop/ ``` | Configuration | Description | Default | @@ -24,15 +24,15 @@ spiffe:///spire/agent/x509pop/ A sample configuration: -``` - NodeAttestor "x509pop" { - plugin_data { - ca_bundle_path = "/opt/spire/conf/server/agent-cacert.pem" - - # Change the agent's SPIFFE ID format - # agent_path_template = "/cn/{{ .Subject.CommonName }}" - } - } +```hcl + NodeAttestor "x509pop" { + plugin_data { + ca_bundle_path = "/opt/spire/conf/server/agent-cacert.pem" + + # Change the agent's SPIFFE ID format + # agent_path_template = "/cn/{{ .Subject.CommonName }}" + } + } ``` ## Selectors @@ -43,6 +43,7 @@ A sample configuration: | SHA1 Fingerprint | `x509pop:ca:fingerprint:0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33` | The SHA1 fingerprint as a hex string for each cert in the PoP chain, excluding the leaf. | ## Agent Path Template + The agent path template is a way of customizing the format of generated SPIFFE IDs for agents. The template formatter is using Golang text/template conventions, it can reference values provided by the plugin or in a [golang x509.Certificate](https://pkg.go.dev/crypto/x509#Certificate) 
@@ -54,4 +55,4 @@ Some useful values are: | .Fingerprint | The SHA1 fingerprint of the agent's x509 certificate | | .TrustDomain | The configured trust domain | | .Subject.CommonName | The common name field of the agent's x509 certificate | -| .Subject.SerialNumber | The serial number field of the agent's x509 certificate | \ No newline at end of file +| .Subject.SerialNumber | The serial number field of the agent's x509 certificate | diff --git a/doc/plugin_server_notifier_gcs_bundle.md b/doc/plugin_server_notifier_gcs_bundle.md index 591aa52077..eb262194e1 100644 --- a/doc/plugin_server_notifier_gcs_bundle.md +++ b/doc/plugin_server_notifier_gcs_bundle.md @@ -30,7 +30,7 @@ The following configuration uploads bundle contents to the `spire-bundle.pem` object in the `my-bucket` bucket. The bundle is uploaded using Application Default Credentials available in the environment SPIRE server is running in. -``` +```hcl Notifier "gcs_bundle" { plugin_data { bucket = "my-bucket" @@ -45,7 +45,7 @@ The following configuration uploads bundle contents to the `spire-bundle.pem` object in the `my-bucket` bucket. The bundle is uploaded using Service Account credentials found in the `/path/to/service/account/file` file. -``` +```hcl Notifier "gcs_bundle" { plugin_data { bucket = "my-bucket" diff --git a/doc/plugin_server_notifier_k8sbundle.md b/doc/plugin_server_notifier_k8sbundle.md index f34f568052..ed0c6e262f 100644 --- a/doc/plugin_server_notifier_k8sbundle.md +++ b/doc/plugin_server_notifier_k8sbundle.md 
@@ -23,10 +23,10 @@ The plugin accepts the following configuration options: The following actions are required to set up the plugin. - Bind ClusterRole or Role that can `get` and `patch` the ConfigMap to Service Account - - In the case of in-cluster SPIRE server, it is Service Account that runs the SPIRE server - - In the case of out-of-cluster SPIRE server, it is Service Account that interacts with the Kubernetes API server - - In the case of setting `webhook_label`, the ClusterRole or Role additionally needs permissions to `get`, `list`, `patch`, and `watch` `mutatingwebhookconfigurations` and `validatingwebhookconfigurations`. - - In the case of setting `api_service_label`, the ClusterRole or Role additionally needs permissions to `get`, `list`, `patch`, and `watch` `apiservices`. + - In the case of in-cluster SPIRE server, it is Service Account that runs the SPIRE server + - In the case of out-of-cluster SPIRE server, it is Service Account that interacts with the Kubernetes API server + - In the case of setting `webhook_label`, the ClusterRole or Role additionally needs permissions to `get`, `list`, `patch`, and `watch` `mutatingwebhookconfigurations` and `validatingwebhookconfigurations`. + - In the case of setting `api_service_label`, the ClusterRole or Role additionally needs permissions to `get`, `list`, `patch`, and `watch` `apiservices`. - Create the ConfigMap that the plugin pushes For example: @@ -95,7 +95,7 @@ rules: The following configuration pushes bundle contents from an in-cluster SPIRE server to the `bundle.crt` key in the `spire:spire-bundle` ConfigMap. -``` +```hcl Notifier "k8sbundle" { plugin_data { } @@ -108,7 +108,7 @@ The following configuration pushes bundle contents from an out-of-cluster SPIRE server to the `boostrap.crt` key in the `infra:agents` ConfigMap using the credentials found in the `/path/to/kubeconfig` file. -``` +```hcl Notifier "k8sbundle" { plugin_data { namespace = "infra" 
@@ -123,11 +123,12 @@ the credentials found in the `/path/to/kubeconfig` file. The following configuration pushes bundle contents from an in-cluster SPIRE server to + - The `bundle.crt` key in the `spire:spire-bundle` ConfigMap - Validating and mutating webhooks with a label of `spiffe.io/webhook: true` - API services with a label of `spiffe.io/api_service: true` -``` +```hcl Notifier "k8sbundle" { plugin_data { webhook_label = "spiffe.io/webhook" @@ -138,7 +139,7 @@ server to ### Multiple clusters -``` +```hcl Notifier "k8sbundle" { plugin_data { # local cluster diff --git a/doc/plugin_server_upstreamauthority_aws_pca.md b/doc/plugin_server_upstreamauthority_aws_pca.md index d3636c7b77..860861162a 100644 --- a/doc/plugin_server_upstreamauthority_aws_pca.md +++ b/doc/plugin_server_upstreamauthority_aws_pca.md @@ -23,7 +23,7 @@ See [AWS Certificate Manager Private Certificate Authority](https://aws.amazon.c Sample configuration: -``` +```hcl UpstreamAuthority "aws_pca" { plugin_data { region = "us-west-2" diff --git a/doc/plugin_server_upstreamauthority_awssecret.md b/doc/plugin_server_upstreamauthority_awssecret.md index 69c77a2ed5..22c589442f 100644 --- a/doc/plugin_server_upstreamauthority_awssecret.md +++ b/doc/plugin_server_upstreamauthority_awssecret.md 
@@ -19,7 +19,7 @@ The plugin accepts the following configuration options: Only the region, cert_file_arn, and key_file_arn must be configured. You optionally configure the remaining fields depending on how you choose to give SPIRE Server access to the ARNs. -| If SPIRE Server Accesses the ARNs | then these additional fields are mandatory | +| If SPIRE Server Accesses the ARNs | then these additional fields are mandatory | |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------| | by providing an access key id and secret access key | `access_key_id`, `secret_access_key` | | by using temporary credentials for an IAM account (*NOTE:* It is the server user's responsibility to provide a new valid token whenever the server is started) | `access_key_id`, `secret_access_key`, `secret_token` | 
@@ -28,13 +28,13 @@ Only the region, cert_file_arn, and key_file_arn must be configured. You optiona Because the plugin fetches the secrets from the AWS secrets manager only at startup, automatic rotation of secrets is not advised. -SPIRE Server requires that you employ a distinct Amazon Resource Name (ARN) for the CA certificate and the CA key. +SPIRE Server requires that you employ a distinct Amazon Resource Name (ARN) for the CA certificate and the CA key. -For more information on the AWS Secrets Manager, see the [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) documentation.  +For more information on the AWS Secrets Manager, see the [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) documentation. A sample configuration: -``` +```hcl UpstreamAuthority "awssecret" { plugin_data { region = "us-west-2", diff --git a/doc/plugin_server_upstreamauthority_cert_manager.md b/doc/plugin_server_upstreamauthority_cert_manager.md index c653a518d5..74feae02cd 100644 --- a/doc/plugin_server_upstreamauthority_cert_manager.md +++ b/doc/plugin_server_upstreamauthority_cert_manager.md @@ -9,13 +9,14 @@ This plugin will request a signing certificate from cert-manager via a resource. Once the referenced issuer has signed the request, the intermediate and CA bundle is retrieved by SPIRE. -# Considerations +## Considerations + This plugin requires access to a Kubernetes cluster running cert-manager and create CertificateRequests. Only issuers that have support for providing signing certificates are supported. -# Permissions +## Permissions The provided kubeconfig must include a Kubernetes client that has [create permissions for CertificateRequests](https://cert-manager.io/docs/concepts/certificaterequest/) 
@@ -24,7 +25,8 @@ Kubernetes client is, as this may have implications on the [approval flow](https://cert-manager.io/docs/concepts/certificaterequest/#userinfo) if running a custom approver. -# Configuration +## Configuration + This plugin requests certificates from the configured [cert-manager](https://cert-manager.io/docs/configuration/) issuer. @@ -36,7 +38,6 @@ This plugin requests certificates from the configured | issuer_kind | (Optional) The kind of the issuer to reference in CertificateRequests. Defaults to "Issuer" if empty. | | issuer_group | (Optional) The group of the issuer to reference in CertificateRequests. Defaults to "cert-manager.io" if empty. | - ```hcl UpstreamAuthority "cert-manager" { plugin_data { diff --git a/doc/plugin_server_upstreamauthority_disk.md b/doc/plugin_server_upstreamauthority_disk.md index 6ebc965f9b..4e4335af57 100644 --- a/doc/plugin_server_upstreamauthority_disk.md +++ b/doc/plugin_server_upstreamauthority_disk.md @@ -36,7 +36,7 @@ Key files must contain a single PEM encoded key. The supported key types are EC A sample configuration: -``` +```hcl UpstreamAuthority "disk" { plugin_data { cert_file_path = "conf/server/dummy_upstream_ca.crt" diff --git a/doc/plugin_server_upstreamauthority_gcp_cas.md b/doc/plugin_server_upstreamauthority_gcp_cas.md index 2ae335ab78..1939c56223 100644 --- a/doc/plugin_server_upstreamauthority_gcp_cas.md +++ b/doc/plugin_server_upstreamauthority_gcp_cas.md @@ -3,7 +3,8 @@ The `gcp_cas` plugin uses the Certificate Authority from Google Cloud Platform, known as "Certificate Authority Service" (CAS), to generate intermediate signing certificates for SPIRE Server. -# Configuration +## Configuration + The plugin has a mandatory root_cert_spec section. It is used to specify which CAs are used for signing intermediate CAs as well as being part of the trusted root bundle. If it matches multiple CAs, the earliest expiring CA is used for signing. 
@@ -18,7 +19,7 @@ The plugin has a mandatory root_cert_spec section. It is used to specify which C | label_key | Label key - value pair is used to filter and select the relevant certificate | | label_value | Label key - value pair is used to filter and select the relevant certificate | -##Sample configuration: +### Sample configuration ```yaml UpstreamAuthority "gcp_cas" { 
@@ -33,24 +34,29 @@ UpstreamAuthority "gcp_cas" { } } ``` -# What does the plugin do + +## What does the plugin do + The plugin retrieves the CAs in GCPs that are in ENABLED state and match the root cert spec parameters specified in the plugin configuration. Among the matching certificates, the CA with the earliest expiry time is selected and used to create and sign an intermediate CA. The trust bundle contains the root CAs of all the CAs in GCP that matched the root_cert_spec label -# CA Rotation +## CA Rotation + * Steady state: Config label matches CA X and CA Y in CAS; plugin has been signing with CA X and all agents are trusting CA X and CA Y. * Now create CA Z with the same label in CAS. * Disable and optionally delete CA X in CAS. * The plugin returns Y and Z's root certificates as UpstreamX509Roots. It also signs the issuing CA with Y which is now the earliest expiring CA. * This doesn't impact existing workloads because they have been trusting Y even before SPIRE started to sign with Y. -# Authentication with Google Cloud Platform +## Authentication with Google Cloud Platform + This plugin connects and authenticates with Google Cloud Platform's CAS implicitly using Application Default Credentials (ADC). The ADC mechanism is documented at . >ADC looks for service account credentials in the following order: +> >1. If the environment variable GOOGLE_APPLICATION_CREDENTIALS is set, ADC uses the service account file that the variable points to. >1. If the environment variable GOOGLE_APPLICATION_CREDENTIALS isn't set, ADC uses the service account that is attached to the resource that is running your code. >1. If the environment variable GOOGLE_APPLICATION_CREDENTIALS isn't set, and there is no service account attached to the resource that is running your code, ADC uses the default service account that Compute Engine, Google Kubernetes Engine, App Engine, Cloud Run, and Cloud Functions provide. 
diff --git a/doc/plugin_server_upstreamauthority_spire.md b/doc/plugin_server_upstreamauthority_spire.md
index ec3780f8a3..83bdb6140a 100644
--- a/doc/plugin_server_upstreamauthority_spire.md
+++ b/doc/plugin_server_upstreamauthority_spire.md
@@ -23,7 +23,7 @@ These are the current experimental configurations: Sample configuration (Unix):
-```
+```hcl
 UpstreamAuthority "spire" {
 plugin_data {
 server_address = "upstream-spire-server",
@@ -35,7 +35,7 @@ Sample configuration (Unix): Sample configuration (Windows):
-```
+```hcl
 UpstreamAuthority "spire" {
 plugin_data {
 server_address = "upstream-spire-server",
diff --git a/doc/plugin_server_upstreamauthority_vault.md b/doc/plugin_server_upstreamauthority_vault.md
index 74d82f5bb5..b8d3a00c1e 100644
--- a/doc/plugin_server_upstreamauthority_vault.md
+++ b/doc/plugin_server_upstreamauthority_vault.md
@@ -1,4 +1,4 @@
-# Upstream Authority "vault" Plugin
+# Upstream Authority "vault" Plugin
 The vault plugin signs intermediate CA certificates for SPIRE using the Vault PKI Engine. The plugin does not support the `PublishJWTKey` RPC and is therefore not appropriate for use in nested SPIRE topologies where JWT-SVIDs are in use.
@@ -7,17 +7,17 @@ The plugin does not support the `PublishJWTKey` RPC and is therefore not appropr The plugin accepts the following configuration options: -| key | type | required | description | default | -|:---------------------|:-------|:---------|:---------------------------------------------------------------------------------------------------------|:---------------------| -| vault_addr | string | | The URL of the Vault server. (e.g., https://vault.example.com:8443/) | `${VAULT_ADDR}` | -| namespace | string | | Name of the Vault namespace. This is only available in the Vault Enterprise. | `${VAULT_NAMESPACE}` | -| pki_mount_point | string | | Name of the mount point where PKI secret engine is mounted | pki | -| ca_cert_path | string | | Path to a CA certificate file used to verify the Vault server certificate. Only PEM format is supported. | `${VAULT_CACERT}` | -| insecure_skip_verify | bool | | If true, vault client accepts any server certificates | false | -| cert_auth | struct | | Configuration for the Client Certificate authentication method | | -| token_auth | struct | | Configuration for the Token authentication method | | -| approle_auth | struct | | Configuration for the AppRole authentication method | | -| k8s_auth | struct | | Configuration for the Kubernetes authentication method | | +| key | type | required | description | default | +|:---------------------|:-------|:---------|:-----------------------------------------------------------------------------------------------------------|:---------------------| +| vault_addr | string | | The URL of the Vault server. (e.g., ) | `${VAULT_ADDR}` | +| namespace | string | | Name of the Vault namespace. This is only available in the Vault Enterprise. | `${VAULT_NAMESPACE}` | +| pki_mount_point | string | | Name of the mount point where PKI secret engine is mounted | pki | +| ca_cert_path | string | | Path to a CA certificate file used to verify the Vault server certificate. Only PEM format is supported. 
| `${VAULT_CACERT}` | +| insecure_skip_verify | bool | | If true, vault client accepts any server certificates | false | +| cert_auth | struct | | Configuration for the Client Certificate authentication method | | +| token_auth | struct | | Configuration for the Token authentication method | | +| approle_auth | struct | | Configuration for the AppRole authentication method | | +| k8s_auth | struct | | Configuration for the Kubernetes authentication method | | The plugin supports **Client Certificate**, **Token** and **AppRole** authentication methods. @@ -29,7 +29,8 @@ The [`ca_ttl` SPIRE Server configurable](https://github.com/spiffe/spire/blob/ma To configure the TTL value, tune the engine. e.g. -``` + +```shell $ vault secrets tune -max-lease-ttl=8760h pki ``` @@ -79,13 +80,13 @@ path "pki/root/sign-intermediate" { } } ``` + ## Token Authentication | key | type | required | description | default | |:------|:-------|:---------|:------------------------------------------------|:-----------------| | token | string | | Token string to set into "X-Vault-Token" header | `${VAULT_TOKEN}` | - ```hcl UpstreamAuthority "vault" { plugin_data { @@ -100,6 +101,7 @@ path "pki/root/sign-intermediate" { } } ``` + ## AppRole Authentication | key | type | required | description | default | @@ -136,7 +138,7 @@ path "pki/root/sign-intermediate" { |:---------------------|:-------|:---------|:----------------------------------------------------------------------------------|:-----------| | k8s_auth_mount_point | string | | Name of the mount point where the Kubernetes auth method is mounted | kubernetes | | k8s_auth_role_name | string | ✔ | Name of the Vault role. The plugin authenticates against the named role | | -| token_path | string | ✔ | Path to the Kubernetes Service Account Token to use authentication with the Vault | | +| token_path | string | ✔ | Path to the Kubernetes Service Account Token to use authentication with the Vault | | ```hcl UpstreamAuthority "vault" { 
diff --git a/doc/scaling_spire.md b/doc/scaling_spire.md
index be8a1b83c7..e3e681c2c1 100644
--- a/doc/scaling_spire.md
+++ b/doc/scaling_spire.md
@@ -1,4 +1,6 @@
-# Scalability
+# Scaling SPIRE
+
+## Scalability
 A SPIRE deployment has the capacity to be changed in size or scale to accommodate a growing amount of workloads. A SPIRE deployment is composed of a number of one or more SPIRE Servers that share a replicated datastore, or conversely, a set of SPIRE servers in the same trust domain, and at least one SPIRE Agent, but typically more than one.
@@ -6,7 +8,7 @@ Deployments range in size. A single SPIRE Server may accommodate a number of Age To support larger numbers of Agents and Workloads within a given deployment (tens of thousands or hundreds of thousands of nodes), the number of SPIRE Servers can be scaled horizontally. With multiple servers, the amount of computational work that a SPIRE Server performs is distributed between all SPIRE Server instances. In addition to additional capacity, the use of more than one SPIRE Server instance eliminates single points of failure to achieve high availability.
-## SPIRE Servers in High Availability Mode
+### SPIRE Servers in High Availability Mode
 ![Diagram of High Availability](/doc/images/ha_mode.png)
@@ -16,7 +18,7 @@ The datastore is where SPIRE Server persists dynamic configuration information s In High Availability mode, each server maintains its own Certificate Authority, which may be either self-signed certificates or an intermediate certificate off of a shared root authority (i.e. when configured with an UpstreamAuthority).
-# Choosing a SPIRE Deployment Topology
+## Choosing a SPIRE Deployment Topology
 There are three main SPIRE deployment topologies:
@@ -26,7 +28,7 @@ There are three main SPIRE deployment topologies: Factors such as administrative domain boundaries, number of workloads, availability requirements, number of cloud vendors, and authentication requirements determine the appropriate topology for your environment, as explained below. -## Single Trust Domain +### Single Trust Domain ![Diagram of Single Trust Domain](/doc/images/single_trust_domain.png) @@ -34,8 +36,7 @@ A single trust domain is best suited for individual environments or environments However, when deploying a single SPIRE trust domain to span regions, platforms, and cloud provider environments, there is a level of complexity associated with managing a shared datastore across geographically dispersed locations or across cloud provider boundaries. Under these circumstances when a deployment grows to span multiple environments, a solution to address the use of a shared datastore over a single trust domain is to configure SPIRE Servers in a nested topology. -## Nested SPIRE - +### Nested SPIRE ![Diagram of Nested SPIRE](/doc/images/nested_spire.png) @@ -51,7 +52,7 @@ The Nested topology is well suited for multi-cloud deployments. Due to the abili Complementary to scaling SPIRE Servers horizontally for high availability and load-balancing, a nested topology may be used as a containment strategy to segment failure domains. -## Federated SPIRE +### Federated SPIRE ![Diagram of Federated SPIRE](/doc/images/federated_spire.png) 
@@ -61,13 +62,13 @@ Another use case is SPIFFE interoperability between organizations, such as betwe These multiple trust domain and interoperability use cases both require a well-defined, interoperable method for a Workload in one trust domain to authenticate a Workload in a different trust domain. Trust between the different trust domains is established by first authenticating the respective bundle endpoint, followed by retrieval of the foreign trust domain bundle via the authenticated endpoint. -For additional detail on how this is achieved, refer to the following SPIFFE spec that describes the mechanism: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#5-spiffe-bundle-endpoint +For additional detail on how this is achieved, refer to the following SPIFFE spec that describes the mechanism: -For a tutorial on configuring Federated SPIRE, refer to: https://github.com/spiffe/spire-tutorials/tree/main/docker-compose/federation +For a tutorial on configuring Federated SPIRE, refer to: -# Interaction with External Systems +## Interaction with External Systems -## Federation with "SPIFFE-Compatible" Systems +### Federation with "SPIFFE-Compatible" Systems ![Diagram of Federated with SPIFFE-Compatible Systems](/doc/images/spiffe_compatible.png) 
@@ -75,7 +76,7 @@ SPIFFE identity issuers can federate with other SPIFFE identity issuers that exp For example, in current Istio, all applications on the service mesh are in the same trust domain thus share a common root of trust. There may be more than one service mesh, or applications in the service mesh communicating to external services that need to be authenticated. The use of Federation enables SPIFFE-compatible systems such as multiple Istio service meshes to securely establish trust for secure cross-mesh and off-mesh communications. -## Federation with OIDC-Provider Systems +### Federation with OIDC-Provider Systems ![Diagram of Federated with SPIFFE-Compatible Systems](/doc/images/oidc_federation.png) 
@@ -84,11 +85,11 @@ SPIRE has a feature to programmatically authenticate on behalf of identified wor The SPIRE OIDC Discovery Provider retrieves a WebPKI certificate using the ACME protocol, which it uses to secure an endpoint that serves an OIDC compatible JWKS bundle and a standard OIDC discovery document. The remote OIDC authenticated service needs then to be configured to locate the endpoint and qualify the WebPKI service. Once this configuration is in place, the remote system’s IAM policies and roles can be set to map to specific SPIFFE IDs. The workload, in turn, will talk to the OIDC-authenticated system by sending a JWT-SVID. The target system then fetches a JWKS from the pre-defined URI which is served by the OIDC Discovery Provider. The target system uses the JWKS file to validate the JWT-SVID, and if the SPIFFE ID contained within the JWT-SVID is authorized to access the requested resource, it serves the request. The workload is then able to access the foreign remote service without possessing any credentials provided by it. For a configuration reference on the OIDC Discovery Provider, see: -https://github.com/spiffe/spire/tree/main/support/oidc-discovery-provider + -For a detailed tutorial on configuring OIDC Federation to Amazon Web Services, refer to: https://spiffe.io/spire/try/oidc-federation-aws/ +For a detailed tutorial on configuring OIDC Federation to Amazon Web Services, refer to: -# Deployment Sizing Considerations +## Deployment Sizing Considerations Factors to consider when sizing a SPIRE deployment for optimum performance include, but are not limited to, the following: diff --git a/doc/spire_agent.md b/doc/spire_agent.md index bf2eb84939..728439f573 100644 --- a/doc/spire_agent.md +++ b/doc/spire_agent.md 
@@ -71,14 +71,15 @@ This may be useful for templating configuration files, for example across differ | `named_pipe_name` | Pipe name to bind the SPIRE Agent API named pipe (Windows only) | \spire-agent\public\api | ### Initial trust bundle configuration + The agent needs an initial trust bundle in order to connect securely to the SPIRE server. There are three options: + 1. If the `trust_bundle_path` option is used, the agent will read the initial trust bundle from the file at that path. You need to copy or share the file before starting the SPIRE agent. 2. If the `trust_bundle_url` option is used, the agent will read the initial trust bundle from the specified URL. **The URL must start with `https://` for security, and the server must have a valid certificate (verified with the system trust store).** This can be used to rapidly deploy SPIRE agents without having to manually share a file. Keep in mind the contents of the URL need to be kept up to date. 3. If the `insecure_bootstrap` option is set to `true`, then the agent will not use an initial trust bundle. It will connect to the SPIRE server without authenticating it. This is not a secure configuration, because a man-in-the-middle attacker could control the SPIRE infrastructure. It is included because it is a useful option for testing and development. Only one of these three options may be set at a time. - ### SDS Configuration | Configuration | Description | Default | @@ -89,7 +90,9 @@ Only one of these three options may be set at a time. | `disable_spiffe_cert_validation` | Disable Envoy SDS custom validation | false | ### Profiling Names + These are the available profiles that can be set in the `profiling_freq` configuration value: + - `goroutine` - `threadcreate` - `heap` 
@@ -280,6 +283,7 @@ plugins { } } ``` + ## Delegated Identity API The Delegated Identity API allows an authorized (i.e. delegated) workload to obtain SVIDs and bundles on behalf of workloads that cannot be attested by SPIRE Agent directly. The authorized workload does so by providing SPIRE Agent the selectors that would normally be obtained during workload attestation. The Delegated Identity API is served over the admin API endpoint. @@ -287,6 +291,7 @@ The Delegated Identity API allows an authorized (i.e. delegated) workload to obt To enable the Delegated Identity API, configure the admin API endpoint address and the list of SPIFFE IDs for authorized delegates. For example: Unix systems: + ```hcl agent { trust_domain = "example.org" @@ -300,6 +305,7 @@ agent { ``` Windows: + ```hcl agent { trust_domain = "example.org" @@ -351,7 +357,7 @@ _Note: A user with `cluster-admin` privileges is required in order to apply thes Actions performed by pods are controlled by Security Context Constraints (SCC's) and every pod that is admitted is assigned a particular SCC depending on range of conditions. The following custom SCC with the name `spire` can be used to enable the necessary host level access needed by the Spire Agent -``` +```yaml allowHostDirVolumePlugin: true allowHostIPC: true allowHostNetwork: true @@ -402,7 +408,7 @@ Workloads can be granted access to Security Context Constraints through Role Bas In order to leverage the `spire` SCC, a _ClusterRole_ leveraging `use` verb referencing the SCC must be created: -``` +```yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -425,7 +431,7 @@ Finally, associate the `system:openshift:scc:spire` _ClusterRole_ to the `spire- _Note:_ Create the `spire` namespace if it does exist prior to applying the following policy. -``` +```yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
@@ -445,5 +451,5 @@ As SCC's are applied at pod admission time, remove any existing Spire Agent pods ## Further reading -* [SPIFFE Reference Implementation Architecture](https://docs.google.com/document/d/1nV8ZbYEATycdFhgjTB619pwIvamzOjU6l0SyBGbzbo4/edit#) -* [Design Document: SPIFFE Reference Implementation (SRI)](https://docs.google.com/document/d/1RZnBfj8I5xs8Yi_BPEKBRp0K3UnIJYTDg_31rfTt4j8/edit#) +- [SPIFFE Reference Implementation Architecture](https://docs.google.com/document/d/1nV8ZbYEATycdFhgjTB619pwIvamzOjU6l0SyBGbzbo4/edit#) +- [Design Document: SPIFFE Reference Implementation (SRI)](https://docs.google.com/document/d/1RZnBfj8I5xs8Yi_BPEKBRp0K3UnIJYTDg_31rfTt4j8/edit#) diff --git a/doc/spire_server.md b/doc/spire_server.md index 192d65a03a..6c3c4cdac0 100644 --- a/doc/spire_server.md +++ b/doc/spire_server.md @@ -104,9 +104,10 @@ This may be useful for templating configuration files, for example across differ | `rego_path` | File to retrieve OPA rego policy for authorization. | | | `policy_data_path` | File to retrieve databindings for policy evaluation. | | - ### Profiling Names + These are the available profiles that can be set in the `profiling_freq` configuration value: + - `goroutine` - `threadcreate` - `heap` @@ -149,6 +150,7 @@ _Note: static relationships override dynamic relationships. If you need to confi Configuring a federated trust domain allows a trust domain to authenticate identities issued by other SPIFFE authorities, allowing workloads in one trust domain to securely authenticate workloads in a foreign trust domain. A key element to achieve federation is the use of SPIFFE bundle endpoints, these are resources (represented by URLs) that serve a copy of a trust bundle for a trust domain. Using the `federation` section you will be able to set up SPIRE as a SPIFFE bundle endpoint server and also configure the federated trust domains that this SPIRE Server will fetch bundles from. + ```hcl server { . 
@@ -176,10 +178,12 @@ server { } } ``` + The `federation.bundle_endpoint` section is optional and is used to set up a SPIFFE bundle endpoint server in SPIRE Server. The `federation.federates_with` section is also optional and is used to configure the federation relationships with foreign trust domains. This section is used for each federated trust domain that SPIRE Server will periodically fetch the bundle. ### Configuration options for `federation.bundle_endpoint` + This optional section contains the configurables used by SPIRE Server to expose a bundle endpoint. | Configuration | Description | @@ -192,7 +196,7 @@ This optional section contains the configurables used by SPIRE Server to expose | Configuration | Description | Default | |---------------|---------------------------------------------------------------------------------------------------------------------------|------------------------------------------------| -| directory_url | Directory endpoint URL | https://acme-v02.api.letsencrypt.org/directory | +| directory_url | Directory endpoint URL | | | domain_name | Domain for which the certificate manager tries to retrieve new certificates | | | email | Contact email address. This is used by CAs, such as Let's Encrypt, to notify about problems with issued certificates | | | tos_accepted | ACME Terms of Service acceptance. If not true, and the provider requires acceptance, then certificate retrieval will fail | false | 
@@ -602,5 +606,5 @@ plugins { ## Further reading -* [SPIFFE Reference Implementation Architecture](https://docs.google.com/document/d/1nV8ZbYEATycdFhgjTB619pwIvamzOjU6l0SyBGbzbo4/edit#) -* [Design Document: SPIFFE Reference Implementation (SRI)](https://docs.google.com/document/d/1RZnBfj8I5xs8Yi_BPEKBRp0K3UnIJYTDg_31rfTt4j8/edit#) +- [SPIFFE Reference Implementation Architecture](https://docs.google.com/document/d/1nV8ZbYEATycdFhgjTB619pwIvamzOjU6l0SyBGbzbo4/edit#) +- [Design Document: SPIFFE Reference Implementation (SRI)](https://docs.google.com/document/d/1RZnBfj8I5xs8Yi_BPEKBRp0K3UnIJYTDg_31rfTt4j8/edit#) diff --git a/doc/telemetry.md b/doc/telemetry.md index 86fea89fe6..e2275fa7a9 100644 --- a/doc/telemetry.md +++ b/doc/telemetry.md 
@@ -19,12 +19,12 @@ The following metrics are emitted: | Call Counter | `datastore`, `bundle`, `create` | | The Datastore is creating a bundle. | | Call Counter | `datastore`, `bundle`, `delete` | | The Datastore is deleting a bundle. | | Call Counter | `datastore`, `bundle`, `fetch` | | The Datastore is fetching a bundle. | -| Call Counter | `datastore`, `bundle`, `list` | | The Datastore is listing bundles. | -| Call Counter | `datastore`, `bundle`, `prune` | | The Datastore is pruning a bundle. | -| Call Counter | `datastore`, `bundle`, `set` | | The Datastore is setting a bundle. | -| Call Counter | `datastore`, `bundle`, `update` | | The Datastore is updating a bundle. | -| Call Counter | `datastore`, `join_token`, `create` | | The Datastore is creating a join token. | -| Call Counter | `datastore`, `join_token`, `delete` | | The Datastore is deleting a join token. | +| Call Counter | `datastore`, `bundle`, `list` | | The Datastore is listing bundles. | +| Call Counter | `datastore`, `bundle`, `prune` | | The Datastore is pruning a bundle. | +| Call Counter | `datastore`, `bundle`, `set` | | The Datastore is setting a bundle. | +| Call Counter | `datastore`, `bundle`, `update` | | The Datastore is updating a bundle. | +| Call Counter | `datastore`, `join_token`, `create` | | The Datastore is creating a join token. | +| Call Counter | `datastore`, `join_token`, `delete` | | The Datastore is deleting a join token. | | Call Counter | `datastore`, `join_token`, `fetch` | | The Datastore is fetching a join token. | | | Call Counter | `datastore`, `join_token`, `prune` | | The Datastore is pruning join tokens. | | | Call Counter | `datastore`, `node`, `count` | | The Datastore is counting nodes. | 
@@ -56,28 +56,28 @@ The following metrics are emitted: ## SPIRE Agent -| Type | Keys | Labels | Description | -|--------------|--------------------------------------------|------------|-------------------------------------------------------------------------------------| -| Call Counter | `rpc`, ``, `` | | Call counters over the [SPIRE Agent RPCs](https://github.com/spiffe/spire-api-sdk). | -| Call Counter | `agent_key_manager`, `generate_key_pair` | | The KeyManager is generating a key pair. | -| Call Counter | `agent_key_manager`, `fetch_private_key` | | The KeyManager is fetching a private key. | -| Call Counter | `agent_key_manager`, `store_private_key` | | The KeyManager is storing a private key. | -| Call Counter | `agent_svid`, `rotate` | | The Agent's SVID is being rotated. | -| Sample | `cache_manager`, `expiring_svids` | | The number of expiring SVIDs that the Cache Manager has. | -| Sample | `cache_manager`, `outdated_svids` | | The number of outdated SVIDs that the Cache Manager has. | -| Call Counter | `manager`, `sync`, `fetch_entries_updates` | | The Sync Manager is fetching entries updates. | -| Call Counter | `manager`, `sync`, `fetch_svids_updates` | | The Sync Manager is fetching SVIDs updates. | -| Call Counter | `node`, `attestor`, `new_svid` | | The Node Attestor is calling to get an SVID. | -| Counter | `sds_api`, `connections` | | The SDS API has successfully established a connection. | -| Gauge | `sds_api`, `connections` | | The number of active connection that the SDS API has. | -| Counter | `workload_api`, `bundles_update`, `jwt` | | The Workload API has successfully updated a JWT bundle. | -| Counter | `workload_api`, `connection` | | The Workload API has successfully established a new connection. | -| Gauge | `workload_api`, `connections` | | The number of active connections that the Workload API has. | -| Sample | `workload_api`, `discovered_selectors` | | The number of selectors discovered during a workload attestation process. 
| -| Call Counter | `workload_api`, `workload_attestation` | | The Workload API is performing a workload attestation. | -| Call Counter | `workload_api`, `workload_attestor` | `attestor` | The Workload API is invoking a given attestor. | -| Gauge | `started` | `version` | The version of the Agent. | -| Gauge | `uptime_in_ms` | | The uptime of the Agent in milliseconds. | +| Type | Keys | Labels | Description | +|--------------|--------------------------------------------|------------|---------------------------------------------------------------------------------------| +| Call Counter | `rpc`, ``, `` | | Call counters over the [SPIRE Agent RPCs](). | +| Call Counter | `agent_key_manager`, `generate_key_pair` | | The KeyManager is generating a key pair. | +| Call Counter | `agent_key_manager`, `fetch_private_key` | | The KeyManager is fetching a private key. | +| Call Counter | `agent_key_manager`, `store_private_key` | | The KeyManager is storing a private key. | +| Call Counter | `agent_svid`, `rotate` | | The Agent's SVID is being rotated. | +| Sample | `cache_manager`, `expiring_svids` | | The number of expiring SVIDs that the Cache Manager has. | +| Sample | `cache_manager`, `outdated_svids` | | The number of outdated SVIDs that the Cache Manager has. | +| Call Counter | `manager`, `sync`, `fetch_entries_updates` | | The Sync Manager is fetching entries updates. | +| Call Counter | `manager`, `sync`, `fetch_svids_updates` | | The Sync Manager is fetching SVIDs updates. | +| Call Counter | `node`, `attestor`, `new_svid` | | The Node Attestor is calling to get an SVID. | +| Counter | `sds_api`, `connections` | | The SDS API has successfully established a connection. | +| Gauge | `sds_api`, `connections` | | The number of active connection that the SDS API has. | +| Counter | `workload_api`, `bundles_update`, `jwt` | | The Workload API has successfully updated a JWT bundle. 
| +| Counter | `workload_api`, `connection` | | The Workload API has successfully established a new connection. | +| Gauge | `workload_api`, `connections` | | The number of active connections that the Workload API has. | +| Sample | `workload_api`, `discovered_selectors` | | The number of selectors discovered during a workload attestation process. | +| Call Counter | `workload_api`, `workload_attestation` | | The Workload API is performing a workload attestation. | +| Call Counter | `workload_api`, `workload_attestor` | `attestor` | The Workload API is invoking a given attestor. | +| Gauge | `started` | `version` | The version of the Agent. | +| Gauge | `uptime_in_ms` | | The uptime of the Agent in milliseconds. | Note: These are the keys and labels that SPIRE emits, but the format of the metric once ingested could vary depending on the metric collector. For example, @@ -91,6 +91,7 @@ the hostname and `spire-agent` is the service name. Call counters are aggregate metric types that emit several metrics related to the issuance of a "call" to a method or RPC. The following metrics are produced for a call counter: + - A counter representing the number of calls using the call counter key - A sample of the elapsed time for the call using the call counter key+`".elapsed_time"` @@ -102,7 +103,8 @@ of the call. For example, a successful invocation of the SPIRE Server `AttestAgent` RPC would produce the following metrics: -``` + +```text spire_server.rpc.agent.v1.agent.attest_agent:1|c|#status:OK spire_server.rpc.agent.v1.agent.attest_agent.elapsed_time:1.045773|ms|#status:OK ``` diff --git a/doc/telemetry_config.md b/doc/telemetry_config.md index 00a4df924e..d934875d73 100644 --- a/doc/telemetry_config.md +++ b/doc/telemetry_config.md 
@@ -1,6 +1,7 @@ -## Telemetry configuration +# Telemetry configuration If telemetry is desired, it may be configured by using a dedicated `telemetry { ... }` section. The following metrics collectors are currently supported: + - Prometheus - Statsd - DogStatsd @@ -13,7 +14,7 @@ You may use all, some, or none of the collectors. The following collectors suppo - DogStatsd - M3 -### Telemetry configuration syntax +## Telemetry configuration syntax | Configuration | Type | Description | Default | |-------------------|---------------|---------------------------------------------------------------|---------| 
@@ -27,30 +28,34 @@ You may use all, some, or none of the collectors. The following collectors suppo | `AllowedLabels` | `[]string` | A list of metric labels to allow, with '.' as the separator | | | `BlockedLabels` | `[]string` | A list of metric labels to block, with '.' as the separator | | -#### `Prometheus` +### `Prometheus` | Configuration | Type | Description | |---------------|----------|------------------------| | `host` | `string` | Prometheus server host | | `port` | `int` | Prometheus server port | -#### `DogStatsd` +### `DogStatsd` + | Configuration | Type | Description | |---------------|----------|-------------------| | `address` | `string` | DogStatsd address | -#### `Statsd` +### `Statsd` + | Configuration | Type | Description | |---------------|----------|----------------| | `address` | `string` | Statsd address | -#### `M3` +### `M3` + | Configuration | Type | Description | |---------------|----------|----------------------------------------------| | `address` | `string` | M3 address | | `env` | `string` | M3 environment, e.g. `production`, `staging` | -#### `In-Mem` +### `In-Mem` + | Configuration | Type | Description | Default | |---------------|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------| | `enabled` | `bool` | Enable this collector. This flag is deprecated and will be removed in a future release. To disable in-memory telemetry collection omit the InMem configuration block entirely. | `false` | @@ -85,6 +90,6 @@ telemetry { } ``` -### Supported metrics +## Supported metrics See the [Telemetry document](telemetry.md) for a list of all the supported metrics. diff --git a/doc/upgrading.md b/doc/upgrading.md index 9388a06848..4123bda90c 100644 --- a/doc/upgrading.md +++ b/doc/upgrading.md 
@@ -1,39 +1,50 @@ # Managing Upgrades/Downgrades + This guide describes how to upgrade your SPIRE deployment, as well as the compatibility guarantees that SPIRE users can expect. ## SPIRE Versioning + SPIRE versions are expressed as **x.y.z**, where **x** is the major version, **y** is the minor version, and **z** is the patch version, following Semantic Versioning terminology. The last pre-1.0 versions are 0.12.x, which as an exception have compatibility warranties with 1.0.x. Versions prior to 0.12.0 are not compatible with 1.0.x. ### SPIRE Server Compatibility + Version skew within a SPIRE Server cluster is supported within +/- 1 minor version. In other words, the newest and oldest SPIRE Server instances in any given cluster must be within one minor version of each other. As an exception, versions 0.12.x are compatible with 1.0.x versions. Example 1 (0.12.x exception): + * Newest SPIRE Server instance is at 1.0.3 * Other SPIRE Server instances are supported at 1.0.x and 0.12.x Example 2: + * Newest SPIRE Server instance is at 1.2.3 * Other SPIRE Server instances are supported at 1.2.x and 1.1.x ### SPIRE Agent Compatibility + SPIRE Agents must not be newer than the oldest SPIRE Server that they communicate with, and may be up to one minor version older. As an exception, SPIRE Agent versions 0.12.x are compatible with SPIRE Server versions 1.0.x. Example 1 (0.12.x exception): + * SPIRE Servers are at both 1.0.3 and 1.0.2 * SPIRE Agents are supported at 0.12.0 through 1.0.2 Example 2: + * SPIRE Servers are at both 1.2.3 and 1.2.2 * SPIRE Agents are supported at 1.1.0 through 1.2.2 ### SPIRE Plugin Compatibility + SPIRE plugins generally follow the same overall guarantees as all other SPIRE components with small exception for changes made to external plugins outside of SPIRE's control. #### Configuration and Behavior Compatibility + A built-in plugin undergoing a backwards incompatible change (e.g. 
change to configuration semantics, change to selectors produced, etc.) will log a warning but otherwise maintain backwards compatibility for one minor version after the change is introduced, giving operators time to adopt requisite changes. SPIRE cannot make any guarantees around configuration or behavior compatibility for external plugins. #### Interface Compatibility + When a breaking change is introduced to a plugin interface, existing plugins compiled against the old interface will still continue to function for one minor version release cycle to give operators time to adopt requisite changes. SPIRE will log warnings to make operators aware of the change. ## Supported Upgrade Paths @@ -43,6 +54,7 @@ The supported version skew between SPIRE Servers and agents has implications on SPIRE Server and agent instances may be upgraded in a rolling fashion. For example, if upgrading from 1.1.1 to 1.2.3: + * Upgrade SPIRE Server instances from 1.1.1 to 1.2.3 one instance at a time * Ensure that the SPIRE Server cluster is operating as expected * Upgrade SPIRE Agent instances from 1.1.1 to 1.2.3 one instance at a time or in batches @@ -54,6 +66,7 @@ Note that while a rolling upgrade is highly recommended, it is not strictly requ SPIRE supports downgrading in the event that a problem is encountered while rolling out an upgrade. Since agents can't be newer than the oldest server they communicate with, it is necessary to first downgrade agents before downgrading servers, assuming that the agents have already been upgraded. For this reason, it is a good idea to ensure that the upgraded SPIRE Servers are operating as expected prior to upgrading the agents. For example, if downgrading from version 1.2.3 to 1.1.1: + * Downgrade SPIRE Agent instances from 1.2.3 to 1.1.1 one at a time or in batches * Downgrade SPIRE Server instances from 1.2.3 to 1.1.1 one at a time diff --git a/examples/README.md b/examples/README.md index 91664a2b54..9e43371260 100644 --- a/examples/README.md 
+++ b/examples/README.md @@ -1,3 +1,3 @@ # Examples have been moved -The examples that lived here have moved to a dedicated repository. Please visit https://github.com/spiffe/spire-examples for maintained SPIRE integration and deployment examples. +The examples that lived here have moved to a dedicated repository. Please visit for maintained SPIRE integration and deployment examples. diff --git a/release/posix/spire-extras/README.md b/release/posix/spire-extras/README.md index b9f629e7d2..096d924cf8 100644 --- a/release/posix/spire-extras/README.md +++ b/release/posix/spire-extras/README.md @@ -1,4 +1,4 @@ -= SPIRE Extras +# SPIRE Extras - [SPIRE Kubernetes Workload Registrar](https://github.com/spiffe/spire/blob/main/support/k8s/k8s-workload-registrar/README.md) - [SPIRE OIDC Discovery Provider](https://github.com/spiffe/spire/blob/main/support/oidc-discovery-provider/README.md) @@ -6,7 +6,7 @@ The configuration files included in this release are intended for evaluation purposes only and are **NOT** production ready. -== Contents +## Contents | Path | Description | |-------------------------------------------------------------|----------------------------------------------------------| diff --git a/release/posix/spire/README.md b/release/posix/spire/README.md index 2a65eb2d0b..cfb510f100 100644 --- a/release/posix/spire/README.md +++ b/release/posix/spire/README.md 
@@ -1,13 +1,13 @@ -= SPIRE +# SPIRE -[SPIRE](https://github.com/spiffe/spire) (the [SPIFFE](https://github.com/spiffe/spiffe) Runtime Environment) is a tool-chain for establishing trust between software systems across a wide variety of hosting platforms. +[SPIRE](https://github.com/spiffe/spire) (the [SPIFFE](https://github.com/spiffe/spiffe) Runtime Environment) is a tool-chain for establishing trust between software systems across a wide variety of hosting platforms. The configuration files included in this release are intended for evaluation purposes only and are **NOT** production ready. You can find additional example configurations for SPIRE [here](https://github.com/spiffe/spire-examples). -== Contents +## Contents | Path | Description | |---------------------------|-----------------------------------| diff --git a/release/windows/spire-extras/README.md b/release/windows/spire-extras/README.md index d2b40af276..aa5d799278 100644 --- a/release/windows/spire-extras/README.md +++ b/release/windows/spire-extras/README.md @@ -1,11 +1,11 @@ -= SPIRE Extras +# SPIRE Extras - [SPIRE OIDC Discovery Provider](https://github.com/spiffe/spire/blob/main/support/oidc-discovery-provider/README.md) The configuration files included in this release are intended for evaluation purposes only and are **NOT** production ready. -== Contents +## Contents | Path | Description | |-------------------------------------------------------------|----------------------------------------------------| diff --git a/release/windows/spire/README.md b/release/windows/spire/README.md index 7b6018de5c..09a4a87c4f 100644 --- a/release/windows/spire/README.md +++ b/release/windows/spire/README.md 
@@ -1,13 +1,13 @@ -= SPIRE +# SPIRE -[SPIRE](https://github.com/spiffe/spire) (the [SPIFFE](https://github.com/spiffe/spiffe) Runtime Environment) is a tool-chain for establishing trust between software systems across a wide variety of hosting platforms. +[SPIRE](https://github.com/spiffe/spire) (the [SPIFFE](https://github.com/spiffe/spiffe) Runtime Environment) is a tool-chain for establishing trust between software systems across a wide variety of hosting platforms. The configuration files included in this release are intended for evaluation purposes only and are **NOT** production ready. You can find additional example configurations for SPIRE [here](https://github.com/spiffe/spire-examples). -== Contents +## Contents | Path | Description | |---------------------------|-----------------------------------| diff --git a/support/k8s/k8s-workload-registrar/README.md b/support/k8s/k8s-workload-registrar/README.md index 7b13364a1e..aeeac1263c 100644 --- a/support/k8s/k8s-workload-registrar/README.md +++ b/support/k8s/k8s-workload-registrar/README.md @@ -1,6 +1,6 @@ # SPIRE Kubernetes Workload Registrar -** The SPIRE Kubernetes Workload Registrar is deprecated and no longer maintained. Please migrate to the [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager). ** +**The SPIRE Kubernetes Workload Registrar is deprecated and no longer maintained. Please migrate to the [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager).** The SPIRE Kubernetes Workload Registrar implements a Kubernetes ValidatingAdmissionWebhook that facilitates automatic workload registration 
@@ -16,7 +16,6 @@ The registrar has the following command line flags: |-----------|------------------------------------------------------------------|-------------------------------| | `-config` | Path on disk to the [HCL Configuration](#hcl-configuration) file | `k8s-workload-registrar.conf` | - ### HCL Configuration The configuration file is a **required** by the registrar. It contains @@ -51,7 +50,7 @@ For CRD configuration directives see [CRD Mode Configuration](mode-crd/README.md ### Example -``` +```hcl log_level = "debug" trust_domain = "domain.test" server_socket_path = "/tmp/spire-server/private/api.sock" @@ -59,6 +58,7 @@ cluster = "production" ``` ## Workload Registration + When running in reconcile or crd mode with `pod_controller=true` entries will be automatically created for Pods. The available workload registration modes are: @@ -74,7 +74,6 @@ workload registration mode is selected, `identity_template` is used with a default configuration: `ns/{{.Pod.Namespace}}/sa/{{.Pod.ServiceAccount}}` - It may take several seconds for newly created SVIDs to become available to workloads. ### Federated Entry Registration @@ -108,7 +107,7 @@ SPIFFE ID of the form pod came in with the service account `blog` in the `production` namespace, the following registration entry would be created: -``` +```shell Entry ID : 200d8b19-8334-443d-9494-f65d0ad64eb5 SPIFFE ID : spiffe://example.org/ns/production/sa/blog Parent ID : ... @@ -125,7 +124,7 @@ was configured with the `spire-workload` label and a pod came in with `spire-workload=example-workload`, the following registration entry would be created: -``` +```shell Entry ID : 200d8b19-8334-443d-9494-f65d0ad64eb5 SPIFFE ID : spiffe://example.org/example-workload Parent ID : ... 
@@ -145,7 +144,7 @@ was configured with the `spiffe.io/spiffe-id` annotation and a pod came in with `spiffe.io/spiffe-id: production/example-workload`, the following registration entry would be created: -``` +```shell Entry ID : 200d8b19-8334-443d-9494-f65d0ad64eb5 SPIFFE ID : spiffe://example.org/production/example-workload Parent ID : ... @@ -169,7 +168,6 @@ the registrar deployment. If it is deployed as a container within the SPIRE server pod then it talks to SPIRE server via a Unix domain socket. It will need access to a shared volume containing the socket file. - ### Reconcile Mode Configuration To use reconcile mode you need to create appropriate roles and bind them to the ServiceAccount you intend to run the controller as. diff --git a/support/k8s/k8s-workload-registrar/mode-crd/README.md b/support/k8s/k8s-workload-registrar/mode-crd/README.md index 5c6dd064f2..76745967c0 100644 --- a/support/k8s/k8s-workload-registrar/mode-crd/README.md +++ b/support/k8s/k8s-workload-registrar/mode-crd/README.md @@ -1,6 +1,6 @@ # SPIRE Kubernetes Workload Registrar (CRD Mode) -** The SPIRE Kubernetes Workload Registrar is deprecated and no longer maintained. Please migrate to the [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager). ** +**The SPIRE Kubernetes Workload Registrar is deprecated and no longer maintained. Please migrate to the [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager).** The CRD mode of the SPIRE Kubernetes Workload Registrar uses a Kubernetes Custom Resource Definition (CRD) to integrate SPIRE and Kubernetes. This enables auto and manual generation of SPIFFE IDs from with Kubernetes and the `kubectl` CLI. 
@@ -23,7 +23,6 @@ The registrar has the following command line flags: |-----------|------------------------------------------------------------------|-------------------------------| | `-config` | Path on disk to the [HCL Configuration](#hcl-configuration) file | `k8s-workload-registrar.conf` | - ### HCL Configuration The configuration file is a **required** by the registrar. It contains @@ -60,14 +59,16 @@ The configuration file is a **required** by the registrar. It contains This quick start sets up the SPIRE Server, SPIRE Agent, and CRD Kubernetes Workload Registrar. 1. Deploy SPIRE Server, Kubernetes Workload Registrar, SPIRE Agent, and CRD. SPIRE Server and Kubernetes Workload Registrar will be deployed in the same Pod. - ``` - kubectl apply -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/config/spiffeid.spiffe.io_spiffeids.yaml \ + + ```shell + $ kubectl apply -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/config/spiffeid.spiffe.io_spiffeids.yaml \ -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/config/spire-server-registrar.yaml \ -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/config/spire-agent.yaml ``` 1. Verify the deployment succeeded. - ``` + + ```shell $ kubectl get pods -n spire NAME READY STATUS RESTARTS AGE spire-agent-4wdxx 1/1 Running 0 5m59s 
@@ -85,12 +86,14 @@ Here are some examples of things you can do once the CRD Kubernetes Workload Reg ### Create a SpiffeID Resource using kubectl 1. Create a SpiffeID resource. - ``` - kubectl apply -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/samples/test_spiffeid.yaml + + ```shell + $ kubectl apply -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/samples/test_spiffeid.yaml ``` 1. Check that the SpiffeID resource was created. - ``` + + ```shell $ kubectl get spiffeids NAME AGE my-test-spiffeid 85s @@ -121,7 +124,8 @@ Here are some examples of things you can do once the CRD Kubernetes Workload Reg ``` 1. Verify the SPIFFE ID was created on the SPIRE Server - ``` + + ```shell $ kubectl exec spire-server-0 -n spire -c spire-server -- ./bin/spire-server entry show -spiffeID spiffe://example.org/test Found 1 entry Entry ID : ad49519e-37a1-4de5-a661-c091d3652b9c 
@@ -134,14 +138,16 @@ Here are some examples of things you can do once the CRD Kubernetes Workload Reg ``` 1. Delete the SpiffeID resource, the corresponding entry on the SPIRE Server will be removed. - ``` - kubectl delete -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/samples/test_spiffeid.yaml + + ```shell + $ kubectl delete -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/samples/test_spiffeid.yaml ``` ### Attempt to Deploy an Invalid SpiffeID Resource 1. Apply deploy an invalid SpiffeID. - ``` + + ```shell $ kubectl apply -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/samples/test_spiffeid_bad.yaml Error from server (spec.Selector.Namespace must match namespace of resource): error when creating "test_spiffeid_bad.yaml": admission webhook "k8s-workload-registrar.nginx-mesh.svc" denied the request: spec.Selector.Namespace must match namespace of resource ``` 
@@ -152,24 +158,27 @@ Here are some examples of things you can do once the CRD Kubernetes Workload Reg To test auto-generation of SPIFFE IDs add the following label to a Pod Spec and then apply it. The format for the auto-generated SPIFFE ID in this example is `ns//pod/`. - ``` + ```yaml spiffe.io/spiffe-id: true ``` We can test this using the NGINX example deployment: 1. Deploy the example NGINX deployment - ``` - kubectl apply -f https://raw.githubusercontent.com/kubernetes/website/master/content/en/examples/application/simple_deployment.yaml + + ```shell + $ kubectl apply -f https://raw.githubusercontent.com/kubernetes/website/master/content/en/examples/application/simple_deployment.yaml ``` 1. Add the label to the Deployment Template. This will reroll the deployment - ``` - kubectl patch deployment nginx-deployment -p '{"spec":{"template":{"metadata":{"labels":{"spiffe.io/spiffe-id": "true"}}}}}' + + ```shell + $ kubectl patch deployment nginx-deployment -p '{"spec":{"template":{"metadata":{"labels":{"spiffe.io/spiffe-id": "true"}}}}}' ``` 1. Verify the SpiffeID resource was created. The name of the SpiffeID resource will be the same as the name of the Pod. - ``` + + ```shell $ kubectl get spiffeids NAME AGE nginx-deployment-7ffbd8bd54-rcnt8 4s 
@@ -246,20 +255,23 @@ We can test this using the NGINX example deployment: ``` 1. Delete the NGINX deployment, this will automatically delete the SpiffeID resource - ``` - kubectl delete -f https://raw.githubusercontent.com/kubernetes/website/master/content/en/examples/application/simple_deployment.yaml + + ```shell + $ kubectl delete -f https://raw.githubusercontent.com/kubernetes/website/master/content/en/examples/application/simple_deployment.yaml ``` ## Deleting the Quick Start 1. Delete the CRD. This needs to be done before remove the Kubernetes Workload Registrar to give the finalizers a chance to complete. - ``` - kubectl delete -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/config/spiffeid.spiffe.io_spiffeids.yaml + + ```shell + $ kubectl delete -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/config/spiffeid.spiffe.io_spiffeids.yaml ``` 1. Delete the remaining previously applied yaml files. - ``` - kubectl delete -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/config/spire-server-registrar.yaml \ + + ```shell + $ kubectl delete -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/config/spire-server-registrar.yaml \ -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/config/spire-agent.yaml ``` @@ -280,6 +292,7 @@ The template formatter is using Golang [text/template](https://pkg.go.dev/text/template) conventions, and it can reference arbitrary values provided in the `context` map of strings in addition to the following Pod-specific arguments: + * Pod.Name * Pod.UID * Pod.Namespace 
@@ -288,15 +301,18 @@ in addition to the following Pod-specific arguments: * Pod.NodeName For example if the registrar was configured with the following: -``` + +```hcl identity_template = "region/{{.Context.Region}}/cluster/{{.Context.ClusterName}}/sa/{{.Pod.ServiceAccount}}/pod_name/{{.Pod.Name}}" context { Region = "US-NORTH" ClusterName = "MYCLUSTER" } ``` + and the _example-workload_ pod was deployed in _production_ namespace and _myserviceacct_ service account, the following registration entry would be created: -``` + +```shell Entry ID : 200d8b19-8334-443d-9494-f65d0ad64eb5 SPIFFE ID : spiffe://example.org/region/US-NORTH/cluster/MYCLUSTER/sa/myserviceacct/pod_name/example-workload Parent ID : ... @@ -307,7 +323,7 @@ Selector : k8s:pod-name:example-workload-98b6b79fd-jnv5m If `identity_template_label` is defined in the registrar configuration: -``` +```hcl identity_template_label = "enable_identity_template" ``` @@ -323,6 +339,7 @@ spec: containers: ... ``` + Pods that don't contain the pod label are ignored. If `identity_template_label` is empty or omitted, all the pods will receive the identity. @@ -335,7 +352,7 @@ was configured with the `spire-workload` label and a pod came in with `spire-workload=example-workload`, the following registration entry would be created: -``` +```shell Entry ID : 200d8b19-8334-443d-9494-f65d0ad64eb5 SPIFFE ID : spiffe://example.org/example-workload Parent ID : ... @@ -355,7 +372,7 @@ was configured with the `spiffe.io/spiffe-id` annotation and a pod came in with `spiffe.io/spiffe-id: production/example-workload`, the following registration entry would be created: -``` +```shell Entry ID : 200d8b19-8334-443d-9494-f65d0ad64eb5 SPIFFE ID : spiffe://example.org/production/example-workload Parent ID : ... 
@@ -395,6 +412,7 @@ spec: If DNS names are desired for your workload, they can be specified using the `dns_name_templates` configuration option. Similar to the `identity_template` field, `dns_name_templates` uses Golang [text/template](https://pkg.go.dev/text/template) conventions. It can reference arbitrary values provided in the `context` map of strings, in addition to the following Pod-specific arguments: + * Pod.Name * Pod.UID * Pod.Namespace @@ -405,18 +423,20 @@ If DNS names are desired for your workload, they can be specified using the `dns `dns_name_templates` is a list of strings, and gets added to the `dnsNames` list in the SpiffeID CRD. For example if the registrar was configured with the following: -``` + +```hcl dns_name_templates = ["{{.Pod.ServiceAccount}}.{{.Pod.Namespace}}.svc", "{{.Context.Domain}}.{{.Pod.Name}}.svc"] context { Domain = "my-domain" } ``` + and the _example-workload_ pod was deployed in _production_ namespace and _myserviceacct_ service account, the following DNS names will be added to the SpiffeID CRD: -- myserviceacct.production.svc -- my-domain.example-workload.svc +* myserviceacct.production.svc +* my-domain.example-workload.svc -
Note: The first template in the list will also populate the Common Name (CN) field of the SVID.
+_Note: The first template in the list will also populate the Common Name (CN) field of the SVID._ ## How it Works @@ -442,9 +462,10 @@ A Validating Webhook is used to ensure SpiffeID resources are properly formatted The certificates for the webhook are generated by the SPIRE Server and managed by the Kubernetes Workload Registrar. ## SPIFFE ID Custom Resource Example + An example SPIFFE ID custom resource is below: -``` +```yaml apiVersion: spiffeid.spiffe.io/v1beta1 kind: SpiffeID metadata: @@ -464,22 +485,25 @@ spec: ``` The supported selectors are: -- arbitrary -- Arbitrary selectors -- containerName -- Name of the container -- containerImage -- Container image used -- namespace -- Namespace to match for this SPIFFE ID -- nodeName -- Node name to match for this SPIFFE ID -- podLabel -- Pod label name/value to match for this SPIFFE ID -- podName -- Pod name to match for this SPIFFE ID -- podUID -- Pod UID to match for this SPIFFE ID -- serviceAccount -- ServiceAccount to match for this SPIFFE ID - -Notes: + +* arbitrary -- Arbitrary selectors +* containerName -- Name of the container +* containerImage -- Container image used +* namespace -- Namespace to match for this SPIFFE ID +* nodeName -- Node name to match for this SPIFFE ID +* podLabel -- Pod label name/value to match for this SPIFFE ID +* podName -- Pod name to match for this SPIFFE ID +* podUID -- Pod UID to match for this SPIFFE ID +* serviceAccount -- ServiceAccount to match for this SPIFFE ID + +Notes: + * Specifying DNS Names is optional * Specifying downstream is optional * The metadata.namespace and selector.namespace must match ## CRD Security Considerations + It is imperative to only grant trusted users access to manually create SpiffeID custom resources. Users with access have the ability to issue any SpiffeID to any pod in the namespace. 
@@ -494,6 +518,6 @@ entries can only be consumed by workloads within that namespace. The k8s ValidatingWebhookConfiguration will need to be removed or pods may fail admission. If you used the default configuration this can be done with: -``` -kubectl validatingwebhookconfiguration delete k8s-workload-registrar-webhook +```shell +$ kubectl validatingwebhookconfiguration delete k8s-workload-registrar-webhook ``` diff --git a/support/oidc-discovery-provider/README.md b/support/oidc-discovery-provider/README.md index 5bf0bf4463..730cfa61cf 100644 --- a/support/oidc-discovery-provider/README.md +++ b/support/oidc-discovery-provider/README.md @@ -52,6 +52,8 @@ The configuration file is **required** by the provider. It contains |--------------------------|--------|----------------|------------------------------------------------------|---------| | `listen_named_pipe_name` | string | required[1][3] | Pipe name to listen with a named pipe. Windows only. | | + + #### Considerations for Unix platforms [1]: One of `acme` or `listen_socket_path` must be defined. @@ -88,7 +90,7 @@ will terminate if another domain is requested. | Key | Type | Required? | Description | Default | |-----------------|----------|-----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|---------| -| `address` | string | required | SPIRE Server API gRPC target address. Only the unix name system is supported. See https://github.com/grpc/grpc/blob/master/doc/naming.md. Unix platforms only. | | +| `address` | string | required | SPIRE Server API gRPC target address. Only the unix name system is supported. See . Unix platforms only. | | | `experimental` | section | optional | The experimental options that are subject to change or removal. | | | `poll_interval` | duration | optional | How often to poll for changes to the public key material. | `"10s"` | 
@@ -130,7 +132,7 @@ Both states respond with a 200 OK status code for success or 500 Internal Server #### Server API -``` +```hcl log_level = "debug" domains = ["mypublicdomain.test"] acme { @@ -145,7 +147,7 @@ server_api { #### Workload API -``` +```hcl log_level = "debug" domains = ["mypublicdomain.test"] acme { @@ -165,7 +167,7 @@ The following configuration has the OIDC Discovery Provider listen for requests on the given socket. This can be used in conjunction with a webserver like Nginx, Apache, or Envoy which supports reverse proxying to a unix socket. -``` +```hcl log_level = "debug" domains = ["mypublicdomain.test"] listen_socket_path = "/run/oidc-discovery-provider/server.sock" @@ -179,7 +181,7 @@ workload_api { A minimal Nginx configuration that proxies all traffic to the OIDC Discovery Provider's socket might look like this. -``` +```nginx daemon off; events {} http { @@ -200,7 +202,7 @@ daemon off; #### Server API -``` +```hcl log_level = "debug" domains = ["mypublicdomain.test"] acme { @@ -217,7 +219,7 @@ server_api { #### Workload API -``` +```hcl log_level = "debug" domains = ["mypublicdomain.test"] acme { @@ -239,7 +241,7 @@ The following configuration has the OIDC Discovery Provider listen for requests on the given named pipe. This can be used in conjunction with a webserver that supports reverse proxying to a named pipe. -``` +```hcl log_level = "debug" domains = ["mypublicdomain.test"] experimental { diff --git a/test/integration/suites-windows/windows-workload-attestor/README.md b/test/integration/suites-windows/windows-workload-attestor/README.md index 2413bf4ea3..91900d3325 100644 --- a/test/integration/suites-windows/windows-workload-attestor/README.md +++ b/test/integration/suites-windows/windows-workload-attestor/README.md @@ -3,4 +3,3 @@ ## Description Basic tests of the Windows workload attestor - 
diff --git a/test/integration/suites/envoy-sds-v3-spiffe-auth/README.md b/test/integration/suites/envoy-sds-v3-spiffe-auth/README.md index edc2daeccc..ef76b278ee 100644 --- a/test/integration/suites/envoy-sds-v3-spiffe-auth/README.md +++ b/test/integration/suites/envoy-sds-v3-spiffe-auth/README.md @@ -13,7 +13,6 @@ A customer container image is used that runs both Envoy and the SPIRE Agent. Soc The test ensures both TLS and mTLS connectivity between the workload. This is exercised with a federated workload and also with a not federated workload. - upstream-spire-server downtream-federated-spire-server / \ | / \ | @@ -21,4 +20,3 @@ The test ensures both TLS and mTLS connectivity between the workload. This is ex / \ | / \ | | | | | downtream-socat-mtls downstream-socat-tls upstream-socat downstream-federated-socat-mtls downstream-federated-socat-tls - diff --git a/test/integration/suites/node-attestation/README.md b/test/integration/suites/node-attestation/README.md index 58e7e8d6eb..d56982ee88 100644 --- a/test/integration/suites/node-attestation/README.md +++ b/test/integration/suites/node-attestation/README.md @@ -4,4 +4,3 @@ Basic tests of the node attestation APIs using a simple fake agent The agent runs in a separate Docker container, but nothing from the real SPIRE agent is used - diff --git a/test/integration/suites/upstream-authority-cert-manager/README.md b/test/integration/suites/upstream-authority-cert-manager/README.md index cea9550fa5..efc3b55257 100644 --- a/test/integration/suites/upstream-authority-cert-manager/README.md +++ b/test/integration/suites/upstream-authority-cert-manager/README.md @@ -1,6 +1,5 @@ # Upstream Authority cert-manager Suite - ## Description This suite sets up a Kubernetes cluster using [Kind](https://kind.sigs.k8s.io), From 77f12b7a5c63dc0753915d3f512096f0463d2a17 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Tue, 22 Nov 2022 22:05:44 -0300 Subject: [PATCH 146/257] Update the `k8sbundle` plugin documentation to clarify when `kube_config_file_path` is required (#3630) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Update the `k8sbundle` plugin documentation to clarify when `kube_config_file_path` is required Signed-off-by: Agustín Martínez Fayó --- conf/server/server_full.conf | 11 +++++++++++ doc/plugin_server_notifier_k8sbundle.md | 14 +++++++------- 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/conf/server/server_full.conf b/conf/server/server_full.conf index d20b7d7836..e5c0e41cbb 100644 --- a/conf/server/server_full.conf +++ b/conf/server/server_full.conf @@ -566,7 +566,18 @@ plugins { # # containing configuration to enable interaction with the # # Kubernetes API server. If unset, it is assumed the notifier # # is in-cluster and in-cluster credentials will be used. + # # Required for remote clusters. # # kube_config_file_path = "" + + # # clusters: Extra remote clusters. + # # clusters = [ + # # { + # # namespace = "infra" + # # config_map = "agents" + # # config_map_key = "bootstrap.crt" + # # kube_config_file_path = "/path/to/kubeconfig" + # # } + # # ] # } # } diff --git a/doc/plugin_server_notifier_k8sbundle.md b/doc/plugin_server_notifier_k8sbundle.md index ed0c6e262f..70dabd05e7 100644 --- a/doc/plugin_server_notifier_k8sbundle.md +++ b/doc/plugin_server_notifier_k8sbundle.md 
@@ -13,21 +13,21 @@ The plugin accepts the following configuration options: | namespace | The namespace containing the ConfigMap | `spire` | | config_map | The name of the ConfigMap | `spire-bundle` | | config_map_key | The key within the ConfigMap for the bundle | `bundle.crt` | -| kube_config_file_path | The path on disk to the kubeconfig containing configuration to enable interaction with the Kubernetes API server. If unset, it is assumed the notifier is in-cluster and in-cluster credentials will be used. | | +| kube_config_file_path | The path on disk to the kubeconfig containing configuration to enable interaction with the Kubernetes API server. If unset, it is assumed the notifier is in-cluster and in-cluster credentials will be used. Required when configuring a remote cluster. See the `clusters` setting to configure multiple remote clusters. | | | api_service_label | If set, rotate the CA Bundle in API services with this label set to `true`. | | | webhook_label | If set, rotate the CA Bundle in validating and mutating webhooks with this label set to `true`. | | -| clusters | A list of cluster configurations. If set it can be used to configure multiple. Each cluster allows the same values as the root configuration. | | +| clusters | A list of remote cluster configurations. If set it can be used to configure multiple. Each cluster allows the same values as the root configuration. | | ## Configuring Kubernetes -The following actions are required to set up the plugin. +The following actions are required to set up the plugin: -- Bind ClusterRole or Role that can `get` and `patch` the ConfigMap to Service Account - - In the case of in-cluster SPIRE server, it is Service Account that runs the SPIRE server - - In the case of out-of-cluster SPIRE server, it is Service Account that interacts with the Kubernetes API server +- Bind ClusterRole or Role that can `get` and `patch` the ConfigMap to Service Account. 
+ - In the case of in-cluster SPIRE server, it is Service Account that runs the SPIRE Server. + - In the case of out-of-cluster SPIRE Server, it is Service Account that interacts with the Kubernetes API server. - In the case of setting `webhook_label`, the ClusterRole or Role additionally needs permissions to `get`, `list`, `patch`, and `watch` `mutatingwebhookconfigurations` and `validatingwebhookconfigurations`. - In the case of setting `api_service_label`, the ClusterRole or Role additionally needs permissions to `get`, `list`, `patch`, and `watch` `apiservices`. -- Create the ConfigMap that the plugin pushes +- Create the ConfigMap that the plugin pushes. For example: From 9ec4d35d5ad2196a2e2b48b458b8f123845f8f0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Wed, 23 Nov 2022 16:36:20 -0300 Subject: [PATCH 147/257] Update help in Makefile to include lint commands (#3631) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó Signed-off-by: Agustín Martínez Fayó --- Makefile | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 79c885c96e..7afaebcdfc 100644 --- a/Makefile +++ b/Makefile 
@@ -38,8 +38,13 @@ help: @echo " support 'SUITES' variable for executing specific tests" @echo " e.g. SUITES='windows-suites/windows-workload-attestor' make integration-windows" @echo - @echo "$(bold)Build and test:$(reset)" - @echo " $(cyan)all$(reset) - build all SPIRE binaries, lint the code, and run unit tests" + @echo "$(bold)Lint:$(reset)" + @echo " $(cyan)lint$(reset) - lint the code and markdown files" + @echo " $(cyan)lint-code$(reset) - lint the code" + @echo " $(cyan)lint-md$(reset) - lint markdown files" + @echo + @echo "$(bold)Build, lint and test:$(reset)" + @echo " $(cyan)all$(reset) - build all SPIRE binaries, run linters and unit tests" @echo @echo "$(bold)Docker image:$(reset)" @echo " $(cyan)images$(reset) - build all SPIRE Docker images" From edf3589ec631507e67fb2428891a01b43c486f1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Wed, 23 Nov 2022 17:10:58 -0300 Subject: [PATCH 148/257] Fixes in documentation for "gcp_kms" plugin (#3632) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- doc/plugin_server_keymanager_gcp_kms.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/doc/plugin_server_keymanager_gcp_kms.md b/doc/plugin_server_keymanager_gcp_kms.md index e81f2a82c1..43cb6a8c71 100644 --- a/doc/plugin_server_keymanager_gcp_kms.md +++ b/doc/plugin_server_keymanager_gcp_kms.md 
@@ -53,8 +53,7 @@ following table is provided for informational purposes only: | ----- | ----------- | | spire-server-td | SHA-1 checksum of the trust domain name of the server. | | spire-server-id | Auto-generated ID that is unique to the server and is persisted in the _Key Metadata File_ (see the `key_metadata_file` configurable). | -| spire-last-update | Unix time of the last time that the plugin updated the -CryptoKey to keep it active. | +| spire-last-update | Unix time of the last time that the plugin updated the CryptoKey to keep it active. | | spire-active | Indicates if the CryptoKey is still in use by the plugin. | If the _Key Metadata File_ is not found during server startup, the file is @@ -67,7 +66,7 @@ CryptoKey detection, the plugin actively updates the `spire-last-update` label on all CryptoKeys managed by the server every 6 hours. The plugin periodically scans the CryptoKeys looking for active CryptoKeys within the trust domain that have a `spire-last-update` value older than two weeks and don't belong to the -server. The corresponding CryptoKeyVersion of those stale CryptoKeys are +server. The corresponding CryptoKeyVersions of those stale CryptoKeys are scheduled for destruction, and the `spire-active` label in the CryptoKey is updated to indicate that the CryptoKey is no longer active. Additionally, if the plugin detects that a CryptoKey doesn't have any enabled CryptoKeyVersions, @@ -91,7 +90,7 @@ cloudkms.cryptoKeyVersions.viewPublicKey ### IAM policy Google Cloud resources are organized hierarchically, and resources inherit the -allow policies of the parent resource. The plugin set a default IAM policy to +allow policies of the parent resource. The plugin sets a default IAM policy to CryptoKeys that it creates. Alternatively, a user defined IAM policy can be defined. The effective allow policy for a CryptoKey is the union of the allow policy set From 6c4cec1737a0493c61ae9a2d5249a45daa987576 Mon Sep 17 00:00:00 2001 
From: Willian Alves Date: Wed, 23 Nov 2022 17:32:56 -0400 Subject: [PATCH 149/257] Adjusting Marcos's comments (#174) Signed-off-by: Willian Alves Signed-off-by: Willian Alves --- .../plugin/workloadattestor/k8s/k8s_test.go | 2 - .../workloadattestor/k8s/sigstore/sigstore.go | 31 +- .../k8s/sigstore/sigstore_test.go | 292 +++++++++--------- 3 files changed, 156 insertions(+), 169 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index 2805427996..232ba63e18 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -87,10 +87,8 @@ func TestPlugin(t *testing.T) { func (s *Suite) SetupTest() { s.dir = s.TempDir() s.writeFile(defaultTokenPath, "default-token") - s.clock = clock.NewMock(s.T()) s.server = nil - s.podList = nil s.env = map[string]string{} diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 588e6388c2..5b22d2b2b7 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -92,13 +92,12 @@ func New(cache Cache, logger hclog.Logger) Sigstore { } func defaultCheckOptsFunction(rekorURL url.URL) (*cosign.CheckOpts, error) { - if rekorURL.Host == "" { + switch { + case rekorURL.Host == "": return nil, errors.New("rekor URL host is empty") - } - if rekorURL.Scheme == "" { + case rekorURL.Scheme == "": return nil, errors.New("rekor URL scheme is empty") - } - if rekorURL.Path == "" { + case rekorURL.Path == "": return nil, errors.New("rekor URL path is empty") } 
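Review bot: The `case rekorURL.Scheme == "":` guard in defaultCheckOptsFunction only rejects an empty scheme, so any non-empty value, including plain `http`, passes this check. The Rekor client built from this URL feeds signature verification, and over an unprotected transport the transparency-log responses it relies on have no integrity guarantee. Unless the scheme is already restricted elsewhere (SetRekorURL's validation is not visible in this hunk), consider `case rekorURL.Scheme != "https":` with an error that names the rejected scheme. The function body continues past the end of the hunk.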
@@ -119,9 +118,9 @@ func defaultCheckOptsFunction(rekorURL url.URL) (*cosign.CheckOpts, error) { type sigstoreImpl struct { functionHooks sigstoreFunctionHooks - skippedImages map[string]bool + skippedImages map[string]struct{} allowListEnabled bool - subjectAllowList map[string]bool + subjectAllowList map[string]struct{} rekorURL url.URL logger hclog.Logger sigstorecache Cache @@ -148,14 +147,14 @@ func (s *sigstoreImpl) FetchImageSignatures(ctx context.Context, imageName strin return nil, fmt.Errorf("could not create cosign check options: %w", err) } sigs, ok, err := s.functionHooks.verifyFunction(ctx, ref, co) - if err != nil { + switch { + case err != nil: return nil, fmt.Errorf("error verifying signature: %w", err) - } - if !ok { + case !ok: return nil, fmt.Errorf("bundle not verified for %q", imageName) + default: + return sigs, nil } - - return sigs, nil } // ExtractSelectorsFromSignatures extracts selectors from a list of image signatures. @@ -238,10 +237,10 @@ func (s *sigstoreImpl) ShouldSkipImage(imageID string) (bool, error) { // AddSkippedImage adds the image ID and selectors to the skip list. func (s *sigstoreImpl) AddSkippedImage(imageIDList []string) { if s.skippedImages == nil { - s.skippedImages = make(map[string]bool) + s.skippedImages = make(map[string]struct{}) } for _, imageID := range imageIDList { - s.skippedImages[imageID] = true + s.skippedImages[imageID] = struct{}{} } } @@ -273,9 +272,9 @@ func (s *sigstoreImpl) ValidateImage(ref name.Reference) (bool, error) { func (s *sigstoreImpl) AddAllowedSubject(subject string) { if s.subjectAllowList == nil { - s.subjectAllowList = make(map[string]bool) + s.subjectAllowList = make(map[string]struct{}) } - s.subjectAllowList[subject] = true + s.subjectAllowList[subject] = struct{}{} } func (s *sigstoreImpl) ClearAllowedSubjects() { 
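Review bot: The doc comment kept above AddSkippedImage, "adds the image ID and selectors to the skip list", no longer matches the code in this hunk. The method takes only `imageIDList []string` and stores each ID as a key in `skippedImages`, with no selectors involved. Since the skip list presumably decides which images bypass signature validation, the comment should say exactly what is stored, e.g. `// AddSkippedImage adds the given image IDs to the skip list.` AddAllowedSubject in the next hunk appears to have no doc comment at all; a one-line `// AddAllowedSubject adds a subject to the allow list.` would keep the two setters consistent.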
diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index c2469249de..6dea36fc76 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -26,6 +26,7 @@ import ( "github.com/sigstore/cosign/pkg/cosign/bundle" "github.com/sigstore/cosign/pkg/oci" rekor "github.com/sigstore/rekor/pkg/generated/client" + "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" ) 
@@ -83,25 +84,25 @@ func TestNew(t *testing.T) { } sigstore := New(newcache, nil) - if sigImpObj, ok := sigstore.(*sigstoreImpl); !ok { - t.Errorf("object type does not match") - } else { // test each field manually since require.Equal does not work on function pointers - if &(sigImpObj.functionHooks.verifyFunction) == &(want.functionHooks.verifyFunction) { - t.Errorf("verify functions do not match") - } - if &(sigImpObj.functionHooks.fetchImageManifestFunction) == &(want.functionHooks.fetchImageManifestFunction) { - t.Errorf("fetchImageManifest functions do not match") - } - if &(sigImpObj.functionHooks.checkOptsFunction) == &(want.functionHooks.checkOptsFunction) { - t.Errorf("checkOptsFunction functions do not match") - } - require.Equal(t, want.skippedImages, sigImpObj.skippedImages, "skippedImages array is not empty") - require.Equal(t, want.allowListEnabled, sigImpObj.allowListEnabled, "allowListEnabled has wrong value") - require.Equal(t, want.subjectAllowList, sigImpObj.subjectAllowList, "subjectAllowList array is not empty") - require.Equal(t, want.rekorURL, sigImpObj.rekorURL, "rekorURL is different from rekor default") - require.Equal(t, want.sigstorecache, sigImpObj.sigstorecache, "sigstorecache is different from fresh object") - require.Equal(t, want.logger, sigImpObj.logger, "new logger is not nil") + require.IsType(t, &sigstoreImpl{}, sigstore) + sigImpObj, _ := sigstore.(*sigstoreImpl) + + // test each field manually since require.Equal does not work on function pointers + if &(sigImpObj.functionHooks.verifyFunction) == &(want.functionHooks.verifyFunction) { + t.Errorf("verify functions do not match") } + if &(sigImpObj.functionHooks.fetchImageManifestFunction) == &(want.functionHooks.fetchImageManifestFunction) { + t.Errorf("fetchImageManifest functions do not match") + } + if &(sigImpObj.functionHooks.checkOptsFunction) == &(want.functionHooks.checkOptsFunction) { + t.Errorf("checkOptsFunction functions do not match") + } + require.Equal(t, 
want.skippedImages, sigImpObj.skippedImages, "skippedImages array is not empty") + require.Equal(t, want.allowListEnabled, sigImpObj.allowListEnabled, "allowListEnabled has wrong value") + require.Equal(t, want.subjectAllowList, sigImpObj.subjectAllowList, "subjectAllowList array is not empty") + require.Equal(t, want.rekorURL, sigImpObj.rekorURL, "rekorURL is different from rekor default") + require.Equal(t, want.sigstorecache, sigImpObj.sigstorecache, "sigstorecache is different from fresh object") + require.Equal(t, want.logger, sigImpObj.logger, "new logger is not nil") } func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { @@ -115,6 +116,8 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { defaultCheckOpts, _ := defaultCheckOptsFunction(rekorDefaultURL()) emptyURLCheckOpts, emptyError := defaultCheckOptsFunction(url.URL{}) + require.Nil(t, emptyURLCheckOpts) + require.EqualError(t, emptyError, "rekor URL host is empty") tests := []struct { name string @@ -431,14 +434,10 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { rekorURL: tt.fields.rekorURL, } got, err := sigstore.FetchImageSignatures(context.Background(), tt.args.imageName) - - if err != nil { - if !tt.wantErr { - t.Errorf("sigstoreImpl.FetchImageSignatures() has error, wantErr %v", tt.wantErr) - } - require.EqualError(t, err, tt.wantedErr.Error(), "sigstoreImpl.FetchImageSignatures() error = %v, wantedErr = %v", err, tt.wantedErr) - } else if tt.wantErr { - t.Errorf("sigstoreImpl.FetchImageSignatures() no error, wantErr = %v, wantedErr %v", tt.wantErr, tt.wantedErr) + if tt.wantErr { + require.EqualError(t, err, tt.wantedErr.Error()) + } else { + require.NoError(t, err) } require.Equal(t, tt.want, got, "sigstoreImpl.FetchImageSignatures() = %v, want %v", got, tt.want) 
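Review bot: The three function-hook checks kept in TestNew can never fail. `&(sigImpObj.functionHooks.verifyFunction) == &(want.functionHooks.verifyFunction)` compares the addresses of fields in two distinct structs, which always differ, and the branch reports a mismatch only when they are equal. The test therefore does not confirm that New wires the intended verify, manifest-fetch and check-options hooks, which is the part of the constructor that signature verification depends on. Comparing the function values themselves, e.g. `require.Equal(t, reflect.ValueOf(want.functionHooks.verifyFunction).Pointer(), reflect.ValueOf(sigImpObj.functionHooks.verifyFunction).Pointer())` for each hook, would make the assertion meaningful; this needs `reflect` in the test imports, which are only partly visible here.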
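Review bot: The rewritten check in TestSigstoreimpl_FetchImageSignatures branches on `tt.wantErr` but then calls `tt.wantedErr.Error()`, so a table entry with `wantErr: true` and no `wantedErr` would panic on a nil error instead of failing cleanly. The other rewritten tests in this commit (ValidateImage, SelectorValuesFromSignature, SetRekorURL) branch on `tt.wantedErr != nil`. Using `if tt.wantedErr != nil {` here as well keeps the tables consistent and makes the separate `wantErr` flag redundant. The test function starts outside the hunk.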
@@ -670,7 +669,7 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { type fields struct { - skippedImages map[string](bool) + skippedImages map[string]struct{} } type args struct { imageID string @@ -685,8 +684,8 @@ func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { { name: "skipping only image in list", fields: fields{ - skippedImages: map[string]bool{ - "sha256:sampleimagehash": true, + skippedImages: map[string]struct{}{ + "sha256:sampleimagehash": struct{}{}, }, }, args: args{ @@ -698,10 +697,10 @@ func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { { name: "skipping image in list", fields: fields{ - skippedImages: map[string]bool{ - "sha256:sampleimagehash": true, - "sha256:sampleimagehash2": true, - "sha256:sampleimagehash3": true, + skippedImages: map[string]struct{}{ + "sha256:sampleimagehash": struct{}{}, + "sha256:sampleimagehash2": struct{}{}, + "sha256:sampleimagehash3": struct{}{}, }, }, args: args{ @@ -713,9 +712,9 @@ func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { { name: "image not in list", fields: fields{ - skippedImages: map[string]bool{ - "sha256:sampleimagehash": true, - "sha256:sampleimagehash3": true, + skippedImages: map[string]struct{}{ + "sha256:sampleimagehash": struct{}{}, + "sha256:sampleimagehash3": struct{}{}, }, }, args: args{ @@ -738,10 +737,10 @@ func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { { name: "empty imageID", fields: fields{ - skippedImages: map[string]bool{ - "sha256:sampleimagehash": true, - "sha256:sampleimagehash2": true, - "sha256:sampleimagehash3": true, + skippedImages: map[string]struct{}{ + "sha256:sampleimagehash": struct{}{}, + "sha256:sampleimagehash2": struct{}{}, + "sha256:sampleimagehash3": struct{}{}, }, }, args: args{ 
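Review bot: The new map literals repeat the element type on every entry, e.g. `"sha256:sampleimagehash": struct{}{},`. Inside a `map[string]struct{}` composite literal the element type can be elided, giving `"sha256:sampleimagehash": {},`, which is the form `gofmt -s` produces and is easier to scan in long tables. The same applies to the skippedImages and subjectAllowList tables in the later hunks of this file (AddSkippedImage, ClearSkipList, AddAllowedSubject, ClearAllowedSubjects, SelectorValuesFromSignature, AttestContainerSignatures).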
@@ -770,7 +769,7 @@ func TestSigstoreimpl_AddSkippedImage(t *testing.T) { type fields struct { verifyFunction func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) fetchImageManifestFunction func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) - skippedImages map[string]bool + skippedImages map[string]struct{} } type args struct { imageID []string @@ -779,30 +778,30 @@ func TestSigstoreimpl_AddSkippedImage(t *testing.T) { name string fields fields args args - want map[string]bool + want map[string]struct{} }{ { name: "add skipped image to empty map", args: args{ imageID: []string{"sha256:sampleimagehash"}, }, - want: map[string]bool{ - "sha256:sampleimagehash": true, + want: map[string]struct{}{ + "sha256:sampleimagehash": struct{}{}, }, }, { name: "add skipped image", fields: fields{ - skippedImages: map[string]bool{ - "sha256:sampleimagehash1": true, + skippedImages: map[string]struct{}{ + "sha256:sampleimagehash1": struct{}{}, }, }, args: args{ imageID: []string{"sha256:sampleimagehash"}, }, - want: map[string]bool{ - "sha256:sampleimagehash": true, - "sha256:sampleimagehash1": true, + want: map[string]struct{}{ + "sha256:sampleimagehash": struct{}{}, + "sha256:sampleimagehash1": struct{}{}, }, }, { 
@@ -810,25 +809,25 @@ func TestSigstoreimpl_AddSkippedImage(t *testing.T) { args: args{ imageID: []string{"sha256:sampleimagehash", "sha256:sampleimagehash1"}, }, - want: map[string]bool{ - "sha256:sampleimagehash": true, - "sha256:sampleimagehash1": true, + want: map[string]struct{}{ + "sha256:sampleimagehash": struct{}{}, + "sha256:sampleimagehash1": struct{}{}, }, }, { name: "add a list of skipped images to a existing map", fields: fields{ - skippedImages: map[string]bool{ - "sha256:sampleimagehash": true, + skippedImages: map[string]struct{}{ + "sha256:sampleimagehash": struct{}{}, }, }, args: args{ imageID: []string{"sha256:sampleimagehash1", "sha256:sampleimagehash2"}, }, - want: map[string]bool{ - "sha256:sampleimagehash": true, - "sha256:sampleimagehash1": true, - "sha256:sampleimagehash2": true, + want: map[string]struct{}{ + "sha256:sampleimagehash": struct{}{}, + "sha256:sampleimagehash1": struct{}{}, + "sha256:sampleimagehash2": struct{}{}, }, }, } @@ -851,12 +850,12 @@ func TestSigstoreimpl_ClearSkipList(t *testing.T) { type fields struct { verifyFunction func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) fetchImageManifestFunction func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) - skippedImages map[string]bool + skippedImages map[string]struct{} } tests := []struct { name string fields fields - want map[string]bool + want map[string]struct{} }{ { name: "clear single image in map", @@ -864,8 +863,8 @@ func TestSigstoreimpl_ClearSkipList(t *testing.T) { verifyFunction: nil, fetchImageManifestFunction: nil, - skippedImages: map[string]bool{ - "sha256:sampleimagehash": true, + skippedImages: map[string]struct{}{ + "sha256:sampleimagehash": struct{}{}, }, }, want: nil, 
@@ -875,9 +874,9 @@ func TestSigstoreimpl_ClearSkipList(t *testing.T) { fields: fields{ verifyFunction: nil, fetchImageManifestFunction: nil, - skippedImages: map[string]bool{ - "sha256:sampleimagehash": true, - "sha256:sampleimagehash1": true, + skippedImages: map[string]struct{}{ + "sha256:sampleimagehash": struct{}{}, + "sha256:sampleimagehash1": struct{}{}, }, }, want: nil, @@ -887,7 +886,7 @@ func TestSigstoreimpl_ClearSkipList(t *testing.T) { fields: fields{ verifyFunction: nil, fetchImageManifestFunction: nil, - skippedImages: map[string]bool{}, + skippedImages: map[string]struct{}{}, }, want: nil, }, @@ -922,7 +921,7 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { type fields struct { verifyFunction verifyFunctionBinding fetchImageManifestFunction fetchFunctionBinding - skippedImages map[string]bool + skippedImages map[string]struct{} } type args struct { ref name.Reference @@ -1027,15 +1026,12 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { }, skippedImages: tt.fields.skippedImages, } - got, err := sigstore.ValidateImage(tt.args.ref) - if err != nil { - if !tt.wantErr { - t.Errorf("sigstoreImpl.ValidateImage() has error, wantErr %v", tt.wantErr) - } - require.EqualError(t, err, tt.wantedErr.Error(), "sigstoreImpl.ValidateImage() error = %v, wantedErr = %v", err, tt.wantedErr) - } else if tt.wantErr { - t.Errorf("sigstoreImpl.ValidateImage() no error, wantErr = %v, wantedErr %v", tt.wantErr, tt.wantedErr) + got, err := sigstore.ValidateImage(tt.args.ref) + if tt.wantedErr != nil { + require.EqualError(t, err, tt.wantedErr.Error()) + } else { + require.NoError(t, err) } require.Equal(t, tt.want, got, "sigstoreImpl.ValidateImage() = %v, want %v", got, tt.want) @@ -1047,7 +1043,7 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { func TestSigstoreimpl_AddAllowedSubject(t *testing.T) { type fields struct { - subjectAllowList map[string]bool + subjectAllowList map[string]struct{} } type args struct { subject string 
@@ -1056,7 +1052,7 @@ func TestSigstoreimpl_AddAllowedSubject(t *testing.T) {
 name string
 fields fields
 args args
- want map[string]bool
+ want map[string]struct{}
 }{
 {
 name: "add allowed subject to nil map",
@@ -1066,63 +1062,63 @@ func TestSigstoreimpl_AddAllowedSubject(t *testing.T) { args: args{ subject: "spirex@example.com", }, - want: map[string]bool{ - "spirex@example.com": true, + want: map[string]struct{}{ + "spirex@example.com": struct{}{}, }, }, { name: "add allowed subject to empty map", fields: fields{ - subjectAllowList: map[string]bool{}, + subjectAllowList: map[string]struct{}{}, }, args: args{ subject: "spirex@example.com", }, - want: map[string]bool{ - "spirex@example.com": true, + want: map[string]struct{}{ + "spirex@example.com": struct{}{}, }, }, { name: "add allowed subject to existing map", fields: fields{ - subjectAllowList: map[string]bool{ - "spirex1@example.com": true, - "spirex2@example.com": true, - "spirex3@example.com": true, - "spirex5@example.com": true, + subjectAllowList: map[string]struct{}{ + "spirex1@example.com": struct{}{}, + "spirex2@example.com": struct{}{}, + "spirex3@example.com": struct{}{}, + "spirex5@example.com": struct{}{}, }, }, args: args{ subject: "spirex4@example.com", }, - want: map[string]bool{ - "spirex1@example.com": true, - "spirex2@example.com": true, - "spirex3@example.com": true, - "spirex4@example.com": true, - "spirex5@example.com": true, + want: map[string]struct{}{ + "spirex1@example.com": struct{}{}, + "spirex2@example.com": struct{}{}, + "spirex3@example.com": struct{}{}, + "spirex4@example.com": struct{}{}, + "spirex5@example.com": struct{}{}, }, }, { name: "add existing allowed subject to existing map", fields: fields{ - subjectAllowList: map[string]bool{ - "spirex1@example.com": true, - "spirex2@example.com": true, - "spirex3@example.com": true, - "spirex4@example.com": true, - "spirex5@example.com": true, + subjectAllowList: map[string]struct{}{ + "spirex1@example.com": struct{}{}, + "spirex2@example.com": struct{}{}, + "spirex3@example.com": struct{}{}, + "spirex4@example.com": struct{}{}, + "spirex5@example.com": struct{}{}, }, }, args: args{ subject: "spirex4@example.com", }, - want: 
map[string]bool{ - "spirex1@example.com": true, - "spirex2@example.com": true, - "spirex3@example.com": true, - "spirex4@example.com": true, - "spirex5@example.com": true, + want: map[string]struct{}{ + "spirex1@example.com": struct{}{}, + "spirex2@example.com": struct{}{}, + "spirex3@example.com": struct{}{}, + "spirex4@example.com": struct{}{}, + "spirex5@example.com": struct{}{}, }, }, } @@ -1139,23 +1135,23 @@ func TestSigstoreimpl_AddAllowedSubject(t *testing.T) { func TestSigstoreimpl_ClearAllowedSubjects(t *testing.T) { type fields struct { - subjectAllowList map[string]bool + subjectAllowList map[string]struct{} } tests := []struct { name string fields fields - want map[string]bool + want map[string]struct{} }{ { name: "clear existing map", fields: fields{ - subjectAllowList: map[string]bool{ - "spirex1@example.com": true, - "spirex2@example.com": true, - "spirex3@example.com": true, - "spirex4@example.com": true, - "spirex5@example.com": true, + subjectAllowList: map[string]struct{}{ + "spirex1@example.com": struct{}{}, + "spirex2@example.com": struct{}{}, + "spirex3@example.com": struct{}{}, + "spirex4@example.com": struct{}{}, + "spirex5@example.com": struct{}{}, }, }, want: nil, @@ -1163,7 +1159,7 @@ func TestSigstoreimpl_ClearAllowedSubjects(t *testing.T) { { name: "clear empty map", fields: fields{ - subjectAllowList: map[string]bool{}, + subjectAllowList: map[string]struct{}{}, }, want: nil, }, @@ -1238,7 +1234,7 @@ func TestSigstoreimpl_EnableAllowSubjectList(t *testing.T) { func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { type fields struct { allowListEnabled bool - subjectAllowList map[string]bool + subjectAllowList map[string]struct{} } type args struct { signature oci.Signature 
@@ -1306,8 +1302,8 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { name: "selector from signature, not in allowlist", fields: fields{ allowListEnabled: true, - subjectAllowList: map[string]bool{ - "spirex2@example.com": true, + subjectAllowList: map[string]struct{}{ + "spirex2@example.com": struct{}{}, }, }, args: args{ @@ -1324,8 +1320,8 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { name: "selector from signature, allowedlist enabled, in allowlist", fields: fields{ allowListEnabled: true, - subjectAllowList: map[string]bool{ - "spirex@example.com": true, + subjectAllowList: map[string]struct{}{ + "spirex@example.com": struct{}{}, }, }, args: args{ @@ -1353,8 +1349,8 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { name: "selector from signature, allowedlist enabled, in allowlist, empty content", fields: fields{ allowListEnabled: true, - subjectAllowList: map[string]bool{ - "spirex@example.com": true, + subjectAllowList: map[string]struct{}{ + "spirex@example.com": struct{}{}, }, }, args: args{ @@ -1575,15 +1571,12 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { logger: hclog.Default(), } got, err := sigstore.SelectorValuesFromSignature(tt.args.signature, tt.containerID) - if err != nil { - if !tt.wantErr { - t.Errorf("sigstoreImpl.SelectorValuesFromSignature() has error, wantErr %v", tt.wantErr) - } + assert.Equal(t, got, tt.want, "sigstoreImpl.SelectorValuesFromSignature() = %v, want %v", got, tt.want) + if tt.wantedErr != nil { require.EqualError(t, err, tt.wantedErr.Error(), "sigstoreImpl.SelectorValuesFromSignature() error = %v, wantedErr = %v", err, tt.wantedErr) - } else if tt.wantErr { - t.Errorf("sigstoreImpl.SelectorValuesFromSignature() no error, wantErr = %v, wantedErr %v", tt.wantErr, tt.wantedErr) + return } - require.Equal(t, got, tt.want, "sigstoreImpl.SelectorValuesFromSignature() = %v, want %v", got, tt.want) + require.NoError(t, err) }) } } 
@@ -1591,7 +1584,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { type fields struct { functionBindings sigstoreFunctionBindings - skippedImages map[string]bool + skippedImages map[string]struct{} rekorURL url.URL } @@ -1664,8 +1657,8 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { fetchBinding: createNilFetchFunction(), checkOptsBinding: createNilCheckOptsFunction(), }, - skippedImages: map[string]bool{ - "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505": true, + skippedImages: map[string]struct{}{ + "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505": struct{}{}, }, rekorURL: rekorDefaultURL(), }, @@ -1871,19 +1864,24 @@ func TestSigstoreimpl_SetRekorURL(t *testing.T) { rekorURL: tt.fields.rekorURL, } err := sigstore.SetRekorURL(tt.args.rekorURL) - if err != nil { - if !tt.wantErr { - t.Errorf("sigstoreImpl.SetRekorURL() has error, wantErr %v", tt.wantErr) - } + if tt.wantedErr != nil { require.EqualError(t, err, tt.wantedErr.Error(), "sigstoreImpl.SetRekorURL() error = %v, wantedErr = %v", err, tt.wantedErr) - } else if tt.wantErr { - t.Errorf("sigstoreImpl.SetRekorURL() no error, wantErr = %v, wantedErr %v", tt.wantErr, tt.wantedErr) + } else { + require.NoError(t, err) } require.Equal(t, sigstore.rekorURL, tt.want, "sigstoreImpl.SetRekorURL() = %v, want %v", sigstore.rekorURL, tt.want) }) } } +type signature struct { + oci.Signature + + payload []byte + cert *x509.Certificate + bundle *bundle.RekorBundle +} + func (s signature) Payload() ([]byte, error) { return s.payload, nil } 
@@ -1896,10 +1894,14 @@ func (s signature) Bundle() (*bundle.RekorBundle, error) { return s.bundle, nil } +type noPayloadSignature signature + func (noPayloadSignature) Payload() ([]byte, error) { return nil, errors.New("no payload test") } +type nilBundleSignature signature + func (s nilBundleSignature) Payload() ([]byte, error) { return s.payload, nil } @@ -1912,6 +1914,8 @@ func (s nilBundleSignature) Bundle() (*bundle.RekorBundle, error) { return nil, fmt.Errorf("no bundle test") } +type noCertSignature signature + func (s noCertSignature) Payload() ([]byte, error) { return s.payload, nil } @@ -2000,14 +2004,6 @@ func rekorDefaultURL() url.URL { } } -type signature struct { - oci.Signature - - payload []byte - cert *x509.Certificate - bundle *bundle.RekorBundle -} - type sigstoreFunctionBindings struct { verifyBinding verifyFunctionBinding fetchBinding fetchFunctionBinding @@ -2037,9 +2033,3 @@ type verifyFunctionArguments struct { } type verifyFunctionBinding func(require.TestingT, *verifyFunctionArguments) verifyFunctionType - -type noCertSignature signature - -type nilBundleSignature signature - -type noPayloadSignature signature From 3d4c8a2da0f05463c163ef2df39388a3b263924b Mon Sep 17 00:00:00 2001 From: Guilherme Oliveira do Carmo Carvalho <33766735+guilhermocc@users.noreply.github.com> Date: Thu, 24 Nov 2022 15:58:05 -0300 Subject: [PATCH 150/257] Use cli printer server entry commands (#3628) * Use cliprinter to enable more output format options in list agent command 
Signed-off-by: Guilherme Carvalho --- cmd/spire-server/cli/entry/count.go | 35 +- cmd/spire-server/cli/entry/count_test.go | 49 +-- cmd/spire-server/cli/entry/create.go | 85 ++-- cmd/spire-server/cli/entry/create_test.go | 351 +++++++++++++--- cmd/spire-server/cli/entry/delete.go | 39 +- cmd/spire-server/cli/entry/delete_test.go | 88 +++-- cmd/spire-server/cli/entry/show.go | 45 ++- cmd/spire-server/cli/entry/show_test.go | 261 +++++++++--- cmd/spire-server/cli/entry/update.go | 82 ++-- cmd/spire-server/cli/entry/update_test.go | 373 +++++++++++++++--- cmd/spire-server/cli/entry/util_posix_test.go | 20 + cmd/spire-server/cli/entry/util_test.go | 15 + .../cli/entry/util_windows_test.go | 20 + pkg/common/cliprinter/cliprinter.go | 4 + 14 files changed, 1147 insertions(+), 320 deletions(-) diff --git a/cmd/spire-server/cli/entry/count.go b/cmd/spire-server/cli/entry/count.go index 102b67aeaf..646cbe80a2 100644 --- a/cmd/spire-server/cli/entry/count.go +++ b/cmd/spire-server/cli/entry/count.go 
@@ -5,50 +5,63 @@ import ( "fmt" "github.com/mitchellh/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1" "github.com/spiffe/spire/cmd/spire-server/util" - common_cli "github.com/spiffe/spire/pkg/common/cli" + commoncli "github.com/spiffe/spire/pkg/common/cli" "golang.org/x/net/context" ) -type countCommand struct{} +type countCommand struct { + printer cliprinter.Printer + env *commoncli.Env +} // NewCountCommand creates a new "count" subcommand for "entry" command. func NewCountCommand() cli.Command { - return NewCountCommandWithEnv(common_cli.DefaultEnv) + return NewCountCommandWithEnv(commoncli.DefaultEnv) } // NewCountCommandWithEnv creates a new "count" subcommand for "entry" command // using the environment specified. -func NewCountCommandWithEnv(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(countCommand)) +func NewCountCommandWithEnv(env *commoncli.Env) cli.Command { + return util.AdaptCommand(env, &countCommand{env: env}) } func (*countCommand) Name() string { return "entry count" } -func (countCommand) Synopsis() string { +func (*countCommand) Synopsis() string { return "Count registration entries" } // Run counts attested entries -func (c *countCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { +func (c *countCommand) Run(ctx context.Context, env *commoncli.Env, serverClient util.ServerClient) error { entryClient := serverClient.NewEntryClient() countResponse, err := entryClient.CountEntries(ctx, &entryv1.CountEntriesRequest{}) if err != nil { return err } - count := int(countResponse.Count) + return c.printer.PrintProto(countResponse) +} + +func (c *countCommand) AppendFlags(fs *flag.FlagSet) { + cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, c.prettyPrintCount) +} + +func (c *countCommand) prettyPrintCount(env *commoncli.Env, results ...interface{}) error { + countResp, ok := 
results[0].(*entryv1.CountEntriesResponse) + if !ok { + return cliprinter.ErrInternalCustomPrettyFunc + } + count := int(countResp.Count) msg := fmt.Sprintf("%d registration ", count) msg = util.Pluralizer(msg, "entry", "entries", count) env.Println(msg) return nil } - -func (c *countCommand) AppendFlags(fs *flag.FlagSet) { -} diff --git a/cmd/spire-server/cli/entry/count_test.go b/cmd/spire-server/cli/entry/count_test.go index 0e2036071b..cfff9ca6f7 100644 --- a/cmd/spire-server/cli/entry/count_test.go +++ b/cmd/spire-server/cli/entry/count_test.go @@ -1,10 +1,10 @@ package entry import ( + "fmt" "testing" entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1" - "github.com/spiffe/spire/cmd/spire-server/cli/common" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" @@ -14,7 +14,7 @@ func TestCountHelp(t *testing.T) { test := setupTest(t, NewCountCommandWithEnv) test.client.Help() - require.Equal(t, `Usage of entry count:`+common.AddrUsage, test.stderr.String()) + require.Equal(t, countUsage, test.stderr.String()) } func TestCountSynopsis(t *testing.T) { 
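Review bot: `prettyPrintCount` reads `results[0]` without checking that the variadic slice is non-empty, so a call with no results panics instead of returning `cliprinter.ErrInternalCustomPrettyFunc`. Add `if len(results) == 0 { return cliprinter.ErrInternalCustomPrettyFunc }` before the type assertion. `prettyPrintCreate` in create.go and `prettyPrintDelete` in delete.go index `results[0]` the same way. Whether cliprinter can ever invoke the callback with an empty slice is not visible in this diff, so this is a defensive guard.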
@@ -33,28 +33,33 @@ func TestCount(t *testing.T) { args []string fakeCountResp *entryv1.CountEntriesResponse serverErr error - expOut string + expOutPretty string + expOutJSON string expErr string }{ { name: "4 entries", fakeCountResp: fakeResp4, - expOut: "4 registration entries\n", + expOutPretty: "4 registration entries\n", + expOutJSON: `{"count":4}`, }, { name: "2 entries", fakeCountResp: fakeResp2, - expOut: "2 registration entries\n", + expOutPretty: "2 registration entries\n", + expOutJSON: `{"count":2}`, }, { name: "1 entry", fakeCountResp: fakeResp1, - expOut: "1 registration entry\n", + expOutPretty: "1 registration entry\n", + expOutJSON: `{"count":1}`, }, { name: "0 entries", fakeCountResp: fakeResp0, - expOut: "0 registration entries\n", + expOutPretty: "0 registration entries\n", + expOutJSON: `{"count":0}`, }, { name: "Server error", @@ -62,21 +67,21 @@ func TestCount(t *testing.T) { expErr: "Error: rpc error: code = Internal desc = internal server error\n", }, } { - tt := tt - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, NewCountCommandWithEnv) - test.server.err = tt.serverErr - test.server.countEntriesResp = tt.fakeCountResp + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) { + test := setupTest(t, NewCountCommandWithEnv) + test.server.err = tt.serverErr + test.server.countEntriesResp = tt.fakeCountResp - rc := test.client.Run(test.args(tt.args...)) - if tt.expErr != "" { - require.Equal(t, 1, rc) - require.Equal(t, tt.expErr, test.stderr.String()) - return - } - - require.Equal(t, 0, rc) - require.Equal(t, tt.expOut, test.stdout.String()) - }) + rc := test.client.Run(test.args(tt.args...)) + if tt.expErr != "" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expErr, test.stderr.String()) + return + } + requireOutputBasedOnFormat(t, test.stdout.String(), format, tt.expOutPretty, tt.expOutJSON) + require.Equal(t, 0, rc) + }) + } } } 
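Review bot: The loop over `availableFormats` never hands the format to the command: `test.client.Run(test.args(tt.args...))` runs without `-output`, so each sub-test presumably exercises the default format and `expOutJSON` is never compared against real JSON output. The call `requireOutputBasedOnFormat(t, test.stdout.String(), format, ...)` also passes stdout and format in the opposite order from create_test.go and delete_test.go, which call it as `(t, format, test.stdout.String(), ...)`. The helper is added in util_test.go, outside this view, so the correct order should be confirmed there. If the create/delete order is right, use `args := append(tt.args, "-output", format)`, run with `test.args(args...)`, and call `requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expOutPretty, tt.expOutJSON)`.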
diff --git a/cmd/spire-server/cli/entry/create.go b/cmd/spire-server/cli/entry/create.go index dd517de04e..483edc690b 100644 --- a/cmd/spire-server/cli/entry/create.go +++ b/cmd/spire-server/cli/entry/create.go @@ -8,7 +8,8 @@ import ( entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1" "github.com/spiffe/spire-api-sdk/proto/spire/api/types" "github.com/spiffe/spire/cmd/spire-server/util" - common_cli "github.com/spiffe/spire/pkg/common/cli" + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" "github.com/spiffe/spire/pkg/common/idutil" "google.golang.org/grpc/codes" @@ -17,11 +18,11 @@ import ( // NewCreateCommand creates a new "create" subcommand for "entry" command. func NewCreateCommand() cli.Command { - return newCreateCommand(common_cli.DefaultEnv) + return newCreateCommand(commoncli.DefaultEnv) } -func newCreateCommand(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(createCommand)) +func newCreateCommand(env *commoncli.Env) cli.Command { + return util.AdaptCommand(env, &createCommand{env: env}) } type createCommand struct { @@ -70,6 +71,10 @@ type createCommand struct { // storeSVID determines if the issued SVID must be stored through an SVIDStore plugin storeSVID bool + + printer cliprinter.Printer + + env *commoncli.Env } func (*createCommand) Name() string { 
@@ -95,9 +100,10 @@ func (c *createCommand) AppendFlags(f *flag.FlagSet) { f.BoolVar(&c.downstream, "downstream", false, "A boolean value that, when set, indicates that the entry describes a downstream SPIRE server") f.Int64Var(&c.entryExpiry, "entryExpiry", 0, "An expiry, from epoch in seconds, for the resulting registration entry to be pruned") f.Var(&c.dnsNames, "dns", "A DNS name that will be included in SVIDs issued based on this entry, where appropriate. Can be used more than once") + cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintCreate) } -func (c *createCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { +func (c *createCommand) Run(ctx context.Context, env *commoncli.Env, serverClient util.ServerClient) error { if err := c.validate(); err != nil { return err } @@ -113,29 +119,12 @@ func (c *createCommand) Run(ctx context.Context, env *common_cli.Env, serverClie return err } - succeeded, failed, err := createEntries(ctx, serverClient.NewEntryClient(), entries) + resp, err := createEntries(ctx, serverClient.NewEntryClient(), entries) if err != nil { return err } - // Print entries that succeeded to be created - for _, r := range succeeded { - printEntry(r.Entry, env.Printf) - } - - // Print entries that failed to be created - for _, r := range failed { - env.ErrPrintf("Failed to create the following entry (code: %s, msg: %q):\n", - codes.Code(r.Status.Code), - r.Status.Message) - printEntry(r.Entry, env.ErrPrintf) - } - - if len(failed) > 0 { - return errors.New("failed to create one or more entries") - } - - return nil + return c.printer.PrintProto(resp) } // validate performs basic validation, even on fields that we 
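Review bot: With `return c.printer.PrintProto(resp)` the per-entry failure check lives only in `prettyPrintCreate`, so under `-output json` a batch in which entries were rejected appears to exit 0. The "Entry already exist" case in create_test.go expects exactly that. Provisioning scripts that rely on the exit status would then treat a rejected registration entry as created. `Run` in delete.go has the same shape for a failed delete. If this is not intended, check the result statuses after printing, as sketched below; if it is, the command help should say that JSON consumers must inspect `results[].status.code`.

```go
resp, err := createEntries(ctx, serverClient.NewEntryClient(), entries)
// … unchanged: return on RPC error …

if err := c.printer.PrintProto(resp); err != nil {
	return err
}

// Report per-entry failures through the exit status for every output format.
for _, r := range resp.Results {
	if r.GetStatus().GetCode() != int32(codes.OK) {
		return errors.New("failed to create one or more entries")
	}
}
return nil
```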
@@ -232,25 +221,21 @@ func (c *createCommand) parseConfig() ([]*types.Entry, error) { return []*types.Entry{e}, nil } -func createEntries(ctx context.Context, c entryv1.EntryClient, entries []*types.Entry) (succeeded, failed []*entryv1.BatchCreateEntryResponse_Result, err error) { - resp, err := c.BatchCreateEntry(ctx, &entryv1.BatchCreateEntryRequest{Entries: entries}) +func createEntries(ctx context.Context, c entryv1.EntryClient, entries []*types.Entry) (resp *entryv1.BatchCreateEntryResponse, err error) { + resp, err = c.BatchCreateEntry(ctx, &entryv1.BatchCreateEntryRequest{Entries: entries}) if err != nil { - return nil, nil, err + return } for i, r := range resp.Results { - switch r.Status.Code { - case int32(codes.OK): - succeeded = append(succeeded, r) - default: + if r.Status.Code != int32(codes.OK) { // The Entry API does not include in the results the entries that // failed to be created, so we populate them from the request data. r.Entry = entries[i] - failed = append(failed, r) } } - return succeeded, failed, nil + return } func getParentID(config *createCommand, td string) (*types.SPIFFEID, error) { 
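Review bot: `r.Entry = entries[i]` indexes the request slice by each result's position in the server's response, with no check that the response carries the same number of results as the request. A longer response would therefore panic the CLI with an index out of range. Guard it once after the RPC error check, e.g. `if len(resp.Results) != len(entries) { return nil, errors.New("unexpected number of results in response") }`. The named results with a bare `return` also hide what each path returns; `return nil, err` and `return resp, nil` would read more clearly.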
@@ -263,3 +248,37 @@ func getParentID(config *createCommand, td string) (*types.SPIFFEID, error) { } return idStringToProto(config.parentID) } + +func prettyPrintCreate(env *commoncli.Env, results ...interface{}) error { + var succeeded, failed []*entryv1.BatchCreateEntryResponse_Result + createResp, ok := results[0].(*entryv1.BatchCreateEntryResponse) + if !ok { + return cliprinter.ErrInternalCustomPrettyFunc + } + + for _, r := range createResp.Results { + switch r.Status.Code { + case int32(codes.OK): + succeeded = append(succeeded, r) + default: + failed = append(failed, r) + } + } + + for _, r := range succeeded { + printEntry(r.Entry, env.Printf) + } + + for _, r := range failed { + env.ErrPrintf("Failed to create the following entry (code: %s, msg: %q):\n", + codes.Code(r.Status.Code), + r.Status.Message) + printEntry(r.Entry, env.ErrPrintf) + } + + if len(failed) > 0 { + return errors.New("failed to create one or more entries") + } + + return nil +} diff --git a/cmd/spire-server/cli/entry/create_test.go b/cmd/spire-server/cli/entry/create_test.go index 270d4d9118..2769ea39c1 100644 --- a/cmd/spire-server/cli/entry/create_test.go +++ b/cmd/spire-server/cli/entry/create_test.go 
@@ -151,52 +151,63 @@ func TestCreate(t *testing.T) { fakeResp *entryv1.BatchCreateEntryResponse serverErr error - expOut string - expErr string + expOutPretty string + expOutJSON string + expErrJSON string + expErrPretty string }{ { - name: "Missing selectors", - expErr: "Error: at least one selector is required\n", + name: "Missing selectors", + expErrPretty: "Error: at least one selector is required\n", + expErrJSON: "Error: at least one selector is required\n", }, { - name: "Missing parent SPIFFE ID", - args: []string{"-selector", "unix:uid:1"}, - expErr: "Error: a parent ID is required if the node flag is not set\n", + name: "Missing parent SPIFFE ID", + args: []string{"-selector", "unix:uid:1"}, + expErrPretty: "Error: a parent ID is required if the node flag is not set\n", + expErrJSON: "Error: a parent ID is required if the node flag is not set\n", }, { - name: "Missing SPIFFE ID", - args: []string{"-selector", "unix:uid:1", "-parentID", "spiffe://example.org/parent"}, - expErr: "Error: a SPIFFE ID is required\n", + name: "Missing SPIFFE ID", + args: []string{"-selector", "unix:uid:1", "-parentID", "spiffe://example.org/parent"}, + expErrPretty: "Error: a SPIFFE ID is required\n", + expErrJSON: "Error: a SPIFFE ID is required\n", }, { - name: "Wrong selectors", - args: []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload"}, - expErr: "Error: selector \"unix\" must be formatted as type:value\n", + name: "Wrong selectors", + args: []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload"}, + expErrPretty: "Error: selector \"unix\" must be formatted as type:value\n", + expErrJSON: "Error: selector \"unix\" must be formatted as type:value\n", }, { - name: "Negative TTL", - args: []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "-10"}, - expErr: "Error: a 
positive TTL is required\n", + name: "Negative TTL", + args: []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "-10"}, + expErrPretty: "Error: a positive TTL is required\n", + expErrJSON: "Error: a positive TTL is required\n", }, { - name: "Invalid TTL and X509SvidTtl", - args: []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20"}, - expErr: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", + name: "Invalid TTL and X509SvidTtl", + args: []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20"}, + expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", + expErrJSON: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", }, { - name: "Invalid TTL and JwtSvidTtl", - args: []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-jwtSVIDTTL", "20"}, - expErr: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", + name: "Invalid TTL and JwtSvidTtl", + args: []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-jwtSVIDTTL", "20"}, + expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", + expErrJSON: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", }, { - name: "Invalid TTL and both X509SvidTtl and JwtSvidTtl", - args: []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20", "-jwtSVIDTTL", "30"}, - expErr: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", 
+ name: "Invalid TTL and both X509SvidTtl and JwtSvidTtl", + args: []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20", "-jwtSVIDTTL", "30"}, + expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", + expErrJSON: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", }, { - name: "Federated node entries", - args: []string{"-selector", "unix", "-spiffeID", "spiffe://example.org/workload", "-node", "-federatesWith", "spiffe://another.org"}, - expErr: "Error: node entries can not federate\n", + name: "Federated node entries", + args: []string{"-selector", "unix", "-spiffeID", "spiffe://example.org/workload", "-node", "-federatesWith", "spiffe://another.org"}, + expErrPretty: "Error: node entries can not federate\n", + expErrJSON: "Error: node entries can not federate\n", }, { name: "Server error", @@ -208,8 +219,9 @@ func TestCreate(t *testing.T) { Selectors: []*types.Selector{{Type: "unix", Value: "uid:1"}}, }, }}, - serverErr: errors.New("server-error"), - expErr: "Error: rpc error: code = Unknown desc = server-error\n", + serverErr: errors.New("server-error"), + expErrPretty: "Error: rpc error: code = Unknown desc = server-error\n", + expErrJSON: "Error: rpc error: code = Unknown desc = server-error\n", }, { name: "Create succeeds using command line arguments", @@ -250,7 +262,7 @@ func TestCreate(t *testing.T) { }, }, fakeResp: fakeRespOKFromCmd, - expOut: fmt.Sprintf(`Entry ID : entry-id + expOutPretty: fmt.Sprintf(`Entry ID : entry-id SPIFFE ID : spiffe://example.org/workload Parent ID : spiffe://example.org/parent Revision : 0 
@@ -268,6 +280,53 @@ Admin : true StoreSvid : true `, time.Unix(1552410266, 0).UTC()), + expOutJSON: `{ + "results": [ + { + "status": { + "code": 0, + "message": "OK" + }, + "entry": { + "id": "entry-id", + "spiffe_id": { + "trust_domain": "example.org", + "path": "/workload" + }, + "parent_id": { + "trust_domain": "example.org", + "path": "/parent" + }, + "selectors": [ + { + "type": "zebra", + "value": "zebra:2000" + }, + { + "type": "alpha", + "value": "alpha:2000" + } + ], + "x509_svid_ttl": 60, + "federates_with": [ + "spiffe://domaina.test", + "spiffe://domainb.test" + ], + "admin": true, + "downstream": true, + "expires_at": "1552410266", + "dns_names": [ + "unu1000", + "ung1000" + ], + "revision_number": "0", + "store_svid": true, + "jwt_svid_ttl": 30 + } + } + ] +} +`, }, { name: "Create succeeds using deprecated command line arguments", @@ -306,7 +365,7 @@ StoreSvid : true }, }, fakeResp: fakeRespOKFromCmd2, - expOut: fmt.Sprintf(`Entry ID : entry-id + expOutPretty: fmt.Sprintf(`Entry ID : entry-id SPIFFE ID : spiffe://example.org/workload Parent ID : spiffe://example.org/parent Revision : 0 @@ -324,6 +383,52 @@ Admin : true StoreSvid : true `, time.Unix(1552410266, 0).UTC()), + expOutJSON: `{ + "results": [ + { + "status": { + "code": 0, + "message": "OK" + }, + "entry": { + "id": "entry-id", + "spiffe_id": { + "trust_domain": "example.org", + "path": "/workload" + }, + "parent_id": { + "trust_domain": "example.org", + "path": "/parent" + }, + "selectors": [ + { + "type": "zebra", + "value": "zebra:2000" + }, + { + "type": "alpha", + "value": "alpha:2000" + } + ], + "x509_svid_ttl": 60, + "federates_with": [ + "spiffe://domaina.test", + "spiffe://domainb.test" + ], + "admin": true, + "downstream": true, + "expires_at": "1552410266", + "dns_names": [ + "unu1000", + "ung1000" + ], + "revision_number": "0", + "store_svid": true, + "jwt_svid_ttl": 0 + } + } + ] +}`, }, { name: "Create succeeds using data file", 
@@ -361,7 +466,7 @@ StoreSvid : true }, }, fakeResp: fakeRespOKFromFile, - expOut: `Entry ID : entry-id-1 + expOutPretty: `Entry ID : entry-id-1 SPIFFE ID : spiffe://example.org/Blog Parent ID : spiffe://example.org/spire/agent/join_token/TokenBlog Revision : 0 
@@ -389,6 +494,110 @@ Selector : type:key2:value StoreSvid : true `, + expOutJSON: `{ + "results": [ + { + "status": { + "code": 0, + "message": "OK" + }, + "entry": { + "id": "entry-id-1", + "spiffe_id": { + "trust_domain": "example.org", + "path": "/Blog" + }, + "parent_id": { + "trust_domain": "example.org", + "path": "/spire/agent/join_token/TokenBlog" + }, + "selectors": [ + { + "type": "unix", + "value": "uid:1111" + } + ], + "x509_svid_ttl": 200, + "federates_with": [], + "admin": true, + "downstream": false, + "expires_at": "0", + "dns_names": [], + "revision_number": "0", + "store_svid": false, + "jwt_svid_ttl": 30 + } + }, + { + "status": { + "code": 0, + "message": "OK" + }, + "entry": { + "id": "entry-id-2", + "spiffe_id": { + "trust_domain": "example.org", + "path": "/Database" + }, + "parent_id": { + "trust_domain": "example.org", + "path": "/spire/agent/join_token/TokenDatabase" + }, + "selectors": [ + { + "type": "unix", + "value": "uid:1111" + } + ], + "x509_svid_ttl": 200, + "federates_with": [], + "admin": false, + "downstream": false, + "expires_at": "0", + "dns_names": [], + "revision_number": "0", + "store_svid": false, + "jwt_svid_ttl": 30 + } + }, + { + "status": { + "code": 0, + "message": "OK" + }, + "entry": { + "id": "entry-id-3", + "spiffe_id": { + "trust_domain": "example.org", + "path": "/storesvid" + }, + "parent_id": { + "trust_domain": "example.org", + "path": "/spire/agent/join_token/TokenDatabase" + }, + "selectors": [ + { + "type": "type", + "value": "key1:value" + }, + { + "type": "type", + "value": "key2:value" + } + ], + "x509_svid_ttl": 200, + "federates_with": [], + "admin": false, + "downstream": false, + "expires_at": "0", + "dns_names": [], + "revision_number": "0", + "store_svid": true, + "jwt_svid_ttl": 30 + } + } + ] +}`, }, { name: "Entry already exist", 
@@ -401,7 +610,7 @@ StoreSvid : true }, }}, fakeResp: fakeRespErr, - expErr: `Failed to create the following entry (code: AlreadyExists, msg: "similar entry already exists"): + expErrPretty: `Failed to create the following entry (code: AlreadyExists, msg: "similar entry already exists"): Entry ID : (none) SPIFFE ID : spiffe://example.org/already-exist Parent ID : spiffe://example.org/spire/server 
@@ -412,24 +621,68 @@ Selector : unix:uid:1 Error: failed to create one or more entries `, + expOutJSON: `{ + "results": [ + { + "status": { + "code": 6, + "message": "similar entry already exists" + }, + "entry": { + "id": "", + "spiffe_id": { + "trust_domain": "example.org", + "path": "/already-exist" + }, + "parent_id": { + "trust_domain": "example.org", + "path": "/spire/server" + }, + "selectors": [ + { + "type": "unix", + "value": "uid:1" + } + ], + "x509_svid_ttl": 0, + "federates_with": [], + "admin": false, + "downstream": false, + "expires_at": "0", + "dns_names": [], + "revision_number": "0", + "store_svid": false, + "jwt_svid_ttl": 0 + } + } + ] +}`, }, } { - tt := tt - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, newCreateCommand) - test.server.err = tt.serverErr - test.server.expBatchCreateEntryReq = tt.expReq - test.server.batchCreateEntryResp = tt.fakeResp + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) { + test := setupTest(t, newCreateCommand) + test.server.err = tt.serverErr + test.server.expBatchCreateEntryReq = tt.expReq + test.server.batchCreateEntryResp = tt.fakeResp + args := tt.args + args = append(args, "-output", format) - rc := test.client.Run(test.args(tt.args...)) - if tt.expErr != "" { - require.Equal(t, 1, rc) - require.Equal(t, tt.expErr, test.stderr.String()) - return - } + rc := test.client.Run(test.args(args...)) - require.Equal(t, 0, rc) - require.Equal(t, tt.expOut, test.stdout.String()) - }) + if tt.expErrJSON != "" && format == "json" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expErrJSON, test.stderr.String()) + return + } + if tt.expErrPretty != "" && format == "pretty" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expErrPretty, test.stderr.String()) + return + } + require.Equal(t, 0, rc) + requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expOutPretty, tt.expOutJSON) + }) + } } } 
diff --git a/cmd/spire-server/cli/entry/delete.go b/cmd/spire-server/cli/entry/delete.go index f7c1051876..03e3d711fb 100644 --- a/cmd/spire-server/cli/entry/delete.go +++ b/cmd/spire-server/cli/entry/delete.go @@ -8,7 +8,8 @@ import ( "github.com/mitchellh/cli" entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1" "github.com/spiffe/spire/cmd/spire-server/util" - common_cli "github.com/spiffe/spire/pkg/common/cli" + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" "google.golang.org/grpc/codes" "golang.org/x/net/context" @@ -16,16 +17,18 @@ import ( // NewDeleteCommand creates a new "delete" subcommand for "entry" command. func NewDeleteCommand() cli.Command { - return newDeleteCommand(common_cli.DefaultEnv) + return newDeleteCommand(commoncli.DefaultEnv) } -func newDeleteCommand(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(deleteCommand)) +func newDeleteCommand(env *commoncli.Env) cli.Command { + return util.AdaptCommand(env, &deleteCommand{env: env}) } type deleteCommand struct { // ID of the record to delete entryID string + env *commoncli.Env + printer cliprinter.Printer } func (*deleteCommand) Name() string { @@ -38,9 +41,10 @@ func (*deleteCommand) Synopsis() string { func (c *deleteCommand) AppendFlags(f *flag.FlagSet) { f.StringVar(&c.entryID, "entryID", "", "The Registration Entry ID of the record to delete") + cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, c.prettyPrintDelete) } -func (c *deleteCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { +func (c *deleteCommand) Run(ctx context.Context, env *commoncli.Env, serverClient util.ServerClient) error { if err := c.validate(); err != nil { return err } 
@@ -51,14 +55,7 @@ func (c *deleteCommand) Run(ctx context.Context, env *common_cli.Env, serverClie return err } - sts := resp.Results[0].Status - switch sts.Code { - case int32(codes.OK): - env.Printf("Deleted entry with ID: %s\n", c.entryID) - return nil - default: - return fmt.Errorf("failed to delete entry: %s", sts.Message) - } + return c.printer.PrintProto(resp) } // Perform basic validation. @@ -69,3 +66,19 @@ func (c *deleteCommand) validate() error { return nil } + +func (c *deleteCommand) prettyPrintDelete(env *commoncli.Env, results ...interface{}) error { + deleteResp, ok := results[0].(*entryv1.BatchDeleteEntryResponse) + if !ok { + return cliprinter.ErrInternalCustomPrettyFunc + } + + sts := deleteResp.Results[0].Status + switch sts.Code { + case int32(codes.OK): + env.Printf("Deleted entry with ID: %s\n", c.entryID) + return nil + default: + return fmt.Errorf("failed to delete entry: %s", sts.Message) + } +} diff --git a/cmd/spire-server/cli/entry/delete_test.go b/cmd/spire-server/cli/entry/delete_test.go index 77853ce788..c721abef85 100644 --- a/cmd/spire-server/cli/entry/delete_test.go +++ b/cmd/spire-server/cli/entry/delete_test.go @@ -2,11 +2,11 @@ package entry import ( "errors" + "fmt" "testing" entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1" "github.com/spiffe/spire-api-sdk/proto/spire/api/types" - "github.com/spiffe/spire/cmd/spire-server/cli/common" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" ) @@ -15,9 +15,7 @@ func TestDeleteHelp(t *testing.T) { test := setupTest(t, newDeleteCommand) test.client.Help() - require.Equal(t, `Usage of entry delete: - -entryID string - The Registration Entry ID of the record to delete`+common.AddrUsage, test.stderr.String()) + require.Equal(t, deleteUsage, test.stderr.String()) } func TestDeleteSynopsis(t *testing.T) { 
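Review bot: `deleteResp.Results[0].Status` in `prettyPrintDelete` is read without checking that `Results` is non-empty, so an empty response panics instead of producing an error. Add `if len(deleteResp.Results) == 0 { return fmt.Errorf("failed to delete entry: empty response") }` before the index. The success message also prints `c.entryID` from the flag rather than the id carried in the result. These are presumably the same value for a single-id request, but printing the id from the response would report what the server actually acted on.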
@@ -58,51 +56,65 @@ func TestDelete(t *testing.T) { fakeResp *entryv1.BatchDeleteEntryResponse serverErr error - expOut string - expErr string + expOutPretty string + expOutJSON string + expErrPretty string + expErrJSON string }{ { - name: "Empty entry ID", - expErr: "Error: an entry ID is required\n", + name: "Empty entry ID", + expErrPretty: "Error: an entry ID is required\n", + expErrJSON: "Error: an entry ID is required\n", }, { - name: "Entry not found", - args: []string{"-entryID", "entry-id"}, - expReq: &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-id"}}, - fakeResp: fakeRespErr, - expErr: "Error: failed to delete entry: entry not found\n", + name: "Entry not found", + args: []string{"-entryID", "entry-id"}, + expReq: &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-id"}}, + fakeResp: fakeRespErr, + expErrPretty: "Error: failed to delete entry: entry not found\n", + expOutJSON: `{"results":[{"status":{"code":5,"message":"entry not found"},"id":"entry-id"}]}`, }, { - name: "Server error", - args: []string{"-entryID", "entry-id"}, - expReq: &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-id"}}, - serverErr: errors.New("server-error"), - expErr: "Error: rpc error: code = Unknown desc = server-error\n", + name: "Server error", + args: []string{"-entryID", "entry-id"}, + expReq: &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-id"}}, + serverErr: errors.New("server-error"), + expErrPretty: "Error: rpc error: code = Unknown desc = server-error\n", + expErrJSON: "Error: rpc error: code = Unknown desc = server-error\n", }, { - name: "Delete succeeds", - args: []string{"-entryID", "entry-id"}, - expReq: &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-id"}}, - fakeResp: fakeRespOK, - expOut: "Deleted entry with ID: entry-id\n", + name: "Delete succeeds", + args: []string{"-entryID", "entry-id"}, + expReq: &entryv1.BatchDeleteEntryRequest{Ids: []string{"entry-id"}}, + fakeResp: fakeRespOK, + expOutPretty: "Deleted entry with ID: 
entry-id\n", + expOutJSON: `{"results":[{"status":{"code":0,"message":"OK"},"id":"entry-id"}]}`, }, } { - tt := tt - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, newDeleteCommand) - test.server.err = tt.serverErr - test.server.expBatchDeleteEntryReq = tt.expReq - test.server.batchDeleteEntryResp = tt.fakeResp + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) { + test := setupTest(t, newDeleteCommand) + test.server.err = tt.serverErr + test.server.expBatchDeleteEntryReq = tt.expReq + test.server.batchDeleteEntryResp = tt.fakeResp + args := tt.args + args = append(args, "-output", format) - rc := test.client.Run(test.args(tt.args...)) - if tt.expErr != "" { - require.Equal(t, 1, rc) - require.Equal(t, tt.expErr, test.stderr.String()) - return - } + rc := test.client.Run(test.args(args...)) - require.Equal(t, 0, rc) - require.Equal(t, tt.expOut, test.stdout.String()) - }) + if tt.expErrJSON != "" && format == "json" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expErrJSON, test.stderr.String()) + return + } + if tt.expErrPretty != "" && format == "pretty" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expErrPretty, test.stderr.String()) + return + } + requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expOutPretty, tt.expOutJSON) + require.Equal(t, 0, rc) + }) + } } } diff --git a/cmd/spire-server/cli/entry/show.go b/cmd/spire-server/cli/entry/show.go index aa55da30cf..284e05dd92 100644 --- a/cmd/spire-server/cli/entry/show.go +++ b/cmd/spire-server/cli/entry/show.go 
@@ -9,7 +9,8 @@ import ( entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1" "github.com/spiffe/spire-api-sdk/proto/spire/api/types" "github.com/spiffe/spire/cmd/spire-server/util" - common_cli "github.com/spiffe/spire/pkg/common/cli" + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" commonutil "github.com/spiffe/spire/pkg/common/util" "golang.org/x/net/context" @@ -19,11 +20,11 @@ const listEntriesRequestPageSize = 500 // NewShowCommand creates a new "show" subcommand for "entry" command. func NewShowCommand() cli.Command { - return newShowCommand(common_cli.DefaultEnv) + return newShowCommand(commoncli.DefaultEnv) } -func newShowCommand(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(showCommand)) +func newShowCommand(env *commoncli.Env) cli.Command { + return util.AdaptCommand(env, &showCommand{env: env}) } type showCommand struct { @@ -51,6 +52,10 @@ type showCommand struct { // Match used when filtering by selectors matchSelectorsOn string + + printer cliprinter.Printer + + env *commoncli.Env } func (c *showCommand) Name() string { 
@@ -70,23 +75,23 @@ func (c *showCommand) AppendFlags(f *flag.FlagSet) { f.Var(&c.federatesWith, "federatesWith", "SPIFFE ID of a trust domain an entry is federate with. Can be used more than once") f.StringVar(&c.matchFederatesWithOn, "matchFederatesWithOn", "superset", "The match mode used when filtering by federates with. Options: exact, any, superset and subset") f.StringVar(&c.matchSelectorsOn, "matchSelectorsOn", "superset", "The match mode used when filtering by selectors. Options: exact, any, superset and subset") + cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintShow) } // Run executes all logic associated with a single invocation of the // `spire-server entry show` CLI command -func (c *showCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { +func (c *showCommand) Run(ctx context.Context, env *commoncli.Env, serverClient util.ServerClient) error { if err := c.validate(); err != nil { return err } - entries, err := c.fetchEntries(ctx, serverClient.NewEntryClient()) + resp, err := c.fetchEntries(ctx, serverClient.NewEntryClient()) if err != nil { return err } - commonutil.SortTypesEntries(entries) - printEntries(entries, env) - return nil + commonutil.SortTypesEntries(resp.Entries) + return c.printer.PrintProto(resp) } // validate ensures that the values in showCommand are valid 
@@ -101,14 +106,16 @@ func (c *showCommand) validate() error { return nil } -func (c *showCommand) fetchEntries(ctx context.Context, client entryv1.EntryClient) ([]*types.Entry, error) { +func (c *showCommand) fetchEntries(ctx context.Context, client entryv1.EntryClient) (*entryv1.ListEntriesResponse, error) { + listResp := &entryv1.ListEntriesResponse{} // If an Entry ID was specified, look it up directly if c.entryID != "" { entry, err := c.fetchByEntryID(ctx, c.entryID, client) if err != nil { return nil, fmt.Errorf("error fetching entry ID %s: %w", c.entryID, err) } - return []*types.Entry{entry}, nil + listResp.Entries = append(listResp.Entries, entry) + return listResp, nil } filter := &entryv1.ListEntriesRequest_Filter{} @@ -161,7 +168,6 @@ func (c *showCommand) fetchEntries(ctx context.Context, client entryv1.EntryClie } pageToken := "" - var entries []*types.Entry for { resp, err := client.ListEntries(ctx, &entryv1.ListEntriesRequest{ @@ -172,13 +178,13 @@ func (c *showCommand) fetchEntries(ctx context.Context, client entryv1.EntryClie if err != nil { return nil, fmt.Errorf("error fetching entries: %w", err) } - entries = append(entries, resp.Entries...) + listResp.Entries = append(listResp.Entries, resp.Entries...) if pageToken = resp.NextPageToken; pageToken == "" { break } } - return entries, nil + return listResp, nil } // fetchByEntryID uses the configured EntryID to fetch the appropriate registration entry @@ -191,7 +197,7 @@ func (c *showCommand) fetchByEntryID(ctx context.Context, id string, client entr return entry, nil } -func printEntries(entries []*types.Entry, env *common_cli.Env) { +func printEntries(entries []*types.Entry, env *commoncli.Env) { msg := fmt.Sprintf("Found %v ", len(entries)) msg = util.Pluralizer(msg, "entry", "entries", len(entries)) 
@@ -230,3 +236,12 @@ func parseToFederatesWithMatch(match string) (types.FederatesWithMatch_MatchBeha return types.FederatesWithMatch_MATCH_SUPERSET, fmt.Errorf("match behavior %q unknown", match) } } + +func prettyPrintShow(env *commoncli.Env, results ...interface{}) error { + listResp, ok := results[0].(*entryv1.ListEntriesResponse) + if !ok { + return cliprinter.ErrInternalCustomPrettyFunc + } + printEntries(listResp.Entries, env) + return nil +} diff --git a/cmd/spire-server/cli/entry/show_test.go b/cmd/spire-server/cli/entry/show_test.go index 55b689fc7e..272997e42c 100644 --- a/cmd/spire-server/cli/entry/show_test.go +++ b/cmd/spire-server/cli/entry/show_test.go @@ -53,8 +53,9 @@ func TestShow(t *testing.T) { serverErr error - expOut string - expErr string + expOutPretty string + expOutJSON string + expErr string }{ { name: "List all entries (empty filter)", 
@@ -63,19 +64,26 @@ func TestShow(t *testing.T) { Filter: &entryv1.ListEntriesRequest_Filter{}, }, fakeListResp: fakeRespAll, - expOut: fmt.Sprintf("Found 4 entries\n%s%s%s%s", - getPrintedEntry(1), - getPrintedEntry(2), - getPrintedEntry(0), - getPrintedEntry(3), + expOutPretty: fmt.Sprintf("Found 4 entries\n%s%s%s%s", + getPrettyPrintedEntry(1), + getPrettyPrintedEntry(2), + getPrettyPrintedEntry(0), + getPrettyPrintedEntry(3), + ), + expOutJSON: fmt.Sprintf(`{"entries": [%s,%s,%s,%s],"next_page_token": ""}`, + getJSONPrintedEntry(1), + getJSONPrintedEntry(2), + getJSONPrintedEntry(0), + getJSONPrintedEntry(3), ), }, { - name: "List by entry ID", - args: []string{"-entryID", getEntries(1)[0].Id}, - expGetReq: &entryv1.GetEntryRequest{Id: getEntries(1)[0].Id}, - fakeGetResp: getEntries(1)[0], - expOut: fmt.Sprintf("Found 1 entry\n%s", getPrintedEntry(0)), + name: "List by entry ID", + args: []string{"-entryID", getEntries(1)[0].Id}, + expGetReq: &entryv1.GetEntryRequest{Id: getEntries(1)[0].Id}, + fakeGetResp: getEntries(1)[0], + expOutPretty: fmt.Sprintf("Found 1 entry\n%s", getPrettyPrintedEntry(0)), + expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(0)), }, { name: "List by entry ID not found", @@ -99,10 +107,11 @@ func TestShow(t *testing.T) { }, }, fakeListResp: fakeRespFather, - expOut: fmt.Sprintf("Found 2 entries\n%s%s", - getPrintedEntry(1), - getPrintedEntry(0), + expOutPretty: fmt.Sprintf("Found 2 entries\n%s%s", + getPrettyPrintedEntry(1), + getPrettyPrintedEntry(0), ), + expOutJSON: fmt.Sprintf(`{"entries": [%s,%s],"next_page_token": ""}`, getJSONPrintedEntry(1), getJSONPrintedEntry(0)), }, { name: "List by parent ID using invalid ID", 
@@ -119,10 +128,11 @@ func TestShow(t *testing.T) { }, }, fakeListResp: fakeRespDaughter, - expOut: fmt.Sprintf("Found 2 entries\n%s%s", - getPrintedEntry(1), - getPrintedEntry(2), + expOutPretty: fmt.Sprintf("Found 2 entries\n%s%s", + getPrettyPrintedEntry(1), + getPrettyPrintedEntry(2), ), + expOutJSON: fmt.Sprintf(`{"entries": [%s, %s],"next_page_token": ""}`, getJSONPrintedEntry(1), getJSONPrintedEntry(2)), }, { name: "List by SPIFFE ID using invalid ID", @@ -145,9 +155,10 @@ func TestShow(t *testing.T) { }, }, fakeListResp: fakeRespFatherDaughter, - expOut: fmt.Sprintf("Found 1 entry\n%s", - getPrintedEntry(1), + expOutPretty: fmt.Sprintf("Found 1 entry\n%s", + getPrettyPrintedEntry(1), ), + expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(1)), }, { name: "List by selectors: exact matcher", @@ -165,9 +176,10 @@ func TestShow(t *testing.T) { }, }, fakeListResp: fakeRespFatherDaughter, - expOut: fmt.Sprintf("Found 1 entry\n%s", - getPrintedEntry(1), + expOutPretty: fmt.Sprintf("Found 1 entry\n%s", + getPrettyPrintedEntry(1), ), + expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(1)), }, { name: "List by selectors: superset matcher", @@ -185,9 +197,10 @@ func TestShow(t *testing.T) { }, }, fakeListResp: fakeRespFatherDaughter, - expOut: fmt.Sprintf("Found 1 entry\n%s", - getPrintedEntry(1), + expOutPretty: fmt.Sprintf("Found 1 entry\n%s", + getPrettyPrintedEntry(1), ), + expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(1)), }, { name: "List by selectors: subset matcher", @@ -205,9 +218,10 @@ func TestShow(t *testing.T) { }, }, fakeListResp: fakeRespFatherDaughter, - expOut: fmt.Sprintf("Found 1 entry\n%s", - getPrintedEntry(1), + expOutPretty: fmt.Sprintf("Found 1 entry\n%s", + getPrettyPrintedEntry(1), ), + expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(1)), }, { name: "List by selectors: Any matcher", 
@@ -225,9 +239,10 @@ func TestShow(t *testing.T) { }, }, fakeListResp: fakeRespFatherDaughter, - expOut: fmt.Sprintf("Found 1 entry\n%s", - getPrintedEntry(1), + expOutPretty: fmt.Sprintf("Found 1 entry\n%s", + getPrettyPrintedEntry(1), ), + expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(1)), }, { name: "List by selectors: Invalid matcher", @@ -264,9 +279,10 @@ func TestShow(t *testing.T) { }, }, fakeListResp: fakeRespMotherDaughter, - expOut: fmt.Sprintf("Found 1 entry\n%s", - getPrintedEntry(2), + expOutPretty: fmt.Sprintf("Found 1 entry\n%s", + getPrettyPrintedEntry(2), ), + expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(2)), }, { name: "List by Federates With: exact matcher", @@ -281,9 +297,10 @@ func TestShow(t *testing.T) { }, }, fakeListResp: fakeRespMotherDaughter, - expOut: fmt.Sprintf("Found 1 entry\n%s", - getPrintedEntry(2), + expOutPretty: fmt.Sprintf("Found 1 entry\n%s", + getPrettyPrintedEntry(2), ), + expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(2)), }, { name: "List by Federates With: Any matcher", @@ -298,9 +315,10 @@ func TestShow(t *testing.T) { }, }, fakeListResp: fakeRespMotherDaughter, - expOut: fmt.Sprintf("Found 1 entry\n%s", - getPrintedEntry(2), + expOutPretty: fmt.Sprintf("Found 1 entry\n%s", + getPrettyPrintedEntry(2), ), + expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(2)), }, { name: "List by Federates With: superset matcher", @@ -315,9 +333,10 @@ func TestShow(t *testing.T) { }, }, fakeListResp: fakeRespMotherDaughter, - expOut: fmt.Sprintf("Found 1 entry\n%s", - getPrintedEntry(2), + expOutPretty: fmt.Sprintf("Found 1 entry\n%s", + getPrettyPrintedEntry(2), ), + expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(2)), }, { name: "List by Federates With: subset matcher", 
@@ -332,9 +351,10 @@ func TestShow(t *testing.T) { }, }, fakeListResp: fakeRespMotherDaughter, - expOut: fmt.Sprintf("Found 1 entry\n%s", - getPrintedEntry(2), + expOutPretty: fmt.Sprintf("Found 1 entry\n%s", + getPrettyPrintedEntry(2), ), + expOutJSON: fmt.Sprintf(`{"entries": [%s],"next_page_token": ""}`, getJSONPrintedEntry(2)), }, { name: "List by Federates With: Invalid matcher", @@ -342,25 +362,27 @@ func TestShow(t *testing.T) { expErr: "Error: match behavior \"NO-MATCHER\" unknown\n", }, } { - tt := tt - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, newShowCommand) - test.server.err = tt.serverErr - test.server.expListEntriesReq = tt.expListReq - test.server.listEntriesResp = tt.fakeListResp - test.server.expGetEntryReq = tt.expGetReq - test.server.getEntryResp = tt.fakeGetResp - - rc := test.client.Run(test.args(tt.args...)) - if tt.expErr != "" { - require.Equal(t, 1, rc) - require.Equal(t, tt.expErr, test.stderr.String()) - return - } + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) { + test := setupTest(t, newShowCommand) + test.server.err = tt.serverErr + test.server.expListEntriesReq = tt.expListReq + test.server.listEntriesResp = tt.fakeListResp + test.server.expGetEntryReq = tt.expGetReq + test.server.getEntryResp = tt.fakeGetResp + args := tt.args + args = append(args, "-output", format) - require.Equal(t, 0, rc) - require.Equal(t, tt.expOut, test.stdout.String()) - }) + rc := test.client.Run(test.args(args...)) + if tt.expErr != "" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expErr, test.stderr.String()) + return + } + requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expOutPretty, tt.expOutJSON) + require.Equal(t, 0, rc) + }) + } } } 
@@ -408,7 +430,7 @@ func getEntries(count int) []*types.Entry { return e } -func getPrintedEntry(idx int) string { +func getPrettyPrintedEntry(idx int) string { switch idx { case 0: return `Entry ID : 00000000-0000-0000-0000-000000000000 
@@ -458,3 +480,128 @@ Selector : baz:bat return "index should be lower than 4" } } + +func getJSONPrintedEntry(idx int) string { + switch idx { + case 0: + return `{ + "id": "00000000-0000-0000-0000-000000000000", + "spiffe_id": { + "trust_domain": "example.org", + "path": "/son" + }, + "parent_id": { + "trust_domain": "example.org", + "path": "/father" + }, + "selectors": [ + { + "type": "foo", + "value": "bar" + } + ], + "x509_svid_ttl": 0, + "federates_with": [], + "admin": false, + "downstream": false, + "expires_at": "0", + "dns_names": [], + "revision_number": "0", + "store_svid": false, + "jwt_svid_ttl": 0 + }` + case 1: + return `{ + "id": "00000000-0000-0000-0000-000000000001", + "spiffe_id": { + "trust_domain": "example.org", + "path": "/daughter" + }, + "parent_id": { + "trust_domain": "example.org", + "path": "/father" + }, + "selectors": [ + { + "type": "bar", + "value": "baz" + }, + { + "type": "foo", + "value": "bar" + } + ], + "x509_svid_ttl": 0, + "federates_with": [], + "admin": false, + "downstream": false, + "expires_at": "0", + "dns_names": [], + "revision_number": "0", + "store_svid": false, + "jwt_svid_ttl": 0 + }` + case 2: + return `{ + "id": "00000000-0000-0000-0000-000000000002", + "spiffe_id": { + "trust_domain": "example.org", + "path": "/daughter" + }, + "parent_id": { + "trust_domain": "example.org", + "path": "/mother" + }, + "selectors": [ + { + "type": "bar", + "value": "baz" + }, + { + "type": "baz", + "value": "bat" + } + ], + "x509_svid_ttl": 0, + "federates_with": [ + "spiffe://domain.test" + ], + "admin": false, + "downstream": false, + "expires_at": "0", + "dns_names": [], + "revision_number": "0", + "store_svid": false, + "jwt_svid_ttl": 0 + }` + case 3: + return `{ + "id": "00000000-0000-0000-0000-000000000003", + "spiffe_id": { + "trust_domain": "example.org", + "path": "/son" + }, + "parent_id": { + "trust_domain": "example.org", + "path": "/mother" + }, + "selectors": [ + { + "type": "baz", + "value": "bat" + } + ], + 
"x509_svid_ttl": 0, + "federates_with": [], + "admin": false, + "downstream": false, + "expires_at": "1552410266", + "dns_names": [], + "revision_number": "0", + "store_svid": false, + "jwt_svid_ttl": 0 + }` + default: + return "index should be lower than 4" + } +} diff --git a/cmd/spire-server/cli/entry/update.go b/cmd/spire-server/cli/entry/update.go index 16097c192b..f4faa04599 100644 --- a/cmd/spire-server/cli/entry/update.go +++ b/cmd/spire-server/cli/entry/update.go @@ -8,7 +8,8 @@ import ( entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1" "github.com/spiffe/spire-api-sdk/proto/spire/api/types" "github.com/spiffe/spire/cmd/spire-server/util" - common_cli "github.com/spiffe/spire/pkg/common/cli" + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" "google.golang.org/grpc/codes" "golang.org/x/net/context" @@ -16,11 +17,11 @@ import ( // NewUpdateCommand creates a new "update" subcommand for "entry" command. func NewUpdateCommand() cli.Command { - return newUpdateCommand(common_cli.DefaultEnv) + return newUpdateCommand(commoncli.DefaultEnv) } -func newUpdateCommand(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(updateCommand)) +func newUpdateCommand(env *commoncli.Env) cli.Command { + return util.AdaptCommand(env, &updateCommand{env: env}) } type updateCommand struct { @@ -67,6 +68,10 @@ type updateCommand struct { // storeSVID determines if the issued SVID must be stored through an SVIDStore plugin storeSVID bool + + printer cliprinter.Printer + + env *commoncli.Env } func (*updateCommand) Name() string { 
@@ -92,9 +97,10 @@ func (c *updateCommand) AppendFlags(f *flag.FlagSet) { f.BoolVar(&c.storeSVID, "storeSVID", false, "A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin") f.Int64Var(&c.entryExpiry, "entryExpiry", 0, "An expiry, from epoch in seconds, for the resulting registration entry to be pruned") f.Var(&c.dnsNames, "dns", "A DNS name that will be included in SVIDs issued based on this entry, where appropriate. Can be used more than once") + cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintUpdate) } -func (c *updateCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { +func (c *updateCommand) Run(ctx context.Context, env *commoncli.Env, serverClient util.ServerClient) error { if err := c.validate(); err != nil { return err } @@ -110,29 +116,12 @@ func (c *updateCommand) Run(ctx context.Context, env *common_cli.Env, serverClie return err } - succeeded, failed, err := updateEntries(ctx, serverClient.NewEntryClient(), entries) + resp, err := updateEntries(ctx, serverClient.NewEntryClient(), entries) if err != nil { return err } - // Print entries that succeeded to be updated - for _, e := range succeeded { - printEntry(e.Entry, env.Printf) - } - - // Print entries that failed to be updated - for _, r := range failed { - env.ErrPrintf("Failed to update the following entry (code: %s, msg: %q):\n", - codes.Code(r.Status.Code), - r.Status.Message) - printEntry(r.Entry, env.ErrPrintf) - } - - if len(failed) > 0 { - return errors.New("failed to update one or more entries") - } - - return nil + return c.printer.PrintProto(resp) } // validate performs basic validation, even on fields that we 
@@ -229,25 +218,56 @@ func (c *updateCommand) parseConfig() ([]*types.Entry, error) { return []*types.Entry{e}, nil } -func updateEntries(ctx context.Context, c entryv1.EntryClient, entries []*types.Entry) (succeeded, failed []*entryv1.BatchUpdateEntryResponse_Result, err error) { - resp, err := c.BatchUpdateEntry(ctx, &entryv1.BatchUpdateEntryRequest{ +func updateEntries(ctx context.Context, c entryv1.EntryClient, entries []*types.Entry) (resp *entryv1.BatchUpdateEntryResponse, err error) { + resp, err = c.BatchUpdateEntry(ctx, &entryv1.BatchUpdateEntryRequest{ Entries: entries, }) if err != nil { - return nil, nil, err + return } for i, r := range resp.Results { + if r.Status.Code != int32(codes.OK) { + // The Entry API does not include in the results the entries that + // failed to be updated, so we populate them from the request data. + r.Entry = entries[i] + } + } + + return +} + +func prettyPrintUpdate(env *commoncli.Env, results ...interface{}) error { + var succeeded, failed []*entryv1.BatchUpdateEntryResponse_Result + updateResp, ok := results[0].(*entryv1.BatchUpdateEntryResponse) + if !ok { + return cliprinter.ErrInternalCustomPrettyFunc + } + + for _, r := range updateResp.Results { switch r.Status.Code { case int32(codes.OK): succeeded = append(succeeded, r) default: - // The Entry API does not include in the results the entries that - // failed to be updated, so we populate them from the request data. - r.Entry = entries[i] failed = append(failed, r) } } + // Print entries that succeeded to be updated + for _, e := range succeeded { + printEntry(e.Entry, env.Printf) + } - return succeeded, failed, nil + // Print entries that failed to be updated + for _, r := range failed { + env.ErrPrintf("Failed to update the following entry (code: %s, msg: %q):\n", + codes.Code(r.Status.Code), + r.Status.Message) + printEntry(r.Entry, env.ErrPrintf) + } + + if len(failed) > 0 { + return errors.New("failed to update one or more entries") + } + + return nil } 
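Review bot: In `updateEntries` the loop reads `r.Status.Code` and assigns `r.Entry = entries[i]` on the assumption that the server returns one well-formed result per requested entry; a nil status or a `Results` slice longer than `entries` would panic the CLI rather than produce an error. Rejecting a response where `len(resp.Results) != len(entries)` before the loop and reading the code through the generated getters, `r.GetStatus().GetCode()`, removes both cases. The function also moved to named results with bare `return`s, which hides what is handed back on the error path; `return nil, err` and `return resp, nil` read more clearly.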
diff --git a/cmd/spire-server/cli/entry/update_test.go b/cmd/spire-server/cli/entry/update_test.go index 5fe52d86e3..07761a785f 100644 --- a/cmd/spire-server/cli/entry/update_test.go +++ b/cmd/spire-server/cli/entry/update_test.go @@ -15,7 +15,6 @@ import ( func TestUpdateHelp(t *testing.T) { test := setupTest(t, newUpdateCommand) test.client.Help() - require.Equal(t, updateUsage, test.stderr.String()) } 
@@ -25,6 +24,189 @@ func TestUpdateSynopsis(t *testing.T) { } func TestUpdate(t *testing.T) { + entry0JSON := `{ + "id": "entry-id", + "spiffe_id": { + "trust_domain": "example.org", + "path": "/workload" + }, + "parent_id": { + "trust_domain": "example.org", + "path": "/parent" + }, + "selectors": [ + { + "type": "type", + "value": "key1:value" + }, + { + "type": "type", + "value": "key2:value" + } + ], + "x509_svid_ttl": 60, + "federates_with": [ + "spiffe://domaina.test", + "spiffe://domainb.test" + ], + "admin": false, + "downstream": false, + "expires_at": "1552410266", + "dns_names": [ + "unu1000", + "ung1000" + ], + "revision_number": "0", + "store_svid": true, + "jwt_svid_ttl":30 + }` + entry0AdminJSON := `{ + "id": "entry-id", + "spiffe_id": { + "trust_domain": "example.org", + "path": "/workload" + }, + "parent_id": { + "trust_domain": "example.org", + "path": "/parent" + }, + "selectors": [ + { + "type": "zebra", + "value": "zebra:2000" + }, + { + "type": "alpha", + "value": "alpha:2000" + } + ], + "x509_svid_ttl": 60, + "federates_with": [ + "spiffe://domaina.test", + "spiffe://domainb.test" + ], + "admin": true, + "downstream": true, + "expires_at": "1552410266", + "dns_names": [ + "unu1000", + "ung1000" + ], + "revision_number": "0", + "store_svid": false, + "jwt_svid_ttl":30 + }` + entry1JSON := `{ + "id": "entry-id-1", + "spiffe_id": { + "trust_domain": "example.org", + "path": "/Blog" + }, + "parent_id": { + "trust_domain": "example.org", + "path": "/spire/agent/join_token/TokenBlog" + }, + "selectors": [ + { + "type": "unix", + "value": "uid:1111" + } + ], + "x509_svid_ttl": 200, + "federates_with": [], + "admin": true, + "downstream": false, + "expires_at": "0", + "dns_names": [], + "revision_number": "0", + "store_svid": false, + "jwt_svid_ttl": 300 + } + }` + entry2JSON := `{ + "id": "entry-id-2", + "spiffe_id": { + "trust_domain": "example.org", + "path": "/Database" + }, + "parent_id": { + "trust_domain": "example.org", + "path": 
"/spire/agent/join_token/TokenDatabase" + }, + "selectors": [ + { + "type": "unix", + "value": "uid:1111" + } + ], + "x509_svid_ttl": 200, + "federates_with": [], + "admin": false, + "downstream": false, + "expires_at": "0", + "dns_names": [], + "revision_number": "0", + "store_svid": false, + "jwt_svid_ttl":300 + } + }` + entry3JSON := `{ + "id": "entry-id-3", + "spiffe_id": { + "trust_domain": "example.org", + "path": "/Storesvid" + }, + "parent_id": { + "trust_domain": "example.org", + "path": "/spire/agent/join_token/TokenDatabase" + }, + "selectors": [ + { + "type": "type", + "value": "key1:value" + }, + { + "type": "type", + "value": "key2:value" + } + ], + "x509_svid_ttl": 200, + "federates_with": [], + "admin": false, + "downstream": false, + "expires_at": "0", + "dns_names": [], + "revision_number": "0", + "store_svid": true, + "jwt_svid_ttl":300 + }` + nonExistentEntryJSON := `{ + "id": "non-existent-id", + "spiffe_id": { + "trust_domain": "example.org", + "path": "/workload" + }, + "jwt_svid_ttl": 0, + "parent_id": { + "trust_domain": "example.org", + "path": "/parent" + }, + "selectors": [ + { + "type": "unix", + "value": "uid:1" + } + ], + "federates_with": [], + "admin": false, + "downstream": false, + "expires_at": "0", + "dns_names": [], + "revision_number": "0", + "store_svid": false, + "x509_svid_ttl": 0 + }` + entry1 := &types.Entry{ Id: "entry-id", SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/workload"}, 
@@ -154,52 +336,63 @@ func TestUpdate(t *testing.T) { fakeResp *entryv1.BatchUpdateEntryResponse serverErr error - expOut string - expErr string + expOutPretty string + expOutJSON string + expErrPretty string + expErrJSON string }{ { - name: "Missing Entry ID", - expErr: "Error: entry ID is required\n", + name: "Missing Entry ID", + expErrPretty: "Error: entry ID is required\n", + expErrJSON: "Error: entry ID is required\n", }, { - name: "Missing selectors", - args: []string{"-entryID", "entry-id"}, - expErr: "Error: at least one selector is required\n", + name: "Missing selectors", + args: []string{"-entryID", "entry-id"}, + expErrPretty: "Error: at least one selector is required\n", + expErrJSON: "Error: at least one selector is required\n", }, { - name: "Missing parent SPIFFE ID", - args: []string{"-entryID", "entry-id", "-selector", "unix:uid:1"}, - expErr: "Error: a parent ID is required\n", + name: "Missing parent SPIFFE ID", + args: []string{"-entryID", "entry-id", "-selector", "unix:uid:1"}, + expErrPretty: "Error: a parent ID is required\n", + expErrJSON: "Error: a parent ID is required\n", }, { - name: "Missing SPIFFE ID", - args: []string{"-entryID", "entry-id", "-selector", "unix:uid:1", "-parentID", "spiffe://example.org/parent"}, - expErr: "Error: a SPIFFE ID is required\n", + name: "Missing SPIFFE ID", + args: []string{"-entryID", "entry-id", "-selector", "unix:uid:1", "-parentID", "spiffe://example.org/parent"}, + expErrPretty: "Error: a SPIFFE ID is required\n", + expErrJSON: "Error: a SPIFFE ID is required\n", }, { - name: "Wrong selectors", - args: []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload"}, - expErr: "Error: selector \"unix\" must be formatted as type:value\n", + name: "Wrong selectors", + args: []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload"}, + 
expErrPretty: "Error: selector \"unix\" must be formatted as type:value\n", + expErrJSON: "Error: selector \"unix\" must be formatted as type:value\n", }, { - name: "Negative TTL", - args: []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "-10"}, - expErr: "Error: a positive TTL is required\n", + name: "Negative TTL", + args: []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "-10"}, + expErrPretty: "Error: a positive TTL is required\n", + expErrJSON: "Error: a positive TTL is required\n", }, { - name: "Invalid TTL and X509SvidTtl", - args: []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20"}, - expErr: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", + name: "Invalid TTL and X509SvidTtl", + args: []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20"}, + expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", + expErrJSON: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", }, { - name: "Invalid TTL and JwtSvidTtl", - args: []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-jwtSVIDTTL", "20"}, - expErr: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", + name: "Invalid TTL and JwtSvidTtl", + args: []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-jwtSVIDTTL", "20"}, + expErrPretty: "Error: use 
x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", + expErrJSON: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", }, { - name: "Invalid TTL and both X509SvidTtl and JwtSvidTtl", - args: []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20", "-jwtSVIDTTL", "30"}, - expErr: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", + name: "Invalid TTL and both X509SvidTtl and JwtSvidTtl", + args: []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20", "-jwtSVIDTTL", "30"}, + expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", + expErrJSON: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n", }, { name: "Server error", @@ -212,8 +405,9 @@ func TestUpdate(t *testing.T) { Selectors: []*types.Selector{{Type: "unix", Value: "uid:1"}}, }, }}, - serverErr: errors.New("server-error"), - expErr: "Error: rpc error: code = Unknown desc = server-error\n", + serverErr: errors.New("server-error"), + expErrPretty: "Error: rpc error: code = Unknown desc = server-error\n", + expErrJSON: "Error: rpc error: code = Unknown desc = server-error\n", }, { name: "Update succeeds using command line arguments", @@ -237,7 +431,7 @@ func TestUpdate(t *testing.T) { Entries: []*types.Entry{entry1}, }, fakeResp: fakeRespOKFromCmd, - expOut: fmt.Sprintf(`Entry ID : entry-id + expOutPretty: fmt.Sprintf(`Entry ID : entry-id SPIFFE ID : spiffe://example.org/workload Parent ID : spiffe://example.org/parent Revision : 0 
@@ -254,6 +448,17 @@ DNS name : ung1000 Admin : true `, time.Unix(1552410266, 0).UTC()), + expOutJSON: fmt.Sprintf(`{ + "results": [ + { + "status": { + "code": 0, + "message": "OK" + }, + "entry": %s + } + ] +}`, entry0AdminJSON), }, { name: "Update succeeds using deprecated command line arguments", @@ -276,7 +481,7 @@ Admin : true Entries: []*types.Entry{entry5}, }, fakeResp: fakeRespOKFromCmd, - expOut: fmt.Sprintf(`Entry ID : entry-id + expOutPretty: fmt.Sprintf(`Entry ID : entry-id SPIFFE ID : spiffe://example.org/workload Parent ID : spiffe://example.org/parent Revision : 0 @@ -293,6 +498,17 @@ DNS name : ung1000 Admin : true `, time.Unix(1552410266, 0).UTC()), + expOutJSON: fmt.Sprintf(`{ + "results": [ + { + "status": { + "code": 0, + "message": "OK" + }, + "entry": %s + } + ] +}`, entry0AdminJSON), }, { name: "Update succeeds using command line arguments Store Svid", @@ -325,7 +541,7 @@ Admin : true }, }, }, - expOut: fmt.Sprintf(`Entry ID : entry-id + expOutPretty: fmt.Sprintf(`Entry ID : entry-id SPIFFE ID : spiffe://example.org/workload Parent ID : spiffe://example.org/parent Revision : 0 @@ -341,6 +557,17 @@ DNS name : ung1000 StoreSvid : true `, time.Unix(1552410266, 0).UTC()), + expOutJSON: fmt.Sprintf(`{ + "results": [ + { + "status": { + "code": 0, + "message": "OK" + }, + "entry": %s + } + ] +}`, entry0JSON), }, { name: "Update succeeds using data file", @@ -351,7 +578,7 @@ StoreSvid : true Entries: []*types.Entry{entry2, entry3, entry4}, }, fakeResp: fakeRespOKFromFile, - expOut: `Entry ID : entry-id-1 + expOutPretty: `Entry ID : entry-id-1 SPIFFE ID : spiffe://example.org/Blog Parent ID : spiffe://example.org/spire/agent/join_token/TokenBlog Revision : 0 
@@ -379,6 +606,30 @@ Selector : type:key2:value StoreSvid : true `, + expOutJSON: fmt.Sprintf(` +{ + "results": [ + { + "status": { + "code": 0, + "message": "OK" + }, + "entry": %s, + { + "status": { + "code": 0, + "message": "OK" + }, + "entry": %s, + { + "status": { + "code": 0, + "message": "OK" + }, + "entry": %s + } + ] +}`, entry1JSON, entry2JSON, entry3JSON), }, { name: "Entry not found", @@ -392,7 +643,7 @@ StoreSvid : true }, }}, fakeResp: fakeRespErr, - expErr: `Failed to update the following entry (code: NotFound, msg: "failed to update entry: datastore-sql: record not found"): + expErrPretty: `Failed to update the following entry (code: NotFound, msg: "failed to update entry: datastore-sql: record not found"): Entry ID : non-existent-id SPIFFE ID : spiffe://example.org/workload Parent ID : spiffe://example.org/parent 
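Review bot: In the `expOutJSON` template of the "Update succeeds using data file" case, the first two result objects are never closed: each `"entry": %s,` is followed directly by the next `{`. The string is therefore valid JSON only if `entry1JSON` and `entry2JSON` themselves end with the brace that closes the surrounding result object, which cannot be confirmed from this hunk because those constants are defined elsewhere. Closing the object in the template, with `"entry": %s` followed by `},`, would match the single-entry cases in this file, which end the same object with an explicit `}`. The test table continues outside the hunk.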
@@ -403,24 +654,44 @@ Selector : unix:uid:1 Error: failed to update one or more entries `, + expOutJSON: fmt.Sprintf(`{ + "results": [ + { + "status": { + "code": 5, + "message": "failed to update entry: datastore-sql: record not found" + }, + "entry": %s + } + ] +}`, nonExistentEntryJSON), }, } { - tt := tt - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, newUpdateCommand) - test.server.err = tt.serverErr - test.server.expBatchUpdateEntryReq = tt.expReq - test.server.batchUpdateEntryResp = tt.fakeResp + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) { + test := setupTest(t, newUpdateCommand) + test.server.err = tt.serverErr + test.server.expBatchUpdateEntryReq = tt.expReq + test.server.batchUpdateEntryResp = tt.fakeResp + args := tt.args + args = append(args, "-output", format) + + rc := test.client.Run(test.args(args...)) - rc := test.client.Run(test.args(tt.args...)) - if tt.expErr != "" { - require.Equal(t, 1, rc) - require.Equal(t, tt.expErr, test.stderr.String()) - return - } + if tt.expErrJSON != "" && format == "json" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expErrJSON, test.stderr.String()) + return + } + if tt.expErrPretty != "" && format == "pretty" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expErrPretty, test.stderr.String()) + return + } - require.Equal(t, 0, rc) - require.Equal(t, tt.expOut, test.stdout.String()) - }) + requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expOutPretty, tt.expOutJSON) + require.Equal(t, 0, rc) + }) + } } } diff --git a/cmd/spire-server/cli/entry/util_posix_test.go b/cmd/spire-server/cli/entry/util_posix_test.go index f0346f3fad..d055fc2d77 100644 --- a/cmd/spire-server/cli/entry/util_posix_test.go +++ b/cmd/spire-server/cli/entry/util_posix_test.go 
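Review bot: The "Entry not found" case sets `expErrPretty` and `expOutJSON` but no `expErrJSON`, so for the json format the loop falls through to `require.Equal(t, 0, rc)` and pins exit code 0 for an update whose result carries status code 5. If that is the intended contract, callers that script `entry update -output json` cannot rely on the exit status and have to inspect each `status.code`. A comment on the case would make that explicit, e.g. `// json format: per-entry failures are reported in results[].status and the command still exits 0`. The same fall-through applies to any case that sets only one of the two error fields, since the other format is then checked as a success. TestUpdate's table starts outside this hunk.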
@@ -21,6 +21,8 @@ const ( The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag -node If set, this entry will be applied to matching nodes rather than workloads + -output value + Desired output format (pretty, json) -parentID string The SPIFFE ID of this record's parent -selector value @@ -47,6 +49,8 @@ const ( The match mode used when filtering by federates with. Options: exact, any, superset and subset (default "superset") -matchSelectorsOn string The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset") + -output value + Desired output format (pretty, json) -parentID string The Parent ID of the records to show -selector value @@ -73,6 +77,8 @@ const ( SPIFFE ID of a trust domain to federate with. Can be used more than once -jwtSVIDTTL int The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag + -output value + Desired output format (pretty, json) -parentID string The SPIFFE ID of this record's parent -selector value @@ -87,5 +93,19 @@ const ( The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version -x509SVIDTTL int The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag +` + deleteUsage = `Usage of entry delete: + -entryID string + The Registration Entry ID of the record to delete + -output value + Desired output format (pretty, json) + -socketPath string + Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") +` + countUsage = `Usage of entry count: + -output value + Desired output format (pretty, json) + -socketPath string + Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") ` ) 
diff --git a/cmd/spire-server/cli/entry/util_test.go b/cmd/spire-server/cli/entry/util_test.go index ead0d84168..617bca4ad6 100644 --- a/cmd/spire-server/cli/entry/util_test.go +++ b/cmd/spire-server/cli/entry/util_test.go @@ -19,6 +19,8 @@ import ( "google.golang.org/grpc" ) +var availableFormats = []string{"pretty", "json"} + func TestParseEntryJSON(t *testing.T) { testCases := []struct { name string @@ -253,3 +255,16 @@ func setupTest(t *testing.T, newClient func(*common_cli.Env) cli.Command) *entry return test } + +func requireOutputBasedOnFormat(t *testing.T, format, stdoutString string, expectedStdoutPretty, expectedStdoutJSON string) { + switch format { + case "pretty": + require.Contains(t, stdoutString, expectedStdoutPretty) + case "json": + if expectedStdoutJSON != "" { + require.JSONEq(t, expectedStdoutJSON, stdoutString) + } else { + require.Empty(t, stdoutString) + } + } +} diff --git a/cmd/spire-server/cli/entry/util_windows_test.go b/cmd/spire-server/cli/entry/util_windows_test.go index fba038c055..945f0d354c 100644 --- a/cmd/spire-server/cli/entry/util_windows_test.go +++ b/cmd/spire-server/cli/entry/util_windows_test.go @@ -23,6 +23,8 @@ const ( Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -node If set, this entry will be applied to matching nodes rather than workloads + -output value + Desired output format (pretty, json) -parentID string The SPIFFE ID of this record's parent -selector value @@ -49,6 +51,8 @@ const ( The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset") -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") + -output value + Desired output format (pretty, json) -parentID string The Parent ID of the records to show -selector value 
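Review bot: `requireOutputBasedOnFormat` checks the pretty format with `require.Contains`, which passes for any stdout when `expectedStdoutPretty` is empty, and its `switch` has no `default`, so a format name missing from the switch is silently accepted. The TestUpdate loop it replaces compared stdout with `require.Equal`, so the pretty assertion is weaker than before. I would add `t.Helper()` as the first statement and a `default: t.Fatalf("unexpected format %q", format)` branch, and use `require.Equal` for pretty unless a caller needs substring matching.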
@@ -75,6 +79,8 @@ const ( The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") + -output value + Desired output format (pretty, json) -parentID string The SPIFFE ID of this record's parent -selector value @@ -87,5 +93,19 @@ const ( The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version -x509SVIDTTL int The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag +` + deleteUsage = `Usage of entry delete: + -entryID string + The Registration Entry ID of the record to delete + -namedPipeName string + Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") + -output value + Desired output format (pretty, json) +` + countUsage = `Usage of entry count: + -namedPipeName string + Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") + -output value + Desired output format (pretty, json) ` ) diff --git a/pkg/common/cliprinter/cliprinter.go b/pkg/common/cliprinter/cliprinter.go index 0b2c2e3f50..bee58dad4a 100644 --- a/pkg/common/cliprinter/cliprinter.go +++ b/pkg/common/cliprinter/cliprinter.go @@ -1,6 +1,7 @@ package cliprinter import ( + "errors" "io" commoncli "github.com/spiffe/spire/pkg/common/cli" @@ -28,6 +29,9 @@ type Printer interface { // still be able to gain formatter functionality for other outputs. type CustomPrettyFunc func(*commoncli.Env, ...interface{}) error +// ErrInternalCustomPrettyFunc should be returned by a CustomPrettyFunc when some internal error occurs. +var ErrInternalCustomPrettyFunc = errors.New("internal error: cli printer; please report this bug") + type printer struct { format formatType env *commoncli.Env 
From dedb04b767432aaf3573be4daf67ea3bfa9f8c1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Fri, 25 Nov 2022 16:26:13 -0300 Subject: [PATCH 151/257] Do not try to close client if not initialized (#3638) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- pkg/server/plugin/keymanager/gcpkms/gcpkms.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkg/server/plugin/keymanager/gcpkms/gcpkms.go b/pkg/server/plugin/keymanager/gcpkms/gcpkms.go index 5115531e63..fca1888293 100644 --- a/pkg/server/plugin/keymanager/gcpkms/gcpkms.go +++ b/pkg/server/plugin/keymanager/gcpkms/gcpkms.go @@ -151,6 +151,9 @@ func newPlugin( } func (p *Plugin) Close() error { + if p.kmsClient == nil { + return nil + } p.log.Debug("Closing the connection to the Cloud KMS API service") return p.kmsClient.Close() } From 4e4e5cd3c1bf741cecd8d20f45915031d3c602d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Fri, 25 Nov 2022 17:02:01 -0300 Subject: [PATCH 152/257] Update list of required permissions (#3639) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- doc/plugin_server_keymanager_gcp_kms.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/plugin_server_keymanager_gcp_kms.md b/doc/plugin_server_keymanager_gcp_kms.md index 43cb6a8c71..da2e9fa673 100644 --- a/doc/plugin_server_keymanager_gcp_kms.md +++ b/doc/plugin_server_keymanager_gcp_kms.md 
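Review bot: The new nil check in `Close` reads `p.kmsClient` without any visible synchronization, and the field is left set after `p.kmsClient.Close()` returns. Whether another method can assign the client concurrently is not visible in this hunk, so this is worth confirming against the code that sets `kmsClient`. The exported method also has no doc comment; `// Close closes the Cloud KMS client. It is a no-op when no client has been initialized.` would record the behaviour this commit adds.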
@@ -78,7 +78,11 @@ The plugin requires the following IAM permissions be granted to the authenticated service account in the configured key ring: ```text -cloudkms.cryptoKeys.* +cloudkms.cryptoKeys.create +cloudkms.cryptoKeys.getIamPolicy +cloudkms.cryptoKeys.list +cloudkms.cryptoKeys.setIamPolicy +cloudkms.cryptoKeys.update cloudkms.cryptoKeyVersions.create cloudkms.cryptoKeyVersions.destroy cloudkms.cryptoKeyVersions.get From 2b14e804cf975554d6a7cb4c6d69111a9eaa6554 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 29 Nov 2022 14:38:05 -0300 Subject: [PATCH 153/257] Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.72.0 to 1.73.0 (#3644) Bumps [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) from 1.72.0 to 1.73.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.72.0...service/ec2/v1.73.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 8dee97996c..6c79242c8a 100644 --- a/go.mod +++ b/go.mod @@ -22,7 +22,7 @@ require ( github.com/aws/aws-sdk-go-v2/credentials v1.13.2 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19 github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 - github.com/aws/aws-sdk-go-v2/service/ec2 v1.72.0 + github.com/aws/aws-sdk-go-v2/service/ec2 v1.73.0 github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 github.com/aws/aws-sdk-go-v2/service/kms v1.18.8 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 
diff --git a/go.sum b/go.sum index 9eec3dcefb..5895c902cd 100644 --- a/go.sum +++ b/go.sum @@ -392,8 +392,8 @@ github.com/aws/aws-sdk-go-v2/internal/ini v1.3.26 h1:Mza+vlnZr+fPKFKRq/lKGVvM6B/ github.com/aws/aws-sdk-go-v2/internal/ini v1.3.26/go.mod h1:Y2OJ+P+MC1u1VKnavT+PshiEuGPyh/7DqxoDNij4/bg= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 h1:2f0kb+39miQPRp0b7Sqq06+TpxI0Nfcra41QxzJPME8= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0/go.mod h1:AVLIBQ9V7mcHd5uZT1+wUbBt4QaI/XcOens85Ib0W1o= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.72.0 h1:bCFJL8mahOZJa3+t8+uWHL1JzuCICZCSb50FCljz9hE= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.72.0/go.mod h1:zul71QqzR4D1a90/5FloZiAnZ1CtuIjVH7R9MP997+A= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.73.0 h1:3AXOhjvPxEMWw5RItV47NRLuzqwlLly5GbS5aB3sXh4= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.73.0/go.mod h1:zul71QqzR4D1a90/5FloZiAnZ1CtuIjVH7R9MP997+A= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 h1:m/WtVqEvgwDiUPIW2dtnF2hDE1O62MEflz9ClOlCXAs= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16/go.mod h1:w8wndcRxwILFQAzwkUKyEDz4LDHEBSR78KRdaNjUKQA= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19 h1:GE25AWCdNUPh9AOJzI9KIJnja7IwUc1WyUqz/JTyJ/I= From bc71caa89d6a70bb27d1009258fec1cb16c40954 Mon Sep 17 00:00:00 2001 From: Guilherme Oliveira do Carmo Carvalho <33766735+guilhermocc@users.noreply.github.com> Date: Tue, 29 Nov 2022 16:00:16 -0300 Subject: [PATCH 154/257] Auto remove markdown lint container (#3643) Signed-off-by: Guilherme Carvalho --- Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 7afaebcdfc..9df5e7346a 100644 --- a/Makefile +++ b/Makefile @@ -176,7 +176,7 @@ protos := \ api-protos := \ plugin-protos := \ - proto/spire/common/plugin/plugin.proto + proto/spire/common/plugin/plugin.proto service-protos := \ 
@@ -209,7 +209,7 @@ endif ############################################################################ # Flags passed to all invocations of go test -go_test_flags := +go_test_flags := ifeq ($(NIGHTLY),) # Cap unit-test timout to 60s unless we're running nightlies. go_test_flags += -timeout=60s @@ -431,7 +431,7 @@ lint-code: $(golangci_lint_bin) $(E)PATH="$(go_bin_dir):$(PATH)" GOLANGCI_LINT_CACHE="$(golangci_lint_cache)" $(golangci_lint_bin) run ./... lint-md: - $(E)docker run -v "$(DIR):/workdir" $(markdown_lint_image) "**/*.md" + $(E)docker run --rm -v "$(DIR):/workdir" $(markdown_lint_image) "**/*.md" ############################################################################# # Code Generation From b395b9f6a8270c992410ed88e85040603a3a27b5 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Wed, 30 Nov 2022 17:49:41 +0100 Subject: [PATCH 155/257] Reduce duplication in docker build (#3635) Signed-off-by: Marco Franssen --- Makefile | 88 ++++++++++++++++++-------------------------------------- 1 file changed, 28 insertions(+), 60 deletions(-) diff --git a/Makefile b/Makefile index 9df5e7346a..34d7e54b82 100644 --- a/Makefile +++ b/Makefile 
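Review bot: The `lint-md` recipe still bind-mounts the whole working tree read-write into the lint container (`-v "$(DIR):/workdir"`). The command shown only reads `**/*.md`, so the mount could be read-only, `$(E)docker run --rm -v "$(DIR):/workdir:ro" $(markdown_lint_image) "**/*.md"`, which keeps a third-party image from modifying the checkout. This assumes the linter is not run with a fix option; none is visible in the recipe.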
@@ -330,28 +330,26 @@ artifact: build # Docker Images ############################################################################# -.PHONY: images -images: spire-server-image spire-agent-image k8s-workload-registrar-image oidc-discovery-provider-image - -.PHONY: spire-server-image -spire-server-image: Dockerfile - docker build --build-arg goversion=$(go_version_full) --target spire-server -t spire-server . - docker tag spire-server:latest spire-server:latest-local +define image_rule +.PHONY: $1 +$1: $3 + echo Building docker image $2 $(PLATFORM)… + $(E)docker build \ + --build-arg goversion=$(go_version_full) \ + --target $2 \ + -t $2 -t $2:latest-local \ + -f $3 \ + . -.PHONY: spire-agent-image -spire-agent-image: Dockerfile - docker build --build-arg goversion=$(go_version_full) --target spire-agent -t spire-agent . - docker tag spire-agent:latest spire-agent:latest-local +endef -.PHONY: k8s-workload-registrar-image -k8s-workload-registrar-image: Dockerfile - docker build --build-arg goversion=$(go_version_full) --target k8s-workload-registrar -t k8s-workload-registrar . - docker tag k8s-workload-registrar:latest k8s-workload-registrar:latest-local +.PHONY: images +images: spire-server-image spire-agent-image k8s-workload-registrar-image oidc-discovery-provider-image -.PHONY: oidc-discovery-provider-image -oidc-discovery-provider-image: Dockerfile - docker build --build-arg goversion=$(go_version_full) --target oidc-discovery-provider -t oidc-discovery-provider . 
- docker tag oidc-discovery-provider:latest oidc-discovery-provider:latest-local +$(eval $(call image_rule,spire-server-image,spire-server,Dockerfile)) +$(eval $(call image_rule,spire-agent-image,spire-agent,Dockerfile)) +$(eval $(call image_rule,k8s-workload-registrar-image,k8s-workload-registrar,Dockerfile)) +$(eval $(call image_rule,oidc-discovery-provider-image,oidc-discovery-provider,Dockerfile)) ############################################################################# # Docker Images FROM scratch 
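Review bot: Inside `image_rule` the `echo` line is the only recipe line without the `$(E)` prefix, and it prints `$(PLATFORM)` although the `docker build` command below it passes no platform option, so the message can name a platform that docker was never asked to build. Because the body goes through `$(eval $(call ...))`, `$(PLATFORM)`, `$(E)` and `$(go_version_full)` are expanded when the rule is generated rather than when the recipe runs. They need to be defined above this point in the Makefile or written as `$$(...)`. I would write the line as `$(E)echo Building docker image $2`.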
@@ -360,52 +358,22 @@ oidc-discovery-provider-image: Dockerfile .PHONY: scratch-images scratch-images: spire-server-scratch-image spire-agent-scratch-image k8s-workload-registrar-scratch-image oidc-discovery-provider-scratch-image -.PHONY: spire-server-scratch-image -spire-server-scratch-image: Dockerfile - docker build --build-arg goversion=$(go_version_full) --target spire-server-scratch -t spire-server-scratch -f Dockerfile.scratch . - docker tag spire-server-scratch:latest spire-server-scratch:latest-local - -.PHONY: spire-agent-scratch-image -spire-agent-scratch-image: Dockerfile - docker build --build-arg goversion=$(go_version_full) --target spire-agent-scratch -t spire-agent-scratch -f Dockerfile.scratch . - docker tag spire-agent-scratch:latest spire-agent-scratch:latest-local - -.PHONY: k8s-workload-registrar-scratch-image -k8s-workload-registrar-scratch-image: Dockerfile - docker build --build-arg goversion=$(go_version_full) --target k8s-workload-registrar-scratch -t k8s-workload-registrar-scratch -f Dockerfile.scratch . - docker tag k8s-workload-registrar-scratch:latest k8s-workload-registrar-scratch:latest-local - -.PHONY: oidc-discovery-provider-scratch-image -oidc-discovery-provider-scratch-image: Dockerfile - docker build --build-arg goversion=$(go_version_full) --target oidc-discovery-provider-scratch -t oidc-discovery-provider-scratch -f Dockerfile.scratch . 
- docker tag oidc-discovery-provider-scratch:latest oidc-discovery-provider-scratch:latest-local +$(eval $(call image_rule,spire-server-scratch-image,spire-server-scratch,Dockerfile.scratch)) +$(eval $(call image_rule,spire-agent-scratch-image,spire-agent-scratch,Dockerfile.scratch)) +$(eval $(call image_rule,k8s-workload-registrar-scratch-image,k8s-workload-registrar-scratch,Dockerfile.scratch)) +$(eval $(call image_rule,oidc-discovery-provider-scratch-image,oidc-discovery-provider-scratch,Dockerfile.scratch)) ############################################################################# -# Docker Images +# Windows Docker Images ############################################################################# .PHONY: images-windows -images-windows: spire-server-image-windows spire-agent-image-windows oidc-discovery-provider-image-windows - -.PHONY: spire-server-image-windows -spire-server-image-windows: Dockerfile - docker build -f Dockerfile.windows --target spire-server-windows -t spire-server-windows . - docker tag spire-server-windows:latest spire-server-windows:latest-local - -.PHONY: spire-agent-image-windows -spire-agent-image-windows: Dockerfile - docker build -f Dockerfile.windows --target spire-agent-windows -t spire-agent-windows . - docker tag spire-agent-windows:latest spire-agent-windows:latest-local - -.PHONY: k8s-workload-registrar-image-windows -k8s-workload-registrar-image-windows: Dockerfile - docker build -f Dockerfile.windows --target k8s-workload-registrar-windows -t k8s-workload-registrar-windows . - docker tag k8s-workload-registrar-windows:latest k8s-workload-registrar-windows:latest-local - -.PHONY: oidc-discovery-provider-image-windows -oidc-discovery-provider-image-windows: Dockerfile - docker build -f Dockerfile.windows --target oidc-discovery-provider-windows -t oidc-discovery-provider-windows . 
- docker tag oidc-discovery-provider-windows:latest oidc-discovery-provider-windows:latest-local +images-windows: spire-server-windows-image spire-agent-windows-image k8s-workload-registrar-windows-image oidc-discovery-provider-windows-image + +$(eval $(call image_rule,spire-server-windows-image,spire-server-windows,Dockerfile.windows)) +$(eval $(call image_rule,spire-agent-windows-image,spire-agent-windows,Dockerfile.windows)) +$(eval $(call image_rule,k8s-workload-registrar-windows-image,k8s-workload-registrar-windows,Dockerfile.windows)) +$(eval $(call image_rule,oidc-discovery-provider-windows-image,oidc-discovery-provider-windows,Dockerfile.windows)) ############################################################################# # Code cleanliness From 7a26883b97762f4a3a124f5006f6790eab6157f3 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Wed, 30 Nov 2022 23:41:17 +0100 Subject: [PATCH 156/257] Improve image layers (#3633) This will reduce the amount of layers that need a rebuild by moving the most static layers first. As a benefit builds will be faster and pushes and pulls will only require the last layer of the image to be pushed and pulled. Signed-off-by: Marco Franssen --- Dockerfile | 30 ++++++------- Dockerfile.dev | 4 +- Dockerfile.scratch | 43 ++++++++----------- Dockerfile.windows | 19 +++----- .../suites/ghostunnel-federation/Dockerfile | 8 ++-- .../suites/k8s-crd-mode/Dockerfile | 3 +- .../suites/nested-rotation/Dockerfile | 3 +- .../suites/spire-server-cli/02-bundle | 2 +- 8 files changed, 43 insertions(+), 69 deletions(-) diff --git a/Dockerfile b/Dockerfile index ba6564eaf7..d6156d2447 100644 --- a/Dockerfile +++ b/Dockerfile 
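Review bot: The `images-windows` aggregate now also builds `k8s-workload-registrar-windows-image`, which the old prerequisite list left out, and the per-image targets are renamed from `*-image-windows` to `*-windows-image`. Any workflow or script that still calls `make spire-server-image-windows` will fail after this change, and Windows builds now depend on `bin/k8s-workload-registrar.exe` being present for the COPY in Dockerfile.windows. If the exclusion was deliberate, keep the old list, `images-windows: spire-server-windows-image spire-agent-windows-image oidc-discovery-provider-windows-image`. The shared rule also passes `--build-arg goversion=...` to Dockerfile.windows, which may not declare that argument.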
@@ -1,43 +1,37 @@ # Build stage ARG goversion FROM golang:${goversion}-alpine as builder -RUN apk add build-base git mercurial -ADD go.mod /spire/go.mod -RUN cd /spire && go mod download -ADD . /spire WORKDIR /spire +RUN apk --no-cache --update add build-base git mercurial +ADD go.* ./ +RUN go mod download +ADD . . RUN make build # Common base FROM alpine AS spire-base -RUN apk --no-cache add dumb-init -RUN apk --no-cache add ca-certificates +WORKDIR /opt/spire RUN mkdir -p /opt/spire/bin +CMD [] +RUN apk --no-cache --update add dumb-init +RUN apk --no-cache --update add ca-certificates # SPIRE Server FROM spire-base AS spire-server -COPY --from=builder /spire/bin/spire-server /opt/spire/bin/spire-server -WORKDIR /opt/spire ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/spire-server", "run"] -CMD [] +COPY --from=builder /spire/bin/spire-server bin/spire-server # SPIRE Agent FROM spire-base AS spire-agent -COPY --from=builder /spire/bin/spire-agent /opt/spire/bin/spire-agent -WORKDIR /opt/spire ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/spire-agent", "run"] -CMD [] +COPY --from=builder /spire/bin/spire-agent bin/spire-agent # K8S Workload Registrar FROM spire-base AS k8s-workload-registrar -COPY --from=builder /spire/bin/k8s-workload-registrar /opt/spire/bin/k8s-workload-registrar -WORKDIR /opt/spire ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/k8s-workload-registrar"] -CMD [] +COPY --from=builder /spire/bin/k8s-workload-registrar bin/k8s-workload-registrar # OIDC Discovery Provider FROM spire-base AS oidc-discovery-provider -COPY --from=builder /spire/bin/oidc-discovery-provider /opt/spire/bin/oidc-discovery-provider -WORKDIR /opt/spire ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/oidc-discovery-provider"] -CMD [] +COPY --from=builder /spire/bin/oidc-discovery-provider bin/oidc-discovery-provider diff --git a/Dockerfile.dev b/Dockerfile.dev index 4b1fd91a07..72099782fd 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev 
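Review bot: In the `spire-base` stage the two package installs stay as separate `RUN` layers and gain `--update`, which `--no-cache` already makes redundant. One layer does the same work, `RUN apk --no-cache add dumb-init ca-certificates`, and fits the commit's aim of fewer layers to rebuild. The builder stage copies local files with `ADD go.* ./` and `ADD . .`; `COPY` is the narrower instruction for plain local files and avoids ADD's archive extraction behaviour.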
@@ -1,6 +1,4 @@ FROM ubuntu:xenial - +WORKDIR /spire RUN apt-get update && apt-get -y install \ curl unzip git build-essential ca-certificates libssl-dev - -WORKDIR /spire diff --git a/Dockerfile.scratch b/Dockerfile.scratch index 420c3df3e0..684e7470d0 100644 --- a/Dockerfile.scratch +++ b/Dockerfile.scratch 
@@ -1,42 +1,33 @@ # Build stage ARG goversion FROM golang:${goversion}-alpine as builder -RUN apk add build-base git mercurial ca-certificates -RUN apk add --update gcc musl-dev -ADD go.mod /spire/go.mod -RUN cd /spire && go mod download -ADD . /spire WORKDIR /spire +RUN apk add --no-cache --update build-base musl-dev git mercurial ca-certificates +ADD go.* ./ +RUN go mod download +ADD . . RUN make build-static -# SPIRE Server -FROM scratch AS spire-server-scratch -COPY --from=builder /spire/bin/spire-server-static /opt/spire/bin/spire-server -COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ +FROM scratch AS spire-base WORKDIR /opt/spire -ENTRYPOINT ["/opt/spire/bin/spire-server", "run"] CMD [] - -FROM scratch AS spire-agent-scratch -COPY --from=builder /spire/bin/spire-agent-static /opt/spire/bin/spire-agent COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ -WORKDIR /opt/spire -EXPOSE 8080 8443 + +# SPIRE Server +FROM spire-base AS spire-server-scratch +ENTRYPOINT ["/opt/spire/bin/spire-server", "run"] +COPY --from=builder /spire/bin/spire-server-static bin/spire-server + +FROM spire-base AS spire-agent-scratch ENTRYPOINT ["/opt/spire/bin/spire-agent", "run"] -CMD [] +COPY --from=builder /spire/bin/spire-agent-static bin/spire-agent # K8S Workload Registrar -FROM scratch AS k8s-workload-registrar-scratch -COPY --from=builder /spire/bin/k8s-workload-registrar-static /opt/spire/bin/k8s-workload-registrar -COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ -WORKDIR /opt/spire +FROM spire-base AS k8s-workload-registrar-scratch ENTRYPOINT ["/opt/spire/bin/k8s-workload-registrar"] -CMD [] +COPY --from=builder /spire/bin/k8s-workload-registrar-static bin/k8s-workload-registrar # OIDC Discovery Provider -FROM scratch AS oidc-discovery-provider-scratch -COPY --from=builder /spire/bin/oidc-discovery-provider-static /opt/spire/bin/oidc-discovery-provider -COPY --from=builder /etc/ssl/certs/ca-certificates.crt 
/etc/ssl/certs/ -WORKDIR /opt/spire +FROM spire-base AS oidc-discovery-provider-scratch ENTRYPOINT ["/opt/spire/bin/oidc-discovery-provider"] -CMD [] +COPY --from=builder /spire/bin/oidc-discovery-provider-static bin/oidc-discovery-provider diff --git a/Dockerfile.windows b/Dockerfile.windows index 16748ab50e..bed4c9e314 100644 --- a/Dockerfile.windows +++ b/Dockerfile.windows @@ -4,32 +4,25 @@ FROM mcr.microsoft.com/windows/nanoserver:ltsc2022 AS spire-base-windows RUN mkdir c:\\spire\\bin RUN mkdir c:\\spire\\data +WORKDIR C:/spire +CMD [] # SPIRE Server FROM spire-base-windows AS spire-server-windows -COPY bin/spire-server.exe C:/spire/bin/spire-server.exe -WORKDIR C:/spire ENTRYPOINT ["c:/spire/bin/spire-server.exe", "run"] -CMD [] +COPY bin/spire-server.exe C:/spire/bin/spire-server.exe # SPIRE Agent FROM spire-base-windows AS spire-agent-windows -COPY ./bin/spire-agent.exe C:/spire/bin/spire-agent.exe -WORKDIR C:/spire ENTRYPOINT ["c:/spire/bin/spire-agent.exe", "run"] -CMD [] +COPY ./bin/spire-agent.exe C:/spire/bin/spire-agent.exe # K8S Workload Registrar FROM spire-base-windows AS k8s-workload-registrar-windows -COPY ./bin/k8s-workload-registrar.exe C:/spire/bin/k8s-workload-registrar.exe -WORKDIR c:/spire ENTRYPOINT ["c:/spire/bin/k8s-workload-registrar.exe"] -CMD [] +COPY ./bin/k8s-workload-registrar.exe C:/spire/bin/k8s-workload-registrar.exe # OIDC Discovery Provider FROM spire-base-windows AS oidc-discovery-provider-windows -COPY ./bin/oidc-discovery-provider.exe c:/spire/bin/oidc-discovery-provider.exe -WORKDIR c:/spire ENTRYPOINT ["c:/spire/bin/oidc-discovery-provider.exe"] -CMD [] - +COPY ./bin/oidc-discovery-provider.exe c:/spire/bin/oidc-discovery-provider.exe diff --git a/test/integration/suites/ghostunnel-federation/Dockerfile b/test/integration/suites/ghostunnel-federation/Dockerfile index 08d71be888..fe7188cf5a 100644 --- a/test/integration/suites/ghostunnel-federation/Dockerfile +++ b/test/integration/suites/ghostunnel-federation/Dockerfile 
@@ -3,9 +3,9 @@ FROM spire-agent:latest-local as spire-agent FROM ghostunnel/ghostunnel:latest AS ghostunnel-latest FROM alpine/socat:latest AS socat-ghostunnel-agent-mashup -COPY --from=spire-agent /opt/spire/bin/spire-agent /opt/spire/bin/spire-agent -COPY --from=ghostunnel-latest /usr/bin/ghostunnel /usr/bin/ghostunnel -RUN apk --no-cache add dumb-init -RUN apk --no-cache add supervisor ENTRYPOINT ["/usr/bin/dumb-init", "supervisord", "--nodaemon", "--configuration", "/opt/supervisord/supervisord.conf"] CMD [] +COPY --from=spire-agent /opt/spire/bin/spire-agent /opt/spire/bin/spire-agent +COPY --from=ghostunnel-latest /usr/bin/ghostunnel /usr/bin/ghostunnel +RUN apk --no-cache --update add dumb-init +RUN apk --no-cache --update add supervisor diff --git a/test/integration/suites/k8s-crd-mode/Dockerfile b/test/integration/suites/k8s-crd-mode/Dockerfile index bc76a647c4..d1e5437a43 100644 --- a/test/integration/suites/k8s-crd-mode/Dockerfile +++ b/test/integration/suites/k8s-crd-mode/Dockerfile @@ -1,4 +1,3 @@ FROM spire-agent:latest-local AS example-crd-agent -RUN apk add --update openssl && \ - rm -rf /var/cache/apk/* CMD [] +RUN apk add --no-cache --update openssl diff --git a/test/integration/suites/nested-rotation/Dockerfile b/test/integration/suites/nested-rotation/Dockerfile index 9f8efdca87..ab6bb339d9 100644 --- a/test/integration/suites/nested-rotation/Dockerfile +++ b/test/integration/suites/nested-rotation/Dockerfile @@ -1,4 +1,3 @@ FROM spire-agent:latest-local AS nested-agent -RUN apk add --update openssl && \ - rm -rf /var/cache/apk/* CMD [] +RUN apk add --no-cache --update openssl diff --git a/test/integration/suites/spire-server-cli/02-bundle b/test/integration/suites/spire-server-cli/02-bundle index 79e2b5ac0d..c1cac754b9 100755 --- a/test/integration/suites/spire-server-cli/02-bundle +++ b/test/integration/suites/spire-server-cli/02-bundle 
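Review bot: In the ghostunnel test image the `RUN apk` layers for `dumb-init` and `supervisor` now come after `COPY --from=spire-agent`, so every rebuilt `spire-agent:latest-local` invalidates the cache for both package installs. That is the opposite of the ordering this commit applies elsewhere; placing the installs (or one combined `RUN apk --no-cache add dumb-init supervisor`) before the `COPY --from` lines keeps them cached. The k8s-crd-mode and nested-rotation Dockerfiles in the next two hunks build `FROM spire-agent:latest-local`, so their `RUN apk` layer is rebuilt with the base regardless of order.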
@@ -2,7 +2,7 @@ # Install openssl docker-compose exec -T spire-server \ - apk add --update openssl && rm -rf /var/cache/apk/* + apk add --no-cache --update openssl # Verify 'bundle count' correctly indicates a single bundle (the server bundle) docker-compose exec -T spire-server /opt/spire/bin/spire-server bundle count | grep 1 || fail-now "failed to count 1 bundle" From 4aa9b7e5033049843693f4a970124e78655bcb43 Mon Sep 17 00:00:00 2001 From: Tomoya Usami Date: Thu, 1 Dec 2022 11:50:48 +0900 Subject: [PATCH 157/257] Add note for static building (#3646) Signed-off-by: Tomoya Usami --- Makefile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Makefile b/Makefile index 34d7e54b82..9e041cd493 100644 --- a/Makefile +++ b/Makefile @@ -270,6 +270,8 @@ bin/: .PHONY: build-static +# The build-static is intended to statically link to musl libc. +# There are possibilities of unexpected errors when statically link to GLIBC. build-static: tidy bin/spire-server-static bin/spire-agent-static bin/k8s-workload-registrar-static bin/oidc-discovery-provider-static # https://7thzero.com/blog/golang-w-sqlite3-docker-scratch-image From a2c1f06c8d3d85fd75ce5ac99408b01239ec17e7 Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Wed, 30 Nov 2022 20:31:32 -0800 Subject: [PATCH 158/257] Document existence of release container images (#3641) Signed-off-by: Ryan Turner --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 33cb7ebb98..2a2bc2c98e 100644 --- a/README.md +++ b/README.md 
@@ -20,6 +20,7 @@ SPIRE is a [graduated](https://www.cncf.io/projects/spire/) project of the [Clou ## Get SPIRE - Pre-built releases of SPIRE can be found at [https://github.com/spiffe/spire/releases](https://github.com/spiffe/spire/releases). These releases contain both SPIRE Server and SPIRE Agent binaries. +- Container images are published for [spire-server](https://ghcr.io/spiffe/spire-server), [spire-agent](https://ghcr.io/spiffe/spire-agent), and [oidc-discovery-provider](https://ghcr.io/spiffe/spire-oidc-provider). - Alternatively, you can [build SPIRE from source](/CONTRIBUTING.md). ## Learn about SPIRE From d65f4779caaa308f59c12d126d4946b2b6d6a0f4 Mon Sep 17 00:00:00 2001 From: Keegan Witt Date: Thu, 1 Dec 2022 04:46:58 -0500 Subject: [PATCH 159/257] Fix election RBAC YAML (#3617) * Fix apiGroup for lease RBAC Signed-off-by: Keegan Witt --- .../k8s-workload-registrar/mode-crd/README.md | 4 +- .../mode-crd/config/roles.yaml | 53 +++++++++++++++++++ .../config/spire-server-registrar.yaml | 1 + .../mode-reconcile/config/roles.yaml | 6 +-- 4 files changed, 60 insertions(+), 4 deletions(-) create mode 100644 support/k8s/k8s-workload-registrar/mode-crd/config/roles.yaml diff --git a/support/k8s/k8s-workload-registrar/mode-crd/README.md b/support/k8s/k8s-workload-registrar/mode-crd/README.md index 76745967c0..223c8d63d0 100644 --- a/support/k8s/k8s-workload-registrar/mode-crd/README.md +++ b/support/k8s/k8s-workload-registrar/mode-crd/README.md 
@@ -62,6 +62,7 @@ This quick start sets up the SPIRE Server, SPIRE Agent, and CRD Kubernetes Workl ```shell $ kubectl apply -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/config/spiffeid.spiffe.io_spiffeids.yaml \ + -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/config/roles.yaml \ -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/config/spire-server-registrar.yaml \ -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/config/spire-agent.yaml ``` @@ -272,7 +273,8 @@ We can test this using the NGINX example deployment: ```shell $ kubectl delete -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/config/spire-server-registrar.yaml \ - -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/config/spire-agent.yaml + -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/config/spire-agent.yaml \ + -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/config/roles.yaml ``` ## Workload Registration diff --git a/support/k8s/k8s-workload-registrar/mode-crd/config/roles.yaml b/support/k8s/k8s-workload-registrar/mode-crd/config/roles.yaml new file mode 100644 index 0000000000..6639030d40 --- /dev/null +++ b/support/k8s/k8s-workload-registrar/mode-crd/config/roles.yaml 
@@ -0,0 +1,53 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-k8s-registrar-cluster-role +rules: + - apiGroups: [""] + resources: ["pods", "nodes", "endpoints"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: spire-k8s-registrar-cluster-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: spire-k8s-registrar-cluster-role +subjects: + - kind: ServiceAccount + name: spire-k8s-registrar + namespace: spire +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: spire-k8s-registrar-role + namespace: spire +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + resourceNames: ["spire-k8s-registrar-leader-election"] + verbs: ["update", "get"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: spire-k8s-registrar-role-binding + namespace: spire +subjects: + - kind: ServiceAccount + name: spire-k8s-registrar + namespace: spire +roleRef: + kind: Role + name: spire-k8s-registrar-role + apiGroup: rbac.authorization.k8s.io diff --git a/support/k8s/k8s-workload-registrar/mode-crd/config/spire-server-registrar.yaml b/support/k8s/k8s-workload-registrar/mode-crd/config/spire-server-registrar.yaml index 5e452e46ca..f7294a5522 100644 --- a/support/k8s/k8s-workload-registrar/mode-crd/config/spire-server-registrar.yaml +++ b/support/k8s/k8s-workload-registrar/mode-crd/config/spire-server-registrar.yaml @@ -158,6 +158,7 @@ data: pod_controller = true add_svc_dns_names = true mode = "crd" + leader_election = true webhook_enabled = true identity_template = "ns/{{.Pod.Namespace}}/pod/{{.Pod.Name}}" identity_template_label = "spiffe.io/spiffe-id" 
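Review bot: The two `leases` rules in the new `Role` have no comment explaining why `create` is granted without `resourceNames` while `update`/`get` are pinned to `spire-k8s-registrar-leader-election`, which is the first thing a least-privilege audit of this file will ask. I would add above the first rule `# create cannot be restricted by resourceNames, so it is granted separately from update/get on the named lease`. The pinned name must also match the lease name the registrar requests for leader election, which is not visible in this diff; the same applies to the mode-reconcile `roles.yaml` hunk, where the name changes from `controller-leader-election-helper`. After this commit the two `roles.yaml` files are byte-identical (both index lines end in `6639030d40`), so they can drift apart unless one copy is referenced from both quick starts.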
diff --git a/support/k8s/k8s-workload-registrar/mode-reconcile/config/roles.yaml b/support/k8s/k8s-workload-registrar/mode-reconcile/config/roles.yaml index 2c4153dfd2..6639030d40 100644 --- a/support/k8s/k8s-workload-registrar/mode-reconcile/config/roles.yaml +++ b/support/k8s/k8s-workload-registrar/mode-reconcile/config/roles.yaml @@ -27,12 +27,12 @@ metadata: name: spire-k8s-registrar-role namespace: spire rules: - - apiGroups: [""] + - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["create"] - - apiGroups: [""] + - apiGroups: ["coordination.k8s.io"] resources: ["leases"] - resourceNames: ["controller-leader-election-helper"] + resourceNames: ["spire-k8s-registrar-leader-election"] verbs: ["update", "get"] - apiGroups: [""] resources: ["events"] From e99d25f3b713a688eba936a1f956dabcb91fcae7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 1 Dec 2022 07:26:51 -0300 Subject: [PATCH 160/257] Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.73.0 to 1.74.0 (#3650) Bumps [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) from 1.73.0 to 1.74.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.73.0...service/ec2/v1.74.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 6c79242c8a..721920150f 100644 --- a/go.mod +++ b/go.mod 
@@ -22,7 +22,7 @@ require ( github.com/aws/aws-sdk-go-v2/credentials v1.13.2 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19 github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 - github.com/aws/aws-sdk-go-v2/service/ec2 v1.73.0 + github.com/aws/aws-sdk-go-v2/service/ec2 v1.74.0 github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 github.com/aws/aws-sdk-go-v2/service/kms v1.18.8 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 diff --git a/go.sum b/go.sum index 5895c902cd..7b9b64ed7c 100644 --- a/go.sum +++ b/go.sum @@ -392,8 +392,8 @@ github.com/aws/aws-sdk-go-v2/internal/ini v1.3.26 h1:Mza+vlnZr+fPKFKRq/lKGVvM6B/ github.com/aws/aws-sdk-go-v2/internal/ini v1.3.26/go.mod h1:Y2OJ+P+MC1u1VKnavT+PshiEuGPyh/7DqxoDNij4/bg= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 h1:2f0kb+39miQPRp0b7Sqq06+TpxI0Nfcra41QxzJPME8= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0/go.mod h1:AVLIBQ9V7mcHd5uZT1+wUbBt4QaI/XcOens85Ib0W1o= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.73.0 h1:3AXOhjvPxEMWw5RItV47NRLuzqwlLly5GbS5aB3sXh4= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.73.0/go.mod h1:zul71QqzR4D1a90/5FloZiAnZ1CtuIjVH7R9MP997+A= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.74.0 h1:5MCRd9q1yrGoRdYZDxK6y048VNmQ6gKLdCFr+TZsvTY= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.74.0/go.mod h1:zul71QqzR4D1a90/5FloZiAnZ1CtuIjVH7R9MP997+A= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 h1:m/WtVqEvgwDiUPIW2dtnF2hDE1O62MEflz9ClOlCXAs= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16/go.mod h1:w8wndcRxwILFQAzwkUKyEDz4LDHEBSR78KRdaNjUKQA= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19 h1:GE25AWCdNUPh9AOJzI9KIJnja7IwUc1WyUqz/JTyJ/I= From 2c69556374b9b6ed09c87acad2c28098fb8d8453 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 1 Dec 2022 08:16:26 -0300 Subject: [PATCH 161/257] Bump github.com/aws/aws-sdk-go-v2/service/kms from 1.18.8 to 1.19.0 (#3649) Bumps [github.com/aws/aws-sdk-go-v2/service/kms](https://github.com/aws/aws-sdk-go-v2) from 1.18.8 to 1.19.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ecs/v1.18.8...service/s3/v1.19.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/kms dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 721920150f..b6a274d428 100644 --- a/go.mod +++ b/go.mod @@ -24,7 +24,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 github.com/aws/aws-sdk-go-v2/service/ec2 v1.74.0 github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 - github.com/aws/aws-sdk-go-v2/service/kms v1.18.8 + github.com/aws/aws-sdk-go-v2/service/kms v1.19.0 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 github.com/aws/aws-sdk-go-v2/service/sts v1.17.4 github.com/blang/semver/v4 v4.0.0 diff --git a/go.sum b/go.sum index 7b9b64ed7c..cd2c79dd1f 100644 --- a/go.sum +++ b/go.sum 
@@ -398,8 +398,8 @@ github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 h1:m/WtVqEvgwDiUPIW2dtnF2hDE1O github.com/aws/aws-sdk-go-v2/service/iam v1.18.16/go.mod h1:w8wndcRxwILFQAzwkUKyEDz4LDHEBSR78KRdaNjUKQA= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19 h1:GE25AWCdNUPh9AOJzI9KIJnja7IwUc1WyUqz/JTyJ/I= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19/go.mod h1:02CP6iuYP+IVnBX5HULVdSAku/85eHB2Y9EsFhrkEwU= -github.com/aws/aws-sdk-go-v2/service/kms v1.18.8 h1:0YzDYm5rFuwzqwhBg94OYa2TKbdd5dUsf9+uPHwoYns= -github.com/aws/aws-sdk-go-v2/service/kms v1.18.8/go.mod h1:NjgXnn0pk5rLSWZIgtx0BCwoCugRXzKZ7cDNsl98W7U= +github.com/aws/aws-sdk-go-v2/service/kms v1.19.0 h1:ycl4Z01HQyprcfOFMAVwWTNaUm29qHRPZyJunDZZVXg= +github.com/aws/aws-sdk-go-v2/service/kms v1.19.0/go.mod h1:kZodDPTQjSH/qM6/OvyTfM5mms5JHB/EKYp5dhn/vI4= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 h1:Lh1yssM4dinNZuESsXnbi+pID8hoviejLZdLmT175i8= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0/go.mod h1:z0y2iDaghoq7uv6kndhrJCTzgVckv8Aak8kpnu2kYjs= github.com/aws/aws-sdk-go-v2/service/sso v1.11.25 h1:GFZitO48N/7EsFDt8fMa5iYdmWqkUDDB3Eje6z3kbG0= From ac9bc300f7da2cc12e843e5c18271fa8f6866025 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 1 Dec 2022 09:14:20 -0300 Subject: [PATCH 162/257] Bump github.com/shirou/gopsutil/v3 from 3.22.10 to 3.22.11 (#3651) Bumps [github.com/shirou/gopsutil/v3](https://github.com/shirou/gopsutil) from 3.22.10 to 3.22.11. - [Release notes](https://github.com/shirou/gopsutil/releases) - [Commits](https://github.com/shirou/gopsutil/compare/v3.22.10...v3.22.11) --- updated-dependencies: - dependency-name: github.com/shirou/gopsutil/v3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 8 ++++---- go.sum | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod index b6a274d428..33a18fbeef 100644 --- a/go.mod +++ b/go.mod @@ -54,7 +54,7 @@ require ( github.com/mitchellh/cli v1.1.5 github.com/open-policy-agent/opa v0.46.1 github.com/prometheus/client_golang v1.14.0 - github.com/shirou/gopsutil/v3 v3.22.10 + github.com/shirou/gopsutil/v3 v3.22.11 github.com/sirupsen/logrus v1.9.0 github.com/spiffe/go-spiffe/v2 v2.0.1-0.20220414143532-2ed460a8b9d3 github.com/spiffe/spire-api-sdk v1.2.5-0.20221020001527-5895a0279944 @@ -65,7 +65,7 @@ require ( golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa golang.org/x/net v0.0.0-20221014081412-f15817d10f9b golang.org/x/sync v0.1.0 - golang.org/x/sys v0.0.0-20221010170243-090e33056c14 + golang.org/x/sys v0.2.0 golang.org/x/time v0.2.0 google.golang.org/api v0.103.0 google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c @@ -191,8 +191,8 @@ require ( github.com/spf13/cast v1.3.1 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/tchap/go-patricia/v2 v2.3.1 // indirect - github.com/tklauser/go-sysconf v0.3.10 // indirect - github.com/tklauser/numcpus v0.4.0 // indirect + github.com/tklauser/go-sysconf v0.3.11 // indirect + github.com/tklauser/numcpus v0.6.0 // indirect github.com/twmb/murmur3 v1.1.6 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect diff --git a/go.sum b/go.sum index cd2c79dd1f..750962f176 100644 --- a/go.sum +++ b/go.sum 
@@ -1086,8 +1086,8 @@ github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkB github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= -github.com/shirou/gopsutil/v3 v3.22.10 h1:4KMHdfBRYXGF9skjDWiL4RA2N+E8dRdodU/bOZpPoVg= -github.com/shirou/gopsutil/v3 v3.22.10/go.mod h1:QNza6r4YQoydyCfo6rH0blGfKahgibh4dQmV5xdFkQk= +github.com/shirou/gopsutil/v3 v3.22.11 h1:kxsPKS+Eeo+VnEQ2XCaGJepeP6KY53QoRTETx3+1ndM= +github.com/shirou/gopsutil/v3 v3.22.11/go.mod h1:xl0EeL4vXJ+hQMAGN8B9VFpxukEMA0XdevQOe5MZ1oY= github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4= github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ= github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= 
@@ -1152,10 +1152,10 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= -github.com/tklauser/go-sysconf v0.3.10 h1:IJ1AZGZRWbY8T5Vfk04D9WOA5WSejdflXxP03OUqALw= -github.com/tklauser/go-sysconf v0.3.10/go.mod h1:C8XykCvCb+Gn0oNCWPIlcb0RuglQTYaQ2hGm7jmxEFk= -github.com/tklauser/numcpus v0.4.0 h1:E53Dm1HjH1/R2/aoCtXtPgzmElmn51aOkhCFSuZq//o= -github.com/tklauser/numcpus v0.4.0/go.mod h1:1+UI3pD8NW14VMwdgJNJ1ESk2UnwhAnz5hMwiKKqXCQ= +github.com/tklauser/go-sysconf v0.3.11 h1:89WgdJhk5SNwJfu+GKyYveZ4IaJ7xAkecBo+KdJV0CM= +github.com/tklauser/go-sysconf v0.3.11/go.mod h1:GqXfhXY3kiPa0nAXPDIQIWzJbMCB7AmcWpGR8lSZfqI= +github.com/tklauser/numcpus v0.6.0 h1:kebhY2Qt+3U6RNK7UqpYNA+tJ23IBEGKkB7JQBfDYms= +github.com/tklauser/numcpus v0.6.0/go.mod h1:FEZLMke0lhOUG6w2JadTzp0a+Nl8PF/GFkQ5UVIcaL4= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= 
@@ -1514,8 +1514,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20221010170243-090e33056c14 h1:k5II8e6QD8mITdi+okbbmR/cIyEbeXLBhy5Ha4nevyc= -golang.org/x/sys v0.0.0-20221010170243-090e33056c14/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A= +golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= From d59bde3b8e15abe41df515aa8d397283b426e828 Mon Sep 17 00:00:00 2001 From: Guilherme Oliveira do Carmo Carvalho <33766735+guilhermocc@users.noreply.github.com> Date: Thu, 1 Dec 2022 09:54:04 -0300 Subject: [PATCH 163/257] Use cli printer server bundle commands (#3624) * Use cliprinter to enable more output format options in list agent command Signed-off-by: Guilherme Carvalho --- .../cli/bundle/bundle_posix_test.go | 36 + cmd/spire-server/cli/bundle/bundle_test.go | 738 +++++++++++------- .../cli/bundle/bundle_windows_test.go | 36 + cmd/spire-server/cli/bundle/count.go | 39 +- cmd/spire-server/cli/bundle/delete.go | 27 +- cmd/spire-server/cli/bundle/list.go | 50 +- cmd/spire-server/cli/bundle/set.go | 28 +- cmd/spire-server/cli/bundle/show.go | 21 +- 8 files changed, 639 insertions(+), 336 deletions(-) 
diff --git a/cmd/spire-server/cli/bundle/bundle_posix_test.go b/cmd/spire-server/cli/bundle/bundle_posix_test.go index 8500e78766..9bcaefd90e 100644 --- a/cmd/spire-server/cli/bundle/bundle_posix_test.go +++ b/cmd/spire-server/cli/bundle/bundle_posix_test.go @@ -9,9 +9,45 @@ var ( The format of the bundle data. Either "pem" or "spiffe". (default "pem") -id string SPIFFE ID of the trust domain + -output value + Desired output format (pretty, json) -path string Path to the bundle data -socketPath string Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") +` + countUsage = `Usage of bundle count: + -output value + Desired output format (pretty, json) + -socketPath string + Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") +` + deleteUsage = `Usage of bundle delete: + -id string + SPIFFE ID of the trust domain + -mode string + Deletion mode: one of restrict, delete, or dissociate (default "restrict") + -output value + Desired output format (pretty, json) + -socketPath string + Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") +` + listUsage = `Usage of bundle list: + -format string + The format to list federated bundles (only pretty output format supports this flag). Either "pem" or "spiffe". (default "pem") + -id string + SPIFFE ID of the trust domain + -output value + Desired output format (pretty, json) + -socketPath string + Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") +` + showUsage = `Usage of bundle show: + -format string + The format to show the bundle (only pretty output format supports this flag). Either "pem" or "spiffe". (default "pem") + -output value + Desired output format (pretty, json) + -socketPath string + Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") ` ) 
diff --git a/cmd/spire-server/cli/bundle/bundle_test.go b/cmd/spire-server/cli/bundle/bundle_test.go index 885a3c790a..a16a575100 100644 --- a/cmd/spire-server/cli/bundle/bundle_test.go +++ b/cmd/spire-server/cli/bundle/bundle_test.go @@ -10,7 +10,6 @@ import ( bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1" "github.com/spiffe/spire-api-sdk/proto/spire/api/types" - "github.com/spiffe/spire/cmd/spire-server/cli/common" "github.com/spiffe/spire/cmd/spire-server/util" "github.com/spiffe/spire/pkg/common/pemutil" "github.com/spiffe/spire/test/spiretest" @@ -19,13 +18,13 @@ import ( "google.golang.org/grpc/status" ) +var availableFormats = []string{"pretty", "json"} + func TestShowHelp(t *testing.T) { test := setupTest(t, newShowCommand) test.client.Help() - require.Equal(t, `Usage of bundle show: - -format string - The format to show the bundle. Either "pem" or "spiffe". (default "pem")`+common.AddrUsage, test.stderr.String()) + require.Equal(t, showUsage, test.stderr.String()) } func TestShowSynopsis(t *testing.T) { 
@@ -34,26 +33,41 @@ func TestShowSynopsis(t *testing.T) { } func TestShow(t *testing.T) { + expectedShowResultJSON := `{ + "trust_domain": "spiffe://example.test", + "x509_authorities": [ + { + "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHyvsCk5yi+yhSzNu5aquQwvm8a1Wh+qw1fiHAkhDni+wq+g3TQWxYlV51TCPH030yXsRxvujD4hUUaIQrXk4KKjODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMS50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIA2dO09Xmakw2ekuHKWC4hBhCkpr5qY4bI8YUcXfxg/1AiEA67kMyH7bQnr7OVLUrL+b9ylAdZglS5kKnYigmwDh+/U=" + } + ], + "jwt_authorities": [], + "refresh_hint": "60", + "sequence_number": "0" +}` for _, tt := range []struct { - name string - args []string - expectedOut string - serverErr error - expectedError string + name string + args []string + expectedStdoutPretty string + expectedStdoutJSON string + serverErr error + expectedError string }{ { - name: "default", - expectedOut: cert1PEM, + name: "default", + expectedStdoutPretty: cert1PEM, + expectedStdoutJSON: expectedShowResultJSON, }, { - name: "pem", - args: []string{"-format", util.FormatPEM}, - expectedOut: cert1PEM, + name: "pem", + args: []string{"-format", util.FormatPEM}, + expectedStdoutPretty: cert1PEM, + expectedStdoutJSON: expectedShowResultJSON, }, { - name: "spiffe", - args: []string{"-format", util.FormatSPIFFE}, - expectedOut: cert1JWKS, + name: "spiffe", + args: []string{"-format", util.FormatSPIFFE}, + expectedStdoutPretty: cert1JWKS, + expectedStdoutJSON: expectedShowResultJSON, }, { name: "server fails", 
@@ -61,29 +75,31 @@ func TestShow(t *testing.T) { expectedError: "Error: rpc error: code = Unknown desc = some error\n", }, } { - tt := tt - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, newShowCommand) - test.server.err = tt.serverErr - test.server.bundles = []*types.Bundle{{ - TrustDomain: "spiffe://example.test", - X509Authorities: []*types.X509Certificate{ - {Asn1: test.cert1.Raw}, + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) { + test := setupTest(t, newShowCommand) + test.server.err = tt.serverErr + test.server.bundles = []*types.Bundle{{ + TrustDomain: "spiffe://example.test", + X509Authorities: []*types.X509Certificate{ + {Asn1: test.cert1.Raw}, + }, + RefreshHint: 60, }, - RefreshHint: 60, - }, - } - - rc := test.client.Run(test.args(tt.args...)) - if tt.expectedError != "" { - require.Equal(t, 1, rc) - require.Equal(t, tt.expectedError, test.stderr.String()) - return - } - - require.Equal(t, 0, rc) - require.Equal(t, test.stdout.String(), tt.expectedOut) - }) + } + args := tt.args + args = append(args, "-output", format) + + rc := test.client.Run(test.args(args...)) + if tt.expectedError != "" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expectedError, test.stderr.String()) + return + } + assertOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutPretty, tt.expectedStdoutJSON) + require.Equal(t, 0, rc) + }) + } } } @@ -99,6 +115,23 @@ func TestSetSynopsis(t *testing.T) { } func TestSet(t *testing.T) { + expectedSetResultJSON := `{ + "results": [ + { + "status": { + "code": 0, + "message": "" + }, + "bundle": { + "trust_domain": "spiffe://otherdomain.test", + "x509_authorities": [], + "jwt_authorities": [], + "refresh_hint": "0", + "sequence_number": "0" + } + } + ] +}` cert1, err := pemutil.ParseCertificate([]byte(cert1PEM)) require.NoError(t, err) 
@@ -106,54 +139,64 @@ func TestSet(t *testing.T) { require.NoError(t, err) for _, tt := range []struct { - name string - args []string - expectedStderr string - stdin string - fileData string - serverErr error - toSet *types.Bundle - setResponse *bundlev1.BatchSetFederatedBundleResponse + name string + args []string + expectedStderrPretty string + expectedStderrJSON string + expectedStdoutPretty string + expectedStdoutJSON string + stdin string + fileData string + serverErr error + toSet *types.Bundle + setResponse *bundlev1.BatchSetFederatedBundleResponse }{ { - name: "no id", - expectedStderr: "Error: id flag is required\n", + name: "no id", + expectedStderrPretty: "Error: id flag is required\n", + expectedStderrJSON: "Error: id flag is required\n", }, { - name: "invalid trust domain ID", - expectedStderr: "Error: unable to parse bundle data: no PEM blocks\n", - args: []string{"-id", "spiffe://otherdomain.test"}, + name: "invalid trust domain ID", + expectedStderrPretty: "Error: unable to parse bundle data: no PEM blocks\n", + expectedStderrJSON: "Error: unable to parse bundle data: no PEM blocks\n", + args: []string{"-id", "spiffe://otherdomain.test"}, }, { - name: "invalid output format", - stdin: cert1PEM, - args: []string{"-id", "spiffe://otherdomain.test", "-format", "invalidFormat"}, - expectedStderr: "Error: invalid format: \"invalidformat\"\n", + name: "invalid output format", + stdin: cert1PEM, + args: []string{"-id", "spiffe://otherdomain.test", "-format", "invalidFormat"}, + expectedStderrPretty: "Error: invalid format: \"invalidformat\"\n", + expectedStderrJSON: "Error: invalid format: \"invalidformat\"\n", }, { - name: "invalid bundle (pem)", - stdin: "invalid bundle", - args: []string{"-id", "spiffe://otherdomain.test"}, - expectedStderr: "Error: unable to parse bundle data: no PEM blocks\n", + name: "invalid bundle (pem)", + stdin: "invalid bundle", + args: []string{"-id", "spiffe://otherdomain.test"}, + expectedStderrPretty: "Error: unable to 
parse bundle data: no PEM blocks\n", + expectedStderrJSON: "Error: unable to parse bundle data: no PEM blocks\n", }, { - name: "invalid bundle (spiffe)", - stdin: "invalid bundle", - args: []string{"-id", "spiffe://otherdomain.test", "-format", util.FormatSPIFFE}, - expectedStderr: "Error: unable to parse to spiffe bundle: spiffebundle: unable to parse JWKS: invalid character 'i' looking for beginning of value\n", + name: "invalid bundle (spiffe)", + stdin: "invalid bundle", + args: []string{"-id", "spiffe://otherdomain.test", "-format", util.FormatSPIFFE}, + expectedStderrPretty: "Error: unable to parse to spiffe bundle: spiffebundle: unable to parse JWKS: invalid character 'i' looking for beginning of value\n", + expectedStderrJSON: "Error: unable to parse to spiffe bundle: spiffebundle: unable to parse JWKS: invalid character 'i' looking for beginning of value\n", }, { - name: "server fails", - stdin: cert1PEM, - args: []string{"-id", "spiffe://otherdomain.test"}, - serverErr: status.New(codes.Internal, "some error").Err(), - expectedStderr: "Error: failed to set federated bundle: rpc error: code = Internal desc = some error\n", + name: "server fails", + stdin: cert1PEM, + args: []string{"-id", "spiffe://otherdomain.test"}, + serverErr: status.New(codes.Internal, "some error").Err(), + expectedStderrPretty: "Error: failed to set federated bundle: rpc error: code = Internal desc = some error\n", + expectedStderrJSON: "Error: failed to set federated bundle: rpc error: code = Internal desc = some error\n", }, { - name: "failed to set", - stdin: cert1PEM, - args: []string{"-id", "spiffe://otherdomain.test"}, - expectedStderr: "Error: failed to set federated bundle: failed to set\n", + name: "failed to set", + stdin: cert1PEM, + args: []string{"-id", "spiffe://otherdomain.test"}, + expectedStderrPretty: "Error: failed to set federated bundle: failed to set\n", + expectedStdoutJSON: `{"results":[{"status":{"code":13,"message":"failed to set"},"bundle":null}]}`, toSet: 
&types.Bundle{ TrustDomain: "spiffe://otherdomain.test", X509Authorities: []*types.X509Certificate{ @@ -192,6 +235,8 @@ func TestSet(t *testing.T) { }, }, }, + expectedStdoutPretty: "bundle set.", + expectedStdoutJSON: expectedSetResultJSON, }, { name: "set bundle (pem)", @@ -215,6 +260,8 @@ func TestSet(t *testing.T) { }, }, }, + expectedStdoutPretty: "bundle set.", + expectedStdoutJSON: expectedSetResultJSON, }, { name: "set bundle (jwks)", @@ -244,11 +291,14 @@ func TestSet(t *testing.T) { }, }, }, + expectedStdoutPretty: "bundle set.", + expectedStdoutJSON: expectedSetResultJSON, }, { - name: "invalid file name", - expectedStderr: fmt.Sprintf("Error: unable to load bundle data: open /not/a/real/path/to/a/bundle: %s\n", spiretest.PathNotFound()), - args: []string{"-id", "spiffe://otherdomain.test", "-path", "/not/a/real/path/to/a/bundle"}, + name: "invalid file name", + expectedStderrPretty: fmt.Sprintf("Error: unable to load bundle data: open /not/a/real/path/to/a/bundle: %s\n", spiretest.PathNotFound()), + expectedStderrJSON: fmt.Sprintf("Error: unable to load bundle data: open /not/a/real/path/to/a/bundle: %s\n", spiretest.PathNotFound()), + args: []string{"-id", "spiffe://otherdomain.test", "-path", "/not/a/real/path/to/a/bundle"}, }, { name: "set from file (default)", @@ -272,6 +322,8 @@ func TestSet(t *testing.T) { }, }, }, + expectedStdoutPretty: "bundle set.", + expectedStdoutJSON: expectedSetResultJSON, }, { name: "set from file (pem)", @@ -295,6 +347,8 @@ func TestSet(t *testing.T) { }, }, }, + expectedStdoutPretty: "bundle set.", + expectedStdoutJSON: expectedSetResultJSON, }, { name: "set from file (jwks)", 
@@ -324,36 +378,44 @@ func TestSet(t *testing.T) { }, }, }, + expectedStdoutPretty: "bundle set.", + expectedStdoutJSON: expectedSetResultJSON, }, } { - tt := tt - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, newSetCommand) - test.server.expectedSetBundle = tt.toSet - test.server.setResponse = tt.setResponse - test.server.err = tt.serverErr - - test.stdin.WriteString(tt.stdin) - var extraArgs []string - if tt.fileData != "" { - tmpDir := spiretest.TempDir(t) - bundlePath := filepath.Join(tmpDir, "bundle_data") - require.NoError(t, os.WriteFile(bundlePath, []byte(tt.fileData), 0600)) - extraArgs = append(extraArgs, "-path", bundlePath) - } - - rc := test.client.Run(test.args(append(tt.args, extraArgs...)...)) - - if tt.expectedStderr != "" { - require.Equal(t, 1, rc) - require.Equal(t, tt.expectedStderr, test.stderr.String()) - return - } - - require.Empty(t, test.stderr.String()) - require.Equal(t, 0, rc) - require.Equal(t, "bundle set.\n", test.stdout.String()) - }) + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) { + test := setupTest(t, newSetCommand) + test.server.expectedSetBundle = tt.toSet + test.server.setResponse = tt.setResponse + test.server.err = tt.serverErr + test.stdin.WriteString(tt.stdin) + var extraArgs []string + if tt.fileData != "" { + tmpDir := spiretest.TempDir(t) + bundlePath := filepath.Join(tmpDir, "bundle_data") + require.NoError(t, os.WriteFile(bundlePath, []byte(tt.fileData), 0600)) + extraArgs = append(extraArgs, "-path", bundlePath) + } + args := tt.args + args = append(args, "-output", format) + + rc := test.client.Run(test.args(append(args, extraArgs...)...)) + + if tt.expectedStderrPretty != "" && format == "pretty" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expectedStderrPretty, test.stderr.String()) + return + } + if tt.expectedStderrJSON != "" && format == "json" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expectedStderrJSON, 
test.stderr.String()) + return + } + assertOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutPretty, tt.expectedStdoutJSON) + require.Empty(t, test.stderr.String()) + require.Equal(t, 0, rc) + }) + } } } @@ -361,7 +423,7 @@ func TestCountHelp(t *testing.T) { test := setupTest(t, NewCountCommandWithEnv) test.client.Help() - require.Equal(t, `Usage of bundle count:`+common.AddrUsage, test.stderr.String()) + require.Equal(t, countUsage, test.stderr.String()) } func TestCountSynopsis(t *testing.T) { @@ -371,17 +433,19 @@ func TestCountSynopsis(t *testing.T) { func TestCount(t *testing.T) { for _, tt := range []struct { - name string - args []string - count int - expectedStdout string - expectedStderr string - serverErr error + name string + args []string + count int + expectedStdoutPretty string + expectedStdoutJSON string + expectedStderr string + serverErr error }{ { - name: "all bundles", - count: 2, - expectedStdout: "2 bundles\n", + name: "all bundles", + count: 2, + expectedStdoutPretty: "2 bundles\n", + expectedStdoutJSON: `{"count":2}`, }, { name: "all bundles server fails", @@ -390,9 +454,10 @@ func TestCount(t *testing.T) { serverErr: status.Error(codes.Internal, "some error"), }, { - name: "one bundle", - count: 1, - expectedStdout: "1 bundle\n", + name: "one bundle", + count: 1, + expectedStdoutPretty: "1 bundle\n", + expectedStdoutJSON: `{"count":1}`, }, { name: "one bundle server fails", 
@@ -401,45 +466,49 @@ func TestCount(t *testing.T) { serverErr: status.Error(codes.Internal, "some error"), }, { - name: "no bundles", - count: 0, - expectedStdout: "0 bundles\n", + name: "no bundles", + count: 0, + expectedStdoutPretty: "0 bundles\n", + expectedStdoutJSON: `{"count":0}`, }, } { - tt := tt - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, NewCountCommandWithEnv) - test.server.err = tt.serverErr - bundles := []*types.Bundle{ - { - TrustDomain: "spiffe://domain1.test", - X509Authorities: []*types.X509Certificate{ - {Asn1: test.cert1.Raw}, - }, - JwtAuthorities: []*types.JWTKey{ - {KeyId: "KID", PublicKey: test.key1Pkix}, + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) { + test := setupTest(t, NewCountCommandWithEnv) + test.server.err = tt.serverErr + bundles := []*types.Bundle{ + { + TrustDomain: "spiffe://domain1.test", + X509Authorities: []*types.X509Certificate{ + {Asn1: test.cert1.Raw}, + }, + JwtAuthorities: []*types.JWTKey{ + {KeyId: "KID", PublicKey: test.key1Pkix}, + }, }, - }, - { - TrustDomain: "spiffe://domain2.test", - X509Authorities: []*types.X509Certificate{ - {Asn1: test.cert2.Raw}, + { + TrustDomain: "spiffe://domain2.test", + X509Authorities: []*types.X509Certificate{ + {Asn1: test.cert2.Raw}, + }, }, - }, - } - - test.server.bundles = bundles[0:tt.count] - rc := test.client.Run(test.args(tt.args...)) - if tt.expectedStderr != "" { - require.Equal(t, tt.expectedStderr, test.stderr.String()) - require.Equal(t, 1, rc) - return - } - - require.Equal(t, 0, rc) - require.Empty(t, test.stderr.String()) - require.Equal(t, tt.expectedStdout, test.stdout.String()) - }) + } + test.server.bundles = bundles[0:tt.count] + args := tt.args + args = append(args, "-output", format) + + rc := test.client.Run(test.args(args...)) + + if tt.expectedStderr != "" { + require.Equal(t, tt.expectedStderr, test.stderr.String()) + require.Equal(t, 1, rc) + return + } + 
assertOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutPretty, tt.expectedStdoutJSON) + require.Equal(t, 0, rc) + require.Empty(t, test.stderr.String()) + }) + } } } @@ -447,11 +516,7 @@ func TestListHelp(t *testing.T) { test := setupTest(t, newListCommand) test.client.Help() - require.Equal(t, `Usage of bundle list: - -format string - The format to list federated bundles. Either "pem" or "spiffe". (default "pem") - -id string - SPIFFE ID of the trust domain`+common.AddrUsage, test.stderr.String()) + require.Equal(t, listUsage, test.stderr.String()) } func TestListSynopsis(t *testing.T) { 
@@ -460,108 +525,168 @@ func TestListSynopsis(t *testing.T) { } func TestList(t *testing.T) { + allBundlesResultJSON := `{ + "bundles": [ + { + "trust_domain": "spiffe://domain1.test", + "x509_authorities": [ + { + "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHyvsCk5yi+yhSzNu5aquQwvm8a1Wh+qw1fiHAkhDni+wq+g3TQWxYlV51TCPH030yXsRxvujD4hUUaIQrXk4KKjODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMS50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIA2dO09Xmakw2ekuHKWC4hBhCkpr5qY4bI8YUcXfxg/1AiEA67kMyH7bQnr7OVLUrL+b9ylAdZglS5kKnYigmwDh+/U=" + } + ], + "jwt_authorities": [ + { + "public_key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfK+wKTnKL7KFLM27lqq5DC+bxrVaH6rDV+IcCSEOeL7Cr6DdNBbFiVXnVMI8fTfTJexHG+6MPiFRRohCteTgog==", + "key_id": "KID", + "expires_at": "0" + } + ], + "refresh_hint": "0", + "sequence_number": "0" + }, + { + "trust_domain": "spiffe://domain2.test", + "x509_authorities": [ + { + "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB8VbmlJ8YIuN9RuQ94PYanmkIRG7MkGV5mmrO6rFAv3SFd/uVlwYNkXrh0219eHUSD4o+4RGXoiMFJKysw5GK6jODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMi50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIQDMKwYtq+2ZoNyl4udPj7IMYIGX8yuCNRmh7m3d9tvoDgIgbS26wSwDjngGqdiHHL8fTcggdiIqWtxAqBLFrx8zNS4=" + } + ], + "jwt_authorities": [], + "refresh_hint": "0", + "sequence_number": "0" + } + ], + "next_page_token": "" +}` + oneBundleResultJSON := `{ + "trust_domain": "spiffe://domain2.test", + "x509_authorities": [ + { + "asn1": 
"MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB8VbmlJ8YIuN9RuQ94PYanmkIRG7MkGV5mmrO6rFAv3SFd/uVlwYNkXrh0219eHUSD4o+4RGXoiMFJKysw5GK6jODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMi50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIQDMKwYtq+2ZoNyl4udPj7IMYIGX8yuCNRmh7m3d9tvoDgIgbS26wSwDjngGqdiHHL8fTcggdiIqWtxAqBLFrx8zNS4=" + } + ], + "jwt_authorities": [], + "refresh_hint": "0", + "sequence_number": "0" +}` for _, tt := range []struct { - name string - args []string - expectedStdout string - expectedStderr string - serverErr error + name string + args []string + expectedStdoutPretty string + expectedStdoutJSON string + expectedStderrPretty string + expectedStderrJSON string + serverErr error }{ { - name: "all bundles (default)", - expectedStdout: allBundlesPEM, + name: "all bundles (default)", + expectedStdoutPretty: allBundlesPEM, + expectedStdoutJSON: allBundlesResultJSON, }, { - name: "all bundles server fails", - expectedStderr: "Error: rpc error: code = Internal desc = some error\n", - serverErr: status.New(codes.Internal, "some error").Err(), + name: "all bundles server fails", + expectedStderrPretty: "Error: rpc error: code = Internal desc = some error\n", + expectedStderrJSON: "Error: rpc error: code = Internal desc = some error\n", + serverErr: status.New(codes.Internal, "some error").Err(), }, { - name: "all bundles invalid format", - args: []string{"-format", "invalid"}, - expectedStderr: "Error: invalid format: \"invalid\"\n", + name: "all bundles invalid bundle format", + args: []string{"-format", "invalid"}, + expectedStderrPretty: "Error: invalid format: \"invalid\"\n", + expectedStdoutJSON: allBundlesResultJSON, }, { - name: "all bundles (pem)", - args: []string{"-format", util.FormatPEM}, - expectedStdout: allBundlesPEM, + name: "all bundles (pem)", + args: []string{"-format", util.FormatPEM}, + expectedStdoutPretty: allBundlesPEM, + expectedStdoutJSON: 
allBundlesResultJSON, }, { - name: "all bundles (jwks)", - args: []string{"-format", util.FormatSPIFFE}, - expectedStdout: allBundlesJWKS, + name: "all bundles (jwks)", + args: []string{"-format", util.FormatSPIFFE}, + expectedStdoutPretty: allBundlesJWKS, + expectedStdoutJSON: allBundlesResultJSON, }, { - name: "one bundle (default)", - args: []string{"-id", "spiffe://domain2.test"}, - expectedStdout: cert2PEM, + name: "one bundle (default)", + args: []string{"-id", "spiffe://domain2.test"}, + expectedStdoutPretty: cert2PEM, + expectedStdoutJSON: oneBundleResultJSON, }, { - name: "one bundle server fails", - args: []string{"-id", "spiffe://domain2.test"}, - expectedStderr: "Error: rpc error: code = Internal desc = some error\n", - serverErr: status.New(codes.Internal, "some error").Err(), + name: "one bundle server fails", + args: []string{"-id", "spiffe://domain2.test"}, + expectedStderrPretty: "Error: rpc error: code = Internal desc = some error\n", + expectedStderrJSON: "Error: rpc error: code = Internal desc = some error\n", + serverErr: status.New(codes.Internal, "some error").Err(), }, { - name: "one bundle invalid format", - args: []string{"-id", "spiffe://domain2.test", "-format", "invalid"}, - expectedStderr: "Error: invalid format: \"invalid\"\n", + name: "one bundle invalid bundle format", + args: []string{"-id", "spiffe://domain2.test", "-format", "invalid"}, + expectedStderrPretty: "Error: invalid format: \"invalid\"\n", + expectedStdoutJSON: oneBundleResultJSON, }, { - name: "one bundle (pem)", - args: []string{"-id", "spiffe://domain2.test", "-format", util.FormatPEM}, - expectedStdout: cert2PEM, + name: "one bundle (pem)", + args: []string{"-id", "spiffe://domain2.test", "-format", util.FormatPEM}, + expectedStdoutPretty: cert2PEM, + expectedStdoutJSON: oneBundleResultJSON, }, { - name: "one bundle (jwks)", - args: []string{"-id", "spiffe://domain2.test", "-format", util.FormatSPIFFE}, - expectedStdout: cert2JWKS, + name: "one bundle (jwks)", + 
args: []string{"-id", "spiffe://domain2.test", "-format", util.FormatSPIFFE}, + expectedStdoutPretty: cert2JWKS, + expectedStdoutJSON: oneBundleResultJSON, }, } { - tt := tt - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, newListCommand) - test.server.err = tt.serverErr - test.server.bundles = []*types.Bundle{ - { - TrustDomain: "spiffe://domain1.test", - X509Authorities: []*types.X509Certificate{ - {Asn1: test.cert1.Raw}, - }, - JwtAuthorities: []*types.JWTKey{ - {KeyId: "KID", PublicKey: test.key1Pkix}, + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) { + test := setupTest(t, newListCommand) + test.server.err = tt.serverErr + test.server.bundles = []*types.Bundle{ + { + TrustDomain: "spiffe://domain1.test", + X509Authorities: []*types.X509Certificate{ + {Asn1: test.cert1.Raw}, + }, + JwtAuthorities: []*types.JWTKey{ + {KeyId: "KID", PublicKey: test.key1Pkix}, + }, }, - }, - { - TrustDomain: "spiffe://domain2.test", - X509Authorities: []*types.X509Certificate{ - {Asn1: test.cert2.Raw}, + { + TrustDomain: "spiffe://domain2.test", + X509Authorities: []*types.X509Certificate{ + {Asn1: test.cert2.Raw}, + }, }, - }, - } - - rc := test.client.Run(test.args(tt.args...)) - if tt.expectedStderr != "" { - require.Equal(t, tt.expectedStderr, test.stderr.String()) - require.Equal(t, 1, rc) - return - } - - require.Equal(t, 0, rc) - require.Empty(t, test.stderr.String()) - require.Equal(t, tt.expectedStdout, test.stdout.String()) - }) + } + args := tt.args + args = append(args, "-output", format) + + rc := test.client.Run(test.args(args...)) + + if tt.expectedStderrPretty != "" && format == "pretty" { + require.Equal(t, tt.expectedStderrPretty, test.stderr.String()) + require.Equal(t, 1, rc) + return + } + if tt.expectedStderrJSON != "" && format == "json" { + require.Equal(t, tt.expectedStderrJSON, test.stderr.String()) + require.Equal(t, 1, rc) + return + } + assertOutputBasedOnFormat(t, 
format, test.stdout.String(), tt.expectedStdoutPretty, tt.expectedStdoutJSON) + require.Equal(t, 0, rc) + require.Empty(t, test.stderr.String()) + }) + } } } func TestDeleteHelp(t *testing.T) { test := setupTest(t, newDeleteCommand) test.client.Help() - require.Equal(t, `Usage of bundle delete: - -id string - SPIFFE ID of the trust domain - -mode string - Deletion mode: one of restrict, delete, or dissociate (default "restrict")`+common.AddrUsage, test.stderr.String()) + require.Equal(t, deleteUsage, test.stderr.String()) } func TestDeleteSynopsis(t *testing.T) { @@ -570,21 +695,35 @@ func TestDeleteSynopsis(t *testing.T) { } func TestDelete(t *testing.T) { + deleteResultJSON := `{ + "results": [ + { + "status": { + "code": 0, + "message": "ok" + }, + "trust_domain": "domain1.test" + } + ] +}` for _, tt := range []struct { - name string - args []string - expectedStderr string - expectedStdout string - deleteResults []*bundlev1.BatchDeleteFederatedBundleResponse_Result - mode bundlev1.BatchDeleteFederatedBundleRequest_Mode - toDelete []string - serverErr error + name string + args []string + expectedStderrPretty string + expectedStderrJSON string + expectedStdoutPretty string + expectedStdoutJSON string + deleteResults []*bundlev1.BatchDeleteFederatedBundleResponse_Result + mode bundlev1.BatchDeleteFederatedBundleRequest_Mode + toDelete []string + serverErr error }{ { - name: "success default mode", - args: []string{"-id", "spiffe://domain1.test"}, - expectedStdout: "bundle deleted.\n", - toDelete: []string{"spiffe://domain1.test"}, + name: "success default mode", + args: []string{"-id", "spiffe://domain1.test"}, + expectedStdoutPretty: "bundle deleted.\n", + expectedStdoutJSON: deleteResultJSON, + toDelete: []string{"spiffe://domain1.test"}, deleteResults: []*bundlev1.BatchDeleteFederatedBundleResponse_Result{ { Status: &types.Status{ 
@@ -597,15 +736,17 @@ func TestDelete(t *testing.T) { }, }, { - name: "no id", - expectedStderr: "Error: id is required\n", + name: "no id", + expectedStderrPretty: "Error: id is required\n", + expectedStderrJSON: "Error: id is required\n", }, { - name: "success RESTRICT mode", - args: []string{"-id", "spiffe://domain1.test", "-mode", "restrict"}, - expectedStdout: "bundle deleted.\n", - mode: bundlev1.BatchDeleteFederatedBundleRequest_RESTRICT, - toDelete: []string{"spiffe://domain1.test"}, + name: "success RESTRICT mode", + args: []string{"-id", "spiffe://domain1.test", "-mode", "restrict"}, + expectedStdoutPretty: "bundle deleted.\n", + expectedStdoutJSON: deleteResultJSON, + mode: bundlev1.BatchDeleteFederatedBundleRequest_RESTRICT, + toDelete: []string{"spiffe://domain1.test"}, deleteResults: []*bundlev1.BatchDeleteFederatedBundleResponse_Result{ { Status: &types.Status{ @@ -618,11 +759,12 @@ func TestDelete(t *testing.T) { }, }, { - name: "success DISSOCIATE mode", - args: []string{"-id", "spiffe://domain1.test", "-mode", "dissociate"}, - expectedStdout: "bundle deleted.\n", - mode: bundlev1.BatchDeleteFederatedBundleRequest_DISSOCIATE, - toDelete: []string{"spiffe://domain1.test"}, + name: "success DISSOCIATE mode", + args: []string{"-id", "spiffe://domain1.test", "-mode", "dissociate"}, + expectedStdoutPretty: "bundle deleted.\n", + expectedStdoutJSON: deleteResultJSON, + mode: bundlev1.BatchDeleteFederatedBundleRequest_DISSOCIATE, + toDelete: []string{"spiffe://domain1.test"}, deleteResults: []*bundlev1.BatchDeleteFederatedBundleResponse_Result{ { Status: &types.Status{ 
@@ -635,11 +777,12 @@ func TestDelete(t *testing.T) { }, }, { - name: "success DELETE mode", - args: []string{"-id", "spiffe://domain1.test", "-mode", "delete"}, - expectedStdout: "bundle deleted.\n", - mode: bundlev1.BatchDeleteFederatedBundleRequest_DELETE, - toDelete: []string{"spiffe://domain1.test"}, + name: "success DELETE mode", + args: []string{"-id", "spiffe://domain1.test", "-mode", "delete"}, + expectedStdoutPretty: "bundle deleted.\n", + expectedStdoutJSON: deleteResultJSON, + mode: bundlev1.BatchDeleteFederatedBundleRequest_DELETE, + toDelete: []string{"spiffe://domain1.test"}, deleteResults: []*bundlev1.BatchDeleteFederatedBundleResponse_Result{ { Status: &types.Status{ @@ -652,15 +795,17 @@ func TestDelete(t *testing.T) { }, }, { - name: "invalid mode", - args: []string{"-id", "spiffe://domain1.test", "-mode", "invalid"}, - expectedStderr: "Error: unsupported mode \"invalid\"\n", + name: "invalid mode", + args: []string{"-id", "spiffe://domain1.test", "-mode", "invalid"}, + expectedStderrPretty: "Error: unsupported mode \"invalid\"\n", + expectedStderrJSON: "Error: unsupported mode \"invalid\"\n", }, { - name: "server fails", - args: []string{"-id", "spiffe://domain1.test"}, - expectedStderr: "Error: failed to delete federated bundle: rpc error: code = Internal desc = some error\n", - serverErr: status.New(codes.Internal, "some error").Err(), + name: "server fails", + args: []string{"-id", "spiffe://domain1.test"}, + expectedStderrPretty: "Error: failed to delete federated bundle: rpc error: code = Internal desc = some error\n", + expectedStderrJSON: "Error: failed to delete federated bundle: rpc error: code = Internal desc = some error\n", + serverErr: status.New(codes.Internal, "some error").Err(), }, { name: "fails to delete", 
@@ -676,28 +821,51 @@ func TestDelete(t *testing.T) { TrustDomain: "domain1.test", }, }, - expectedStderr: "Error: failed to delete federated bundle \"domain1.test\": some error\n", + expectedStderrPretty: "Error: failed to delete federated bundle \"domain1.test\": some error\n", + expectedStdoutJSON: `{"results":[{"status":{"code":13,"message":"some error"},"trust_domain":"domain1.test"}]}`, }, } { - tt := tt - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, newDeleteCommand) - test.server.deleteResults = tt.deleteResults - test.server.err = tt.serverErr - test.server.mode = tt.mode - test.server.toDelete = tt.toDelete - - rc := test.client.Run(test.args(tt.args...)) - if tt.expectedStderr != "" { - require.Equal(t, 1, rc) - require.Equal(t, tt.expectedStderr, test.stderr.String()) - - return - } - - require.Empty(t, test.stderr.String()) - require.Equal(t, 0, rc) - require.Equal(t, tt.expectedStdout, test.stdout.String()) - }) + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) { + test := setupTest(t, newDeleteCommand) + test.server.deleteResults = tt.deleteResults + test.server.err = tt.serverErr + test.server.mode = tt.mode + test.server.toDelete = tt.toDelete + args := tt.args + args = append(args, "-output", format) + + rc := test.client.Run(test.args(args...)) + + if tt.expectedStderrPretty != "" && format == "pretty" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expectedStderrPretty, test.stderr.String()) + + return + } + if tt.expectedStderrJSON != "" && format == "json" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expectedStderrJSON, test.stderr.String()) + + return + } + assertOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutPretty, tt.expectedStdoutJSON) + require.Empty(t, test.stderr.String()) + require.Equal(t, 0, rc) + }) + } + } +} + +func assertOutputBasedOnFormat(t *testing.T, format, stdoutString string, expectedStdoutPretty, 
expectedStdoutJSON string) { + switch format { + case "pretty": + require.Contains(t, stdoutString, expectedStdoutPretty) + case "json": + if expectedStdoutJSON != "" { + require.JSONEq(t, expectedStdoutJSON, stdoutString) + } else { + require.Empty(t, stdoutString) + } } } diff --git a/cmd/spire-server/cli/bundle/bundle_windows_test.go b/cmd/spire-server/cli/bundle/bundle_windows_test.go index a10a5a8501..6f5d235f5d 100644 --- a/cmd/spire-server/cli/bundle/bundle_windows_test.go +++ b/cmd/spire-server/cli/bundle/bundle_windows_test.go 
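Review bot: `assertOutputBasedOnFormat`, added at the end of this hunk, checks pretty output with `require.Contains` where the removed assertions used `require.Equal`, so unexpected extra text on stdout no longer fails a test, and a case that leaves `expectedStdoutPretty` empty passes for any output. Consider `require.Equal(t, expectedStdoutPretty, stdoutString)`, with the expected strings carrying their trailing newline (the TestSet cases now give `"bundle set."` without one). The `switch` also has no `default`, so a format added to `availableFormats` later would run with no stdout assertion at all; `default: t.Fatalf("unexpected output format %q", format)` would make that visible.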
@@ -11,7 +11,43 @@ var ( SPIFFE ID of the trust domain -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") + -output value + Desired output format (pretty, json) -path string Path to the bundle data +` + showUsage = `Usage of bundle show: + -format string + The format to show the bundle (only pretty output format supports this flag). Either "pem" or "spiffe". (default "pem") + -namedPipeName string + Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") + -output value + Desired output format (pretty, json) +` + countUsage = `Usage of bundle count: + -namedPipeName string + Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") + -output value + Desired output format (pretty, json) +` + listUsage = `Usage of bundle list: + -format string + The format to list federated bundles (only pretty output format supports this flag). Either "pem" or "spiffe". (default "pem") + -id string + SPIFFE ID of the trust domain + -namedPipeName string + Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") + -output value + Desired output format (pretty, json) +` + deleteUsage = `Usage of bundle delete: + -id string + SPIFFE ID of the trust domain + -mode string + Deletion mode: one of restrict, delete, or dissociate (default "restrict") + -namedPipeName string + Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") + -output value + Desired output format (pretty, json) ` ) diff --git a/cmd/spire-server/cli/bundle/count.go b/cmd/spire-server/cli/bundle/count.go index fb6933358f..82fba385bf 100644 --- a/cmd/spire-server/cli/bundle/count.go +++ b/cmd/spire-server/cli/bundle/count.go 
@@ -5,50 +5,61 @@ import ( "fmt" "github.com/mitchellh/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1" "github.com/spiffe/spire/cmd/spire-server/util" - common_cli "github.com/spiffe/spire/pkg/common/cli" + commoncli "github.com/spiffe/spire/pkg/common/cli" "golang.org/x/net/context" ) -type countCommand struct{} +type countCommand struct { + env *commoncli.Env + printer cliprinter.Printer +} // NewCountCommand creates a new "count" subcommand for "bundle" command. func NewCountCommand() cli.Command { - return NewCountCommandWithEnv(common_cli.DefaultEnv) + return NewCountCommandWithEnv(commoncli.DefaultEnv) } // NewCountCommandWithEnv creates a new "count" subcommand for "bundle" command // using the environment specified. -func NewCountCommandWithEnv(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(countCommand)) +func NewCountCommandWithEnv(env *commoncli.Env) cli.Command { + return util.AdaptCommand(env, &countCommand{env: env}) } func (*countCommand) Name() string { return "bundle count" } -func (countCommand) Synopsis() string { +func (*countCommand) Synopsis() string { return "Count bundles" } // Run counts attested bundles -func (c *countCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { +func (c *countCommand) Run(ctx context.Context, env *commoncli.Env, serverClient util.ServerClient) error { bundleClient := serverClient.NewBundleClient() - countResponse, err := bundleClient.CountBundles(ctx, &bundlev1.CountBundlesRequest{}) + countResp, err := bundleClient.CountBundles(ctx, &bundlev1.CountBundlesRequest{}) if err != nil { return err } - count := int(countResponse.Count) - msg := fmt.Sprintf("%d ", count) - msg = util.Pluralizer(msg, "bundle", "bundles", count) - env.Println(msg) - - return nil + return c.printer.PrintProto(countResp) } func (c *countCommand) AppendFlags(fs *flag.FlagSet) { + 
cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintCount) +} + +func prettyPrintCount(env *commoncli.Env, results ...interface{}) error { + countResp, ok := results[0].(*bundlev1.CountBundlesResponse) + if !ok { + return cliprinter.ErrInternalCustomPrettyFunc + } + count := int(countResp.Count) + msg := fmt.Sprintf("%d ", count) + msg = util.Pluralizer(msg, "bundle", "bundles", count) + return env.Println(msg) } diff --git a/cmd/spire-server/cli/bundle/delete.go b/cmd/spire-server/cli/bundle/delete.go index 4ebc0c2646..7f24e8fc99 100644 --- a/cmd/spire-server/cli/bundle/delete.go +++ b/cmd/spire-server/cli/bundle/delete.go @@ -9,7 +9,8 @@ import ( "github.com/mitchellh/cli" bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1" "github.com/spiffe/spire/cmd/spire-server/util" - common_cli "github.com/spiffe/spire/pkg/common/cli" + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" "google.golang.org/grpc/codes" ) @@ -21,19 +22,21 @@ const ( // NewDeleteCommand creates a new "delete" subcommand for "bundle" command. func NewDeleteCommand() cli.Command { - return newDeleteCommand(common_cli.DefaultEnv) + return newDeleteCommand(commoncli.DefaultEnv) } -func newDeleteCommand(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(deleteCommand)) +func newDeleteCommand(env *commoncli.Env) cli.Command { + return util.AdaptCommand(env, &deleteCommand{env: env}) } type deleteCommand struct { + env *commoncli.Env // SPIFFE ID of the trust domain bundle id string - // Deletion mode mode string + // Command printer + printer cliprinter.Printer } func (c *deleteCommand) Name() string { 
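Review bot: `prettyPrintCount` in count.go indexes `results[0]` before checking that the variadic slice is non-empty, so a call with no results would panic instead of returning `cliprinter.ErrInternalCustomPrettyFunc`. A guard such as `if len(results) == 0 { return cliprinter.ErrInternalCustomPrettyFunc }` ahead of the type assertion keeps that failure on the error path. The same pattern appears in `prettyPrintDelete` (delete.go), `prettyPrintList` (list.go) and `prettyPrintSet` (set.go); the delete and set helpers also index `Results[0]` of the server response with no length check, which was already the case before this change. Whether cliprinter can ever invoke the hook with an empty slice is not visible from this diff.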
@@ -47,9 +50,10 @@ func (c *deleteCommand) Synopsis() string { func (c *deleteCommand) AppendFlags(fs *flag.FlagSet) { fs.StringVar(&c.id, "id", "", "SPIFFE ID of the trust domain") fs.StringVar(&c.mode, "mode", deleteBundleRestrict, fmt.Sprintf("Deletion mode: one of %s, %s, or %s", deleteBundleRestrict, deleteBundleDelete, deleteBundleDissociate)) + cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintDelete) } -func (c *deleteCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { +func (c *deleteCommand) Run(ctx context.Context, env *commoncli.Env, serverClient util.ServerClient) error { if c.id == "" { return errors.New("id is required") } @@ -69,7 +73,16 @@ func (c *deleteCommand) Run(ctx context.Context, env *common_cli.Env, serverClie if err != nil { return fmt.Errorf("failed to delete federated bundle: %w", err) } - result := resp.Results[0] + + return c.printer.PrintProto(resp) +} + +func prettyPrintDelete(env *commoncli.Env, results ...interface{}) error { + deleteResp, ok := results[0].(*bundlev1.BatchDeleteFederatedBundleResponse) + if !ok { + return cliprinter.ErrInternalCustomPrettyFunc + } + result := deleteResp.Results[0] switch result.Status.Code { case int32(codes.OK): env.Println("bundle deleted.") diff --git a/cmd/spire-server/cli/bundle/list.go b/cmd/spire-server/cli/bundle/list.go index b6c1565671..a3c671b81b 100644 --- a/cmd/spire-server/cli/bundle/list.go +++ b/cmd/spire-server/cli/bundle/list.go 
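Review bot: With `-output json`, `deleteCommand.Run` now returns whatever `c.printer.PrintProto(resp)` returns, and the per-result status check lives only in `prettyPrintDelete`, so a delete the server rejected still exits 0. The updated "fails to delete" test case pins this: for JSON it expects the `"code":13` result on stdout together with an empty stderr and return code 0. Automation that removes a federated trust bundle and checks only the exit status would treat a failed removal as done. Consider a check in `Run` after printing, for example `if st := resp.Results[0].Status; st.Code != int32(codes.OK) { return fmt.Errorf("failed to delete federated bundle: %s", st.Message) }`, or document that JSON consumers must inspect `status.code`; `setCommand.Run` in set.go behaves the same way. Both `Run` bodies start outside their hunks.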
@@ -7,22 +7,26 @@ import ( "github.com/mitchellh/cli" bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1" + "github.com/spiffe/spire-api-sdk/proto/spire/api/types" "github.com/spiffe/spire/cmd/spire-server/util" - common_cli "github.com/spiffe/spire/pkg/common/cli" + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" ) // NewListCommand creates a new "list" subcommand for "bundle" command. func NewListCommand() cli.Command { - return newListCommand(common_cli.DefaultEnv) + return newListCommand(commoncli.DefaultEnv) } -func newListCommand(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(listCommand)) +func newListCommand(env *commoncli.Env) cli.Command { + return util.AdaptCommand(env, &listCommand{env: env}) } type listCommand struct { - id string // SPIFFE ID of the trust bundle - format string + env *commoncli.Env + id string // SPIFFE ID of the trust bundle + bundleFormat string + printer cliprinter.Printer } func (c *listCommand) Name() string { 
@@ -35,10 +39,11 @@ func (c *listCommand) Synopsis() string { func (c *listCommand) AppendFlags(fs *flag.FlagSet) { fs.StringVar(&c.id, "id", "", "SPIFFE ID of the trust domain") - fs.StringVar(&c.format, "format", util.FormatPEM, fmt.Sprintf("The format to list federated bundles. Either %q or %q.", util.FormatPEM, util.FormatSPIFFE)) + fs.StringVar(&c.bundleFormat, "format", util.FormatPEM, fmt.Sprintf("The format to list federated bundles (only pretty output format supports this flag). Either %q or %q.", util.FormatPEM, util.FormatSPIFFE)) + cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, c.prettyPrintList) } -func (c *listCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { +func (c *listCommand) Run(ctx context.Context, env *commoncli.Env, serverClient util.ServerClient) error { bundleClient := serverClient.NewBundleClient() if c.id != "" { resp, err := bundleClient.GetFederatedBundle(ctx, &bundlev1.GetFederatedBundleRequest{ @@ -47,7 +52,7 @@ func (c *listCommand) Run(ctx context.Context, env *common_cli.Env, serverClient if err != nil { return err } - return printBundleWithFormat(env.Stdout, resp, c.format, false) + return c.printer.PrintProto(resp) } resp, err := bundleClient.ListFederatedBundles(ctx, &bundlev1.ListFederatedBundlesRequest{}) 
@@ -55,16 +60,27 @@ func (c *listCommand) Run(ctx context.Context, env *common_cli.Env, serverClient return err } - for i, b := range resp.Bundles { - if i != 0 { - if err := env.Println(); err != nil { - return err + return c.printer.PrintProto(resp) +} + +func (c *listCommand) prettyPrintList(env *commoncli.Env, results ...interface{}) error { + if listResp, ok := results[0].(*bundlev1.ListFederatedBundlesResponse); ok { + for i, bundle := range listResp.Bundles { + if i != 0 { + if err := env.Println(); err != nil { + return err + } } - } - if err := printBundleWithFormat(env.Stdout, b, c.format, true); err != nil { - return err + if err := printBundleWithFormat(env.Stdout, bundle, c.bundleFormat, true); err != nil { + return err + } } + return nil } - return nil + if resp, ok := results[0].(*types.Bundle); ok { + return printBundleWithFormat(env.Stdout, resp, c.bundleFormat, false) + } + + return cliprinter.ErrInternalCustomPrettyFunc } diff --git a/cmd/spire-server/cli/bundle/set.go b/cmd/spire-server/cli/bundle/set.go index ad80c210b7..3ae9c010f9 100644 --- a/cmd/spire-server/cli/bundle/set.go +++ b/cmd/spire-server/cli/bundle/set.go @@ -11,6 +11,7 @@ import ( "github.com/spiffe/spire-api-sdk/proto/spire/api/types" "github.com/spiffe/spire/cmd/spire-server/util" common_cli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" "google.golang.org/grpc/codes" ) @@ -20,17 +21,17 @@ func NewSetCommand() cli.Command { } func newSetCommand(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(setCommand)) + return util.AdaptCommand(env, &setCommand{env: env}) } type setCommand struct { + env *common_cli.Env // SPIFFE ID of the trust bundle id string - // Path to the bundle on disk (optional). If empty, reads from stdin. - path string - - format string + path string + bundleFormat string + printer cliprinter.Printer } func (c *setCommand) Name() string { 
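Review bot: `listCommand.Run` in list.go now hands both responses straight to `c.printer.PrintProto`, and `c.bundleFormat` is read only inside `prettyPrintList`, so with `-output json` an invalid `-format` value is accepted silently. The updated TestList cases "all bundles invalid bundle format" and "one bundle invalid bundle format" expect normal JSON output for `-format invalid`, while pretty mode still reports `invalid format`. set.go keeps its `validateFormat(c.bundleFormat)` call at the top of `Run`; doing the same here would reject the bad flag in every output mode, for example `if _, err := validateFormat(c.bundleFormat); err != nil { return err }`. `Run` begins outside this hunk.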
@@ -44,7 +45,8 @@ func (c *setCommand) Synopsis() string { func (c *setCommand) AppendFlags(fs *flag.FlagSet) { fs.StringVar(&c.id, "id", "", "SPIFFE ID of the trust domain") fs.StringVar(&c.path, "path", "", "Path to the bundle data") - fs.StringVar(&c.format, "format", util.FormatPEM, fmt.Sprintf("The format of the bundle data. Either %q or %q.", util.FormatPEM, util.FormatSPIFFE)) + fs.StringVar(&c.bundleFormat, "format", util.FormatPEM, fmt.Sprintf("The format of the bundle data. Either %q or %q.", util.FormatPEM, util.FormatSPIFFE)) + cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintSet) } func (c *setCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { @@ -52,7 +54,7 @@ func (c *setCommand) Run(ctx context.Context, env *common_cli.Env, serverClient return errors.New("id flag is required") } - format, err := validateFormat(c.format) + bundleFormat, err := validateFormat(c.bundleFormat) if err != nil { return err } @@ -62,7 +64,7 @@ func (c *setCommand) Run(ctx context.Context, env *common_cli.Env, serverClient return fmt.Errorf("unable to load bundle data: %w", err) } - bundle, err := util.ParseBundle(bundleBytes, format, c.id) + bundle, err := util.ParseBundle(bundleBytes, bundleFormat, c.id) if err != nil { return err } @@ -75,7 +77,15 @@ func (c *setCommand) Run(ctx context.Context, env *common_cli.Env, serverClient return fmt.Errorf("failed to set federated bundle: %w", err) } - result := resp.Results[0] + return c.printer.PrintProto(resp) +} + +func prettyPrintSet(env *common_cli.Env, results ...interface{}) error { + setResp, ok := results[0].(*bundlev1.BatchSetFederatedBundleResponse) + if !ok { + return cliprinter.ErrInternalCustomPrettyFunc + } + result := setResp.Results[0] switch result.Status.Code { case int32(codes.OK): env.Println("bundle set.") diff --git a/cmd/spire-server/cli/bundle/show.go b/cmd/spire-server/cli/bundle/show.go index ab0a337fc5..b36f3777a6 100644 
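Review bot: In set.go's `Run`, the per-result status check now lives only in `prettyPrintSet`, so with a non-pretty output format `return c.printer.PrintProto(resp)` appears to be the only outcome, and a result whose `Status.Code` is not `codes.OK` may no longer yield a non-nil error. Automation that relies on the exit status to learn that a federated bundle was not set would then see success. Consider checking `resp.Results[0].Status.Code` (after a length check on `resp.Results`) in `Run` before printing, or documenting that consumers of machine-readable output must inspect the status themselves. The `switch` body continues outside the hunk, so the non-OK branches are not visible here.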
--- a/cmd/spire-server/cli/bundle/show.go +++ b/cmd/spire-server/cli/bundle/show.go @@ -7,8 +7,10 @@ import ( "github.com/mitchellh/cli" bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1" + "github.com/spiffe/spire-api-sdk/proto/spire/api/types" "github.com/spiffe/spire/cmd/spire-server/util" common_cli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" ) // NewShowCommand creates a new "show" subcommand for "bundle" command. @@ -17,11 +19,13 @@ func NewShowCommand() cli.Command { } func newShowCommand(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(showCommand)) + return util.AdaptCommand(env, &showCommand{env: env}) } type showCommand struct { - format string + env *common_cli.Env + bundleFormat string + printer cliprinter.Printer } func (c *showCommand) Name() string { @@ -33,7 +37,8 @@ func (c *showCommand) Synopsis() string { } func (c *showCommand) AppendFlags(fs *flag.FlagSet) { - fs.StringVar(&c.format, "format", util.FormatPEM, fmt.Sprintf("The format to show the bundle. Either %q or %q.", util.FormatPEM, util.FormatSPIFFE)) + fs.StringVar(&c.bundleFormat, "format", util.FormatPEM, fmt.Sprintf("The format to show the bundle (only pretty output format supports this flag). Either %q or %q.", util.FormatPEM, util.FormatSPIFFE)) + cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, c.prettyPrintBundle) } func (c *showCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { 
@@ -43,5 +48,13 @@ func (c *showCommand) Run(ctx context.Context, env *common_cli.Env, serverClient return err } - return printBundleWithFormat(env.Stdout, resp, c.format, false) + return c.printer.PrintProto(resp) +} + +func (c *showCommand) prettyPrintBundle(env *common_cli.Env, results ...interface{}) error { + showResp, ok := results[0].(*types.Bundle) + if !ok { + return cliprinter.ErrInternalCustomPrettyFunc + } + return printBundleWithFormat(env.Stdout, showResp, c.bundleFormat, false) } From e6634a9793cda9bd327bc8ba98487e2a683d69d7 Mon Sep 17 00:00:00 2001 From: Matheus Santos Date: Thu, 1 Dec 2022 11:44:27 -0300 Subject: [PATCH 164/257] refactor: added a comment to verifyFunction in sigstore.go file (#179) Signed-off-by: Matheus Santos (cherry picked from commit 5eac8bc623ad0aae6876ab9c7c3cd99414f62f0b) Signed-off-by: Rodrigo Lopes Signed-off-by: Matheus Santos Signed-off-by: Rodrigo Lopes Co-authored-by: Rodrigo Lopes --- pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 5b22d2b2b7..3bf34ff24b 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -76,6 +76,7 @@ type SelectorsFromSignatures struct { func New(cache Cache, logger hclog.Logger) Sigstore { return &sigstoreImpl{ functionHooks: sigstoreFunctionHooks{ + // verifyFunction does all the images signatures checks, returning the verified signatures. If there were no valid signatures, it returns an error. verifyFunction: cosign.VerifyImageSignatures, fetchImageManifestFunction: remote.Get, checkOptsFunction: defaultCheckOptsFunction, From b1c7fb7ecf05365f168d926e523feb36029b87a9 Mon Sep 17 00:00:00 2001 
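Review bot: The comment added above `verifyFunction` in `New` mentions only the returned signatures and the error, but `cosign.VerifyImageSignatures` also returns a boolean reporting whether a transparency-log bundle was verified. Presumably that value is what drives the `bundle not verified` error exercised in the tests, so it is worth naming. I would word it as `// verifyFunction verifies the image signatures and returns the verified signatures, whether a bundle was verified, and an error when no signature is valid.` The struct literal continues outside the hunk.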
From: Matheus Santos Date: Thu, 1 Dec 2022 11:49:05 -0300 Subject: [PATCH 165/257] Adding sigstore cosign pr adjustments 24112022 (#180) * refactor: removed certSubject function from sigstore.go and started using CertSubject function from cosign/pkg/signature/keys.go as suggested in pr review Signed-off-by: Matheus Santos * fix: lint adjustment in sigstore.go file Signed-off-by: Matheus Santos Signed-off-by: Matheus Santos --- .../workloadattestor/k8s/sigstore/sigstore.go | 19 ++----------------- 1 file changed, 2 insertions(+), 17 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 3bf34ff24b..3e08623988 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -6,14 +6,12 @@ package sigstore import ( "bytes" "context" - "crypto/x509" "encoding/base64" "encoding/json" "errors" "fmt" "net/url" "strconv" - "strings" "github.com/google/go-containerregistry/pkg/name" v1 "github.com/google/go-containerregistry/pkg/v1" @@ -23,6 +21,7 @@ import ( "github.com/sigstore/cosign/pkg/cosign" "github.com/sigstore/cosign/pkg/cosign/bundle" "github.com/sigstore/cosign/pkg/oci" + sig "github.com/sigstore/cosign/pkg/signature" rekor "github.com/sigstore/rekor/pkg/generated/client" "github.com/sigstore/sigstore/pkg/signature/payload" corev1 "k8s.io/api/core/v1" @@ -365,7 +364,7 @@ func getSignatureSubject(signature oci.Signature) (string, error) { } if cert != nil { - return certSubject(cert), nil + return sig.CertSubject(cert), nil } if len(ss.Optional) > 0 { if subjString, ok := ss.Optional["subject"]; ok { 
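Review bot: In `getSignatureSubject`, the subject that is later matched against the allow-list now comes from cosign's `sig.CertSubject` rather than the local helper, and nothing in this change pins the two to the same output. The removed `certSubject` (deleted in the next hunk) guarded with `len(...) > 0` and stripped a leading `//` from `c.URIs[0].String()`. If the upstream function behaves differently, a certificate with only a URI SAN could yield a subject string that no longer matches what operators have configured, and a different selector value. Please confirm against the vendored cosign version and add a test case with a URI-only certificate that asserts the exact subject string. The function body continues outside the hunk.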
@@ -420,20 +419,6 @@ func selectorsToString(selectors SelectorsFromSignatures, containerID string) [] return selectorsString } -func certSubject(c *x509.Certificate) string { - switch { - case c == nil: - return "" - case len(c.EmailAddresses) > 0: - return c.EmailAddresses[0] - case len(c.URIs) > 0: - // removing leading '//' from c.URIs[0].String() - return strings.TrimPrefix(c.URIs[0].String(), "//") - default: - return "" - } -} - func validateRefDigest(dgst name.Digest, digest string) (bool, error) { if dgst.DigestStr() == digest { return true, nil From 5b8d3653b54a805a0646557e7538331d561e9681 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Thu, 1 Dec 2022 16:25:41 +0100 Subject: [PATCH 166/257] Remove strategy from Windows jobs (#3652) strategy required matrix and only has effect on matrix builds. My vscode has linting against the scheme and showed a squigly at this element in the yaml Signed-off-by: Marco Franssen --- .github/workflows/pr_build.yaml | 2 -- .github/workflows/release_build.yaml | 2 -- 2 files changed, 4 deletions(-) diff --git a/.github/workflows/pr_build.yaml b/.github/workflows/pr_build.yaml index eaa3d9ee5b..c8dbe6d23a 100644 --- a/.github/workflows/pr_build.yaml +++ b/.github/workflows/pr_build.yaml @@ -278,8 +278,6 @@ jobs: name: integration (windows) runs-on: windows-2022 needs: images-windows - strategy: - fail-fast: false defaults: run: shell: msys2 {0} diff --git a/.github/workflows/release_build.yaml b/.github/workflows/release_build.yaml index fc9555679f..c87af95450 100644 --- a/.github/workflows/release_build.yaml +++ b/.github/workflows/release_build.yaml @@ -287,8 +287,6 @@ jobs: name: integration (windows) runs-on: windows-2022 needs: images-windows - strategy: - fail-fast: false defaults: run: shell: msys2 {0} From 4488f2c93f7ec1b04e5651f090d8a21852fdb1b9 Mon Sep 17 00:00:00 2001 From: joaoguazzelli Date: Thu, 1 Dec 2022 13:56:32 -0300 Subject: [PATCH 167/257] Fix error declaration (#182) * fix: fixed errors declaration 
Signed-off-by: joaoguazzelli * fix: removed wantErr in favor of wantedErr not nil Signed-off-by: joaoguazzelli * fix: removed wantErr in favor of wantedErr not nil Signed-off-by: joaoguazzelli Signed-off-by: joaoguazzelli --- .../k8s/sigstore/sigstore_test.go | 79 ++++--------------- 1 file changed, 17 insertions(+), 62 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 6dea36fc76..938411c09e 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -127,7 +127,6 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { wantedVerifyArguments verifyFunctionArguments wantedCheckOptsArguments checkOptsFunctionArguments want []oci.Signature - wantErr bool wantedErr error }{ { @@ -167,7 +166,6 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), }, }, - wantErr: false, }, { name: "fetch image with 2 signatures", @@ -212,7 +210,6 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 4","key3": "value 5"}}`), }, }, - wantErr: false, }, { name: "fetch image with no signature", 
@@ -243,7 +240,6 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { url: rekorDefaultURL(), }, want: nil, - wantErr: true, wantedErr: fmt.Errorf("error verifying signature: %w", errors.New("no matching signatures 2")), }, { // TODO: check again, same as above test. should never happen, since the verify function returns an error on empty verified signature list @@ -275,7 +271,6 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { url: rekorDefaultURL(), }, want: nil, - wantErr: false, wantedErr: nil, }, { @@ -311,7 +306,6 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { url: rekorDefaultURL(), }, want: nil, - wantErr: true, wantedErr: fmt.Errorf("error verifying signature: %w", errors.New("unexpected error")), }, { @@ -347,7 +341,6 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { url: rekorDefaultURL(), }, want: nil, - wantErr: true, wantedErr: fmt.Errorf("bundle not verified for %q", "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), }, { @@ -364,7 +357,6 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { imageName: "invali|].url.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", }, want: nil, - wantErr: true, wantedErr: fmt.Errorf("error parsing image reference: %w", errors.New("could not parse reference: invali|].url.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505")), }, { @@ -391,7 +383,6 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { url: url.URL{}, }, want: nil, - wantErr: true, wantedErr: fmt.Errorf("could not create cosign check options: %w", emptyError), }, { 
@@ -415,7 +406,6 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { wantedVerifyArguments: verifyFunctionArguments{}, wantedCheckOptsArguments: checkOptsFunctionArguments{}, want: nil, - wantErr: true, wantedErr: fmt.Errorf("could not validate image reference digest: %w", errors.New("digest sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505 does not match sha256:4fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505")), }, } @@ -434,7 +424,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { rekorURL: tt.fields.rekorURL, } got, err := sigstore.FetchImageSignatures(context.Background(), tt.args.imageName) - if tt.wantErr { + if tt.wantedErr != nil { require.EqualError(t, err, tt.wantedErr.Error()) } else { require.NoError(t, err) @@ -933,7 +923,6 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { wantedFetchArguments fetchFunctionArguments wantedVerifyArguments verifyFunctionArguments want bool - wantErr bool wantedErr error }{ { @@ -954,7 +943,6 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { }, wantedVerifyArguments: verifyFunctionArguments{}, want: true, - wantErr: false, }, { name: "error on image manifest fetch", @@ -971,7 +959,6 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { options: nil, }, want: false, - wantErr: true, wantedErr: errors.New("fetch error 123"), }, { @@ -991,7 +978,6 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { options: nil, }, want: false, - wantErr: true, wantedErr: errors.New("manifest is empty"), }, { @@ -1012,7 +998,6 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { }, wantedVerifyArguments: verifyFunctionArguments{}, want: true, - wantErr: false, }, } for _, tt := range tests { @@ -1245,7 +1230,6 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { args args containerID string want *SelectorsFromSignatures - wantErr bool wantedErr error }{ { 
@@ -1273,7 +1257,6 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { LogID: "samplelogID", IntegratedTime: "12345", }, - wantErr: false, }, { name: "selector from signature, empty subject", @@ -1295,8 +1278,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, containerID: "111111", want: nil, - wantErr: true, - wantedErr: fmt.Errorf("error getting signature subject: empty subject"), + wantedErr: errors.New("error getting signature subject: empty subject"), }, { name: "selector from signature, not in allowlist", @@ -1313,8 +1295,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, containerID: "222222", want: nil, - wantErr: true, - wantedErr: fmt.Errorf("subject %q not in allow-list", "spirex1@example.com"), + wantedErr: errors.New("subject \"spirex1@example.com\" not in allow-list"), }, { name: "selector from signature, allowedlist enabled, in allowlist", @@ -1343,7 +1324,6 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { LogID: "samplelogID", IntegratedTime: "12345", }, - wantErr: false, }, { name: "selector from signature, allowedlist enabled, in allowlist, empty content", @@ -1367,8 +1347,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, containerID: "444444", want: nil, - wantErr: true, - wantedErr: fmt.Errorf("error getting signature content: bundle payload body has no signature content"), + wantedErr: errors.New("error getting signature content: bundle payload body has no signature content"), }, { name: "selector from signature, nil bundle", @@ -1383,8 +1362,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, containerID: "555555", want: nil, - wantErr: true, - wantedErr: fmt.Errorf("error getting signature bundle: no bundle test"), + wantedErr: errors.New("error getting signature bundle: no bundle test"), }, { name: "selector from signature, bundle payload body is not a string", 
@@ -1406,8 +1384,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, containerID: "000000", want: nil, - wantErr: true, - wantedErr: fmt.Errorf("error getting signature content: expected payload body to be a string but got int instead"), + wantedErr: errors.New("error getting signature content: expected payload body to be a string but got int instead"), }, { name: "selector from signature, bundle payload body is not valid base64", @@ -1429,8 +1406,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, containerID: "000000", want: nil, - wantErr: true, - wantedErr: fmt.Errorf("error getting signature content: illegal base64 data at input byte 3"), + wantedErr: errors.New("error getting signature content: illegal base64 data at input byte 3"), }, { name: "selector from signature, bundle payload body has no signature content", @@ -1452,8 +1428,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, containerID: "000000", want: nil, - wantErr: true, - wantedErr: fmt.Errorf("error getting signature content: bundle payload body has no signature content"), + wantedErr: errors.New("error getting signature content: bundle payload body has no signature content"), }, { name: "selector from signature, bundle payload body signature content is empty", @@ -1475,8 +1450,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, containerID: "000000", want: nil, - wantErr: true, - wantedErr: fmt.Errorf("error getting signature content: bundle payload body has no signature content"), + wantedErr: errors.New("error getting signature content: bundle payload body has no signature content"), }, { name: "selector from signature, bundle payload body is not a valid JSON", 
@@ -1498,8 +1472,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, containerID: "000000", want: nil, - wantErr: true, - wantedErr: fmt.Errorf("error getting signature content: failed to parse bundle body: invalid character ',' looking for beginning of value"), + wantedErr: errors.New("error getting signature content: failed to parse bundle body: invalid character ',' looking for beginning of value"), }, { name: "selector from signature, empty signature array", @@ -1512,8 +1485,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, containerID: "000000", want: nil, - wantErr: true, - wantedErr: fmt.Errorf("error getting signature subject: signature is nil"), + wantedErr: errors.New("error getting signature subject: signature is nil"), }, { name: "selector from signature, single image signature, no payload", @@ -1526,8 +1498,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, containerID: "000000", want: nil, - wantErr: true, - wantedErr: fmt.Errorf("error getting signature subject: no payload test"), + wantedErr: errors.New("error getting signature subject: no payload test"), }, { name: "selector from signature, single image signature, no certs", @@ -1542,8 +1513,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, containerID: "000000", want: nil, - wantErr: true, - wantedErr: fmt.Errorf("error getting signature subject: failed to access signature certificate: no cert test"), + wantedErr: errors.New("error getting signature subject: failed to access signature certificate: no cert test"), }, { name: "selector from signature, single image signature,garbled subject in signature", 
@@ -1558,8 +1528,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, containerID: "000000", want: nil, - wantErr: true, - wantedErr: fmt.Errorf("error getting signature subject: invalid character '0' in string escape code"), + wantedErr: errors.New("error getting signature subject: invalid character '0' in string escape code"), }, } @@ -1598,7 +1567,6 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { wantedVerifyArguments verifyFunctionArguments wantedCheckOptsArguments checkOptsFunctionArguments want []string - wantErr bool wantedErr error }{ { @@ -1647,7 +1615,6 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { want: []string{ "000000:image-signature-subject:spirex@example.com", "000000:image-signature-content:MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", "000000:image-signature-logid:samplelogID", "000000:image-signature-integrated-time:12345", "sigstore-validation:passed", }, - wantErr: false, }, { name: "Attest skipped image", @@ -1670,7 +1637,6 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { want: []string{ "sigstore-validation:passed", }, - wantErr: false, }, { name: "Attest image with no signature", @@ -1705,7 +1671,6 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { url: rekorDefaultURL(), }, want: nil, - wantErr: true, wantedErr: fmt.Errorf("error verifying signature: %w", errors.New("no signature found")), }, { @@ -1735,7 +1700,6 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { url: url.URL{}, }, want: nil, - wantErr: true, wantedErr: fmt.Errorf("could not create cosign check options: %w", emptyError), }, } 
@@ -1757,13 +1721,10 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { } got, err := sigstore.AttestContainerSignatures(context.Background(), &tt.status) - if err != nil { - if !tt.wantErr { - t.Errorf("sigstoreImpl.AttestContainerSignatures() has error, wantErr %v", tt.wantErr) - } + if tt.wantedErr != nil { require.EqualError(t, err, tt.wantedErr.Error(), "sigstoreImpl.AttestContainerSignatures() error = %v, wantedErr = %v", err, tt.wantedErr) - } else if tt.wantErr { - t.Errorf("sigstoreImpl.AttestContainerSignatures() no error, wantErr = %v, wantedErr %v", tt.wantErr, tt.wantedErr) + } else { + require.NoError(t, err) } require.Equal(t, tt.want, got, "sigstoreImpl.AttestContainerSignatures() = %v, want %v", got, tt.want) @@ -1786,7 +1747,6 @@ func TestSigstoreimpl_SetRekorURL(t *testing.T) { fields fields args args want url.URL - wantErr bool wantedErr error }{ { @@ -1801,7 +1761,6 @@ func TestSigstoreimpl_SetRekorURL(t *testing.T) { Scheme: "https", Host: "rekor.com", }, - wantErr: false, }, { name: "SetRekorURL with empty url", @@ -1818,7 +1777,6 @@ func TestSigstoreimpl_SetRekorURL(t *testing.T) { Scheme: "https", Host: "non.empty.url", }, - wantErr: true, wantedErr: fmt.Errorf("rekor URL is empty"), }, { @@ -1830,7 +1788,6 @@ func TestSigstoreimpl_SetRekorURL(t *testing.T) { rekorURL: "http://invalid.{{}))}.url.com", // invalid url }, want: url.URL{}, - wantErr: true, wantedErr: fmt.Errorf("failed parsing rekor URI: parse %q: invalid character %q in host name", "http://invalid.{{}))}.url.com", "{"), }, { @@ -1842,7 +1799,6 @@ func TestSigstoreimpl_SetRekorURL(t *testing.T) { rekorURL: "path-no-host", // URI parser uses this as path, not host }, want: url.URL{}, - wantErr: true, wantedErr: fmt.Errorf("host is required on rekor URL"), }, { 
@@ -1854,7 +1810,6 @@ func TestSigstoreimpl_SetRekorURL(t *testing.T) { rekorURL: "abc://invalid.url.com", // invalid scheme }, want: url.URL{}, - wantErr: true, wantedErr: fmt.Errorf("invalid rekor URL Scheme %q", "abc"), }, } From b0cc07b2d959aa25361f7adfa687eee5a9546cf0 Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Thu, 1 Dec 2022 16:32:41 -0300 Subject: [PATCH 168/257] fix: per marcos' comments (#181) Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes --- .../workloadattestor/k8s/k8s_posix_test.go | 21 +++---------------- 1 file changed, 3 insertions(+), 18 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go index 0bcc5ad687..af8461e47a 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go @@ -372,24 +372,9 @@ func (s *Suite) TestAttestWithFailedSigstoreSignatures() { s.oc.fakeClient.returnError = errors.New("sigstore error 123") s.requireAttestFailureWithPod(v1, codes.Internal, "error retrieving signature payload: sigstore error 123") - s.Require().Contains(buf.String(), "Error retrieving signature payload") - s.Require().Contains(buf.String(), "error=\"sigstore error 123\"") -} - -func (s *Suite) TestLogger() { - s.startInsecureKubelet() - - p := s.newPlugin() - plugintest.Load(s.T(), builtin(p), nil) - - newLog := hclog.New(&hclog.LoggerOptions{ - Name: "new_test_logger", - }) - p.SetLogger(newLog) - - s.Require().Same(newLog, p.log) - s.Require().Contains(p.log.Name(), newLog.Name()) - s.Require().Contains(p.log.Name(), "new_test_log") + logString := buf.String() + s.Require().Contains(logString, "Error retrieving signature payload") + s.Require().Contains(logString, "error=\"sigstore error 123\"") } func (s *Suite) TestAttestWhenContainerNotReadyButContainerSelectorsDisabled() { From 764ed3c5c15ae6d958622c2bc7a79f6265561ca2 Mon Sep 17 00:00:00 2001 
From: Rodrigo Lopes Date: Thu, 1 Dec 2022 16:33:33 -0300 Subject: [PATCH 169/257] Moving functions and declarations (#183) misc: moving functions and declarations Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes --- .../workloadattestor/k8s/k8s_posix_test.go | 12 ++--- .../plugin/workloadattestor/k8s/k8s_test.go | 44 ++++++++-------- .../workloadattestor/k8s/sigstore/sigstore.go | 50 +++++++++---------- 3 files changed, 53 insertions(+), 53 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go index af8461e47a..3526b48479 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go @@ -430,12 +430,6 @@ func (s *Suite) requireAttestSuccessWithPodSystemdCgroups(p workloadattestor.Wor s.requireAttestSuccess(p, testPodAndContainerSelectors) } -func (s *Suite) requireAttestFailureWithPod(p workloadattestor.WorkloadAttestor, code codes.Code, contains string) { - s.addPodListResponse(podListFilePath) - s.addGetContainerResponsePidInPod() - s.requireAttestFailure(p, code, contains) -} - func TestGetContainerIDFromCGroups(t *testing.T) { makeCGroups := func(groupPaths []string) []cgroups.Cgroup { var out []cgroups.Cgroup @@ -658,6 +652,12 @@ func (s *Suite) requireAttestSuccessWithPodAndSkippedImage(p workloadattestor.Wo s.requireAttestSuccess(p, testSigstoreSkippedSelectors) } +func (s *Suite) requireAttestFailureWithPod(p workloadattestor.WorkloadAttestor, code codes.Code, contains string) { + s.addPodListResponse(podListFilePath) + s.addGetContainerResponsePidInPod() + s.requireAttestFailure(p, code, contains) +} + type osConfig struct { fakeClient *sigstoreMock } diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index 232ba63e18..fc1acb94f3 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go 
+++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -80,10 +80,32 @@ FwOGLt+I3+9beT0vo+pn9Rq0squewFYe3aJbwpkyfP2xOovQCdm4PC8y testPodAndContainerSelectors = append(testPodSelectors, testContainerSelectors...) ) +type attestResult struct { + selectors []*common.Selector + err error +} + func TestPlugin(t *testing.T) { spiretest.Run(t, new(Suite)) } +type Suite struct { + spiretest.Suite + + dir string + clock *clock.Mock + + podList [][]byte + env map[string]string + + // kubelet stuff + server *httptest.Server + kubeletCert *x509.Certificate + clientCert *x509.Certificate + + oc *osConfig +} + func (s *Suite) SetupTest() { s.dir = s.TempDir() s.writeFile(defaultTokenPath, "default-token") @@ -791,28 +813,6 @@ func (s *Suite) addPodListResponse(fixturePath string) { s.podList = append(s.podList, podList) } -type Suite struct { - spiretest.Suite - - dir string - clock *clock.Mock - - podList [][]byte - env map[string]string - - // kubelet stuff - server *httptest.Server - kubeletCert *x509.Certificate - clientCert *x509.Certificate - - oc *osConfig -} - -type attestResult struct { - selectors []*common.Selector - err error -} - type testFS string func (fs testFS) Open(path string) (io.ReadCloser, error) { diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 3e08623988..4d7a9f4c58 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go 
@@ -91,31 +91,6 @@ func New(cache Cache, logger hclog.Logger) Sigstore { } } -func defaultCheckOptsFunction(rekorURL url.URL) (*cosign.CheckOpts, error) { - switch { - case rekorURL.Host == "": - return nil, errors.New("rekor URL host is empty") - case rekorURL.Scheme == "": - return nil, errors.New("rekor URL scheme is empty") - case rekorURL.Path == "": - return nil, errors.New("rekor URL path is empty") - } - - rootCerts, err := fulcio.GetRoots() - if err != nil { - return nil, fmt.Errorf("failed to get fulcio root certificates: %w", err) - } - - co := &cosign.CheckOpts{ - // Set the rekor client - RekorClient: rekor.NewHTTPClientWithConfig(nil, rekor.DefaultTransportConfig().WithBasePath(rekorURL.Path).WithHost(rekorURL.Host)), - RootCerts: rootCerts, - } - co.IntermediateCerts, err = fulcio.GetIntermediates() - - return co, err -} - type sigstoreImpl struct { functionHooks sigstoreFunctionHooks skippedImages map[string]struct{} @@ -437,3 +412,28 @@ type sigstoreFunctionHooks struct { fetchImageManifestFunction fetchImageManifestFunctionType checkOptsFunction checkOptsFunctionType } + +func defaultCheckOptsFunction(rekorURL url.URL) (*cosign.CheckOpts, error) { + switch { + case rekorURL.Host == "": + return nil, errors.New("rekor URL host is empty") + case rekorURL.Scheme == "": + return nil, errors.New("rekor URL scheme is empty") + case rekorURL.Path == "": + return nil, errors.New("rekor URL path is empty") + } + + rootCerts, err := fulcio.GetRoots() + if err != nil { + return nil, fmt.Errorf("failed to get fulcio root certificates: %w", err) + } + + co := &cosign.CheckOpts{ + // Set the rekor client + RekorClient: rekor.NewHTTPClientWithConfig(nil, rekor.DefaultTransportConfig().WithBasePath(rekorURL.Path).WithHost(rekorURL.Host)), + RootCerts: rootCerts, + } + co.IntermediateCerts, err = fulcio.GetIntermediates() + + return co, err +} From f41fb65a5d93bcc323f89f2890423be424e190e9 Mon Sep 17 00:00:00 2001 
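Review bot: In the relocated `defaultCheckOptsFunction`, the closing `co.IntermediateCerts, err = fulcio.GetIntermediates()` followed by `return co, err` hands back a partially populated `*cosign.CheckOpts` together with the error. That error also lacks the context the root-certificate failure gets. Since this function assembles the trust material used for signature verification, I would fail explicitly with `if err != nil { return nil, fmt.Errorf("failed to get fulcio intermediate certificates: %w", err) }` and then `return co, nil`.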
From: Rodrigo Lopes Date: Thu, 1 Dec 2022 16:44:58 -0300 Subject: [PATCH 170/257] Empty scheme not allowed anymore (#184) * fix: empty scheme not allowed anymore Signed-off-by: Rodrigo Lopes * tests: fixed url testing Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes --- .../workloadattestor/k8s/sigstore/sigstore.go | 6 +++--- .../workloadattestor/k8s/sigstore/sigstore_test.go | 13 ++++++++++++- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 4d7a9f4c58..c016073f2b 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -311,12 +311,12 @@ func (s *sigstoreImpl) SetRekorURL(rekorURL string) error { if err != nil { return fmt.Errorf("failed parsing rekor URI: %w", err) } - if rekorURI.Scheme != "" && rekorURI.Scheme != "https" { - return fmt.Errorf("invalid rekor URL Scheme %q", rekorURI.Scheme) - } if rekorURI.Host == "" { return fmt.Errorf("host is required on rekor URL") } + if rekorURI.Scheme != "https" { + return fmt.Errorf("invalid rekor URL Scheme %q", rekorURI.Scheme) + } s.rekorURL = *rekorURI return nil } diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 938411c09e..21394c42b2 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go 
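Review bot: `SetRekorURL` in sigstore.go still accepts an https URL with an empty path, while `defaultCheckOptsFunction` in the same file rejects `rekorURL.Path == ""` with `rekor URL path is empty`. The existing test case expecting `url.URL{Scheme: "https", Host: "rekor.com"}` suggests such a value passes configuration. If so, the mismatch would only surface at attestation time, as a check-options error for every image. Either validate the path here too, e.g. `if rekorURI.Path == "" { return errors.New("path is required on rekor URL") }`, or relax the later check so the two agree. Separately, `fmt.Errorf("host is required on rekor URL")` has no format verbs and could be `errors.New`.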
@@ -1807,11 +1807,22 @@ func TestSigstoreimpl_SetRekorURL(t *testing.T) { rekorURL: url.URL{}, }, args: args{ - rekorURL: "abc://invalid.url.com", // invalid scheme + rekorURL: "abc://invalid.scheme.com", // invalid scheme }, want: url.URL{}, wantedErr: fmt.Errorf("invalid rekor URL Scheme %q", "abc"), }, + { + name: "SetRekorURL with empty URL scheme", + fields: fields{ + rekorURL: url.URL{}, + }, + args: args{ + rekorURL: "//no.scheme.com/path", // empty scheme + }, + want: url.URL{}, + wantedErr: fmt.Errorf("invalid rekor URL Scheme \"\""), + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { From 4fe4258ac03fd15fdfd61d8f5181629b050bee18 Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Thu, 1 Dec 2022 16:45:10 -0300 Subject: [PATCH 171/257] cleanup test structs (#185) tests: removed unused fields from config test struct Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes --- .../plugin/workloadattestor/k8s/k8s_test.go | 20 ++++++++----------- 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go index fc1acb94f3..f8ed846167 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go @@ -284,18 +284,14 @@ func (s *Suite) TestConfigure() { s.writeCert("some-other-ca", s.kubeletCert) type config struct { - Insecure bool - VerifyKubelet bool - HasNodeName bool - Token string - KubeletURL string - MaxPollAttempts int - PollRetryInterval time.Duration - ReloadInterval time.Duration - SkippedImages []string - AllowedSubjectListEnabled bool - AllowedSubjects []string - RekorURL string + Insecure bool + VerifyKubelet bool + HasNodeName bool + Token string + KubeletURL string + MaxPollAttempts int + PollRetryInterval time.Duration + ReloadInterval time.Duration } testCases := []struct { From 36e05dc2e9e562258a9445b864ec47c3ca9fd261 Mon Sep 17 00:00:00 2001 
From: Rodrigo Lopes Date: Thu, 1 Dec 2022 16:45:30 -0300 Subject: [PATCH 172/257] misc: simplified errors and code flow (#186) * misc: simplified errors and code flow Signed-off-by: Rodrigo Lopes * lint: removed newline Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes --- .../workloadattestor/k8s/sigstore/sigstore.go | 28 +++++++++---------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index c016073f2b..12d75ae273 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -162,7 +162,7 @@ func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, cont } if subject == "" { - return nil, fmt.Errorf("error getting signature subject: %w", errors.New("empty subject")) + return nil, errors.New("error getting signature subject: empty subject") } if s.allowListEnabled { 
@@ -171,28 +171,26 @@ func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, cont } } - selectorsFromSignatures := &SelectorsFromSignatures{Subject: subject} - bundle, err := signature.Bundle() - if err != nil { + switch { + case err != nil: return nil, fmt.Errorf("error getting signature bundle: %w", err) + case bundle.Payload.LogID == "": + return nil, errors.New("error getting signature log ID: empty log ID") + case bundle.Payload.IntegratedTime == 0: + return nil, errors.New("error getting signature integrated time: integrated time is 0") } sigContent, err := getBundleSignatureContent(bundle) if err != nil { return nil, fmt.Errorf("error getting signature content: %w", err) } - selectorsFromSignatures.Content = sigContent - if bundle.Payload.LogID == "" { - return nil, fmt.Errorf("error getting signature log ID: %w", errors.New("empty log ID")) - } - selectorsFromSignatures.LogID = bundle.Payload.LogID - - if bundle.Payload.IntegratedTime == 0 { - return nil, fmt.Errorf("error getting signature integrated time: %w", errors.New("integrated time is 0")) - } - selectorsFromSignatures.IntegratedTime = strconv.FormatInt(bundle.Payload.IntegratedTime, 10) - return selectorsFromSignatures, nil + return &SelectorsFromSignatures{ + Subject: subject, + Content: sigContent, + LogID: bundle.Payload.LogID, + IntegratedTime: strconv.FormatInt(bundle.Payload.IntegratedTime, 10), + }, nil } // ShouldSkipImage checks the skip list for the image ID in the container status. From 5ff4f7f3b115fca84fb182f23d88e44e9781cbf7 Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Thu, 1 Dec 2022 16:45:45 -0300 Subject: [PATCH 173/257] fix: removed noop false early return (#187) Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes --- pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go | 4 ---- 1 file changed, 4 deletions(-) 
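Review bot: The new `switch` in SelectorValuesFromSignature reads `bundle.Payload.LogID` before anything has checked `bundle` for nil, so a signature whose `Bundle()` returns a nil bundle together with a nil error would panic here instead of being rejected. Before this change getBundleSignatureContent ran first, and it returns "bundle is nil" for that case. Add a case right after the error case, `case bundle == nil:` followed by `return nil, errors.New("error getting signature content: bundle is nil")`, which keeps the earlier message. Whether `Bundle()` can return nil without an error depends on the oci.Signature implementation, which is not shown, so a test case with a signature that carries no bundle would pin the behaviour. The function starts above the hunk.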
diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 12d75ae273..8fcfc60056 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -135,10 +135,6 @@ func (s *sigstoreImpl) FetchImageSignatures(ctx context.Context, imageName strin // ExtractSelectorsFromSignatures extracts selectors from a list of image signatures. // returns a list of selector strings. func (s *sigstoreImpl) ExtractSelectorsFromSignatures(signatures []oci.Signature, containerID string) []SelectorsFromSignatures { - // Payload can be empty if the attestor fails to retrieve it - if signatures == nil { - return nil - } var selectors []SelectorsFromSignatures for _, sig := range signatures { // verify which subject From a93dc2b04b1c8e27ac710e1836d10678ada64ce8 Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Thu, 1 Dec 2022 16:46:07 -0300 Subject: [PATCH 174/257] misc: reordered shouldSkipImage returns so images with empty IDs are logged (#188) Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes --- pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 8fcfc60056..b461a32bda 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go 
@@ -193,12 +193,12 @@ func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, cont // If the image ID is found in the skip list, it returns true. // If the image ID is not found in the skip list, it returns false. func (s *sigstoreImpl) ShouldSkipImage(imageID string) (bool, error) { - if len(s.skippedImages) == 0 { - return false, nil - } if imageID == "" { return false, errors.New("image ID is empty") } + if len(s.skippedImages) == 0 { + return false, nil + } _, ok := s.skippedImages[imageID] return ok, nil } From 2858b2f506a0dad9db96e508e2b8c79eef22b3de Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Thu, 1 Dec 2022 16:46:19 -0300 Subject: [PATCH 175/257] misc: removed unused "verified" bool (#189) Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes --- .../workloadattestor/k8s/sigstore/sigstore.go | 18 +++++++++--------- .../k8s/sigstore/sigstore_test.go | 8 +------- 2 files changed, 10 insertions(+), 16 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index b461a32bda..c13d4cff5e 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -113,7 +113,7 @@ func (s *sigstoreImpl) FetchImageSignatures(ctx context.Context, imageName strin return nil, fmt.Errorf("error parsing image reference: %w", err) } - if _, err := s.ValidateImage(ref); err != nil { + if err := s.ValidateImage(ref); err != nil { return nil, fmt.Errorf("could not validate image reference digest: %w", err) } 
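Review bot: The doc comment on ShouldSkipImage no longer matches the function after the reorder in the `-193,12` hunk: an empty image ID now returns an error even when the skip list is empty, and the comment only describes the found / not found cases. I would add a line such as `// An empty image ID is always an error, including when the skip list is empty.` AttestContainerSignatures calls this with `status.ImageID`, so containers that report no image ID will now take the error path there; that looks intended by the commit title, but it is worth stating in the comment.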
@@ -219,21 +219,21 @@ func (s *sigstoreImpl) ClearSkipList() { } // ValidateImage validates if the image manifest hash matches the digest in the image reference -func (s *sigstoreImpl) ValidateImage(ref name.Reference) (bool, error) { +func (s *sigstoreImpl) ValidateImage(ref name.Reference) error { dgst, ok := ref.(name.Digest) if !ok { - return false, fmt.Errorf("reference %T is not a digest", ref) + return fmt.Errorf("reference %T is not a digest", ref) } desc, err := s.functionHooks.fetchImageManifestFunction(dgst) if err != nil { - return false, err + return err } if len(desc.Manifest) == 0 { - return false, errors.New("manifest is empty") + return errors.New("manifest is empty") } hash, _, err := v1.SHA256(bytes.NewReader(desc.Manifest)) if err != nil { - return false, err + return err } return validateRefDigest(dgst, hash.String()) @@ -388,11 +388,11 @@ func selectorsToString(selectors SelectorsFromSignatures, containerID string) [] return selectorsString } -func validateRefDigest(dgst name.Digest, digest string) (bool, error) { +func validateRefDigest(dgst name.Digest, digest string) error { if dgst.DigestStr() == digest { - return true, nil + return nil } - return false, fmt.Errorf("digest %s does not match %s", digest, dgst.DigestStr()) + return fmt.Errorf("digest %s does not match %s", digest, dgst.DigestStr()) } type verifyFunctionType func(context.Context, name.Reference, *cosign.CheckOpts) ([]oci.Signature, bool, error) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 21394c42b2..63a0f327c0 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -922,7 +922,6 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { args args wantedFetchArguments fetchFunctionArguments wantedVerifyArguments verifyFunctionArguments - want bool wantedErr error }{ { 
@@ -942,7 +941,6 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { options: nil, }, wantedVerifyArguments: verifyFunctionArguments{}, - want: true, }, { name: "error on image manifest fetch", @@ -958,7 +956,6 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, }, - want: false, wantedErr: errors.New("fetch error 123"), }, { @@ -977,7 +974,6 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, }, - want: false, wantedErr: errors.New("manifest is empty"), }, { @@ -997,7 +993,6 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { options: nil, }, wantedVerifyArguments: verifyFunctionArguments{}, - want: true, }, } for _, tt := range tests { @@ -1012,14 +1007,13 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { skippedImages: tt.fields.skippedImages, } - got, err := sigstore.ValidateImage(tt.args.ref) + err := sigstore.ValidateImage(tt.args.ref) if tt.wantedErr != nil { require.EqualError(t, err, tt.wantedErr.Error()) } else { require.NoError(t, err) } - require.Equal(t, tt.want, got, "sigstoreImpl.ValidateImage() = %v, want %v", got, tt.want) require.Equal(t, tt.wantedFetchArguments, fetchArguments, "sigstoreImpl.ValidateImage() fetchArguments = %v, want %v", fetchArguments, tt.wantedFetchArguments) require.Equal(t, tt.wantedVerifyArguments, verifyArguments, "sigstoreImpl.ValidateImage() verifyArguments = %v, want %v", verifyArguments, tt.wantedVerifyArguments) }) From 7c06461dfbd4ec1b475320b698c8f805b2aa8669 Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Thu, 1 Dec 2022 16:50:38 -0300 Subject: [PATCH 176/257] Add OIDC issuer to allowed subject list (#175) * feat: removed allow list toggle 
Signed-off-by: Rodrigo Lopes * tests: updated unit-tests to remove allow-list toggle Signed-off-by: Rodrigo Lopes * refactor: removed references to allowedSubjects toggle Signed-off-by: Rodrigo Lopes * tests: updated tests, removing references to allowedSubjects toggle Signed-off-by: Rodrigo Lopes * docs: updated docs removing references to enable_allowed_subjects_list Signed-off-by: Rodrigo Lopes * feat: added issuer handling refactor: added issuer to allow list Signed-off-by: Rodrigo Lopes * tests: updated sigstore_test.go Signed-off-by: Rodrigo Lopes * refactor: updated k8s.go to add signature issuer handling Signed-off-by: Rodrigo Lopes * tests: updated k8s_posix_test.go Signed-off-by: Rodrigo Lopes * refactor: fixed OIDC Provider retrieval and logging Signed-off-by: Rodrigo Lopes * tests: updated unit tests with OIDC provider in OIDC token issuer extension Signed-off-by: Rodrigo Lopes * ci: fixing lint Signed-off-by: Rodrigo Lopes * docs: updated docs with new allowed subject list format Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes --- conf/agent/agent_full.conf | 15 +- doc/plugin_agent_workloadattestor_k8s.md | 3 +- pkg/agent/plugin/workloadattestor/k8s/k8s.go | 5 +- .../plugin/workloadattestor/k8s/k8s_posix.go | 7 +- .../workloadattestor/k8s/k8s_posix_test.go | 52 +- .../workloadattestor/k8s/sigstore/sigstore.go | 68 ++- .../k8s/sigstore/sigstore_test.go | 533 +++++++++++------- 7 files changed, 430 insertions(+), 253 deletions(-) diff --git a/conf/agent/agent_full.conf b/conf/agent/agent_full.conf index 97a06de287..0e063eb6a7 100644 --- a/conf/agent/agent_full.conf +++ b/conf/agent/agent_full.conf 
@@ -372,15 +372,12 @@ plugins { # sigstore-validation:passed selector, but no other sigstore related selectors. # skip_signature_verification_image_list = ["sha:image1hash","sha:image2hash"] - # enable_allowed_subjects_list: Boolean indicating whether image - # signatures will be checked against a list of subjects. - # enable_allowed_subjects_list = false - - # allowed_subjects_list: List of subjects that image signatures - # will be checked against, if enabled through the above option. - # signatures from subjects outside this list will receive - # no sigstore-related selectors. These should be email addresses. - # allowed_subjects_list = ["subject1@example.com","subject2@example.com"] + # allowed_subjects_list: Map of subjects that image signatures + # will be checked against, keyed by OIDC Provider URI. + # Signatures from subjects outside this list will be ignored. These should be email addresses. + # allowed_subjects_list { + # "https://accounts.google.com" = ["subject1@example.com","subject2@example.com"] + # } # } } } diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index 0b195e1f69..9a7971bcd7 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md 
@@ -62,8 +62,7 @@ since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/cre | Sigstore options | Description | | ---------------- | ----------- | | `skip_signature_verification_image_list` | The list of images, described as digest hashes, that should be skipped in signature verification. Defaults to empty list. | -| `enable_allowed_subjects_list` | Enables a list of allowed subjects that are trusted and are allowed to sign container images artificats. Defaults to 'false'. If true and `allowed_subjects_list` is empty, no workload will pass signature validation. | -| `allowed_subjects_list` | The list of allowed subjects enabled by `enable_allowed_subjects_list` each entry represents subject e-mail. Defaults to empty list. | +| `allowed_subjects_list` | A map of allowed subject strings, keyed by the OIDC Provider URI, that are trusted and are allowed to sign container images artifacts. Defaults to empty. If empty, no workload will pass signature validation, unless listed on `skip_signature_verification_image_list`. (eg. `"https://accounts.google.com" = ["subject1@example.com","subject2@example.com"]`). | | `rekor_url` | The rekor URL to use with cosign. Defaults to 'https://rekor.sigstore.dev/', Rekor's public instance. | > **Note** Cosign discourages the use of image tags for referencing docker images, and this plugin does not support attestation of sigstore selectors for workloads running on containers using tag-referenced images, which will then fail attestation for both sigstore and k8s selectors. In cases where this is necessary, add the digest string for the image in the `skip_signature_verification_image_list` setting (eg. `"sha256:abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"`). Note that sigstore signature attestation will still not be performed, but this will allow k8s selectors to be returned, along with the `"k8s:sigstore-validation:passed"` selector. 
diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s.go b/pkg/agent/plugin/workloadattestor/k8s/k8s.go index 3167aeb72b..c2292a6f15 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s.go @@ -138,11 +138,8 @@ type SigstoreHCLConfig struct { // SkippedImages is a list of images that should skip sigstore verification SkippedImages []string `hcl:"skip_signature_verification_image_list"` - // AllowedSubjectListEnabled is a flag indicating whether signature subjects should be compared against AllowedSubjects - AllowedSubjectListEnabled bool `hcl:"enable_allowed_subjects_list"` - // AllowedSubjects is a list of subjects that should be allowed after verification - AllowedSubjects []string `hcl:"allowed_subjects_list"` + AllowedSubjects map[string][]string `hcl:"allowed_subjects_list"` } // k8sConfig holds the configuration distilled from HCL diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index 9fd9895625..a581edcf74 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go @@ -218,11 +218,12 @@ func configureSigstoreClient(client sigstore.Sigstore, c *SigstoreHCLConfig, log if c.SkippedImages != nil { client.AddSkippedImage(c.SkippedImages) } - client.EnableAllowSubjectList(c.AllowedSubjectListEnabled) client.SetLogger(log) client.ClearAllowedSubjects() - for _, subject := range c.AllowedSubjects { - client.AddAllowedSubject(subject) + for issuer, subjects := range c.AllowedSubjects { + for _, subject := range subjects { + client.AddAllowedSubject(issuer, subject) + } } rekorURL := "https://rekor.sigstore.dev/" // default rekor url if c.RekorURL != nil { diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go index 3526b48479..06ce2dd067 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go 
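Review bot: configureSigstoreClient in k8s_posix.go now loads the allow-list silently even when it is empty, and with the enable toggle removed an empty or missing `allowed_subjects_list` means every signature is rejected (the updated docs say so). An operator upgrading from a configuration that had the toggle off gets no hint of this at startup. Consider logging it once after the loop: `if len(c.AllowedSubjects) == 0 { log.Warn("No allowed subjects configured; all image signatures will be rejected") }`. The function starts above the hunk and continues below it.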
+++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go @@ -233,20 +233,18 @@ func (s *Suite) TestHelperConfigure() { errMsg string clientErr error - expectSkippedImages map[string]struct{} - expectRekoURL string - expectSubjectsEnabled bool - expectSubjects map[string]struct{} + expectSkippedImages map[string]struct{} + expectRekoURL string + expectSubjects map[string]map[string]struct{} }{ { name: "sigstore is configured", config: &HCLConfig{ Experimental: &ExperimentalK8SConfig{ Sigstore: &SigstoreHCLConfig{ - RekorURL: &rekorURL, - SkippedImages: []string{"sha:image1hash", "sha:image2hash"}, - AllowedSubjectListEnabled: true, - AllowedSubjects: []string{"spirex@example.com", "spirex1@example.com"}, + RekorURL: &rekorURL, + SkippedImages: []string{"sha:image1hash", "sha:image2hash"}, + AllowedSubjects: map[string][]string{"issuer": {"spirex@example.com", "spirex1@example.com"}}, }, }, }, @@ -255,10 +253,11 @@ func (s *Suite) TestHelperConfigure() { "sha:image1hash": {}, "sha:image2hash": {}, }, - expectSubjectsEnabled: true, - expectSubjects: map[string]struct{}{ - "spirex@example.com": {}, - "spirex1@example.com": {}, + expectSubjects: map[string]map[string]struct{}{ + "issuer": { + "spirex@example.com": {}, + "spirex1@example.com": {}, + }, }, }, { @@ -317,7 +316,6 @@ func (s *Suite) TestHelperConfigure() { require.Equal(t, tt.expectSkippedImages, fakeClient.skippedImages) require.Equal(t, tt.expectRekoURL, fakeClient.rekorURL) - require.Equal(t, tt.expectSubjectsEnabled, fakeClient.allowedSubjectListEnabled) require.Equal(t, tt.expectSubjects, fakeClient.allowedSubjects) }) } 
@@ -678,14 +676,13 @@ func createOSConfig() *osConfig { type sigstoreMock struct { selectors []sigstore.SelectorsFromSignatures - sigs []oci.Signature - skipSigs bool - skippedSigSelectors []string - returnError error - skippedImages map[string]struct{} - allowedSubjects map[string]struct{} - allowedSubjectListEnabled bool - log hclog.Logger + sigs []oci.Signature + skipSigs bool + skippedSigSelectors []string + returnError error + skippedImages map[string]struct{} + allowedSubjects map[string]map[string]struct{} + log hclog.Logger rekorURL string } @@ -725,10 +722,6 @@ func (s *sigstoreMock) ClearAllowedSubjects() { s.allowedSubjects = nil } -func (s *sigstoreMock) EnableAllowSubjectList(flag bool) { - s.allowedSubjectListEnabled = flag -} - func (s *sigstoreMock) AttestContainerSignatures(ctx context.Context, status *corev1.ContainerStatus) ([]string, error) { if s.skipSigs { return s.skippedSigSelectors, nil @@ -763,11 +756,14 @@ func (s *sigstoreMock) SetRekorURL(url string) error { return s.returnError } -func (s *sigstoreMock) AddAllowedSubject(subject string) { +func (s *sigstoreMock) AddAllowedSubject(issuer string, subject string) { if s.allowedSubjects == nil { - s.allowedSubjects = make(map[string]struct{}) + s.allowedSubjects = make(map[string]map[string]struct{}) + } + if _, ok := s.allowedSubjects[issuer]; !ok { + s.allowedSubjects[issuer] = make(map[string]struct{}) } - s.allowedSubjects[subject] = struct{}{} + s.allowedSubjects[issuer][subject] = struct{}{} } func (s *sigstoreMock) AddSkippedImage(images []string) { diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index c13d4cff5e..2ec5ae7c7a 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -6,6 +6,8 @@ package sigstore import ( "bytes" "context" + "crypto/x509" + "encoding/asn1" "encoding/base64" "encoding/json" "errors" 
@@ -40,8 +42,7 @@ type Sigstore interface { ShouldSkipImage(imageID string) (bool, error) AddSkippedImage(imageID []string) ClearSkipList() - AddAllowedSubject(subject string) - EnableAllowSubjectList(bool) + AddAllowedSubject(issuer string, subject string) ClearAllowedSubjects() SetRekorURL(rekorURL string) error SetLogger(logger hclog.Logger) @@ -94,8 +95,7 @@ func New(cache Cache, logger hclog.Logger) Sigstore { type sigstoreImpl struct { functionHooks sigstoreFunctionHooks skippedImages map[string]struct{} - allowListEnabled bool - subjectAllowList map[string]struct{} + subjectAllowList map[string]map[string]struct{} rekorURL url.URL logger hclog.Logger sigstorecache Cache @@ -156,15 +156,23 @@ func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, cont if err != nil { return nil, fmt.Errorf("error getting signature subject: %w", err) } - if subject == "" { return nil, errors.New("error getting signature subject: empty subject") } - if s.allowListEnabled { - if _, ok := s.subjectAllowList[subject]; !ok { - return nil, fmt.Errorf("subject %q not in allow-list", subject) - } + issuer, err := getSignatureProvider(signature) + + if err != nil { + return nil, fmt.Errorf("error getting signature issuer: %w", err) + } + if issuer == "" { + return nil, fmt.Errorf("error getting signature issuer: %w", errors.New("empty issuer")) + } + + if issuerSubjects, ok := s.subjectAllowList[issuer]; !ok { + return nil, fmt.Errorf("signature issuer %q not in allow-list", issuer) + } else if _, ok := issuerSubjects[subject]; !ok { + return nil, fmt.Errorf("subject %q not allowed for issuer %q", subject, issuer) } bundle, err := signature.Bundle() 
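Review bot: The empty-issuer branch added in the `-156,15` hunk wraps a freshly built error, `fmt.Errorf("error getting signature issuer: %w", errors.New("empty issuer"))`, while the empty-subject branch a few lines above uses a plain `errors.New`. Nothing can match the wrapped value with `errors.Is`, so the wrapping adds nothing; `errors.New("error getting signature issuer: empty issuer")` reads the same and matches the surrounding style. The blank line between the `getSignatureProvider` call and its `if err != nil` check can also go. The function starts above the hunk and continues below it.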
@@ -239,21 +247,20 @@ func (s *sigstoreImpl) ValidateImage(ref name.Reference) error { return validateRefDigest(dgst, hash.String()) } -func (s *sigstoreImpl) AddAllowedSubject(subject string) { +func (s *sigstoreImpl) AddAllowedSubject(issuer string, subject string) { if s.subjectAllowList == nil { - s.subjectAllowList = make(map[string]struct{}) + s.subjectAllowList = make(map[string]map[string]struct{}) } - s.subjectAllowList[subject] = struct{}{} + if _, ok := s.subjectAllowList[issuer]; !ok { + s.subjectAllowList[issuer] = make(map[string]struct{}) + } + s.subjectAllowList[issuer][subject] = struct{}{} } func (s *sigstoreImpl) ClearAllowedSubjects() { s.subjectAllowList = nil } -func (s *sigstoreImpl) EnableAllowSubjectList(flag bool) { - s.allowListEnabled = flag -} - func (s *sigstoreImpl) AttestContainerSignatures(ctx context.Context, status *corev1.ContainerStatus) ([]string, error) { skip, err := s.ShouldSkipImage(status.ImageID) if err != nil { 
@@ -346,6 +353,35 @@ func getSignatureSubject(signature oci.Signature) (string, error) { return "", errors.New("no subject found in signature") } +func getSignatureProvider(signature oci.Signature) (string, error) { + if signature == nil { + return "", errors.New("signature is nil") + } + cert, err := signature.Cert() + if err != nil { + return "", fmt.Errorf("failed to access signature certificate: %w", err) + } + if cert == nil { + return "", errors.New("no certificate found in signature") + } + return certOIDCProvider(cert) +} + +func certOIDCProvider(cert *x509.Certificate) (string, error) { + if cert == nil { + return "", errors.New("certificate is nil") + } + // OIDC token issuer Object Identifier + objectIdentifier := asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1} + for _, ext := range cert.Extensions { + if ext.Id.Equal(objectIdentifier) { + return string(ext.Value), nil + } + } + + return "", errors.New("no OIDC issuer found in certificate extensions") +} + func getBundleSignatureContent(bundle *bundle.RekorBundle) (string, error) { if bundle == nil { return "", errors.New("bundle is nil") diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 63a0f327c0..a077916c22 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -11,6 +11,7 @@ import ( "crypto/rand" "crypto/x509" "crypto/x509/pkix" + "encoding/asn1" "errors" "fmt" "math/big" @@ -35,6 +36,10 @@ const ( maximumAmountCache = 10 ) +var ( + OIDCIssuerOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1} +) + func createCertificate(template *x509.Certificate, parent *x509.Certificate, pub interface{}, priv crypto.Signer) (*x509.Certificate, error) { certBytes, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv) if err != nil { 
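Review bot: getSignatureProvider and certOIDCProvider are added without doc comments, and the trust assumption they rely on is not written down: certOIDCProvider returns the raw bytes of extension 1.3.6.1.4.1.57264.1.1 as a string and does not look at who issued the certificate. I would document that on the function, for example `// certOIDCProvider returns the raw value of the OIDC issuer extension; the certificate must already have been verified against the trusted roots.` SelectorValuesFromSignature compares this value byte for byte with the configured issuer key, so the comment should also say that no normalization (trailing slash, letter case) is applied. A test with a certificate that has no such extension would cover the "no OIDC issuer found" path.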
@@ -76,7 +81,6 @@ func TestNew(t *testing.T) { checkOptsFunction: defaultCheckOptsFunction, }, skippedImages: nil, - allowListEnabled: false, subjectAllowList: nil, rekorURL: url.URL{Scheme: rekor.DefaultSchemes[0], Host: rekor.DefaultHost, Path: rekor.DefaultBasePath}, sigstorecache: newcache, @@ -98,7 +102,6 @@ func TestNew(t *testing.T) { t.Errorf("checkOptsFunction functions do not match") } require.Equal(t, want.skippedImages, sigImpObj.skippedImages, "skippedImages array is not empty") - require.Equal(t, want.allowListEnabled, sigImpObj.allowListEnabled, "allowListEnabled has wrong value") require.Equal(t, want.subjectAllowList, sigImpObj.subjectAllowList, "subjectAllowList array is not empty") require.Equal(t, want.rekorURL, sigImpObj.rekorURL, "rekorURL is different from rekor default") require.Equal(t, want.sigstorecache, sigImpObj.sigstorecache, "sigstorecache is different from fresh object") @@ -442,18 +445,15 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { } func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { - type fields struct { - verifyFunction func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) - } type args struct { signatures []oci.Signature } tests := []struct { - name string - fields fields - args args - containerID string - want []SelectorsFromSignatures + name string + args args + containerID string + subjectAllowList map[string]map[string]struct{} + want []SelectorsFromSignatures }{ { name: "extract selector from single image signature array", 
@@ -468,10 +468,20 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, }, }, containerID: "000000", + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": {"spirex@example.com": struct{}{}}, + }, want: []SelectorsFromSignatures{ { Subject: "spirex@example.com", @@ -494,6 +504,13 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex1@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex2@example.com","key2": "value 2","key3": "value 3"}}`), @@ -504,10 +521,20 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { IntegratedTime: 12346, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex2@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, }, }, containerID: "111111", + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": {"spirex1@example.com": struct{}{}, "spirex2@example.com": struct{}{}}, + }, want: []SelectorsFromSignatures{ { Subject: "spirex1@example.com", @@ -546,6 +573,10 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { "spirex@example.com", "spirex2@example.com", }, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, }, bundle: &bundle.RekorBundle{ Payload: bundle.RekorPayload{ 
@@ -558,6 +589,9 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { }, }, containerID: "333333", + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": {"spirex@example.com": struct{}{}, "spirex2@example.com": struct{}{}}, + }, want: []SelectorsFromSignatures{ { Subject: "spirex@example.com", @@ -586,6 +620,10 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { Path: "somepath2", }, }, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, }, bundle: &bundle.RekorBundle{ Payload: bundle.RekorPayload{ @@ -598,6 +636,9 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { }, }, containerID: "444444", + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": {"https://www.example.com/somepath1": struct{}{}}, + }, want: []SelectorsFromSignatures{ { Subject: "https://www.example.com/somepath1", @@ -646,13 +687,11 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { s := sigstoreImpl{ - functionHooks: sigstoreFunctionHooks{ - verifyFunction: tt.fields.verifyFunction, - }, - logger: hclog.Default(), + logger: hclog.Default(), + subjectAllowList: tt.subjectAllowList, } got := s.ExtractSelectorsFromSignatures(tt.args.signatures, tt.containerID) - require.Equal(t, got, tt.want, "sigstoreImpl.ExtractSelectorsFromSignatures() = %v, want %v", got, tt.want) + require.Equal(t, tt.want, got, "sigstoreImpl.ExtractSelectorsFromSignatures() = %v, want %v", got, tt.want) }) } } 
@@ -1022,16 +1061,17 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { func TestSigstoreimpl_AddAllowedSubject(t *testing.T) { type fields struct { - subjectAllowList map[string]struct{} + subjectAllowList map[string]map[string]struct{} } type args struct { + issuer string subject string } tests := []struct { name string fields fields args args - want map[string]struct{} + want map[string]map[string]struct{} }{ { name: "add allowed subject to nil map", 
@@ -1039,65 +1079,135 @@ func TestSigstoreimpl_AddAllowedSubject(t *testing.T) { subjectAllowList: nil, }, args: args{ + issuer: "issuer1", subject: "spirex@example.com", }, - want: map[string]struct{}{ - "spirex@example.com": struct{}{}, + want: map[string]map[string]struct{}{ + "issuer1": {"spirex@example.com": struct{}{}}, }, }, { name: "add allowed subject to empty map", fields: fields{ - subjectAllowList: map[string]struct{}{}, + subjectAllowList: map[string]map[string]struct{}{}, }, args: args{ + issuer: "issuer1", subject: "spirex@example.com", }, - want: map[string]struct{}{ - "spirex@example.com": struct{}{}, + want: map[string]map[string]struct{}{ + "issuer1": {"spirex@example.com": struct{}{}}, }, }, { name: "add allowed subject to existing map", fields: fields{ - subjectAllowList: map[string]struct{}{ + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": { + "spirex1@example.com": struct{}{}, + "spirex2@example.com": struct{}{}, + "spirex3@example.com": struct{}{}, + "spirex5@example.com": struct{}{}, + }, + }, + }, + args: args{ + issuer: "issuer1", + subject: "spirex4@example.com", + }, + want: map[string]map[string]struct{}{ + "issuer1": { "spirex1@example.com": struct{}{}, "spirex2@example.com": struct{}{}, "spirex3@example.com": struct{}{}, + "spirex4@example.com": struct{}{}, "spirex5@example.com": struct{}{}, }, }, + }, + { + name: "add allowed subject to existing map with new issuer", + fields: fields{ + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": { + "spirex1@example.com": struct{}{}, + "spirex2@example.com": struct{}{}, + "spirex3@example.com": struct{}{}, + "spirex5@example.com": struct{}{}, + }, + }, + }, args: args{ + issuer: "issuer2", subject: "spirex4@example.com", }, - want: map[string]struct{}{ - "spirex1@example.com": struct{}{}, - "spirex2@example.com": struct{}{}, - "spirex3@example.com": struct{}{}, - "spirex4@example.com": struct{}{}, - "spirex5@example.com": struct{}{}, + want: 
map[string]map[string]struct{}{ + "issuer1": { + "spirex1@example.com": struct{}{}, + "spirex2@example.com": struct{}{}, + "spirex3@example.com": struct{}{}, + "spirex5@example.com": struct{}{}, + }, + "issuer2": { + "spirex4@example.com": struct{}{}, + }, }, }, { - name: "add existing allowed subject to existing map", + name: "add existing allowed subject to existing map with new issuer", fields: fields{ - subjectAllowList: map[string]struct{}{ + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": { + "spirex1@example.com": struct{}{}, + "spirex2@example.com": struct{}{}, + "spirex3@example.com": struct{}{}, + "spirex4@example.com": struct{}{}, + "spirex5@example.com": struct{}{}, + }, + }, + }, + args: args{ + issuer: "issuer2", + subject: "spirex4@example.com", + }, + want: map[string]map[string]struct{}{ + "issuer1": { "spirex1@example.com": struct{}{}, "spirex2@example.com": struct{}{}, "spirex3@example.com": struct{}{}, "spirex4@example.com": struct{}{}, "spirex5@example.com": struct{}{}, }, + "issuer2": { + "spirex4@example.com": struct{}{}, + }, + }, + }, + { + name: "add existing allowed subject to existing map with same issuer", + fields: fields{ + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": { + "spirex1@example.com": struct{}{}, + "spirex2@example.com": struct{}{}, + "spirex3@example.com": struct{}{}, + "spirex4@example.com": struct{}{}, + "spirex5@example.com": struct{}{}, + }, + }, }, args: args{ + issuer: "issuer1", subject: "spirex4@example.com", }, - want: map[string]struct{}{ - "spirex1@example.com": struct{}{}, - "spirex2@example.com": struct{}{}, - "spirex3@example.com": struct{}{}, - "spirex4@example.com": struct{}{}, - "spirex5@example.com": struct{}{}, + want: map[string]map[string]struct{}{ + "issuer1": { + "spirex1@example.com": struct{}{}, + "spirex2@example.com": struct{}{}, + "spirex3@example.com": struct{}{}, + "spirex4@example.com": struct{}{}, + "spirex5@example.com": struct{}{}, + }, }, }, } 
@@ -1106,7 +1216,7 @@ func TestSigstoreimpl_AddAllowedSubject(t *testing.T) { sigstore := &sigstoreImpl{ subjectAllowList: tt.fields.subjectAllowList, } - sigstore.AddAllowedSubject(tt.args.subject) + sigstore.AddAllowedSubject(tt.args.issuer, tt.args.subject) require.Equal(t, sigstore.subjectAllowList, tt.want, "sigstore.subjectAllowList = %v, want %v", sigstore.subjectAllowList, tt.want) }) } @@ -1114,23 +1224,44 @@ func TestSigstoreimpl_AddAllowedSubject(t *testing.T) { func TestSigstoreimpl_ClearAllowedSubjects(t *testing.T) { type fields struct { - subjectAllowList map[string]struct{} + subjectAllowList map[string]map[string]struct{} } tests := []struct { name string fields fields - want map[string]struct{} + want map[string]map[string]struct{} }{ { name: "clear existing map", fields: fields{ - subjectAllowList: map[string]struct{}{ - "spirex1@example.com": struct{}{}, - "spirex2@example.com": struct{}{}, - "spirex3@example.com": struct{}{}, - "spirex4@example.com": struct{}{}, - "spirex5@example.com": struct{}{}, + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": { + "spirex1@example.com": struct{}{}, + "spirex2@example.com": struct{}{}, + "spirex3@example.com": struct{}{}, + "spirex4@example.com": struct{}{}, + "spirex5@example.com": struct{}{}, + }, + }, + }, + want: nil, + }, + { + name: "clear map with multiple issuers", + fields: fields{ + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": { + "spirex1@example.com": struct{}{}, + "spirex2@example.com": struct{}{}, + "spirex3@example.com": struct{}{}, + "spirex4@example.com": struct{}{}, + "spirex5@example.com": struct{}{}, + }, + "issuer2": { + "spirex1@example.com": struct{}{}, + "spirex6@example.com": struct{}{}, + }, }, }, want: nil, @@ -1138,7 +1269,7 @@ func TestSigstoreimpl_ClearAllowedSubjects(t *testing.T) { { name: "clear empty map", fields: fields{ - subjectAllowList: map[string]struct{}{}, + subjectAllowList: map[string]map[string]struct{}{}, }, want: nil, }, 
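Review bot: In the hunk at -1106 the assertion keeps the actual value first, `require.Equal(t, sigstore.subjectAllowList, tt.want, ...)`, while this same commit swaps the arguments to expected-first in TestSigstoreimpl_ExtractSelectorsFromSignatures. testify labels the first argument as expected in its failure output, so a failing case here would print the two maps under the wrong labels. Swapping to `require.Equal(t, tt.want, sigstore.subjectAllowList, ...)` keeps the file consistent. The `assert.Equal(t, got, tt.want, ...)` in the SelectorValuesFromSignature runner has the same order.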
@@ -1163,75 +1294,20 @@ func TestSigstoreimpl_ClearAllowedSubjects(t *testing.T) { } } -func TestSigstoreimpl_EnableAllowSubjectList(t *testing.T) { - type fields struct { - allowListEnabled bool - } - type args struct { - flag bool - } - tests := []struct { - name string - fields fields - args args - want bool - }{ - { - name: "disabling subject allow list", - fields: fields{ - allowListEnabled: true, - }, - args: args{ - flag: false, - }, - want: false, - }, - { - name: "enabling subject allow list", - fields: fields{ - allowListEnabled: false, - }, - args: args{ - flag: true, - }, - want: true, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - sigstore := &sigstoreImpl{ - allowListEnabled: tt.fields.allowListEnabled, - } - sigstore.EnableAllowSubjectList(tt.args.flag) - if sigstore.allowListEnabled != tt.want { - t.Errorf("sigstore.allowListEnabled = %v, want %v", sigstore.allowListEnabled, tt.want) - } - }) - } -} - func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { - type fields struct { - allowListEnabled bool - subjectAllowList map[string]struct{} - } type args struct { signature oci.Signature } tests := []struct { - name string - fields fields - args args - containerID string - want *SelectorsFromSignatures - wantedErr error + name string + args args + containerID string + subjectAllowList map[string][]string + want *SelectorsFromSignatures + wantedErr error }{ { name: "selector from signature", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, args: args{ signature: signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), 
@@ -1242,9 +1318,19 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, }, containerID: "000000", + subjectAllowList: map[string][]string{ + "issuer1": {"spirex@example.com"}, + }, want: &SelectorsFromSignatures{ Subject: "spirex@example.com", Content: "MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", @@ -1254,10 +1340,6 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, { name: "selector from signature, empty subject", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, args: args{ signature: signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "","key2": "value 2","key3": "value 3"}}`), 
@@ -1268,37 +1350,43 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: nil, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, }, - containerID: "111111", - want: nil, - wantedErr: errors.New("error getting signature subject: empty subject"), + containerID: "111111", + subjectAllowList: nil, + want: nil, + wantedErr: fmt.Errorf("error getting signature subject: empty subject"), }, { name: "selector from signature, not in allowlist", - fields: fields{ - allowListEnabled: true, - subjectAllowList: map[string]struct{}{ - "spirex2@example.com": struct{}{}, - }, - }, args: args{ signature: signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex1@example.com","key2": "value 2","key3": "value 3"}}`), + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex1@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, }, containerID: "222222", - want: nil, - wantedErr: errors.New("subject \"spirex1@example.com\" not in allow-list"), + subjectAllowList: map[string][]string{ + "issuer1": {"spirex2@example.com"}, + }, + want: nil, + wantedErr: fmt.Errorf("subject %q not allowed for issuer %q", "spirex1@example.com", "issuer1"), }, { name: "selector from signature, allowedlist enabled, in allowlist", - fields: fields{ - allowListEnabled: true, - subjectAllowList: map[string]struct{}{ - "spirex@example.com": struct{}{}, - }, - }, args: args{ signature: signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some 
type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), @@ -1309,9 +1397,19 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, }, containerID: "333333", + subjectAllowList: map[string][]string{ + "issuer1": {"spirex@example.com"}, + }, want: &SelectorsFromSignatures{ Subject: "spirex@example.com", Content: "MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", @@ -1321,12 +1419,6 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, { name: "selector from signature, allowedlist enabled, in allowlist, empty content", - fields: fields{ - allowListEnabled: true, - subjectAllowList: map[string]struct{}{ - "spirex@example.com": struct{}{}, - }, - }, args: args{ signature: signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), 
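Review bot: The "not in allowlist" case in the hunk at -1268 only varies the subject, so nothing visible here checks that the issuer half of the new two-level key is enforced. A case where `spirex1@example.com` is listed under a second issuer, for example `"issuer2": {"spirex1@example.com"}`, while the certificate carries `issuer1` would pin that a subject trusted for one OIDC issuer is rejected when presented under another. Every certificate added in these hunks also carries the `OIDCIssuerOID` extension, so a case with the extension absent would document how a missing issuer is handled. The test table starts and ends outside the hunk, so such cases may already exist elsewhere.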
@@ -1337,33 +1429,45 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, }, containerID: "444444", - want: nil, - wantedErr: errors.New("error getting signature content: bundle payload body has no signature content"), + subjectAllowList: map[string][]string{ + "issuer1": {"spirex@example.com"}, + }, + want: nil, + wantedErr: fmt.Errorf("error getting signature content: bundle payload body has no signature content"), }, { name: "selector from signature, nil bundle", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, args: args{ signature: nilBundleSignature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, }, containerID: "555555", - want: nil, - wantedErr: errors.New("error getting signature bundle: no bundle test"), + subjectAllowList: map[string][]string{ + "issuer1": {"spirex@example.com"}, + }, + want: nil, + wantedErr: fmt.Errorf("error getting signature bundle: no bundle test"), }, { name: "selector from signature, bundle payload body is not a string", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, args: args{ signature: signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": 
{"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), @@ -1374,18 +1478,24 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, }, containerID: "000000", - want: nil, - wantedErr: errors.New("error getting signature content: expected payload body to be a string but got int instead"), + subjectAllowList: map[string][]string{ + "issuer1": {"spirex@example.com"}, + }, + want: nil, + wantedErr: fmt.Errorf("error getting signature content: expected payload body to be a string but got int instead"), }, { name: "selector from signature, bundle payload body is not valid base64", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, args: args{ signature: signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), 
@@ -1396,18 +1506,24 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, }, containerID: "000000", - want: nil, - wantedErr: errors.New("error getting signature content: illegal base64 data at input byte 3"), + subjectAllowList: map[string][]string{ + "issuer1": {"spirex@example.com"}, + }, + want: nil, + wantedErr: fmt.Errorf("error getting signature content: illegal base64 data at input byte 3"), }, { name: "selector from signature, bundle payload body has no signature content", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, args: args{ signature: signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), 
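Review bot: The `wantedErr` values in this hunk (-1396) and in the hunks at -1268, -1337, -1374, -1418, -1440 and -1462 switch from `errors.New` to `fmt.Errorf` with a constant string and no formatting verbs. That turns each message into a format string, so a literal `%` in a future message would be misread. Only the "not allowed for issuer" case actually formats arguments. `errors.New("error getting signature content: illegal base64 data at input byte 3")` expresses the same expectation; whether `errors` is still imported in this file is not visible in the hunk.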
@@ -1418,18 +1534,24 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, }, containerID: "000000", - want: nil, - wantedErr: errors.New("error getting signature content: bundle payload body has no signature content"), + subjectAllowList: map[string][]string{ + "issuer1": {"spirex@example.com"}, + }, + want: nil, + wantedErr: fmt.Errorf("error getting signature content: bundle payload body has no signature content"), }, { name: "selector from signature, bundle payload body signature content is empty", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, args: args{ signature: signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), 
@@ -1440,18 +1562,24 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, }, containerID: "000000", - want: nil, - wantedErr: errors.New("error getting signature content: bundle payload body has no signature content"), + subjectAllowList: map[string][]string{ + "issuer1": {"spirex@example.com"}, + }, + want: nil, + wantedErr: fmt.Errorf("error getting signature content: bundle payload body has no signature content"), }, { name: "selector from signature, bundle payload body is not a valid JSON", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, args: args{ signature: signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), 
@@ -1462,18 +1590,24 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, }, containerID: "000000", - want: nil, - wantedErr: errors.New("error getting signature content: failed to parse bundle body: invalid character ',' looking for beginning of value"), + subjectAllowList: map[string][]string{ + "issuer1": {"spirex@example.com"}, + }, + want: nil, + wantedErr: fmt.Errorf("error getting signature content: failed to parse bundle body: invalid character ',' looking for beginning of value"), }, { name: "selector from signature, empty signature array", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, args: args{ signature: nil, }, @@ -1483,10 +1617,6 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, { name: "selector from signature, single image signature, no payload", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, args: args{ signature: noPayloadSignature{}, }, @@ -1496,10 +1626,6 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, { name: "selector from signature, single image signature, no certs", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, args: args{ signature: &noCertSignature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), 
@@ -1511,13 +1637,16 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, { name: "selector from signature, single image signature,garbled subject in signature", - fields: fields{ - allowListEnabled: false, - subjectAllowList: nil, - }, args: args{ signature: &signature{ payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "s\\\\||as\0\0aasdasd/....???/.>wd12<><,,,><{}{pirex@example.com","key2": "value 2","key3": "value 3"}}`), + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, }, containerID: "000000", @@ -1529,10 +1658,14 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { sigstore := &sigstoreImpl{ - allowListEnabled: tt.fields.allowListEnabled, - subjectAllowList: tt.fields.subjectAllowList, + subjectAllowList: nil, logger: hclog.Default(), } + for issuer, subjects := range tt.subjectAllowList { + for _, subject := range subjects { + sigstore.AddAllowedSubject(issuer, subject) + } + } got, err := sigstore.SelectorValuesFromSignature(tt.args.signature, tt.containerID) assert.Equal(t, got, tt.want, "sigstoreImpl.SelectorValuesFromSignature() = %v, want %v", got, tt.want) if tt.wantedErr != nil { @@ -1549,6 +1682,7 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { functionBindings sigstoreFunctionBindings skippedImages map[string]struct{} rekorURL url.URL + subjectAllowList map[string][]string } defaultCheckOpts, _ := defaultCheckOptsFunction(rekorDefaultURL()) 
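Review bot: With `allowListEnabled` removed, the runner in the hunk at -1529 starts from `subjectAllowList: nil` and only fills it from `tt.subjectAllowList`, but no case visible in these hunks names the expected result for an otherwise valid signature when the allow-list is empty. Whether an empty list rejects every subject or accepts any is the security-relevant default of this change, so a dedicated case (valid bundle and certificate, no `subjectAllowList`, explicit `want`/`wantedErr`) is worth adding. The garbled-subject case has a certificate and no allow-list, but its expected outcome lies outside the hunk. The explicit `subjectAllowList: nil` is the zero value and can be dropped.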
@@ -1577,6 +1711,13 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, }, true, nil), fetchBinding: createFetchFunction(&remote.Descriptor{ @@ -1585,6 +1726,9 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { checkOptsBinding: createCheckOptsFunction(defaultCheckOpts, nil), }, rekorURL: rekorDefaultURL(), + subjectAllowList: map[string][]string{ + "issuer1": {"spirex@example.com"}, + }, }, status: corev1.ContainerStatus{ Image: "spire-agent-sigstore-1", @@ -1713,6 +1857,13 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { sigstorecache: NewCache(maximumAmountCache), logger: hclog.Default(), } + + for issuer, subjects := range tt.fields.subjectAllowList { + for _, subject := range subjects { + sigstore.AddAllowedSubject(issuer, subject) + } + } + got, err := sigstore.AttestContainerSignatures(context.Background(), &tt.status) if tt.wantedErr != nil { From 9dc2206feaa77a3644ddbff982fc96573e69d8ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Thu, 1 Dec 2022 17:15:41 -0300 Subject: [PATCH 177/257] Use the UpdateMask field when calling UpdateCryptoKey (#3653) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- pkg/server/plugin/keymanager/gcpkms/gcpkms.go | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/pkg/server/plugin/keymanager/gcpkms/gcpkms.go b/pkg/server/plugin/keymanager/gcpkms/gcpkms.go index fca1888293..ab59db1ed4 100644 --- a/pkg/server/plugin/keymanager/gcpkms/gcpkms.go +++ b/pkg/server/plugin/keymanager/gcpkms/gcpkms.go 
@@ -440,15 +440,21 @@ func (p *Plugin) addCryptoKeyVersionToCachedEntry(ctx context.Context, entry key return nil, err } + log := p.log.With(cryptoKeyNameTag, entry.cryptoKey.Name) + // Check if the algorithm has changed and update if needed. if entry.cryptoKey.VersionTemplate.Algorithm != algorithm { entry.cryptoKey.VersionTemplate.Algorithm = algorithm _, err := p.kmsClient.UpdateCryptoKey(ctx, &kmspb.UpdateCryptoKeyRequest{ CryptoKey: entry.cryptoKey, + UpdateMask: &fieldmaskpb.FieldMask{ + Paths: []string{"version_template.algorithm"}, + }, }) if err != nil { return nil, fmt.Errorf("failed to update CryptoKey with updated algorithm: %w", err) } + log.Debug("CryptoKey updated", algorithmTag, algorithm) } cryptoKeyVersion, err := p.kmsClient.CreateCryptoKeyVersion(ctx, &kmspb.CreateCryptoKeyVersionRequest{ Parent: entry.cryptoKey.Name, @@ -459,7 +465,7 @@ func (p *Plugin) addCryptoKeyVersionToCachedEntry(ctx context.Context, entry key if err != nil { return nil, fmt.Errorf("failed to create CryptoKeyVersion: %w", err) } - p.log.Debug("CryptoKeyVersion added", cryptoKeyNameTag, entry.cryptoKey.Name, cryptoKeyVersionNameTag, cryptoKeyVersion.Name) + log.Debug("CryptoKeyVersion added", cryptoKeyVersionNameTag, cryptoKeyVersion.Name) pubKey, err := getPublicKeyFromCryptoKeyVersion(ctx, p.kmsClient, cryptoKeyVersion.Name) if err != nil { @@ -480,7 +486,7 @@ func (p *Plugin) addCryptoKeyVersionToCachedEntry(ctx context.Context, entry key p.setKeyEntry(spireKeyID, newKeyEntry) if err := p.enqueueDestruction(entry.cryptoKeyVersionName); err != nil { - p.log.Error("Failed to enqueue CryptoKeyVersion for destruction", reasonTag, err) + log.Error("Failed to enqueue CryptoKeyVersion for destruction", reasonTag, err) } return newKeyEntry.publicKey, nil From fde87a667d2fdab7086db70c3c3a5041c6bc0099 Mon Sep 17 00:00:00 2001 
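Review bot: In the hunk at -440, `entry.cryptoKey.VersionTemplate.Algorithm = algorithm` is assigned on the entry before `UpdateCryptoKey` is known to have succeeded, so a failed call can leave the in-memory key claiming an algorithm that KMS never accepted, and a later attempt would skip the update because the comparison now matches. This assumes `entry.cryptoKey` is a pointer shared with the cache, which the hunk does not show. Consider saving the old value with `prev := entry.cryptoKey.VersionTemplate.Algorithm` before the assignment and restoring it with `entry.cryptoKey.VersionTemplate.Algorithm = prev` inside the `if err != nil` branch. The function begins before the hunk, so a nil check on `VersionTemplate` may already exist above.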
From: Marco Franssen Date: Fri, 2 Dec 2022 12:04:37 +0100 Subject: [PATCH 178/257] Refactor push-images script to reduce duplication (#3656) Can be used for both scratch and non-scratch images. Signed-off-by: Marco Franssen --- .github/workflows/nightly_build.yaml | 2 +- .github/workflows/release_build.yaml | 6 +- .github/workflows/scripts/push-images.sh | 72 +++++++++++++++---- .../workflows/scripts/push-scratch-images.sh | 32 --------- 4 files changed, 62 insertions(+), 50 deletions(-) delete mode 100755 .github/workflows/scripts/push-scratch-images.sh diff --git a/.github/workflows/nightly_build.yaml b/.github/workflows/nightly_build.yaml index 8bbf606cbe..e253eab737 100644 --- a/.github/workflows/nightly_build.yaml +++ b/.github/workflows/nightly_build.yaml @@ -34,4 +34,4 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Push images - run: ./.github/workflows/scripts/push-scratch-images.sh nightly + run: ./.github/workflows/scripts/push-images.sh nightly -scratch diff --git a/.github/workflows/release_build.yaml b/.github/workflows/release_build.yaml index c87af95450..156120ffce 100644 --- a/.github/workflows/release_build.yaml +++ b/.github/workflows/release_build.yaml @@ -524,15 +524,13 @@ jobs: registry: gcr.io username: _json_key password: ${{ secrets.GCR_JSON_KEY }} - # Push the images to GCR using the version number (without the "v" prefix). - name: Push images - run: ./.github/workflows/scripts/push-images.sh "${GITHUB_REF#refs/tags/v}" + run: ./.github/workflows/scripts/push-images.sh "${GITHUB_REF}" - name: Log in to GHCR uses: docker/login-action@v2 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - # Push the images to GHCR using the version number (without the "v" prefix). - name: Push images - run: ./.github/workflows/scripts/push-scratch-images.sh "${GITHUB_REF#refs/tags/v}" + run: ./.github/workflows/scripts/push-images.sh "${GITHUB_REF}" -scratch 
diff --git a/.github/workflows/scripts/push-images.sh b/.github/workflows/scripts/push-images.sh index 60e859c63b..08eafb4075 100755 --- a/.github/workflows/scripts/push-images.sh +++ b/.github/workflows/scripts/push-images.sh 
@@ -1,20 +1,66 @@ -#!/bin/bash +#!/usr/bin/env bash +# shellcheck shell=bash +## +## USAGE: __PROG__ +## +## "__PROG__" publishes images to a registry. +## +## Usage example(s): +## ./__PROG__ 1.5.2 +## ./__PROG__ v1.5.2 +## ./__PROG__ v1.5.2 -scratch +## ./__PROG__ refs/tags/v1.5.2 +## ./__PROG__ refs/tags/v1.5.2 -scratch +## +## Commands +## - ./__PROG__ [image-variant] pushes images to the registry using given version. set -e -IMAGETAG="$1" -if [ -z "$IMAGETAG" ]; then - echo "IMAGETAG not provided!" 1>&2 - echo "Usage: push-images.sh IMAGETAG" 1>&2 - exit 1 +function usage { + grep '^##' "$0" | sed -e 's/^##//' -e "s/__PROG__/$me/" >&2 +} + +me=$(basename "$0") + +version="$1" +if [ -z "${version}" ]; then + usage + echo -e "\n Errors:\n * the version must be provided." >&2 + exit 1 fi -echo "Pushing images tagged as $IMAGETAG..." +# remove the git tag prefix +# Push the images using the version tag (without the "v" prefix). +# Also strips the refs/tags part if the GITHUB_REF variable is used. +version="${version#refs/tags/v}" +version="${version#v}" + +variant="$2" +if [ -n "${variant}" ] && [ "${variant}" != "-scratch" ]; then + usage + echo -e "\n Errors:\n * The only supported variant is '-scratch'." >&2 + exit 1 +fi + +OCI_IMAGES=( + spire-server spire-agent k8s-workload-registrar oidc-discovery-provider +) + +registry=gcr.io/spiffe-io +if [ "${variant}" = "-scratch" ] ; then + org_name=$(echo "$GITHUB_REPOSITORY" | tr '/' "\n" | head -1 | tr -d "\n") + org_name="${org_name:-spiffe}" # default to spiffe in case ran on local + registry=ghcr.io/${org_name} +fi -for img in spire-server spire-agent k8s-workload-registrar oidc-discovery-provider; do - gcrimg=gcr.io/spiffe-io/"$img":"${IMAGETAG}" - echo "Executing: docker tag $img:latest-local $gcrimg" - docker tag "$img":latest-local "$gcrimg" - echo "Executing: docker push $gcrimg" - docker push "$gcrimg" +echo "Pushing images ${OCI_IMAGES[*]} to ${registry} with tag ${version}". 
+for img in "${OCI_IMAGES[@]}"; do + image_variant="${img}${variant}" + image_to_push="${registry}/${img}:${version}" + if [ "${variant}" = "-scratch" ] && [ "${img}" == "oidc-discovery-provider" ] ; then + image_to_push="${registry}/spire-oidc-provider:${version}" + fi + docker tag "${image_variant}:latest-local" "${image_to_push}" + docker push "${image_to_push}" done diff --git a/.github/workflows/scripts/push-scratch-images.sh b/.github/workflows/scripts/push-scratch-images.sh deleted file mode 100755 index a532740c6f..0000000000 --- a/.github/workflows/scripts/push-scratch-images.sh +++ /dev/null @@ -1,32 +0,0 @@ -#!/bin/bash - -set -e - -IMAGETAG="$1" -if [ -z "$IMAGETAG" ]; then - echo "IMAGETAG not provided!" 1>&2 - echo "Usage: push-images.sh IMAGETAG" 1>&2 - exit 1 -fi - -# Extracting org name rather than hardcoding allows this -# action to be portable across forks -ORGNAME=$(echo "$GITHUB_REPOSITORY" | tr '/' "\n" | head -1 | tr -d "\n") - -echo "Pushing images tagged as $IMAGETAG..." - -for img in spire-server spire-agent oidc-discovery-provider; do - ghcrimg="ghcr.io/${ORGNAME}/${img}:${IMAGETAG}" - - # Detect the oidc image and give it a different name for GHCR - # TODO: Remove this hack and fully rename the image once we move - # off of GCR. - if [ "$img" == "oidc-discovery-provider" ]; then - ghcrimg="ghcr.io/${ORGNAME}/spire-oidc-provider:${IMAGETAG}" - fi - - echo "Executing: docker tag $img-scratch:latest-local $ghcrimg" - docker tag "$img"-scratch:latest-local "$ghcrimg" - echo "Executing: docker push $ghcrimg" - docker push "$ghcrimg" -done From 0b171a2803dbc4bd99a8d1dfa06b58c5fac2c5a3 Mon Sep 17 00:00:00 2001 From: joaoguazzelli Date: Fri, 2 Dec 2022 09:51:39 -0300 Subject: [PATCH 179/257] fix: added error message validation (#195) Signed-off-by: joaoguazzelli Signed-off-by: joaoguazzelli --- .../k8s/sigstore/sigstore_test.go | 33 +++++++++---------- 1 file changed, 15 insertions(+), 18 deletions(-) 
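Review bot: With `-scratch`, the loop now iterates over all four entries of `OCI_IMAGES`, including `k8s-workload-registrar`, whereas the deleted push-scratch-images.sh pushed only spire-server, spire-agent and oidc-discovery-provider. Unless a `k8s-workload-registrar-scratch:latest-local` image is built elsewhere, `docker tag` fails on it and `set -e` aborts the run after two images are published and before the OIDC provider image is pushed, leaving a partial release. Skipping it explicitly keeps the previous behaviour: `if [ "${variant}" = "-scratch" ] && [ "${img}" = "k8s-workload-registrar" ]; then continue; fi`. Separately, a non-tag ref such as `refs/heads/main` passes both prefix strips unchanged and reaches `docker tag` as the tag, so a format check on `version` after stripping would fail earlier and with a clearer message.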
diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index a077916c22..8fbe15b033 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -704,11 +704,11 @@ func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { imageID string } tests := []struct { - name string - fields fields - args args - want bool - wantErr bool + name string + fields fields + args args + want bool + wantedErr error }{ { name: "skipping only image in list", @@ -720,8 +720,7 @@ func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { args: args{ imageID: "sha256:sampleimagehash", }, - want: true, - wantErr: false, + want: true, }, { name: "skipping image in list", @@ -735,8 +734,7 @@ func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { args: args{ imageID: "sha256:sampleimagehash2", }, - want: true, - wantErr: false, + want: true, }, { name: "image not in list", @@ -749,8 +747,7 @@ func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { args: args{ imageID: "sha256:sampleimagehash2", }, - want: false, - wantErr: false, + want: false, }, { name: "empty skip list", @@ -760,8 +757,7 @@ func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { args: args{ imageID: "sha256:sampleimagehash", }, - want: false, - wantErr: false, + want: false, }, { name: "empty imageID", @@ -775,8 +771,8 @@ func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { args: args{ imageID: "", }, - want: false, - wantErr: true, + want: false, + wantedErr: errors.New("image ID is empty"), }, } for _, tt := range tests { 
@@ -785,9 +781,10 @@ func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { skippedImages: tt.fields.skippedImages, } got, err := sigstore.ShouldSkipImage(tt.args.imageID) - if (err != nil) != tt.wantErr { - t.Errorf("sigstoreImpl.SkipImage() error = %v, wantErr %v", err, tt.wantErr) - return + if tt.wantedErr != nil { + require.EqualError(t, err, tt.wantedErr.Error()) + } else { + require.NoError(t, err) } require.Equal(t, got, tt.want, "sigstoreImpl.SkipImage() = %v, want %v", got, tt.want) }) From a30f06ec8221dd7c2c6a6915c974bf52f3aa0177 Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Fri, 2 Dec 2022 10:00:32 -0300 Subject: [PATCH 180/257] Removing default rekor url (#178) * refactor: removed default rekor URL and reintroduced Scheme setting Signed-off-by: Rodrigo Lopes * tests: updated tests Signed-off-by: Rodrigo Lopes * docs: updated docs about Rekor URL Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes --- conf/agent/agent_full.conf | 2 +- doc/plugin_agent_workloadattestor_k8s.md | 4 ++-- pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go | 7 +++---- pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go | 4 ++-- .../plugin/workloadattestor/k8s/sigstore/sigstore.go | 8 +------- .../plugin/workloadattestor/k8s/sigstore/sigstore_test.go | 2 +- 6 files changed, 10 insertions(+), 17 deletions(-) diff --git a/conf/agent/agent_full.conf b/conf/agent/agent_full.conf index 0e063eb6a7..d7dd3b7472 100644 --- a/conf/agent/agent_full.conf +++ b/conf/agent/agent_full.conf @@ -364,7 +364,7 @@ plugins { experimental { # sigstore: sigstore options. Enables signature checking. # sigstore { - # rekor_url: The URL for the rekor STL Server to use with cosign. + # rekor_url: The URL for the rekor STL Server to use with cosign. Required. # rekor_url = "https://rekor.sigstore.dev" # skip_signature_verification_image_list: List of images that should 
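Review bot: In the `ShouldSkipImage` test loop of sigstore_test.go, `require.Equal(t, got, tt.want, ...)` passes the actual value in the position where testify expects the expected one, so a failing case prints the two values under swapped labels. Writing it as `require.Equal(t, tt.want, got, "sigstoreImpl.SkipImage() = %v, want %v", got, tt.want)` keeps the failure output readable now that the error path is asserted with `require.EqualError`. The loop and the enclosing test function start outside the hunk.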
diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index 9a7971bcd7..ab50c06e91 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md 
@@ -63,13 +63,13 @@ since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/cre | ---------------- | ----------- | | `skip_signature_verification_image_list` | The list of images, described as digest hashes, that should be skipped in signature verification. Defaults to empty list. | | `allowed_subjects_list` | A map of allowed subject strings, keyed by the OIDC Provider URI, that are trusted and are allowed to sign container images artifacts. Defaults to empty. If empty, no workload will pass signature validation, unless listed on `skip_signature_verification_image_list`. (eg. `"https://accounts.google.com" = ["subject1@example.com","subject2@example.com"]`). | -| `rekor_url` | The rekor URL to use with cosign. Defaults to 'https://rekor.sigstore.dev/', Rekor's public instance. | +| `rekor_url` | The rekor URL to use with cosign. Required. See notes below. | > **Note** Cosign discourages the use of image tags for referencing docker images, and this plugin does not support attestation of sigstore selectors for workloads running on containers using tag-referenced images, which will then fail attestation for both sigstore and k8s selectors. In cases where this is necessary, add the digest string for the image in the `skip_signature_verification_image_list` setting (eg. `"sha256:abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"`). Note that sigstore signature attestation will still not be performed, but this will allow k8s selectors to be returned, along with the `"k8s:sigstore-validation:passed"` selector. > **Note** Since the SPIRE Agent can also go through workload attestation, it will also need to be included in the skip list if either its image is not signed or has a digest reference string. -> **Note** The sigstore project contains a transparency log called Rekor that provides an immutable, tamper-resistant ledger to record signed metadata to an immutable record. 
While it is possible to run your own instance, a public instance of rekor is available at rekor.sigstore.dev, and cosign defaults to using the public instance. +> **Note** The sigstore project contains a transparency log called Rekor that provides an immutable, tamper-resistant ledger to record signed metadata to an immutable record. While it is possible to run your own instance, a public instance of rekor is available at `https://rekor.sigstore.dev/`. ### Sigstore workload attestor for SPIRE diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index a581edcf74..7a03cd5138 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go @@ -225,11 +225,10 @@ func configureSigstoreClient(client sigstore.Sigstore, c *SigstoreHCLConfig, log client.AddAllowedSubject(issuer, subject) } } - rekorURL := "https://rekor.sigstore.dev/" // default rekor url - if c.RekorURL != nil { - rekorURL = (*c.RekorURL) + if c.RekorURL == nil { + return status.Errorf(codes.InvalidArgument, "missing Rekor URL") } - if err := client.SetRekorURL(rekorURL); err != nil { + if err := client.SetRekorURL(*c.RekorURL); err != nil { return status.Errorf(codes.InvalidArgument, "failed to parse Rekor URL: %v", err) } return nil diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go index 06ce2dd067..559835f75c 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go @@ -225,7 +225,6 @@ func (s *Suite) TestFailedToCreateHelperFromConfigure() { func (s *Suite) TestHelperConfigure() { rekorURL := "https://rekor.example.com/" invalidURL := "invalid url" - defaultRekorURL := "https://rekor.sigstore.dev/" for _, tt := range []struct { name string config *HCLConfig 
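Review bot: The new guard in `configureSigstoreClient` (k8s_posix.go) rejects only a nil `c.RekorURL`, so `rekor_url = ""` still reaches `client.SetRekorURL`; whether that call rejects an empty or host-less value is not visible in this hunk. With the built-in default removed, treating an empty string like a missing one keeps the failure at configuration time: `if c.RekorURL == nil || *c.RekorURL == "" {`. The message has no format arguments, so `status.Error(codes.InvalidArgument, "missing Rekor URL")` would do in place of `status.Errorf`. The function starts above the hunk.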
@@ -280,7 +279,8 @@ func (s *Suite) TestHelperConfigure() { }, }, }, - expectRekoURL: defaultRekorURL, + errCode: codes.InvalidArgument, + errMsg: "missing Rekor URL", }, { name: "failed to set url", diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 2ec5ae7c7a..8fc57f9526 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -81,12 +81,6 @@ func New(cache Cache, logger hclog.Logger) Sigstore { fetchImageManifestFunction: remote.Get, checkOptsFunction: defaultCheckOptsFunction, }, - - rekorURL: url.URL{ - Scheme: rekor.DefaultSchemes[0], - Host: rekor.DefaultHost, - Path: rekor.DefaultBasePath, - }, logger: logger, sigstorecache: cache, } @@ -460,7 +454,7 @@ func defaultCheckOptsFunction(rekorURL url.URL) (*cosign.CheckOpts, error) { co := &cosign.CheckOpts{ // Set the rekor client - RekorClient: rekor.NewHTTPClientWithConfig(nil, rekor.DefaultTransportConfig().WithBasePath(rekorURL.Path).WithHost(rekorURL.Host)), + RekorClient: rekor.NewHTTPClientWithConfig(nil, rekor.DefaultTransportConfig().WithBasePath(rekorURL.Path).WithHost(rekorURL.Host).WithSchemes([]string{rekorURL.Scheme})), RootCerts: rootCerts, } co.IntermediateCerts, err = fulcio.GetIntermediates() diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 8fbe15b033..757994f414 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -82,7 +82,7 @@ func TestNew(t *testing.T) { }, skippedImages: nil, subjectAllowList: nil, - rekorURL: url.URL{Scheme: rekor.DefaultSchemes[0], Host: rekor.DefaultHost, Path: rekor.DefaultBasePath}, + rekorURL: url.URL{}, sigstorecache: newcache, logger: nil, } 
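Review bot: In sigstore.go's `defaultCheckOptsFunction`, the added `.WithSchemes([]string{rekorURL.Scheme})` hands the operator-configured scheme straight to the Rekor client, and nothing in this hunk restricts it to `https`. A `rekor_url` starting with `http://` would therefore send transparency-log lookups in cleartext, and an empty scheme is passed through unchanged; whether `SetRekorURL` already rejects these is not visible here. If it does not, an explicit check before the options are built would make the failure clear, for example `if rekorURL.Scheme != "https" { return nil, fmt.Errorf("rekor URL scheme must be https, got %q", rekorURL.Scheme) }`. The function body continues outside the hunk.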
From 37bcb4f9f79bf182020cff554431b9169ac0c10c Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Fri, 2 Dec 2022 10:46:24 -0300 Subject: [PATCH 181/257] misc: removed ineffective called boolean (#191) Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes --- .../k8s/sigstore/sigstore_test.go | 61 ++++--------------- 1 file changed, 11 insertions(+), 50 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 757994f414..06a2ff4ca2 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -150,19 +150,16 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", }, wantedFetchArguments: fetchFunctionArguments{ - called: true, ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, }, wantedVerifyArguments: verifyFunctionArguments{ - called: true, context: context.Background(), ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: defaultCheckOpts, }, wantedCheckOptsArguments: checkOptsFunctionArguments{ - called: true, - url: rekorDefaultURL(), + url: rekorDefaultURL(), }, want: []oci.Signature{ signature{ 
@@ -191,19 +188,16 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", }, wantedFetchArguments: fetchFunctionArguments{ - called: true, ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, }, wantedVerifyArguments: verifyFunctionArguments{ - called: true, context: context.Background(), ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: defaultCheckOpts, }, wantedCheckOptsArguments: checkOptsFunctionArguments{ - called: true, - url: rekorDefaultURL(), + url: rekorDefaultURL(), }, want: []oci.Signature{ signature{ @@ -228,19 +222,16 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", }, wantedFetchArguments: fetchFunctionArguments{ - called: true, ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, }, wantedVerifyArguments: verifyFunctionArguments{ - called: true, context: context.Background(), ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: defaultCheckOpts, }, wantedCheckOptsArguments: checkOptsFunctionArguments{ - called: true, - url: rekorDefaultURL(), + url: rekorDefaultURL(), }, want: nil, wantedErr: fmt.Errorf("error verifying signature: %w", errors.New("no matching signatures 2")), 
@@ -259,19 +250,16 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", }, wantedFetchArguments: fetchFunctionArguments{ - called: true, ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, }, wantedVerifyArguments: verifyFunctionArguments{ - called: true, context: context.Background(), ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: defaultCheckOpts, }, wantedCheckOptsArguments: checkOptsFunctionArguments{ - called: true, - url: rekorDefaultURL(), + url: rekorDefaultURL(), }, want: nil, wantedErr: nil, @@ -294,19 +282,16 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", }, wantedFetchArguments: fetchFunctionArguments{ - called: true, ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, }, wantedVerifyArguments: verifyFunctionArguments{ - called: true, context: context.Background(), ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: defaultCheckOpts, }, wantedCheckOptsArguments: checkOptsFunctionArguments{ - called: true, - url: rekorDefaultURL(), + url: rekorDefaultURL(), }, want: nil, wantedErr: fmt.Errorf("error verifying signature: %w", errors.New("unexpected error")), 
@@ -329,19 +314,16 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", }, wantedFetchArguments: fetchFunctionArguments{ - called: true, ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, }, wantedVerifyArguments: verifyFunctionArguments{ - called: true, context: context.Background(), ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: defaultCheckOpts, }, wantedCheckOptsArguments: checkOptsFunctionArguments{ - called: true, - url: rekorDefaultURL(), + url: rekorDefaultURL(), }, want: nil, wantedErr: fmt.Errorf("bundle not verified for %q", "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), @@ -376,14 +358,12 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", }, wantedFetchArguments: fetchFunctionArguments{ - called: true, ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, }, wantedVerifyArguments: verifyFunctionArguments{}, wantedCheckOptsArguments: checkOptsFunctionArguments{ - called: true, - url: url.URL{}, + url: url.URL{}, }, want: nil, wantedErr: fmt.Errorf("could not create cosign check options: %w", emptyError), 
@@ -402,7 +382,6 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { imageName: "docker-registry.com/some/image@sha256:4fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", }, wantedFetchArguments: fetchFunctionArguments{ - called: true, ref: name.MustParseReference("docker-registry.com/some/image@sha256:4fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, }, @@ -972,7 +951,6 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), }, wantedFetchArguments: fetchFunctionArguments{ - called: true, ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, }, @@ -988,7 +966,6 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), }, wantedFetchArguments: fetchFunctionArguments{ - called: true, ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, }, @@ -1006,7 +983,6 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), }, wantedFetchArguments: fetchFunctionArguments{ - called: true, ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, }, 
@@ -1024,7 +1000,6 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { ref: name.MustParseReference("example.com/sampleimage@sha256:f037cc8ec4cd38f95478773741fdecd48d721a527d19013031692edbf95fae69"), }, wantedFetchArguments: fetchFunctionArguments{ - called: true, ref: name.MustParseReference("example.com/sampleimage@sha256:f037cc8ec4cd38f95478773741fdecd48d721a527d19013031692edbf95fae69"), options: nil, }, @@ -1733,19 +1708,16 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { ContainerID: "000000", }, wantedFetchArguments: fetchFunctionArguments{ - called: true, ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, }, wantedVerifyArguments: verifyFunctionArguments{ - called: true, context: context.Background(), ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: defaultCheckOpts, }, wantedCheckOptsArguments: checkOptsFunctionArguments{ - called: true, - url: rekorDefaultURL(), + url: rekorDefaultURL(), }, want: []string{ "000000:image-signature-subject:spirex@example.com", "000000:image-signature-content:MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=", "000000:image-signature-logid:samplelogID", "000000:image-signature-integrated-time:12345", "sigstore-validation:passed", 
@@ -1791,19 +1763,16 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { ContainerID: "222222", }, wantedFetchArguments: fetchFunctionArguments{ - called: true, ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, }, wantedVerifyArguments: verifyFunctionArguments{ - called: true, context: context.Background(), ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: defaultCheckOpts, }, wantedCheckOptsArguments: checkOptsFunctionArguments{ - called: true, - url: rekorDefaultURL(), + url: rekorDefaultURL(), }, want: nil, wantedErr: fmt.Errorf("error verifying signature: %w", errors.New("no signature found")), @@ -1826,13 +1795,11 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { ContainerID: "222222", }, wantedFetchArguments: fetchFunctionArguments{ - called: true, ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, }, wantedCheckOptsArguments: checkOptsFunctionArguments{ - called: true, - url: url.URL{}, + url: url.URL{}, }, want: nil, wantedErr: fmt.Errorf("could not create cosign check options: %w", emptyError), @@ -2035,7 +2002,6 @@ func (noCertSignature) Cert() (*x509.Certificate, error) { func createVerifyFunction(returnSignatures []oci.Signature, returnBundleVerified bool, returnError error) verifyFunctionBinding { bindVerifyArgumentsFunction := func(t require.TestingT, verifyArguments *verifyFunctionArguments) verifyFunctionType { newVerifyFunction := func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) { - verifyArguments.called = true verifyArguments.context = context verifyArguments.ref = ref verifyArguments.options = co 
@@ -2060,7 +2026,6 @@ func createNilVerifyFunction() verifyFunctionBinding { func createFetchFunction(returnDescriptor *remote.Descriptor, returnError error) fetchFunctionBinding { bindFetchArgumentsFunction := func(t require.TestingT, fetchArguments *fetchFunctionArguments) fetchImageManifestFunctionType { newFetchFunction := func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) { - fetchArguments.called = true fetchArguments.ref = ref fetchArguments.options = options return returnDescriptor, returnError @@ -2084,7 +2049,6 @@ func createNilFetchFunction() fetchFunctionBinding { func createCheckOptsFunction(returnCheckOpts *cosign.CheckOpts, returnErr error) checkOptsFunctionBinding { bindCheckOptsArgumentsFunction := func(t require.TestingT, checkOptsArguments *checkOptsFunctionArguments) checkOptsFunctionType { newCheckOptsFunction := func(url url.URL) (*cosign.CheckOpts, error) { - checkOptsArguments.called = true checkOptsArguments.url = url return returnCheckOpts, returnErr } @@ -2119,14 +2083,12 @@ type sigstoreFunctionBindings struct { } type checkOptsFunctionArguments struct { - called bool - url url.URL + url url.URL } type checkOptsFunctionBinding func(require.TestingT, *checkOptsFunctionArguments) checkOptsFunctionType type fetchFunctionArguments struct { - called bool ref name.Reference options []remote.Option } @@ -2134,7 +2096,6 @@ type fetchFunctionArguments struct { type fetchFunctionBinding func(require.TestingT, *fetchFunctionArguments) fetchImageManifestFunctionType type verifyFunctionArguments struct { - called bool context context.Context ref name.Reference options *cosign.CheckOpts From 122a16c0823199fc92f2c9f60e54f3e766c8466e Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Fri, 2 Dec 2022 11:45:06 -0300 Subject: [PATCH 182/257] misc: hardcoding AttestContainerSignature reference values (#194) * misc: hardcoding AttestContainerSignature reference values Signed-off-by: Rodrigo Lopes * lint: fixing var declarations 
Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes --- .../k8s/sigstore/sigstore_test.go | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 06a2ff4ca2..7eda58422c 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -23,6 +23,7 @@ import ( "github.com/google/go-containerregistry/pkg/name" "github.com/google/go-containerregistry/pkg/v1/remote" "github.com/hashicorp/go-hclog" + "github.com/sigstore/cosign/cmd/cosign/cli/fulcio" "github.com/sigstore/cosign/pkg/cosign" "github.com/sigstore/cosign/pkg/cosign/bundle" "github.com/sigstore/cosign/pkg/oci" @@ -1657,8 +1658,19 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { subjectAllowList map[string][]string } - defaultCheckOpts, _ := defaultCheckOptsFunction(rekorDefaultURL()) - emptyURLCheckOpts, emptyError := defaultCheckOptsFunction(url.URL{}) + rootCerts, err := fulcio.GetRoots() + require.NoError(t, err) + intermediateCerts, err := fulcio.GetIntermediates() + require.NoError(t, err) + + defaultCheckOpts := &cosign.CheckOpts{ + RekorClient: rekor.NewHTTPClientWithConfig(nil, rekor.DefaultTransportConfig().WithBasePath(rekorDefaultURL().Path).WithHost(rekorDefaultURL().Host)), + RootCerts: rootCerts, + IntermediateCerts: intermediateCerts, + } + var emptyURLCheckOpts *cosign.CheckOpts + emptyError := errors.New("rekor URL host is empty") + tests := []struct { name string fields fields From 7d5069dae1bf162164f8da68bde536cb652b6154 Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Fri, 2 Dec 2022 12:44:06 -0300 Subject: [PATCH 183/257] misc: moved fields from single field struct (#193) Signed-off-by: Rodrigo Lopes 
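Review bot: The hand-built `defaultCheckOpts` in `TestSigstoreimpl_AttestContainerSignatures` creates the Rekor client without `.WithSchemes(...)`, while the production `defaultCheckOptsFunction` was changed earlier in this series to set it, so the fixture no longer mirrors what production builds. Adding `.WithSchemes([]string{rekorDefaultURL().Scheme})` to the transport config chain keeps the two in step. The test now also calls `fulcio.GetRoots()` and `fulcio.GetIntermediates()` directly, which presumably depend on the local trust-root state or network of the machine running the test; a short comment stating that dependency would help whoever debugs a failing CI run. The test function continues outside the hunk.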
Signed-off-by: Rodrigo Lopes --- .../k8s/sigstore/sigstore_test.go | 225 ++++++++---------- 1 file changed, 103 insertions(+), 122 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 7eda58422c..0c9d913557 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go 
@@ -425,37 +425,32 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { } func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { - type args struct { - signatures []oci.Signature - } tests := []struct { name string - args args + signatures []oci.Signature containerID string subjectAllowList map[string]map[string]struct{} want []SelectorsFromSignatures }{ { name: "extract selector from single image signature array", - args: args{ - signatures: []oci.Signature{ - signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com"}}`), - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", - LogID: "samplelogID", - IntegratedTime: 12345, - }, - }, - cert: &x509.Certificate{ - EmailAddresses: []string{"spirex@example.com"}, - Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, - Value: []byte(`issuer1`), - }}, + signatures: []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: 
[]byte(`issuer1`), + }}, + }, }, }, containerID: "000000", 
@@ -473,42 +468,40 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { }, { name: "extract selector from image signature array with multiple entries", - args: args{ - signatures: []oci.Signature{ - signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex1@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", - LogID: "samplelogID1", - IntegratedTime: 12345, - }, - }, - cert: &x509.Certificate{ - EmailAddresses: []string{"spirex1@example.com"}, - Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, - Value: []byte(`issuer1`), - }}, + signatures: []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex1@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID1", + IntegratedTime: 12345, }, }, - signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex2@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: 
"ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUI9IgogICAgfQogIH0KfQo=", - LogID: "samplelogID2", - IntegratedTime: 12346, - }, - }, - cert: &x509.Certificate{ - EmailAddresses: []string{"spirex2@example.com"}, - Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, - Value: []byte(`issuer1`), - }}, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex1@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, + }, + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex2@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUI9IgogICAgfQogIH0KfQo=", + LogID: "samplelogID2", + IntegratedTime: 12346, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex2@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, }, containerID: "111111", @@ -532,11 +525,9 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { }, { name: "with nil payload", - args: args{ - signatures: []oci.Signature{ - signature{ - payload: nil, - }, + signatures: []oci.Signature{ + signature{ + payload: nil, }, }, containerID: "222222", 
@@ -544,26 +535,24 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { }, { name: "extract selector from image signature with subject certificate", - args: args{ - signatures: []oci.Signature{ - signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "some reference"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"}}`), - cert: &x509.Certificate{ - EmailAddresses: []string{ - "spirex@example.com", - "spirex2@example.com", - }, - Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, - Value: []byte(`issuer1`), - }}, + signatures: []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "some reference"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"}}`), + cert: &x509.Certificate{ + EmailAddresses: []string{ + "spirex@example.com", + "spirex2@example.com", }, - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", - LogID: "samplelogID", - IntegratedTime: 12345, - }, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, }, }, }, 
@@ -583,35 +572,33 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { }, { name: "extract selector from image signature with URI certificate", - args: args{ - signatures: []oci.Signature{ - signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "some reference"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"}}`), - cert: &x509.Certificate{ - URIs: []*url.URL{ - { - Scheme: "https", - Host: "www.example.com", - Path: "somepath1", - }, - { - Scheme: "https", - Host: "www.spirex.com", - Path: "somepath2", - }, + signatures: []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "some reference"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"}}`), + cert: &x509.Certificate{ + URIs: []*url.URL{ + { + Scheme: "https", + Host: "www.example.com", + Path: "somepath1", }, - Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, - Value: []byte(`issuer1`), - }}, - }, - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", - LogID: "samplelogID", - IntegratedTime: 12345, + { + Scheme: "https", + Host: "www.spirex.com", + Path: "somepath2", }, }, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, + }, }, }, }, 
@@ -629,33 +616,27 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { }, }, { - name: "extract selector from empty array", - args: args{ - signatures: []oci.Signature{}, - }, + name: "extract selector from empty array", + signatures: []oci.Signature{}, containerID: "555555", want: nil, }, { - name: "extract selector from nil array", - args: args{ - signatures: nil, - }, + name: "extract selector from nil array", + signatures: nil, containerID: "666666", want: nil, }, { name: "invalid payload", - args: args{ - signatures: []oci.Signature{ - signature{ - payload: []byte(`{"critical": {}}`), - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", - LogID: "samplelogID", - IntegratedTime: 12345, - }, + signatures: []oci.Signature{ + signature{ + payload: []byte(`{"critical": {}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, }, }, }, @@ -670,7 +651,7 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { logger: hclog.Default(), subjectAllowList: tt.subjectAllowList, } - got := s.ExtractSelectorsFromSignatures(tt.args.signatures, tt.containerID) + got := s.ExtractSelectorsFromSignatures(tt.signatures, tt.containerID) require.Equal(t, tt.want, got, "sigstoreImpl.ExtractSelectorsFromSignatures() = %v, want %v", got, tt.want) }) } From 5e87db13381e74bb5a7860b8a200b3933094b150 Mon Sep 17 00:00:00 2001 
From: Matheus Santos Date: Fri, 2 Dec 2022 13:14:29 -0300 Subject: [PATCH 184/257] refactor: changed some sigstore_test.go code as suggested (#190) Signed-off-by: Matheus Santos Signed-off-by: Matheus Santos --- .../k8s/sigstore/sigstore_test.go | 211 +++++++----------- 1 file changed, 85 insertions(+), 126 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 0c9d913557..2d1ddd1f40 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -16,7 +16,6 @@ import ( "fmt" "math/big" "net/url" - "reflect" "testing" "time" @@ -102,11 +101,11 @@ func TestNew(t *testing.T) { if &(sigImpObj.functionHooks.checkOptsFunction) == &(want.functionHooks.checkOptsFunction) { t.Errorf("checkOptsFunction functions do not match") } - require.Equal(t, want.skippedImages, sigImpObj.skippedImages, "skippedImages array is not empty") - require.Equal(t, want.subjectAllowList, sigImpObj.subjectAllowList, "subjectAllowList array is not empty") + require.Empty(t, sigImpObj.skippedImages, "skippedImages array is not empty") + require.Empty(t, sigImpObj.subjectAllowList, "subjectAllowList array is not empty") require.Equal(t, want.rekorURL, sigImpObj.rekorURL, "rekorURL is different from rekor default") require.Equal(t, want.sigstorecache, sigImpObj.sigstorecache, "sigstorecache is different from fresh object") - require.Equal(t, want.logger, sigImpObj.logger, "new logger is not nil") + require.Nil(t, sigImpObj.logger, "new logger is not nil") } func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { 
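Review bot: The unchanged guard just above the rewritten assertions in TestNew, `if &(sigImpObj.functionHooks.checkOptsFunction) == &(want.functionHooks.checkOptsFunction)`, compares the addresses of two struct fields. Assuming `sigImpObj` and `want` are separate values, those addresses always differ, so the `t.Errorf` never fires and the hook that builds the verification options is not checked at all. Its message also reads "do not match" on the branch where the two would be equal. Go function values cannot be compared with `==`, so either drop the guard or assert something observable, for example `require.NotNil(t, sigImpObj.functionHooks.checkOptsFunction)`. TestNew starts outside this hunk.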
@@ -897,7 +896,7 @@ func TestSigstoreimpl_ClearSkipList(t *testing.T) { skippedImages: tt.fields.skippedImages, } sigstore.ClearSkipList() - if !reflect.DeepEqual(sigstore.skippedImages, tt.want) { + if sigstore.skippedImages != nil { t.Errorf("sigstore.skippedImages = %v, want %v", sigstore.skippedImages, tt.want) } }) 
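Review bot: In TestSigstoreimpl_ClearSkipList the new condition `if sigstore.skippedImages != nil` no longer reads `tt.want`, yet the failure message still prints it and the table still carries a `want` column, so the expected value is now decorative. The same pattern is introduced in TestSigstoreimpl_ClearAllowedSubjects (`if sigstore.subjectAllowList != nil`) later in this patch. Either keep the table-driven comparison with `require.Equal(t, tt.want, sigstore.skippedImages)`, or commit to the nil check with `require.Nil(t, sigstore.skippedImages)` and remove `want` from both tables. The test function begins and ends outside this hunk.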
@@ -1014,64 +1013,44 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { } func TestSigstoreimpl_AddAllowedSubject(t *testing.T) { - type fields struct { - subjectAllowList map[string]map[string]struct{} - } - type args struct { - issuer string - subject string - } tests := []struct { - name string - fields fields - args args - want map[string]map[string]struct{} + name string + subjectAllowList map[string]map[string]struct{} + issuer string + subject string + want map[string]map[string]struct{} }{ { - name: "add allowed subject to nil map", - fields: fields{ - subjectAllowList: nil, - }, - args: args{ - issuer: "issuer1", - subject: "spirex@example.com", - }, + name: "add allowed subject to nil map", + subjectAllowList: nil, + issuer: "issuer1", + subject: "spirex@example.com", want: map[string]map[string]struct{}{ "issuer1": {"spirex@example.com": struct{}{}}, }, }, { - name: "add allowed subject to empty map", - fields: fields{ - subjectAllowList: map[string]map[string]struct{}{}, - }, - args: args{ - issuer: "issuer1", - subject: "spirex@example.com", - }, + name: "add allowed subject to empty map", + subjectAllowList: map[string]map[string]struct{}{}, + issuer: "issuer1", + subject: "spirex@example.com", want: map[string]map[string]struct{}{ "issuer1": {"spirex@example.com": struct{}{}}, }, }, { name: "add allowed subject to existing map", - fields: fields{ - subjectAllowList: map[string]map[string]struct{}{ - "issuer1": { - "spirex1@example.com": struct{}{}, - "spirex2@example.com": struct{}{}, - "spirex3@example.com": struct{}{}, - "spirex5@example.com": struct{}{}, - }, + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": {"spirex1@example.com": struct{}{}, + "spirex2@example.com": struct{}{}, + "spirex3@example.com": struct{}{}, + "spirex5@example.com": struct{}{}, }, }, - args: args{ - issuer: "issuer1", - subject: "spirex4@example.com", - }, + issuer: "issuer1", + subject: "spirex4@example.com", want: map[string]map[string]struct{}{ - 
"issuer1": { - "spirex1@example.com": struct{}{}, + "issuer1": {"spirex1@example.com": struct{}{}, "spirex2@example.com": struct{}{}, "spirex3@example.com": struct{}{}, "spirex4@example.com": struct{}{}, @@ -1081,20 +1060,18 @@ func TestSigstoreimpl_AddAllowedSubject(t *testing.T) { }, { name: "add allowed subject to existing map with new issuer", - fields: fields{ - subjectAllowList: map[string]map[string]struct{}{ - "issuer1": { - "spirex1@example.com": struct{}{}, - "spirex2@example.com": struct{}{}, - "spirex3@example.com": struct{}{}, - "spirex5@example.com": struct{}{}, - }, + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": { + "spirex1@example.com": struct{}{}, + "spirex2@example.com": struct{}{}, + "spirex3@example.com": struct{}{}, + "spirex5@example.com": struct{}{}, }, }, - args: args{ - issuer: "issuer2", - subject: "spirex4@example.com", - }, + + issuer: "issuer2", + subject: "spirex4@example.com", + want: map[string]map[string]struct{}{ "issuer1": { "spirex1@example.com": struct{}{}, @@ -1109,21 +1086,17 @@ func TestSigstoreimpl_AddAllowedSubject(t *testing.T) { }, { name: "add existing allowed subject to existing map with new issuer", - fields: fields{ - subjectAllowList: map[string]map[string]struct{}{ - "issuer1": { - "spirex1@example.com": struct{}{}, - "spirex2@example.com": struct{}{}, - "spirex3@example.com": struct{}{}, - "spirex4@example.com": struct{}{}, - "spirex5@example.com": struct{}{}, - }, + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": { + "spirex1@example.com": struct{}{}, + "spirex2@example.com": struct{}{}, + "spirex3@example.com": struct{}{}, + "spirex4@example.com": struct{}{}, + "spirex5@example.com": struct{}{}, }, }, - args: args{ - issuer: "issuer2", - subject: "spirex4@example.com", - }, + issuer: "issuer2", + subject: "spirex4@example.com", want: map[string]map[string]struct{}{ "issuer1": { "spirex1@example.com": struct{}{}, 
@@ -1139,21 +1112,17 @@ func TestSigstoreimpl_AddAllowedSubject(t *testing.T) { }, { name: "add existing allowed subject to existing map with same issuer", - fields: fields{ - subjectAllowList: map[string]map[string]struct{}{ - "issuer1": { - "spirex1@example.com": struct{}{}, - "spirex2@example.com": struct{}{}, - "spirex3@example.com": struct{}{}, - "spirex4@example.com": struct{}{}, - "spirex5@example.com": struct{}{}, - }, + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": { + "spirex1@example.com": struct{}{}, + "spirex2@example.com": struct{}{}, + "spirex3@example.com": struct{}{}, + "spirex4@example.com": struct{}{}, + "spirex5@example.com": struct{}{}, }, }, - args: args{ - issuer: "issuer1", - subject: "spirex4@example.com", - }, + issuer: "issuer1", + subject: "spirex4@example.com", want: map[string]map[string]struct{}{ "issuer1": { "spirex1@example.com": struct{}{}, 
@@ -1168,80 +1137,70 @@ func TestSigstoreimpl_AddAllowedSubject(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { sigstore := &sigstoreImpl{ - subjectAllowList: tt.fields.subjectAllowList, + subjectAllowList: tt.subjectAllowList, } - sigstore.AddAllowedSubject(tt.args.issuer, tt.args.subject) + sigstore.AddAllowedSubject(tt.issuer, tt.subject) require.Equal(t, sigstore.subjectAllowList, tt.want, "sigstore.subjectAllowList = %v, want %v", sigstore.subjectAllowList, tt.want) }) } } func TestSigstoreimpl_ClearAllowedSubjects(t *testing.T) { - type fields struct { - subjectAllowList map[string]map[string]struct{} - } tests := []struct { - name string - fields fields - want map[string]map[string]struct{} + name string + subjectAllowList map[string]map[string]struct{} + want map[string]map[string]struct{} }{ { name: "clear existing map", - fields: fields{ - subjectAllowList: map[string]map[string]struct{}{ - "issuer1": { - "spirex1@example.com": struct{}{}, - "spirex2@example.com": struct{}{}, - "spirex3@example.com": struct{}{}, - "spirex4@example.com": struct{}{}, - "spirex5@example.com": struct{}{}, - }, + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": { + "spirex1@example.com": struct{}{}, + "spirex2@example.com": struct{}{}, + "spirex3@example.com": struct{}{}, + "spirex4@example.com": struct{}{}, + "spirex5@example.com": struct{}{}, }, }, want: nil, }, { name: "clear map with multiple issuers", - fields: fields{ - subjectAllowList: map[string]map[string]struct{}{ - "issuer1": { - "spirex1@example.com": struct{}{}, - "spirex2@example.com": struct{}{}, - "spirex3@example.com": struct{}{}, - "spirex4@example.com": struct{}{}, - "spirex5@example.com": struct{}{}, - }, - "issuer2": { - "spirex1@example.com": struct{}{}, - "spirex6@example.com": struct{}{}, - }, + + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": { + "spirex1@example.com": struct{}{}, + "spirex2@example.com": struct{}{}, + "spirex3@example.com": 
struct{}{}, + "spirex4@example.com": struct{}{}, + "spirex5@example.com": struct{}{}, + }, + "issuer2": { + "spirex1@example.com": struct{}{}, + "spirex6@example.com": struct{}{}, }, }, want: nil, }, { - name: "clear empty map", - fields: fields{ - subjectAllowList: map[string]map[string]struct{}{}, - }, - want: nil, + name: "clear empty map", + subjectAllowList: map[string]map[string]struct{}{}, + want: nil, }, { - name: "clear nil map", - fields: fields{ - subjectAllowList: nil, - }, - want: nil, + name: "clear nil map", + subjectAllowList: nil, + want: nil, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { sigstore := &sigstoreImpl{ - subjectAllowList: tt.fields.subjectAllowList, + subjectAllowList: tt.subjectAllowList, } sigstore.ClearAllowedSubjects() - if !reflect.DeepEqual(sigstore.subjectAllowList, tt.want) { + if sigstore.subjectAllowList != nil { t.Errorf("sigstore.subjectAllowList = %v, want %v", sigstore.subjectAllowList, tt.want) } }) From 51e071ac90d48185e0f714c8218ab86797f5e81f Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Fri, 2 Dec 2022 14:35:19 -0300 Subject: [PATCH 185/257] misc: removed verbose message from require statements (#192) Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes --- .../k8s/sigstore/sigstore_test.go | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 2d1ddd1f40..1d19803039 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go 
@@ -412,13 +412,13 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { require.NoError(t, err) } - require.Equal(t, tt.want, got, "sigstoreImpl.FetchImageSignatures() = %v, want %v", got, tt.want) + require.Equal(t, tt.want, got) - require.Equal(t, tt.wantedFetchArguments, *fetchArguments, "sigstoreImpl.FetchImageSignatures() fetchArguments = %v, want %v", *fetchArguments, tt.wantedFetchArguments) + require.Equal(t, tt.wantedFetchArguments, *fetchArguments) - require.Equal(t, tt.wantedCheckOptsArguments, *checkOptsArguments, "sigstoreImpl.FetchImageSignatures() checkOptsArguments = %v, want %v", *checkOptsArguments, tt.wantedCheckOptsArguments) + require.Equal(t, tt.wantedCheckOptsArguments, *checkOptsArguments) - require.Equal(t, tt.wantedVerifyArguments, *verifyArguments, "sigstoreImpl.FetchImageSignatures() verifyArguments = %v, want %v", *verifyArguments, tt.wantedVerifyArguments) + require.Equal(t, tt.wantedVerifyArguments, *verifyArguments) }) } } @@ -651,7 +651,7 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { subjectAllowList: tt.subjectAllowList, } got := s.ExtractSelectorsFromSignatures(tt.signatures, tt.containerID) - require.Equal(t, tt.want, got, "sigstoreImpl.ExtractSelectorsFromSignatures() = %v, want %v", got, tt.want) + require.Equal(t, tt.want, got) }) } } @@ -746,7 +746,7 @@ func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { } else { require.NoError(t, err) } - require.Equal(t, got, tt.want, "sigstoreImpl.SkipImage() = %v, want %v", got, tt.want) + require.Equal(t, got, tt.want) }) } } @@ -827,7 +827,7 @@ func TestSigstoreimpl_AddSkippedImage(t *testing.T) { skippedImages: tt.fields.skippedImages, } sigstore.AddSkippedImage(tt.args.imageID) - require.Equal(t, sigstore.skippedImages, tt.want, "sigstore.skippedImages = %v, want %v", sigstore.skippedImages, tt.want) + require.Equal(t, sigstore.skippedImages, tt.want) }) } } 
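Review bot: Several of the shortened assertions keep the actual value in the expected position: `require.Equal(t, got, tt.want)` in TestSigstoreimpl_ShouldSkipImage, `require.Equal(t, sigstore.skippedImages, tt.want)` in AddSkippedImage, `assert.Equal(t, got, tt.want)` in SelectorValuesFromSignature and `require.Equal(t, sigstore.rekorURL, tt.want)` in SetRekorURL. testify takes `(t, expected, actual)`, and with the custom messages removed its own expected/actual labels are all a failure prints, so they come out reversed. The patch already swaps the arguments in TestSigstoreimpl_AddAllowedSubject; doing the same here, e.g. `require.Equal(t, tt.want, got)`, keeps failure output readable. All of these test functions extend beyond their hunks.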
@@ -1006,8 +1006,8 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { require.NoError(t, err) } - require.Equal(t, tt.wantedFetchArguments, fetchArguments, "sigstoreImpl.ValidateImage() fetchArguments = %v, want %v", fetchArguments, tt.wantedFetchArguments) - require.Equal(t, tt.wantedVerifyArguments, verifyArguments, "sigstoreImpl.ValidateImage() verifyArguments = %v, want %v", verifyArguments, tt.wantedVerifyArguments) + require.Equal(t, tt.wantedFetchArguments, fetchArguments) + require.Equal(t, tt.wantedVerifyArguments, verifyArguments) }) } } @@ -1140,7 +1140,7 @@ func TestSigstoreimpl_AddAllowedSubject(t *testing.T) { subjectAllowList: tt.subjectAllowList, } sigstore.AddAllowedSubject(tt.issuer, tt.subject) - require.Equal(t, sigstore.subjectAllowList, tt.want, "sigstore.subjectAllowList = %v, want %v", sigstore.subjectAllowList, tt.want) + require.Equal(t, tt.want, sigstore.subjectAllowList) }) } } @@ -1580,9 +1580,9 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { } } got, err := sigstore.SelectorValuesFromSignature(tt.args.signature, tt.containerID) - assert.Equal(t, got, tt.want, "sigstoreImpl.SelectorValuesFromSignature() = %v, want %v", got, tt.want) + assert.Equal(t, got, tt.want) if tt.wantedErr != nil { - require.EqualError(t, err, tt.wantedErr.Error(), "sigstoreImpl.SelectorValuesFromSignature() error = %v, wantedErr = %v", err, tt.wantedErr) + require.EqualError(t, err, tt.wantedErr.Error()) return } require.NoError(t, err) 
@@ -1783,15 +1783,15 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { got, err := sigstore.AttestContainerSignatures(context.Background(), &tt.status) if tt.wantedErr != nil { - require.EqualError(t, err, tt.wantedErr.Error(), "sigstoreImpl.AttestContainerSignatures() error = %v, wantedErr = %v", err, tt.wantedErr) + require.EqualError(t, err, tt.wantedErr.Error()) } else { require.NoError(t, err) } - require.Equal(t, tt.want, got, "sigstoreImpl.AttestContainerSignatures() = %v, want %v", got, tt.want) - require.Equal(t, tt.wantedFetchArguments, fetchArguments, "sigstoreImpl.AttestContainerSignatures() fetchArguments = %v, wantedFetchArguments = %v", fetchArguments, tt.wantedFetchArguments) - require.Equal(t, tt.wantedVerifyArguments, verifyArguments, "sigstoreImpl.AttestContainerSignatures() verifyArguments = %v, wantedVerifyArguments = %v", verifyArguments, tt.wantedVerifyArguments) - require.Equal(t, tt.wantedCheckOptsArguments, checkOptsArguments, "sigstoreImpl.AttestContainerSignatures() checkOptsArguments = %v, wantedCheckOptsArguments = %v", checkOptsArguments, tt.wantedCheckOptsArguments) + require.Equal(t, tt.want, got) + require.Equal(t, tt.wantedFetchArguments, fetchArguments) + require.Equal(t, tt.wantedVerifyArguments, verifyArguments) + require.Equal(t, tt.wantedCheckOptsArguments, checkOptsArguments) }) } } @@ -1892,11 +1892,11 @@ func TestSigstoreimpl_SetRekorURL(t *testing.T) { } err := sigstore.SetRekorURL(tt.args.rekorURL) if tt.wantedErr != nil { - require.EqualError(t, err, tt.wantedErr.Error(), "sigstoreImpl.SetRekorURL() error = %v, wantedErr = %v", err, tt.wantedErr) + require.EqualError(t, err, tt.wantedErr.Error()) } else { require.NoError(t, err) } - require.Equal(t, sigstore.rekorURL, tt.want, "sigstoreImpl.SetRekorURL() = %v, want %v", sigstore.rekorURL, tt.want) + require.Equal(t, sigstore.rekorURL, tt.want) }) } } From 917443e1224f88b5faf177d765551e03d034f81e Mon Sep 17 00:00:00 2001 
From: joaoguazzelli Date: Fri, 2 Dec 2022 14:48:00 -0300 Subject: [PATCH 186/257] feat: add private deployment validator (#170) * feat: add private deployment validator * fix: removed unnecessary parameter in SelectorValuesFromSignature method * fix: fixed lint errors Signed-off-by: joaoguazzelli * fix: fixed unit tests * fix: changed paramether name to a more understandable one Signed-off-by: joaoguazzelli * fix: updated parameter name in test cases Signed-off-by: joaoguazzelli * fix: added configuration method to sigstore interface Signed-off-by: joaoguazzelli * fix: added enforceSCT method to k8s posix test Signed-off-by: joaoguazzelli * fix: add space before comment Signed-off-by: joaoguazzelli * fix: added fallback in case of enforceSCT not being passed Signed-off-by: joaoguazzelli * feat: add enforceSCT parameter to docs Signed-off-by: joaoguazzelli * feat: add enforceSCT parameter to .conf Signed-off-by: joaoguazzelli Signed-off-by: joaoguazzelli --- conf/agent/agent_full.conf | 5 +- doc/plugin_agent_workloadattestor_k8s.md | 11 +-- pkg/agent/plugin/workloadattestor/k8s/k8s.go | 3 + .../plugin/workloadattestor/k8s/k8s_posix.go | 8 ++ .../workloadattestor/k8s/k8s_posix_test.go | 9 ++- .../workloadattestor/k8s/sigstore/sigstore.go | 73 +++++++++++-------- .../k8s/sigstore/sigstore_test.go | 6 +- 7 files changed, 75 insertions(+), 40 deletions(-) diff --git a/conf/agent/agent_full.conf b/conf/agent/agent_full.conf index d7dd3b7472..a6d8a91c47 100644 --- a/conf/agent/agent_full.conf +++ b/conf/agent/agent_full.conf @@ -364,7 +364,7 @@ plugins { experimental { # sigstore: sigstore options. Enables signature checking. # sigstore { - # rekor_url: The URL for the rekor STL Server to use with cosign. Required. + # rekor_url: The URL for the rekor STL Server to use with cosign. Required. # rekor_url = "https://rekor.sigstore.dev" # skip_signature_verification_image_list: List of images that should 
@@ -377,6 +377,9 @@ plugins { # Signatures from subjects outside this list will be ignored. These should be email addresses. # allowed_subjects_list { # "https://accounts.google.com" = ["subject1@example.com","subject2@example.com"] + + # enforce_sct: to be set as false in case of a private deployment not using the public CT + # enforce_sct = true # } # } } diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index ab50c06e91..3c1f7a0217 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md 
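Review bot: The sample `# enforce_sct = true` is added before the two closing `# }` lines, which (as far as the flattened hunk shows) puts it inside the commented `allowed_subjects_list { ... }` block rather than next to `rekor_url` in `sigstore { ... }`. An operator who uncomments the block as written would declare `enforce_sct` as an entry of the subject map, not as the sigstore option the plugin reads. Move the two comment lines below the `# }` that closes `allowed_subjects_list`. The comment could also state the default, e.g. `# enforce_sct: defaults to true; set to false only for a private deployment that does not use the public CT log.` The enclosing `plugins {` block starts outside the hunk.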
@@ -59,11 +59,12 @@ since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/cre | -------------------- | ----------- | | `sigstore` | Sigstore options. Options described below. See [Sigstore workload attestor for SPIRE](#sigstore-workload-attestor-for-spire)| -| Sigstore options | Description | -| ---------------- | ----------- | -| `skip_signature_verification_image_list` | The list of images, described as digest hashes, that should be skipped in signature verification. Defaults to empty list. | -| `allowed_subjects_list` | A map of allowed subject strings, keyed by the OIDC Provider URI, that are trusted and are allowed to sign container images artifacts. Defaults to empty. If empty, no workload will pass signature validation, unless listed on `skip_signature_verification_image_list`. (eg. `"https://accounts.google.com" = ["subject1@example.com","subject2@example.com"]`). | -| `rekor_url` | The rekor URL to use with cosign. Required. See notes below. | +| Sigstore options | Description | +|------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `skip_signature_verification_image_list` | The list of images, described as digest hashes, that should be skipped in signature verification. Defaults to empty list. | +| `allowed_subjects_list` | A map of allowed subject strings, keyed by the OIDC Provider URI, that are trusted and are allowed to sign container images artifacts. Defaults to empty. If empty, no workload will pass signature validation, unless listed on `skip_signature_verification_image_list`. (eg. `"https://accounts.google.com" = ["subject1@example.com","subject2@example.com"]`). 
| +| `rekor_url` | The rekor URL to use with cosign. Required. See notes below. | +| `enforce_sct` | A boolean to be set to false in case of a private deployment, not using public CT | > **Note** Cosign discourages the use of image tags for referencing docker images, and this plugin does not support attestation of sigstore selectors for workloads running on containers using tag-referenced images, which will then fail attestation for both sigstore and k8s selectors. In cases where this is necessary, add the digest string for the image in the `skip_signature_verification_image_list` setting (eg. `"sha256:abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"`). Note that sigstore signature attestation will still not be performed, but this will allow k8s selectors to be returned, along with the `"k8s:sigstore-validation:passed"` selector. diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s.go b/pkg/agent/plugin/workloadattestor/k8s/k8s.go index c2292a6f15..58b9b6c5d2 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s.go @@ -132,6 +132,9 @@ type ExperimentalK8SConfig struct { // SigstoreHCLConfig holds the sigstore configuration parsed from HCL type SigstoreHCLConfig struct { + // EnforceSCT is the parameter to be set as false in case of a private deployment not using the public CT + EnforceSCT *bool `hcl:"enforce_sct, omitempty"` + // RekorURL is the URL for the rekor server to use to verify signatures and public keys RekorURL *string `hcl:"rekor_url,omitempty"` diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index 7a03cd5138..f530587854 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go 
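Review bot: The struct tag on the new `EnforceSCT` field in SigstoreHCLConfig has a space after the comma, `hcl:"enforce_sct, omitempty"`, unlike the neighbouring `hcl:"rekor_url,omitempty"`. Whether the HCL decoder tolerates the padded option is not visible here, so it is safer written as `hcl:"enforce_sct,omitempty"`. The field comment could also state what an absent key means, which configureSigstoreClient in k8s_posix.go resolves to true: `// EnforceSCT controls SCT enforcement during signature verification; nil means true.` SigstoreHCLConfig continues past the end of the hunk.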
@@ -214,6 +214,14 @@ func canonicalizePodUID(uid string) types.UID { func configureSigstoreClient(client sigstore.Sigstore, c *SigstoreHCLConfig, log hclog.Logger) error { // Configure sigstore settings + + enforceSCT := true + if c.EnforceSCT != nil { + enforceSCT = *c.EnforceSCT + } + + client.SetEnforceSCT(enforceSCT) + client.ClearSkipList() if c.SkippedImages != nil { client.AddSkippedImage(c.SkippedImages) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go index 559835f75c..cc4425f1b0 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go @@ -684,7 +684,8 @@ type sigstoreMock struct { allowedSubjects map[string]map[string]struct{} log hclog.Logger - rekorURL string + rekorURL string + enforceSCT bool } // SetLogger implements sigstore.Sigstore @@ -692,6 +693,10 @@ func (s *sigstoreMock) SetLogger(logger hclog.Logger) { s.log = logger } +func (s *sigstoreMock) SetEnforceSCT(enforceSCT bool) { + s.enforceSCT = enforceSCT +} + func (s *sigstoreMock) FetchImageSignatures(ctx context.Context, imageName string) ([]oci.Signature, error) { if s.returnError != nil { return nil, s.returnError @@ -699,7 +704,7 @@ func (s *sigstoreMock) FetchImageSignatures(ctx context.Context, imageName strin return s.sigs, nil } -func (s *sigstoreMock) SelectorValuesFromSignature(signatures oci.Signature, containerID string) (*sigstore.SelectorsFromSignatures, error) { +func (s *sigstoreMock) SelectorValuesFromSignature(signatures oci.Signature) (*sigstore.SelectorsFromSignatures, error) { if len(s.selectors) != 0 { return &s.selectors[0], nil } diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 8fc57f9526..b03758e9c9 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go 
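Review bot: configureSigstoreClient turns SCT enforcement off whenever the config carries `enforce_sct = false`, but nothing records that the agent is running with the weaker setting, although a logger is already passed in as `log`. A line such as `if !enforceSCT { log.Warn("sigstore: SCT enforcement disabled by enforce_sct = false") }` right after the default is resolved gives operators and auditors something to alert on. The function body continues outside the hunk.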
+++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -37,7 +37,7 @@ const ( type Sigstore interface { AttestContainerSignatures(ctx context.Context, status *corev1.ContainerStatus) ([]string, error) FetchImageSignatures(ctx context.Context, imageName string) ([]oci.Signature, error) - SelectorValuesFromSignature(oci.Signature, string) (*SelectorsFromSignatures, error) + SelectorValuesFromSignature(oci.Signature) (*SelectorsFromSignatures, error) ExtractSelectorsFromSignatures(signatures []oci.Signature, containerID string) []SelectorsFromSignatures ShouldSkipImage(imageID string) (bool, error) AddSkippedImage(imageID []string) @@ -46,6 +46,7 @@ type Sigstore interface { ClearAllowedSubjects() SetRekorURL(rekorURL string) error SetLogger(logger hclog.Logger) + SetEnforceSCT(enforceSCT bool) } // The following structs are used to go through the payload json objects 
@@ -81,11 +82,45 @@ func New(cache Cache, logger hclog.Logger) Sigstore { fetchImageManifestFunction: remote.Get, checkOptsFunction: defaultCheckOptsFunction, }, + + enforceSCT: true, logger: logger, sigstorecache: cache, } } +func defaultCheckOptsFunction(rekorURL url.URL, enforceSCT ...bool) (*cosign.CheckOpts, error) { + if len(enforceSCT) > 1 { + return nil, errors.New("enforceSCT can be only one value") + } + if len(enforceSCT) == 0 { + enforceSCT = append(enforceSCT, true) + } + switch { + case rekorURL.Host == "": + return nil, errors.New("rekor URL host is empty") + case rekorURL.Scheme == "": + return nil, errors.New("rekor URL scheme is empty") + case rekorURL.Path == "": + return nil, errors.New("rekor URL path is empty") + } + + rootCerts, err := fulcio.GetRoots() + if err != nil { + return nil, fmt.Errorf("failed to get fulcio root certificates: %w", err) + } + + co := &cosign.CheckOpts{ + // Set the rekor client + RekorClient: rekor.NewHTTPClientWithConfig(nil, rekor.DefaultTransportConfig().WithBasePath(rekorURL.Path).WithHost(rekorURL.Host)), + RootCerts: rootCerts, + EnforceSCT: enforceSCT[0], + } + co.IntermediateCerts, err = fulcio.GetIntermediates() + + return co, err +} + type sigstoreImpl struct { functionHooks sigstoreFunctionHooks skippedImages map[string]struct{} @@ -93,6 +128,11 @@ type sigstoreImpl struct { rekorURL url.URL logger hclog.Logger sigstorecache Cache + enforceSCT bool +} + +func (s *sigstoreImpl) SetEnforceSCT(enforceSCT bool) { + s.enforceSCT = enforceSCT } func (s *sigstoreImpl) SetLogger(logger hclog.Logger) { @@ -132,7 +172,7 @@ func (s *sigstoreImpl) ExtractSelectorsFromSignatures(signatures []oci.Signature var selectors []SelectorsFromSignatures for _, sig := range signatures { // verify which subject - sigSelectors, err := s.SelectorValuesFromSignature(sig, containerID) + sigSelectors, err := s.SelectorValuesFromSignature(sig) if err != nil { s.logger.Error("error extracting selectors from signature", "error", err) } 
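Review bot: The relocated defaultCheckOptsFunction no longer passes the configured scheme to the Rekor client: the removed version ended the transport chain with `.WithSchemes([]string{rekorURL.Scheme})`, the new one stops at `.WithHost(rekorURL.Host)`. The function still rejects an empty `rekorURL.Scheme`, so the scheme is validated and then ignored, and the client falls back to whatever `rekor.DefaultTransportConfig()` uses, which may not be the scheme the operator set in `rekor_url`. Unless that is intended, keep the call: `rekor.DefaultTransportConfig().WithBasePath(rekorURL.Path).WithHost(rekorURL.Host).WithSchemes([]string{rekorURL.Scheme})`. Separately, `enforceSCT ...bool` with a length check is an unusual way to spell an optional flag; a plain `enforceSCT bool` parameter would remove the "can be only one value" error path.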
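Review bot: `SetEnforceSCT` stores the flag in `s.enforceSCT`, but no hunk in this patch changes a call to `s.functionHooks.checkOptsFunction`, so from what is shown the value never reaches `cosign.CheckOpts.EnforceSCT`. If the call site still passes only the URL, the variadic default of `true` always applies and `enforce_sct = false` is silently ignored. The call, which lies outside these hunks, would need the second argument, along the lines of `s.functionHooks.checkOptsFunction(s.rekorURL, s.enforceSCT)`.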
@@ -145,7 +185,7 @@ func (s *sigstoreImpl) ExtractSelectorsFromSignatures(signatures []oci.Signature // SelectorValuesFromSignature extracts selectors from a signature. // returns a list of selectors. -func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature, containerID string) (*SelectorsFromSignatures, error) { +func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature) (*SelectorsFromSignatures, error) { subject, err := getSignatureSubject(signature) if err != nil { return nil, fmt.Errorf("error getting signature subject: %w", err) @@ -429,35 +469,10 @@ type verifyFunctionType func(context.Context, name.Reference, *cosign.CheckOpts) type fetchImageManifestFunctionType func(name.Reference, ...remote.Option) (*remote.Descriptor, error) -type checkOptsFunctionType func(url.URL) (*cosign.CheckOpts, error) +type checkOptsFunctionType func(url.URL, ...bool) (*cosign.CheckOpts, error) type sigstoreFunctionHooks struct { verifyFunction verifyFunctionType fetchImageManifestFunction fetchImageManifestFunctionType checkOptsFunction checkOptsFunctionType } - -func defaultCheckOptsFunction(rekorURL url.URL) (*cosign.CheckOpts, error) { - switch { - case rekorURL.Host == "": - return nil, errors.New("rekor URL host is empty") - case rekorURL.Scheme == "": - return nil, errors.New("rekor URL scheme is empty") - case rekorURL.Path == "": - return nil, errors.New("rekor URL path is empty") - } - - rootCerts, err := fulcio.GetRoots() - if err != nil { - return nil, fmt.Errorf("failed to get fulcio root certificates: %w", err) - } - - co := &cosign.CheckOpts{ - // Set the rekor client - RekorClient: rekor.NewHTTPClientWithConfig(nil, rekor.DefaultTransportConfig().WithBasePath(rekorURL.Path).WithHost(rekorURL.Host).WithSchemes([]string{rekorURL.Scheme})), - RootCerts: rootCerts, - } - co.IntermediateCerts, err = fulcio.GetIntermediates() - - return co, err -} 
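Review bot: `checkOptsFunctionType` takes the SCT flag as `...bool`, so every implementation must handle zero, one or many values, and a caller that forgets the argument silently gets a default instead of a compile error. For a setting that changes how signatures are verified, a required parameter is easier to audit: `type checkOptsFunctionType func(url.URL, bool) (*cosign.CheckOpts, error)`. The two length checks at the top of `defaultCheckOptsFunction` would then go away.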
diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 1d19803039..528c2a64a9 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -1579,7 +1579,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { sigstore.AddAllowedSubject(issuer, subject) } } - got, err := sigstore.SelectorValuesFromSignature(tt.args.signature, tt.containerID) + got, err := sigstore.SelectorValuesFromSignature(tt.args.signature) assert.Equal(t, got, tt.want) if tt.wantedErr != nil { require.EqualError(t, err, tt.wantedErr.Error()) @@ -2000,7 +2000,7 @@ func createNilFetchFunction() fetchFunctionBinding { func createCheckOptsFunction(returnCheckOpts *cosign.CheckOpts, returnErr error) checkOptsFunctionBinding { bindCheckOptsArgumentsFunction := func(t require.TestingT, checkOptsArguments *checkOptsFunctionArguments) checkOptsFunctionType { - newCheckOptsFunction := func(url url.URL) (*cosign.CheckOpts, error) { + newCheckOptsFunction := func(url url.URL, enforceSCT ...bool) (*cosign.CheckOpts, error) { checkOptsArguments.url = url return returnCheckOpts, returnErr } @@ -2011,7 +2011,7 @@ func createCheckOptsFunction(returnCheckOpts *cosign.CheckOpts, returnErr error) func createNilCheckOptsFunction() checkOptsFunctionBinding { bindCheckOptsArgumentsFunction := func(t require.TestingT, checkOptsArguments *checkOptsFunctionArguments) checkOptsFunctionType { - failFunction := func(url url.URL) (*cosign.CheckOpts, error) { + failFunction := func(url url.URL, enforceSCT ...bool) (*cosign.CheckOpts, error) { require.FailNow(t, "nil check opts function should not be called") return nil, fmt.Errorf("nil check opts function should not be called") } From 101807f2054090214a4c4f0ccec7ceb7243e202b Mon Sep 17 00:00:00 2001 
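Review bot: Both test doubles accept the new `enforceSCT ...bool` argument and discard it, in `newCheckOptsFunction` (which records only `checkOptsArguments.url`) and in `failFunction` in hunk `@@ -2011,7 +2011,7 @@`. No test in this file can therefore detect whether the value set through `SetEnforceSCT` reaches the check-options function. Consider recording it next to the URL, e.g. `checkOptsArguments.enforceSCT = enforceSCT` with a matching field on `checkOptsFunctionArguments`, and asserting it in the table tests that already compare `wantedCheckOptsArguments`. The definition of `checkOptsFunctionArguments` lies outside the hunk.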
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 2 Dec 2022 13:46:01 -0800 Subject: [PATCH 187/257] Bump cloud.google.com/go/kms from 1.6.0 to 1.7.0 (#3659) Bumps [cloud.google.com/go/kms](https://github.com/googleapis/google-cloud-go) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/dlp/v1.6.0...dlp/v1.7.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/kms dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 6 +++--- go.sum | 10 ++++++---- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/go.mod b/go.mod index 33a18fbeef..e43231b79c 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.19 require ( cloud.google.com/go/iam v0.7.0 - cloud.google.com/go/kms v1.6.0 + cloud.google.com/go/kms v1.7.0 cloud.google.com/go/secretmanager v1.9.0 cloud.google.com/go/security v1.10.0 cloud.google.com/go/storage v1.28.0 @@ -68,7 +68,7 @@ require ( golang.org/x/sys v0.2.0 golang.org/x/time v0.2.0 google.golang.org/api v0.103.0 - google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c + google.golang.org/genproto v0.0.0-20221201164419-0e50fba7f41c google.golang.org/grpc v1.51.0 google.golang.org/protobuf v1.28.1 gopkg.in/square/go-jose.v2 v2.6.0 @@ -84,7 +84,7 @@ require ( cloud.google.com/go v0.105.0 // indirect cloud.google.com/go/compute v1.12.1 // indirect cloud.google.com/go/compute/metadata v0.2.1 // indirect - cloud.google.com/go/longrunning v0.1.1 // indirect + cloud.google.com/go/longrunning v0.3.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest v0.11.27 // indirect 
diff --git a/go.sum b/go.sum index 750962f176..eba921c00b 100644 --- a/go.sum +++ b/go.sum @@ -157,15 +157,16 @@ cloud.google.com/go/iap v1.4.0/go.mod h1:RGFwRJdihTINIe4wZ2iCP0zF/qu18ZwyKxrhMhy cloud.google.com/go/ids v1.1.0/go.mod h1:WIuwCaYVOzHIj2OhN9HAwvW+DBdmUAdcWlFxRl+KubM= cloud.google.com/go/iot v1.3.0/go.mod h1:r7RGh2B61+B8oz0AGE+J72AhA0G7tdXItODWsaA2oLs= cloud.google.com/go/kms v1.5.0/go.mod h1:QJS2YY0eJGBg3mnDfuaCyLauWwBJiHRboYxJ++1xJNg= -cloud.google.com/go/kms v1.6.0 h1:OWRZzrPmOZUzurjI2FBGtgY2mB1WaJkqhw6oIwSj0Yg= -cloud.google.com/go/kms v1.6.0/go.mod h1:Jjy850yySiasBUDi6KFUwUv2n1+o7QZFyuUJg6OgjA0= +cloud.google.com/go/kms v1.7.0 h1:8FCf8C7qfOuSr6YzOQ4RGjJvswSRFeOpur3nHOlJbio= +cloud.google.com/go/kms v1.7.0/go.mod h1:k2UdVoNIHLJi/Rnng6dN0vlq7lS3jHSDiZasft+gmYE= cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic= cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI= cloud.google.com/go/language v1.7.0/go.mod h1:DJ6dYN/W+SQOjF8e1hLQXMF21AkH2w9wiPzPCJa2MIE= cloud.google.com/go/lifesciences v0.5.0/go.mod h1:3oIKy8ycWGPUyZDR/8RNnTOYevhaMLqh5vLUXs9zvT8= cloud.google.com/go/lifesciences v0.6.0/go.mod h1:ddj6tSX/7BOnhxCSd3ZcETvtNr8NZ6t/iPhY2Tyfu08= -cloud.google.com/go/longrunning v0.1.1 h1:y50CXG4j0+qvEukslYFBCrzaXX0qpFbBzc3PchSu/LE= cloud.google.com/go/longrunning v0.1.1/go.mod h1:UUFxuDWkv22EuY93jjmDMFT5GPQKeFVJBIF6QlTqdsE= +cloud.google.com/go/longrunning v0.3.0 h1:NjljC+FYPV3uh5/OwWT6pVU+doBqMg2x/rZlE+CamDs= +cloud.google.com/go/longrunning v0.3.0/go.mod h1:qth9Y41RRSUE69rDcOn6DdK3HfQfsUI0YSmW3iIlLJc= cloud.google.com/go/managedidentities v1.3.0/go.mod h1:UzlW3cBOiPrzucO5qWkNkh0w33KFtBJU281hacNvsdE= cloud.google.com/go/mediatranslation v0.5.0/go.mod h1:jGPUhGTybqsPQn91pNXw0xVHfuJ3leR1wj37oU3y1f4= cloud.google.com/go/mediatranslation v0.6.0/go.mod h1:hHdBCTYNigsBxshbznuIMFNe5QXEowAuNmmC7h8pu5w= 
@@ -1790,8 +1791,9 @@ google.golang.org/genproto v0.0.0-20221014173430-6e2ab493f96b/go.mod h1:1vXfmgAz google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= google.golang.org/genproto v0.0.0-20221024153911-1573dae28c9c/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s= google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s= -google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c h1:QgY/XxIAIeccR+Ca/rDdKubLIU9rcJ3xfy1DC/Wd2Oo= google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c/go.mod h1:CGI5F/G+E5bKwmfYo09AXuVN4dD894kIKUFmVbP2/Fo= +google.golang.org/genproto v0.0.0-20221201164419-0e50fba7f41c h1:S34D59DS2GWOEwWNt4fYmTcFrtlOgukG2k9WsomZ7tg= +google.golang.org/genproto v0.0.0-20221201164419-0e50fba7f41c/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= From ca5394dd691a0bd58b7b9e912f6ae577b09a9030 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 2 Dec 2022 14:41:44 -0800 Subject: [PATCH 188/257] Bump github.com/go-sql-driver/mysql from 1.6.0 to 1.7.0 (#3658) Bumps [github.com/go-sql-driver/mysql](https://github.com/go-sql-driver/mysql) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/go-sql-driver/mysql/releases) - [Changelog](https://github.com/go-sql-driver/mysql/blob/master/CHANGELOG.md) - [Commits](https://github.com/go-sql-driver/mysql/compare/v1.6.0...v1.7.0) --- updated-dependencies: - dependency-name: github.com/go-sql-driver/mysql dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index e43231b79c..774877bd7c 100644 --- a/go.mod +++ b/go.mod @@ -32,7 +32,7 @@ require ( github.com/docker/docker v20.10.21+incompatible github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1 github.com/go-logr/logr v1.2.3 - github.com/go-sql-driver/mysql v1.6.0 + github.com/go-sql-driver/mysql v1.7.0 github.com/gofrs/uuid v4.3.1+incompatible github.com/golang/mock v1.6.0 github.com/golang/protobuf v1.5.2 diff --git a/go.sum b/go.sum index eba921c00b..d20e856b32 100644 --- a/go.sum +++ b/go.sum @@ -579,8 +579,9 @@ github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= -github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE= github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= +github.com/go-sql-driver/mysql v1.7.0 h1:ueSltNNllEqE3qcWBTD0iQd3IpL/6U+mJxLkazJ7YPc= +github.com/go-sql-driver/mysql v1.7.0/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= From 43eb3474a99f887c2a5e182c125899c2b587dd23 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 2 Dec 2022 16:40:49 -0800 Subject: [PATCH 189/257] Bump cloud.google.com/go/storage from 1.28.0 to 1.28.1 (#3662) Bumps [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go) from 1.28.0 to 1.28.1. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.28.0...storage/v1.28.1) --- updated-dependencies: - dependency-name: cloud.google.com/go/storage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 774877bd7c..cfd6318687 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,7 @@ require ( cloud.google.com/go/kms v1.7.0 cloud.google.com/go/secretmanager v1.9.0 cloud.google.com/go/security v1.10.0 - cloud.google.com/go/storage v1.28.0 + cloud.google.com/go/storage v1.28.1 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0 diff --git a/go.sum b/go.sum index d20e856b32..8fce6fe1e4 100644 --- a/go.sum +++ b/go.sum 
@@ -257,8 +257,8 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9 cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y= cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeLgDvXzfIXc= cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s= -cloud.google.com/go/storage v1.28.0 h1:DLrIZ6xkeZX6K70fU/boWx5INJumt6f+nwwWSHXzzGY= -cloud.google.com/go/storage v1.28.0/go.mod h1:qlgZML35PXA3zoEnIkiPLY4/TOkUleufRlu6qmcf7sI= +cloud.google.com/go/storage v1.28.1 h1:F5QDG5ChchaAVQhINh24U99OWHURqrW8OmQcGKXcbgI= +cloud.google.com/go/storage v1.28.1/go.mod h1:Qnisd4CqDdo6BGs2AD5LLnEsmSQ80wQ5ogcBBKhU86Y= cloud.google.com/go/storagetransfer v1.5.0/go.mod h1:dxNzUopWy7RQevYFHewchb29POFv3/AaBgnhqzqiK0w= cloud.google.com/go/talent v1.1.0/go.mod h1:Vl4pt9jiHKvOgF9KoZo6Kob9oV4lwd/ZD5Cto54zDRw= cloud.google.com/go/talent v1.2.0/go.mod h1:MoNF9bhFQbiJ6eFD3uSsg0uBALw4n4gaCaEjBw9zo8g= From d15f8de600d03736fc962c185a1f8727786b6ced Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Sat, 3 Dec 2022 13:42:33 -0300 Subject: [PATCH 190/257] Retry GetPublicKey if needed (#3655) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- .../plugin/keymanager/gcpkms/fetcher.go | 2 +- pkg/server/plugin/keymanager/gcpkms/gcpkms.go | 45 ++++++++++++++++--- .../plugin/keymanager/gcpkms/gcpkms_test.go | 2 +- 3 files changed, 41 insertions(+), 8 deletions(-) diff --git a/pkg/server/plugin/keymanager/gcpkms/fetcher.go b/pkg/server/plugin/keymanager/gcpkms/fetcher.go index a418b24f80..4070f49f82 100644 --- a/pkg/server/plugin/keymanager/gcpkms/fetcher.go +++ b/pkg/server/plugin/keymanager/gcpkms/fetcher.go 
@@ -104,7 +104,7 @@ func (kf *keyFetcher) getKeyEntriesFromCryptoKey(ctx context.Context, cryptoKey return nil, status.Errorf(codes.Internal, "unsupported CryptoKeyVersionAlgorithm: %v", cryptoKeyVersion.Algorithm) } - pubKey, err := getPublicKeyFromCryptoKeyVersion(ctx, kf.kmsClient, cryptoKeyVersion.Name) + pubKey, err := getPublicKeyFromCryptoKeyVersion(ctx, kf.log, kf.kmsClient, cryptoKeyVersion.Name) if err != nil { return nil, status.Errorf(codes.Internal, "error getting public key: %v", err) } diff --git a/pkg/server/plugin/keymanager/gcpkms/gcpkms.go b/pkg/server/plugin/keymanager/gcpkms/gcpkms.go index ab59db1ed4..51d4ef16f8 100644 --- a/pkg/server/plugin/keymanager/gcpkms/gcpkms.go +++ b/pkg/server/plugin/keymanager/gcpkms/gcpkms.go @@ -413,7 +413,7 @@ func (p *Plugin) createKey(ctx context.Context, spireKeyID string, keyType keyma cryptoKeyVersionName := cryptoKey.Name + "/cryptoKeyVersions/1" log.Debug("CryptoKeyVersion version added", cryptoKeyVersionNameTag, cryptoKeyVersionName) - pubKey, err := getPublicKeyFromCryptoKeyVersion(ctx, p.kmsClient, cryptoKeyVersionName) + pubKey, err := getPublicKeyFromCryptoKeyVersion(ctx, p.log, p.kmsClient, cryptoKeyVersionName) if err != nil { return nil, status.Errorf(codes.Internal, "failed to get public key: %v", err) } @@ -467,7 +467,7 @@ func (p *Plugin) addCryptoKeyVersionToCachedEntry(ctx context.Context, entry key } log.Debug("CryptoKeyVersion added", cryptoKeyVersionNameTag, cryptoKeyVersion.Name) - pubKey, err := getPublicKeyFromCryptoKeyVersion(ctx, p.kmsClient, cryptoKeyVersion.Name) + pubKey, err := getPublicKeyFromCryptoKeyVersion(ctx, p.log, p.kmsClient, cryptoKeyVersion.Name) if err != nil { return nil, fmt.Errorf("failed to get public key: %w", err) } 
@@ -1028,10 +1028,43 @@ func getOrCreateServerID(idPath string) (string, error) { // getPublicKeyFromCryptoKeyVersion requests Cloud KMS to get the public key // of the specified CryptoKeyVersion. -func getPublicKeyFromCryptoKeyVersion(ctx context.Context, kmsClient cloudKeyManagementService, cryptoKeyVersionName string) (pubKey []byte, err error) { - kmsPublicKey, err := kmsClient.GetPublicKey(ctx, &kmspb.GetPublicKeyRequest{Name: cryptoKeyVersionName}) - if err != nil { - return nil, err +func getPublicKeyFromCryptoKeyVersion(ctx context.Context, log hclog.Logger, kmsClient cloudKeyManagementService, cryptoKeyVersionName string) ([]byte, error) { + kmsPublicKey, errGetPublicKey := kmsClient.GetPublicKey(ctx, &kmspb.GetPublicKeyRequest{Name: cryptoKeyVersionName}) + attempts := 1 + const maxAttempts = 10 + + log = log.With(cryptoKeyVersionNameTag, cryptoKeyVersionName) + for errGetPublicKey != nil { + if attempts > maxAttempts { + log.Error("Could not get the public key because the CryptoKeyVersion is still being generated. Maximum number of attempts reached.") + return nil, errGetPublicKey + } + cryptoKeyVersion, errGetCryptoKeyVersion := kmsClient.GetCryptoKeyVersion(ctx, &kmspb.GetCryptoKeyVersionRequest{ + Name: cryptoKeyVersionName, + }) + if errGetCryptoKeyVersion != nil { + return nil, errGetCryptoKeyVersion + } + + // Check if the CryptoKeyVersion is still being generated or + // if it is now enabled. + // Longer generation times can be observed when using algorithms + // with large key sizes. (e.g. when rsa-4096 keys are used). + // One or two additional attempts is usually enough to find the + // CryptoKeyVersion enabled. + switch cryptoKeyVersion.State { + case kmspb.CryptoKeyVersion_PENDING_GENERATION: + // This is a recoverable error. + case kmspb.CryptoKeyVersion_ENABLED: + // The CryptoKeyVersion may be ready to be used now. + default: + // We cannot recover if it's in a different status. 
+ return nil, errGetPublicKey + } + + log.Warn("Could not get the public key because the CryptoKeyVersion is still being generated. Trying again.") + attempts++ + kmsPublicKey, errGetPublicKey = kmsClient.GetPublicKey(ctx, &kmspb.GetPublicKeyRequest{Name: cryptoKeyVersionName}) } // Perform integrity verification. diff --git a/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go b/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go index ab722d5d2a..169dc5806f 100644 --- a/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go +++ b/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go @@ -1222,7 +1222,7 @@ func TestGetPublicKeys(t *testing.T) { for _, fck := range storedFakeCryptoKeys { storedFakeCryptoKeyVersions := fck.fetchFakeCryptoKeyVersions() for _, fckv := range storedFakeCryptoKeyVersions { - pubKey, err := getPublicKeyFromCryptoKeyVersion(ctx, ts.fakeKMSClient, fckv.CryptoKeyVersion.Name) + pubKey, err := getPublicKeyFromCryptoKeyVersion(ctx, ts.plugin.log, ts.fakeKMSClient, fckv.CryptoKeyVersion.Name) require.NoError(t, err) require.Equal(t, pubKey, resp.PublicKeys[0].PkixData) } From 0a8566522582a369c6ea57f98274fe3bec407d31 Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Mon, 5 Dec 2022 09:08:04 -0300 Subject: [PATCH 191/257] missing refactor comments (#196) * misc: removed nil want from clear tests misc: removed nil fields from clearSkipList test misc: moved skip images to test struct on clearSkipList test Signed-off-by: Rodrigo Lopes * misc: removed single field structs from FetchImageSignatures test Signed-off-by: Rodrigo Lopes * misc: removed single field structs from skip list tests Signed-off-by: Rodrigo Lopes * misc: removed single filed struct on ValidateImage tests Signed-off-by: Rodrigo Lopes * misc: removed single filed struct from selectorsfromsignature tests Signed-off-by: Rodrigo Lopes * misc: removed single filed struct from setRekorUrl tests Signed-off-by: Rodrigo Lopes * misc: reordered require.Equal args 
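Review bot: The retry loop in `getPublicKeyFromCryptoKeyVersion` calls `GetCryptoKeyVersion` and then `GetPublicKey` again with no wait between attempts, so a key that takes longer to generate than a handful of round-trips exhausts the limit and still fails. Every `GetPublicKey` error enters the loop, so when the version is already `ENABLED` a non-transient failure (for example a permission error) is retried to the limit and logged as "still being generated". With `attempts` starting at 1 and the test `attempts > maxAttempts`, the function can also make 11 calls rather than 10. The sketch below adds a bounded wait that stops on context cancellation; `getPublicKeyRetryInterval` is a new constant to be defined, not something already in the file. The function body continues past the end of the hunk.

```go
	// … unchanged: first GetPublicKey call, attempts, maxAttempts, log.With …
	for errGetPublicKey != nil {
		if attempts >= maxAttempts {
			// … unchanged: log.Error and return errGetPublicKey …
		}
		// … unchanged: GetCryptoKeyVersion call and the State switch …

		// Give Cloud KMS time to finish generating the key, and stop
		// waiting as soon as the caller's context is done.
		select {
		case <-ctx.Done():
			return nil, ctx.Err()
		case <-time.After(getPublicKeyRetryInterval):
		}

		// … unchanged: log.Warn, attempts++, second GetPublicKey call …
	}
```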
Signed-off-by: Rodrigo Lopes * misc: fixing lint complaints Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes --- .../k8s/sigstore/sigstore_test.go | 735 +++++++----------- 1 file changed, 274 insertions(+), 461 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 528c2a64a9..7892df00cb 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -113,9 +113,6 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { functionBindings sigstoreFunctionBindings rekorURL url.URL } - type args struct { - imageName string - } defaultCheckOpts, _ := defaultCheckOptsFunction(rekorDefaultURL()) emptyURLCheckOpts, emptyError := defaultCheckOptsFunction(url.URL{}) @@ -125,7 +122,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { tests := []struct { name string fields fields - args args + imageName string wantedFetchArguments fetchFunctionArguments wantedVerifyArguments verifyFunctionArguments wantedCheckOptsArguments checkOptsFunctionArguments @@ -146,9 +143,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { }, rekorURL: rekorDefaultURL(), }, - args: args{ - imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", - }, + imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", wantedFetchArguments: fetchFunctionArguments{ ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, 
@@ -184,9 +179,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { }, rekorURL: rekorDefaultURL(), }, - args: args{ - imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", - }, + imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", wantedFetchArguments: fetchFunctionArguments{ ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, @@ -218,9 +211,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { }, rekorURL: rekorDefaultURL(), }, - args: args{ - imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", - }, + imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", wantedFetchArguments: fetchFunctionArguments{ ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, @@ -246,9 +237,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { }, rekorURL: rekorDefaultURL(), }, - args: args{ - imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", - }, + imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", wantedFetchArguments: fetchFunctionArguments{ ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, 
@@ -278,9 +267,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { }, rekorURL: rekorDefaultURL(), }, - args: args{ - imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", - }, + imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", wantedFetchArguments: fetchFunctionArguments{ ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, @@ -310,9 +297,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { }, rekorURL: rekorDefaultURL(), }, - args: args{ - imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", - }, + imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", wantedFetchArguments: fetchFunctionArguments{ ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, @@ -338,9 +323,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { }, rekorURL: rekorDefaultURL(), }, - args: args{ - imageName: "invali|].url.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", - }, + imageName: "invali|].url.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", want: nil, wantedErr: fmt.Errorf("error parsing image reference: %w", errors.New("could not parse reference: invali|].url.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505")), }, 
@@ -354,9 +337,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { }, rekorURL: url.URL{}, }, - args: args{ - imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", - }, + imageName: "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", wantedFetchArguments: fetchFunctionArguments{ ref: name.MustParseReference("docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, @@ -378,9 +359,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { }, rekorURL: rekorDefaultURL(), }, - args: args{ - imageName: "docker-registry.com/some/image@sha256:4fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", - }, + imageName: "docker-registry.com/some/image@sha256:4fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505", wantedFetchArguments: fetchFunctionArguments{ ref: name.MustParseReference("docker-registry.com/some/image@sha256:4fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, @@ -405,7 +384,7 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { sigstorecache: NewCache(maximumAmountCache), rekorURL: tt.fields.rekorURL, } - got, err := sigstore.FetchImageSignatures(context.Background(), tt.args.imageName) + got, err := sigstore.FetchImageSignatures(context.Background(), tt.imageName) if tt.wantedErr != nil { require.EqualError(t, err, tt.wantedErr.Error()) } else { 
@@ -657,80 +636,54 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { } func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { - type fields struct { - skippedImages map[string]struct{} - } - type args struct { - imageID string - } tests := []struct { - name string - fields fields - args args - want bool - wantedErr error + name string + skippedImages map[string]struct{} + imageID string + want bool + wantedErr error }{ { name: "skipping only image in list", - fields: fields{ - skippedImages: map[string]struct{}{ - "sha256:sampleimagehash": struct{}{}, - }, - }, - args: args{ - imageID: "sha256:sampleimagehash", + skippedImages: map[string]struct{}{ + "sha256:sampleimagehash": struct{}{}, }, - want: true, + imageID: "sha256:sampleimagehash", + want: true, }, { name: "skipping image in list", - fields: fields{ - skippedImages: map[string]struct{}{ - "sha256:sampleimagehash": struct{}{}, - "sha256:sampleimagehash2": struct{}{}, - "sha256:sampleimagehash3": struct{}{}, - }, - }, - args: args{ - imageID: "sha256:sampleimagehash2", + skippedImages: map[string]struct{}{ + "sha256:sampleimagehash": struct{}{}, + "sha256:sampleimagehash2": struct{}{}, + "sha256:sampleimagehash3": struct{}{}, }, - want: true, + imageID: "sha256:sampleimagehash2", + want: true, }, { name: "image not in list", - fields: fields{ - skippedImages: map[string]struct{}{ - "sha256:sampleimagehash": struct{}{}, - "sha256:sampleimagehash3": struct{}{}, - }, - }, - args: args{ - imageID: "sha256:sampleimagehash2", + skippedImages: map[string]struct{}{ + "sha256:sampleimagehash": struct{}{}, + "sha256:sampleimagehash3": struct{}{}, }, - want: false, + imageID: "sha256:sampleimagehash2", + want: false, }, { - name: "empty skip list", - fields: fields{ - skippedImages: nil, - }, - args: args{ - imageID: "sha256:sampleimagehash", - }, - want: false, + name: "empty skip list", + skippedImages: nil, + imageID: "sha256:sampleimagehash", + want: false, }, { name: "empty imageID", - fields: 
fields{ - skippedImages: map[string]struct{}{ - "sha256:sampleimagehash": struct{}{}, - "sha256:sampleimagehash2": struct{}{}, - "sha256:sampleimagehash3": struct{}{}, - }, - }, - args: args{ - imageID: "", + skippedImages: map[string]struct{}{ + "sha256:sampleimagehash": struct{}{}, + "sha256:sampleimagehash2": struct{}{}, + "sha256:sampleimagehash3": struct{}{}, }, + imageID: "", want: false, wantedErr: errors.New("image ID is empty"), }, 
@@ -738,63 +691,47 @@ func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { sigstore := sigstoreImpl{ - skippedImages: tt.fields.skippedImages, + skippedImages: tt.skippedImages, } - got, err := sigstore.ShouldSkipImage(tt.args.imageID) + got, err := sigstore.ShouldSkipImage(tt.imageID) if tt.wantedErr != nil { require.EqualError(t, err, tt.wantedErr.Error()) } else { require.NoError(t, err) } - require.Equal(t, got, tt.want) + require.Equal(t, tt.want, got) }) } } func TestSigstoreimpl_AddSkippedImage(t *testing.T) { - type fields struct { - verifyFunction func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) - fetchImageManifestFunction func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) - skippedImages map[string]struct{} - } - type args struct { - imageID []string - } tests := []struct { - name string - fields fields - args args - want map[string]struct{} + name string + skippedImages map[string]struct{} + imageID []string + want map[string]struct{} }{ { - name: "add skipped image to empty map", - args: args{ - imageID: []string{"sha256:sampleimagehash"}, - }, + name: "add skipped image to empty map", + imageID: []string{"sha256:sampleimagehash"}, want: map[string]struct{}{ "sha256:sampleimagehash": struct{}{}, }, }, { name: "add skipped image", - fields: fields{ - skippedImages: map[string]struct{}{ - "sha256:sampleimagehash1": struct{}{}, - }, - }, - args: args{ - imageID: []string{"sha256:sampleimagehash"}, + skippedImages: map[string]struct{}{ + "sha256:sampleimagehash1": struct{}{}, }, + imageID: []string{"sha256:sampleimagehash"}, want: map[string]struct{}{ "sha256:sampleimagehash": struct{}{}, "sha256:sampleimagehash1": struct{}{}, }, }, { - name: "add a list of skipped images to empty map", - args: args{ - imageID: []string{"sha256:sampleimagehash", "sha256:sampleimagehash1"}, - }, + name: "add a list of skipped 
images to empty map", + imageID: []string{"sha256:sampleimagehash", "sha256:sampleimagehash1"}, want: map[string]struct{}{ "sha256:sampleimagehash": struct{}{}, "sha256:sampleimagehash1": struct{}{}, @@ -802,14 +739,10 @@ func TestSigstoreimpl_AddSkippedImage(t *testing.T) { }, { name: "add a list of skipped images to a existing map", - fields: fields{ - skippedImages: map[string]struct{}{ - "sha256:sampleimagehash": struct{}{}, - }, - }, - args: args{ - imageID: []string{"sha256:sampleimagehash1", "sha256:sampleimagehash2"}, + skippedImages: map[string]struct{}{ + "sha256:sampleimagehash": struct{}{}, }, + imageID: []string{"sha256:sampleimagehash1", "sha256:sampleimagehash2"}, want: map[string]struct{}{ "sha256:sampleimagehash": struct{}{}, "sha256:sampleimagehash1": struct{}{}, 
@@ -820,85 +753,48 @@ func TestSigstoreimpl_AddSkippedImage(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { sigstore := sigstoreImpl{ - functionHooks: sigstoreFunctionHooks{ - verifyFunction: tt.fields.verifyFunction, - fetchImageManifestFunction: tt.fields.fetchImageManifestFunction, - }, - skippedImages: tt.fields.skippedImages, + skippedImages: tt.skippedImages, } - sigstore.AddSkippedImage(tt.args.imageID) - require.Equal(t, sigstore.skippedImages, tt.want) + sigstore.AddSkippedImage(tt.imageID) + require.Equal(t, tt.want, sigstore.skippedImages) }) } } func TestSigstoreimpl_ClearSkipList(t *testing.T) { - type fields struct { - verifyFunction func(context context.Context, ref name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) - fetchImageManifestFunction func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) - skippedImages map[string]struct{} - } tests := []struct { - name string - fields fields - want map[string]struct{} + skippedImages map[string]struct{} + name string }{ { name: "clear single image in map", - fields: fields{ - - verifyFunction: nil, - fetchImageManifestFunction: nil, - skippedImages: map[string]struct{}{ - "sha256:sampleimagehash": struct{}{}, - }, + skippedImages: map[string]struct{}{ + "sha256:sampleimagehash": struct{}{}, }, - want: nil, }, { name: "clear multiple images map", - fields: fields{ - verifyFunction: nil, - fetchImageManifestFunction: nil, - skippedImages: map[string]struct{}{ - "sha256:sampleimagehash": struct{}{}, - "sha256:sampleimagehash1": struct{}{}, - }, + skippedImages: map[string]struct{}{ + "sha256:sampleimagehash": struct{}{}, + "sha256:sampleimagehash1": struct{}{}, }, - want: nil, }, { - name: "clear on empty map", - fields: fields{ - verifyFunction: nil, - fetchImageManifestFunction: nil, - skippedImages: map[string]struct{}{}, - }, - want: nil, + name: "clear on empty map", + skippedImages: map[string]struct{}{}, }, { - name: "clear on 
nil map", - fields: fields{ - verifyFunction: nil, - fetchImageManifestFunction: nil, - skippedImages: nil, - }, - want: nil, + name: "clear on nil map", + skippedImages: nil, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { sigstore := &sigstoreImpl{ - functionHooks: sigstoreFunctionHooks{ - verifyFunction: tt.fields.verifyFunction, - fetchImageManifestFunction: tt.fields.fetchImageManifestFunction, - }, - skippedImages: tt.fields.skippedImages, + skippedImages: tt.skippedImages, } sigstore.ClearSkipList() - if sigstore.skippedImages != nil { - t.Errorf("sigstore.skippedImages = %v, want %v", sigstore.skippedImages, tt.want) - } + require.Empty(t, sigstore.skippedImages) }) } } @@ -907,15 +803,11 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { type fields struct { verifyFunction verifyFunctionBinding fetchImageManifestFunction fetchFunctionBinding - skippedImages map[string]struct{} - } - type args struct { - ref name.Reference } tests := []struct { name string fields fields - args args + ref name.Reference wantedFetchArguments fetchFunctionArguments wantedVerifyArguments verifyFunctionArguments wantedErr error @@ -928,9 +820,7 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { Manifest: []byte(`sometext`), }, nil), }, - args: args{ - ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), - }, + ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), wantedFetchArguments: fetchFunctionArguments{ ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, 
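Review bot: `require.Empty(t, sigstore.skippedImages)` in the TestSigstoreimpl_ClearSkipList loop is a weaker assertion than the `!= nil` check it replaces, because it passes for both a nil map and an allocated zero-length map. If ClearSkipList is meant to reset the field to nil, `require.Nil(t, sigstore.skippedImages)` keeps the old contract pinned. If either state is acceptable, a one-line comment on the assertion would record that the relaxation is intentional. The same substitution is made for `sigstore.subjectAllowList` in the TestSigstoreimpl_ClearAllowedSubjects hunk further down.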
@@ -943,9 +833,7 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { verifyFunction: createNilVerifyFunction(), fetchImageManifestFunction: createFetchFunction(nil, errors.New("fetch error 123")), }, - args: args{ - ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), - }, + ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), wantedFetchArguments: fetchFunctionArguments{ ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, @@ -960,9 +848,7 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { Manifest: nil, }, nil), }, - args: args{ - ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), - }, + ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), wantedFetchArguments: fetchFunctionArguments{ ref: name.MustParseReference("example.com/sampleimage@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505"), options: nil, @@ -977,9 +863,7 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { Manifest: []byte("f0c62edf734ff52ee830c9eeef2ceefad94f7f089706d170f8d9dc64befb57cc"), }, nil), }, - args: args{ - ref: name.MustParseReference("example.com/sampleimage@sha256:f037cc8ec4cd38f95478773741fdecd48d721a527d19013031692edbf95fae69"), - }, + ref: name.MustParseReference("example.com/sampleimage@sha256:f037cc8ec4cd38f95478773741fdecd48d721a527d19013031692edbf95fae69"), wantedFetchArguments: fetchFunctionArguments{ ref: name.MustParseReference("example.com/sampleimage@sha256:f037cc8ec4cd38f95478773741fdecd48d721a527d19013031692edbf95fae69"), options: nil, 
@@ -996,10 +880,9 @@ func TestSigstoreimpl_ValidateImage(t *testing.T) { verifyFunction: tt.fields.verifyFunction(t, &verifyArguments), fetchImageManifestFunction: tt.fields.fetchImageManifestFunction(t, &fetchArguments), }, - skippedImages: tt.fields.skippedImages, } - err := sigstore.ValidateImage(tt.args.ref) + err := sigstore.ValidateImage(tt.ref) if tt.wantedErr != nil { require.EqualError(t, err, tt.wantedErr.Error()) } else { @@ -1149,7 +1032,6 @@ func TestSigstoreimpl_ClearAllowedSubjects(t *testing.T) { tests := []struct { name string subjectAllowList map[string]map[string]struct{} - want map[string]map[string]struct{} }{ { @@ -1163,7 +1045,6 @@ func TestSigstoreimpl_ClearAllowedSubjects(t *testing.T) { "spirex5@example.com": struct{}{}, }, }, - want: nil, }, { name: "clear map with multiple issuers", @@ -1181,17 +1062,14 @@ func TestSigstoreimpl_ClearAllowedSubjects(t *testing.T) { "spirex6@example.com": struct{}{}, }, }, - want: nil, }, { name: "clear empty map", subjectAllowList: map[string]map[string]struct{}{}, - want: nil, }, { name: "clear nil map", subjectAllowList: nil, - want: nil, }, } for _, tt := range tests { @@ -1200,20 +1078,15 @@ func TestSigstoreimpl_ClearAllowedSubjects(t *testing.T) { subjectAllowList: tt.subjectAllowList, } sigstore.ClearAllowedSubjects() - if sigstore.subjectAllowList != nil { - t.Errorf("sigstore.subjectAllowList = %v, want %v", sigstore.subjectAllowList, tt.want) - } + require.Empty(t, sigstore.subjectAllowList) }) } } func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { - type args struct { - signature oci.Signature - } tests := []struct { name string - args args + signature oci.Signature containerID string subjectAllowList map[string][]string want *SelectorsFromSignatures 
@@ -1221,24 +1094,22 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }{ { name: "selector from signature", - args: args{ - signature: signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", - LogID: "samplelogID", - IntegratedTime: 12345, - }, - }, - cert: &x509.Certificate{ - EmailAddresses: []string{"spirex@example.com"}, - Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, - Value: []byte(`issuer1`), - }}, + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, containerID: "000000", subjectAllowList: map[string][]string{ 
@@ -1253,24 +1124,22 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, { name: "selector from signature, empty subject", - args: args{ - signature: signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "","key2": "value 2","key3": "value 3"}}`), - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", - LogID: "samplelogID", - IntegratedTime: 12345, - }, - }, - cert: &x509.Certificate{ - EmailAddresses: nil, - Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, - Value: []byte(`issuer1`), - }}, + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: nil, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, containerID: "111111", subjectAllowList: nil, 
@@ -1279,16 +1148,14 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, { name: "selector from signature, not in allowlist", - args: args{ - signature: signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex1@example.com","key2": "value 2","key3": "value 3"}}`), - cert: &x509.Certificate{ - EmailAddresses: []string{"spirex1@example.com"}, - Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, - Value: []byte(`issuer1`), - }}, - }, + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex1@example.com","key2": "value 2","key3": "value 3"}}`), + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex1@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, }, }, containerID: "222222", 
@@ -1300,24 +1167,22 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, { name: "selector from signature, allowedlist enabled, in allowlist", - args: args{ - signature: signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", - LogID: "samplelogID", - IntegratedTime: 12345, - }, - }, - cert: &x509.Certificate{ - EmailAddresses: []string{"spirex@example.com"}, - Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, - Value: []byte(`issuer1`), - }}, + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, containerID: "333333", subjectAllowList: map[string][]string{ 
@@ -1332,24 +1197,22 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, { name: "selector from signature, allowedlist enabled, in allowlist, empty content", - args: args{ - signature: signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiIgogICAgfQogIH0KfQ==", - LogID: "samplelogID", - IntegratedTime: 12345, - }, - }, - cert: &x509.Certificate{ - EmailAddresses: []string{"spirex@example.com"}, - Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, - Value: []byte(`issuer1`), - }}, + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiIgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, containerID: "444444", subjectAllowList: map[string][]string{ 
@@ -1360,16 +1223,14 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, { name: "selector from signature, nil bundle", - args: args{ - signature: nilBundleSignature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - cert: &x509.Certificate{ - EmailAddresses: []string{"spirex@example.com"}, - Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, - Value: []byte(`issuer1`), - }}, - }, + signature: nilBundleSignature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, }, }, containerID: "555555", 
@@ -1381,24 +1242,22 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, { name: "selector from signature, bundle payload body is not a string", - args: args{ - signature: signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: 42, - LogID: "samplelogID", - IntegratedTime: 12345, - }, - }, - cert: &x509.Certificate{ - EmailAddresses: []string{"spirex@example.com"}, - Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, - Value: []byte(`issuer1`), - }}, + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: 42, + LogID: "samplelogID", + IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, containerID: "000000", subjectAllowList: map[string][]string{ 
@@ -1409,24 +1268,22 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, { name: "selector from signature, bundle payload body is not valid base64", - args: args{ - signature: signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "abc..........def", - LogID: "samplelogID", - IntegratedTime: 12345, - }, - }, - cert: &x509.Certificate{ - EmailAddresses: []string{"spirex@example.com"}, - Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, - Value: []byte(`issuer1`), - }}, + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "abc..........def", + LogID: "samplelogID", + IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, containerID: "000000", subjectAllowList: map[string][]string{ 
@@ -1437,24 +1294,22 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, { name: "selector from signature, bundle payload body has no signature content", - args: args{ - signature: signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "ewogICAgInNwZWMiOiB7CiAgICAgICJzaWduYXR1cmUiOiB7CiAgICAgIH0KICAgIH0KfQ==", - LogID: "samplelogID", - IntegratedTime: 12345, - }, - }, - cert: &x509.Certificate{ - EmailAddresses: []string{"spirex@example.com"}, - Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, - Value: []byte(`issuer1`), - }}, + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICAgInNwZWMiOiB7CiAgICAgICJzaWduYXR1cmUiOiB7CiAgICAgIH0KICAgIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, containerID: "000000", subjectAllowList: map[string][]string{ 
@@ -1465,24 +1320,22 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, { name: "selector from signature, bundle payload body signature content is empty", - args: args{ - signature: signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "ewogICAgInNwZWMiOiB7CiAgICAgICAgInNpZ25hdHVyZSI6IHsKICAgICAgICAiY29udGVudCI6ICIiCiAgICAgICAgfQogICAgfQp9", - LogID: "samplelogID", - IntegratedTime: 12345, - }, - }, - cert: &x509.Certificate{ - EmailAddresses: []string{"spirex@example.com"}, - Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, - Value: []byte(`issuer1`), - }}, + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICAgInNwZWMiOiB7CiAgICAgICAgInNpZ25hdHVyZSI6IHsKICAgICAgICAiY29udGVudCI6ICIiCiAgICAgICAgfQogICAgfQp9", + LogID: "samplelogID", + IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, containerID: "000000", subjectAllowList: map[string][]string{ 
@@ -1493,24 +1346,22 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, { name: "selector from signature, bundle payload body is not a valid JSON", - args: args{ - signature: signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - bundle: &bundle.RekorBundle{ - Payload: bundle.RekorPayload{ - Body: "ewogICJzcGVjIjosLCB7CiAgICAic2lnbmF0dXJlIjogewogICAgICAiY29udGVudCI6ICJNRVVDSVFDeWVtOEdjcjBzUEZNUDdmVFhhekNONTdOY041K01qeEp3OU9vMHgyZU0rQUlnZGdCUDk2Qk8xVGUvTmRiakhiVWViMEJVeWU2ZGVSZ1Z0UUV2NU5vNXNtQT0iCiAgICB9CiAgfQp9", - LogID: "samplelogID", - IntegratedTime: 12345, - }, - }, - cert: &x509.Certificate{ - EmailAddresses: []string{"spirex@example.com"}, - Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, - Value: []byte(`issuer1`), - }}, + signature: signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "02c15a8d1735c65bb8ca86c716615d3c0d8beb87dc68ed88bb49192f90b184e2"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjosLCB7CiAgICAic2lnbmF0dXJlIjogewogICAgICAiY29udGVudCI6ICJNRVVDSVFDeWVtOEdjcjBzUEZNUDdmVFhhekNONTdOY041K01qeEp3OU9vMHgyZU0rQUlnZGdCUDk2Qk8xVGUvTmRiakhiVWViMEJVeWU2ZGVSZ1Z0UUV2NU5vNXNtQT0iCiAgICB9CiAgfQp9", + LogID: "samplelogID", + IntegratedTime: 12345, }, }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, }, containerID: "000000", subjectAllowList: map[string][]string{ 
@@ -1520,29 +1371,23 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { wantedErr: fmt.Errorf("error getting signature content: failed to parse bundle body: invalid character ',' looking for beginning of value"), }, { - name: "selector from signature, empty signature array", - args: args{ - signature: nil, - }, + name: "selector from signature, empty signature array", + signature: nil, containerID: "000000", want: nil, wantedErr: errors.New("error getting signature subject: signature is nil"), }, { - name: "selector from signature, single image signature, no payload", - args: args{ - signature: noPayloadSignature{}, - }, + name: "selector from signature, single image signature, no payload", + signature: noPayloadSignature{}, containerID: "000000", want: nil, wantedErr: errors.New("error getting signature subject: no payload test"), }, { name: "selector from signature, single image signature, no certs", - args: args{ - signature: &noCertSignature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), - }, + signature: &noCertSignature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com","key2": "value 2","key3": "value 3"}}`), }, containerID: "000000", want: nil, 
@@ -1550,16 +1395,14 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { }, { name: "selector from signature, single image signature,garbled subject in signature", - args: args{ - signature: &signature{ - payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "s\\\\||as\0\0aasdasd/....???/.>wd12<><,,,><{}{pirex@example.com","key2": "value 2","key3": "value 3"}}`), - cert: &x509.Certificate{ - EmailAddresses: []string{"spirex@example.com"}, - Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, - Value: []byte(`issuer1`), - }}, - }, + signature: &signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "s\\\\||as\0\0aasdasd/....???/.>wd12<><,,,><{}{pirex@example.com","key2": "value 2","key3": "value 3"}}`), + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, }, }, containerID: "000000", @@ -1579,8 +1422,8 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { sigstore.AddAllowedSubject(issuer, subject) } } - got, err := sigstore.SelectorValuesFromSignature(tt.args.signature) - assert.Equal(t, got, tt.want) + got, err := sigstore.SelectorValuesFromSignature(tt.signature) + assert.Equal(t, tt.want, got) if tt.wantedErr != nil { require.EqualError(t, err, tt.wantedErr.Error()) return 
@@ -1797,27 +1640,17 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { } func TestSigstoreimpl_SetRekorURL(t *testing.T) { - type fields struct { - rekorURL url.URL - } - type args struct { - rekorURL string - } tests := []struct { - name string - fields fields - args args - want url.URL - wantedErr error + name string + rekorURL url.URL + rekorURLArg string + want url.URL + wantedErr error }{ { - name: "SetRekorURL", - fields: fields{ - rekorURL: url.URL{}, - }, - args: args{ - rekorURL: "https://rekor.com", - }, + name: "SetRekorURL", + rekorURL: url.URL{}, + rekorURLArg: "https://rekor.com", want: url.URL{ Scheme: "https", Host: "rekor.com", @@ -1825,15 +1658,11 @@ func TestSigstoreimpl_SetRekorURL(t *testing.T) { }, { name: "SetRekorURL with empty url", - fields: fields{ - rekorURL: url.URL{ - Scheme: "https", - Host: "non.empty.url", - }, - }, - args: args{ - rekorURL: "", + rekorURL: url.URL{ + Scheme: "https", + Host: "non.empty.url", }, + rekorURLArg: "", want: url.URL{ Scheme: "https", Host: "non.empty.url", 
@@ -1841,62 +1670,46 @@ func TestSigstoreimpl_SetRekorURL(t *testing.T) { wantedErr: fmt.Errorf("rekor URL is empty"), }, { - name: "SetRekorURL with invalid URL", - fields: fields{ - rekorURL: url.URL{}, - }, - args: args{ - rekorURL: "http://invalid.{{}))}.url.com", // invalid url - }, - want: url.URL{}, - wantedErr: fmt.Errorf("failed parsing rekor URI: parse %q: invalid character %q in host name", "http://invalid.{{}))}.url.com", "{"), + name: "SetRekorURL with invalid URL", + rekorURL: url.URL{}, + rekorURLArg: "http://invalid.{{}))}.url.com", // invalid url + want: url.URL{}, + wantedErr: fmt.Errorf("failed parsing rekor URI: parse %q: invalid character %q in host name", "http://invalid.{{}))}.url.com", "{"), }, { - name: "SetRekorURL with empty host url", - fields: fields{ - rekorURL: url.URL{}, - }, - args: args{ - rekorURL: "path-no-host", // URI parser uses this as path, not host - }, - want: url.URL{}, - wantedErr: fmt.Errorf("host is required on rekor URL"), + name: "SetRekorURL with empty host url", + rekorURL: url.URL{}, + rekorURLArg: "path-no-host", // URI parser uses this as path, not host + want: url.URL{}, + wantedErr: fmt.Errorf("host is required on rekor URL"), }, { - name: "SetRekorURL with invalid URL scheme", - fields: fields{ - rekorURL: url.URL{}, - }, - args: args{ - rekorURL: "abc://invalid.scheme.com", // invalid scheme - }, - want: url.URL{}, - wantedErr: fmt.Errorf("invalid rekor URL Scheme %q", "abc"), + name: "SetRekorURL with invalid URL scheme", + rekorURL: url.URL{}, + rekorURLArg: "abc://invalid.scheme.com", // invalid scheme + want: url.URL{}, + wantedErr: fmt.Errorf("invalid rekor URL Scheme %q", "abc"), }, { - name: "SetRekorURL with empty URL scheme", - fields: fields{ - rekorURL: url.URL{}, - }, - args: args{ - rekorURL: "//no.scheme.com/path", // empty scheme - }, - want: url.URL{}, - wantedErr: fmt.Errorf("invalid rekor URL Scheme \"\""), + name: "SetRekorURL with empty URL scheme", + rekorURL: url.URL{}, + rekorURLArg: 
"//no.scheme.com/path", // empty scheme + want: url.URL{}, + wantedErr: fmt.Errorf("invalid rekor URL Scheme \"\""), }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { sigstore := &sigstoreImpl{ - rekorURL: tt.fields.rekorURL, + rekorURL: tt.rekorURL, } - err := sigstore.SetRekorURL(tt.args.rekorURL) + err := sigstore.SetRekorURL(tt.rekorURLArg) if tt.wantedErr != nil { require.EqualError(t, err, tt.wantedErr.Error()) } else { require.NoError(t, err) } - require.Equal(t, sigstore.rekorURL, tt.want) + require.Equal(t, tt.want, sigstore.rekorURL) }) } } From 184419216fa80fb2022c53614811721c438f59dd Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Mon, 5 Dec 2022 12:56:06 -0300 Subject: [PATCH 192/257] fix: added missing arg to checkOptsFunction call (#197) Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes --- pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index b03758e9c9..b9351a22fd 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -151,7 +151,7 @@ func (s *sigstoreImpl) FetchImageSignatures(ctx context.Context, imageName strin return nil, fmt.Errorf("could not validate image reference digest: %w", err) } - co, err := s.functionHooks.checkOptsFunction(s.rekorURL) + co, err := s.functionHooks.checkOptsFunction(s.rekorURL, s.enforceSCT) if err != nil { return nil, fmt.Errorf("could not create cosign check options: %w", err) } From fae20d1fd23c67e9ac05349f047aca7e11bf4fd0 Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Mon, 5 Dec 2022 15:50:38 -0300 Subject: [PATCH 193/257] fix: updated loglines and tests (#198) Signed-off-by: Rodrigo Lopes 
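Review bot: The TestSigstoreimpl_SetRekorURL table has no case that pins whether a plain `http` Rekor URL is accepted or rejected. It covers a valid `https` URL, an unknown scheme (`abc`) and an empty scheme, and its only `http://` input fails earlier on host-name parsing. SetRekorURL itself is outside this diff, so I cannot tell which outcome is intended. A case such as `rekorURLArg: "http://rekor.example"` (host constructed for illustration) with the matching `want`/`wantedErr` would make the scheme policy for the transparency-log endpoint explicit.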
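Review bot: Nothing in this commit checks that `s.enforceSCT` actually reaches the cosign check options, since the change is limited to the call `s.functionHooks.checkOptsFunction(s.rekorURL, s.enforceSCT)` and the diffstat lists only sigstore.go. A test hook for `checkOptsFunction` that records its second argument and asserts it equals the configured value would catch a regression where SCT enforcement is dropped without any error. Such a test may already exist outside this diff. FetchImageSignatures starts and ends outside the hunk.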
Signed-off-by: Rodrigo Lopes --- .../workloadattestor/k8s/sigstore/sigstore.go | 14 +- .../k8s/sigstore/sigstore_test.go | 174 +++++++++++++++++- 2 files changed, 183 insertions(+), 5 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index b9351a22fd..3aa6367919 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -26,6 +26,7 @@ import ( sig "github.com/sigstore/cosign/pkg/signature" rekor "github.com/sigstore/rekor/pkg/generated/client" "github.com/sigstore/sigstore/pkg/signature/payload" + "github.com/spiffe/spire/pkg/common/telemetry" corev1 "k8s.io/api/core/v1" ) @@ -169,12 +170,16 @@ func (s *sigstoreImpl) FetchImageSignatures(ctx context.Context, imageName strin // ExtractSelectorsFromSignatures extracts selectors from a list of image signatures. // returns a list of selector strings. func (s *sigstoreImpl) ExtractSelectorsFromSignatures(signatures []oci.Signature, containerID string) []SelectorsFromSignatures { + if len(signatures) == 0 { + s.logger.Error("no signatures found for container", telemetry.ContainerID, containerID) + return nil + } var selectors []SelectorsFromSignatures for _, sig := range signatures { // verify which subject sigSelectors, err := s.SelectorValuesFromSignature(sig) if err != nil { - s.logger.Error("error extracting selectors from signature", "error", err) + s.logger.Error("error extracting selectors from signature", "error", err, telemetry.ContainerID, containerID) } if sigSelectors != nil { selectors = append(selectors, *sigSelectors) 
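Review bot: In the loop of ExtractSelectorsFromSignatures, a failed `SelectorValuesFromSignature` call is logged but execution still falls through to the `if sigSelectors != nil` check. Correctness therefore depends on that function always returning a nil pointer together with an error. Adding `continue` directly after the `s.logger.Error("error extracting selectors from signature", ...)` line makes the skip explicit, so a signature that failed extraction can never contribute selectors. The function's closing lines are outside the hunk.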
@@ -197,10 +202,10 @@ func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature) (*Se issuer, err := getSignatureProvider(signature) if err != nil { - return nil, fmt.Errorf("error getting signature issuer: %w", err) + return nil, fmt.Errorf("error getting signature provider: %w", err) } if issuer == "" { - return nil, fmt.Errorf("error getting signature issuer: %w", errors.New("empty issuer")) + return nil, fmt.Errorf("error getting signature provider: %w", errors.New("empty issuer")) } if issuerSubjects, ok := s.subjectAllowList[issuer]; !ok { @@ -365,6 +370,9 @@ func getSignatureSubject(signature oci.Signature) (string, error) { if err != nil { return "", err } + if pl == nil { + return "", errors.New("signature payload is nil") + } if err := json.Unmarshal(pl, &ss); err != nil { return "", err } diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 7892df00cb..2d80e605e5 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -4,6 +4,7 @@ package sigstore import ( + "bytes" "context" "crypto" "crypto/ecdsa" @@ -409,6 +410,7 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { containerID string subjectAllowList map[string]map[string]struct{} want []SelectorsFromSignatures + wantLog string }{ { name: "extract selector from single image signature array", @@ -510,6 +512,7 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { }, containerID: "222222", want: nil, + wantLog: "signature payload is nil", }, { name: "extract selector from image signature with subject certificate", 
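Review bot: The two messages in SelectorValuesFromSignature now say "signature provider", while the wrapped text is still `empty issuer`, the variable is still `issuer`, and the allow-list error asserted later in this commit's tests reads `signature issuer "issuer2" not in allow-list`. Operators searching logs for a rejected signature will meet two names for the same value; I would pick one term and use it in all three messages. The second return also wraps an error created on the spot with `%w`, which adds nothing a caller can match on; `return nil, errors.New("error getting signature provider: empty issuer")` yields the same text more directly. The function starts and ends outside this hunk.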
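Review bot: The new guard in getSignatureSubject tests `pl == nil`, so a payload that is non-nil but zero-length still reaches `json.Unmarshal` and is reported as a JSON syntax error rather than as a missing payload. Checking the length covers both cases with one message: `if len(pl) == 0 { return "", errors.New("signature payload is empty") }`. The `wantLog: "signature payload is nil"` expectation added in sigstore_test.go would need the same wording change. The function starts and ends outside this hunk.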
@@ -598,18 +601,20 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { signatures: []oci.Signature{}, containerID: "555555", want: nil, + wantLog: "no signatures found for container: container_id=555555", }, { name: "extract selector from nil array", signatures: nil, containerID: "666666", want: nil, + wantLog: "no signatures found for container: container_id=666666", }, { name: "invalid payload", signatures: []oci.Signature{ signature{ - payload: []byte(`{"critical": {}}`), + payload: []byte(`{a"critical": {}}`), bundle: &bundle.RekorBundle{ Payload: bundle.RekorPayload{ Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", 
@@ -621,16 +626,181 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { }, containerID: "777777", want: nil, + wantLog: "error getting signature subject: invalid character 'a' looking for beginning of object key string", + }, + { + name: "extract selector from single image signature array with error getting provider", + signatures: []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, + }, + }, + cert: nil, + }, + }, + containerID: "888888", + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": {"spirex@example.com": struct{}{}}, + }, + want: nil, + wantLog: "error extracting selectors from signature: error=\"error getting signature provider: no certificate found in signature\" container_id=888888", + }, + { + name: "extract selector from single image signature array with empty provider", + signatures: []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, + }, + }, + cert: 
&x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(``), + }}, + }, + }, + }, + containerID: "999999", + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": {"spirex@example.com": struct{}{}}, + }, + want: nil, + wantLog: "error extracting selectors from signature: error=\"error getting signature provider: empty issuer\" container_id=999999", + }, + { + name: "extract selector from single image signature array with no provider extension", + signatures: []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, + }, + }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, Extensions: []pkix.Extension{}, + }, + }, + }, + containerID: "101010", + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": {"spirex@example.com": struct{}{}}, + }, + want: nil, + wantLog: "error extracting selectors from signature: error=\"error getting signature provider: no OIDC issuer found in certificate extensions\" container_id=101010", + }, + { + name: "extract selector from single image signature array, error no log id", + signatures: []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com"}}`), + bundle: &bundle.RekorBundle{ + Payload: 
bundle.RekorPayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "", + IntegratedTime: 12345, + }, + }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, + }, + }, + containerID: "101101", + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": {"spirex@example.com": struct{}{}}, + }, + want: nil, + wantLog: "error extracting selectors from signature: error=\"error getting signature log ID: empty log ID\" container_id=101101", + }, + { + name: "extract selector from single image signature array, error no integrated time", + signatures: []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 0, + }, + }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer1`), + }}, + }, + }, + }, + containerID: "121212", + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": {"spirex@example.com": struct{}{}}, + }, + want: nil, + wantLog: "error extracting selectors from signature: error=\"error getting signature integrated time: integrated time is 0\" container_id=121212", + }, + { + name: "extract selector from single image signature 
array, issuer not in allowlist", + signatures: []oci.Signature{ + signature{ + payload: []byte(`{"critical": {"identity": {"docker-reference": "docker-registry.com/some/image"},"image": {"docker-manifest-digest": "some digest"},"type": "some type"},"optional": {"subject": "spirex@example.com"}}`), + bundle: &bundle.RekorBundle{ + Payload: bundle.RekorPayload{ + Body: "ewogICJzcGVjIjogewogICAgInNpZ25hdHVyZSI6IHsKICAgICAgImNvbnRlbnQiOiAiTUVVQ0lRQ3llbThHY3Iwc1BGTVA3ZlRYYXpDTjU3TmNONStNanhKdzlPbzB4MmVNK0FJZ2RnQlA5NkJPMVRlL05kYmpIYlVlYjBCVXllNmRlUmdWdFFFdjVObzVzbUE9IgogICAgfQogIH0KfQ==", + LogID: "samplelogID", + IntegratedTime: 12345, + }, + }, + cert: &x509.Certificate{ + EmailAddresses: []string{"spirex@example.com"}, + Extensions: []pkix.Extension{{ + Id: OIDCIssuerOID, + Value: []byte(`issuer2`), + }}, + }, + }, + }, + containerID: "131313", + subjectAllowList: map[string]map[string]struct{}{ + "issuer1": {"spirex@example.com": struct{}{}}, + }, + want: nil, + wantLog: "error extracting selectors from signature: error=\"signature issuer \\\"issuer2\\\" not in allow-list\" container_id=131313", }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { + buf := bytes.Buffer{} + newLog := hclog.New(&hclog.LoggerOptions{ + Output: &buf, + }) s := sigstoreImpl{ - logger: hclog.Default(), + logger: newLog, subjectAllowList: tt.subjectAllowList, } got := s.ExtractSelectorsFromSignatures(tt.signatures, tt.containerID) require.Equal(t, tt.want, got) + if len(tt.wantLog) > 0 { + require.Contains(t, buf.String(), tt.wantLog) + } }) } } From 2c938035f650adfe23322682bbdd09f64844586e Mon Sep 17 00:00:00 2001 
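Review bot: The log assertion at the end of the test loop runs only when `tt.wantLog` is non-empty, so every case that expects selectors passes even if ExtractSelectorsFromSignatures also logs an error for that input. Since these cases exercise the allow-list and provider checks, I would assert the quiet path as well by adding an else branch with `require.Empty(t, buf.String())`. The expectations also match on hclog's rendered text (`error="..." container_id=...`), which ties the test to the logger's output format; that seems acceptable here but deserves a short comment next to the `wantLog` field. The test function begins outside this hunk.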
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Dec 2022 11:39:40 -0800 Subject: [PATCH 194/257] Bump golang.org/x/sys from 0.2.0 to 0.3.0 (#3663) Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.2.0 to 0.3.0. - [Release notes](https://github.com/golang/sys/releases) - [Commits](https://github.com/golang/sys/compare/v0.2.0...v0.3.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index cfd6318687..2bd3736784 100644 --- a/go.mod +++ b/go.mod @@ -65,7 +65,7 @@ require ( golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa golang.org/x/net v0.0.0-20221014081412-f15817d10f9b golang.org/x/sync v0.1.0 - golang.org/x/sys v0.2.0 + golang.org/x/sys v0.3.0 golang.org/x/time v0.2.0 google.golang.org/api v0.103.0 google.golang.org/genproto v0.0.0-20221201164419-0e50fba7f41c diff --git a/go.sum b/go.sum index 8fce6fe1e4..44f0b9346b 100644 --- a/go.sum +++ b/go.sum 
@@ -1516,8 +1516,9 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ= +golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= From c10663c0b043c0feb30135fee4135736740fb1ce Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Dec 2022 12:18:43 -0800 Subject: [PATCH 195/257] Bump golang.org/x/time from 0.2.0 to 0.3.0 (#3665) Bumps [golang.org/x/time](https://github.com/golang/time) from 0.2.0 to 0.3.0. - [Release notes](https://github.com/golang/time/releases) - [Commits](https://github.com/golang/time/compare/v0.2.0...v0.3.0) --- updated-dependencies: - dependency-name: golang.org/x/time dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index 2bd3736784..45b6ff79bf 100644 --- a/go.mod +++ b/go.mod 
@@ -66,7 +66,7 @@ require ( golang.org/x/net v0.0.0-20221014081412-f15817d10f9b golang.org/x/sync v0.1.0 golang.org/x/sys v0.3.0 - golang.org/x/time v0.2.0 + golang.org/x/time v0.3.0 google.golang.org/api v0.103.0 google.golang.org/genproto v0.0.0-20221201164419-0e50fba7f41c google.golang.org/grpc v1.51.0 diff --git a/go.sum b/go.sum index 44f0b9346b..bd0893eefe 100644 --- a/go.sum +++ b/go.sum @@ -1541,8 +1541,9 @@ golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.2.0 h1:52I/1L54xyEQAYdtcSuxtiT84KGYTBGXwayxmIpNJhE= golang.org/x/time v0.2.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= +golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= From 836ca61b05c4d08db6708bd3b747d386282b2a9c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Dec 2022 13:05:03 -0800 Subject: [PATCH 196/257] Bump github.com/open-policy-agent/opa from 0.46.1 to 0.47.0 (#3664) Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.46.1 to 0.47.0. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-policy-agent/opa/compare/v0.46.1...v0.47.0) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index 45b6ff79bf..77ce131ead 100644 --- a/go.mod +++ b/go.mod @@ -52,7 +52,7 @@ require ( github.com/lib/pq v1.10.7 github.com/mattn/go-sqlite3 v1.14.16 github.com/mitchellh/cli v1.1.5 - github.com/open-policy-agent/opa v0.46.1 + github.com/open-policy-agent/opa v0.47.0 github.com/prometheus/client_golang v1.14.0 github.com/shirou/gopsutil/v3 v3.22.11 github.com/sirupsen/logrus v1.9.0 diff --git a/go.sum b/go.sum index bd0893eefe..92f2af10e2 100644 --- a/go.sum +++ b/go.sum 
@@ -427,7 +427,7 @@ github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqO github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= -github.com/bytecodealliance/wasmtime-go v1.0.0 h1:9u9gqaUiaJeN5IoD1L7egD8atOnTGyJcNp8BhkL9cUU= +github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA= github.com/cactus/go-statsd-client/statsd v0.0.0-20200423205355-cb0885a1018c/go.mod h1:l/bIBLeOl9eX+wxJAzxS4TveKRtAqlyDpHjhkfO0MEI= github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M= github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= @@ -482,7 +482,7 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/denisenkom/go-mssqldb v0.0.0-20191124224453-732737034ffd h1:83Wprp6ROGeiHFAP8WJdI2RoxALQYgdllERc3N5N2DM= github.com/denisenkom/go-mssqldb v0.0.0-20191124224453-732737034ffd/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= -github.com/dgraph-io/badger/v3 v3.2103.3 h1:s63J1pisDhKpzWslXFe+ChuthuZptpwTE6qEKoczPb4= +github.com/dgraph-io/badger/v3 v3.2103.4 h1:WE1B07YNTTJTtG9xjBcSW2wn0RJLyiV99h959RKZqM4= github.com/dgraph-io/ristretto v0.1.1 h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWajOK8= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= 
@@ -1006,8 +1006,8 @@ github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGV github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q= -github.com/open-policy-agent/opa v0.46.1 h1:iG998SLK0rzalex7Hyekeq17b9WtUexM0AuyHrQ7fCc= -github.com/open-policy-agent/opa v0.46.1/go.mod h1:DY9ZkCyz+DKoWI5gDuLw5rGC2RSb37QUeEf+9VjsWkI= +github.com/open-policy-agent/opa v0.47.0 h1:d6g0oDNLraIcWl9LXW8cBzRYf2zt7vSbPGEd2+8K3Lg= +github.com/open-policy-agent/opa v0.47.0/go.mod h1:cM7ngEoEdAIfyu9mOHaVcgLAHYkY6amrYfotm+BSkYQ= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 h1:rc3tiVYb5z54aKaDfakKn0dDjIyPpTtszkjuMzyt7ec= From 9b4794a3ee6d2b7d60528488d1fbf493eae19fe2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Dec 2022 13:59:21 -0800 Subject: [PATCH 197/257] Bump cloud.google.com/go/iam from 0.7.0 to 0.8.0 (#3666) Bumps [cloud.google.com/go/iam](https://github.com/googleapis/google-cloud-go) from 0.7.0 to 0.8.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/v0.7.0...v0.8.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/iam dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 77ce131ead..ff0af194eb 100644 --- a/go.mod +++ b/go.mod 
@@ -3,7 +3,7 @@ module github.com/spiffe/spire go 1.19 require ( - cloud.google.com/go/iam v0.7.0 + cloud.google.com/go/iam v0.8.0 cloud.google.com/go/kms v1.7.0 cloud.google.com/go/secretmanager v1.9.0 cloud.google.com/go/security v1.10.0 diff --git a/go.sum b/go.sum index 92f2af10e2..5392bb8543 100644 --- a/go.sum +++ b/go.sum @@ -151,8 +151,8 @@ cloud.google.com/go/gsuiteaddons v1.3.0/go.mod h1:EUNK/J1lZEZO8yPtykKxLXI6JSVN2r cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= cloud.google.com/go/iam v0.5.0/go.mod h1:wPU9Vt0P4UmCux7mqtRu6jcpPAb74cP1fh50J3QpkUc= cloud.google.com/go/iam v0.6.0/go.mod h1:+1AH33ueBne5MzYccyMHtEKqLE4/kJOibtffMHDMFMc= -cloud.google.com/go/iam v0.7.0 h1:k4MuwOsS7zGJJ+QfZ5vBK8SgHBAvYN/23BWsiihJ1vs= -cloud.google.com/go/iam v0.7.0/go.mod h1:H5Br8wRaDGNc8XP3keLc4unfUUZeyH3Sfl9XpQEYOeg= +cloud.google.com/go/iam v0.8.0 h1:E2osAkZzxI/+8pZcxVLcDtAQx/u+hZXVryUaYQ5O0Kk= +cloud.google.com/go/iam v0.8.0/go.mod h1:lga0/y3iH6CX7sYqypWJ33hf7kkfXJag67naqGESjkE= cloud.google.com/go/iap v1.4.0/go.mod h1:RGFwRJdihTINIe4wZ2iCP0zF/qu18ZwyKxrhMhygBEc= cloud.google.com/go/ids v1.1.0/go.mod h1:WIuwCaYVOzHIj2OhN9HAwvW+DBdmUAdcWlFxRl+KubM= cloud.google.com/go/iot v1.3.0/go.mod h1:r7RGh2B61+B8oz0AGE+J72AhA0G7tdXItODWsaA2oLs= From a8aad778f27750b9d75fc3702c124d2e5b9e7aed Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Dec 2022 14:41:12 -0800 Subject: [PATCH 198/257] Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.74.0 to 1.75.0 (#3667) Bumps [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) from 1.74.0 to 1.75.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.74.0...service/ec2/v1.75.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 12 ++++++------ go.sum | 19 ++++++++++++------- 2 files changed, 18 insertions(+), 13 deletions(-) diff --git a/go.mod b/go.mod index ff0af194eb..4ddae5f5a3 100644 --- a/go.mod +++ b/go.mod @@ -17,12 +17,12 @@ require ( github.com/Microsoft/go-winio v0.6.0 github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 github.com/armon/go-metrics v0.4.1 - github.com/aws/aws-sdk-go-v2 v1.17.1 + github.com/aws/aws-sdk-go-v2 v1.17.2 github.com/aws/aws-sdk-go-v2/config v1.18.2 github.com/aws/aws-sdk-go-v2/credentials v1.13.2 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19 github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 - github.com/aws/aws-sdk-go-v2/service/ec2 v1.74.0 + github.com/aws/aws-sdk-go-v2/service/ec2 v1.75.0 github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 github.com/aws/aws-sdk-go-v2/service/kms v1.19.0 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 
@@ -102,13 +102,13 @@ require ( github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect github.com/agnivade/levenshtein v1.1.1 // indirect github.com/armon/go-radix v1.0.0 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.3.26 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20 // indirect github.com/aws/aws-sdk-go-v2/service/sso v1.11.25 // indirect github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.8 // indirect - github.com/aws/smithy-go v1.13.4 // indirect + github.com/aws/smithy-go v1.13.5 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/bgentry/speakeasy v0.1.0 // indirect github.com/cespare/xxhash/v2 v2.1.2 // indirect diff --git a/go.sum b/go.sum index 5392bb8543..9fa9d64069 100644 --- a/go.sum +++ b/go.sum 
@@ -373,8 +373,9 @@ github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgI github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= github.com/aws/aws-sdk-go-v2 v1.16.13/go.mod h1:xSyvSnzh0KLs5H4HJGeIEsNYemUWdNIl0b/rP6SIsLU= github.com/aws/aws-sdk-go-v2 v1.16.15/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= -github.com/aws/aws-sdk-go-v2 v1.17.1 h1:02c72fDJr87N8RAC2s3Qu0YuvMRZKNZJ9F+lAehCazk= github.com/aws/aws-sdk-go-v2 v1.17.1/go.mod h1:JLnGeGONAyi2lWXI1p0PCIOIy333JMVK1U7Hf0aRFLw= +github.com/aws/aws-sdk-go-v2 v1.17.2 h1:r0yRZInwiPBNpQ4aDy/Ssh3ROWsGtKDwar2JS8Lm+N8= +github.com/aws/aws-sdk-go-v2 v1.17.2/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= github.com/aws/aws-sdk-go-v2/config v1.18.2 h1:tRhTb3xMZsB0gW0sXWpqs9FeIP8iQp5SvnvwiPXzHwo= github.com/aws/aws-sdk-go-v2/config v1.18.2/go.mod h1:9XVoZTdD8ICjrgI5ddb8j918q6lEZkFYpb7uohgvU6c= github.com/aws/aws-sdk-go-v2/credentials v1.13.2 h1:F/v1w0XcFDZjL0bCdi9XWJenoPKjGbzljBhDKcryzEQ= 
@@ -383,22 +384,25 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19 h1:E3PXZSI3F2bzyj6XxUXdTI github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19/go.mod h1:VihW95zQpeKQWVPGkwT+2+WJNQV8UXFfMTWdU6VErL8= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.20/go.mod h1:gdZ5gRUaxThXIZyZQ8MTtgYBk2jbHgp05BO3GcD9Cwc= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.22/go.mod h1:/vNv5Al0bpiF8YdX2Ov6Xy05VTiXsql94yUqJMYaj0w= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 h1:nBO/RFxeq/IS5G9Of+ZrgucRciie2qpLy++3UGZ+q2E= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25/go.mod h1:Zb29PYkf42vVYQY6pvSyJCJcFHlPIiY+YKdPtwnvMkY= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26 h1:5WU31cY7m0tG+AiaXuXGoMzo2GBQ1IixtWa8Yywsgco= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26/go.mod h1:2E0LdbJW6lbeU4uxjum99GZzI0ZjDpAb0CoSCM0oeEY= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.14/go.mod h1:GEV9jaDPIgayiU+uevxwozcvUOjc+P4aHE2BeSjm2vE= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.16/go.mod h1:62dsXI0BqTIGomDl8Hpm33dv0OntGaVblri3ZRParVQ= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 h1:oRHDrwCTVT8ZXi4sr9Ld+EXk7N/KGssOr2ygNeojEhw= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19/go.mod h1:6Q0546uHDp421okhmmGfbxzq2hBqbXFNpi4k+Q1JnQA= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20 h1:WW0qSzDWoiWU2FS5DbKpxGilFVlCEJPwx4YtjdfI0Jw= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20/go.mod h1:/+6lSiby8TBFpTVXZgKiN/rCfkYXEGvhlM4zCgPpt7w= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.26 h1:Mza+vlnZr+fPKFKRq/lKGVvM6B/8ZZmNdEopOwSQLms= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.26/go.mod h1:Y2OJ+P+MC1u1VKnavT+PshiEuGPyh/7DqxoDNij4/bg= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 h1:2f0kb+39miQPRp0b7Sqq06+TpxI0Nfcra41QxzJPME8= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0/go.mod h1:AVLIBQ9V7mcHd5uZT1+wUbBt4QaI/XcOens85Ib0W1o= 
-github.com/aws/aws-sdk-go-v2/service/ec2 v1.74.0 h1:5MCRd9q1yrGoRdYZDxK6y048VNmQ6gKLdCFr+TZsvTY= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.74.0/go.mod h1:zul71QqzR4D1a90/5FloZiAnZ1CtuIjVH7R9MP997+A= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.75.0 h1:F0v9HcF7/PSmgG7O7qnVOZLTRb2I2ajrIql+hFSkouU= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.75.0/go.mod h1:/sbgra0egm5fRRlq58Qp+Mrq4mCgWOc4Ug5K6xWCK6M= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 h1:m/WtVqEvgwDiUPIW2dtnF2hDE1O62MEflz9ClOlCXAs= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16/go.mod h1:w8wndcRxwILFQAzwkUKyEDz4LDHEBSR78KRdaNjUKQA= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19 h1:GE25AWCdNUPh9AOJzI9KIJnja7IwUc1WyUqz/JTyJ/I= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19/go.mod h1:02CP6iuYP+IVnBX5HULVdSAku/85eHB2Y9EsFhrkEwU= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20 h1:jlgyHbkZQAgAc7VIxJDmtouH8eNjOk2REVAQfVhdaiQ= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20/go.mod h1:Xs52xaLBqDEKRcAfX/hgjmD3YQ7c/W+BEyfamlO/W2E= github.com/aws/aws-sdk-go-v2/service/kms v1.19.0 h1:ycl4Z01HQyprcfOFMAVwWTNaUm29qHRPZyJunDZZVXg= github.com/aws/aws-sdk-go-v2/service/kms v1.19.0/go.mod h1:kZodDPTQjSH/qM6/OvyTfM5mms5JHB/EKYp5dhn/vI4= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 h1:Lh1yssM4dinNZuESsXnbi+pID8hoviejLZdLmT175i8= 
@@ -411,8 +415,9 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.17.4 h1:YNncBj5dVYd05i4ZQ+YicOotSXo0 github.com/aws/aws-sdk-go-v2/service/sts v1.17.4/go.mod h1:bXcN3koeVYiJcdDU89n3kCYILob7Y34AeLopUbZgLT4= github.com/aws/smithy-go v1.13.1/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= -github.com/aws/smithy-go v1.13.4 h1:/RN2z1txIJWeXeOkzX+Hk/4Uuvv7dWtCjbmVJcrskyk= github.com/aws/smithy-go v1.13.4/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8= +github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= From 04b44cd6558be9ae514bf53f8917e6bacbc42201 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Tue, 6 Dec 2022 10:56:57 -0300 Subject: [PATCH 199/257] Fix race in TestGenerateKey (#3645) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Fix race in TestGenerateKey Signed-off-by: Agustín Martínez Fayó --- pkg/server/plugin/keymanager/gcpkms/client_fake.go | 10 +++++----- pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go | 10 ++++++---- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/pkg/server/plugin/keymanager/gcpkms/client_fake.go b/pkg/server/plugin/keymanager/gcpkms/client_fake.go index a10fe611fe..d41613586c 100644 --- a/pkg/server/plugin/keymanager/gcpkms/client_fake.go +++ b/pkg/server/plugin/keymanager/gcpkms/client_fake.go 
@@ -161,14 +161,14 @@ func (fs *fakeStore) fetchFakeCryptoKeys() map[string]*fakeCryptoKey { return fakeCryptoKeys } -func (fs *fakeStore) fetchFakeCryptoKeyVersion(name string) (*fakeCryptoKeyVersion, error) { +func (fs *fakeStore) fetchFakeCryptoKeyVersion(name string) (fakeCryptoKeyVersion, error) { fs.mu.RLock() defer fs.mu.RUnlock() parent := path.Dir(path.Dir(name)) fakeCryptoKey, ok := fs.fakeCryptoKeys[parent] if !ok { - return nil, fmt.Errorf("could not get parent CryptoKey for %q CryptoKeyVersion", name) + return fakeCryptoKeyVersion{}, fmt.Errorf("could not get parent CryptoKey for %q CryptoKeyVersion", name) } version := path.Base(name) @@ -176,10 +176,10 @@ func (fs *fakeStore) fetchFakeCryptoKeyVersion(name string) (*fakeCryptoKeyVersi defer fakeCryptoKey.mu.RUnlock() fakeCryptokeyVersion, ok := fakeCryptoKey.fakeCryptoKeyVersions[version] if ok { - return fakeCryptokeyVersion, nil + return *fakeCryptokeyVersion, nil } - return nil, fmt.Errorf("could not find CryptoKeyVersion %q", version) + return fakeCryptoKeyVersion{}, fmt.Errorf("could not find CryptoKeyVersion %q", version) } func (fs *fakeStore) putFakeCryptoKey(fck *fakeCryptoKey) { @@ -516,7 +516,7 @@ func (k *fakeKMSClient) DestroyCryptoKeyVersion(ctx context.Context, req *kmspb. } fckv.CryptoKeyVersion = cryptoKeyVersion - fck.putFakeCryptoKeyVersion(fckv) + fck.putFakeCryptoKeyVersion(&fckv) return cryptoKeyVersion, nil } diff --git a/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go b/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go index 169dc5806f..72cf8980fb 100644 --- a/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go +++ b/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go 
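Review bot: fetchFakeCryptoKeyVersion now returns `*fakeCryptokeyVersion` by value, but the copy is shallow. The struct's `CryptoKeyVersion` field is a pointer (the test change in this commit builds it with `&kmspb.CryptoKeyVersion{...}`), so the returned value still shares the protobuf message with the store once the read locks are released. DestroyCryptoKeyVersion is safe because it replaces the pointer before calling `putFakeCryptoKeyVersion(&fckv)`, but a caller that mutates a field through the copy would reintroduce the race this commit fixes. I would document the contract on the function, for example `// fetchFakeCryptoKeyVersion returns a shallow copy; the embedded *kmspb.CryptoKeyVersion is shared with the store and must not be modified in place.` The function body is split across this hunk and the next one.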
@@ -998,11 +998,13 @@ func TestGenerateKey(t *testing.T) {
 if tt.testDisabled {
 // An external system changes the state of the CryptoKeyVersion to be disabled.
 fckv := &fakeCryptoKeyVersion{
- CryptoKeyVersion: tt.fakeCryptoKeys[0].fakeCryptoKeyVersions["1"].CryptoKeyVersion,
- privateKey: tt.fakeCryptoKeys[0].fakeCryptoKeyVersions["1"].privateKey,
- publicKey: tt.fakeCryptoKeys[0].fakeCryptoKeyVersions["1"].publicKey,
+ publicKey: pubKey,
+ CryptoKeyVersion: &kmspb.CryptoKeyVersion{
+ Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256,
+ Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1),
+ State: kmspb.CryptoKeyVersion_DISABLED,
+ },
 }
- fckv.State = kmspb.CryptoKeyVersion_DISABLED
 fck, ok := ts.fakeKMSClient.store.fetchFakeCryptoKey(tt.fakeCryptoKeys[0].Name)
 require.True(t, ok)
From cd9dad066db695d35f82750c9f4438ed31d6bd6d Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Wed, 7 Dec 2022 05:59:10 -0800 Subject: [PATCH 200/257] Bump versions (#3668) Signed-off-by: Ryan Turner
--- pkg/common/version/version.go | 2 +- test/integration/suites/upgrade/versions.txt | 1 + 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/common/version/version.go b/pkg/common/version/version.go
index e149da409a..dfc9dd50e2 100644
--- a/pkg/common/version/version.go
+++ b/pkg/common/version/version.go
@@ -8,7 +8,7 @@ const (
 // IMPORTANT: When updating, make sure to reconcile the versions list that
 // is part of the upgrade integration test. See
 // test/integration/suites/upgrade/README.md for details.
- Base = "1.5.2"
+ Base = "1.5.3"
 )
 var (
diff --git a/test/integration/suites/upgrade/versions.txt b/test/integration/suites/upgrade/versions.txt
index 480ab7f81b..c192880926 100644
--- a/test/integration/suites/upgrade/versions.txt
+++ b/test/integration/suites/upgrade/versions.txt
@@ -6,3 +6,4 @@
 1.4.5
 1.5.0
 1.5.1
+1.5.2
From 84aa2c1eb9724ab55cb7eb791628b18c57d3ffcd Mon Sep 17 00:00:00 2001
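Review bot: The replacement `fckv` in the TestGenerateKey hunk (@@ -998) no longer sets `privateKey` and hard-codes `Algorithm`, `Name` and version `1` instead of taking them from `tt.fakeCryptoKeys[0]`, so it can drift from the table entry it stands in for if that fixture changes. If leaving the private key out is intended for a disabled version, a comment would make that explicit: `// Built from constants rather than read from tt.fakeCryptoKeys to avoid the data race on the shared fixture; privateKey is deliberately unset.` Where `pubKey` and `cryptoKeyName1` are defined is outside this hunk, so whether they match the first fixture entry cannot be confirmed from here.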
From: Ryan Turner Date: Wed, 7 Dec 2022 07:12:40 -0800 Subject: [PATCH 201/257] Upgrade to Go 1.19.4 (#3669) Signed-off-by: Ryan Turner --- .github/workflows/pr_build.yaml | 2 +- .github/workflows/release_build.yaml | 2 +- .go-version | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pr_build.yaml b/.github/workflows/pr_build.yaml index c8dbe6d23a..5fb102c376 100644 --- a/.github/workflows/pr_build.yaml +++ b/.github/workflows/pr_build.yaml @@ -3,7 +3,7 @@ on: pull_request: {} workflow_dispatch: {} env: - GO_VERSION: 1.19.3 + GO_VERSION: 1.19.4 permissions: contents: read diff --git a/.github/workflows/release_build.yaml b/.github/workflows/release_build.yaml index 156120ffce..a6016e84e3 100644 --- a/.github/workflows/release_build.yaml +++ b/.github/workflows/release_build.yaml @@ -4,7 +4,7 @@ on: tags: - 'v[0-9].[0-9]+.[0-9]+' env: - GO_VERSION: 1.19.3 + GO_VERSION: 1.19.4 jobs: cache-deps: name: cache-deps (linux) diff --git a/.go-version b/.go-version index 1b92e588b7..843f863534 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.19.3 +1.19.4 From 8407f7182614f90c95f1a8bf3571b875ae55b531 Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Wed, 7 Dec 2022 08:22:03 -0800 Subject: [PATCH 202/257] Update CHANGELOG.md to include latest releases (#3670) Signed-off-by: Ryan Turner --- CHANGELOG.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 797e72a2ae..50c480b8cb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ # Changelog +## [1.5.2] - 2022-12-06 + +### Security + +- Updated to Go 1.19.4 to address CVE-2022-41717. + ## [1.5.1] - 2022-11-08 ### Fixed @@ -34,6 +40,12 @@ - NodeResolver plugin type and `azure_msi` builtin NodeResolver plugin (#3470) +## [1.4.6] - 2022-12-06 + +### Security + +- Updated to Go 1.19.4 to address CVE-2022-41717. + ## [1.4.5] - 2022-11-01 ### Security From d6989be327b5ed156f12534e299465154b91b19f Mon Sep 17 00:00:00 2001 
From: Rodrigo Lopes Date: Wed, 7 Dec 2022 16:26:47 +0000 Subject: [PATCH 203/257] fixing go.mod and go.sum Signed-off-by: Rodrigo Lopes --- go.mod | 76 +++++------ go.sum | 422 +++++++++++---------------------------------------------- 2 files changed, 119 insertions(+), 379 deletions(-) diff --git a/go.mod b/go.mod index 95473dbfc3..5c6b84ebfa 100644 --- a/go.mod +++ b/go.mod @@ -18,15 +18,15 @@ require ( github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 github.com/armon/go-metrics v0.4.1 github.com/aws/aws-sdk-go-v2 v1.17.2 - github.com/aws/aws-sdk-go-v2/config v1.18.2 - github.com/aws/aws-sdk-go-v2/credentials v1.13.2 + github.com/aws/aws-sdk-go-v2/config v1.18.3 + github.com/aws/aws-sdk-go-v2/credentials v1.13.3 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19 github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 github.com/aws/aws-sdk-go-v2/service/ec2 v1.75.0 github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 github.com/aws/aws-sdk-go-v2/service/kms v1.19.0 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 - github.com/aws/aws-sdk-go-v2/service/sts v1.17.4 + github.com/aws/aws-sdk-go-v2/service/sts v1.17.5 github.com/blang/semver/v4 v4.0.0 github.com/cenkalti/backoff/v3 v3.2.2 github.com/docker/docker v20.10.21+incompatible @@ -37,7 +37,7 @@ require ( github.com/golang/mock v1.6.0 github.com/golang/protobuf v1.5.2 github.com/google/go-cmp v0.5.9 - github.com/google/go-containerregistry v0.11.0 + github.com/google/go-containerregistry v0.12.1 github.com/google/go-tpm v0.3.3 github.com/google/go-tpm-tools v0.3.9 github.com/googleapis/gax-go/v2 v2.7.0 
@@ -56,9 +56,9 @@ require ( github.com/open-policy-agent/opa v0.47.0 github.com/prometheus/client_golang v1.14.0 github.com/shirou/gopsutil/v3 v3.22.11 - github.com/sigstore/cosign v1.12.1 - github.com/sigstore/rekor v0.12.1-0.20220915152154-4bb6f441c1b2 - github.com/sigstore/sigstore v1.4.2 + github.com/sigstore/cosign v1.13.1 + github.com/sigstore/rekor v1.0.1 + github.com/sigstore/sigstore v1.4.6 github.com/sirupsen/logrus v1.9.0 github.com/spiffe/go-spiffe/v2 v2.1.1 github.com/spiffe/spire-api-sdk v1.2.5-0.20221020001527-5895a0279944 @@ -66,8 +66,8 @@ require ( github.com/stretchr/testify v1.8.1 github.com/uber-go/tally/v4 v4.1.3 github.com/zeebo/errs v1.3.0 - golang.org/x/crypto v0.0.0-20220919173607-35f4265a4bc0 - golang.org/x/net v0.0.0-20221014081412-f15817d10f9b + golang.org/x/crypto v0.3.0 + golang.org/x/net v0.2.0 golang.org/x/sync v0.1.0 golang.org/x/sys v0.3.0 golang.org/x/time v0.3.0 @@ -91,13 +91,13 @@ require ( cloud.google.com/go/compute/metadata v0.2.1 // indirect cloud.google.com/go/longrunning v0.3.0 // indirect github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect - github.com/Azure/azure-sdk-for-go v66.0.0+incompatible // indirect + github.com/Azure/azure-sdk-for-go v67.1.0+incompatible // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest v0.11.28 // indirect - github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect + github.com/Azure/go-autorest/autorest/adal v0.9.21 // indirect github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect - github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect + github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect 
@@ -141,10 +141,10 @@ require ( github.com/cespare/xxhash/v2 v2.1.2 // indirect github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21 // indirect github.com/clbanning/mxj/v2 v2.5.6 // indirect - github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe // indirect - github.com/cncf/xds/go v0.0.0-20220520190051-1e77728a1eaa // indirect + github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4 // indirect + github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490 // indirect github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect - github.com/containerd/stargz-snapshotter/estargz v0.12.0 // indirect + github.com/containerd/stargz-snapshotter/estargz v0.12.1 // indirect github.com/coreos/go-oidc/v3 v3.4.0 // indirect github.com/coreos/go-semver v0.3.0 // indirect github.com/coreos/go-systemd/v22 v22.5.0 // indirect 
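Review bot: Two indirect requirements in this hunk move to older pseudo-versions, `github.com/cncf/udpa/go` from `20220112060539` to `20210930031921` and `github.com/cncf/xds/go` from `20220520190051` to `20211130200136`, in a commit described only as fixing go.mod and go.sum. The same backward movement shows in later hunks of this file for `envoyproxy/protoc-gen-validate` (v0.6.7 to v0.6.2), `tmc/grpc-websocket-proxy`, `urfave/cli` (v1.22.9 to v1.22.7) and `k8s.io/component-base` (v0.25.2 to v0.25.0). This may simply be what `go mod tidy` selects after the sigstore upgrades in the same commit, but it is worth confirming that none of the older versions brings back an already-fixed advisory, for example by running `govulncheck ./...`, and recording the reason for the downgrades in the commit message.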
@@ -152,18 +152,18 @@ require ( github.com/cyberphone/json-canonicalization v0.0.0-20210823021906-dc406ceaf94b // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/dimchansky/utfbom v1.1.1 // indirect - github.com/docker/cli v20.10.17+incompatible // indirect + github.com/docker/cli v20.10.20+incompatible // indirect github.com/docker/distribution v2.8.1+incompatible // indirect - github.com/docker/docker-credential-helpers v0.6.4 // indirect + github.com/docker/docker-credential-helpers v0.7.0 // indirect github.com/docker/go-connections v0.4.0 // indirect - github.com/docker/go-units v0.4.0 // indirect + github.com/docker/go-units v0.5.0 // indirect github.com/dustin/go-humanize v1.0.0 // indirect github.com/emicklei/go-restful/v3 v3.8.0 // indirect - github.com/envoyproxy/protoc-gen-validate v0.6.7 // indirect + github.com/envoyproxy/protoc-gen-validate v0.6.2 // indirect github.com/evanphx/json-patch v4.12.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.6.0 // indirect github.com/fatih/color v1.13.0 // indirect - github.com/felixge/httpsnoop v1.0.2 // indirect + github.com/felixge/httpsnoop v1.0.3 // indirect github.com/fsnotify/fsnotify v1.6.0 // indirect github.com/fullstorydev/grpcurl v1.8.7 // indirect github.com/ghodss/yaml v1.0.0 // indirect 
@@ -176,14 +176,14 @@ require ( github.com/go-openapi/jsonpointer v0.19.5 // indirect github.com/go-openapi/jsonreference v0.20.0 // indirect github.com/go-openapi/loads v0.21.2 // indirect - github.com/go-openapi/runtime v0.24.1 // indirect + github.com/go-openapi/runtime v0.24.2 // indirect github.com/go-openapi/spec v0.20.7 // indirect github.com/go-openapi/strfmt v0.21.3 // indirect github.com/go-openapi/swag v0.22.3 // indirect github.com/go-openapi/validate v0.22.0 // indirect github.com/go-playground/locales v0.14.0 // indirect github.com/go-playground/universal-translator v0.18.0 // indirect - github.com/go-playground/validator/v10 v10.11.0 // indirect + github.com/go-playground/validator/v10 v10.11.1 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt v3.2.2+incompatible // indirect @@ -204,7 +204,7 @@ require ( github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.2 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-immutable-radix v1.3.1 // indirect 
@@ -218,26 +218,26 @@ require ( github.com/hashicorp/go-uuid v1.0.3 // indirect github.com/hashicorp/go-version v1.6.0 // indirect github.com/hashicorp/golang-lru v0.5.4 // indirect - github.com/hashicorp/yamux v0.1.0 // indirect + github.com/hashicorp/yamux v0.1.1 // indirect github.com/huandu/xstrings v1.3.2 // indirect github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add // indirect github.com/inconshreveable/mousetrap v1.0.1 // indirect github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect - github.com/jhump/protoreflect v1.12.0 // indirect + github.com/jhump/protoreflect v1.14.0 // indirect github.com/jinzhu/inflection v1.0.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/jonboulle/clockwork v0.3.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/klauspost/compress v1.15.8 // indirect + github.com/klauspost/compress v1.15.11 // indirect github.com/kylelemons/godebug v1.1.0 // indirect github.com/leodido/go-urn v1.2.1 // indirect - github.com/letsencrypt/boulder v0.0.0-20220723181115-27de4befb95e // indirect + github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf // indirect github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect github.com/magiconair/properties v1.8.6 // indirect github.com/mailru/easyjson v0.7.7 // indirect - github.com/mattn/go-colorable v0.1.12 // indirect - github.com/mattn/go-isatty v0.0.14 // indirect + github.com/mattn/go-colorable v0.1.13 // indirect + github.com/mattn/go-isatty v0.0.16 // indirect github.com/mattn/go-runewidth v0.0.13 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect github.com/miekg/pkcs11 v1.1.1 // indirect 
@@ -254,7 +254,7 @@ require ( github.com/oklog/ulid v1.3.1 // indirect github.com/olekukonko/tablewriter v0.0.5 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect + github.com/opencontainers/image-spec v1.1.0-rc2 // indirect github.com/opentracing/opentracing-go v1.2.0 // indirect github.com/pelletier/go-toml v1.9.5 // indirect github.com/pelletier/go-toml/v2 v2.0.5 // indirect @@ -276,7 +276,7 @@ require ( github.com/segmentio/ksuid v1.0.4 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect github.com/shopspring/decimal v1.2.0 // indirect - github.com/sigstore/fulcio v0.5.3 // indirect + github.com/sigstore/fulcio v0.6.0 // indirect github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect github.com/soheilhy/cmux v0.1.5 // indirect github.com/spf13/afero v1.8.2 // indirect 
@@ -290,15 +290,15 @@ require ( github.com/tchap/go-patricia/v2 v2.3.1 // indirect github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect github.com/thales-e-security/pool v0.0.2 // indirect - github.com/theupdateframework/go-tuf v0.5.1-0.20220920170306-f237d7ca5b42 // indirect + github.com/theupdateframework/go-tuf v0.5.2-0.20220930112810-3890c1e7ace4 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/tjfoc/gmsm v1.3.2 // indirect github.com/tklauser/go-sysconf v0.3.11 // indirect github.com/tklauser/numcpus v0.6.0 // indirect - github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 // indirect + github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect github.com/transparency-dev/merkle v0.0.1 // indirect github.com/twmb/murmur3 v1.1.6 // indirect - github.com/urfave/cli v1.22.9 // indirect + github.com/urfave/cli v1.22.7 // indirect github.com/vbatts/tar-split v0.11.2 // indirect github.com/xanzy/go-gitlab v0.73.1 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect @@ -332,9 +332,9 @@ require ( go.uber.org/multierr v1.8.0 // indirect go.uber.org/zap v1.23.0 // indirect golang.org/x/exp v0.0.0-20220823124025-807a23277127 // indirect - golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect - golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 // indirect - golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 // indirect + golang.org/x/mod v0.6.0 // indirect + golang.org/x/oauth2 v0.2.0 // indirect + golang.org/x/term v0.2.0 // indirect golang.org/x/text v0.4.0 // indirect golang.org/x/tools v0.1.12 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect 
@@ -347,7 +347,7 @@ require ( gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/apiextensions-apiserver v0.25.0 // indirect - k8s.io/component-base v0.25.2 // indirect + k8s.io/component-base v0.25.0 // indirect k8s.io/klog/v2 v2.70.1 // indirect k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect diff --git a/go.sum b/go.sum index 171c582fd3..7b5c7857e5 100644 --- a/go.sum +++ b/go.sum @@ -1,4 +1,3 @@ -4d63.com/gochecknoglobals v0.1.0/go.mod h1:wfdC5ZjKSPr7CybKEcgJhUOgeAQW1+7WcyK8OvUilfo= bazil.org/fuse v0.0.0-20180421153158-65cc252bf669/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8= bitbucket.org/creachadair/shell v0.0.6/go.mod h1:8Qqi/cYk7vPnsOePHroKXDJYmb5x7ENhtiFtfZq8K+M= bitbucket.org/creachadair/shell v0.0.7 h1:Z96pB6DkSb7F3Y3BBnJeOZH2gazyMTWlvecSD4vDqfk= @@ -18,7 +17,6 @@ cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6 cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= -cloud.google.com/go v0.60.0/go.mod h1:yw2G51M9IfRboUH61Us8GqCeF1PzPblB823Mn2q2eAU= cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= 
@@ -146,7 +144,6 @@ cloud.google.com/go/essentialcontacts v1.3.0/go.mod h1:r+OnHa5jfj90qIfZDO/VztSFq cloud.google.com/go/eventarc v1.7.0/go.mod h1:6ctpF3zTnaQCxUjHUdcfgcA1A2T309+omHZth7gDfmc= cloud.google.com/go/filestore v1.3.0/go.mod h1:+qbvHGvXU1HaKX2nD0WEPo92TP/8AQuCVEBXNY9z0+w= cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= -cloud.google.com/go/firestore v1.6.0/go.mod h1:afJwI0vaXwAG54kI7A//lP/lSPDkQORQuMkv56TxEPU= cloud.google.com/go/functions v1.6.0/go.mod h1:3H1UA3qiIPRWD7PeZKLvHZ9SaQhR26XIJcC0A5GbvAk= cloud.google.com/go/functions v1.7.0/go.mod h1:+d+QBcWM+RsrgZfV9xo6KfA1GlzJfxcfZcRPEhDDfzg= cloud.google.com/go/functions v1.8.0/go.mod h1:RTZ4/HsQjIqIYP9a9YPbU+QFoQsAlYgrwOXJWHn1POY= @@ -219,7 +216,6 @@ cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2k cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= -cloud.google.com/go/pubsub v1.5.0/go.mod h1:ZEwJccE3z93Z2HWvstpri00jOg7oO4UZDtKhwDwqF0w= cloud.google.com/go/pubsub v1.11.0-beta.schemas/go.mod h1:llNLsvx+RnsZJoY481TzC1XcdB2hWdR6gSWM5O4vgfs= cloud.google.com/go/recaptchaenterprise v1.3.1/go.mod h1:OdD+q+y4XGeAlxRaMn1Y7/GveP6zmq76byL6tjPE7d4= cloud.google.com/go/recaptchaenterprise/v2 v2.1.0/go.mod h1:w9yVqajwroDNTfGuhmOjPDN//rZGySaf6PtFVcSCa7o= 
@@ -263,7 +259,6 @@ cloud.google.com/go/servicedirectory v1.6.0/go.mod h1:pUlbnWsLH9c13yGkxCmfumWEPj cloud.google.com/go/servicemanagement v1.4.0/go.mod h1:d8t8MDbezI7Z2R1O/wu8oTggo3BI2GKYbdG4y/SJTco= cloud.google.com/go/serviceusage v1.3.0/go.mod h1:Hya1cozXM4SeSKTAgGXgj97GlqUvF5JaoXacR1JTP/E= cloud.google.com/go/shell v1.3.0/go.mod h1:VZ9HmRjZBsjLGXusm7K5Q5lzzByZmJHf1d0IWHEN5X4= -cloud.google.com/go/spanner v1.7.0/go.mod h1:sd3K2gZ9Fd0vMPLXzeCrF6fq4i63Q7aTLW/lBIfBkIk= cloud.google.com/go/spanner v1.17.0/go.mod h1:+17t2ixFwRG4lWRwE+5kipDR9Ef07Jkmc8z0IbMDKUs= cloud.google.com/go/spanner v1.18.0/go.mod h1:LvAjUXPeJRGNuGpikMULjhLj/t9cRvdc+fxRoLiugXA= cloud.google.com/go/spanner v1.31.0/go.mod h1:ztDJVUZgEA2xc7HjSNQG+d+2L0bOSsw876/5Hnr78U8= @@ -312,7 +307,6 @@ code.gitea.io/sdk/gitea v0.11.3/go.mod h1:z3uwDV/b9Ls47NGukYM9XhnHtqPh/J+t40lsUr contrib.go.opencensus.io/exporter/aws v0.0.0-20181029163544-2befc13012d0/go.mod h1:uu1P0UCM/6RbsMrgPa98ll8ZcHM858i/AD06a9aLRCA= contrib.go.opencensus.io/exporter/ocagent v0.5.0/go.mod h1:ImxhfLRpxoYiSq891pBrLVhN+qmP8BTVvdH2YLs7Gl0= contrib.go.opencensus.io/exporter/stackdriver v0.12.1/go.mod h1:iwB6wGarfphGGe/e5CWqyUk/cLzKnWsOKPVW3no6OTw= -contrib.go.opencensus.io/exporter/stackdriver v0.13.4/go.mod h1:aXENhDJ1Y4lIg4EUaVTwzvYETVNZk10Pu26tevFKLUc= contrib.go.opencensus.io/exporter/stackdriver v0.13.5/go.mod h1:aXENhDJ1Y4lIg4EUaVTwzvYETVNZk10Pu26tevFKLUc= contrib.go.opencensus.io/exporter/stackdriver v0.13.12/go.mod h1:mmxnWlrvrFdpiOHOhxBaVi1rkc0WOqhgfknj4Yg0SeQ= contrib.go.opencensus.io/integrations/ocsql v0.1.4/go.mod h1:8DsSdjz3F+APR+0z0WkU1aRorQCFfRxvqjUUPMbF3fE= 
@@ -320,15 +314,13 @@ contrib.go.opencensus.io/resource v0.1.1/go.mod h1:F361eGI91LCmW1I/Saf+rX0+OFcig dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 h1:8+4G8JaejP8Xa6W46PzJEwisNgBXMvFcz78N6zG/ARw= github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0/go.mod h1:GgeIE+1be8Ivm7Sh4RgwI42aTtC9qrcj+Y9Y6CjJhJs= -github.com/Antonboom/errname v0.1.5/go.mod h1:DugbBstvPFQbv/5uLcRRzfrNqKE9tVdVCqWCLp6Cifo= -github.com/Antonboom/nilnil v0.1.0/go.mod h1:PhHLvRPSghY5Y7mX4TW+BHZQYo1A8flE5H20D3IPZBo= github.com/Azure/azure-amqp-common-go/v2 v2.1.0/go.mod h1:R8rea+gJRuJR6QxTir/XuEd+YuKoUiazDC/N96FiDEU= github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiUVpqIlpz/HKHylF4= github.com/Azure/azure-sdk-for-go v29.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v30.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v46.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v66.0.0+incompatible h1:bmmC38SlE8/E81nNADlgmVGurPWMHDX2YNXVQMrBpEE= -github.com/Azure/azure-sdk-for-go v66.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v67.1.0+incompatible h1:oziYcaopbnIKfM69DL05wXdypiqfrUKdxUKrKpynJTw= +github.com/Azure/azure-sdk-for-go v67.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.0.0/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0 h1:sVW/AFBTGyJxDaMYlq0ct3jUXTtj12tQ6zE2GZUgVQw= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U= 
@@ -361,14 +353,15 @@ github.com/Azure/go-autorest/autorest v0.11.28/go.mod h1:MrkzG3Y3AH668QyF9KRk5ne github.com/Azure/go-autorest/autorest/adal v0.9.4/go.mod h1:/3SMAM86bP6wC9Ev35peQDUeqFZBMH07vvUOmg4z/fE= github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= -github.com/Azure/go-autorest/autorest/adal v0.9.20 h1:gJ3E98kMpFB1MFqQCvA1yFab8vthOeD4VlFRQULxahg= -github.com/Azure/go-autorest/autorest/adal v0.9.20/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= +github.com/Azure/go-autorest/autorest/adal v0.9.21 h1:jjQnVFXPfekaqb8vIsv2G1lxshoW+oGv4MDlhRtnYZk= +github.com/Azure/go-autorest/autorest/adal v0.9.21/go.mod h1:zua7mBUaCc5YnSLKYgGJR/w5ePdMDA6H56upLsHzA9U= github.com/Azure/go-autorest/autorest/azure/auth v0.5.2/go.mod h1:q98IH4qgc3eWM4/WOeR5+YPmBuy8Lq0jNRDwSM0CuFk= github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 h1:P6bYXFoao05z5uhOQzbC3Qd8JqF3jUoocoTeIxkp2cA= github.com/Azure/go-autorest/autorest/azure/auth v0.5.11/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg= github.com/Azure/go-autorest/autorest/azure/cli v0.4.1/go.mod h1:JfDgiIO1/RPu6z42AdQTyjOoCM2MFhLqSBDvMEkDgcg= -github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 h1:0W/yGmFdTIT77fvdlGZ0LMISoLHFJ7Tx4U0yeB+uFs4= github.com/Azure/go-autorest/autorest/azure/cli v0.4.5/go.mod h1:ADQAXrkgm7acgWVUNamOgh8YNrv4p27l3Wc55oVfpzg= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 h1:w77/uPk80ZET2F+AfQExZyEWtn+0Rk/uw17m9fv5Ajc= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.6/go.mod h1:piCfgPho7BiIDdEQ1+g4VmKyD5y+p/XtSNqE6Hc4QD0= github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod 
h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= @@ -384,13 +377,11 @@ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBp github.com/AzureAD/microsoft-authentication-library-for-go v0.4.0/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4= github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0 h1:VgSJlZH5u0k2qxSpqyghcFQKmvYckj46uymKK5XzkBM= github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0/go.mod h1:BDJ5qMFKx9DugEg3+uQSDCdbYPr5s9vBTrL9P8TpqOU= +github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/BurntSushi/toml v0.4.1 h1:GaI7EiDXDRfa8VshkTj7Fym7ha+y8/XxIgD2okUIjLw= -github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DataDog/datadog-go v3.2.0+incompatible h1:qSG2N4FghB1He/r2mFrWKCaL7dXCilEuNEeAn20fdD4= github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= -github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs= github.com/GoogleCloudPlatform/cloudsql-proxy v0.0.0-20191009163259-e802c2cb94ae/go.mod h1:mjwGPas4yKduTyubHvD1Atl9r1rUq8DfVy+gkVvZ+oo= github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.1 h1:h1qByrLm6Q80nfvIGE5FHdJbvGloDOagO6o0N6QGPkk= github.com/GoogleCloudPlatform/cloudsql-proxy v1.33.1/go.mod h1:n3KDPrdaY2p9Nr0B1allAdjYArwIpXQcitNbsS/Qiok= 
@@ -416,13 +407,11 @@ github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMo github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= -github.com/OpenPeeDeeP/depguard v1.0.1/go.mod h1:xsIw86fROiiwelg+jB2uM9PiKihMMmUx/1V+TNhjQvM= github.com/PuerkitoBio/goquery v1.5.1/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBKeU+7zCJoLcc= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo= github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI= -github.com/StackExchange/wmi v1.2.1/go.mod h1:rcmrprowKIVzvc+NUiLncP2uuArMWLCbu9SBzvHz7e8= github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY+9ef8E= github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE= github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/4+TcAqDqk/vUH7g= 
@@ -436,7 +425,6 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= -github.com/alexkohler/prealloc v1.0.0/go.mod h1:VetnK3dIgFBBKmg0YnD9F9x6Icjd+9cvfHR56wJVlKE= github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.2/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc= github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 h1:iC9YFYKDGEy3n/FtqJnOkZsene9olVspKmkX5A2YBEo= github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc= 
@@ -477,11 +465,8 @@ github.com/aliyun/credentials-go v1.2.3 h1:Vmodnr52Rz1mcbwn0kzMhLRKb6soizewuKXdf github.com/aliyun/credentials-go v1.2.3/go.mod h1:/KowD1cfGSLrLsH28Jr8W+xwoId0ywIy5lNzDz6O1vw= github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 h1:MzBOUgng9orim59UnfUTLRjMpd09C5uEVQ6RPGeCaVI= github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129/go.mod h1:rFgpPQZYZ8vdbc+48xibu8ALc3yeyd64IhHS+PU6Yyg= -github.com/andybalholm/brotli v1.0.2/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y= -github.com/andybalholm/brotli v1.0.3/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= github.com/andybalholm/cascadia v1.1.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= -github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/aokoli/goutils v1.0.1/go.mod h1:SijmP0QR8LtwsmDs8Yii5Z/S4trXFGFC2oO5g9DP+DQ= github.com/apache/beam v2.28.0+incompatible/go.mod h1:/8NX3Qi8vGstDLLaeaU7+lzVEu/ACaQhYjeefzQ0y1o= 
@@ -508,8 +493,6 @@ github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:l github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d h1:Byv0BzEl3/e6D5CLfI0j/7hiIEtvGVFPCZ7Ei2oq8iQ= github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/ashanbrown/forbidigo v1.2.0/go.mod h1:vVW7PEdqEFqapJe95xHkTfB1+XvZXBFg8t0sG2FIxmI= -github.com/ashanbrown/makezero v0.0.0-20210520155254-b6261585ddde/go.mod h1:oG9Dnez7/ESBqc4EdrdNlryeo7d0KcW1ftXHm7nU/UU= github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= github.com/aws/aws-sdk-go v1.15.27/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0= github.com/aws/aws-sdk-go v1.19.18/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= @@ -517,9 +500,7 @@ github.com/aws/aws-sdk-go v1.19.45/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpi github.com/aws/aws-sdk-go v1.20.6/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.23.20/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.25.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= -github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= -github.com/aws/aws-sdk-go v1.36.30/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= github.com/aws/aws-sdk-go-v2 v1.7.1/go.mod h1:L5LuPC1ZgDr2xQS7AmIec/Jlc7O/Y1u2KxJyNVab250= 
@@ -530,11 +511,11 @@ github.com/aws/aws-sdk-go-v2 v1.17.1/go.mod h1:JLnGeGONAyi2lWXI1p0PCIOIy333JMVK1 github.com/aws/aws-sdk-go-v2 v1.17.2 h1:r0yRZInwiPBNpQ4aDy/Ssh3ROWsGtKDwar2JS8Lm+N8= github.com/aws/aws-sdk-go-v2 v1.17.2/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= github.com/aws/aws-sdk-go-v2/config v1.5.0/go.mod h1:RWlPOAW3E3tbtNAqTwvSW54Of/yP3oiZXMI0xfUdjyA= -github.com/aws/aws-sdk-go-v2/config v1.18.2 h1:tRhTb3xMZsB0gW0sXWpqs9FeIP8iQp5SvnvwiPXzHwo= -github.com/aws/aws-sdk-go-v2/config v1.18.2/go.mod h1:9XVoZTdD8ICjrgI5ddb8j918q6lEZkFYpb7uohgvU6c= +github.com/aws/aws-sdk-go-v2/config v1.18.3 h1:3kfBKcX3votFX84dm00U8RGA1sCCh3eRMOGzg5dCWfU= +github.com/aws/aws-sdk-go-v2/config v1.18.3/go.mod h1:BYdrbeCse3ZnOD5+2/VE/nATOK8fEUpBtmPMdKSyhMU= github.com/aws/aws-sdk-go-v2/credentials v1.3.1/go.mod h1:r0n73xwsIVagq8RsxmZbGSRQFj9As3je72C2WzUIToc= -github.com/aws/aws-sdk-go-v2/credentials v1.13.2 h1:F/v1w0XcFDZjL0bCdi9XWJenoPKjGbzljBhDKcryzEQ= -github.com/aws/aws-sdk-go-v2/credentials v1.13.2/go.mod h1:eAT5aj/WJ2UDIA0IVNFc2byQLeD89SDEi4cjzH/MKoQ= +github.com/aws/aws-sdk-go-v2/credentials v1.13.3 h1:ur+FHdp4NbVIv/49bUjBW+FE7e57HOo03ELodttmagk= +github.com/aws/aws-sdk-go-v2/credentials v1.13.3/go.mod h1:/rOMmqYBcFfNbRPU0iN9IgGqD5+V2yp3iWNmIlz0wI4= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.3.0/go.mod h1:2LAuqPx1I6jNfaGDucWfA2zqQCYCOMCDHiCOciALyNw= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19 h1:E3PXZSI3F2bzyj6XxUXdTIfvp425HHhwKsFvmzBwHgs= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19/go.mod h1:VihW95zQpeKQWVPGkwT+2+WJNQV8UXFfMTWdU6VErL8= 
@@ -579,8 +560,8 @@ github.com/aws/aws-sdk-go-v2/service/sso v1.11.25/go.mod h1:IARHuzTXmj1C0KS35vbo github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.8 h1:jcw6kKZrtNfBPJkaHrscDOZoe5gvi9wjudnxvozYFJo= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.8/go.mod h1:er2JHN+kBY6FcMfcBBKNGCT3CarImmdFzishsqBmSRI= github.com/aws/aws-sdk-go-v2/service/sts v1.6.0/go.mod h1:q7o0j7d7HrJk/vr9uUt3BVRASvcU7gYZB9PUgPiByXg= -github.com/aws/aws-sdk-go-v2/service/sts v1.17.4 h1:YNncBj5dVYd05i4ZQ+YicOotSXo0ufc9P8kTioi13EM= -github.com/aws/aws-sdk-go-v2/service/sts v1.17.4/go.mod h1:bXcN3koeVYiJcdDU89n3kCYILob7Y34AeLopUbZgLT4= +github.com/aws/aws-sdk-go-v2/service/sts v1.17.5 h1:60SJ4lhvn///8ygCzYy2l53bFW/Q15bVfyjyAWo6zuw= +github.com/aws/aws-sdk-go-v2/service/sts v1.17.5/go.mod h1:bXcN3koeVYiJcdDU89n3kCYILob7Y34AeLopUbZgLT4= github.com/aws/smithy-go v1.6.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E= github.com/aws/smithy-go v1.11.0/go.mod h1:3xHYmszWVx2c0kIwQeEVf9uSm4fYZt67FBJnwub1bgM= github.com/aws/smithy-go v1.13.1/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= 
@@ -603,17 +584,12 @@ github.com/bgentry/speakeasy v0.1.0 h1:ByYyxL9InA1OWqxJqqp2A5pYHUrCiAL6K3J+LKSsQ github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84= github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM= -github.com/bkielbasa/cyclop v1.2.0/go.mod h1:qOI0yy6A7dYC4Zgsa72Ppm9kONl0RoIlPbzot9mhmeI= github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI= github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= -github.com/blizzy78/varnamelen v0.3.0/go.mod h1:hbwRdBvoBqxk34XyQ6HA0UH3G0/1TKuv5AC4eaBT0Ec= -github.com/bombsimon/wsl/v3 v3.3.0/go.mod h1:st10JtZYLE4D5sC7b8xV4zTKZwAQjCH/Hy2Pm1FNZIc= github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA= -github.com/breml/bidichk v0.1.1/go.mod h1:zbfeitpevDUGI7V91Uzzuwrn4Vls8MoBMrwtt78jmso= -github.com/butuzov/ireturn v0.1.1/go.mod h1:Wh6Zl3IMtTpaIKbmwzqi6olnM9ptYQxxVacMsOEFPoc= github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA= github.com/caarlos0/ctrlc v1.0.0/go.mod h1:CdXpj4rmq0q/1Eb44M9zi2nKB0QraNKuRGYGrrHhcQw= github.com/cactus/go-statsd-client/statsd v0.0.0-20200423205355-cb0885a1018c/go.mod h1:l/bIBLeOl9eX+wxJAzxS4TveKRtAqlyDpHjhkfO0MEI= 
@@ -637,8 +613,6 @@ github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghf github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE= github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/charithe/durationcheck v0.0.9/go.mod h1:SSbRIBVfMjCi/kEB6K65XEA83D6prSM8ap1UCpNKtgg= -github.com/chavacava/garif v0.0.0-20210405164556-e8a0a408d6af/go.mod h1:Qjyv4H3//PWVzTeCezG2b9IRn6myJxJSr4TD/xo6ojU= github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21 h1:XlpL9EHrPOBJMLDDOf35/G4t5rGAFNNAZQ3cDcWavtc= github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21/go.mod h1:Zlre/PVxuSI9y6/UV4NwGixQ48RHQDSPiUkofr6rbMU= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= 
@@ -653,16 +627,15 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4 h1:hzAQntlaYRkVSFEfj9OTWlVV1H155FMD8BTKktLv0QI= github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= -github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe h1:QQ3GSy+MqSHxm/d8nCtnAiZdYFd45cYZPs8vOOIYKfk= -github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20220520190051-1e77728a1eaa h1:B/lvg4tQ5hfFZd4V2hcSfFVfUvAK6GSFKxIIzwnkv8g= -github.com/cncf/xds/go v0.0.0-20220520190051-1e77728a1eaa/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490 h1:KwaoQzs/WeUxxJqiJsZ4euOly1Az/IgZXXSxlD/UBNk= +github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ= 
github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5 h1:xD/lrqdvwsc+O2bjSSi3YqY73Ke3LAiSCx49aCesA0E= @@ -675,8 +648,8 @@ github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w= -github.com/containerd/stargz-snapshotter/estargz v0.12.0 h1:idtwRTLjk2erqiYhPWy2L844By8NRFYEwYHcXhoIWPM= -github.com/containerd/stargz-snapshotter/estargz v0.12.0/go.mod h1:AIQ59TewBFJ4GOPEQXujcrJ/EKxh5xXZegW1rkR1P/M= +github.com/containerd/stargz-snapshotter/estargz v0.12.1 h1:+7nYmHJb0tEkcRaAW+MHqoKaJYZmkikupxCqVtmPuY0= +github.com/containerd/stargz-snapshotter/estargz v0.12.1/go.mod h1:12VUuCq3qPq4y8yUW+l5w3+oXV3cx2Po3KSe/SmPGqw= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= 
@@ -689,7 +662,6 @@ github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmf github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/go-systemd v0.0.0-20190620071333-e64a0ec8b42a/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= 
@@ -708,14 +680,11 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3 github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/cyberphone/json-canonicalization v0.0.0-20210823021906-dc406ceaf94b h1:lMzA7yYThpwx7iYNpTeiQnRH6h5JSfSYMJdz+pxZOW8= github.com/cyberphone/json-canonicalization v0.0.0-20210823021906-dc406ceaf94b/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= -github.com/daixiang0/gci v0.2.9/go.mod h1:+4dZ7TISfSmqfAGv59ePaHfNzgGtIkHAhhdKggP1JAc= github.com/danieljoos/wincred v1.0.2/go.mod h1:SnuYRW9lp1oJrZX/dXJqr0cPK5gYXqx3EJbmjhLdK9U= -github.com/danieljoos/wincred v1.1.0/go.mod h1:XYlo+eRTsVA9aHGp7NGjFkPla4m+DCL7hqDjlFjiygg= github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/denis-tingajkin/go-header v0.4.2/go.mod h1:eLRHAVXzE5atsKAnNRDB90WHCFFnBUn4RN0nRcs1LJA= github.com/denisenkom/go-mssqldb v0.0.0-20191124224453-732737034ffd h1:83Wprp6ROGeiHFAP8WJdI2RoxALQYgdllERc3N5N2DM= github.com/denisenkom/go-mssqldb v0.0.0-20191124224453-732737034ffd/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936 h1:foGzavPWwtoyBvjWyKJYDYsyzy+23iBV7NKTwdk+LRY= 
@@ -732,19 +701,20 @@ github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/ github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko= github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= -github.com/docker/cli v20.10.17+incompatible h1:eO2KS7ZFeov5UJeaDmIs1NFEDRf32PaqRpvoEkKBy5M= -github.com/docker/cli v20.10.17+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v20.10.20+incompatible h1:lWQbHSHUFs7KraSN2jOJK7zbMS2jNCHI4mt4xUFUVQ4= +github.com/docker/cli v20.10.20+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68= github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v20.10.21+incompatible h1:UTLdBmHk3bEY+w8qeO5KttOhy6OmXWsl/FEet9Uswog= github.com/docker/docker v20.10.21+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= -github.com/docker/docker-credential-helpers v0.6.4 h1:axCks+yV+2MR3/kZhAmy07yC56WZ2Pwu/fKWtKuZB0o= -github.com/docker/docker-credential-helpers v0.6.4/go.mod h1:ofX3UI0Gz1TteYBjtgs07O36Pyasyp66D2uKT7H8W1c= +github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= +github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= -github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw= github.com/docker/go-units v0.4.0/go.mod 
h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= +github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo= 
@@ -770,16 +740,13 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.m github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1 h1:xvqufLtNVwAhN8NMyWklVgxnWohi+wtMGQMhtxexlm0= github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= -github.com/envoyproxy/protoc-gen-validate v0.0.14/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.3.0-java/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/envoyproxy/protoc-gen-validate v0.6.7 h1:qcZcULcd/abmQg6dwigimCNEyi4gg31M/xaciQlDml8= -github.com/envoyproxy/protoc-gen-validate v0.6.7/go.mod h1:dyJXwwfPK2VSqiB9Klm1J6romD608Ba7Hij42vrOBCo= +github.com/envoyproxy/protoc-gen-validate v0.6.2 h1:JiO+kJTpmYGjEodY7O1Zk8oZcNz1+f30UtwtXoFUPzE= +github.com/envoyproxy/protoc-gen-validate v0.6.2/go.mod h1:2t7qjJNvHPx8IjnBOzl9E9/baC+qXE/TeeyBRzgJDws= github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 h1:Yzb9+7DPaBjB8zlTR87/ElzFsnQfuHnVUVqpZZIcV5Y= github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0= -github.com/esimonov/ifshort v1.0.3/go.mod h1:yZqNJUrNn20K8Q9n2CrjTKYyVEmX209Hgu+M1LBpeZE= github.com/etcd-io/gofail v0.0.0-20190801230047-ad7f989257ca/go.mod h1:49H/RkXP8pKaZy4h0d+NW16rSLhyVBt4o6VLJbmOqDE= -github.com/ettle/strcase v0.1.1/go.mod h1:hzDLsPC7/lwKyBOywSHEP89nt2pDgdy+No1NBA9o9VY= github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ= github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= github.com/evanphx/json-patch 
v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= @@ -790,14 +757,12 @@ github.com/facebookgo/limitgroup v0.0.0-20150612190941-6abd8d71ec01 h1:IeaD1VDVB github.com/facebookgo/muster v0.0.0-20150708232844-fd3d7953fd52 h1:a4DFiKFJiDRGFD1qIcqGLX/WlUMD9dyLSLDt+9QZgt8= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= -github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM= github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo= -github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94= github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= -github.com/felixge/httpsnoop v1.0.2 h1:+nS9g82KMXccJ/wp0zyRW9ZBHFETmMGtkk+2CTTrW4o= -github.com/felixge/httpsnoop v1.0.2/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk= +github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= 
@@ -811,17 +776,14 @@ github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2 github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= -github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU= github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= -github.com/fullstorydev/grpcurl v1.6.0/go.mod h1:ZQ+ayqbKMJNhzLmbpCiurTVlaK2M/3nqZCxaQ2Ze/sM= github.com/fullstorydev/grpcurl v1.8.0/go.mod h1:Mn2jWbdMrQGJQ8UD62uNyMumT2acsZUCkZIqFxsQf1o= github.com/fullstorydev/grpcurl v1.8.1/go.mod h1:3BWhvHZwNO7iLXaQlojdg5NA6SxUDePli4ecpK1N7gw= github.com/fullstorydev/grpcurl v1.8.6/go.mod h1:WhP7fRQdhxz2TkL97u+TCb505sxfH78W1usyoB3tepw= github.com/fullstorydev/grpcurl v1.8.7 h1:xJWosq3BQovQ4QrdPO72OrPiWuGgEsxY8ldYsJbPrqI= github.com/fullstorydev/grpcurl v1.8.7/go.mod h1:pVtM4qe3CMoLaIzYS8uvTuDj2jVYmXqMUkZeijnXp/E= -github.com/fzipp/gocyclo v0.3.1/go.mod h1:DJHO6AUmbdqj2ET4Z9iArSuwWgYDRryYt2wASxc7x3E= github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg= github.com/getsentry/raven-go v0.2.0 h1:no+xWJRb5ZI7eE8TWgIq1jLulQiIoLG0IfYxv5JYMGs= github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ= 
@@ -830,7 +792,6 @@ github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeME github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0= github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec= github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= -github.com/go-critic/go-critic v0.6.1/go.mod h1:SdNCfU0yF3UBjtaZGw6586/WocupMOJuiqgom5DsQxM= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= @@ -857,7 +818,6 @@ github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre github.com/go-logr/zapr v1.2.0/go.mod h1:Qa4Bsj2Vb+FAVeAKsLD8RLQ+YRJB8YDmOAKxaBQf7Ro= github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4= -github.com/go-ole/go-ole v1.2.5/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY= github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= github.com/go-openapi/analysis v0.21.2/go.mod h1:HZwRk4RRisyG8vx2Oe6aqeSQcoxRp47Xkp3+K6q+LdY= 
@@ -879,8 +839,8 @@ github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXym github.com/go-openapi/loads v0.21.1/go.mod h1:/DtAMXXneXFjbQMGEtbamCZb+4x7eGwkvZCvBmwUG+g= github.com/go-openapi/loads v0.21.2 h1:r2a/xFIYeZ4Qd2TnGpWDIQNcP80dIaZgf704za8enro= github.com/go-openapi/loads v0.21.2/go.mod h1:Jq58Os6SSGz0rzh62ptiu8Z31I+OTHqmULx5e/gJbNw= -github.com/go-openapi/runtime v0.24.1 h1:Sml5cgQKGYQHF+M7yYSHaH1eOjvTykrddTE/KtQVjqo= -github.com/go-openapi/runtime v0.24.1/go.mod h1:AKurw9fNre+h3ELZfk6ILsfvPN+bvvlaU/M9q/r9hpk= +github.com/go-openapi/runtime v0.24.2 h1:yX9HMGQbz32M87ECaAhGpJjBmErO3QLcgdZj9BzGx7c= +github.com/go-openapi/runtime v0.24.2/go.mod h1:AKurw9fNre+h3ELZfk6ILsfvPN+bvvlaU/M9q/r9hpk= github.com/go-openapi/spec v0.20.4/go.mod h1:faYFR1CvsJZ0mNsmsphTMSoRrNV3TEDoAM7FOEWeq8I= github.com/go-openapi/spec v0.20.6/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA= github.com/go-openapi/spec v0.20.7 h1:1Rlu/ZrOCCob0n+JKKJAWhNWMPW8bOZRg8FJaY+0SKI= 
@@ -905,11 +865,10 @@ github.com/go-playground/locales v0.14.0 h1:u50s323jtVGugKlcYeyzC0etD1HifMjqmJqb github.com/go-playground/locales v0.14.0/go.mod h1:sawfccIbzZTqEDETgFXqTho0QybSa7l++s0DH+LDiLs= github.com/go-playground/universal-translator v0.18.0 h1:82dyy6p4OuJq4/CByFNOn/jYrnRPArHwAcmLoJZxyho= github.com/go-playground/universal-translator v0.18.0/go.mod h1:UvRDBj+xPUEGrFYl+lu/H90nyDXpg0fqeB/AQUGNTVA= -github.com/go-playground/validator/v10 v10.11.0 h1:0W+xRM511GY47Yy3bZUbJVitCNg2BOGlCyvTqsp/xIw= -github.com/go-playground/validator/v10 v10.11.0/go.mod h1:i+3WkQ1FvaUjjxh1kSvIA4dMGDBiPU55YFDl0WbKdWU= -github.com/go-redis/redis v6.15.8+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= +github.com/go-playground/validator/v10 v10.11.1 h1:prmOlTVv+YjZjmRmNSF3VmspqJIxJWXmqUsHwfTRRkQ= +github.com/go-playground/validator/v10 v10.11.1/go.mod h1:i+3WkQ1FvaUjjxh1kSvIA4dMGDBiPU55YFDl0WbKdWU= github.com/go-redis/redis v6.15.9+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= -github.com/go-rod/rod v0.109.3 h1:MxuSJGK9lEUq07K+QPfnxnuvQpsQT+YI4SoQjSE0LVg= +github.com/go-rod/rod v0.112.1 h1:FuItvJ4ysJjKR2JA5UDlyLJwWZpWwA4jcNd3BoU+ioQ= github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= 
@@ -920,18 +879,6 @@ github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/me github.com/go-stack/stack v1.8.1/go.mod h1:dcoOX6HbPZSZptuspn9bctJ+N/CnF5gGygcUP3XYfe4= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM= -github.com/go-toolsmith/astcast v1.0.0/go.mod h1:mt2OdQTeAQcY4DQgPSArJjHCcOwlX+Wl/kwN+LbLGQ4= -github.com/go-toolsmith/astcopy v1.0.0/go.mod h1:vrgyG+5Bxrnz4MZWPF+pI4R8h3qKRjjyvV/DSez4WVQ= -github.com/go-toolsmith/astequal v1.0.0/go.mod h1:H+xSiq0+LtiDC11+h1G32h7Of5O3CYFJ99GVbS5lDKY= -github.com/go-toolsmith/astequal v1.0.1/go.mod h1:4oGA3EZXTVItV/ipGiOx7NWkY5veFfcsOJVS2YxltLw= -github.com/go-toolsmith/astfmt v1.0.0/go.mod h1:cnWmsOAuq4jJY6Ct5YWlVLmcmLMn1JUPuQIHCY7CJDw= -github.com/go-toolsmith/astinfo v0.0.0-20180906194353-9809ff7efb21/go.mod h1:dDStQCHtmZpYOmjRP/8gHHnCCch3Zz3oEgCdZVdtweU= -github.com/go-toolsmith/astp v1.0.0/go.mod h1:RSyrtpVlfTFGDYRbrjyWP1pYu//tSFcvdYrA8meBmLI= -github.com/go-toolsmith/pkgload v1.0.0/go.mod h1:5eFArkbO80v7Z0kdngIxsRXRMTaX4Ilcwuh3clNrQJc= -github.com/go-toolsmith/strparse v1.0.0/go.mod h1:YI2nUKP9YGZnL/L1/DLFBfixrcjslWct4wyljWhSRy8= -github.com/go-toolsmith/typep v1.0.0/go.mod h1:JSQCQMUPdRlMZFswiq3TGpNp1GMktqkR2Ns5AIQkATU= -github.com/go-toolsmith/typep v1.0.2/go.mod h1:JSQCQMUPdRlMZFswiq3TGpNp1GMktqkR2Ns5AIQkATU= -github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM= github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0= github.com/gobuffalo/depgen v0.0.0-20190329151759-d478694a28d3/go.mod h1:3STtPUQYuzV0gBVOY3vy6CfMm/ljR4pABfrTeHNLHUY= github.com/gobuffalo/depgen v0.1.0/go.mod h1:+ifsuy7fhi15RWncXQQKjWS9JPkdah5sZvtHc2RXGlg= 
@@ -961,7 +908,6 @@ github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJA github.com/godbus/dbus v4.1.0+incompatible/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw= github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= github.com/gofrs/uuid v4.3.1+incompatible h1:0/KbAdpx3UXAx1kEOWHJeOkpbgRFGHVgv+CFIY7dBJI= github.com/gofrs/uuid v4.3.1+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= @@ -1003,7 +949,6 @@ github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71 github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc= github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs= -github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 
@@ -1028,23 +973,12 @@ github.com/golang/snappy v0.0.2/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEW github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= -github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2/go.mod h1:k9Qvh+8juN+UKMCS/3jFtGICgW8O96FVaZsaxdzDkR4= -github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a/go.mod h1:ryS0uhF+x9jgbj/N71xsEqODy9BN81/GonCZiOzirOk= -github.com/golangci/go-misc v0.0.0-20180628070357-927a3d87b613/go.mod h1:SyvUF2NxV+sN8upjjeVYr5W7tyxaT1JVtvhKhOn2ii8= -github.com/golangci/gofmt v0.0.0-20190930125516-244bba706f1a/go.mod h1:9qCChq59u/eW8im404Q2WWTrnBUQKjpNYKMbU4M7EFU= -github.com/golangci/golangci-lint v1.43.0/go.mod h1:VIFlUqidx5ggxDfQagdvd9E67UjMXtTHBkBQ7sHoC5Q= -github.com/golangci/lint-1 v0.0.0-20191013205115-297bf364a8e0/go.mod h1:66R6K6P6VWk9I95jvqGxkqJxVWGFy9XlDwLwVz1RCFg= -github.com/golangci/maligned v0.0.0-20180506175553-b1d89398deca/go.mod h1:tvlJhZqDe4LMs4ZHD0oMUlt9G2LWuDGoisJTBzLMV9o= -github.com/golangci/misspell v0.3.5/go.mod h1:dEbvlSfYbMQDtrpRMQU675gSDLDNa8sCPPChZ7PhiVA= -github.com/golangci/revgrep v0.0.0-20210930125155-c22e5001d4f2/go.mod h1:LK+zW4MpyytAWQRz0M4xnzEk50lSvqDQKfx304apFkY= -github.com/golangci/unconvert v0.0.0-20180507085042-28b1c447d1f4/go.mod h1:Izgrg8RkN3rCIMLGE9CyYmU9pY2Jer6DgANEnZ/L/cQ= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= github.com/google/certificate-transparency-go 
v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg= -github.com/google/certificate-transparency-go v1.1.1/go.mod h1:FDKqPvSXawb2ecErVRrD+nfy23RCzyl7eqVCEmlT1Zs= github.com/google/certificate-transparency-go v1.1.2-0.20210422104406-9f33727a7a18/go.mod h1:6CKh9dscIRoqc2kC6YUFICHZMT9NrClyPrRVFrdw1QQ= github.com/google/certificate-transparency-go v1.1.2-0.20210512142713-bed466244fa6/go.mod h1:aF2dp7Dh81mY8Y/zpzyXps4fQW5zQbDu2CxfpJB6NkI= github.com/google/certificate-transparency-go v1.1.3 h1:WEb38wcTe0EuAvg7USzgklnOjjnlMaahYO3faaqnCn8= @@ -1069,8 +1003,8 @@ github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-containerregistry v0.11.0 h1:Xt8x1adcREjFcmDoDK8OdOsjxu90PHkGuwNP8GiHMLM= -github.com/google/go-containerregistry v0.11.0/go.mod h1:BBaYtsHPHA42uEgAvd/NejvAfPSlz281sJWqupjSxfk= +github.com/google/go-containerregistry v0.12.1 h1:W1mzdNUTx4Zla4JaixCRLhORcR7G6KxE5hHl5fkPsp8= +github.com/google/go-containerregistry v0.12.1/go.mod h1:sdIK+oHQO7B93xI8UweYdl887YhuIwg9vz8BSLH3+8k= github.com/google/go-github/v28 v28.1.1/go.mod h1:bsqJWQX05omyWVmc00nEUql9mhQyv38lDZ8kPZcQVoM= github.com/google/go-github/v45 v45.2.0 h1:5oRLszbrkvxDDqBCNj2hjDZMKmvexaZ1xw/FCD+K3FI= github.com/google/go-github/v45 v45.2.0/go.mod h1:FObaZJEDSTa/WGCzZ2Z3eoCDXWJKMenWWTrd8jrta28= 
@@ -1107,7 +1041,6 @@ github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200507031123-427632fa3b1c/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= @@ -1121,7 +1054,6 @@ github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLe github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/rpmpack v0.0.0-20191226140753-aa36bfddb3a0/go.mod h1:RaTPr0KUf2K7fnZYLNDrr8rxAamWs3iNywJLtQ2AzBg= github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk= -github.com/google/trillian v1.3.11/go.mod h1:0tPraVHrSDkA3BO6vKX67zgLXs6SsOAbHEivX+9mPgw= github.com/google/trillian v1.3.14-0.20210409160123-c5ea3abd4a41/go.mod h1:1dPv0CUjNQVFEDuAUFhZql16pw/VlPgaX8qj+g5pVzQ= github.com/google/trillian v1.3.14-0.20210511103300-67b5f349eefa/go.mod h1:s4jO3Ai4NSvxucdvqUHON0bCqJyoya32eNw6XJwsmNc= github.com/google/trillian v1.4.1/go.mod h1:43IVCsGXxP5mZK9yFkTQdQrMQm/wryNBV2GNEdqzVz8= 
@@ -1154,14 +1086,11 @@ github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2c github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA= github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= -github.com/gookit/color v1.4.2/go.mod h1:fqRyamkC1W8uxl+lxCQxOT09l/vYfZ+QeiX3rKQHCoQ= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gordonklaus/ineffassign v0.0.0-20200309095847-7953dde2c7bf/go.mod h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU= -github.com/gordonklaus/ineffassign v0.0.0-20210225214923-2e10b2664254/go.mod h1:M9mZEtGIsR1oDaZagNPNG9iq9n2HrhZ17dsXk73V3Lw= github.com/goreleaser/goreleaser v0.134.0/go.mod h1:ZT6Y2rSYa6NxQzIsdfWWNWAlYGXGbreo66NmE+3X3WQ= github.com/goreleaser/nfpm v1.2.1/go.mod h1:TtWrABZozuLOttX2uDlYyECfQX7x5XYkVxhjYcR6G9w= -github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75/go.mod h1:g2644b03hfBX9Ov0ZBDgXXens4rxSxmqFBbhvKv2yVA= github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4= github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q= 
@@ -1170,23 +1099,9 @@ github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2z github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= -github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= -github.com/gostaticanalysis/analysisutil v0.0.0-20190318220348-4088753ea4d3/go.mod h1:eEOZF4jCKGi+aprrirO9e7WKB3beBRtWgqGunKl6pKE= -github.com/gostaticanalysis/analysisutil v0.0.3/go.mod h1:eEOZF4jCKGi+aprrirO9e7WKB3beBRtWgqGunKl6pKE= -github.com/gostaticanalysis/analysisutil v0.1.0/go.mod h1:dMhHRU9KTiDcuLGdy87/2gTR8WruwYZrKdRq9m1O6uw= -github.com/gostaticanalysis/analysisutil v0.4.1/go.mod h1:18U/DLpRgIUd459wGxVHE0fRgmo1UgHDcbw7F5idXu0= -github.com/gostaticanalysis/analysisutil v0.7.1/go.mod h1:v21E3hY37WKMGSnbsw2S/ojApNWb6C1//mXO48CXbVc= -github.com/gostaticanalysis/comment v1.3.0/go.mod h1:xMicKDx7XRXYdVwY9f9wQpDJVnqWxw9wCauCMKp+IBI= -github.com/gostaticanalysis/comment v1.4.1/go.mod h1:ih6ZxzTHLdadaiSnF5WY3dxUoXfXAlTaRzuaNDlSado= -github.com/gostaticanalysis/comment v1.4.2/go.mod h1:KLUTGDv6HOCotCH8h2erHKmpci2ZoR8VPu34YA2uzdM= -github.com/gostaticanalysis/forcetypeassert v0.0.0-20200621232751-01d4955beaa5/go.mod h1:qZEedyP/sY1lTGV1uJ3VhWZ2mqag3IkWsDHVbplHXak= -github.com/gostaticanalysis/nilerr v0.1.1/go.mod h1:wZYb6YI5YAxxq0i1+VJbY0s2YONW0HU0GPE3+5PWN4A= -github.com/gostaticanalysis/testutil v0.3.1-0.20210208050101-bfb5c8eec0e4/go.mod h1:D+FIZ+7OahH3ePw/izIEeH5I06eKs1IKI4Xr64/Am3M= -github.com/gostaticanalysis/testutil v0.4.0/go.mod h1:bLIoPefWXrRi/ssLFWX1dx7Repi5x3CuviD3dgAZaBU= 
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.2.2/go.mod h1:EaizFBKfUKtMIF5iaDEhniwNedqGo9FuLFzppDr3uwI= 
@@ -1198,21 +1113,18 @@ github.com/grpc-ecosystem/grpc-gateway v1.8.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.9.2/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= -github.com/grpc-ecosystem/grpc-gateway v1.12.1/go.mod h1:8XEsbTttt/W+VvjtQhLACqCisSPWTxCZ7sBRjU6iH9c= github.com/grpc-ecosystem/grpc-gateway v1.14.6/go.mod h1:zdiPV4Yse/1gnckTHtghG4GkDEdKCRJduHpTxT3/jcw= github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.2 h1:BqHID5W5qnMkug0Z8UmL8tN0gAy4jQ+B4WFt8cCgluU= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.2/go.mod h1:ZbS3MZTZq/apAfAEHGoB5HbsQQstoqP92SjAqtQ9zeg= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3 h1:lLT7ZLSzGLI08vc9cpd+tYmNWjdKDqyr/2L+f6U12Fk= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w= github.com/hanwen/go-fuse v1.0.0/go.mod h1:unqXarDXqzAk0rt98O2tVndEPIpUgLD9+rwFisZH3Ok= github.com/hanwen/go-fuse/v2 v2.1.0/go.mod h1:oRyA5eK+pvJyv5otpO/DgccS8y/RvYMaO00GgRLGryc= github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE= -github.com/hashicorp/consul/api v1.10.1/go.mod h1:XjsvQN+RJGWI2TWy1/kqaE16HrR2J/FWgkYjdZQsX9M= github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= github.com/hashicorp/consul/sdk v0.3.0/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= 
-github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= @@ -1221,7 +1133,6 @@ github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtng github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= -github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v0.15.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v1.3.1 h1:vDwF1DFNZhntP4DAjuTpOw3uEgMUpXh1pB5fW9DqHpo= @@ -1231,7 +1142,6 @@ github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJ github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= -github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/go-plugin v1.4.0/go.mod h1:5fGEH17QVwTTcR0zV7yhDPLLmFX9YSZ38b18Udy6vYQ= 
@@ -1260,7 +1170,6 @@ github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/b github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= -github.com/hashicorp/go-version v1.2.1/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek= github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= 
@@ -1273,20 +1182,17 @@ github.com/hashicorp/hcl v1.0.1-0.20190430135223-99e2f22d1c94 h1:LaH4JWe6Q7ICdxL github.com/hashicorp/hcl v1.0.1-0.20190430135223-99e2f22d1c94/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= -github.com/hashicorp/mdns v1.0.1/go.mod h1:4gW7WsVCke5TE7EPeYliwHlRUyBtfCwuFwuMg2DmyNY= github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= -github.com/hashicorp/memberlist v0.2.2/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= -github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk= github.com/hashicorp/vault/api v1.8.2 h1:C7OL9YtOtwQbTKI9ogB0A1wffRbCN+rH/LLCHO3d8HM= github.com/hashicorp/vault/api v1.8.2/go.mod h1:ML8aYzBIhY5m1MD1B2Q0JV89cC85YVH4t5kBaZiyVaE= github.com/hashicorp/vault/sdk v0.6.1 h1:sjZC1z4j5Rh2GXYbkxn5BLK05S1p7+MhW4AgdUmgRUA= github.com/hashicorp/vault/sdk v0.6.1/go.mod h1:Ck4JuAC6usTphfrrRJCRH+7/N7O2ozZzkm/fzQFt4uM= github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= -github.com/hashicorp/yamux v0.1.0 h1:DzDIF6Sd7GD2sX0kDFpHAsJMY4L+OfTvtuaQsOYXxzk= -github.com/hashicorp/yamux v0.1.0/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ= -github.com/honeycombio/beeline-go v1.1.1 h1:sU8r4ae34uEL3/CguSl8Mr+Asz9DL1nfH9Wwk85Pc7U= -github.com/honeycombio/libhoney-go v1.15.2 h1:5NGcjOxZZma13dmzNcl3OtGbF1hECA0XHJNHEb2t2ck= +github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE= +github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ= +github.com/honeycombio/beeline-go v1.10.0 h1:cUDe555oqvw8oD76BQJ8alk7FP0JZ/M/zXpNvOEDLDc= +github.com/honeycombio/libhoney-go v1.16.0 
h1:kPpqoz6vbOzgp7jC6SR7SkNj7rua7rgxvznI6M3KdHc= github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/huandu/xstrings v1.0.0/go.mod h1:4qWG/gcEcfX4z/mBDHJ++3ReCw9ibxbsNJbcucJdbSo= @@ -1357,7 +1263,6 @@ github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b h1:ZGiXF8sz7P github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b/go.mod h1:hQmNrgofl+IY/8L+n20H6E6PWBBTokdsv+q49j0QhsU= github.com/jellydator/ttlcache/v2 v2.11.1 h1:AZGME43Eh2Vv3giG6GeqeLeFXxwxn1/qHItqWZl6U64= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= -github.com/jgautheron/goconst v1.5.1/go.mod h1:aAosetZ5zaeC/2EfMeRswtxUFBpe2Hr7HzkgX4fanO4= github.com/jhump/gopoet v0.0.0-20190322174617-17282ff210b3/go.mod h1:me9yfT6IJSlOL3FCfrg+L6yzUEZ+5jW6WHt4Sk+UPUI= github.com/jhump/gopoet v0.1.0/go.mod h1:me9yfT6IJSlOL3FCfrg+L6yzUEZ+5jW6WHt4Sk+UPUI= github.com/jhump/goprotoc v0.5.0/go.mod h1:VrbvcYrQOrTi3i0Vf+m+oqQWk9l72mjkJCYo7UvLHRQ= 
@@ -1366,16 +1271,15 @@ github.com/jhump/protoreflect v1.6.1/go.mod h1:RZQ/lnuN+zqeRVpQigTwO6o0AJUkxbnSn github.com/jhump/protoreflect v1.8.2/go.mod h1:7GcYQDdMU/O/BBrl/cX6PNHpXh6cenjd8pneu5yW7Tg= github.com/jhump/protoreflect v1.10.3/go.mod h1:7GcYQDdMU/O/BBrl/cX6PNHpXh6cenjd8pneu5yW7Tg= github.com/jhump/protoreflect v1.11.0/go.mod h1:U7aMIjN0NWq9swDP7xDdoMfRHb35uiuTd3Z9nFXJf5E= -github.com/jhump/protoreflect v1.12.0 h1:1NQ4FpWMgn3by/n1X0fbeKEUxP1wBt7+Oitpv01HR10= github.com/jhump/protoreflect v1.12.0/go.mod h1:JytZfP5d0r8pVNLZvai7U/MCuTWITgrI4tTg7puQFKI= -github.com/jingyugao/rowserrcheck v1.1.1/go.mod h1:4yvlZSDb3IyDTUZJUmpZfm2Hwok+Dtp+nu2qOq+er9c= +github.com/jhump/protoreflect v1.14.0 h1:MBbQK392K3u8NTLbKOCIi3XdI+y+c6yt5oMq0X3xviw= +github.com/jhump/protoreflect v1.14.0/go.mod h1:JytZfP5d0r8pVNLZvai7U/MCuTWITgrI4tTg7puQFKI= github.com/jinzhu/gorm v1.9.16 h1:+IyIjPEABKRpsu/F8OvDPy9fyQlgsg2luMV2ZIH5i5o= github.com/jinzhu/gorm v1.9.16/go.mod h1:G3LB3wezTOWM2ITLzPxEXgSkOXAntiLHS7UdBefADcs= github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E= github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc= github.com/jinzhu/now v1.0.1 h1:HjfetcXq097iXP0uoPCdnM4Efp5/9MsM0/M+XOTeR3M= github.com/jinzhu/now v1.0.1/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8= -github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af/go.mod h1:HEWGJkRDzjJY2sqdDwxccsGicWEf9BQOZsq2tV+xzM0= github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= 
@@ -1383,16 +1287,13 @@ github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHW github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/jmhodges/clock v0.0.0-20160418191101-880ee4c33548 h1:dYTbLf4m0a5u0KLmPfB6mgxbcV7588bOCx79hxa5Sr4= -github.com/jmoiron/sqlx v1.2.0/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks= github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= -github.com/jonboulle/clockwork v0.2.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= github.com/jonboulle/clockwork v0.3.0 h1:9BSCMi8C+0qdApAp4auwX0RkLGUjs956h0EkuQymUhg= github.com/jonboulle/clockwork v0.3.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= -github.com/josharian/txtarfs v0.0.0-20210218200122-0702f000015a/go.mod h1:izVPOvVRsHiKkeGCT6tYBNWyDVuzj9wAaBb5R9qamfw= github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= 
@@ -1409,22 +1310,16 @@ github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfV github.com/juju/ratelimit v1.0.1/go.mod h1:qapgC/Gy+xNh9UxzV13HGGl/6UXNN+ct+vwSgWNm/qk= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= -github.com/julz/importas v0.0.0-20210419104244-841f0c0fe66d/go.mod h1:oSFU2R4XK/P7kNBrnL/FEQlDGN1/6WoxXEjSSXO0DV0= -github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k= github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4= github.com/karrick/godirwalk v1.10.3/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA= github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= -github.com/kisielk/errcheck v1.6.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.13.4/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= -github.com/klauspost/compress v1.13.5/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= -github.com/klauspost/compress v1.15.7/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU= -github.com/klauspost/compress v1.15.8 h1:JahtItbkWjf2jzm/T+qgMxkP9EMHsqEUA6vCMGmXvhA= -github.com/klauspost/compress v1.15.8/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU= +github.com/klauspost/compress v1.15.11 
h1:Lcadnb3RKGin4FYM/orgq0qde+nc15E5Cbqg4B9Sx9c= +github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 
@@ -1440,36 +1335,28 @@ github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/kulti/thelper v0.4.0/go.mod h1:vMu2Cizjy/grP+jmsvOFDx1kYP6+PD1lqg4Yu5exl2U= -github.com/kunwardeep/paralleltest v1.0.3/go.mod h1:vLydzomDFpk7yu5UX02RmP0H8QfRPOV/oFhWN85Mjb4= github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= -github.com/kyoh86/exportloopref v0.1.8/go.mod h1:1tUcJeiioIs7VWe5gcOObrux3lb66+sBqGZrRkMwPgg= -github.com/ldez/gomoddirectives v0.2.2/go.mod h1:cpgBogWITnCfRq2qGoDkKMEVSaarhdBr6g8G04uz6d0= -github.com/ldez/tagliatelle v0.2.0/go.mod h1:8s6WJQwEYHbKZDsp/LjArytKOG8qaMrKQQ3mFukHs88= github.com/leodido/go-urn v1.2.1 h1:BqpAaACuzVSgi/VLzGZIobT2z4v53pjosyNd9Yv6n/w= github.com/leodido/go-urn v1.2.1/go.mod h1:zt4jvISO2HfUBqxjfIshjdMTYS56ZS/qv49ictyFfxY= -github.com/letsencrypt/boulder v0.0.0-20220723181115-27de4befb95e h1:2ba+yBBeT8ZFyZjRLPDKvkqVrWX4CCYAuR6nuJGojD0= -github.com/letsencrypt/boulder v0.0.0-20220723181115-27de4befb95e/go.mod h1:54WQpg5QI0mpRhxoj9bxysLqA5WJylVsLtXOrb3zAiU= +github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf h1:ndns1qx/5dL43g16EQkPV/i8+b3l5bYQwLeoSBe7tS8= +github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf/go.mod h1:aGkAgvWY/IUcVFfuly53REpfv5edu25oij+qHRFaraA= github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJiIbETBPTl9ATXQag= github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.1.0/go.mod 
h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= -github.com/lib/pq v1.9.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= -github.com/lib/pq v1.10.3/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw= github.com/lib/pq v1.10.7/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM= github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4= github.com/linkedin/goavro v2.1.0+incompatible/go.mod h1:bBCwI2eGYpUI/4820s67MElg9tdeLbINjLjiM2xZFYM= -github.com/logrusorgru/aurora v0.0.0-20181002194514-a7b3b318ed4e/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4= github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4= github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= -github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA= +github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w= github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= 
@@ -1482,21 +1369,17 @@ github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/maratori/testpackage v1.0.1/go.mod h1:ddKdw+XG0Phzhx8BFDTKgpWP4i7MpApTE5fXSKAqwDU= github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE= github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= -github.com/matoous/godox v0.0.0-20210227103229-6504466cf951/go.mod h1:1BELzlh859Sh1c6+90blK8lbYy0kwQf1bYlBhBysy1s= -github.com/matryer/is v1.4.0/go.mod h1:8I/i5uYgLzgsgEloJE1U6xx5HkBQpAZvepWuujKwMRU= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ= github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= -github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= -github.com/mattn/go-colorable v0.1.11/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= -github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40= github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= +github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= +github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-ieproxy 
v0.0.0-20190610004146-91bb50d98149/go.mod h1:31jz6HNzdxOmlERGGEc4v/dMssOfmp2p5bT/okiKFFc= github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= 
@@ -1506,34 +1389,26 @@ github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hd github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= -github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y= github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= +github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ= +github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= -github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= -github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/mattn/go-runewidth v0.0.7/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU= github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= github.com/mattn/go-shellwords v1.0.10/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= -github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= github.com/mattn/go-sqlite3 v1.14.0/go.mod h1:JIl7NbARA7phWnGvh0LKTyg7S9BA+6gx71ShQilpsus= github.com/mattn/go-sqlite3 v1.14.10/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= github.com/mattn/go-sqlite3 v1.14.16 h1:yOQRA0RpS5PFz/oikGwBEqvAWhWg5ufRz4ETLjwpU1Y= github.com/mattn/go-sqlite3 v1.14.16/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= 
-github.com/mattn/goveralls v0.0.2/go.mod h1:8d1ZMHsd7fW6IRPKQh46F2WRpyib5/X4FOpevwGNQEw= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= -github.com/mbilski/exhaustivestruct v1.2.0/go.mod h1:OeTBVxQWoEmB2J2JCHmXWPJ0aksxSUOUy+nvtVEfzXc= -github.com/mgechev/dots v0.0.0-20210922191527-e955255bf517/go.mod h1:KQ7+USdGKfpPjXk4Ga+5XxQM4Lm4e3gAogrreFAYpOg= -github.com/mgechev/revive v1.1.2/go.mod h1:bnXsMr+ZTH09V5rssEI+jHAZ4z+ZdyhgO/zsy3EhK+0= github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE= github.com/microsoft/go-mssqldb v0.17.0/go.mod h1:OkoNGhGEs8EZqchVTtochlXruEhEOaO4S0d2sB5aeGQ= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= -github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= -github.com/miekg/dns v1.1.35/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA= github.com/miekg/pkcs11 v1.0.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= 
@@ -1541,7 +1416,6 @@ github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WT github.com/miekg/pkcs11 v1.1.1 h1:Ugu9pdy6vAYku5DEpVWVFPYnzV+bxB+iRdbuFSu7TvU= github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= -github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXxx3xhI= github.com/mitchellh/cli v1.1.5 h1:OxRIeJXpAMztws/XHlN2vu6imG5Dpq+j61AzAX5fLng= github.com/mitchellh/cli v1.1.5/go.mod h1:v8+iFts2sPIKUV1ltktPXMCC8fumSKFItNcD2cLtRR4= github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= @@ -1550,7 +1424,6 @@ github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HK github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= -github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg= github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU= 
@@ -1562,7 +1435,6 @@ github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:F github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/mitchellh/mapstructure v1.4.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= @@ -1584,10 +1456,7 @@ github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3P github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8= github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc= github.com/montanaflynn/stats v0.6.6/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow= -github.com/moricho/tparallel v0.2.1/go.mod h1:fXEIZxG2vdfl0ZF8b42f5a78EhjjD5mX8qUplsoSU4k= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= -github.com/mozilla/scribe v0.0.0-20180711195314-fb71baf557c1/go.mod h1:FIczTrinKo8VaLxe6PWTPEXRXDIHz2QAwiaBaP5/4a8= -github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5/go.mod h1:FUqVoUPHSEdDR0MnFM3Dh8AU0pZHLXUD127SAJGER/s= github.com/mozillazg/docker-credential-acr-helper v0.3.0 h1:DVWFZ3/O8BP6Ue3iS/Olw+G07u1hCq1EOVCDZZjCIBI= github.com/mozillazg/docker-credential-acr-helper v0.3.0/go.mod h1:cZlu3tof523ujmLuiNUb6JsjtHcNA70u1jitrrdnuyA= github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= 
@@ -1598,7 +1467,6 @@ github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRW github.com/mwitkow/go-proto-validators v0.0.0-20180403085117-0950a7990007/go.mod h1:m2XC9Qq0AlmmVksL6FktJCdTYyLk7V3fKyp0sl1yWQo= github.com/mwitkow/go-proto-validators v0.2.0/go.mod h1:ZfA1hW+UH/2ZHOWvQ3HnQaU0DtnpXu850MZiy+YUgcc= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= -github.com/nakabonne/nestif v0.3.1/go.mod h1:9EtoZochLn5iUprVDmDjqGKPofoUEBL8U4Ngq6aY7OE= github.com/nats-io/jwt v0.3.0/go.mod h1:fRYCDE99xlTsqUzISS1Bi75UBJ6ljOJQOAAu5VglpSg= github.com/nats-io/jwt v0.3.2/go.mod h1:/euKqTS1ZD+zzjYrY7pseZrTtWQSjujC7xjPc8wL6eU= github.com/nats-io/nats-server/v2 v2.1.2/go.mod h1:Afk+wRZqkMQs/p45uXdrVLuab3gwv3Z8C4HTBu8GD/k= 
@@ -1606,13 +1474,9 @@ github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzE github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c= -github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354/go.mod h1:KSVJerMDfblTH7p5MZaTt+8zaT2iEk3AkVb9PQdZuE8= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nightlyone/lockfile v1.0.0/go.mod h1:rywoIealpdNse2r832aiD9jRk8ErCatROs6LzC841CI= -github.com/nishanths/exhaustive v0.2.3/go.mod h1:bhIX678Nx8inLM9PbpvK1yv6oGtoP8BfaIeMzgBNKvc= -github.com/nishanths/predeclared v0.0.0-20190419143655-18a43bb90ffc/go.mod h1:62PewwiQTlm/7Rj+cxVYqZvDIUc+JjZq6GHAC1fsObQ= github.com/nishanths/predeclared v0.0.0-20200524104333-86fad755b4d3/go.mod h1:nt3d53pc1VYcphSCIaYAJtnPYnr3Zyn8fMq2wvPGPso= -github.com/nishanths/predeclared v0.2.1/go.mod h1:HvkGJcA3naj4lOwnFXFDkFxVtSqQMB9sbB1usJ+xjQE= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= 
@@ -1623,8 +1487,6 @@ github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DV github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= -github.com/olekukonko/tablewriter v0.0.1/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= -github.com/olekukonko/tablewriter v0.0.2/go.mod h1:rSAaSIOAGT9odnlyGlUfAJaoc5w2fSBUmeGDbRWPxyQ= github.com/olekukonko/tablewriter v0.0.4/go.mod h1:zq6QwlOf5SlnkVbMSr5EoBv3636FWnp+qbPhuoO21uA= github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec= github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= @@ -1644,7 +1506,6 @@ github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1Cpa github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q= 
@@ -1653,8 +1514,8 @@ github.com/open-policy-agent/opa v0.47.0 h1:d6g0oDNLraIcWl9LXW8cBzRYf2zt7vSbPGEd github.com/open-policy-agent/opa v0.47.0/go.mod h1:cM7ngEoEdAIfyu9mOHaVcgLAHYkY6amrYfotm+BSkYQ= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 h1:+czc/J8SlhPKLOtVLMQc+xDCFBT73ZStMsRhSsUhsSg= -github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198/go.mod h1:j4h1pJW6ZcJTgMZWP3+7RlG3zTaP02aDZ/Qw0sppK7Q= +github.com/opencontainers/image-spec v1.1.0-rc2 h1:2zx/Stx4Wc5pIPDvIxHXvXtQFW/7XWJGmnM7r3wg034= +github.com/opencontainers/image-spec v1.1.0-rc2/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ= github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492/go.mod h1:Ngi6UdF0k5OKD5t5wlmGhe/EDKPoUM3BXZSSfIuJbis= github.com/opentracing/basictracer-go v1.0.0/go.mod h1:QfBfYuafItcjQuMwinw9GhYKwFXS9KnPs5lxoYwgW74= github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= 
@@ -1680,14 +1541,12 @@ github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/9 github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE= github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc= github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= -github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8= github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/pelletier/go-toml/v2 v2.0.5 h1:ipoSadvV8oGUjnUbMub59IDPPwfxF694nG/jwbMiyQg= github.com/pelletier/go-toml/v2 v2.0.5/go.mod h1:OMHamSCAODeSsVrwwvcJOaoN0LIUIaFVNZzmWyNfXas= github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= -github.com/phayes/checkstyle v0.0.0-20170904204023-bfd46e6a821d/go.mod h1:3OzsM7FXDQlpCiw2j81fOmAwQLnZnLGXVKUzeKQXIAw= github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0jef7pBehbT1qWhCMrIgbYNnFAZCqQ5LRc= github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM= 
@@ -1706,7 +1565,6 @@ github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qR github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/polyfloyd/go-errorlint v0.0.0-20210722154253-910bb7978349/go.mod h1:wi9BfjxjF/bwiZ701TzmfKu6UKC357IOAtNr0Td0Lvw= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= github.com/posener/complete v1.2.3 h1:NP0eAhjcjImqslEwo/1hq7gpajME0fTLTezBKDqfXqo= github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s= 
@@ -1762,18 +1620,9 @@ github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5 github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= github.com/prometheus/prometheus v2.5.0+incompatible/go.mod h1:oAIUtOny2rjMX0OWN5vPR5/q/twIROJvdqnQKDdil/s= github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= -github.com/pseudomuto/protoc-gen-doc v1.3.2/go.mod h1:y5+P6n3iGrbKG+9O04V5ld71in3v/bX88wUwgt+U8EA= github.com/pseudomuto/protoc-gen-doc v1.4.1/go.mod h1:exDTOVwqpp30eV/EDPFLZy3Pwr2sn6hBC1WIYH/UbIg= github.com/pseudomuto/protoc-gen-doc v1.5.1/go.mod h1:XpMKYg6zkcpgfpCfQ8GcWBDRtRxOmMR5w7pz4Xo+dYM= github.com/pseudomuto/protokit v0.2.0/go.mod h1:2PdH30hxVHsup8KpBTOXTBeMVhJZVio3Q8ViKSAXT0Q= -github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1:5STLWrekHfjyYwxBRVRXNOSewLJ3PWfDJd1VyTS21fI= -github.com/quasilyte/go-ruleguard v0.3.1-0.20210203134552-1b5a410e1cc8/go.mod h1:KsAh3x0e7Fkpgs+Q9pNLS5XpFSvYCEVl5gP9Pp1xp30= -github.com/quasilyte/go-ruleguard v0.3.13/go.mod h1:Ul8wwdqR6kBVOCt2dipDBkE+T6vAV/iixkrKuRTN1oQ= -github.com/quasilyte/go-ruleguard/dsl v0.3.0/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU= -github.com/quasilyte/go-ruleguard/dsl v0.3.10/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU= -github.com/quasilyte/go-ruleguard/rules v0.0.0-20201231183845-9e62ed36efe1/go.mod h1:7JTjp89EGyU1d6XfBiXihJNG37wB2VRkd125Q1u7Plc= -github.com/quasilyte/go-ruleguard/rules v0.0.0-20210428214800-545e0d2e0bf7/go.mod h1:4cgAphtvu7Ftv7vOT2ZOYhC6CvBxZixcasr8qIOTA50= -github.com/quasilyte/regex/syntax v0.0.0-20200407221936-30656e2c4a95/go.mod h1:rlzQ04UMyJXu/aOvhd8qT+hvDrFpiwqp8MRXDY9szc0= github.com/qur/ar v0.0.0-20130629153254-282534b91770/go.mod h1:SjlYv2m9lpV0UW6K7lDqVJwEIIvSjaHbGk7nIfY8Hxw= github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rcrowley/go-metrics 
v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= @@ -1787,7 +1636,6 @@ github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= -github.com/rogpeppe/go-internal v1.6.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8= github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE= github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= 
@@ -1796,19 +1644,14 @@ github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ= github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU= github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= -github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/ryancurrah/gomodguard v1.2.3/go.mod h1:rYbA/4Tg5c54mV1sv4sQTP5WOPBcoLtnBZ7/TEhXAbg= -github.com/ryanrolds/sqlclosecheck v0.3.0/go.mod h1:1gREqxyTGR3lVtpngyFo3hZAgk0KCtEdgEkHwDbigdA= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= -github.com/sagikazarmark/crypt v0.1.0/go.mod h1:B/mN0msZuINBtQ1zZLEQcegFJJf9vnYIR88KRMEuODE= github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E= -github.com/sanposhiho/wastedassign/v2 v2.0.6/go.mod h1:KyZ0MWTwxxBmfwn33zh3k1dmsbF2ud9pAAGfoLfjhtI= github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b/go.mod h1:am+Fp8Bt506lA3Rk3QCmSqmYmLMnPDhdDUcosQCAx+I= github.com/sassoftware/go-rpmutils v0.1.1/go.mod h1:euhXULoBpvAxqrBHEyJS4Tsu3hHxUmQWNymxoJbzgUY= github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 h1:sUNzanSKA9z/h8xXl+ZJoxIYZL0Qx306MmxqRrvUgr0= 
@@ -1817,32 +1660,27 @@ github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdh github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= github.com/secure-systems-lab/go-securesystemslib v0.4.0 h1:b23VGrQhTA8cN2CbBw7/FulN9fTtqYUdS5+Oxzt+DUE= github.com/secure-systems-lab/go-securesystemslib v0.4.0/go.mod h1:FGBZgq2tXWICsxWQW1msNf49F0Pf2Op5Htayx335Qbs= -github.com/securego/gosec/v2 v2.9.1/go.mod h1:oDcDLcatOJxkCGaCaq8lua1jTnYf6Sou4wdiJ1n4iHc= github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= -github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c/go.mod h1:/PevMnwAxekIXwN8qQyfc5gl2NlkB3CQlkizAbOkeBs= github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI= github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE= -github.com/shirou/gopsutil/v3 v3.21.10/go.mod h1:t75NhzCZ/dYyPQjyQmrAYP6c8+LCdFANeBMdLPCNnew= github.com/shirou/gopsutil/v3 v3.22.11 h1:kxsPKS+Eeo+VnEQ2XCaGJepeP6KY53QoRTETx3+1ndM= github.com/shirou/gopsutil/v3 v3.22.11/go.mod h1:xl0EeL4vXJ+hQMAGN8B9VFpxukEMA0XdevQOe5MZ1oY= github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4= github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ= github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= -github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk= -github.com/shurcooL/go-goon 
v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= -github.com/sigstore/cosign v1.12.1 h1:GgzIS+Ikdyx1MTh8S2pREUcaD/bSxYXxLeyY6Dl+I9Q= -github.com/sigstore/cosign v1.12.1/go.mod h1:8sOfWG332VGdFJBud/LPgwC/HGx6eoKr8LIFRDKcUk0= -github.com/sigstore/fulcio v0.5.3 h1:fwdl2BHv1RjL3GJJ44T+tPsvmQ028zv54psxVhSwUGA= -github.com/sigstore/fulcio v0.5.3/go.mod h1:4yzMqOao6r9Nul1Dgt4LL7loKdkkgbDemLYrXUuAc+Y= -github.com/sigstore/rekor v0.12.1-0.20220915152154-4bb6f441c1b2 h1:LD8LcwygdD2DxaINWwbkaUEBAknr205wmn66/N05s7c= -github.com/sigstore/rekor v0.12.1-0.20220915152154-4bb6f441c1b2/go.mod h1:C/jZ3EZywl/Kew48fGMWQoh+1LxOMk0BkP3DHmtB+8M= -github.com/sigstore/sigstore v1.4.2 h1:fTppzuZBAmQ/skgl7FWJRLyby70pxCqJGKyWfkSuMR8= -github.com/sigstore/sigstore v1.4.2/go.mod h1:wCv58Fia7u1snVJyPcxdgIh/3uw1XdOLhxPExTwwyt4= +github.com/sigstore/cosign v1.13.1 h1:+5oF8jisEcDw2TuXxCADC1u5//HfdnJhGbpv9Isiwu4= +github.com/sigstore/cosign v1.13.1/go.mod h1:PlfJODkovUOKsLrGI7Su57Ie/Eb/Ks7hRHw3tn5hQS4= +github.com/sigstore/fulcio v0.6.0 h1:YNfnGm9EjYPlzHiPDcIVhslYj846jkPtHQH+FTKNncw= +github.com/sigstore/fulcio v0.6.0/go.mod h1:lwxzHDYYQ0lVVWqaj68ZQNkcP847aoF7AIa7ra9rRqA= +github.com/sigstore/rekor v1.0.1 h1:rcESXSNkAPRWFYZel9rarspdvneET60F2ngNkadi89c= +github.com/sigstore/rekor v1.0.1/go.mod h1:ecTKdZWGWqE1pl3U1m1JebQJLU/hSjD9vYHOmHQ7w4g= +github.com/sigstore/sigstore v1.4.6 h1:2F1LPnQf6h1lRDCyNMoBE0WCPsA+IU5kAEAbGxG8S+U= +github.com/sigstore/sigstore v1.4.6/go.mod h1:jGHEfVTFgpfDpBz7pSY4X+Sd+g36qdAUxGufNk47k7g= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= 
@@ -1852,7 +1690,6 @@ github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/sivchari/tenv v1.4.7/go.mod h1:5nF+bITvkebQVanjU6IuMbvIot/7ReNsUV7I5NbprB0= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= @@ -1865,9 +1702,7 @@ github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4k github.com/soheilhy/cmux v0.1.5-0.20210205191134-5ec6847320e5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js= github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= -github.com/sonatard/noctx v0.0.1/go.mod h1:9D2D/EoULe8Yy2joDHJj7bv3sZoq9AaSb8B4lqBjiZI= github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY= -github.com/sourcegraph/go-diff v0.6.1/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag071iBaWPF6cjs= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= 
@@ -1878,7 +1713,6 @@ github.com/spf13/afero v1.8.2 h1:xehSyVa0YnHWsJ49JFljMpg1HX19V6NDZ1fkm1Xznbo= github.com/spf13/afero v1.8.2/go.mod h1:CtAatgMJh6bJEIs48Ay/FOnkljP3WeGUG0MC1RfAqwo= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w= github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU= github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= @@ -1902,7 +1736,6 @@ github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/y github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= github.com/spf13/viper v1.7.1/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= -github.com/spf13/viper v1.9.0/go.mod h1:+i6ajR7OX2XaiBkrcZJFK21htRk7eDeLg7+O6bhUPP4= github.com/spf13/viper v1.13.0 h1:BWSJ/M+f+3nmdz9bxB+bWX28kkALN2ok11D0rSo8EJU= github.com/spf13/viper v1.13.0/go.mod h1:Icm2xNL3/8uyh/wFuB1jI7TiTNKp8632Nwegu+zgdYw= github.com/spiffe/go-spiffe/v2 v2.1.1 h1:RT9kM8MZLZIsPTH+HKQEP5yaAk3yd/VBzlINaRjXs8k= 
@@ -1912,7 +1745,6 @@ github.com/spiffe/spire-api-sdk v1.2.5-0.20221020001527-5895a0279944/go.mod h1:4 github.com/spiffe/spire-plugin-sdk v1.4.1-0.20220912221658-c42ab2d657f6 h1:QViYo6JR+v2lTMV/w9Py1mWJEXTrLn1Hb6ZsCWSVVek= github.com/spiffe/spire-plugin-sdk v1.4.1-0.20220912221658-c42ab2d657f6/go.mod h1:4KW5J6abGIAyUS8IL7Fi0NOfoWR6jA5LufKPnIdm9FE= github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI= -github.com/ssgreg/nlreturn/v2 v2.2.1/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= @@ -1925,7 +1757,6 @@ github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSS github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v0.0.0-20170130113145-4d4bfba8f1d1/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/stretchr/testify v1.1.4/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 
@@ -1940,24 +1771,18 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs= github.com/subosito/gotenv v1.4.1/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0= -github.com/sylvia7788/contextcheck v1.0.4/go.mod h1:vuPKJMQ7MQ91ZTqfdyreNKwZjyUg6KO+IebVyQDedZQ= github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d h1:vfofYNRScrDdvS342BElfbETmL1Aiz3i2t0zfRj16Hs= github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d/go.mod h1:RRCYJbIwD5jmqPI9XoAFR0OcDxqUctll6zUj/+B4S48= github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= -github.com/tdakkota/asciicheck v0.0.0-20200416200610-e657995f937b/go.mod h1:yHp0ai0Z9gUljN3o0xMhYJnH/IcvkdTBOX2fmJ93JEM= -github.com/tenntenn/modver v1.0.1/go.mod h1:bePIyQPb7UeioSRkw3Q0XeMhYZSMx9B8ePqg6SAMGH0= -github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3/go.mod h1:ON8b8w4BN/kE1EOhwT0o+d62W65a6aPw1nouo9LMgyY= github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 h1:iGnD/q9160NWqKZZ5vY4p0dMiYMRknzctfSkqA4nBDw= github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613/go.mod h1:g6AnIpDSYMcphz193otpSIzN+11Rs+AAIIC6rm1enug= -github.com/tetafro/godot v1.4.11/go.mod h1:LR3CJpxDVGlYOWn3ZZg1PgNZdTUvzsZWu8xaEohUpn8= github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg= github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU= -github.com/theupdateframework/go-tuf v0.5.1-0.20220920170306-f237d7ca5b42 h1:6XOcL5aU3UGndqoDyG/NM2y0/Piin2x5zt/pew4tR1w= -github.com/theupdateframework/go-tuf v0.5.1-0.20220920170306-f237d7ca5b42/go.mod h1:vAqWV3zEs89byeFsAYoh/Q14vJTgJkHwnnRCWBBBINY= 
+github.com/theupdateframework/go-tuf v0.5.2-0.20220930112810-3890c1e7ace4 h1:1i/Afw3rmaR1gF3sfVkG2X6ldkikQwA9zY380LrR5YI= +github.com/theupdateframework/go-tuf v0.5.2-0.20220930112810-3890c1e7ace4/go.mod h1:vAqWV3zEs89byeFsAYoh/Q14vJTgJkHwnnRCWBBBINY= github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= -github.com/timakin/bodyclose v0.0.0-20200424151742-cb6215831a94/go.mod h1:Qimiffbc6q9tBWlVV6x0P9sat/ao1xEkREYPPj9hphk= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/tj/assert v0.0.0-20171129193455-018094318fb0/go.mod h1:mZ9/Rh9oLWpLLDRpvE+3b7gP/C2YyLFYxNmcLnPTMe0= 
@@ -1966,21 +1791,16 @@ github.com/tj/go-kinesis v0.0.0-20171128231115-08b17f58cb1b/go.mod h1:/yhzCV0xPf github.com/tj/go-spin v1.1.0/go.mod h1:Mg1mzmePZm4dva8Qz60H2lHwmJ2loum4VIrLgVnKwh4= github.com/tjfoc/gmsm v1.3.2 h1:7JVkAn5bvUJ7HtU08iW6UiD+UTmJTIToHCfeFzkcCxM= github.com/tjfoc/gmsm v1.3.2/go.mod h1:HaUcFuY0auTiaHB9MHFGCPx5IaLhTUd2atbCFBQXn9w= -github.com/tklauser/go-sysconf v0.3.9/go.mod h1:11DU/5sG7UexIrp/O6g35hrWzu0JxlwQ3LSFUzyeuhs= github.com/tklauser/go-sysconf v0.3.11 h1:89WgdJhk5SNwJfu+GKyYveZ4IaJ7xAkecBo+KdJV0CM= github.com/tklauser/go-sysconf v0.3.11/go.mod h1:GqXfhXY3kiPa0nAXPDIQIWzJbMCB7AmcWpGR8lSZfqI= -github.com/tklauser/numcpus v0.3.0/go.mod h1:yFGUr7TUHQRAhyqBcEg0Ge34zDBAsIvJJcyE6boqnA8= github.com/tklauser/numcpus v0.6.0 h1:kebhY2Qt+3U6RNK7UqpYNA+tJ23IBEGKkB7JQBfDYms= github.com/tklauser/numcpus v0.6.0/go.mod h1:FEZLMke0lhOUG6w2JadTzp0a+Nl8PF/GFkQ5UVIcaL4= github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20200427203606-3cfed13b9966/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 h1:uruHq4dN7GR16kFc5fp3d1RIYzJW5onx8Ybykw2YQFA= github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= -github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE= -github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk= -github.com/tomarrell/wrapcheck/v2 v2.4.0/go.mod h1:68bQ/eJg55BROaRTbMjC7vuhL2OgfoG8bLp9ZyoBfyY= github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4= 
-github.com/tommy-muehle/go-mnd/v2 v2.4.0/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr8TnZn9lwVDlgzw= github.com/transparency-dev/merkle v0.0.1 h1:T9/9gYB8uZl7VOJIhdwjALeRWlxUxSfDEysjfmx+L9E= github.com/transparency-dev/merkle v0.0.1/go.mod h1:B8FIw5LTq6DaULoHsVFRzYIUDkl8yuSwCdZnOZGKL/A= github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= 
@@ -1993,24 +1813,15 @@ github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGr github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8= github.com/ulikunitz/xz v0.5.7/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= -github.com/ultraware/funlen v0.0.3/go.mod h1:Dp4UiAus7Wdb9KUZsYWZEWiRzGuM2kXM1lPbfaF6xhA= -github.com/ultraware/whitespace v0.0.4/go.mod h1:aVMh/gQve5Maj9hQ/hg+F75lr/X5A89uZnzAmWSineA= github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/urfave/cli v1.22.4/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/urfave/cli v1.22.7 h1:aXiFAgRugfJ27UFDsGJ9DB2FvTC73hlVXFSqq5bo9eU= github.com/urfave/cli v1.22.7/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= -github.com/urfave/cli v1.22.9 h1:cv3/KhXGBGjEXLC4bH0sLuJ9BewaAbpk5oyMOveu4pw= -github.com/urfave/cli v1.22.9/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= -github.com/uudashr/gocognit v1.0.5/go.mod h1:wgYz0mitoKOTysqxTDMOUXg+Jb5SvtihkfmugIZYpEA= -github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= -github.com/valyala/fasthttp v1.30.0/go.mod h1:2rsYD01CKFrjjsvFxx75KlEUNpWNBY9JWD3K/7o2Cus= -github.com/valyala/quicktemplate v1.7.0/go.mod h1:sqKJnoaOF88V07vkO+9FL8fb9uZg/VPSJnLYn+LmLk8= -github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc= github.com/vbatts/tar-split v0.11.2 h1:Via6XqJr0hceW4wff3QRzD5gAk/tatMw/4ZA7cTlIME= github.com/vbatts/tar-split v0.11.2/go.mod h1:vV3ZuO2yWSVsz+pfFzDG/upWH1JhjOiEaWq6kXyQ3VI= -github.com/viki-org/dnscache v0.0.0-20130720023526-c70c1f23c5d8/go.mod h1:dniwbG03GafCjFohMDmz6Zc6oCuiqgH6tGNyXTkHzXE= -github.com/vmihailenco/msgpack/v4 v4.3.12 
h1:07s4sz9IReOgdikxLTKNbBdqDMLsjPKXwvCazn8G65U= -github.com/vmihailenco/tagparser v0.1.1 h1:quXMXlA39OCbd2wAdTsGDlK9RkOk6Wuw+x37wVyIuWY= +github.com/vmihailenco/msgpack/v5 v5.3.5 h1:5gO0H1iULLWGhs2H5tbAHIZTV8/cYafcFOr9znI5mJU= +github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g= github.com/xanzy/go-gitlab v0.31.0/go.mod h1:sPLojNBn68fMUWSxIJtdVVIP8uSBYqesTfDUseX11Ug= github.com/xanzy/go-gitlab v0.73.1 h1:UMagqUZLJdjss1SovIC+kJCH4k2AZWXl58gJd38Y/hI= github.com/xanzy/go-gitlab v0.73.1/go.mod h1:d/a0vswScO7Agg1CZNz15Ic6SSvBG9vfw8egL99t4kA= 
@@ -2020,27 +1831,20 @@ github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+ github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g= github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM= github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8= -github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= -github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= -github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778/go.mod h1:2MuV+tbUrU1zIOPMxZ5EncGwgmMJsa+9ucAQZXxsObs= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= github.com/yashtewari/glob-intersection v0.1.0 h1:6gJvMYQlTDOL3dMsPF6J0+26vwX9MB8/1q3uAdhmTrg= github.com/yashtewari/glob-intersection v0.1.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok= -github.com/yeya24/promlinter v0.1.0/go.mod h1:rs5vtZzeBHqqMwXqFScncpCF6u06lezhZepno9AB1Oc= github.com/youmark/pkcs8 
v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA= github.com/ysmood/goob v0.4.0 h1:HsxXhyLBeGzWXnqVKtmT9qM7EuVs/XOgkX7T6r1o1AQ= github.com/ysmood/gson v0.7.2 h1:1iWUvpi5DPvd2j59W7ifRPR9DiAZ3Ga+fmMl1mJrRbM= github.com/ysmood/leakless v0.8.0 h1:BzLrVoiwxikpgEQR0Lk8NyBN5Cit2b1z+u0mgL4ZJak= -github.com/yudai/gojsondiff v1.0.0/go.mod h1:AY32+k2cwILAkW1fbgxQ5mUmMiZFgLIV+FBNExI05xg= -github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82/go.mod h1:lgjkn3NuSvDfVJdfcVVdX+jpBxNmX4rDAzaS45IcYoM= -github.com/yudai/pp v2.0.1+incompatible/go.mod h1:PuxR/8QJ7cyCkFp/aUDS+JY727OFEZkTdatxwunjIkc= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.30/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 
@@ -2059,12 +1863,10 @@ github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtC github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= -go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU= go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4= go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= -go.etcd.io/etcd v0.0.0-20200513171258-e048e166ab9c/go.mod h1:xCI7ZzBfRuGgBXyXO6yfWfDmlWd35khcWpUa4L0xI/k= go.etcd.io/etcd/api/v3 v3.5.0-alpha.0/go.mod h1:mPcW6aZJukV6Aa81LSKpBjQXTWlXB5r74ymPoSWa3Sw= go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= go.etcd.io/etcd/api/v3 v3.5.4/go.mod h1:5GB2vv4A4AOn3yk7MftYGHkUfGtDHnEraIjym4dYz5A= @@ -2119,7 +1921,6 @@ go.mongodb.org/mongo-driver v1.7.5/go.mod h1:VXEWRZ6URJIkUq2SCAyapmhH0ZLRBP+FT4x go.mongodb.org/mongo-driver v1.8.3/go.mod h1:0sQWfOeY63QTntERDJJ/0SuKK0T1uVSgKCuAROlKEPY= go.mongodb.org/mongo-driver v1.10.0 h1:UtV6N5k14upNp4LTduX0QCufG124fSu25Wz9tu94GLg= go.mongodb.org/mongo-driver v1.10.0/go.mod h1:wsihk0Kdgv8Kqu1Anit4sfK+22vSFbUrAVEYRhCXrA8= -go.mozilla.org/mozlog v0.0.0-20170222151521-4bb13139d403/go.mod h1:jHoPAGnDrCy6kaI2tAze5Prf0Nr0w/oNkROt2lw3n3o= go.opencensus.io v0.15.0/go.mod h1:UffZAU+4sDEINUGP/B7UfBBkq4fqLu9zXAX7ke6CHW0= go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= 
@@ -2133,13 +1934,11 @@ go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc= -go.opentelemetry.io/contrib v1.6.0 h1:xJawAzMuR3s4Au5p/ABHqYFychHjK2AHB9JvkBuBbTA= go.opentelemetry.io/contrib v1.6.0/go.mod h1:FlyPNX9s4U6MCsWEc5YAK4KzKNHFDsjrDUZijJiXvy8= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.28.0 h1:Ky1MObd188aGbgb5OgNnwGuEEwI9MVIcc7rBW6zk5Ak= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.28.0/go.mod h1:vEhqr0m4eTc+DWxfsXoXue2GBgV2uUwVznkGIHW/e5w= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:2AboqHi0CiIZU0qwhtUfCYD1GeUzvvIXWNkhDt7ZMG4= -go.opentelemetry.io/contrib/propagators v0.19.0 h1:HrixVNZYFjUl/Db+Tr3DhqzLsVW9GeVf/Gye+C5dNUY= go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo= go.opentelemetry.io/otel v1.3.0/go.mod h1:PWIKzi6JCp7sM0k9yZ43VX+T345uNbAkDKwHVjb2PTs= go.opentelemetry.io/otel v1.7.0 h1:Z2lA3Tdch0iDcrhJXDIlC94XE+bxok1F9B+4Lz/lGsM= 
@@ -2179,7 +1978,6 @@ go.uber.org/goleak v1.1.12/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= -go.uber.org/multierr v1.4.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/multierr v1.8.0 h1:dg6GjLku4EH+249NNmoIciG9N/jURbDG+pFlTkhzIC8= @@ -2209,7 +2007,6 @@ golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY= golang.org/x/crypto v0.0.0-20191002192127-34f69633bfdc/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191117063200-497ca9f6d64f/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 
@@ -2225,9 +2022,7 @@ golang.org/x/crypto v0.0.0-20200930160638-afb6bcd081ae/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= -golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= -golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= 
@@ -2239,8 +2034,8 @@ golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0 golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220919173607-35f4265a4bc0 h1:a5Yg6ylndHHYJqIPrdq0AhvR6KTvDTAvgBtaidhEevY= -golang.org/x/crypto v0.0.0-20220919173607-35f4265a4bc0/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.3.0 h1:a06MkbcxBrEFc0w0QIZWXrH/9cCX6KJyWbBOIwAn+7A= +golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -2281,8 +2076,9 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I= +golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI= golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -2344,13 +2140,11 @@ golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1 golang.org/x/net v0.0.0-20210423184538-5f58ad60dda6/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211123203042-d83791d6bcd9/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= 
@@ -2365,8 +2159,9 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.0.0-20221012135044-0b7e1fb9d458/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= -golang.org/x/net v0.0.0-20221014081412-f15817d10f9b h1:tvrvnPFcdzp294diPnrdZZZ8XUt2Tyj7svb7X52iDuU= golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU= +golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -2397,8 +2192,9 @@ golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7Lm golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/oauth2 v0.0.0-20221006150949-b44042a4b9c1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= -golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 h1:nt+Q6cXKz4MosCSpnbMtqiQ8Oz0pxTef2B4Vca2lvfk= golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.2.0 h1:GtQkldQ9m7yvzCL1V+LrYow3Khe0eJH0w7RbX/VbaIU= +golang.org/x/oauth2 v0.2.0/go.mod h1:Cwn6afJ8jrQwYMxQDTpISoXmXW9I6qF6vDeuuoX3Ibs= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -2445,8 +2241,6 @@ golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -2460,7 +2254,6 @@ golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -2514,16 +2307,13 @@ golang.org/x/sys v0.0.0-20210629170331-7dc0b73dc9fb/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210816074244-15123e1e1f71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210915083310-ed5796bab164/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210917161153-d61c044b1678/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211013075003-97ac67df715c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -2546,6 +2336,7 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ= @@ -2554,8 +2345,8 @@ golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXR golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 h1:CBpWXWQpIRjzmkkA+M7q9Fqnwd2mZr3AFqexg8YTfoM= -golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.2.0 h1:z85xZCsEl7bi/KwbNADeBYoOP0++7W1ipu+aGnpwzRM= +golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -2572,7 +2363,6 @@ golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -2581,20 +2371,14 @@ golang.org/x/time v0.2.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190110163146-51295c7ec13a/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= -golang.org/x/tools v0.0.0-20190307163923-6a08e3108db3/go.mod h1:25r3+/G6/xytQM8iWZKq3Hn0kr0rgFKPUNVEL/dr3z4= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190311215038-5c2858a9cfe5/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190321232350-e250d351ecad/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190322203728-c1a832b0ad89/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod 
h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190329151228-23e29df326fe/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190416151739-9c9e1878f421/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= @@ -2612,10 +2396,7 @@ golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgw golang.org/x/tools v0.0.0-20190729092621-ff9f1409240a/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190823170909-c4a336ef6a2f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190910044552-dd2b5c81c578/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190916130336-e45ffcd953cc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191010075000-0337d82405ff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 
@@ -2628,12 +2409,10 @@ golang.org/x/tools v0.0.0-20191118222007-07fc4c7f2b98/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200103221440-774c71fcf114/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200117220505-0cba7a3a9ee9/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 
@@ -2643,11 +2422,7 @@ golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapK golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200324003944-a576cf524670/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= -golang.org/x/tools v0.0.0-20200329025819-fd4102a86c65/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= -golang.org/x/tools v0.0.0-20200414032229-332987a829c3/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200422022333-3d57cf2e726e/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200426102838-f3a5411a4c3b/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 
@@ -2657,49 +2432,26 @@ golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20200522201501-cb1345f3a375/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200622203043-20e05c1c8ffa/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200624225443-88f3c62a19ff/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200625211823-6506e20df31f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200626171337-aa94e735be7f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200630154851-b2d8b0336632/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200706234117-b22de6825cf7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200717024301-6ddee64345a6/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200724022722-7017fd6b1305/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200812195022-5ae4c3c160a0/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200820010801-b793a1359eac/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200831203904-5a2aa26beb65/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= golang.org/x/tools 
v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= -golang.org/x/tools v0.0.0-20201001104356-43ebab892c4c/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU= -golang.org/x/tools v0.0.0-20201002184944-ecd9fd270d5d/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU= golang.org/x/tools v0.0.0-20201014170642-d1624618ad65/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU= -golang.org/x/tools v0.0.0-20201023174141-c8cfbd0f21e6/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201028025901-8cd080b735b3/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201114224030-61ea331ec02b/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201118003311-bd56c0adb394/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201230224404-63754364767c/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210101214203-2dba1e4ea05c/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210104081019-d8d6ddbec6ee/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod 
h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= -golang.org/x/tools v0.1.1-0.20210205202024-ef80cdb6ec6d/go.mod h1:9bzcO0MWcOuT0tm1iBGzDVPshzfwoVvREIui8C+MHqU= -golang.org/x/tools v0.1.1-0.20210302220138-2ac05c832e1a/go.mod h1:9bzcO0MWcOuT0tm1iBGzDVPshzfwoVvREIui8C+MHqU= golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.6-0.20210820212750-d4cc65f0b2ff/go.mod h1:YD9qOF0M9xpSpdWTBbzEl5e/RnCefISl8E5Noe10jFM= -golang.org/x/tools v0.1.6/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= -golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E= golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= 
@@ -2802,7 +2554,6 @@ google.golang.org/genproto v0.0.0-20190620144150-6af8c5fc6601/go.mod h1:z3L6/3dT google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= -google.golang.org/genproto v0.0.0-20190927181202-20e1ac93f88c/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= @@ -2823,8 +2574,6 @@ google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfG google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= -google.golang.org/genproto v0.0.0-20200626011028-ee7919e894b5/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200707001353-8e8330bf89df/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200806141610-86f49bd18e98/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 
@@ -2932,13 +2681,11 @@ google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ij google.golang.org/grpc v1.22.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= -google.golang.org/grpc v1.29.0/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= @@ -3009,7 +2756,6 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.56.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/ini.v1 v1.63.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/linkedin/goavro.v1 v1.0.5/go.mod h1:Aw5GdAbizjOEl0kAMHV9iHmA8reZzW/OKuJAl4Hb9F0= 
@@ -3033,7 +2779,6 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.6/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= @@ -3057,7 +2802,6 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.5/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -honnef.co/go/tools v0.2.1/go.mod h1:lPVVZ2BS5TfnjLyizF7o7hv7j9/L+8cZY2hLyjP9cGY= k8s.io/api v0.23.3/go.mod h1:w258XdGyvCmnBj/vGzQMj6kzdufJZVUwEM1U2fRJwSQ= k8s.io/api v0.25.4 h1:3YO8J4RtmG7elEgaWMb4HgmpS2CfY1QlaOz9nwB+ZSs= k8s.io/api v0.25.4/go.mod h1:IG2+RzyPQLllQxnhzD8KQNEu4c4YvyDTpSMztf4A0OQ= 
@@ -3072,8 +2816,8 @@ k8s.io/client-go v0.25.4 h1:3RNRDffAkNU56M/a7gUfXaEzdhZlYhoW8dgViGy5fn8= k8s.io/client-go v0.25.4/go.mod h1:8trHCAC83XKY0wsBIpbirZU4NTUpbuhc2JnI7OruGZw= k8s.io/code-generator v0.23.3/go.mod h1:S0Q1JVA+kSzTI1oUvbKAxZY/DYbA/ZUb4Uknog12ETk= k8s.io/component-base v0.23.3/go.mod h1:1Smc4C60rWG7d3HjSYpIwEbySQ3YWg0uzH5a2AtaTLg= -k8s.io/component-base v0.25.2 h1:Nve/ZyHLUBHz1rqwkjXm/Re6IniNa5k7KgzxZpTfSQY= -k8s.io/component-base v0.25.2/go.mod h1:90W21YMr+Yjg7MX+DohmZLzjsBtaxQDDwaX4YxDkl60= +k8s.io/component-base v0.25.0 h1:haVKlLkPCFZhkcqB6WCvpVxftrg6+FK5x1ZuaIDaQ5Y= +k8s.io/component-base v0.25.0/go.mod h1:F2Sumv9CnbBlqrpdf7rKZTmmd2meJq0HizeyY/yAFxk= k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= @@ -3089,10 +2833,6 @@ k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/ k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed h1:jAne/RjBTyawwAy0utX5eqigAwz/lQhTmy+Hr/Cpue4= k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -mvdan.cc/gofumpt v0.1.1/go.mod h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48= -mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc= -mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4= -mvdan.cc/unparam v0.0.0-20210104141923-aac4ce9116a7/go.mod h1:hBpJkZE8H/sb+VRFvw2+rBpHNsTBcvSpk61hr8mzXZE= pack.ag/amqp v0.11.2/go.mod h1:4/cbmt4EJXSKlG6LCfWHoqmN0uFdy5i/+YFz+fTfhV4= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= 
From 58841eb98e45189b81a2e94f8512f3bc3aa19f99 Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Wed, 7 Dec 2022 16:33:29 +0000 Subject: [PATCH 204/257] misssing typo fix from merge Signed-off-by: Rodrigo Lopes --- doc/plugin_agent_nodeattestor_k8s_sat.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/plugin_agent_nodeattestor_k8s_sat.md b/doc/plugin_agent_nodeattestor_k8s_sat.md index d8c29a08bf..1ecbe7b8d4 100644 --- a/doc/plugin_agent_nodeattestor_k8s_sat.md +++ b/doc/plugin_agent_nodeattestor_k8s_sat.md @@ -21,7 +21,7 @@ The main configuration accepts the following values: | `cluster` | Name of the cluster. It must correspond to a cluster configured in the server plugin. | | `token_path` | Path to the service account token on disk | "/var/run/secrets/kubernetes.io/serviceaccount/token" | -The token path defaults to the default location kubernetes uses to place the token and should not need to be overriden in most cases. +The token path defaults to the default location Kubernetes uses to place the token and should not need to be overridden in most cases. A sample configuration with the default token path: From 5d8a36278b8f2f2ed8d5e7bc0f3366430f52e4c9 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Wed, 7 Dec 2022 23:15:20 +0100 Subject: [PATCH 205/257] Skip k8s-workload-registrar when publishing to ghcr.io (#3678) Signed-off-by: Marco Franssen --- .github/workflows/scripts/push-images.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/scripts/push-images.sh b/.github/workflows/scripts/push-images.sh index 08eafb4075..fab03bf999 100755 --- a/.github/workflows/scripts/push-images.sh +++ b/.github/workflows/scripts/push-images.sh 
@@ -52,6 +52,9 @@ if [ "${variant}" = "-scratch" ] ; then org_name=$(echo "$GITHUB_REPOSITORY" | tr '/' "\n" | head -1 | tr -d "\n") org_name="${org_name:-spiffe}" # default to spiffe in case ran on local registry=ghcr.io/${org_name} + + # don't publish k8s-workload-registrar for scratch images + OCI_IMAGES=("${OCI_IMAGES[@]/k8s-workload-registrar}") fi echo "Pushing images ${OCI_IMAGES[*]} to ${registry} with tag ${version}". From 08c48976b2050d9ba8d567264be87910d72836ad Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Wed, 7 Dec 2022 15:25:38 -0800 Subject: [PATCH 206/257] Rename spire-oidc-provider scratch image to oidc-discovery-provider (#3654) In order to preserve the same naming as the alpine-based image published to GCR, rename the spire-oidc-provider image to oidc-discovery-provider to match the name referenced in documentation, examples, and the source code. The rename to spire-oidc-provider was previously done to convey that the service is only usable with SPIRE and does not depend on SPIFFE APIs, since the image is published under the `spiffe` image namespace. Signed-off-by: Ryan Turner --- .github/workflows/scripts/push-images.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/scripts/push-images.sh b/.github/workflows/scripts/push-images.sh index fab03bf999..4442eb6850 100755 --- a/.github/workflows/scripts/push-images.sh +++ b/.github/workflows/scripts/push-images.sh @@ -61,9 +61,6 @@ echo "Pushing images ${OCI_IMAGES[*]} to ${registry} with tag ${version}". for img in "${OCI_IMAGES[@]}"; do image_variant="${img}${variant}" image_to_push="${registry}/${img}:${version}" - if [ "${variant}" = "-scratch" ] && [ "${img}" == "oidc-discovery-provider" ] ; then - image_to_push="${registry}/spire-oidc-provider:${version}" - fi docker tag "${image_variant}:latest-local" "${image_to_push}" docker push "${image_to_push}" done From 33d979c08d8f186a4066b03ce7cec48f0df5abd0 Mon Sep 17 00:00:00 2001 
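Review bot: `OCI_IMAGES=("${OCI_IMAGES[@]/k8s-workload-registrar}")` does not drop the element. The pattern substitution only replaces the matching text with nothing, and the quoted expansion keeps the resulting empty string as an array member. The push loop shown further down in the same script builds `image_variant="${img}${variant}"`, so for the scratch variant it would pass a bare `-scratch` name to `docker tag` and the publish step would fail partway through. Rebuild the array instead, e.g. `kept=()`, then `for img in "${OCI_IMAGES[@]}"; do [ "${img}" = "k8s-workload-registrar" ] || kept+=("${img}"); done`, then `OCI_IMAGES=("${kept[@]}")`. The enclosing `if` block starts outside the hunk.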
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 8 Dec 2022 12:26:30 -0300 Subject: [PATCH 207/257] Bump github.com/uber-go/tally/v4 from 4.1.3 to 4.1.4 (#3672) Bumps [github.com/uber-go/tally/v4](https://github.com/uber-go/tally) from 4.1.3 to 4.1.4. - [Release notes](https://github.com/uber-go/tally/releases) - [Commits](https://github.com/uber-go/tally/compare/v4.1.3...v4.1.4) --- updated-dependencies: - dependency-name: github.com/uber-go/tally/v4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 4ddae5f5a3..7c057a005a 100644 --- a/go.mod +++ b/go.mod @@ -60,7 +60,7 @@ require ( github.com/spiffe/spire-api-sdk v1.2.5-0.20221020001527-5895a0279944 github.com/spiffe/spire-plugin-sdk v1.4.1-0.20220912221658-c42ab2d657f6 github.com/stretchr/testify v1.8.1 - github.com/uber-go/tally/v4 v4.1.3 + github.com/uber-go/tally/v4 v4.1.4 github.com/zeebo/errs v1.3.0 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa golang.org/x/net v0.0.0-20221014081412-f15817d10f9b diff --git a/go.sum b/go.sum index 9fa9d64069..5126806bfe 100644 --- a/go.sum +++ b/go.sum 
@@ -1169,8 +1169,8 @@ github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqri github.com/twmb/murmur3 v1.1.5/go.mod h1:Qq/R7NUyOfr65zD+6Q5IHKsJLwP7exErjN6lyyq3OSQ= github.com/twmb/murmur3 v1.1.6 h1:mqrRot1BRxm+Yct+vavLMou2/iJt0tNVTTC0QoIjaZg= github.com/twmb/murmur3 v1.1.6/go.mod h1:Qq/R7NUyOfr65zD+6Q5IHKsJLwP7exErjN6lyyq3OSQ= -github.com/uber-go/tally/v4 v4.1.3 h1:dKhkrkVSSJK0AxZCv/MmK5JrWmH+MPG3dgZCbxWk2Yc= -github.com/uber-go/tally/v4 v4.1.3/go.mod h1:aXeSTDMl4tNosyf6rdU8jlgScHyjEGGtfJ/uwCIf/vM= +github.com/uber-go/tally/v4 v4.1.4 h1:LzQyYvWQIp1gYNWU2tDNzVl04H2VchEUvMgabx/7MTI= +github.com/uber-go/tally/v4 v4.1.4/go.mod h1:aXeSTDMl4tNosyf6rdU8jlgScHyjEGGtfJ/uwCIf/vM= github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= From 593c5e5a150c0f92d5cb423e29cc10c4809ac337 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 8 Dec 2022 10:47:28 -0800 Subject: [PATCH 208/257] Bump github.com/open-policy-agent/opa from 0.47.0 to 0.47.1 (#3673) Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.47.0 to 0.47.1. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-policy-agent/opa/compare/v0.47.0...v0.47.1) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 7c057a005a..5ea8f8ea51 100644 --- a/go.mod +++ b/go.mod 
@@ -52,7 +52,7 @@ require ( github.com/lib/pq v1.10.7 github.com/mattn/go-sqlite3 v1.14.16 github.com/mitchellh/cli v1.1.5 - github.com/open-policy-agent/opa v0.47.0 + github.com/open-policy-agent/opa v0.47.1 github.com/prometheus/client_golang v1.14.0 github.com/shirou/gopsutil/v3 v3.22.11 github.com/sirupsen/logrus v1.9.0 diff --git a/go.sum b/go.sum index 5126806bfe..f0bfea7f7e 100644 --- a/go.sum +++ b/go.sum @@ -1011,8 +1011,8 @@ github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGV github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q= -github.com/open-policy-agent/opa v0.47.0 h1:d6g0oDNLraIcWl9LXW8cBzRYf2zt7vSbPGEd2+8K3Lg= -github.com/open-policy-agent/opa v0.47.0/go.mod h1:cM7ngEoEdAIfyu9mOHaVcgLAHYkY6amrYfotm+BSkYQ= +github.com/open-policy-agent/opa v0.47.1 h1:4Nf8FwguZeE5P83akiwaaoWx1XkmSkRcKmCEskiD/1c= +github.com/open-policy-agent/opa v0.47.1/go.mod h1:cM7ngEoEdAIfyu9mOHaVcgLAHYkY6amrYfotm+BSkYQ= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 h1:rc3tiVYb5z54aKaDfakKn0dDjIyPpTtszkjuMzyt7ec= From 4c8ae1e464ffdbd6debeeb1502faeaa3da3c6efa Mon Sep 17 00:00:00 2001 From: Guilherme Oliveira do Carmo Carvalho <33766735+guilhermocc@users.noreply.github.com> Date: Thu, 8 Dec 2022 21:05:39 -0300 Subject: [PATCH 209/257] Ignore config files from asdf version control manager (#3661) Signed-off-by: Guilherme Carvalho --- .gitignore | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.gitignore b/.gitignore index aa533582c2..f161e7397b 100644 --- a/.gitignore +++ b/.gitignore 
@@ -29,3 +29,7 @@ tools/spire-plugingen/spire-plugingen # Editor specific configuration .idea .vscode + +# Runtime version manager specific configuration +# asdf config file +.tool-versions From dd2a0389641c6f767bd7f70447cd989859a068f2 Mon Sep 17 00:00:00 2001 From: Marcos Yacob Date: Thu, 8 Dec 2022 21:49:38 -0300 Subject: [PATCH 210/257] Update test to verify disabled keys (#3686) Signed-off-by: Marcos Yacob --- .../plugin/keymanager/gcpkms/client_fake.go | 11 +++++++++++ .../plugin/keymanager/gcpkms/gcpkms_test.go | 17 ++--------------- 2 files changed, 13 insertions(+), 15 deletions(-) diff --git a/pkg/server/plugin/keymanager/gcpkms/client_fake.go b/pkg/server/plugin/keymanager/gcpkms/client_fake.go index d41613586c..c50796fc37 100644 --- a/pkg/server/plugin/keymanager/gcpkms/client_fake.go +++ b/pkg/server/plugin/keymanager/gcpkms/client_fake.go @@ -279,6 +279,7 @@ type fakeKMSClient struct { store fakeStore tokeninfo *oauth2.Tokeninfo updateCryptoKeyErr error + keyIsDisabled bool } func (k *fakeKMSClient) setAsymmetricSignErr(fakeError error) { @@ -316,6 +317,13 @@ func (k *fakeKMSClient) setGetCryptoKeyVersionErr(fakeError error) { k.getCryptoKeyVersionErr = fakeError } +func (k *fakeKMSClient) setIsKeyDisabled(ok bool) { + k.mu.Lock() + defer k.mu.Unlock() + + k.keyIsDisabled = ok +} + func (k *fakeKMSClient) setGetPublicKeyErr(fakeError error) { k.mu.Lock() defer k.mu.Unlock() @@ -534,6 +542,9 @@ func (k *fakeKMSClient) GetCryptoKeyVersion(ctx context.Context, req *kmspb.GetC return nil, err } + if k.keyIsDisabled { + fakeCryptoKeyVersion.CryptoKeyVersion.State = kmspb.CryptoKeyVersion_DISABLED + } return fakeCryptoKeyVersion.CryptoKeyVersion, nil } diff --git a/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go b/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go index 72cf8980fb..72fdf4a2ef 100644 --- a/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go +++ b/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go 
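Review bot: In `GetCryptoKeyVersion`, the new `keyIsDisabled` branch assigns `State = kmspb.CryptoKeyVersion_DISABLED` on the same `fakeCryptoKeyVersion.CryptoKeyVersion` value that is then returned. If that value is the one held in the fake store, the version stays disabled even after `setIsKeyDisabled(false)`, which can leak state between sub-tests. A field comment would make that explicit: `// keyIsDisabled makes GetCryptoKeyVersion overwrite the version's state with DISABLED before returning it`. The setter takes `k.mu`, but `GetCryptoKeyVersion` starts outside the hunk, so whether this read of `k.keyIsDisabled` is made under the same lock should be confirmed. The parameter would also read better as `setIsKeyDisabled(disabled bool)` than `ok`.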
@@ -958,6 +958,8 @@ func TestGenerateKey(t *testing.T) { ts.fakeKMSClient.setGetTokeninfoErr(tt.getTokenInfoErr) ts.fakeKMSClient.setUpdateCryptoKeyErr(tt.updateCryptoKeyErr) ts.fakeKMSClient.setDestroyCryptoKeyVersionErr(tt.destroyCryptoKeyVersionErr) + ts.fakeKMSClient.setIsKeyDisabled(tt.testDisabled) + ts.plugin.hooks.scheduleDestroySignal = make(chan error) configureReq := tt.configureReq @@ -995,21 +997,6 @@ func TestGenerateKey(t *testing.T) { }) require.NoError(t, err) - if tt.testDisabled { - // An external system changes the state of the CryptoKeyVersion to be disabled. - fckv := &fakeCryptoKeyVersion{ - publicKey: pubKey, - CryptoKeyVersion: &kmspb.CryptoKeyVersion{ - Algorithm: kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256, - Name: fmt.Sprintf("%s/cryptoKeyVersions/1", cryptoKeyName1), - State: kmspb.CryptoKeyVersion_DISABLED, - }, - } - - fck, ok := ts.fakeKMSClient.store.fetchFakeCryptoKey(tt.fakeCryptoKeys[0].Name) - require.True(t, ok) - fck.putFakeCryptoKeyVersion(fckv) - } if !tt.waitForDelete { spiretest.AssertLogsContainEntries(t, ts.logHook.AllEntries(), tt.logs) return From 186af671dd26a3bd4141714abe3423313e16036a Mon Sep 17 00:00:00 2001 
From: Ryan Turner Date: Thu, 8 Dec 2022 18:15:46 -0800 Subject: [PATCH 211/257] Update release documentation to reflect more currently followed practices (#3563) * Update release documentation to reflect more currently followed practices Much of the release documentation has fallen out of date. There are some key differences to how we manage the project that are not accounted for in the currently documented process: - Correlation of PRs to releases is tracked with GitHub milestones - Every release has its own dedicated release branch - We are not triggering releases directly off of the HEAD of main branch - We are post-1.0, where the digits of the version strings have different meanings than in pre-1.0 releases. In many cases we were using the term "major" where we should be using "minor", and "minor" when we should be using "patch". - The maintainers follow an on-call style rotation, where duties are distributed across the maintainers depending on when they are on-call. Out-of-scope in this PR is defining a process for major version releases, e.g. 2.x, because we have not defined a conclusive process for this yet post-1.0. Signed-off-by: Ryan Turner --- MAINTAINERS.md | 47 +++++++++++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 20 deletions(-) diff --git a/MAINTAINERS.md b/MAINTAINERS.md index 516ed0250e..d6cfe5ac3b 100644 --- a/MAINTAINERS.md +++ b/MAINTAINERS.md 
@@ -81,13 +81,19 @@ The SPIRE project maintains active support for both the current and the previous ### Version Branches -When a bug is discovered in the latest release that also affects releases of the prior major version, it is necessary to backport the fix. +Each release must have its own release branch following the naming convention `release/vX.Y.Z` where `X` is the major version, `Y` is the minor version, and `Z` is patch version. -If it is the first time that the prior major version is receiving a backported patch, then a version branch is created to track it. The version branch is named `vX.Y` where X and Y are the two most significant digits in the semantic version number. Its base is the last tag present in main for the release in question. For example, if SPIRE is on version 0.9.3, and the last 0.8 release was 0.8.4, then a `v0.8` branch is created with its base being the main commit tagged with `v0.8.4`. +The base commit of the release branch is based on the type of release being generated: + +* Patch release for older minor release series. In this case, the new release branch is based off of the previous patch release branch for the same minor release series. Example: the latest release is v1.5.z, and the release being prepared is v1.4.5. The base commit should be the `release/v1.4.4` branch. +* Security release for current minor release series. In this case, the new release branch should be based off of the previous release branch for the same minor release series. Example: the latest release is v1.5.0, and the release being prepared is v1.5.1. The base commit should be the `release/v1.5.0` branch. +* Scheduled patch release for current minor release series OR scheduled minor release. In this case, the new release branch should be based off of a commit on the `main` branch. Example: the latest release is v1.5.0, and the release being prepared is v1.5.1. The base commit should be the candidate commit selected from the `main` branch. 
+ +When a bug is discovered in the latest release that also affects releases of the prior minor version, it is necessary to backport the fix. Once the version branch is created, the patch is either cherry picked or backported into a PR against the version branch. The version branch is maintained via the same process as the main branch, including PR approval process etc. -Releases for the previous major version are made directly from its version branch. Ensure that the CHANGELOG is updated in both the main and the version branch to reflect the new release. +Ensure that the CHANGELOG is updated in both `main` and the version branch to reflect the new release. ### Releasing 
@@ -103,45 +109,46 @@ A simple majority vote is required to authorize a SPIRE release at a specific co This section summarizes the steps necessary to execute a SPIRE release. Unless explicitly stated, the below steps must be executed in order. -The following steps must be completed one week prior to release: +The following steps must be completed by the primary on-call maintainer one week prior to release: -* Ensure all changes intended to be included in the release are fully merged. +* Ensure all changes intended to be included in the release are fully merged. For the spire-api-sdk and spire-plugin-sdk repositories, ensure that all changes intended for the upcoming release are merged into the main branch from the next branch. * Identify a specific commit as the release candidate. -* Create a draft pull request against the main branch with the updates to the CHANGELOG following [these guidelines](doc/changelog_guidelines.md). This allows those tracking the project to have early visibility into what will be included in the upcoming release and an opportunity to provide feedback. The release date can be set as "TBD" while it is a draft. -* Raise an issue "Release SPIRE X.Y.Z", and include the release candidate commit hash. Reference the pull request with the updates to the CHANGELOG. +* Raise an issue "Release SPIRE X.Y.Z", and include the release candidate commit hash. +* Create the release branch following the guidelines described in [Version branches](#version-branches). * If the current state of the main branch has diverged from the candidate commit due to other changes than the ones from the CHANGELOG: - * If there is not a version branch for this release, create a branch following the guidelines described in [Version branches](#version-branches). - * Create a GitHub project named `Release vX.X.X` to identify the PRs that will be cherry-picked. 
The project should have two statuses to track the progress: one to identify the PRs to be cherry-picked and one for those that have been merged in the version branch. * Make sure that the [version in the branch](pkg/common/version/version.go) has been bumped to the version that is being released and that the [upgrade integration test is updated](test/integration/suites/upgrade/README.md#maintenance). - * Cherry-pick into the version branch the commits for all the changes that must be included in the release. + * Cherry-pick into the version branch the commits for all the changes that must be included in the release. Ensure the PRs for these commits all target the release milestone in GitHub. +* Create a draft pull request against the release branch with the updates to the CHANGELOG following [these guidelines](doc/changelog_guidelines.md). This allows those tracking the project to have early visibility into what will be included in the upcoming release and an opportunity to provide feedback. The release date can be set as "TBD" while it is a draft. -**If this is a major release**, the following steps must be completed before releasing: +**If this is a major or minor release**, the following steps must be completed by the secondary on-call maintainer at least one day before releasing: * Review and exercise all examples in spiffe.io and spire-examples repo against the release candidate hash. * Raise a PR for every example that updates included text and configuration to reflect current state and best practice. * Do not merge this PR yet. It will be updated later to use the real version pin rather than the commit hash. * If anything unusual is encountered during this process, a comment MUST be left on the release issue describing what was observed. 
-The following steps must be completed to perform a release: +The following steps must be completed by the primary on-call maintainer to perform a release: -* Mark the pull request to update the CHANGELOG as "Ready for review". Make sure that it is updated with the final release date. **At least two approvals from maintainers are required in order to be able to merge it**. If a version branch was created for the realease, cherry-pick the final CHANGELOG changes into the version branch once they are merged. -* If releasing from main and the current state of the main branch has diverged from the candidate commit due to just the CHANGELOG changes, the candidate commit is now the one that includes the updated CHANGELOG. If releasing from a version branch, the candidate commit is now the one that has the CHANGELOG changes cherry-picked in the branch. -* Cut an annotated tag against the release candidate named `vX.X.X`, where `X.X.X` is the semantic version number of SPIRE. - * The first line of the annotation should be `vX.X.X` followed by the CHANGELOG. **There should be a newline between the version and the CHANGELOG**. +* Mark the pull request to update the CHANGELOG as "Ready for review". Make sure that it is updated with the final release date. **At least two approvals from maintainers are required in order to be able to merge it**. +* Cut an annotated tag against the release candidate named `vX.Y.Z`, where `X.Y.Z` is the semantic version number of SPIRE. + * The first line of the annotation should be `vX.Y.Z` followed by the CHANGELOG. **There should be a newline between the version and the CHANGELOG**. The tag should not contain the Markdown header formatting because the "#" symbol is interpreted as a comment by Git. * Push the annotated tag to SPIRE, and watch the build to completion. * If the build fails, or anything unusual is encountered, abort the release. 
* Ensure that the GitHub release, container images, and release artifacts are deleted/rolled back if necessary. -* Visit the releases page on GitHub, copy the release notes, click edit and paste them back in. This works around a GitHub rendering bug that you will notice before completing this task. -* Close the GitHub project created to track the release process. +* Visit the releases page on GitHub, copy the release notes, click edit and paste them back in. This works around a GitHub Markdown rendering bug that you will notice before completing this task. +* Create Git tags (not annotated) with the name `vX.Y.Z` in the [spire-api-sdk](https://github.com/spiffe/spire-api-sdk) and [spire-plugin-sdk](https://github.com/spiffe/spire-plugin-sdk) repositories for the HEAD commit of the main branch. +* Open a PR targeted for the main branch that cherry-picks the changelog commit from the latest release so that the changelog on the main branch contains all the release notes. +* Close the GitHub issue created to track the release process. +* Broadcast news of release to the community via available means: SPIFFE Slack, Twitter, etc. * Open and merge a PR to bump the SPIRE version to the next projected version and [update the upgrade integration test](test/integration/suites/upgrade/README.md#maintenance). * For example, after releasing 0.10.0, update the version to 0.10.1, since it is more likely to be released before 0.11.0. * Ideally, this is the first commit merged following the release. +* Create a new GitHub milestone for the next release, if not already created. -**If this is a major release**, the following steps must be completed no later than one week after the release: +**If this is a major or minor release**, the following steps must be completed by the secondary on-call maintainer no later than one week after the release: * PRs to update spiffe.io and spire-examples repo to the latest major version must be merged. 
* Ensure that the PRs have been updated to use the version tag instead of the commit sha. -* Broadcast news of release to the community via available means: SPIFFE Slack, Twitter, etc. ## Community Interaction and Presence From 314a6d69457f5e9b537ec0577a1af87934cbba9b Mon Sep 17 00:00:00 2001 From: Andrew Harding Date: Fri, 9 Dec 2022 12:44:56 -0700 Subject: [PATCH 212/257] Fix push-images script (#3689) The k8s-workload-registrar element was not removed from the array but rather stripped of the prefix, leaving a blank string element. This caused the suffix -scratch to be passed to docker, which gratefully just failed. Signed-off-by: Andrew Harding --- .github/workflows/scripts/push-images.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/scripts/push-images.sh b/.github/workflows/scripts/push-images.sh index 4442eb6850..4e9ba19150 100755 --- a/.github/workflows/scripts/push-images.sh +++ b/.github/workflows/scripts/push-images.sh @@ -44,7 +44,7 @@ if [ -n "${variant}" ] && [ "${variant}" != "-scratch" ]; then fi OCI_IMAGES=( - spire-server spire-agent k8s-workload-registrar oidc-discovery-provider + spire-server spire-agent oidc-discovery-provider ) registry=gcr.io/spiffe-io @@ -52,9 +52,9 @@ if [ "${variant}" = "-scratch" ] ; then org_name=$(echo "$GITHUB_REPOSITORY" | tr '/' "\n" | head -1 | tr -d "\n") org_name="${org_name:-spiffe}" # default to spiffe in case ran on local registry=ghcr.io/${org_name} - - # don't publish k8s-workload-registrar for scratch images - OCI_IMAGES=("${OCI_IMAGES[@]/k8s-workload-registrar}") +else + # Continue publishing the non-scratch k8s-workload-registrar to GCR + OCI_IMAGES+=( k8s-workload-registrar ) fi echo "Pushing images ${OCI_IMAGES[*]} to ${registry} with tag ${version}". From a7a95a1dfe54613dbd7839c7b254c00b5d631b9f Mon Sep 17 00:00:00 2001 
From: Guilherme Oliveira do Carmo Carvalho <33766735+guilhermocc@users.noreply.github.com> Date: Fri, 9 Dec 2022 19:05:45 -0300 Subject: [PATCH 213/257] Update aws node attestor plugin to include new selectors (#3640) * Update aws node attestor plugin to include new selectors from the instance identity document Signed-off-by: Guilherme Carvalho --- doc/plugin_server_nodeattestor_aws_iid.md | 6 +- pkg/server/plugin/nodeattestor/awsiid/iid.go | 31 ++++++-- .../plugin/nodeattestor/awsiid/iid_test.go | 78 +++++++++++++++---- 3 files changed, 92 insertions(+), 23 deletions(-) diff --git a/doc/plugin_server_nodeattestor_aws_iid.md b/doc/plugin_server_nodeattestor_aws_iid.md index c53f7c1c2a..9e50377601 100644 --- a/doc/plugin_server_nodeattestor_aws_iid.md +++ b/doc/plugin_server_nodeattestor_aws_iid.md 
@@ -81,10 +81,14 @@ This plugin generates the following selectors related to the instance where the | Selector | Example | Description | |---------------------|-------------------------------------------------------|------------------------------------------------------------------| +| Availability Zone | `aws_iid:az:us-west-2b` | The Availability Zone in which the instance is running. | +| IAM role | `aws_iid:iamrole:arn:aws:iam::123456789012:role/Blog` | An IAM role within the instance profile for the instance | +| Image ID | `aws_iid:image:id:ami-5fb8c835` | The ID of the AMI used to launch the instance. | +| Instance ID | `aws_iid:instance:id:i-0b22a22eec53b9321` | The ID of the instance. | | Instance Tag | `aws_iid:tag:name:blog` | The key (e.g. `name`) and value (e.g. `blog`) of an instance tag | +| Region | `aws_iid:region:us-west-2` | The Region in which the instance is running. | | Security Group ID | `aws_iid:sg:id:sg-01234567` | The id of the security group the instance belongs to | | Security Group Name | `aws_iid:sg:name:blog` | The name of the security group the instance belongs to | -| IAM role | `aws_iid:iamrole:arn:aws:iam::123456789012:role/Blog` | An IAM role within the instance profile for the instance | All of the selectors have the type `aws_iid`. diff --git a/pkg/server/plugin/nodeattestor/awsiid/iid.go b/pkg/server/plugin/nodeattestor/awsiid/iid.go index 73e969254a..a1e3402310 100644 --- a/pkg/server/plugin/nodeattestor/awsiid/iid.go +++ b/pkg/server/plugin/nodeattestor/awsiid/iid.go 
@@ -54,7 +54,15 @@ const ( // accessKeyIDVarName env var name for AWS access key ID accessKeyIDVarName = "AWS_ACCESS_KEY_ID" // secretAccessKeyVarName env car name for AWS secret access key - secretAccessKeyVarName = "AWS_SECRET_ACCESS_KEY" //nolint: gosec // false positive + secretAccessKeyVarName = "AWS_SECRET_ACCESS_KEY" //nolint: gosec // false positive + azSelectorPrefix = "az" + imageIDSelectorPrefix = "image:id" + instanceIDSelectorPrefix = "instance:id" + regionSelectorPrefix = "region" + sgIDSelectorPrefix = "sg:id" + sgNameSelectorPrefix = "sg:name" + tagSelectorPrefix = "tag" + iamRoleSelectorPrefix = "iamrole" ) // BuiltIn creates a new built-in plugin @@ -192,7 +200,7 @@ func (p *IIDAttestorPlugin) Attest(stream nodeattestorv1.NodeAttestor_AttestServ return err } - selectorValues, err := p.resolveSelectors(stream.Context(), instancesDesc, awsClient) + selectorValues, err := p.resolveSelectors(stream.Context(), instancesDesc, attestationData, awsClient) if err != nil { return err } @@ -352,7 +360,7 @@ func unmarshalAndValidateIdentityDocument(data []byte, pubKey *rsa.PublicKey) (i return doc, nil } -func (p *IIDAttestorPlugin) resolveSelectors(parent context.Context, instancesDesc *ec2.DescribeInstancesOutput, client Client) ([]string, error) { +func (p *IIDAttestorPlugin) resolveSelectors(parent context.Context, instancesDesc *ec2.DescribeInstancesOutput, iiDoc imds.InstanceIdentityDocument, client Client) ([]string, error) { selectorSet := map[string]bool{} addSelectors := func(values []string) { for _, value := range values { @@ -386,6 +394,8 @@ func (p *IIDAttestorPlugin) resolveSelectors(parent context.Context, instancesDe } } + resolveIIDocSelectors(selectorSet, iiDoc) + // build and sort selectors selectors := []string{} for value := range selectorSet { 
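Review bot: `resolveSelectors` now turns fields of `iiDoc` into selectors, but nothing at its signature says the document must already have passed signature validation. In `Attest` the argument is `attestationData`, whose origin is outside the hunk. Selectors decide which registration entries a node matches, so the contract is worth stating in a doc comment: `// resolveSelectors builds the node selectors; iiDoc must be the identity document whose signature has already been verified, because its fields are emitted as selectors.` The new selector-prefix constants in the `const` hunk are also uncommented while their neighbours carry comments; one line above them such as `// prefixes of the selector values emitted by this plugin` would match. Both function bodies continue outside their hunks.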
@@ -396,10 +406,17 @@ func (p *IIDAttestorPlugin) resolveSelectors(parent context.Context, instancesDe return selectors, nil } +func resolveIIDocSelectors(selectorSet map[string]bool, iiDoc imds.InstanceIdentityDocument) { + selectorSet[fmt.Sprintf("%s:%s", imageIDSelectorPrefix, iiDoc.ImageID)] = true + selectorSet[fmt.Sprintf("%s:%s", instanceIDSelectorPrefix, iiDoc.InstanceID)] = true + selectorSet[fmt.Sprintf("%s:%s", regionSelectorPrefix, iiDoc.Region)] = true + selectorSet[fmt.Sprintf("%s:%s", azSelectorPrefix, iiDoc.AvailabilityZone)] = true +} + func resolveTags(tags []ec2types.Tag) []string { values := make([]string, 0, len(tags)) for _, tag := range tags { - values = append(values, fmt.Sprintf("tag:%s:%s", aws.ToString(tag.Key), aws.ToString(tag.Value))) + values = append(values, fmt.Sprintf("%s:%s:%s", tagSelectorPrefix, aws.ToString(tag.Key), aws.ToString(tag.Value))) } return values } @@ -408,8 +425,8 @@ func resolveSecurityGroups(sgs []ec2types.GroupIdentifier) []string { values := make([]string, 0, len(sgs)*2) for _, sg := range sgs { values = append(values, - fmt.Sprintf("sg:id:%s", aws.ToString(sg.GroupId)), - fmt.Sprintf("sg:name:%s", aws.ToString(sg.GroupName)), + fmt.Sprintf("%s:%s", sgIDSelectorPrefix, aws.ToString(sg.GroupId)), + fmt.Sprintf("%s:%s", sgNameSelectorPrefix, aws.ToString(sg.GroupName)), ) } return values @@ -422,7 +439,7 @@ func resolveInstanceProfile(instanceProfile *iamtypes.InstanceProfile) []string values := make([]string, 0, len(instanceProfile.Roles)) for _, role := range instanceProfile.Roles { if role.Arn != nil { - values = append(values, fmt.Sprintf("iamrole:%s", aws.ToString(role.Arn))) + values = append(values, fmt.Sprintf("%s:%s", iamRoleSelectorPrefix, aws.ToString(role.Arn))) } } return values diff --git a/pkg/server/plugin/nodeattestor/awsiid/iid_test.go b/pkg/server/plugin/nodeattestor/awsiid/iid_test.go index bc33469310..8c3fc564be 100644 --- a/pkg/server/plugin/nodeattestor/awsiid/iid_test.go 
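Review bot: `resolveIIDocSelectors` writes all four selectors unconditionally, so a document with an unset `ImageID`, `InstanceID`, `Region` or `AvailabilityZone` yields a selector with an empty value such as `az:`. Since selectors are what registration entries are matched against, an empty-valued one is better skipped than published. The rewrite below emits a selector only for fields that are present. A test case that attests with a partially filled document would pin the behaviour.

```go
func resolveIIDocSelectors(selectorSet map[string]bool, iiDoc imds.InstanceIdentityDocument) {
	// Only fields that are actually present in the document become selectors.
	for _, s := range []struct{ prefix, value string }{
		{imageIDSelectorPrefix, iiDoc.ImageID},
		{instanceIDSelectorPrefix, iiDoc.InstanceID},
		{regionSelectorPrefix, iiDoc.Region},
		{azSelectorPrefix, iiDoc.AvailabilityZone},
	} {
		if s.value != "" {
			selectorSet[s.prefix+":"+s.value] = true
		}
	}
}
```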
+++ b/pkg/server/plugin/nodeattestor/awsiid/iid_test.go @@ -43,15 +43,17 @@ const ( ) var ( - testAWSCAKey = testkey.MustRSA2048() - testInstance = "test-instance" - testAccount = "test-account" - testRegion = "test-region" - testProfile = "test-profile" - zeroDeviceIndex = int32(0) - nonzeroDeviceIndex = int32(1) - instanceStoreType = ec2types.DeviceTypeInstanceStore - ebsType = ec2types.DeviceTypeEbs + testAWSCAKey = testkey.MustRSA2048() + testInstance = "test-instance" + testAccount = "test-account" + testRegion = "test-region" + testAvailabilityZone = "test-az" + testImageID = "test-image-id" + testProfile = "test-profile" + zeroDeviceIndex = int32(0) + nonzeroDeviceIndex = int32(1) + instanceStoreType = ec2types.DeviceTypeInstanceStore + ebsType = ec2types.DeviceTypeEbs ) func TestAttest(t *testing.T) { @@ -141,6 +143,12 @@ func TestAttest(t *testing.T) { { name: "success with zero device index", expectID: "spiffe://example.org/spire/agent/aws_iid/test-account/test-region/test-instance", + expectSelectors: []*common.Selector{ + {Type: caws.PluginName, Value: "az:test-az"}, + {Type: caws.PluginName, Value: "image:id:test-image-id"}, + {Type: caws.PluginName, Value: "instance:id:test-instance"}, + {Type: caws.PluginName, Value: "region:test-region"}, + }, }, { name: "success with non-zero device index when check is disabled", @@ -149,6 +157,12 @@ func TestAttest(t *testing.T) { output.Reservations[0].Instances[0].NetworkInterfaces[0].Attachment.DeviceIndex = &nonzeroDeviceIndex }, expectID: "spiffe://example.org/spire/agent/aws_iid/test-account/test-region/test-instance", + expectSelectors: []*common.Selector{ + {Type: caws.PluginName, Value: "az:test-az"}, + {Type: caws.PluginName, Value: "image:id:test-image-id"}, + {Type: caws.PluginName, Value: "instance:id:test-instance"}, + {Type: caws.PluginName, Value: "region:test-region"}, + }, }, { name: "success with non-zero device index when local account is allow-listed", 
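Review bot: The expected selector values in the success cases are hard-coded strings (`"az:test-az"`, `"image:id:test-image-id"`, `"instance:id:test-instance"`, `"region:test-region"`) that duplicate the fixture variables declared in the first hunk. The same four-element literal is repeated in the later hunks of this file as well. Deriving the values from the fixtures, e.g. `{Type: caws.PluginName, Value: "az:" + testAvailabilityZone},` and `{Type: caws.PluginName, Value: "image:id:" + testImageID},`, keeps the expectations tied to what `buildAttestationData` puts in the document. A shared slice for the four document-derived selectors would shorten the table further, provided each case copies it before appending.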
@@ -157,6 +171,12 @@ func TestAttest(t *testing.T) { output.Reservations[0].Instances[0].NetworkInterfaces[0].Attachment.DeviceIndex = &nonzeroDeviceIndex }, expectID: "spiffe://example.org/spire/agent/aws_iid/test-account/test-region/test-instance", + expectSelectors: []*common.Selector{ + {Type: caws.PluginName, Value: "az:test-az"}, + {Type: caws.PluginName, Value: "image:id:test-image-id"}, + {Type: caws.PluginName, Value: "instance:id:test-instance"}, + {Type: caws.PluginName, Value: "region:test-region"}, + }, }, { name: "block device anti-tampering check rejects non-zero network device index", @@ -215,11 +235,23 @@ func TestAttest(t *testing.T) { output.Reservations[0].Instances[0].NetworkInterfaces[0].Attachment.AttachTime = aws.Time(interfaceAttachTime) }, expectID: "spiffe://example.org/spire/agent/aws_iid/test-account/test-region/test-instance", + expectSelectors: []*common.Selector{ + {Type: caws.PluginName, Value: "az:test-az"}, + {Type: caws.PluginName, Value: "image:id:test-image-id"}, + {Type: caws.PluginName, Value: "instance:id:test-instance"}, + {Type: caws.PluginName, Value: "region:test-region"}, + }, }, { name: "success with agent_path_template", config: `agent_path_template = "/{{ .PluginName }}/custom/{{ .AccountID }}/{{ .Region }}/{{ .InstanceID }}"`, expectID: "spiffe://example.org/spire/agent/aws_iid/custom/test-account/test-region/test-instance", + expectSelectors: []*common.Selector{ + {Type: caws.PluginName, Value: "az:test-az"}, + {Type: caws.PluginName, Value: "image:id:test-image-id"}, + {Type: caws.PluginName, Value: "instance:id:test-instance"}, + {Type: caws.PluginName, Value: "region:test-region"}, + }, }, { name: "success with tags in template", 
@@ -231,9 +263,15 @@ func TestAttest(t *testing.T) { }, } }, - config: `agent_path_template = "/{{ .PluginName }}/zone1/{{ .Tags.Hostname }}"`, - expectID: "spiffe://example.org/spire/agent/aws_iid/zone1/host1", - expectSelectors: []*common.Selector{{Type: "aws_iid", Value: "tag:Hostname:host1"}}, + config: `agent_path_template = "/{{ .PluginName }}/zone1/{{ .Tags.Hostname }}"`, + expectID: "spiffe://example.org/spire/agent/aws_iid/zone1/host1", + expectSelectors: []*common.Selector{ + {Type: caws.PluginName, Value: "az:test-az"}, + {Type: caws.PluginName, Value: "image:id:test-image-id"}, + {Type: caws.PluginName, Value: "instance:id:test-instance"}, + {Type: caws.PluginName, Value: "region:test-region"}, + {Type: caws.PluginName, Value: "tag:Hostname:host1"}, + }, }, { name: "fails with missing tags in template", @@ -270,8 +308,12 @@ func TestAttest(t *testing.T) { }, expectID: "spiffe://example.org/spire/agent/aws_iid/test-account/test-region/test-instance", expectSelectors: []*common.Selector{ + {Type: caws.PluginName, Value: "az:test-az"}, {Type: caws.PluginName, Value: "iamrole:role1"}, {Type: caws.PluginName, Value: "iamrole:role2"}, + {Type: caws.PluginName, Value: "image:id:test-image-id"}, + {Type: caws.PluginName, Value: "instance:id:test-instance"}, + {Type: caws.PluginName, Value: "region:test-region"}, {Type: caws.PluginName, Value: "sg:id:TestGroup"}, {Type: caws.PluginName, Value: "sg:name:Test Group Name"}, {Type: caws.PluginName, Value: "tag:Hostname:host1"}, 
@@ -307,6 +349,10 @@ func TestAttest(t *testing.T) { }, expectID: "spiffe://example.org/spire/agent/aws_iid/test-account/test-region/test-instance", expectSelectors: []*common.Selector{ + {Type: caws.PluginName, Value: "az:test-az"}, + {Type: caws.PluginName, Value: "image:id:test-image-id"}, + {Type: caws.PluginName, Value: "instance:id:test-instance"}, + {Type: caws.PluginName, Value: "region:test-region"}, {Type: caws.PluginName, Value: "sg:id:TestGroup"}, {Type: caws.PluginName, Value: "sg:name:Test Group Name"}, {Type: caws.PluginName, Value: "tag:Hostname:host1"}, @@ -525,9 +571,11 @@ func (c *fakeClient) GetInstanceProfile(ctx context.Context, input *iam.GetInsta func buildAttestationData(t *testing.T) caws.IIDAttestationData { // doc body doc := imds.InstanceIdentityDocument{ - AccountID: testAccount, - InstanceID: testInstance, - Region: testRegion, + AccountID: testAccount, + InstanceID: testInstance, + Region: testRegion, + AvailabilityZone: testAvailabilityZone, + ImageID: testImageID, } docBytes, err := json.Marshal(doc) require.NoError(t, err) From 1fc7ae60687c43b05cccf1df41c5ae64737dcac4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Dec 2022 15:30:01 -0300 Subject: [PATCH 214/257] Bump github.com/hashicorp/go-hclog from 1.3.1 to 1.4.0 (#3674) * Bump github.com/hashicorp/go-hclog from 1.3.1 to 1.4.0 Bumps [github.com/hashicorp/go-hclog](https://github.com/hashicorp/go-hclog) from 1.3.1 to 1.4.0. - [Release notes](https://github.com/hashicorp/go-hclog/releases) - [Commits](https://github.com/hashicorp/go-hclog/compare/v1.3.1...v1.4.0) --- updated-dependencies: - dependency-name: github.com/hashicorp/go-hclog dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Implement new Logger method GetLevel() in HCLogAdapter Signed-off-by: Ryan Turner 
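Review bot: `buildAttestationData` (hunk at -525) now always fills `AvailabilityZone` and `ImageID`, so no case in TestAttest covers an identity document where either field is empty. The attestor code is not part of this hunk; if it builds the `az:` and `image:id:` selectors unconditionally, an empty field would yield a selector with an empty value. A case that attests with those fields unset and asserts which selectors come back would pin the intended behaviour. The function body continues past the end of the hunk.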
Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- pkg/common/log/hclog_adapter.go | 6 ++++++ 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 5ea8f8ea51..6cf6da0676 100644 --- a/go.mod +++ b/go.mod @@ -41,7 +41,7 @@ require ( github.com/google/go-tpm-tools v0.3.9 github.com/googleapis/gax-go/v2 v2.7.0 github.com/gorilla/handlers v1.5.1 - github.com/hashicorp/go-hclog v1.3.1 + github.com/hashicorp/go-hclog v1.4.0 github.com/hashicorp/go-plugin v1.4.6 github.com/hashicorp/hcl v1.0.1-0.20190430135223-99e2f22d1c94 github.com/hashicorp/vault/api v1.8.2 diff --git a/go.sum b/go.sum index f0bfea7f7e..284ac60792 100644 --- a/go.sum +++ b/go.sum @@ -755,8 +755,8 @@ github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/S github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v0.15.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= -github.com/hashicorp/go-hclog v1.3.1 h1:vDwF1DFNZhntP4DAjuTpOw3uEgMUpXh1pB5fW9DqHpo= -github.com/hashicorp/go-hclog v1.3.1/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-hclog v1.4.0 h1:ctuWFGrhFha8BnnzxqeRGidlEcQkDyL5u8J8t5eA11I= +github.com/hashicorp/go-hclog v1.4.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= diff --git a/pkg/common/log/hclog_adapter.go b/pkg/common/log/hclog_adapter.go index 25e908452d..498efade79 100644 --- a/pkg/common/log/hclog_adapter.go +++ b/pkg/common/log/hclog_adapter.go 
@@ -87,6 +87,12 @@ func (a *HCLogAdapter) SetLevel(hclog.Level) { // we don't currently. } +func (a *HCLogAdapter) GetLevel() hclog.Level { + // We don't support dynamically setting the level with SetLevel(), + // so just return a default value here. + return hclog.NoLevel +} + func (a *HCLogAdapter) With(args ...interface{}) hclog.Logger { e := a.CreateEntry(args) return &HCLogAdapter{ From f707313b14db369eb12e7ea7242cd7f207f078ad Mon Sep 17 00:00:00 2001 From: Marcos Yacob Date: Mon, 12 Dec 2022 17:06:31 -0300 Subject: [PATCH 215/257] resolve flaky test TestDisposeStaleCryptoKeys (#3695) * resolve TestDisposeStaleCryptoKeys flaky test Signed-off-by: Marcos Yacob --- .../plugin/keymanager/gcpkms/gcpkms_test.go | 55 ++++++++++--------- 1 file changed, 30 insertions(+), 25 deletions(-) diff --git a/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go b/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go index 72fdf4a2ef..48a640c2d4 100644 --- a/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go +++ b/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go 
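Review bot: The new exported method `GetLevel` has no doc comment, and the inline comment does not say what `hclog.NoLevel` means to a caller. I would add `// GetLevel implements hclog.Logger. The adapter does not track an hclog level, so it always returns hclog.NoLevel.` above the method. If anything that receives this logger uses `GetLevel` to decide whether to emit or forward records, a constant `NoLevel` may disagree with what the adapter's `Is*` level checks report (those are outside this hunk), so it is worth confirming the two stay consistent.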
@@ -456,21 +456,21 @@ func TestDisposeStaleCryptoKeys(t *testing.T) { // Wait for destroy notification of all the CryptoKeyVersions. storedFakeCryptoKeys := ts.fakeKMSClient.store.fetchFakeCryptoKeys() - for _, fck := range storedFakeCryptoKeys { - storedFakeCryptoKeyVersions := fck.fetchFakeCryptoKeyVersions() + for _, fakeKey := range storedFakeCryptoKeys { + storedFakeCryptoKeyVersions := fakeKey.fetchFakeCryptoKeyVersions() for range storedFakeCryptoKeyVersions { _ = waitForSignal(t, ts.plugin.hooks.scheduleDestroySignal) } } - for _, fck := range storedFakeCryptoKeys { + for _, fakeKey := range storedFakeCryptoKeys { // The CryptoKeys should be active until the next run of disposeCryptoKeys. - require.Equal(t, "true", fck.getLabelValue(labelNameActive)) + require.Equal(t, "true", fakeKey.getLabelValue(labelNameActive)) - storedFakeCryptoKeyVersions := fck.fetchFakeCryptoKeyVersions() - for _, fckv := range storedFakeCryptoKeyVersions { + storedFakeCryptoKeyVersions := fakeKey.fetchFakeCryptoKeyVersions() + for _, fakeKeyVersion := range storedFakeCryptoKeyVersions { // The status should be changed to CryptoKeyVersion_DESTROY_SCHEDULED. - require.Equal(t, kmspb.CryptoKeyVersion_DESTROY_SCHEDULED, fckv.State, fmt.Sprintf("state mismatch in CryptokeyVersion %q", fckv.Name)) + require.Equal(t, kmspb.CryptoKeyVersion_DESTROY_SCHEDULED, fakeKeyVersion.State, fmt.Sprintf("state mismatch in CryptokeyVersion %q", fakeKeyVersion.Name)) } } 
@@ -480,16 +480,21 @@ func TestDisposeStaleCryptoKeys(t *testing.T) { // Wait for dispose disposeCryptoKeysTask to be initialized. _ = waitForSignal(t, ts.plugin.hooks.disposeCryptoKeysSignal) - for _, fck := range storedFakeCryptoKeys { - // Since the CryptoKey doesn't have any enabled CryptoKeyVersions at - // this point, it should be set as inactive. - // Wait for the set inactive signal. - _ = waitForSignal(t, ts.plugin.hooks.setInactiveSignal) + // Since the CryptoKey doesn't have any enabled CryptoKeyVersions at + // this point, it should be set as inactive. + // Wait for the set inactive signal. + // The order is not respected, so verify no error is returned + // and that all signals received + for _, fakeKey := range storedFakeCryptoKeys { + err = waitForSignal(t, ts.plugin.hooks.setInactiveSignal) + require.NoErrorf(t, err, "unexpected error on %v", fakeKey.getName()) + } + for _, fakeKey := range storedFakeCryptoKeys { // The CryptoKey should be inactive now. - fck, ok := ts.fakeKMSClient.store.fetchFakeCryptoKey(fck.getName()) + fakeKey, ok := ts.fakeKMSClient.store.fetchFakeCryptoKey(fakeKey.getName()) require.True(t, ok) - require.Equal(t, "false", fck.getLabelValue(labelNameActive)) + require.Equal(t, "false", fakeKey.getLabelValue(labelNameActive)) } } 
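Review bot: In the new wait loop the failure message `"unexpected error on %v", fakeKey.getName()` names the loop's key, but the comment just above says the signals do not arrive in key order, so a failure can be reported against a key that was not the one signalled. A neutral message such as `require.NoError(t, err, "waiting for setInactiveSignal")` avoids pointing at the wrong key. In the second loop, `fakeKey, ok := ts.fakeKMSClient.store.fetchFakeCryptoKey(fakeKey.getName())` shadows the loop variable; a distinct name like `storedKey` reads more clearly. The scheduleDestroySignal loop in the hunk at -456 still discards the result with `_ = waitForSignal(...)`, which is inconsistent with the check added here. TestDisposeStaleCryptoKeys starts and ends outside the hunk.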
@@ -549,11 +554,11 @@ func TestDisposeActiveCryptoKeys(t *testing.T) { // The CryptoKeys are not stale yet. Assert that they are active and the // CryptoKeyVersions enabled. storedFakeCryptoKeys := ts.fakeKMSClient.store.fetchFakeCryptoKeys() - for _, fck := range storedFakeCryptoKeys { - require.Equal(t, "true", fck.getLabelValue(labelNameActive)) - storedFakeCryptoKeyVersions := fck.fetchFakeCryptoKeyVersions() - for _, fckv := range storedFakeCryptoKeyVersions { - require.Equal(t, kmspb.CryptoKeyVersion_ENABLED, fckv.GetState(), fckv.GetName()) + for _, fakeKey := range storedFakeCryptoKeys { + require.Equal(t, "true", fakeKey.getLabelValue(labelNameActive)) + storedFakeCryptoKeyVersions := fakeKey.fetchFakeCryptoKeyVersions() + for _, fakeKeyVersion := range storedFakeCryptoKeyVersions { + require.Equal(t, kmspb.CryptoKeyVersion_ENABLED, fakeKeyVersion.GetState(), fakeKeyVersion.GetName()) } } } @@ -1115,8 +1120,8 @@ func TestKeepActiveCryptoKeys(t *testing.T) { require.NoError(t, err) storedFakeCryptoKeys := ts.fakeKMSClient.store.fetchFakeCryptoKeys() - for _, fck := range storedFakeCryptoKeys { - require.EqualValues(t, fck.getLabelValue(labelNameLastUpdate), fmt.Sprint(currentTime.Unix()), fck.CryptoKey.Name) + for _, fakeKey := range storedFakeCryptoKeys { + require.EqualValues(t, fakeKey.getLabelValue(labelNameLastUpdate), fmt.Sprint(currentTime.Unix()), fakeKey.CryptoKey.Name) } }) } 
@@ -1208,10 +1213,10 @@ func TestGetPublicKeys(t *testing.T) { require.NotNil(t, resp) require.NoError(t, err) storedFakeCryptoKeys := ts.fakeKMSClient.store.fetchFakeCryptoKeys() - for _, fck := range storedFakeCryptoKeys { - storedFakeCryptoKeyVersions := fck.fetchFakeCryptoKeyVersions() - for _, fckv := range storedFakeCryptoKeyVersions { - pubKey, err := getPublicKeyFromCryptoKeyVersion(ctx, ts.plugin.log, ts.fakeKMSClient, fckv.CryptoKeyVersion.Name) + for _, fakeKey := range storedFakeCryptoKeys { + storedFakeCryptoKeyVersions := fakeKey.fetchFakeCryptoKeyVersions() + for _, fakeKeyVersion := range storedFakeCryptoKeyVersions { + pubKey, err := getPublicKeyFromCryptoKeyVersion(ctx, ts.plugin.log, ts.fakeKMSClient, fakeKeyVersion.CryptoKeyVersion.Name) require.NoError(t, err) require.Equal(t, pubKey, resp.PublicKeys[0].PkixData) } From 175437519ddf8a6054972f58c0bb32a931041a2d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 13 Dec 2022 15:41:01 -0300 Subject: [PATCH 216/257] Bump github.com/open-policy-agent/opa from 0.47.1 to 0.47.3 (#3697) Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.47.1 to 0.47.3. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-policy-agent/opa/compare/v0.47.1...v0.47.3) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 8 ++++---- go.sum | 13 ++++++++----- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 6cf6da0676..6a94802c1c 100644 --- a/go.mod +++ b/go.mod 
@@ -52,7 +52,7 @@ require ( github.com/lib/pq v1.10.7 github.com/mattn/go-sqlite3 v1.14.16 github.com/mitchellh/cli v1.1.5 - github.com/open-policy-agent/opa v0.47.1 + github.com/open-policy-agent/opa v0.47.3 github.com/prometheus/client_golang v1.14.0 github.com/shirou/gopsutil/v3 v3.22.11 github.com/sirupsen/logrus v1.9.0 @@ -63,7 +63,7 @@ require ( github.com/uber-go/tally/v4 v4.1.4 github.com/zeebo/errs v1.3.0 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa - golang.org/x/net v0.0.0-20221014081412-f15817d10f9b + golang.org/x/net v0.4.0 golang.org/x/sync v0.1.0 golang.org/x/sys v0.3.0 golang.org/x/time v0.3.0 @@ -204,8 +204,8 @@ require ( go.uber.org/zap v1.23.0 // indirect golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 // indirect - golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect - golang.org/x/text v0.4.0 // indirect + golang.org/x/term v0.3.0 // indirect + golang.org/x/text v0.5.0 // indirect golang.org/x/tools v0.1.12 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect diff --git a/go.sum b/go.sum index 284ac60792..47f69473e5 100644 --- a/go.sum +++ b/go.sum 
@@ -1011,8 +1011,8 @@ github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGV github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q= -github.com/open-policy-agent/opa v0.47.1 h1:4Nf8FwguZeE5P83akiwaaoWx1XkmSkRcKmCEskiD/1c= -github.com/open-policy-agent/opa v0.47.1/go.mod h1:cM7ngEoEdAIfyu9mOHaVcgLAHYkY6amrYfotm+BSkYQ= +github.com/open-policy-agent/opa v0.47.3 h1:Uj8zw+q6Cvv1iiQFh704Q6sl3fKVvk35WZNJLsd6mgk= +github.com/open-policy-agent/opa v0.47.3/go.mod h1:I5DbT677OGqfk9gvu5i54oIt0rrVf4B5pedpqDquAXo= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 h1:rc3tiVYb5z54aKaDfakKn0dDjIyPpTtszkjuMzyt7ec= 
@@ -1375,8 +1375,9 @@ golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.0.0-20221012135044-0b7e1fb9d458/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= -golang.org/x/net v0.0.0-20221014081412-f15817d10f9b h1:tvrvnPFcdzp294diPnrdZZZ8XUt2Tyj7svb7X52iDuU= golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU= +golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -1527,8 +1528,9 @@ golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI= +golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1539,8 +1541,9 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= -golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM= +golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From 95800d3caa5a9af362013518af9dbed6bd8118c7 Mon Sep 17 00:00:00 2001 From: Marcos Yacob Date: Thu, 15 Dec 2022 00:32:45 -0300 Subject: [PATCH 217/257] Bump version to 1.5.4 (#3701) Signed-off-by: Marcos Yacob --- CHANGELOG.md | 17 +++++++++++++++++ pkg/common/version/version.go | 2 +- pkg/server/datastore/sqlstore/migration.go | 2 ++ test/integration/suites/upgrade/versions.txt | 1 + 4 files changed, 21 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 50c480b8cb..1dd0e7b993 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,22 @@ # Changelog +## [1.5.3] - 2022-12-14 + +### Added + +- A new `gcp_kms` KeyManager plugin is now available (#3410, #3638, #3653, #3655) +- `spire-server agent`, `spire-server bundle`, and `spire-server entry` CLI commands now support `-output` flag (#3523, #3624, #3628) + +### Changed + +- SPIRE-managed files on Windows no longer inherit permissions from parent directory (#3577, #3604) +- Documentation improvements (#3534, #3546, #3461, #3565, #3630, #3632, #3639,) + +### Fixed + +- oidc-discovery-provider healthcheck HTTP server now binds to all network interfaces for visibility outside containers using virtual IP (#3580) +- k8s-workload-registrar CRD and reconcile modes now have correct example leader election RBAC YAML (#3617) + ## [1.5.2] - 2022-12-06 ### Security diff --git a/pkg/common/version/version.go b/pkg/common/version/version.go index dfc9dd50e2..be476d0edf 100644 --- a/pkg/common/version/version.go +++ b/pkg/common/version/version.go @@ -8,7 +8,7 @@ const ( // IMPORTANT: When updating, make sure to reconcile the versions list that // is part of the upgrade integration test. See // test/integration/suites/upgrade/README.md for details. - Base = "1.5.3" + Base = "1.5.4" ) var ( diff --git a/pkg/server/datastore/sqlstore/migration.go b/pkg/server/datastore/sqlstore/migration.go index e3894de173..67f5c57374 100644 --- a/pkg/server/datastore/sqlstore/migration.go +++ b/pkg/server/datastore/sqlstore/migration.go @@ -155,6 +155,8 @@ import ( // |*********| | | // | v1.5.0 | | | // | v1.5.1 | | | +// | v1.5.2 | | | +// | v1.5.3 | | | // ================================================================================================ const ( diff --git a/test/integration/suites/upgrade/versions.txt b/test/integration/suites/upgrade/versions.txt index c192880926..a07bf05538 100644 --- a/test/integration/suites/upgrade/versions.txt +++ b/test/integration/suites/upgrade/versions.txt @@ -7,3 +7,4 @@ 1.5.0 1.5.1 1.5.2 +1.5.3 
From 883a8b7c210760b2e91111e02f72ab9edb1e4cfc Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Thu, 15 Dec 2022 11:57:06 -0800 Subject: [PATCH 218/257] Replace usage of alpine images with scratch images (#3636) * Replace usage of alpine images with scratch images Also remove usage of wait-for-it image from GCR that doesn't exist in GHCR and shouldn't be required. 
Signed-off-by: Ryan Turner --- Dockerfile.scratch | 2 + .../mode-crd/config/spire-agent.yaml | 9 +--- .../config/spire-server-registrar.yaml | 4 +- test/integration/common | 26 +++++++++++- .../admin-endpoints/docker-compose.yaml | 4 +- .../debug-endpoints/docker-compose.yaml | 4 +- .../delegatedidentity/docker-compose.yaml | 4 +- .../downstream-endpoints/docker-compose.yaml | 4 +- test/integration/suites/envoy-sds-v2/00-setup | 2 +- .../suites/envoy-sds-v2/docker-compose.yaml | 2 +- .../00-test-envoy-releases.sh | 8 ++++ .../envoy-sds-v3-spiffe-auth/Dockerfile | 2 +- .../docker-compose.yaml | 4 +- .../suites/envoy-sds-v3/docker-compose.yaml | 2 +- .../suites/evict-agent/docker-compose.yaml | 4 +- .../fetch-x509-svids/docker-compose.yaml | 4 +- .../02-bootstrap-federation-and-agents | 8 ++++ .../suites/ghostunnel-federation/Dockerfile | 2 +- .../ghostunnel-federation/docker-compose.yaml | 4 +- .../suites/join-token/docker-compose.yaml | 6 +-- test/integration/suites/k8s-crd-mode/00-setup | 2 +- .../suites/k8s-crd-mode/Dockerfile | 5 ++- .../k8s-crd-mode/conf/agent/spire-agent.yaml | 9 +--- .../conf/server/spire-server.yaml | 2 +- .../k8s-reconcile/conf/agent/spire-agent.yaml | 7 ---- .../suites/nested-rotation/00-setup | 2 +- .../suites/nested-rotation/Dockerfile | 5 ++- .../nested-rotation/docker-compose.yaml | 20 ++++----- .../node-attestation/docker-compose.yaml | 4 +- .../suites/rotation/docker-compose.yaml | 4 +- .../suites/spire-server-cli/01-start-server | 1 + .../suites/spire-server-cli/02-bundle | 4 -- .../suites/spire-server-cli/Dockerfile | 4 ++ .../spire-server-cli/docker-compose.yaml | 8 ++-- test/integration/suites/upgrade/00-setup | 16 ++++++- .../suites/upgrade/01-run-upgrade-tests | 42 ++++++++++++++----- .../suites/upgrade/conf/agent/agent.conf | 2 +- .../suites/upgrade/conf/server/server.conf | 11 ++--- .../00-setup-kind | 2 +- .../03-verify-ca | 16 +++++-- .../conf/server/spire-server.yaml | 2 +- 41 files changed, 172 insertions(+), 101 
deletions(-) create mode 100644 test/integration/suites/spire-server-cli/Dockerfile diff --git a/Dockerfile.scratch b/Dockerfile.scratch index 684e7470d0..3d105b8b7a 100644 --- a/Dockerfile.scratch +++ b/Dockerfile.scratch @@ -7,11 +7,13 @@ ADD go.* ./ RUN go mod download ADD . . RUN make build-static +RUN install -d -o root -g root -m 1777 /newtmp FROM scratch AS spire-base WORKDIR /opt/spire CMD [] COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ +COPY --from=builder /newtmp /tmp # SPIRE Server FROM spire-base AS spire-server-scratch diff --git a/support/k8s/k8s-workload-registrar/mode-crd/config/spire-agent.yaml b/support/k8s/k8s-workload-registrar/mode-crd/config/spire-agent.yaml index b6885df42a..29ce4a4b22 100644 --- a/support/k8s/k8s-workload-registrar/mode-crd/config/spire-agent.yaml +++ b/support/k8s/k8s-workload-registrar/mode-crd/config/spire-agent.yaml @@ -108,16 +108,9 @@ spec: hostNetwork: true dnsPolicy: ClusterFirstWithHostNet serviceAccountName: spire-agent - initContainers: - - name: init - # This is a small image with wait-for-it, choose whatever image - # you prefer that waits for a service to be up. This image is built - # from https://github.com/lqhl/wait-for-it - image: gcr.io/spiffe-io/wait-for-it - args: ["-t", "30", "spire-server:8081"] containers: - name: spire-agent - image: gcr.io/spiffe-io/spire-agent:1.3.0 + image: ghcr.io/spiffe/spire-agent:1.5.1 args: ["-config", "/run/spire/config/agent.conf"] volumeMounts: - name: spire-config diff --git a/support/k8s/k8s-workload-registrar/mode-crd/config/spire-server-registrar.yaml b/support/k8s/k8s-workload-registrar/mode-crd/config/spire-server-registrar.yaml index f7294a5522..fdc2d330fc 100644 --- a/support/k8s/k8s-workload-registrar/mode-crd/config/spire-server-registrar.yaml +++ b/support/k8s/k8s-workload-registrar/mode-crd/config/spire-server-registrar.yaml 
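Review bot: The `/tmp` added to the scratch base in Dockerfile.scratch has no comment saying why it is needed or why it is mode 1777. Something like `# scratch has no /tmp: create it in the builder with the sticky bit and copy it in` above the `RUN install` line would cover it. The sticky bit is what keeps one user from removing another's files in a world-writable directory, so it is worth checking that `COPY --from=builder /newtmp /tmp` carries the 1777 mode into the final image on the builders the project supports. The Dockerfile continues outside the hunk.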
@@ -212,7 +212,7 @@ spec: shareProcessNamespace: true containers: - name: spire-server - image: gcr.io/spiffe-io/spire-server:1.3.0 + image: ghcr.io/spiffe/spire-server:1.5.1 args: - -config - /run/spire/config/server.conf @@ -241,7 +241,7 @@ spec: mountPath: /tmp readOnly: false - name: k8s-workload-registrar - image: gcr.io/spiffe-io/k8s-workload-registrar:1.3.0 + image: gcr.io/spiffe-io/k8s-workload-registrar:1.5.1 args: - -config - /run/spire/config/k8s-workload-registrar.conf diff --git a/test/integration/common b/test/integration/common index 5b70248420..4a007a584a 100644 --- a/test/integration/common +++ b/test/integration/common @@ -40,6 +40,30 @@ docker-up() { docker-compose up -d "$@" || fail-now "failed to bring up services." } +docker-wait-for-healthy() { + if [ $# -ne 3 ]; then + fail-now "docker-wait-for-healthy: " + fi + + local ctr_name=$1 + local maxchecks=$2 + local interval=$3 + for ((i=1;i<=maxchecks;i++)); do + set +e + health_status=$(docker inspect --format '{{.State.Health.Status}}' "${ctr_name}" 2>/dev/null) + if [ "${health_status}" == "healthy" ]; then + return + else + log-debug "waiting for container ${ctr_name} to launch" + fi + set -e + + sleep "${interval}" + done + + fail-now "timed out waiting for ${ctr_name} to start" +} + docker-stop() { if [ $# -eq 0 ]; then log-debug "stopping services..." @@ -108,7 +132,7 @@ build-mashup-image() { ENVOY_IMAGE_TAG="${ENVOY_VERSION}-latest" cat > Dockerfile < Dockerfile < conf/upstream/server/federated-domain.test.bundle + + # On macOS, there can be a delay propagating the file on the bind mount to the other container + sleep 1 + docker-compose exec -T upstream-spire-server \ /opt/spire/bin/spire-server federation create \ -bundleEndpointProfile "https_spiffe" \ 
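Review bot: In the hunk at -241 the `k8s-workload-registrar` image stays on `gcr.io/spiffe-io` while only its tag moves to `1.5.1`, whereas the `spire-server` container in the same pod spec (hunk at -212) now pulls from `ghcr.io/spiffe`. If that split is intended, a short comment such as `# registrar image is still published on gcr.io` would stop readers from treating it as an oversight; otherwise the registry should match. Either way it is worth confirming that the `1.5.1` tag exists at the registry named, since an example manifest that references a missing tag fails only at pull time.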
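Review bot: `docker-wait-for-healthy` (hunk at -40 in test/integration/common) turns errexit off with `set +e` at the top of each iteration and returns from the healthy branch before reaching `set -e`, so on success errexit stays disabled for whatever runs next in that shell. Dropping the `set +e`/`set -e` pair and tolerating the inspect failure in place keeps the shell options untouched: `health_status=$(docker inspect --format '{{.State.Health.Status}}' "${ctr_name}" 2>/dev/null || true)`. `health_status` and `i` could also be declared `local` like the other variables in the function.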
@@ -32,6 +36,10 @@ setup-tests() { log-debug "bootstrapping bundle from upstream to downstream federated server..." docker-compose exec -T upstream-spire-server \ /opt/spire/bin/spire-server bundle show -format spiffe > conf/downstream-federated/server/domain.test.bundle + + # On macOS, there can be a delay propagating the file on the bind mount to the other container + sleep 1 + docker-compose exec -T downstream-federated-spire-server \ /opt/spire/bin/spire-server bundle set -format spiffe -id spiffe://domain.test -path /opt/spire/conf/server/domain.test.bundle diff --git a/test/integration/suites/envoy-sds-v3-spiffe-auth/Dockerfile b/test/integration/suites/envoy-sds-v3-spiffe-auth/Dockerfile index 1bf9c313e2..f7a74e6c29 100644 --- a/test/integration/suites/envoy-sds-v3-spiffe-auth/Dockerfile +++ b/test/integration/suites/envoy-sds-v3-spiffe-auth/Dockerfile @@ -1,4 +1,4 @@ -FROM spire-agent:latest-local as spire-agent +FROM spire-agent-scratch:latest-local as spire-agent FROM envoyproxy/envoy-alpine:v1.19.0 AS envoy-agent-mashup COPY --from=spire-agent /opt/spire/bin/spire-agent /opt/spire/bin/spire-agent diff --git a/test/integration/suites/envoy-sds-v3-spiffe-auth/docker-compose.yaml b/test/integration/suites/envoy-sds-v3-spiffe-auth/docker-compose.yaml index 61fa1b752c..4f2c7af485 100644 --- a/test/integration/suites/envoy-sds-v3-spiffe-auth/docker-compose.yaml +++ b/test/integration/suites/envoy-sds-v3-spiffe-auth/docker-compose.yaml @@ -1,13 +1,13 @@ version: '3' services: upstream-spire-server: - image: spire-server:latest-local + image: spire-server-scratch:latest-local hostname: upstream-spire-server volumes: - ./conf/upstream/server:/opt/spire/conf/server command: ["-config", "/opt/spire/conf/server/server.conf"] downstream-federated-spire-server: - image: spire-server:latest-local + image: spire-server-scratch:latest-local hostname: downstream-federated-spire-server volumes: - ./conf/downstream-federated/server:/opt/spire/conf/server 
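Review bot: The `sleep 1` added before `bundle set` in the hunk at -32 is a fixed delay, so it narrows the bind-mount race described in the comment without removing it, and it costs a second on hosts that never see the delay. Since `bundle set -path` presumably fails when the file is not yet visible in the container, retrying that call a bounded number of times until it succeeds would make the step deterministic. The same pattern is added twice in ghostunnel-federation/02-bootstrap-federation-and-agents. `setup-tests` starts and ends outside the hunk.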
diff --git a/test/integration/suites/envoy-sds-v3/docker-compose.yaml b/test/integration/suites/envoy-sds-v3/docker-compose.yaml index 3adb5163b8..c37ca50a9a 100644 --- a/test/integration/suites/envoy-sds-v3/docker-compose.yaml +++ b/test/integration/suites/envoy-sds-v3/docker-compose.yaml @@ -1,7 +1,7 @@ version: '3' services: spire-server: - image: spire-server:latest-local + image: spire-server-scratch:latest-local hostname: spire-server volumes: - ./conf/server:/opt/spire/conf/server diff --git a/test/integration/suites/evict-agent/docker-compose.yaml b/test/integration/suites/evict-agent/docker-compose.yaml index 0e67183c23..0e5b71f908 100644 --- a/test/integration/suites/evict-agent/docker-compose.yaml +++ b/test/integration/suites/evict-agent/docker-compose.yaml @@ -1,13 +1,13 @@ version: '3' services: spire-server: - image: spire-server:latest-local + image: spire-server-scratch:latest-local hostname: spire-server volumes: - ./conf/server:/opt/spire/conf/server command: ["-config", "/opt/spire/conf/server/server.conf"] spire-agent: - image: spire-agent:latest-local + image: spire-agent-scratch:latest-local hostname: spire-agent depends_on: ["spire-server"] volumes: diff --git a/test/integration/suites/fetch-x509-svids/docker-compose.yaml b/test/integration/suites/fetch-x509-svids/docker-compose.yaml index 0e67183c23..0e5b71f908 100644 --- a/test/integration/suites/fetch-x509-svids/docker-compose.yaml +++ b/test/integration/suites/fetch-x509-svids/docker-compose.yaml @@ -1,13 +1,13 @@ version: '3' services: spire-server: - image: spire-server:latest-local + image: spire-server-scratch:latest-local hostname: spire-server volumes: - ./conf/server:/opt/spire/conf/server command: ["-config", "/opt/spire/conf/server/server.conf"] spire-agent: - image: spire-agent:latest-local + image: spire-agent-scratch:latest-local hostname: spire-agent depends_on: ["spire-server"] volumes: 
diff --git a/test/integration/suites/ghostunnel-federation/02-bootstrap-federation-and-agents b/test/integration/suites/ghostunnel-federation/02-bootstrap-federation-and-agents index af78886ac4..ac5d224c63 100755 --- a/test/integration/suites/ghostunnel-federation/02-bootstrap-federation-and-agents +++ b/test/integration/suites/ghostunnel-federation/02-bootstrap-federation-and-agents @@ -13,11 +13,19 @@ docker-compose exec -T upstream-spire-server \ log-debug "bootstrapping bundle from downstream to upstream server..." docker-compose exec -T downstream-spire-server \ /opt/spire/bin/spire-server bundle show -format spiffe > conf/upstream/server/downstream-domain.test.bundle + +# On macOS, there can be a delay propagating the file on the bind mount to the other container +sleep 1 + docker-compose exec -T upstream-spire-server \ /opt/spire/bin/spire-server bundle set -format spiffe -id spiffe://downstream-domain.test -path /opt/spire/conf/server/downstream-domain.test.bundle log-debug "bootstrapping bundle from upstream to downstream server..." docker-compose exec -T upstream-spire-server \ /opt/spire/bin/spire-server bundle show -format spiffe > conf/downstream/server/upstream-domain.test.bundle + +# On macOS, there can be a delay propagating the file on the bind mount to the other container +sleep 1 + docker-compose exec -T downstream-spire-server \ /opt/spire/bin/spire-server bundle set -format spiffe -id spiffe://upstream-domain.test -path /opt/spire/conf/server/upstream-domain.test.bundle diff --git a/test/integration/suites/ghostunnel-federation/Dockerfile b/test/integration/suites/ghostunnel-federation/Dockerfile index fe7188cf5a..c5a6f66a56 100644 --- a/test/integration/suites/ghostunnel-federation/Dockerfile +++ b/test/integration/suites/ghostunnel-federation/Dockerfile @@ -1,4 +1,4 @@ -FROM spire-agent:latest-local as spire-agent +FROM spire-agent-scratch:latest-local as spire-agent FROM ghostunnel/ghostunnel:latest AS ghostunnel-latest 
diff --git a/test/integration/suites/ghostunnel-federation/docker-compose.yaml b/test/integration/suites/ghostunnel-federation/docker-compose.yaml index bdb531edae..fc15bb17ea 100644 --- a/test/integration/suites/ghostunnel-federation/docker-compose.yaml +++ b/test/integration/suites/ghostunnel-federation/docker-compose.yaml @@ -1,12 +1,12 @@ version: '3' services: upstream-spire-server: - image: spire-server:latest-local + image: spire-server-scratch:latest-local volumes: - ./conf/upstream/server:/opt/spire/conf/server command: ["-config", "/opt/spire/conf/server/server.conf"] downstream-spire-server: - image: spire-server:latest-local + image: spire-server-scratch:latest-local volumes: - ./conf/downstream/server:/opt/spire/conf/server command: ["-config", "/opt/spire/conf/server/server.conf"] diff --git a/test/integration/suites/join-token/docker-compose.yaml b/test/integration/suites/join-token/docker-compose.yaml index 6e2fc0c222..079cc5156c 100644 --- a/test/integration/suites/join-token/docker-compose.yaml +++ b/test/integration/suites/join-token/docker-compose.yaml @@ -1,17 +1,17 @@ version: '3' services: spire-server: - image: spire-server:latest-local + image: spire-server-scratch:latest-local volumes: - ./conf/server:/opt/spire/conf/server command: ["-config", "/opt/spire/conf/server/server.conf"] spire-agent: - image: spire-agent:latest-local + image: spire-agent-scratch:latest-local volumes: - ./conf/agent:/opt/spire/conf/agent command: ["-config", "/opt/spire/conf/agent/agent.conf"] bad-spire-agent: - image: spire-agent:latest-local + image: spire-agent-scratch:latest-local volumes: - ./conf/bad-agent:/opt/spire/conf/agent command: ["-config", "/opt/spire/conf/agent/agent.conf"] diff --git a/test/integration/suites/k8s-crd-mode/00-setup b/test/integration/suites/k8s-crd-mode/00-setup index fd0e7ed42b..f96e54ba9f 100755 --- a/test/integration/suites/k8s-crd-mode/00-setup +++ b/test/integration/suites/k8s-crd-mode/00-setup 
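Review bot: The rewritten k8s-crd-mode Dockerfile (hunk at -1,3) installs `dumb-init` but defines no `ENTRYPOINT`, and the new `alpine:3.17` base does not supply one. The image therefore only runs the agent if the pod spec sets `command` itself, and that manifest is not part of this hunk. If the image is meant to start the agent directly, an `ENTRYPOINT` line that wraps `/opt/spire/bin/spire-agent` in `dumb-init` should follow the `COPY`; if not, the `dumb-init` install can be dropped. The two `RUN apk add` lines can also be merged into `RUN apk add --no-cache dumb-init openssl` to save a layer.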
@@ -25,7 +25,7 @@ rm conf/kind-config.yaml.bak start-kind-cluster "${KIND_PATH}" k8stest ./conf/kind-config.yaml # Load the given images in the cluster. -container_images=("spire-server:latest-local" "spire-agent:latest-local" "k8s-workload-registrar:latest-local" "example-crd-agent:latest") +container_images=("spire-server-scratch:latest-local" "spire-agent-scratch:latest-local" "k8s-workload-registrar:latest-local" "example-crd-agent:latest") load-images "${KIND_PATH}" k8stest "${container_images[@]}" # Set the kubectl context. diff --git a/test/integration/suites/k8s-crd-mode/Dockerfile b/test/integration/suites/k8s-crd-mode/Dockerfile index d1e5437a43..5c129549d9 100644 --- a/test/integration/suites/k8s-crd-mode/Dockerfile +++ b/test/integration/suites/k8s-crd-mode/Dockerfile @@ -1,3 +1,6 @@ -FROM spire-agent:latest-local AS example-crd-agent +FROM alpine:3.17 AS example-crd-agent CMD [] +RUN apk add --no-cache --update dumb-init RUN apk add --no-cache --update openssl + +COPY --from=spire-agent-scratch:latest-local /opt/spire/bin/spire-agent /opt/spire/bin/spire-agent diff --git a/test/integration/suites/k8s-crd-mode/conf/agent/spire-agent.yaml b/test/integration/suites/k8s-crd-mode/conf/agent/spire-agent.yaml index ca5fa1f1c7..fc900c094c 100644 --- a/test/integration/suites/k8s-crd-mode/conf/agent/spire-agent.yaml +++ b/test/integration/suites/k8s-crd-mode/conf/agent/spire-agent.yaml 
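Review bot: The rebuilt `example-crd-agent` stage in k8s-crd-mode/Dockerfile installs `dumb-init` and copies in `spire-agent` but declares no `ENTRYPOINT` and keeps `CMD []`. Now that it no longer inherits from `spire-agent:latest-local`, the image itself has nothing to run. The nested-rotation and spire-server-cli Dockerfiles in this same patch both add an explicit entrypoint. If the manifests that use this image do not set a `command` (not visible here), add one such as `ENTRYPOINT ["/usr/bin/dumb-init", "/opt/spire/bin/spire-agent", "run"]`. The `dumb-init` path is my assumption for the Alpine package and should be checked.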
@@ -107,16 +107,9 @@ spec: hostNetwork: true dnsPolicy: ClusterFirstWithHostNet serviceAccountName: spire-agent - initContainers: - - name: init - # This is a small image with wait-for-it, choose whatever image - # you prefer that waits for a service to be up. This image is built - # from https://github.com/lqhl/wait-for-it - image: gcr.io/spiffe-io/wait-for-it - args: ["-t", "30", "spire-server:8081"] containers: - name: spire-agent - image: spire-agent:latest-local + image: spire-agent-scratch:latest-local imagePullPolicy: Never args: ["-config", "/run/spire/config/agent.conf"] volumeMounts: diff --git a/test/integration/suites/k8s-crd-mode/conf/server/spire-server.yaml b/test/integration/suites/k8s-crd-mode/conf/server/spire-server.yaml index 3ce724d952..bdbaec144d 100644 --- a/test/integration/suites/k8s-crd-mode/conf/server/spire-server.yaml +++ b/test/integration/suites/k8s-crd-mode/conf/server/spire-server.yaml @@ -211,7 +211,7 @@ spec: shareProcessNamespace: true containers: - name: spire-server - image: spire-server:latest-local + image: spire-server-scratch:latest-local imagePullPolicy: Never args: ["-config", "/run/spire/config/server.conf"] ports: diff --git a/test/integration/suites/k8s-reconcile/conf/agent/spire-agent.yaml b/test/integration/suites/k8s-reconcile/conf/agent/spire-agent.yaml index 7d77963bf7..86a830ffbb 100644 --- a/test/integration/suites/k8s-reconcile/conf/agent/spire-agent.yaml +++ b/test/integration/suites/k8s-reconcile/conf/agent/spire-agent.yaml @@ -111,13 +111,6 @@ spec: hostNetwork: true dnsPolicy: ClusterFirstWithHostNet serviceAccountName: spire-agent - initContainers: - - name: init - # This is a small image with wait-for-it, choose whatever image - # you prefer that waits for a service to be up. This image is built - # from https://github.com/lqhl/wait-for-it - image: gcr.io/spiffe-io/wait-for-it - args: ["-t", "30", "spire-server:8081"] containers: - name: spire-agent image: spire-agent-scratch:latest-local 
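Review bot: With the `init` container removed, nothing in this pod spec waits for `spire-server:8081` before `spire-agent` starts, here and in the k8s-reconcile `spire-agent.yaml` hunk that follows. If the suite now relies on the agent container being restarted until the server is reachable, say so above `containers:`, for example `# No init wait: the agent is expected to restart until spire-server:8081 is reachable`. The rest of the spec, including any probes, lies outside the hunk, so this may already be covered.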
diff --git a/test/integration/suites/nested-rotation/00-setup b/test/integration/suites/nested-rotation/00-setup index cb4f4eac10..8d8fb9f846 100755 --- a/test/integration/suites/nested-rotation/00-setup +++ b/test/integration/suites/nested-rotation/00-setup @@ -35,4 +35,4 @@ sed -i.bak "s#CGROUP_MATCHERS#$CGROUP_MATCHERS#" root/agent/agent.conf sed -i.bak "s#CGROUP_MATCHERS#$CGROUP_MATCHERS#" intermediateA/agent/agent.conf sed -i.bak "s#CGROUP_MATCHERS#$CGROUP_MATCHERS#" intermediateB/agent/agent.conf -docker build --target nested-agent -t nested-agent . +docker build --target nested-agent-alpine -t nested-agent-alpine . diff --git a/test/integration/suites/nested-rotation/Dockerfile b/test/integration/suites/nested-rotation/Dockerfile index ab6bb339d9..bf2c0aeaeb 100644 --- a/test/integration/suites/nested-rotation/Dockerfile +++ b/test/integration/suites/nested-rotation/Dockerfile @@ -1,3 +1,4 @@ -FROM spire-agent:latest-local AS nested-agent -CMD [] +FROM alpine:3.17 as nested-agent-alpine RUN apk add --no-cache --update openssl +COPY --from=spire-agent-scratch:latest-local /opt/spire/bin/spire-agent /opt/spire/bin/spire-agent +ENTRYPOINT ["/opt/spire/bin/spire-agent", "run"] diff --git a/test/integration/suites/nested-rotation/docker-compose.yaml b/test/integration/suites/nested-rotation/docker-compose.yaml index 16a75d201c..b89191c51f 100644 --- a/test/integration/suites/nested-rotation/docker-compose.yaml +++ b/test/integration/suites/nested-rotation/docker-compose.yaml @@ -2,7 +2,7 @@ version: '3' services: # Root root-server: - image: spire-server:latest-local + image: spire-server-scratch:latest-local hostname: root-server volumes: - ./root/server:/opt/spire/conf/server @@ -10,7 +10,7 @@ services: root-agent: # Share the host pid namespace so this agent can attest the intermediate servers pid: "host" - image: spire-agent:latest-local + image: spire-agent-scratch:latest-local depends_on: ["root-server"] hostname: root-agent volumes: 
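Review bot: `FROM alpine:3.17` in nested-rotation/Dockerfile tracks a mutable tag, and `apk add --no-cache --update openssl` takes whatever package version the mirror serves at build time. The stage that carries the agent binary under test can therefore differ between runs. Pinning the base by digest, `FROM alpine:3.17@sha256:<digest-placeholder> AS nested-agent-alpine`, keeps the test image reproducible. The same applies to the k8s-crd-mode and spire-server-cli Dockerfiles in this patch.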
@@ -23,7 +23,7 @@ services: intermediateA-server: # Share the host pid namespace so this server can be attested by the root agent pid: "host" - image: spire-server:latest-local + image: spire-server-scratch:latest-local hostname: intermediateA-server labels: # label to attest server against root-agent @@ -37,7 +37,7 @@ services: intermediateA-agent: # Share the host pid namespace so this agent can attest the leafA server pid: "host" - image: spire-agent:latest-local + image: nested-agent-alpine hostname: intermediateA-agent depends_on: ["intermediateA-server"] volumes: @@ -50,7 +50,7 @@ services: leafA-server: # Share the host pid namespace so this server can be attested by the intermediateA agent pid: "host" - image: spire-server:latest-local + image: spire-server-scratch:latest-local hostname: leafA-server labels: # Label to attest server against intermediateA-agent @@ -62,7 +62,7 @@ services: - ./leafA/server:/opt/spire/conf/server command: ["-config", "/opt/spire/conf/server/server.conf"] leafA-agent: - image: spire-agent:latest-local + image: nested-agent-alpine hostname: leafA-agent depends_on: ["intermediateA-server"] volumes: @@ -72,7 +72,7 @@ services: intermediateB-server: # Share the host pid namespace so this server can be attested by the root agent pid: "host" - image: spire-server:latest-local + image: spire-server-scratch:latest-local hostname: intermediateB-server depends_on: ["root-server","root-agent"] labels: @@ -86,7 +86,7 @@ services: intermediateB-agent: # Share the host pid namespace so this agent can attest the leafB server pid: "host" - image: nested-agent + image: nested-agent-alpine hostname: intermediateB-agent depends_on: ["intermediateB-server"] volumes: 
@@ -99,7 +99,7 @@ services: leafB-server: # Share the host pid namespace so this server can be attested by the intermediateB agent pid: "host" - image: spire-server:latest-local + image: spire-server-scratch:latest-local hostname: leafB-server depends_on: ["intermediateB-server","intermediateB-agent"] labels: @@ -111,7 +111,7 @@ services: - ./leafB/server:/opt/spire/conf/server command: ["-config", "/opt/spire/conf/server/server.conf"] leafB-agent: - image: nested-agent + image: nested-agent-alpine hostname: leafB-agent depends_on: ["leafB-server"] volumes: diff --git a/test/integration/suites/node-attestation/docker-compose.yaml b/test/integration/suites/node-attestation/docker-compose.yaml index 0e67183c23..0e5b71f908 100644 --- a/test/integration/suites/node-attestation/docker-compose.yaml +++ b/test/integration/suites/node-attestation/docker-compose.yaml @@ -1,13 +1,13 @@ version: '3' services: spire-server: - image: spire-server:latest-local + image: spire-server-scratch:latest-local hostname: spire-server volumes: - ./conf/server:/opt/spire/conf/server command: ["-config", "/opt/spire/conf/server/server.conf"] spire-agent: - image: spire-agent:latest-local + image: spire-agent-scratch:latest-local hostname: spire-agent depends_on: ["spire-server"] volumes: diff --git a/test/integration/suites/rotation/docker-compose.yaml b/test/integration/suites/rotation/docker-compose.yaml index 0e67183c23..0e5b71f908 100644 --- a/test/integration/suites/rotation/docker-compose.yaml +++ b/test/integration/suites/rotation/docker-compose.yaml @@ -1,13 +1,13 @@ version: '3' services: spire-server: - image: spire-server:latest-local + image: spire-server-scratch:latest-local hostname: spire-server volumes: - ./conf/server:/opt/spire/conf/server command: ["-config", "/opt/spire/conf/server/server.conf"] spire-agent: - image: spire-agent:latest-local + image: spire-agent-scratch:latest-local hostname: spire-agent depends_on: ["spire-server"] volumes: 
diff --git a/test/integration/suites/spire-server-cli/01-start-server b/test/integration/suites/spire-server-cli/01-start-server index 98d32c1a3d..2de2454a1c 100755 --- a/test/integration/suites/spire-server-cli/01-start-server +++ b/test/integration/suites/spire-server-cli/01-start-server @@ -1,4 +1,5 @@ #!/bin/bash +docker build --target spire-server-alpine -t spire-server-alpine . docker-up spire-server diff --git a/test/integration/suites/spire-server-cli/02-bundle b/test/integration/suites/spire-server-cli/02-bundle index c1cac754b9..3c879b9ab4 100755 --- a/test/integration/suites/spire-server-cli/02-bundle +++ b/test/integration/suites/spire-server-cli/02-bundle @@ -1,9 +1,5 @@ #!/bin/bash -# Install openssl -docker-compose exec -T spire-server \ - apk add --no-cache --update openssl - # Verify 'bundle count' correctly indicates a single bundle (the server bundle) docker-compose exec -T spire-server /opt/spire/bin/spire-server bundle count | grep 1 || fail-now "failed to count 1 bundle" diff --git a/test/integration/suites/spire-server-cli/Dockerfile b/test/integration/suites/spire-server-cli/Dockerfile new file mode 100644 index 0000000000..90e99ff13c --- /dev/null +++ b/test/integration/suites/spire-server-cli/Dockerfile @@ -0,0 +1,4 @@ +FROM alpine:3.17 AS spire-server-alpine +RUN apk add --no-cache --update openssl +COPY --from=spire-server-scratch:latest-local /opt/spire/bin/spire-server /opt/spire/bin/spire-server +ENTRYPOINT ["/opt/spire/bin/spire-server", "run"] diff --git a/test/integration/suites/spire-server-cli/docker-compose.yaml b/test/integration/suites/spire-server-cli/docker-compose.yaml index 701f8db2af..608e03432a 100644 --- a/test/integration/suites/spire-server-cli/docker-compose.yaml +++ b/test/integration/suites/spire-server-cli/docker-compose.yaml 
@@ -1,24 +1,24 @@ version: '3' services: spire-server: - image: spire-server:latest-local + image: spire-server-alpine hostname: spire-server volumes: - ./conf/server:/opt/spire/conf/server - ./conf/fixture:/opt/spire/conf/fixture command: ["-config", "/opt/spire/conf/server/server.conf"] spire-agent-1: - image: spire-agent:latest-local + image: spire-agent-scratch:latest-local volumes: - ./conf/agent-1:/opt/spire/conf/agent command: ["-config", "/opt/spire/conf/agent/agent.conf"] spire-agent-2: - image: spire-agent:latest-local + image: spire-agent-scratch:latest-local volumes: - ./conf/agent-2:/opt/spire/conf/agent command: ["-config", "/opt/spire/conf/agent/agent.conf"] spire-agent-3: - image: spire-agent:latest-local + image: spire-agent-scratch:latest-local volumes: - ./conf/agent-3:/opt/spire/conf/agent command: ["-config", "/opt/spire/conf/agent/agent.conf"] diff --git a/test/integration/suites/upgrade/00-setup b/test/integration/suites/upgrade/00-setup index a96c14e64d..f2fefdd432 100755 --- a/test/integration/suites/upgrade/00-setup +++ b/test/integration/suites/upgrade/00-setup @@ -13,9 +13,16 @@ make-service() { local _version=$2 cat <> docker-compose.yaml spire-server-${_version}: + container_name: spire-server-${_version} image: ${_registry}spire-server:${_version} hostname: spire-server user: "${UID}" + healthcheck: + # TODO: Use default socket path in 1.7.0 + test: ["CMD", "/opt/spire/bin/spire-server", "healthcheck", "-socketPath", "/opt/spire/data/server/socket/api.sock"] + interval: 1s + timeout: 3s + retries: 15 networks: our-network: aliases: 
@@ -25,9 +32,16 @@ cat <> docker-compose.yaml - ./conf/server:/opt/spire/conf/server command: ["-config", "/opt/spire/conf/server/server.conf"] spire-agent-${_version}: + container_name: spire-agent-${_version} image: ${_registry}spire-agent:${_version} hostname: spire-agent user: "${UID}" + healthcheck: + # TODO: Use default socket path in 1.7.0 + test: ["CMD", "/opt/spire/bin/spire-agent", "healthcheck", "-socketPath", "/opt/spire/data/agent/socket/api.sock"] + interval: 1s + timeout: 3s + retries: 15 networks: - our-network volumes: @@ -51,5 +65,5 @@ EOF make-service "" latest-local while read -r version; do - make-service gcr.io/spiffe-io/ "${version}" + make-service ghcr.io/spiffe/ "${version}" done < versions.txt diff --git a/test/integration/suites/upgrade/01-run-upgrade-tests b/test/integration/suites/upgrade/01-run-upgrade-tests index bd12fdabaf..449d514b3c 100755 --- a/test/integration/suites/upgrade/01-run-upgrade-tests +++ b/test/integration/suites/upgrade/01-run-upgrade-tests 
@@ -8,26 +8,36 @@ # something else to create the directory first). start-old-server() { - log-info "bringing up $1 agent..." - docker-up "spire-server-$1" + local _maxchecks=15 + local _interval=1 + log-info "bringing up $1 server..." + local ctr_name="spire-server-$1" + docker-up "${ctr_name}" + docker-wait-for-healthy "${ctr_name}" "${_maxchecks}" "${_interval}" } bootstrap-agent() { - log-debug "bootstrapping $1 agent..." + # TODO: Remove -socketPath argument in 1.7.0 and rely on the default socket path docker-compose exec -T "spire-server-$1" \ /opt/spire/bin/spire-server bundle show \ - > conf/agent/bootstrap.crt + -socketPath /opt/spire/data/server/socket/api.sock > conf/agent/bootstrap.crt } start-old-agent() { + local _maxchecks=15 + local _interval=1 log-info "bringing up $1 agent..." - docker-up "spire-agent-$1" + local ctr_name="spire-agent-$1" + docker-up "${ctr_name}" + docker-wait-for-healthy "${ctr_name}" "${_maxchecks}" "${_interval}" } create-registration-entry() { log-debug "creating registration entry..." + # TODO: Remove -socketPath argument in 1.7.0 and rely on the default socket path docker-compose exec -T "spire-server-$1" \ /opt/spire/bin/spire-server entry create \ + -socketPath /opt/spire/data/server/socket/api.sock \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/workload" \ -selector "unix:uid:${UID}" \ 
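Review bot: In `bootstrap-agent` the `log-debug "bootstrapping $1 agent..."` line is replaced by the TODO comment rather than kept beside it. That step no longer appears in the test log, while `create-registration-entry` in the same hunk keeps its `log-debug` and adds the TODO after it. Restoring the line looks intended. The redirect into `conf/agent/bootstrap.crt` also has no failure check, unlike the `|| fail-now "SVID check failed"` calls later in this file. Unless the script runs under `set -e` (not visible here), appending `|| fail-now "failed to fetch bootstrap bundle"` would stop the test before an empty trust bundle is handed to the agent.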
@@ -52,14 +62,18 @@ check-old-agent-svid() { log-info "checking X509-SVID on $1 agent..." docker-compose exec -T "spire-agent-$1" \ /opt/spire/bin/spire-agent api fetch x509 \ - -socketPath /tmp/agent.sock \ + -socketPath /opt/spire/data/agent/socket/api.sock \ -write /opt/test/before-server-upgrade || fail-now "SVID check failed" } upgrade-server() { + local _maxchecks=15 + local _interval=1 log-info "upgrading $1 server to latest..." docker-stop "spire-server-$1" - docker-up spire-server-latest-local + local new_ctr_name="spire-server-latest-local" + docker-up "${new_ctr_name}" + docker-wait-for-healthy "${new_ctr_name}" "${_maxchecks}" "${_interval}" check-codebase-version-is-ahead "$1" } @@ -84,9 +98,10 @@ check-old-agent-svid-after-upgrade() { for ((i=1;i<=_maxchecks;i++)); do log-info "checking X509-SVID after server upgrade ($i of $_maxchecks max)..." + # TODO: Remove -socketPath argument in 1.7.0 and rely on the default socket path docker-compose exec -T "spire-agent-$1" \ /opt/spire/bin/spire-agent api fetch x509 \ - -socketPath /tmp/agent.sock \ + -socketPath /opt/spire/data/agent/socket/api.sock \ -write /opt/test/after-server-upgrade || fail-now "SVID check failed" if ! cmp --silent svids/before-server-upgrade/svid.0.pem svids/after-server-upgrade/svid.0.pem; then # SVID has rotated @@ -98,9 +113,13 @@ check-old-agent-svid-after-upgrade() { } upgrade-agent() { + local _maxchecks=15 + local _interval=1 log-info "upgrading $1 agent to latest..." docker-stop "spire-agent-$1" - docker-up spire-agent-latest-local + local new_ctr_name="spire-agent-latest-local" + docker-up "${new_ctr_name}" + docker-wait-for-healthy "${new_ctr_name}" "${_maxchecks}" "${_interval}" } stop-and-evict-agent() { 
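Review bot: `upgrade-server` declares `local _maxchecks=15` and `local _interval=1` only to pass them to `docker-wait-for-healthy`. The same two lines are repeated in `start-old-server`, `start-old-agent` and `upgrade-agent` in this patch, and the values mirror the `retries: 15` and `interval: 1s` healthcheck settings generated in 00-setup. A single pair of file-level constants, e.g. `HEALTHY_MAXCHECKS=15` and `HEALTHY_INTERVAL=1` with a comment tying them to the compose healthcheck, would keep the four call sites from drifting apart. The new locals also mix `_maxchecks` with un-prefixed `new_ctr_name`, so pick one convention.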
@@ -108,8 +127,10 @@ stop-and-evict-agent() { docker-stop "spire-agent-$1" log-info "evicting agent..." + # TODO: Remove -socketPath argument in 1.7.0 and rely on the default socket path docker-compose exec -T "spire-server-$1" \ /opt/spire/bin/spire-server agent evict \ + -socketPath /opt/spire/data/server/socket/api.sock \ -spiffeID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" rm -rf shared/agent-data/* @@ -117,9 +138,10 @@ stop-and-evict-agent() { check-new-agent-svid-after-upgrade() { log-info "checking X509-SVID after agent upgrade..." + # TODO: Remove -socketPath argument in 1.7.0 and rely on the default socket path docker-compose exec -T spire-agent-latest-local \ /opt/spire/bin/spire-agent api fetch x509 \ - -socketPath /tmp/agent.sock \ + -socketPath /opt/spire/data/agent/socket/api.sock \ -write /opt/test/after-agent-upgrade || fail-now "SVID check failed" # SVIDs are cached in agent memory only. As the agent was restarted, there diff --git a/test/integration/suites/upgrade/conf/agent/agent.conf b/test/integration/suites/upgrade/conf/agent/agent.conf index 65d9b06f0c..a30c89f0ad 100644 --- a/test/integration/suites/upgrade/conf/agent/agent.conf +++ b/test/integration/suites/upgrade/conf/agent/agent.conf @@ -3,7 +3,7 @@ agent { log_level = "DEBUG" server_address = "spire-server" server_port = "8081" - socket_path ="/tmp/agent.sock" + socket_path ="/opt/spire/data/agent/socket/api.sock" # TODO: Use default socket path in 1.7.0 trust_bundle_path = "/opt/spire/conf/agent/bootstrap.crt" trust_domain = "domain.test" } diff --git a/test/integration/suites/upgrade/conf/server/server.conf b/test/integration/suites/upgrade/conf/server/server.conf index 8ba8220f11..b355511770 100644 --- a/test/integration/suites/upgrade/conf/server/server.conf +++ b/test/integration/suites/upgrade/conf/server/server.conf 
@@ -4,8 +4,9 @@ server { trust_domain = "domain.test" data_dir = "/opt/spire/data/server" log_level = "DEBUG" - ca_ttl = "1m" + ca_ttl = "1m" default_svid_ttl = "10s" # TODO: Update to use default_x509_svid_ttl in 1.6.0. + socket_path = "/opt/spire/data/server/socket/api.sock" # TODO: Remove this in 1.7.0 and rely on the default socket path } plugins { @@ -17,12 +18,12 @@ plugins { } NodeAttestor "x509pop" { plugin_data { - ca_bundle_path = "/opt/spire/conf/server/agent-cacert.pem" - } + ca_bundle_path = "/opt/spire/conf/server/agent-cacert.pem" + } } KeyManager "disk" { plugin_data = { - keys_path = "/opt/spire/data/server/keys.json" - } + keys_path = "/opt/spire/data/server/keys.json" + } } } diff --git a/test/integration/suites/upstream-authority-cert-manager/00-setup-kind b/test/integration/suites/upstream-authority-cert-manager/00-setup-kind index dd9b06d897..d208323e0a 100755 --- a/test/integration/suites/upstream-authority-cert-manager/00-setup-kind +++ b/test/integration/suites/upstream-authority-cert-manager/00-setup-kind @@ -17,7 +17,7 @@ download-kubectl "${KUBECTL_PATH}" start-kind-cluster "${KIND_PATH}" cert-manager-test ./conf/kind-config.yaml # Load the given images in the cluster. -container_images=("spire-server:latest-local") +container_images=("spire-server-scratch:latest-local") load-images "${KIND_PATH}" cert-manager-test "${container_images[@]}" # Set the kubectl context. diff --git a/test/integration/suites/upstream-authority-cert-manager/03-verify-ca b/test/integration/suites/upstream-authority-cert-manager/03-verify-ca index b971f4726e..eae1ebca2c 100755 --- a/test/integration/suites/upstream-authority-cert-manager/03-verify-ca +++ b/test/integration/suites/upstream-authority-cert-manager/03-verify-ca 
@@ -13,10 +13,18 @@ expLeafURI="URI:spiffe://example.org/ns/foo/sa/bar" log-debug "verifying CA..." -./bin/kubectl exec -n spire $(./bin/kubectl get pod -n spire -o name) -- /opt/spire/bin/spire-server x509 mint -spiffeID spiffe://example.org/ns/foo/sa/bar -write . -leafURIResult=$(./bin/kubectl exec -n spire $(./bin/kubectl get pod -n spire -o name) -- cat svid.pem | openssl x509 -noout -text | grep URI | sed 's/^ *//g') -leafIssuerResult=$(./bin/kubectl exec -n spire $(./bin/kubectl get pod -n spire -o name) -- cat svid.pem | openssl x509 -noout -issuer) -caSubjectResult=$(./bin/kubectl exec -n spire $(./bin/kubectl get pod -n spire -o name) -- cat bundle.pem | openssl x509 -noout -subject) +mintx509svid_out=mintx509svid-out.txt +./bin/kubectl exec -n spire $(./bin/kubectl get pod -n spire -o name) -- /opt/spire/bin/spire-server x509 mint -spiffeID spiffe://example.org/ns/foo/sa/bar > $mintx509svid_out + +svid=svid.pem +sed -n '/-----BEGIN CERTIFICATE-----/,/^$/{/^$/q; p;}' $mintx509svid_out > $svid + +bundle=bundle.pem +sed -n '/Root CAs:/,/^$/p' $mintx509svid_out | sed -n '/-----BEGIN CERTIFICATE-----/,/^$/{/^$/q; p;}' > $bundle + +leafURIResult=$(openssl x509 -noout -text -in $svid | grep URI | sed 's/^ *//g') +leafIssuerResult=$(openssl x509 -noout -issuer -in $svid) +caSubjectResult=$(openssl x509 -noout -subject -in $bundle) if [ $(openssl version | awk '{print $1}') == 'LibreSSL' ]; then expLeafIssuer=$expLeafIssuerLibreSSL diff --git a/test/integration/suites/upstream-authority-cert-manager/conf/server/spire-server.yaml b/test/integration/suites/upstream-authority-cert-manager/conf/server/spire-server.yaml index c8bfa4c394..4311386abf 100644 --- a/test/integration/suites/upstream-authority-cert-manager/conf/server/spire-server.yaml +++ b/test/integration/suites/upstream-authority-cert-manager/conf/server/spire-server.yaml 
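Review bot: The full `x509 mint` output is now redirected to `mintx509svid-out.txt` in the working directory with default permissions and is not removed in this hunk. As far as I know, `mint` without `-write` prints the private key alongside the SVID and root CAs, so the key ends up on the host and in any collected test artifacts. Using `mintx509svid_out=$(mktemp)` together with `trap 'rm -f "$mintx509svid_out"' EXIT` keeps it owner-only and cleans it up. The `$mintx509svid_out`, `$svid` and `$bundle` expansions should be quoted. The exit status of the `kubectl exec` is also not checked before the `sed` extraction, so a failed mint only surfaces later as an `openssl` parse error.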
@@ -119,7 +119,7 @@ spec: shareProcessNamespace: true containers: - name: spire-server - image: spire-server:latest-local + image: spire-server-scratch:latest-local imagePullPolicy: Never args: ["-config", "/run/spire/config/server.conf"] ports: From fd38fb011793dc41286ac7500809eeaad4aa456b Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Thu, 15 Dec 2022 21:47:27 -0300 Subject: [PATCH 219/257] fixed go mod Signed-off-by: Willian Alves --- go.mod | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 5c6b84ebfa..3c5f0d55c9 100644 --- a/go.mod +++ b/go.mod @@ -66,8 +66,8 @@ require ( github.com/stretchr/testify v1.8.1 github.com/uber-go/tally/v4 v4.1.3 github.com/zeebo/errs v1.3.0 - golang.org/x/crypto v0.3.0 - golang.org/x/net v0.2.0 + golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa + golang.org/x/net v0.4.0 golang.org/x/sync v0.1.0 golang.org/x/sys v0.3.0 golang.org/x/time v0.3.0 @@ -332,10 +332,10 @@ require ( go.uber.org/multierr v1.8.0 // indirect go.uber.org/zap v1.23.0 // indirect golang.org/x/exp v0.0.0-20220823124025-807a23277127 // indirect - golang.org/x/mod v0.6.0 // indirect - golang.org/x/oauth2 v0.2.0 // indirect - golang.org/x/term v0.2.0 // indirect - golang.org/x/text v0.4.0 // indirect + golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect + golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 // indirect + golang.org/x/term v0.3.0 // indirect + golang.org/x/text v0.5.0 // indirect golang.org/x/tools v0.1.12 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect From eaf5c50a7d62f829d74620db77a14f627eb382e2 Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Fri, 16 Dec 2022 09:11:32 -0300 Subject: [PATCH 220/257] Adjusting on go.mod Signed-off-by: Willian Alves --- go.mod | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index afd5f3df9e..f383d20184 100644 
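Review bot: In the "fixed go mod" patch the direct requirement on `golang.org/x/crypto` moves from the tagged `v0.3.0` to the older pseudo-version `v0.0.0-20220722155217-630584e8d5aa`, and the second go.mod hunk does the same to `golang.org/x/mod` and `golang.org/x/oauth2`. Under this commit the build may resolve an older crypto module than before, unless another dependency still requires `v0.3.0`, which is not visible here. The next patch in the series puts all three back. Squashing the two would keep every commit on the tagged versions and avoid a bisect landing on the downgrade.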
--- a/go.mod +++ b/go.mod @@ -66,7 +66,7 @@ require ( github.com/stretchr/testify v1.8.1 github.com/uber-go/tally/v4 v4.1.4 github.com/zeebo/errs v1.3.0 - golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa + golang.org/x/crypto v0.3.0 golang.org/x/net v0.4.0 golang.org/x/sync v0.1.0 golang.org/x/sys v0.3.0 @@ -332,8 +332,8 @@ require ( go.uber.org/multierr v1.8.0 // indirect go.uber.org/zap v1.23.0 // indirect golang.org/x/exp v0.0.0-20220823124025-807a23277127 // indirect - golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect - golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 // indirect + golang.org/x/mod v0.6.0 // indirect + golang.org/x/oauth2 v0.2.0 // indirect golang.org/x/term v0.3.0 // indirect golang.org/x/text v0.5.0 // indirect golang.org/x/tools v0.1.12 // indirect From 66b9b6606c694fd9e36f202be806cc5627e18a4b Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Fri, 16 Dec 2022 11:36:14 -0300 Subject: [PATCH 221/257] adjust *.md Signed-off-by: Willian Alves --- doc/plugin_agent_workloadattestor_k8s.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index f0aaa34eaa..5dbf0261e5 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md @@ -78,7 +78,7 @@ since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/cre > **Note** The sigstore project contains a transparency log called Rekor that provides an immutable, tamper-resistant ledger to record signed metadata to an immutable record. While it is possible to run your own instance, a public instance of rekor is available at `https://rekor.sigstore.dev/`. -### Sigstore workload attestor for SPIRE +## Sigstore workload attestor for SPIRE #### Platform support From f81bdcc680f27bfd39e016c688d22d489525e5ea Mon Sep 17 00:00:00 2001 
From: Willian Alves Date: Fri, 16 Dec 2022 12:02:04 -0300 Subject: [PATCH 222/257] adjust *.md Signed-off-by: Willian Alves --- doc/plugin_agent_workloadattestor_k8s.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index 5dbf0261e5..a496abfd22 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md @@ -80,7 +80,7 @@ since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/cre ## Sigstore workload attestor for SPIRE -#### Platform support +### Platform support This capability is only supported on Unix systems. From 66d3b011ff29e2da8c70579b31f9fa5273d7ea17 Mon Sep 17 00:00:00 2001 From: Willian Alves Date: Fri, 16 Dec 2022 14:39:09 -0300 Subject: [PATCH 223/257] adjust *.md Signed-off-by: Willian Alves --- doc/plugin_agent_workloadattestor_k8s.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index a496abfd22..7a13cacc10 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md 
@@ -72,9 +72,13 @@ since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/cre | `rekor_url` | The rekor URL to use with cosign. Required. See notes below. | | `enforce_sct` | A boolean to be set to false in case of a private deployment, not using public CT | -> **Note** Cosign discourages the use of image tags for referencing docker images, and this plugin does not support attestation of sigstore selectors for workloads running on containers using tag-referenced images, which will then fail attestation for both sigstore and k8s selectors. In cases where this is necessary, add the digest string for the image in the `skip_signature_verification_image_list` setting (eg. `"sha256:abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"`). Note that sigstore signature attestation will still not be performed, but this will allow k8s selectors to be returned, along with the `"k8s:sigstore-validation:passed"` selector. +> **Note** Cosign discourages the use of image tags for referencing docker images, and this plugin does not support attestation of sigstore selectors for workloads running on containers using tag-referenced images, which will then fail attestation for both sigstore and k8s selectors. In cases where this is necessary, add the digest string for the image in the `skip_signature_verification_image_list` setting (eg. `"sha256:abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"`). Note that sigstore signature attestation will still not be performed, but this will allow k8s selectors to be returned, along with the `"k8s:sigstore-validation:passed"` selector. -> **Note** Since the SPIRE Agent can also go through workload attestation, it will also need to be included in the skip list if either its image is not signed or has a digest reference string. 
+ + +> **Note** Since the SPIRE Agent can also go through workload attestation, it will also need to be included in the skip list if either its image is not signed or has a digest reference string. + + > **Note** The sigstore project contains a transparency log called Rekor that provides an immutable, tamper-resistant ledger to record signed metadata to an immutable record. While it is possible to run your own instance, a public instance of rekor is available at `https://rekor.sigstore.dev/`. From 265290f3ceedf165caaaed75cb60c28ab701d3e6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 16 Dec 2022 15:52:34 -0300 Subject: [PATCH 224/257] Bump k8s.io/api from 0.25.4 to 0.26.0 (#3692) * Bump k8s.io/api from 0.25.4 to 0.26.0 Bumps [k8s.io/api](https://github.com/kubernetes/api) from 0.25.4 to 0.26.0. - [Release notes](https://github.com/kubernetes/api/releases) - [Commits](https://github.com/kubernetes/api/compare/v0.25.4...v0.26.0) --- updated-dependencies: - dependency-name: k8s.io/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 10 ++++---- go.sum | 24 +++++++++---------- .../mode-crd/controllers/utils.go | 2 +- 3 files changed, 18 insertions(+), 18 deletions(-) diff --git a/go.mod b/go.mod index 6a94802c1c..746213b00f 100644 --- a/go.mod +++ b/go.mod @@ -72,11 +72,11 @@ require ( google.golang.org/grpc v1.51.0 google.golang.org/protobuf v1.28.1 gopkg.in/square/go-jose.v2 v2.6.0 - k8s.io/api v0.25.4 - k8s.io/apimachinery v0.25.4 + k8s.io/api v0.26.0 + k8s.io/apimachinery v0.26.0 k8s.io/client-go v0.25.4 k8s.io/kube-aggregator v0.23.3 - k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed + k8s.io/utils v0.0.0-20221107191617-1a15be271d1d sigs.k8s.io/controller-runtime v0.13.1 ) 
@@ -215,8 +215,8 @@ require ( gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/apiextensions-apiserver v0.25.0 // indirect k8s.io/component-base v0.25.0 // indirect - k8s.io/klog/v2 v2.70.1 // indirect - k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect + k8s.io/klog/v2 v2.80.1 // indirect + k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect sigs.k8s.io/yaml v1.3.0 // indirect diff --git a/go.sum b/go.sum index 47f69473e5..3be42e4ff4 100644 --- a/go.sum +++ b/go.sum @@ -1006,11 +1006,11 @@ github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= -github.com/onsi/ginkgo/v2 v2.1.6 h1:Fx2POJZfKRQcM1pH49qSZiYeu319wji004qX+GDovrU= +github.com/onsi/ginkgo/v2 v2.4.0 h1:+Ig9nvqgS5OBSACXNk15PLdp0U9XPYROt9CFzVdFGIs= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q= +github.com/onsi/gomega v1.23.0 h1:/oxKu9c2HVap+F3PfKort2Hw5DEU+HGlW8n+tguWsys= github.com/open-policy-agent/opa v0.47.3 h1:Uj8zw+q6Cvv1iiQFh704Q6sl3fKVvk35WZNJLsd6mgk= github.com/open-policy-agent/opa v0.47.3/go.mod h1:I5DbT677OGqfk9gvu5i54oIt0rrVf4B5pedpqDquAXo= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= 
@@ -1912,13 +1912,13 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= k8s.io/api v0.23.3/go.mod h1:w258XdGyvCmnBj/vGzQMj6kzdufJZVUwEM1U2fRJwSQ= -k8s.io/api v0.25.4 h1:3YO8J4RtmG7elEgaWMb4HgmpS2CfY1QlaOz9nwB+ZSs= -k8s.io/api v0.25.4/go.mod h1:IG2+RzyPQLllQxnhzD8KQNEu4c4YvyDTpSMztf4A0OQ= +k8s.io/api v0.26.0 h1:IpPlZnxBpV1xl7TGk/X6lFtpgjgntCg8PJ+qrPHAC7I= +k8s.io/api v0.26.0/go.mod h1:k6HDTaIFC8yn1i6pSClSqIwLABIcLV9l5Q4EcngKnQg= k8s.io/apiextensions-apiserver v0.25.0 h1:CJ9zlyXAbq0FIW8CD7HHyozCMBpDSiH7EdrSTCZcZFY= k8s.io/apiextensions-apiserver v0.25.0/go.mod h1:3pAjZiN4zw7R8aZC5gR0y3/vCkGlAjCazcg1me8iB/E= k8s.io/apimachinery v0.23.3/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM= -k8s.io/apimachinery v0.25.4 h1:CtXsuaitMESSu339tfhVXhQrPET+EiWnIY1rcurKnAc= -k8s.io/apimachinery v0.25.4/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo= +k8s.io/apimachinery v0.26.0 h1:1feANjElT7MvPqp0JT6F3Ss6TWDwmcjLypwoPpEf7zg= +k8s.io/apimachinery v0.26.0/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74= k8s.io/apiserver v0.23.3/go.mod h1:3HhsTmC+Pn+Jctw+Ow0LHA4dQ4oXrQ4XJDzrVDG64T4= k8s.io/client-go v0.23.3/go.mod h1:47oMd+YvAOqZM7pcQ6neJtBiFH7alOyfunYN48VsmwE= k8s.io/client-go v0.25.4 h1:3RNRDffAkNU56M/a7gUfXaEzdhZlYhoW8dgViGy5fn8= 
@@ -1931,17 +1931,17 @@ k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAE k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/klog/v2 v2.70.1 h1:7aaoSdahviPmR+XkS7FyxlkkXs6tHISSG03RxleQAVQ= -k8s.io/klog/v2 v2.70.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4= +k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-aggregator v0.23.3 h1:9IP+D+YzIbGor/TArN3pYf9Thj19wYhzLRGRrFaKFSs= k8s.io/kube-aggregator v0.23.3/go.mod h1:pt5QJ3QaIdhZzNlUvN5wndbM0LNT4BvhszGkzy2QdFo= k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk= -k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 h1:MQ8BAZPZlWk3S9K4a9NCkIFQtZShWqoha7snGixVgEA= -k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU= +k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E= +k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed h1:jAne/RjBTyawwAy0utX5eqigAwz/lQhTmy+Hr/Cpue4= -k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20221107191617-1a15be271d1d h1:0Smp/HP1OH4Rvhe+4B8nWGERtlqAGSftbSbbmm45oFs= +k8s.io/utils v0.0.0-20221107191617-1a15be271d1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= rsc.io/binaryregexp v0.2.0/go.mod 
h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= diff --git a/support/k8s/k8s-workload-registrar/mode-crd/controllers/utils.go b/support/k8s/k8s-workload-registrar/mode-crd/controllers/utils.go index 66b7bf6763..804c539625 100644 --- a/support/k8s/k8s-workload-registrar/mode-crd/controllers/utils.go +++ b/support/k8s/k8s-workload-registrar/mode-crd/controllers/utils.go @@ -77,7 +77,7 @@ func setOwnerRef(owner metav1.Object, spiffeID *spiffeidv1beta1.SpiffeID, scheme if ownerRef == nil { return err } - ownerRef.BlockOwnerDeletion = pointer.BoolPtr(false) + ownerRef.BlockOwnerDeletion = pointer.Bool(false) return nil } From 9ab77cc00e504b6486e655d704c816c7a39f260b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 16 Dec 2022 16:52:46 -0300 Subject: [PATCH 225/257] Bump cloud.google.com/go/iam from 0.8.0 to 0.9.0 (#3703) * Bump cloud.google.com/go/iam from 0.8.0 to 0.9.0 Bumps [cloud.google.com/go/iam](https://github.com/googleapis/google-cloud-go) from 0.8.0 to 0.9.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/v0.8.0...v0.9.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/iam dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] --- go.mod | 8 ++++---- go.sum | 14 ++++++++------ .../plugin/svidstore/gcpsecretmanager/client.go | 2 +- .../plugin/svidstore/gcpsecretmanager/gcloud.go | 10 +++++----- .../svidstore/gcpsecretmanager/gcloud_test.go | 2 +- pkg/server/plugin/keymanager/gcpkms/client.go | 2 +- pkg/server/plugin/keymanager/gcpkms/client_fake.go | 2 +- pkg/server/plugin/keymanager/gcpkms/gcpkms.go | 2 +- 8 files changed, 22 insertions(+), 20 deletions(-) diff --git a/go.mod b/go.mod index 746213b00f..a3e3f22c76 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/spiffe/spire go 1.19 require ( - cloud.google.com/go/iam v0.8.0 + cloud.google.com/go/iam v0.9.0 cloud.google.com/go/kms v1.7.0 cloud.google.com/go/secretmanager v1.9.0 cloud.google.com/go/security v1.10.0 @@ -68,7 +68,7 @@ require ( golang.org/x/sys v0.3.0 golang.org/x/time v0.3.0 google.golang.org/api v0.103.0 - google.golang.org/genproto v0.0.0-20221201164419-0e50fba7f41c + google.golang.org/genproto v0.0.0-20221205194025-8222ab48f5fc google.golang.org/grpc v1.51.0 google.golang.org/protobuf v1.28.1 gopkg.in/square/go-jose.v2 v2.6.0 @@ -81,8 +81,8 @@ require ( ) require ( - cloud.google.com/go v0.105.0 // indirect - cloud.google.com/go/compute v1.12.1 // indirect + cloud.google.com/go v0.107.0 // indirect + cloud.google.com/go/compute v1.13.0 // indirect cloud.google.com/go/compute/metadata v0.2.1 // indirect cloud.google.com/go/longrunning v0.3.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect diff --git a/go.sum b/go.sum index 3be42e4ff4..b35665ae5a 100644 --- a/go.sum +++ b/go.sum 
@@ -30,8 +30,9 @@ cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w9 cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc= cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU= cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRYtA= -cloud.google.com/go v0.105.0 h1:DNtEKRBAAzeS4KyIory52wWHuClNaXJ5x1F7xa4q+5Y= cloud.google.com/go v0.105.0/go.mod h1:PrLgOJNe5nfE9UMxKxgXj4mD3voiP+YQ6gdt6KMFOKM= +cloud.google.com/go v0.107.0 h1:qkj22L7bgkl6vIeZDlOY2po43Mx/TIa2Wsa7VR+PEww= +cloud.google.com/go v0.107.0/go.mod h1:wpc2eNrD7hXUTy8EKS10jkxpZBjASrORK7goS+3YX2I= cloud.google.com/go/accessapproval v1.4.0/go.mod h1:zybIuC3KpDOvotz59lFe5qxRZx6C75OtwbisN56xYB4= cloud.google.com/go/accesscontextmanager v1.3.0/go.mod h1:TgCBehyr5gNMz7ZaH9xubp+CE8dkrszb4oK9CWyvD4o= cloud.google.com/go/aiplatform v1.22.0/go.mod h1:ig5Nct50bZlzV6NvKaTwmplLLddFx0YReh9WfTO5jKw= @@ -88,8 +89,9 @@ cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLq cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U= cloud.google.com/go/compute v1.10.0/go.mod h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOtRsugnLrlU= cloud.google.com/go/compute v1.12.0/go.mod h1:e8yNOBcBONZU1vJKCvCoDw/4JQsA0dpM4x/6PIIOocU= -cloud.google.com/go/compute v1.12.1 h1:gKVJMEyqV5c/UnpzjjQbo3Rjvvqpr9B1DFSbJC4OXr0= cloud.google.com/go/compute v1.12.1/go.mod h1:e8yNOBcBONZU1vJKCvCoDw/4JQsA0dpM4x/6PIIOocU= +cloud.google.com/go/compute v1.13.0 h1:AYrLkB8NPdDRslNp4Jxmzrhdr03fUAIDbiGFjLWowoU= +cloud.google.com/go/compute v1.13.0/go.mod h1:5aPTS0cUNMIc1CE546K+Th6weJUNQErARyZtRXDJ8GE= cloud.google.com/go/compute/metadata v0.1.0/go.mod h1:Z1VN+bulIf6bt4P/C37K4DyZYZEXYonfTBHHFPO/4UU= cloud.google.com/go/compute/metadata v0.2.1 h1:efOwf5ymceDhK6PKMnnrTHP4pppY5L22mle96M1yP48= cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM= 
@@ -151,8 +153,8 @@ cloud.google.com/go/gsuiteaddons v1.3.0/go.mod h1:EUNK/J1lZEZO8yPtykKxLXI6JSVN2r cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= cloud.google.com/go/iam v0.5.0/go.mod h1:wPU9Vt0P4UmCux7mqtRu6jcpPAb74cP1fh50J3QpkUc= cloud.google.com/go/iam v0.6.0/go.mod h1:+1AH33ueBne5MzYccyMHtEKqLE4/kJOibtffMHDMFMc= -cloud.google.com/go/iam v0.8.0 h1:E2osAkZzxI/+8pZcxVLcDtAQx/u+hZXVryUaYQ5O0Kk= -cloud.google.com/go/iam v0.8.0/go.mod h1:lga0/y3iH6CX7sYqypWJ33hf7kkfXJag67naqGESjkE= +cloud.google.com/go/iam v0.9.0 h1:bK6Or6mxhuL8lnj1i9j0yMo2wE/IeTO2cWlfUrf/TZs= +cloud.google.com/go/iam v0.9.0/go.mod h1:nXAECrMt2qHpF6RZUZseteD6QyanL68reN4OXPw0UWM= cloud.google.com/go/iap v1.4.0/go.mod h1:RGFwRJdihTINIe4wZ2iCP0zF/qu18ZwyKxrhMhygBEc= cloud.google.com/go/ids v1.1.0/go.mod h1:WIuwCaYVOzHIj2OhN9HAwvW+DBdmUAdcWlFxRl+KubM= cloud.google.com/go/iot v1.3.0/go.mod h1:r7RGh2B61+B8oz0AGE+J72AhA0G7tdXItODWsaA2oLs= 
@@ -1803,8 +1805,8 @@ google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz google.golang.org/genproto v0.0.0-20221024153911-1573dae28c9c/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s= google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s= google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c/go.mod h1:CGI5F/G+E5bKwmfYo09AXuVN4dD894kIKUFmVbP2/Fo= -google.golang.org/genproto v0.0.0-20221201164419-0e50fba7f41c h1:S34D59DS2GWOEwWNt4fYmTcFrtlOgukG2k9WsomZ7tg= -google.golang.org/genproto v0.0.0-20221201164419-0e50fba7f41c/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg= +google.golang.org/genproto v0.0.0-20221205194025-8222ab48f5fc h1:nUKKji0AarrQKh6XpFEpG3p1TNztxhe7C8TcUvDgXqw= +google.golang.org/genproto v0.0.0-20221205194025-8222ab48f5fc/go.mod h1:1dOng4TWOomJrDGhpXjfCD35wQC6jnC7HpRmOFRqEV0= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= diff --git a/pkg/agent/plugin/svidstore/gcpsecretmanager/client.go b/pkg/agent/plugin/svidstore/gcpsecretmanager/client.go index fe80d45896..c08097e6ec 100644 --- a/pkg/agent/plugin/svidstore/gcpsecretmanager/client.go +++ b/pkg/agent/plugin/svidstore/gcpsecretmanager/client.go @@ -3,11 +3,11 @@ package gcpsecretmanager import ( "context" + "cloud.google.com/go/iam/apiv1/iampb" secretmanager "cloud.google.com/go/secretmanager/apiv1" "cloud.google.com/go/secretmanager/apiv1/secretmanagerpb" gax "github.com/googleapis/gax-go/v2" "google.golang.org/api/option" - iampb "google.golang.org/genproto/googleapis/iam/v1" ) type secretManagerClient interface { diff --git a/pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud.go b/pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud.go index 1360fd024d..04f2735e82 100644 
--- a/pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud.go +++ b/pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud.go @@ -9,6 +9,7 @@ import ( "strings" "sync" + "cloud.google.com/go/iam/apiv1/iampb" "cloud.google.com/go/secretmanager/apiv1/secretmanagerpb" "github.com/hashicorp/go-hclog" "github.com/hashicorp/hcl" @@ -16,7 +17,6 @@ import ( configv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/service/common/config/v1" "github.com/spiffe/spire/pkg/agent/plugin/svidstore" "github.com/spiffe/spire/pkg/common/catalog" - "google.golang.org/genproto/googleapis/iam/v1" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" ) @@ -225,7 +225,7 @@ func (p *SecretManagerPlugin) shouldSetPolicy(ctx context.Context, secretName st if !secretFound { return true, nil } - policy, err := p.secretManagerClient.GetIamPolicy(ctx, &iam.GetIamPolicyRequest{ + policy, err := p.secretManagerClient.GetIamPolicy(ctx, &iampb.GetIamPolicyRequest{ Resource: secretName, }) if err != nil { @@ -251,10 +251,10 @@ func (p *SecretManagerPlugin) shouldSetPolicy(ctx context.Context, secretName st func (p *SecretManagerPlugin) setIamPolicy(ctx context.Context, secretName string, opt *secretOptions) error { // Create a policy without conditions and a single binding - resp, err := p.secretManagerClient.SetIamPolicy(ctx, &iam.SetIamPolicyRequest{ + resp, err := p.secretManagerClient.SetIamPolicy(ctx, &iampb.SetIamPolicyRequest{ Resource: opt.secretName(), - Policy: &iam.Policy{ - Bindings: []*iam.Binding{ + Policy: &iampb.Policy{ + Bindings: []*iampb.Binding{ { Role: opt.roleName, Members: []string{opt.serviceAccount}, diff --git a/pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud_test.go b/pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud_test.go index f53c422c8b..fc8674e190 100644 --- a/pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud_test.go +++ b/pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud_test.go 
@@ -11,6 +11,7 @@ import ( "testing" "time" + "cloud.google.com/go/iam/apiv1/iampb" "cloud.google.com/go/secretmanager/apiv1/secretmanagerpb" gax "github.com/googleapis/gax-go/v2" "github.com/spiffe/go-spiffe/v2/spiffeid" @@ -21,7 +22,6 @@ import ( "github.com/spiffe/spire/test/spiretest" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - iampb "google.golang.org/genproto/googleapis/iam/v1" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" ) diff --git a/pkg/server/plugin/keymanager/gcpkms/client.go b/pkg/server/plugin/keymanager/gcpkms/client.go index 712d633e59..704ae78400 100644 --- a/pkg/server/plugin/keymanager/gcpkms/client.go +++ b/pkg/server/plugin/keymanager/gcpkms/client.go @@ -4,12 +4,12 @@ import ( "context" "cloud.google.com/go/iam" + "cloud.google.com/go/iam/apiv1/iampb" kms "cloud.google.com/go/kms/apiv1" "cloud.google.com/go/kms/apiv1/kmspb" "github.com/googleapis/gax-go/v2" "google.golang.org/api/oauth2/v2" "google.golang.org/api/option" - iampb "google.golang.org/genproto/googleapis/iam/v1" ) type cloudKeyManagementService interface { diff --git a/pkg/server/plugin/keymanager/gcpkms/client_fake.go b/pkg/server/plugin/keymanager/gcpkms/client_fake.go index c50796fc37..7cd57df98f 100644 --- a/pkg/server/plugin/keymanager/gcpkms/client_fake.go +++ b/pkg/server/plugin/keymanager/gcpkms/client_fake.go @@ -18,6 +18,7 @@ import ( "testing" "cloud.google.com/go/iam" + "cloud.google.com/go/iam/apiv1/iampb" "cloud.google.com/go/kms/apiv1/kmspb" "github.com/googleapis/gax-go/v2" "github.com/spiffe/spire/test/clock" @@ -25,7 +26,6 @@ import ( "google.golang.org/api/iterator" "google.golang.org/api/oauth2/v2" "google.golang.org/api/option" - iampb "google.golang.org/genproto/googleapis/iam/v1" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" "google.golang.org/protobuf/types/known/timestamppb" 
diff --git a/pkg/server/plugin/keymanager/gcpkms/gcpkms.go b/pkg/server/plugin/keymanager/gcpkms/gcpkms.go index 51d4ef16f8..34e2e250ef 100644 --- a/pkg/server/plugin/keymanager/gcpkms/gcpkms.go +++ b/pkg/server/plugin/keymanager/gcpkms/gcpkms.go @@ -16,6 +16,7 @@ import ( "time" "cloud.google.com/go/iam" + "cloud.google.com/go/iam/apiv1/iampb" "cloud.google.com/go/kms/apiv1/kmspb" "github.com/andres-erbsen/clock" "github.com/gofrs/uuid" @@ -27,7 +28,6 @@ import ( "github.com/spiffe/spire/pkg/common/diskutil" "google.golang.org/api/iterator" "google.golang.org/api/option" - iampb "google.golang.org/genproto/googleapis/iam/v1" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" "google.golang.org/protobuf/types/known/fieldmaskpb" From c875b500bfd86d2e82d924712762b3b14512cd3e Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Tue, 20 Dec 2022 11:04:50 -0300 Subject: [PATCH 226/257] Missing Fixes (#199) * tests: fixed defaultCheckOpts error testing on FetchImageSignatures tests Signed-off-by: Rodrigo Lopes * lint: removed redundant type for empty structs Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes --- .../k8s/sigstore/sigstore_test.go | 87 ++++++------------- 1 file changed, 25 insertions(+), 62 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index 2d80e605e5..ea01d592a7 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -6,19 +6,13 @@ package sigstore import ( "bytes" "context" - "crypto" - "crypto/ecdsa" - "crypto/elliptic" - "crypto/rand" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" "errors" "fmt" - "math/big" "net/url" "testing" - "time" "github.com/google/go-containerregistry/pkg/name" "github.com/google/go-containerregistry/pkg/v1/remote" 
@@ -41,38 +35,6 @@ var ( OIDCIssuerOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1} ) -func createCertificate(template *x509.Certificate, parent *x509.Certificate, pub interface{}, priv crypto.Signer) (*x509.Certificate, error) { - certBytes, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv) - if err != nil { - return nil, err - } - - return x509.ParseCertificate(certBytes) -} - -func GenerateRootCa() (*x509.Certificate, *ecdsa.PrivateKey, error) { - rootTemplate := &x509.Certificate{ - SerialNumber: big.NewInt(1), - Subject: pkix.Name{ - CommonName: "sigstore", - Organization: []string{"sigstore.dev"}, - }, - NotBefore: time.Now().Add(-5 * time.Minute), - NotAfter: time.Now().Add(5 * time.Hour), - KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, - BasicConstraintsValid: true, - IsCA: true, - } - - priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) - if err != nil { - return nil, nil, err - } - - cert, err := createCertificate(rootTemplate, rootTemplate, &priv.PublicKey, priv) - return cert, priv, err -} - func TestNew(t *testing.T) { newcache := NewCache(maximumAmountCache) want := &sigstoreImpl{ @@ -115,7 +77,8 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { rekorURL url.URL } - defaultCheckOpts, _ := defaultCheckOptsFunction(rekorDefaultURL()) + defaultCheckOpts, err := defaultCheckOptsFunction(rekorDefaultURL()) + require.NoError(t, err) emptyURLCheckOpts, emptyError := defaultCheckOptsFunction(url.URL{}) require.Nil(t, emptyURLCheckOpts) require.EqualError(t, emptyError, "rekor URL host is empty") @@ -816,7 +779,7 @@ func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { { name: "skipping only image in list", skippedImages: map[string]struct{}{ - "sha256:sampleimagehash": struct{}{}, + "sha256:sampleimagehash": {}, }, imageID: "sha256:sampleimagehash", want: true, 
@@ -824,9 +787,9 @@ func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { { name: "skipping image in list", skippedImages: map[string]struct{}{ - "sha256:sampleimagehash": struct{}{}, - "sha256:sampleimagehash2": struct{}{}, - "sha256:sampleimagehash3": struct{}{}, + "sha256:sampleimagehash": {}, + "sha256:sampleimagehash2": {}, + "sha256:sampleimagehash3": {}, }, imageID: "sha256:sampleimagehash2", want: true, @@ -834,8 +797,8 @@ func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { { name: "image not in list", skippedImages: map[string]struct{}{ - "sha256:sampleimagehash": struct{}{}, - "sha256:sampleimagehash3": struct{}{}, + "sha256:sampleimagehash": {}, + "sha256:sampleimagehash3": {}, }, imageID: "sha256:sampleimagehash2", want: false, @@ -849,9 +812,9 @@ func TestSigstoreimpl_ShouldSkipImage(t *testing.T) { { name: "empty imageID", skippedImages: map[string]struct{}{ - "sha256:sampleimagehash": struct{}{}, - "sha256:sampleimagehash2": struct{}{}, - "sha256:sampleimagehash3": struct{}{}, + "sha256:sampleimagehash": {}, + "sha256:sampleimagehash2": {}, + "sha256:sampleimagehash3": {}, }, imageID: "", want: false, 
@@ -885,38 +848,38 @@ func TestSigstoreimpl_AddSkippedImage(t *testing.T) { name: "add skipped image to empty map", imageID: []string{"sha256:sampleimagehash"}, want: map[string]struct{}{ - "sha256:sampleimagehash": struct{}{}, + "sha256:sampleimagehash": {}, }, }, { name: "add skipped image", skippedImages: map[string]struct{}{ - "sha256:sampleimagehash1": struct{}{}, + "sha256:sampleimagehash1": {}, }, imageID: []string{"sha256:sampleimagehash"}, want: map[string]struct{}{ - "sha256:sampleimagehash": struct{}{}, - "sha256:sampleimagehash1": struct{}{}, + "sha256:sampleimagehash": {}, + "sha256:sampleimagehash1": {}, }, }, { name: "add a list of skipped images to empty map", imageID: []string{"sha256:sampleimagehash", "sha256:sampleimagehash1"}, want: map[string]struct{}{ - "sha256:sampleimagehash": struct{}{}, - "sha256:sampleimagehash1": struct{}{}, + "sha256:sampleimagehash": {}, + "sha256:sampleimagehash1": {}, }, }, { name: "add a list of skipped images to a existing map", skippedImages: map[string]struct{}{ - "sha256:sampleimagehash": struct{}{}, + "sha256:sampleimagehash": {}, }, imageID: []string{"sha256:sampleimagehash1", "sha256:sampleimagehash2"}, want: map[string]struct{}{ - "sha256:sampleimagehash": struct{}{}, - "sha256:sampleimagehash1": struct{}{}, - "sha256:sampleimagehash2": struct{}{}, + "sha256:sampleimagehash": {}, + "sha256:sampleimagehash1": {}, + "sha256:sampleimagehash2": {}, }, }, } @@ -939,14 +902,14 @@ func TestSigstoreimpl_ClearSkipList(t *testing.T) { { name: "clear single image in map", skippedImages: map[string]struct{}{ - "sha256:sampleimagehash": struct{}{}, + "sha256:sampleimagehash": {}, }, }, { name: "clear multiple images map", skippedImages: map[string]struct{}{ - "sha256:sampleimagehash": struct{}{}, - "sha256:sampleimagehash1": struct{}{}, + "sha256:sampleimagehash": {}, + "sha256:sampleimagehash1": {}, }, }, { 
@@ -1697,7 +1660,7 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { checkOptsBinding: createNilCheckOptsFunction(), }, skippedImages: map[string]struct{}{ - "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505": struct{}{}, + "docker-registry.com/some/image@sha256:5fb2054478353fd8d514056d1745b3a9eef066deadda4b90967af7ca65ce6505": {}, }, rekorURL: rekorDefaultURL(), }, From 5b6f29e08196a66813458813129f7d06b55ed885 Mon Sep 17 00:00:00 2001 From: Guilherme Oliveira do Carmo Carvalho <33766735+guilhermocc@users.noreply.github.com> Date: Tue, 20 Dec 2022 16:07:22 -0300 Subject: [PATCH 227/257] Add support for -output flag in spire server federation commands (#3660) * Add -output flag support for spire server federation commands Signed-off-by: Guilherme Carvalho --- .../cli/federation/common_test.go | 15 + cmd/spire-server/cli/federation/create.go | 33 +- .../cli/federation/create_test.go | 302 +++++++++++++----- cmd/spire-server/cli/federation/delete.go | 37 ++- .../cli/federation/delete_test.go | 70 ++-- cmd/spire-server/cli/federation/list.go | 27 +- cmd/spire-server/cli/federation/list_test.go | 105 ++++-- cmd/spire-server/cli/federation/refresh.go | 25 +- .../cli/federation/refresh_test.go | 50 +-- cmd/spire-server/cli/federation/show.go | 23 +- cmd/spire-server/cli/federation/show_test.go | 69 ++-- cmd/spire-server/cli/federation/update.go | 36 ++- .../cli/federation/update_test.go | 302 +++++++++++++----- .../cli/federation/util_posix_test.go | 77 +++++ .../cli/federation/util_windows_test.go | 77 +++++ 15 files changed, 933 insertions(+), 315 deletions(-) create mode 100644 cmd/spire-server/cli/federation/util_posix_test.go create mode 100644 cmd/spire-server/cli/federation/util_windows_test.go diff --git a/cmd/spire-server/cli/federation/common_test.go b/cmd/spire-server/cli/federation/common_test.go index 8a700fa175..e9750f5747 100644 --- a/cmd/spire-server/cli/federation/common_test.go 
+++ b/cmd/spire-server/cli/federation/common_test.go @@ -103,6 +103,8 @@ const ( }` ) +var availableFormats = []string{"pretty", "json"} + type cmdTest struct { stdin *bytes.Buffer stdout *bytes.Buffer @@ -260,3 +262,16 @@ func createJSONDataFile(t *testing.T, data string) string { require.NoError(t, os.WriteFile(jsonDataFilePath, []byte(data), 0600)) return jsonDataFilePath } + +func requireOutputBasedOnFormat(t *testing.T, format, stdoutString string, expectedStdoutPretty, expectedStdoutJSON string) { + switch format { + case "pretty": + require.Contains(t, stdoutString, expectedStdoutPretty) + case "json": + if expectedStdoutJSON != "" { + require.JSONEq(t, expectedStdoutJSON, stdoutString) + } else { + require.Empty(t, stdoutString) + } + } +} diff --git a/cmd/spire-server/cli/federation/create.go b/cmd/spire-server/cli/federation/create.go index 6b73ace6e3..1d2ff1769b 100644 --- a/cmd/spire-server/cli/federation/create.go +++ b/cmd/spire-server/cli/federation/create.go @@ -8,8 +8,10 @@ import ( "github.com/mitchellh/cli" trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1" + "github.com/spiffe/spire-api-sdk/proto/spire/api/types" "github.com/spiffe/spire/cmd/spire-server/util" - common_cli "github.com/spiffe/spire/pkg/common/cli" + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" "google.golang.org/grpc/codes" ) 
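Review bot: `requireOutputBasedOnFormat` (added to common_test.go in the `@@ -260,3 +262,16 @@` hunk) switches on `format` with no `default` branch, so any value other than "pretty" or "json" asserts nothing and the calling test passes vacuously. Adding `default: t.Fatalf("unexpected output format %q", format)` turns a typo in a test table, or a new entry in `availableFormats`, into a failure. The two branches also treat an empty expectation differently: the JSON branch requires empty stdout, while `require.Contains(t, stdoutString, "")` in the pretty branch accepts any output, so error cases do not check that pretty mode printed nothing to stdout. Calling `t.Helper()` at the top would make failures point at the calling test rather than at this helper.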
@@ -20,16 +22,19 @@ const ( // NewCreateCommand creates a new "create" subcommand for "federation" command. func NewCreateCommand() cli.Command { - return newCreateCommand(common_cli.DefaultEnv) + return newCreateCommand(commoncli.DefaultEnv) } -func newCreateCommand(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(createCommand)) +func newCreateCommand(env *commoncli.Env) cli.Command { + return util.AdaptCommand(env, &createCommand{env: env}) } type createCommand struct { - path string - config *federationRelationshipConfig + path string + config *federationRelationshipConfig + env *commoncli.Env + printer cliprinter.Printer + federationRelationships []*types.FederationRelationship } func (*createCommand) Name() string { @@ -44,13 +49,15 @@ func (c *createCommand) AppendFlags(f *flag.FlagSet) { f.StringVar(&c.path, "data", "", "Path to a file containing federation relationships in JSON format (optional). If set to '-', read the JSON from stdin.") c.config = &federationRelationshipConfig{} appendConfigFlags(c.config, f) + cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, c.prettyPrintCreate) } -func (c *createCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { +func (c *createCommand) Run(ctx context.Context, env *commoncli.Env, serverClient util.ServerClient) error { federationRelationships, err := getRelationships(c.config, c.path) if err != nil { return err } + c.federationRelationships = federationRelationships client := serverClient.NewTrustDomainClient() 
@@ -61,17 +68,25 @@ func (c *createCommand) Run(ctx context.Context, env *common_cli.Env, serverClie return fmt.Errorf("request failed: %w", err) } + return c.printer.PrintProto(resp) +} + +func (c *createCommand) prettyPrintCreate(env *commoncli.Env, results ...interface{}) error { + createResp, ok := results[0].(*trustdomainv1.BatchCreateFederationRelationshipResponse) + if !ok || len(c.federationRelationships) < len(createResp.Results) { + return cliprinter.ErrInternalCustomPrettyFunc + } // Process results var succeeded []*trustdomainv1.BatchCreateFederationRelationshipResponse_Result var failed []*trustdomainv1.BatchCreateFederationRelationshipResponse_Result - for i, r := range resp.Results { + for i, r := range createResp.Results { switch r.Status.Code { case int32(codes.OK): succeeded = append(succeeded, r) default: // The trust domain API does not include in the results the relationships that // failed to be created, so we populate them from the request data. - r.FederationRelationship = federationRelationships[i] + r.FederationRelationship = c.federationRelationships[i] failed = append(failed, r) } } diff --git a/cmd/spire-server/cli/federation/create_test.go b/cmd/spire-server/cli/federation/create_test.go index f77a70a89b..1211a4d716 100644 --- a/cmd/spire-server/cli/federation/create_test.go +++ b/cmd/spire-server/cli/federation/create_test.go @@ -2,6 +2,7 @@ package federation import ( "crypto/x509" + "encoding/base64" "errors" "fmt" "testing" @@ -10,8 +11,8 @@ import ( "github.com/spiffe/go-spiffe/v2/spiffeid" trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1" "github.com/spiffe/spire-api-sdk/proto/spire/api/types" - "github.com/spiffe/spire/cmd/spire-server/cli/common" "github.com/spiffe/spire/pkg/common/pemutil" + "github.com/spiffe/spire/pkg/server/api" "github.com/spiffe/spire/test/spiretest" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" 
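Review bot: `prettyPrintCreate` (create.go, `@@ -61,17 +68,25 @@` hunk) indexes `results[0]` before checking that `results` is non-empty, so a call with no arguments would panic rather than return `cliprinter.ErrInternalCustomPrettyFunc`. Whether the printer can call it that way is not visible here, but `if len(results) == 0 { return cliprinter.ErrInternalCustomPrettyFunc }` ahead of the type assertion keeps the failure on the error path. The check `len(c.federationRelationships) < len(createResp.Results)` does protect the later `c.federationRelationships[i]` lookup. That lookup depends on `Run` having stored the request slice on the command struct first, which deserves a short comment on the `federationRelationships` field, e.g. `// set by Run; read by prettyPrintCreate to label failed results`. The function body continues past the end of this hunk.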
@@ -21,22 +22,7 @@ func TestCreatetHelp(t *testing.T) { test := setupTest(t, newCreateCommand) test.client.Help() - require.Equal(t, `Usage of federation create: - -bundleEndpointProfile string - Endpoint profile type (either "https_web" or "https_spiffe") - -bundleEndpointURL string - URL of the SPIFFE bundle endpoint that provides the trust bundle (must use the HTTPS protocol) - -data string - Path to a file containing federation relationships in JSON format (optional). If set to '-', read the JSON from stdin. - -endpointSpiffeID string - SPIFFE ID of the SPIFFE bundle endpoint server. Only used for 'spiffe' profile.`+common.AddrUsage+ - ` -trustDomain string - Name of the trust domain to federate with (e.g., example.org) - -trustDomainBundleFormat string - The format of the bundle data (optional). Either "pem" or "spiffe". (default "pem") - -trustDomainBundlePath string - Path to the trust domain bundle data (optional). -`, test.stderr.String()) + require.Equal(t, createUsage, test.stderr.String()) } func TestCreateSynopsis(t *testing.T) { 
@@ -153,48 +139,58 @@ func TestCreate(t *testing.T) { fakeResp *trustdomainv1.BatchCreateFederationRelationshipResponse serverErr error - expOut string - expErr string + expOutPretty string + expOutJSON string + expErrPretty string + expErrJSON string }{ { - name: "Missing trust domain", - expErr: "Error: trust domain is required\n", + name: "Missing trust domain", + expErrPretty: "Error: trust domain is required\n", + expErrJSON: "Error: trust domain is required\n", }, { - name: "Missing bundle endpoint URL", - args: []string{"-trustDomain", "td.org"}, - expErr: "Error: bundle endpoint URL is required\n", + name: "Missing bundle endpoint URL", + args: []string{"-trustDomain", "td.org"}, + expErrPretty: "Error: bundle endpoint URL is required\n", + expErrJSON: "Error: bundle endpoint URL is required\n", }, { - name: "Unknown endpoint profile", - args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-bundleEndpointProfile", "bad-type"}, - expErr: "Error: unknown bundle endpoint profile type: \"bad-type\"\n", + name: "Unknown endpoint profile", + args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-bundleEndpointProfile", "bad-type"}, + expErrPretty: "Error: unknown bundle endpoint profile type: \"bad-type\"\n", + expErrJSON: "Error: unknown bundle endpoint profile type: \"bad-type\"\n", }, { - name: "Missing endpoint SPIFFE ID", - args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-bundleEndpointProfile", profileHTTPSSPIFFE}, - expErr: "Error: endpoint SPIFFE ID is required if 'https_spiffe' endpoint profile is set\n", + name: "Missing endpoint SPIFFE ID", + args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-bundleEndpointProfile", profileHTTPSSPIFFE}, + expErrPretty: "Error: endpoint SPIFFE ID is required if 'https_spiffe' endpoint profile is set\n", + expErrJSON: "Error: endpoint SPIFFE ID is required if 
'https_spiffe' endpoint profile is set\n", }, { - name: "Invalid bundle endpoint SPIFFE ID", - args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-endpointSpiffeID", "invalid-id", "-trustDomainBundlePath", bundlePath, "-bundleEndpointProfile", profileHTTPSSPIFFE}, - expErr: "Error: cannot parse bundle endpoint SPIFFE ID: scheme is missing or invalid\n", + name: "Invalid bundle endpoint SPIFFE ID", + args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-endpointSpiffeID", "invalid-id", "-trustDomainBundlePath", bundlePath, "-bundleEndpointProfile", profileHTTPSSPIFFE}, + expErrPretty: "Error: cannot parse bundle endpoint SPIFFE ID: scheme is missing or invalid\n", + expErrJSON: "Error: cannot parse bundle endpoint SPIFFE ID: scheme is missing or invalid\n", }, { - name: "Non-existent bundle file", - args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-endpointSpiffeID", "spiffe://td.org/bundle", "-trustDomainBundlePath", "non-existent-path", "-bundleEndpointProfile", profileHTTPSWeb}, - expErr: fmt.Sprintf("Error: cannot read bundle file: open non-existent-path: %s\n", spiretest.FileNotFound()), + name: "Non-existent bundle file", + args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-endpointSpiffeID", "spiffe://td.org/bundle", "-trustDomainBundlePath", "non-existent-path", "-bundleEndpointProfile", profileHTTPSWeb}, + expErrPretty: fmt.Sprintf("Error: cannot read bundle file: open non-existent-path: %s\n", spiretest.FileNotFound()), + expErrJSON: fmt.Sprintf("Error: cannot read bundle file: open non-existent-path: %s\n", spiretest.FileNotFound()), }, { - name: "Corrupted bundle file", - args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-endpointSpiffeID", "spiffe://td.org/bundle", "-trustDomainBundlePath", corruptedBundlePath, "-bundleEndpointProfile", profileHTTPSWeb}, - expErr: 
"Error: cannot parse bundle file: unable to parse bundle data: no PEM blocks\n", + name: "Corrupted bundle file", + args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-endpointSpiffeID", "spiffe://td.org/bundle", "-trustDomainBundlePath", corruptedBundlePath, "-bundleEndpointProfile", profileHTTPSWeb}, + expErrPretty: "Error: cannot parse bundle file: unable to parse bundle data: no PEM blocks\n", + expErrJSON: "Error: cannot parse bundle file: unable to parse bundle data: no PEM blocks\n", }, { - name: "Server error", - args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-bundleEndpointProfile", "https_web"}, - serverErr: errors.New("server error"), - expErr: "Error: request failed: rpc error: code = Unknown desc = server error\n", + name: "Server error", + args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-bundleEndpointProfile", "https_web"}, + serverErr: errors.New("server error"), + expErrPretty: "Error: request failed: rpc error: code = Unknown desc = server error\n", + expErrJSON: "Error: request failed: rpc error: code = Unknown desc = server error\n", }, { name: "Succeeds for SPIFFE profile", 
@@ -205,17 +201,35 @@ func TestCreate(t *testing.T) { fakeResp: &trustdomainv1.BatchCreateFederationRelationshipResponse{ Results: []*trustdomainv1.BatchCreateFederationRelationshipResponse_Result{ { - Status: &types.Status{}, + Status: api.OK(), FederationRelationship: frSPIFFE, }, }, }, - expOut: ` + expOutPretty: ` Trust domain : td-2.org Bundle endpoint URL : https://td-2.org/bundle Bundle endpoint profile : https_spiffe Endpoint SPIFFE ID : spiffe://other.org/bundle `, + expOutJSON: `{ + "results": [ + { + "status": { + "code": 0, + "message": "OK" + }, + "federation_relationship": { + "trust_domain": "td-2.org", + "bundle_endpoint_url": "https://td-2.org/bundle", + "https_spiffe": { + "endpoint_spiffe_id": "spiffe://other.org/bundle" + }, + "trust_domain_bundle": null + } + } + ] +}`, }, { name: "Succeeds for SPIFFE profile and bundle", @@ -226,17 +240,45 @@ Endpoint SPIFFE ID : spiffe://other.org/bundle fakeResp: &trustdomainv1.BatchCreateFederationRelationshipResponse{ Results: []*trustdomainv1.BatchCreateFederationRelationshipResponse_Result{ { - Status: &types.Status{}, + Status: api.OK(), FederationRelationship: frSPIFFEAndBundle, }, }, }, - expOut: ` + expOutPretty: ` Trust domain : td-3.org Bundle endpoint URL : https://td-3.org/bundle Bundle endpoint profile : https_spiffe Endpoint SPIFFE ID : spiffe://td-3.org/bundle `, + expOutJSON: fmt.Sprintf(`{ + "results": [ + { + "status": { + "code": 0, + "message": "OK" + }, + "federation_relationship": { + "trust_domain": "td-3.org", + "bundle_endpoint_url": "https://td-3.org/bundle", + "https_spiffe": { + "endpoint_spiffe_id": "spiffe://td-3.org/bundle" + }, + "trust_domain_bundle": { + "trust_domain": "td-3.org", + "x509_authorities": [ + { + "asn1": "%s" + } + ], + "jwt_authorities": [], + "refresh_hint": "0", + "sequence_number": "0" + } + } + } + ] +}`, base64.StdEncoding.EncodeToString(bundle.X509Authorities[0].Asn1)), }, { name: "Succeeds for web profile", 
@@ -247,16 +289,32 @@ Endpoint SPIFFE ID : spiffe://td-3.org/bundle fakeResp: &trustdomainv1.BatchCreateFederationRelationshipResponse{ Results: []*trustdomainv1.BatchCreateFederationRelationshipResponse_Result{ { - Status: &types.Status{}, + Status: api.OK(), FederationRelationship: frWeb, }, }, }, - expOut: ` + expOutPretty: ` Trust domain : td-1.org Bundle endpoint URL : https://td-1.org/bundle Bundle endpoint profile : https_web `, + expOutJSON: `{ + "results": [ + { + "status": { + "code": 0, + "message": "OK" + }, + "federation_relationship": { + "trust_domain": "td-1.org", + "bundle_endpoint_url": "https://td-1.org/bundle", + "https_web": {}, + "trust_domain_bundle": null + } + } + ] +}`, }, { name: "Federation relationships that failed to be created are printed", @@ -275,12 +333,28 @@ Bundle endpoint profile : https_web }, }, }, - expErr: `Failed to create the following federation relationship (code: AlreadyExists, msg: "the message"): + expErrPretty: `Failed to create the following federation relationship (code: AlreadyExists, msg: "the message"): Trust domain : td-1.org Bundle endpoint URL : https://td-1.org/bundle Bundle endpoint profile : https_web Error: failed to create one or more federation relationships `, + expOutJSON: `{ + "results": [ + { + "status": { + "code": 6, + "message": "the message" + }, + "federation_relationship": { + "trust_domain": "td-1.org", + "bundle_endpoint_url": "https://td-1.org/bundle", + "https_web": {}, + "trust_domain_bundle": null + } + } + ] +}`, }, { name: "Succeeds loading federation relationships from JSON file", 
@@ -295,12 +369,12 @@ Error: failed to create one or more federation relationships }, fakeResp: &trustdomainv1.BatchCreateFederationRelationshipResponse{ Results: []*trustdomainv1.BatchCreateFederationRelationshipResponse_Result{ - {FederationRelationship: frWeb, Status: &types.Status{}}, - {FederationRelationship: frSPIFFE, Status: &types.Status{}}, - {FederationRelationship: frPemAuthority, Status: &types.Status{}}, + {FederationRelationship: frWeb, Status: api.OK()}, + {FederationRelationship: frSPIFFE, Status: api.OK()}, + {FederationRelationship: frPemAuthority, Status: api.OK()}, }, }, - expOut: ` + expOutPretty: ` Trust domain : td-1.org Bundle endpoint URL : https://td-1.org/bundle Bundle endpoint profile : https_web 
@@ -315,44 +389,110 @@ Bundle endpoint URL : https://td-3.org/bundle Bundle endpoint profile : https_spiffe Endpoint SPIFFE ID : spiffe://td-3.org/bundle `, + expOutJSON: `{ + "results": [ + { + "status": { + "code": 0, + "message": "OK" + }, + "federation_relationship": { + "trust_domain": "td-1.org", + "bundle_endpoint_url": "https://td-1.org/bundle", + "https_web": {}, + "trust_domain_bundle": null + } + }, + { + "status": { + "code": 0, + "message": "OK" + }, + "federation_relationship": { + "trust_domain": "td-2.org", + "bundle_endpoint_url": "https://td-2.org/bundle", + "https_spiffe": { + "endpoint_spiffe_id": "spiffe://other.org/bundle" + }, + "trust_domain_bundle": null + } + }, + { + "status": { + "code": 0, + "message": "OK" + }, + "federation_relationship": { + "trust_domain": "td-3.org", + "bundle_endpoint_url": "https://td-3.org/bundle", + "https_spiffe": { + "endpoint_spiffe_id": "spiffe://td-3.org/bundle" + }, + "trust_domain_bundle": { + "trust_domain": "td-3.org", + "x509_authorities": [ + { + "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHyvsCk5yi+yhSzNu5aquQwvm8a1Wh+qw1fiHAkhDni+wq+g3TQWxYlV51TCPH030yXsRxvujD4hUUaIQrXk4KKjODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMS50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIA2dO09Xmakw2ekuHKWC4hBhCkpr5qY4bI8YUcXfxg/1AiEA67kMyH7bQnr7OVLUrL+b9ylAdZglS5kKnYigmwDh+/U=" + } + ], + "jwt_authorities": [], + "refresh_hint": "0", + "sequence_number": "0" + } + } + } + ] +}`, }, { - name: "Loading federation relationships from JSON file: invalid path", - args: []string{"-data", "somePath"}, - expErr: fmt.Sprintf("Error: open somePath: %s\n", spiretest.FileNotFound()), + name: "Loading federation relationships from JSON file: invalid path", + args: []string{"-data", "somePath"}, + expErrPretty: fmt.Sprintf("Error: open somePath: %s\n", spiretest.FileNotFound()), + expErrJSON: fmt.Sprintf("Error: open somePath: %s\n", 
spiretest.FileNotFound()), }, { - name: "Loading federation relationships from JSON file: no a json", - args: []string{"-data", bundlePath}, - expErr: "Error: failed to parse JSON: invalid character '-' in numeric literal\n", + name: "Loading federation relationships from JSON file: no a json", + args: []string{"-data", bundlePath}, + expErrPretty: "Error: failed to parse JSON: invalid character '-' in numeric literal\n", + expErrJSON: "Error: failed to parse JSON: invalid character '-' in numeric literal\n", }, { - name: "Loading federation relationships from JSON file: invalid relationship", - args: []string{"-data", jsonDataInvalidRelationship}, - expErr: "Error: could not parse item 0: trust domain is required\n", + name: "Loading federation relationships from JSON file: invalid relationship", + args: []string{"-data", jsonDataInvalidRelationship}, + expErrPretty: "Error: could not parse item 0: trust domain is required\n", + expErrJSON: "Error: could not parse item 0: trust domain is required\n", }, { - name: "Loading federation relationships from JSON file: multiple flags", - args: []string{"-data", jsonDataInvalidRelationship, "-bundleEndpointURL", "https://td-1.org/bundle"}, - expErr: "Error: cannot use other flags to specify relationship fields when 'data' flag is set\n", + name: "Loading federation relationships from JSON file: multiple flags", + args: []string{"-data", jsonDataInvalidRelationship, "-bundleEndpointURL", "https://td-1.org/bundle"}, + expErrPretty: "Error: cannot use other flags to specify relationship fields when 'data' flag is set\n", + expErrJSON: "Error: cannot use other flags to specify relationship fields when 'data' flag is set\n", }, } { - tt := tt - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, newCreateCommand) - test.server.err = tt.serverErr - test.server.expectCreateReq = tt.expReq - test.server.createResp = tt.fakeResp + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, 
format), func(t *testing.T) { + test := setupTest(t, newCreateCommand) + test.server.err = tt.serverErr + test.server.expectCreateReq = tt.expReq + test.server.createResp = tt.fakeResp + args := tt.args + args = append(args, "-output", format) - rc := test.client.Run(test.args(tt.args...)) - if tt.expErr != "" { - require.Equal(t, 1, rc) - require.Equal(t, tt.expErr, test.stderr.String()) - return - } + rc := test.client.Run(test.args(args...)) + if tt.expErrPretty != "" && format == "pretty" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expErrPretty, test.stderr.String()) + return + } + if tt.expErrJSON != "" && format == "json" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expErrJSON, test.stderr.String()) + return + } - require.Equal(t, 0, rc) - require.Equal(t, tt.expOut, test.stdout.String()) - }) + require.Equal(t, 0, rc) + requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expOutPretty, tt.expOutJSON) + }) + } } } diff --git a/cmd/spire-server/cli/federation/delete.go b/cmd/spire-server/cli/federation/delete.go index 98a798af2e..c67d68e34f 100644 --- a/cmd/spire-server/cli/federation/delete.go +++ b/cmd/spire-server/cli/federation/delete.go 
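Review bot: The `asn1` value in the `expOutJSON` of the "Succeeds loading federation relationships from JSON file" case is a pasted base64 literal, while the "Succeeds for SPIFFE profile and bundle" case earlier in this file builds the same field with `base64.StdEncoding.EncodeToString(bundle.X509Authorities[0].Asn1)`. If the certificate behind `frPemAuthority` is reachable from the test (its definition is not visible in this hunk), deriving the string the same way through `fmt.Sprintf` would keep the expectation from drifting when the fixture is regenerated. Separately, most error cases repeat an identical string in `expErrPretty` and `expErrJSON`; a single `expErr` with a per-format override only where the two differ would make the one case that does differ stand out.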
@@ -9,21 +9,24 @@ import ( "github.com/mitchellh/cli" "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1" "github.com/spiffe/spire/cmd/spire-server/util" - common_cli "github.com/spiffe/spire/pkg/common/cli" + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" "google.golang.org/grpc/codes" ) func NewDeleteCommand() cli.Command { - return newDeleteCommand(common_cli.DefaultEnv) + return newDeleteCommand(commoncli.DefaultEnv) } -func newDeleteCommand(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(deleteCommand)) +func newDeleteCommand(env *commoncli.Env) cli.Command { + return util.AdaptCommand(env, &deleteCommand{env: env}) } type deleteCommand struct { // SPIFFE ID of the trust domain to delete - id string + id string + env *commoncli.Env + printer cliprinter.Printer } func (c *deleteCommand) Name() string { @@ -36,9 +39,10 @@ func (c *deleteCommand) Synopsis() string { func (c *deleteCommand) AppendFlags(fs *flag.FlagSet) { fs.StringVar(&c.id, "id", "", "SPIFFE ID of the trust domain") + cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintDelete) } -func (c *deleteCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { +func (c *deleteCommand) Run(ctx context.Context, env *commoncli.Env, serverClient util.ServerClient) error { if c.id == "" { return errors.New("id is required") } 
@@ -50,13 +54,20 @@ func (c *deleteCommand) Run(ctx context.Context, env *common_cli.Env, serverClie if err != nil { return fmt.Errorf("failed to delete federation relationship: %w", err) } + return c.printer.PrintProto(resp) +} - result := resp.Results[0] - switch result.Status.Code { - case int32(codes.OK): - env.Println("federation relationship deleted.") - return nil - default: - return fmt.Errorf("failed to delete federation relationship %q: %s", result.TrustDomain, result.Status.Message) +func prettyPrintDelete(env *commoncli.Env, results ...interface{}) error { + if deleteResp, ok := results[0].(*trustdomain.BatchDeleteFederationRelationshipResponse); ok && len(deleteResp.Results) > 0 { + result := deleteResp.Results[0] + switch result.Status.Code { + case int32(codes.OK): + env.Println("federation relationship deleted.") + return nil + default: + return fmt.Errorf("failed to delete federation relationship %q: %s", result.TrustDomain, result.Status.Message) + } } + + return cliprinter.ErrInternalCustomPrettyFunc } diff --git a/cmd/spire-server/cli/federation/delete_test.go b/cmd/spire-server/cli/federation/delete_test.go index b2755ace07..2c7f498a87 100644 --- a/cmd/spire-server/cli/federation/delete_test.go +++ b/cmd/spire-server/cli/federation/delete_test.go @@ -1,11 +1,12 @@ package federation import ( + "fmt" "testing" trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1" "github.com/spiffe/spire-api-sdk/proto/spire/api/types" - "github.com/spiffe/spire/cmd/spire-server/cli/common" + "github.com/spiffe/spire/pkg/server/api" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" 
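Review bot: With the status check moved out of `Run` into `prettyPrintDelete`, a non-OK per-result status becomes an error only on the pretty path; on the JSON path `Run` returns whatever `c.printer.PrintProto(resp)` returns. The updated delete test pairs `expectErrPretty` with an `expectOutJSON` carrying `"code":13` and no `expectErrJSON`, so its loop asserts exit code 0 for that case. Automation that gates on the exit status would then treat a rejected federation-relationship deletion as completed. If that is intended, say so in a doc comment on `Run`, for example `// With -output json a per-result failure is reported only in results[].status.code; the command still exits 0.` create.go follows the same pattern: its failed-create test case expects JSON output with `"code": 6` and no `expErrJSON`.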
@@ -15,9 +16,7 @@ func TestDeleteHelp(t *testing.T) { test := setupTest(t, newDeleteCommand) test.client.Help() - require.Equal(t, `Usage of federation delete: - -id string - SPIFFE ID of the trust domain`+common.AddrUsage, test.stderr.String()) + require.Equal(t, deleteUsage, test.stderr.String()) } func TestDeleteSynopsis(t *testing.T) { @@ -34,8 +33,10 @@ func TestDelete(t *testing.T) { deleteResp *trustdomainv1.BatchDeleteFederationRelationshipResponse serverErr error - expectOut string - expectErr string + expectOutPretty string + expectOutJSON string + expectErrPretty string + expectErrJSON string }{ { name: "Success", @@ -46,22 +47,26 @@ func TestDelete(t *testing.T) { deleteResp: &trustdomainv1.BatchDeleteFederationRelationshipResponse{ Results: []*trustdomainv1.BatchDeleteFederationRelationshipResponse_Result{ { - Status: &types.Status{Code: int32(codes.OK)}, + Status: api.OK(), TrustDomain: "example.org", }, }, }, - expectOut: "federation relationship deleted.\n", + expectOutPretty: "federation relationship deleted.\n", + expectOutJSON: `{"results":[{"status":{"code":0,"message":"OK"},"trust_domain":"example.org"}]}`, }, { - name: "Empty ID", - expectErr: "Error: id is required\n", + name: "Empty ID", + expectErrPretty: "Error: id is required\n", + expectErrJSON: "Error: id is required\n", }, { name: "Server client fails", args: []string{"-id", "spiffe://example.org"}, serverErr: status.Error(codes.Internal, "oh! no"), - expectErr: `Error: failed to delete federation relationship: rpc error: code = Internal desc = oh! no + expectErrPretty: `Error: failed to delete federation relationship: rpc error: code = Internal desc = oh! no +`, + expectErrJSON: `Error: failed to delete federation relationship: rpc error: code = Internal desc = oh! no `, }, { 
@@ -81,26 +86,37 @@ func TestDelete(t *testing.T) { }, }, }, - expectErr: `Error: failed to delete federation relationship "example.org": oh! no + expectErrPretty: `Error: failed to delete federation relationship "example.org": oh! no `, + expectOutJSON: `{"results":[{"status":{"code":13,"message":"oh! no"},"trust_domain":"example.org"}]}`, }, } { - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, newDeleteCommand) - test.server.err = tt.serverErr - test.server.expectDeleteReq = tt.expectReq - test.server.deleteResp = tt.deleteResp + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) { + test := setupTest(t, newDeleteCommand) + test.server.err = tt.serverErr + test.server.expectDeleteReq = tt.expectReq + test.server.deleteResp = tt.deleteResp + args := tt.args + args = append(args, "-output", format) + + rc := test.client.Run(test.args(args...)) - rc := test.client.Run(test.args(tt.args...)) - if tt.expectErr != "" { - require.Equal(t, 1, rc) - require.Equal(t, tt.expectErr, test.stderr.String()) - return - } + if tt.expectErrPretty != "" && format == "pretty" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expectErrPretty, test.stderr.String()) + return + } + if tt.expectErrJSON != "" && format == "json" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expectErrJSON, test.stderr.String()) + return + } - require.Equal(t, 0, rc) - require.Equal(t, tt.expectOut, test.stdout.String()) - require.Empty(t, test.stderr.String()) - }) + require.Equal(t, 0, rc) + requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectOutPretty, tt.expectOutJSON) + require.Empty(t, test.stderr.String()) + }) + } } } diff --git a/cmd/spire-server/cli/federation/list.go b/cmd/spire-server/cli/federation/list.go index c7893635ce..7fb536bc9c 100644 --- a/cmd/spire-server/cli/federation/list.go +++ b/cmd/spire-server/cli/federation/list.go 
@@ -8,18 +8,21 @@ import ( "github.com/mitchellh/cli" trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1" "github.com/spiffe/spire/cmd/spire-server/util" - common_cli "github.com/spiffe/spire/pkg/common/cli" + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" ) func NewListCommand() cli.Command { - return newListCommand(common_cli.DefaultEnv) + return newListCommand(commoncli.DefaultEnv) } -func newListCommand(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(listCommand)) +func newListCommand(env *commoncli.Env) cli.Command { + return util.AdaptCommand(env, &listCommand{env: env}) } type listCommand struct { + env *commoncli.Env + printer cliprinter.Printer } func (c *listCommand) Name() string { 
@@ -31,21 +34,29 @@ func (c *listCommand) Synopsis() string { } func (c *listCommand) AppendFlags(fs *flag.FlagSet) { + cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintList) } -func (c *listCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { +func (c *listCommand) Run(ctx context.Context, env *commoncli.Env, serverClient util.ServerClient) error { trustDomainClient := serverClient.NewTrustDomainClient() resp, err := trustDomainClient.ListFederationRelationships(ctx, &trustdomainv1.ListFederationRelationshipsRequest{}) if err != nil { return fmt.Errorf("error listing federation relationship: %w", err) } + return c.printer.PrintProto(resp) +} - msg := fmt.Sprintf("Found %v ", len(resp.FederationRelationships)) - msg = util.Pluralizer(msg, "federation relationship", "federation relationships", len(resp.FederationRelationships)) +func prettyPrintList(env *commoncli.Env, results ...interface{}) error { + listResp, ok := results[0].(*trustdomainv1.ListFederationRelationshipsResponse) + if !ok { + return cliprinter.ErrInternalCustomPrettyFunc + } + msg := fmt.Sprintf("Found %v ", len(listResp.FederationRelationships)) + msg = util.Pluralizer(msg, "federation relationship", "federation relationships", len(listResp.FederationRelationships)) env.Println(msg) - for _, fr := range resp.FederationRelationships { + for _, fr := range listResp.FederationRelationships { env.Println() printFederationRelationship(fr, env.Printf) } diff --git a/cmd/spire-server/cli/federation/list_test.go b/cmd/spire-server/cli/federation/list_test.go index e4105db073..9b784a6126 100644 --- a/cmd/spire-server/cli/federation/list_test.go +++ b/cmd/spire-server/cli/federation/list_test.go 
@@ -1,11 +1,11 @@ package federation import ( + "fmt" "testing" trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1" "github.com/spiffe/spire-api-sdk/proto/spire/api/types" - "github.com/spiffe/spire/cmd/spire-server/cli/common" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" @@ -15,7 +15,7 @@ func TestListHelp(t *testing.T) { test := setupTest(t, newListCommand) test.client.Help() - require.Equal(t, `Usage of federation list:`+common.AddrUsage, test.stderr.String()) + require.Equal(t, listUsage, test.stderr.String()) } func TestListSynopsis(t *testing.T) { @@ -59,14 +59,19 @@ func TestList(t *testing.T) { serverErr error - expectOut string - expectErr string + expectOutPretty string + expectOutJSON string + expectErr string }{ { - name: "no federations", - expectListReq: &trustdomainv1.ListFederationRelationshipsRequest{}, - listResp: &trustdomainv1.ListFederationRelationshipsResponse{}, - expectOut: "Found 0 federation relationships\n", + name: "no federations", + expectListReq: &trustdomainv1.ListFederationRelationshipsRequest{}, + listResp: &trustdomainv1.ListFederationRelationshipsResponse{}, + expectOutPretty: "Found 0 federation relationships\n", + expectOutJSON: `{ + "federation_relationships": [], + "next_page_token": "" +}`, }, { name: "single federation", 
@@ -74,12 +79,23 @@ func TestList(t *testing.T) { listResp: &trustdomainv1.ListFederationRelationshipsResponse{ FederationRelationships: []*types.FederationRelationship{federation1}, }, - expectOut: `Found 1 federation relationship + expectOutPretty: `Found 1 federation relationship Trust domain : foh.test Bundle endpoint URL : https://foo.test/endpoint Bundle endpoint profile : https_web `, + expectOutJSON: `{ + "federation_relationships": [ + { + "trust_domain": "foh.test", + "bundle_endpoint_url": "https://foo.test/endpoint", + "https_web": {}, + "trust_domain_bundle": null + } + ], + "next_page_token": "" +}`, }, { name: "multiple federations", @@ -91,7 +107,7 @@ Bundle endpoint profile : https_web federation3, }, }, - expectOut: `Found 3 federation relationships + expectOutPretty: `Found 3 federation relationships Trust domain : foh.test Bundle endpoint URL : https://foo.test/endpoint @@ -107,6 +123,39 @@ Bundle endpoint URL : https://baz.test/endpoint Bundle endpoint profile : https_spiffe Endpoint SPIFFE ID : spiffe://baz.test/id `, + expectOutJSON: `{ + "federation_relationships": [ + { + "trust_domain": "foh.test", + "bundle_endpoint_url": "https://foo.test/endpoint", + "https_web": {}, + "trust_domain_bundle": null + }, + { + "trust_domain": "bar.test", + "bundle_endpoint_url": "https://bar.test/endpoint", + "https_spiffe": { + "endpoint_spiffe_id": "spiffe://bar.test/id" + }, + "trust_domain_bundle": { + "trust_domain": "bar.test", + "x509_authorities": [], + "jwt_authorities": [], + "refresh_hint": "0", + "sequence_number": "0" + } + }, + { + "trust_domain": "baz.test", + "bundle_endpoint_url": "https://baz.test/endpoint", + "https_spiffe": { + "endpoint_spiffe_id": "spiffe://baz.test/id" + }, + "trust_domain_bundle": null + } + ], + "next_page_token": "" +}`, }, { name: "server fails", 
@@ -114,21 +163,25 @@ Endpoint SPIFFE ID : spiffe://baz.test/id expectErr: "Error: error listing federation relationship: rpc error: code = Internal desc = oh! no\n", }, } { - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, newListCommand) - test.server.err = tt.serverErr - test.server.expectListReq = tt.expectListReq - test.server.listResp = tt.listResp - - rc := test.client.Run(test.args(tt.args...)) - if tt.expectErr != "" { - require.Equal(t, 1, rc) - require.Equal(t, tt.expectErr, test.stderr.String()) - return - } - - require.Equal(t, 0, rc) - require.Equal(t, tt.expectOut, test.stdout.String()) - }) + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) { + test := setupTest(t, newListCommand) + test.server.err = tt.serverErr + test.server.expectListReq = tt.expectListReq + test.server.listResp = tt.listResp + args := tt.args + args = append(args, "-output", format) + + rc := test.client.Run(test.args(args...)) + if tt.expectErr != "" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expectErr, test.stderr.String()) + return + } + + require.Equal(t, 0, rc) + requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectOutPretty, tt.expectOutJSON) + }) + } } } diff --git a/cmd/spire-server/cli/federation/refresh.go b/cmd/spire-server/cli/federation/refresh.go index 1fc5a1e344..714fc38ba8 100644 --- a/cmd/spire-server/cli/federation/refresh.go +++ b/cmd/spire-server/cli/federation/refresh.go 
@@ -9,21 +9,25 @@ import ( "github.com/mitchellh/cli" "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1" "github.com/spiffe/spire/cmd/spire-server/util" - common_cli "github.com/spiffe/spire/pkg/common/cli" + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" + "github.com/spiffe/spire/pkg/server/api" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" ) func NewRefreshCommand() cli.Command { - return newRefreshCommand(common_cli.DefaultEnv) + return newRefreshCommand(commoncli.DefaultEnv) } -func newRefreshCommand(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(refreshCommand)) +func newRefreshCommand(env *commoncli.Env) cli.Command { + return util.AdaptCommand(env, &refreshCommand{env: env}) } type refreshCommand struct { - id string + id string + env *commoncli.Env + printer cliprinter.Printer } func (c *refreshCommand) Name() string { @@ -36,9 +40,10 @@ func (c *refreshCommand) Synopsis() string { func (c *refreshCommand) AppendFlags(fs *flag.FlagSet) { fs.StringVar(&c.id, "id", "", "SPIFFE ID of the trust domain") + cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintRefresh) } -func (c *refreshCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { +func (c *refreshCommand) Run(ctx context.Context, env *commoncli.Env, serverClient util.ServerClient) error { if c.id == "" { return errors.New("id is required") } 
@@ -47,13 +52,17 @@ func (c *refreshCommand) Run(ctx context.Context, env *common_cli.Env, serverCli _, err := trustDomainClient.RefreshBundle(ctx, &trustdomain.RefreshBundleRequest{ TrustDomain: c.id, }) + switch status.Code(err) { case codes.OK: - env.Println("Bundle refreshed") - return nil + return c.printer.PrintProto(api.OK()) case codes.NotFound: return fmt.Errorf("there is no federation relationship with trust domain %q", c.id) default: return fmt.Errorf("failed to refresh bundle: %w", err) } } + +func prettyPrintRefresh(env *commoncli.Env, _ ...interface{}) error { + return env.Println("Bundle refreshed") +} diff --git a/cmd/spire-server/cli/federation/refresh_test.go b/cmd/spire-server/cli/federation/refresh_test.go index 058bae573b..87635278d1 100644 --- a/cmd/spire-server/cli/federation/refresh_test.go +++ b/cmd/spire-server/cli/federation/refresh_test.go @@ -1,10 +1,10 @@ package federation import ( + "fmt" "testing" trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1" - "github.com/spiffe/spire/cmd/spire-server/cli/common" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" @@ -15,9 +15,7 @@ func TestRefreshHelp(t *testing.T) { test := setupTest(t, newRefreshCommand) test.client.Help() - require.Equal(t, `Usage of federation refresh: - -id string - SPIFFE ID of the trust domain`+common.AddrUsage, test.stderr.String()) + require.Equal(t, refreshUsage, test.stderr.String()) } func TestRefreshSynopsis(t *testing.T) { @@ -34,8 +32,9 @@ func TestRefresh(t *testing.T) { refreshResp *emptypb.Empty serverErr error - expectOut string - expectErr string + expectOutPretty string + expectOutJSON string + expectErr string }{ { name: "Success", 
@@ -43,8 +42,9 @@ func TestRefresh(t *testing.T) { expectReq: &trustdomainv1.RefreshBundleRequest{ TrustDomain: "spiffe://example.org", }, - expectOut: "Bundle refreshed\n", - refreshResp: &emptypb.Empty{}, + expectOutPretty: "Bundle refreshed\n", + expectOutJSON: `{"code":0,"message":"OK"}`, + refreshResp: &emptypb.Empty{}, }, { name: "Empty ID", @@ -65,22 +65,26 @@ func TestRefresh(t *testing.T) { `, }, } { - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, newRefreshCommand) - test.server.err = tt.serverErr - test.server.expectRefreshReq = tt.expectReq - test.server.refreshResp = tt.refreshResp + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) { + test := setupTest(t, newRefreshCommand) + test.server.err = tt.serverErr + test.server.expectRefreshReq = tt.expectReq + test.server.refreshResp = tt.refreshResp + args := tt.args + args = append(args, "-output", format) - rc := test.client.Run(test.args(tt.args...)) - if tt.expectErr != "" { - require.Equal(t, 1, rc) - require.Equal(t, tt.expectErr, test.stderr.String()) - return - } + rc := test.client.Run(test.args(args...)) + if tt.expectErr != "" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expectErr, test.stderr.String()) + return + } - require.Equal(t, 0, rc) - require.Equal(t, tt.expectOut, test.stdout.String()) - require.Empty(t, test.stderr.String()) - }) + require.Equal(t, 0, rc) + requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectOutPretty, tt.expectOutJSON) + require.Empty(t, test.stderr.String()) + }) + } } } diff --git a/cmd/spire-server/cli/federation/show.go b/cmd/spire-server/cli/federation/show.go index c5f4502252..40f0af8f3c 100644 --- a/cmd/spire-server/cli/federation/show.go +++ b/cmd/spire-server/cli/federation/show.go 
@@ -8,21 +8,25 @@ import ( "github.com/mitchellh/cli" trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1" + prototypes "github.com/spiffe/spire-api-sdk/proto/spire/api/types" "github.com/spiffe/spire/cmd/spire-server/util" - common_cli "github.com/spiffe/spire/pkg/common/cli" + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" ) func NewShowCommand() cli.Command { - return newShowCommand(common_cli.DefaultEnv) + return newShowCommand(commoncli.DefaultEnv) } -func newShowCommand(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(showCommand)) +func newShowCommand(env *commoncli.Env) cli.Command { + return util.AdaptCommand(env, &showCommand{env: env}) } type showCommand struct { // Trust domain name of the federation relationship to show trustDomain string + env *commoncli.Env + printer cliprinter.Printer } func (c *showCommand) Name() string { @@ -35,9 +39,10 @@ func (c *showCommand) Synopsis() string { func (c *showCommand) AppendFlags(f *flag.FlagSet) { f.StringVar(&c.trustDomain, "trustDomain", "", "The trust domain name of the federation relationship to show") + cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, c.prettyPrintShow) } -func (c *showCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { +func (c *showCommand) Run(ctx context.Context, env *commoncli.Env, serverClient util.ServerClient) error { if c.trustDomain == "" { return errors.New("a trust domain name is required") } 
@@ -51,6 +56,14 @@ func (c *showCommand) Run(ctx context.Context, env *common_cli.Env, serverClient return fmt.Errorf("error showing federation relationship: %w", err) } + return c.printer.PrintProto(fr) +} + +func (c *showCommand) prettyPrintShow(env *commoncli.Env, results ...interface{}) error { + fr, ok := results[0].(*prototypes.FederationRelationship) + if !ok { + return cliprinter.ErrInternalCustomPrettyFunc + } env.Printf("Found a federation relationship with trust domain %s:\n\n", c.trustDomain) printFederationRelationship(fr, env.Printf) diff --git a/cmd/spire-server/cli/federation/show_test.go b/cmd/spire-server/cli/federation/show_test.go index eaf0467aa2..22d1ff0176 100644 --- a/cmd/spire-server/cli/federation/show_test.go +++ b/cmd/spire-server/cli/federation/show_test.go @@ -1,11 +1,11 @@ package federation import ( + "fmt" "testing" trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1" "github.com/spiffe/spire-api-sdk/proto/spire/api/types" - "github.com/spiffe/spire/cmd/spire-server/cli/common" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" @@ -15,10 +15,7 @@ func TestShowHelp(t *testing.T) { test := setupTest(t, newShowCommand) test.client.Help() - require.Equal(t, `Usage of federation show:`+common.AddrUsage+ - ` -trustDomain string - The trust domain name of the federation relationship to show -`, test.stderr.String()) + require.Equal(t, showUsage, test.stderr.String()) } func TestShowSynopsis(t *testing.T) { 
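Review bot: `prettyPrintShow` reads `results[0]` before checking that the variadic `results` holds anything, so a call with no results would panic with an index-out-of-range instead of returning `cliprinter.ErrInternalCustomPrettyFunc`. Whether `cliprinter` can ever invoke the callback with an empty slice is not visible in this diff, but the guard is cheap: `if len(results) == 0 { return cliprinter.ErrInternalCustomPrettyFunc }` ahead of the type assertion. `prettyPrintUpdate` in update.go indexes `results[0]` the same way and would take the same guard. The body of `prettyPrintShow` continues past the end of this hunk.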
@@ -52,33 +49,54 @@ func TestShow(t *testing.T) { resp *types.FederationRelationship serverErr error - expectedStdout string - expectedStderr string + expectedStdoutPretty string + expectedStdoutJSON string + expectedStderr string }{ { name: "succeeds https_web", req: &trustdomainv1.GetFederationRelationshipRequest{}, resp: fr1, args: []string{"-trustDomain", "example-1.test"}, - expectedStdout: `Found a federation relationship with trust domain example-1.test: + expectedStdoutPretty: `Found a federation relationship with trust domain example-1.test: Trust domain : example-1.test Bundle endpoint URL : https://bundle-endpoint-1.test/endpoint Bundle endpoint profile : https_web `, + expectedStdoutJSON: `{ + "trust_domain": "example-1.test", + "bundle_endpoint_url": "https://bundle-endpoint-1.test/endpoint", + "https_web": {}, + "trust_domain_bundle": null +}`, }, { name: "succeeds https_spiffe", req: &trustdomainv1.GetFederationRelationshipRequest{}, resp: fr2, args: []string{"-trustDomain", "example-2.test"}, - expectedStdout: `Found a federation relationship with trust domain example-2.test: + expectedStdoutPretty: `Found a federation relationship with trust domain example-2.test: Trust domain : example-2.test Bundle endpoint URL : https://bundle-endpoint-2.test/endpoint Bundle endpoint profile : https_spiffe Endpoint SPIFFE ID : spiffe://endpoint.test/id `, + expectedStdoutJSON: `{ + "trust_domain": "example-2.test", + "bundle_endpoint_url": "https://bundle-endpoint-2.test/endpoint", + "https_spiffe": { + "endpoint_spiffe_id": "spiffe://endpoint.test/id" + }, + "trust_domain_bundle": { + "trust_domain": "endpoint.test", + "x509_authorities": [], + "jwt_authorities": [], + "refresh_hint": "0", + "sequence_number": "0" + } +}`, }, { name: "server fails", 
@@ -95,21 +113,24 @@ Endpoint SPIFFE ID : spiffe://endpoint.test/id expectedStderr: "Error: a trust domain name is required\n", }, } { - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, newShowCommand) - test.server.err = tt.serverErr - test.server.expectShowReq = tt.req - test.server.showResp = tt.resp + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) { + test := setupTest(t, newShowCommand) + test.server.err = tt.serverErr + test.server.expectShowReq = tt.req + test.server.showResp = tt.resp + args := tt.args + args = append(args, "-output", format) - rc := test.client.Run(test.args(tt.args...)) - if tt.expectedStderr != "" { - require.Equal(t, 1, rc) - require.Equal(t, tt.expectedStderr, test.stderr.String()) - return - } - - require.Equal(t, 0, rc) - require.Equal(t, tt.expectedStdout, test.stdout.String()) - }) + rc := test.client.Run(test.args(args...)) + if tt.expectedStderr != "" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expectedStderr, test.stderr.String()) + return + } + require.Equal(t, 0, rc) + requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expectedStdoutPretty, tt.expectedStdoutJSON) + }) + } } } diff --git a/cmd/spire-server/cli/federation/update.go b/cmd/spire-server/cli/federation/update.go index 69c4fa56eb..f86715356c 100644 --- a/cmd/spire-server/cli/federation/update.go +++ b/cmd/spire-server/cli/federation/update.go 
@@ -8,23 +8,28 @@ import ( "github.com/mitchellh/cli" trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1" + "github.com/spiffe/spire-api-sdk/proto/spire/api/types" "github.com/spiffe/spire/cmd/spire-server/util" - common_cli "github.com/spiffe/spire/pkg/common/cli" + commoncli "github.com/spiffe/spire/pkg/common/cli" + "github.com/spiffe/spire/pkg/common/cliprinter" "google.golang.org/grpc/codes" ) // NewUpdateCommand creates a new "update" subcommand for "federation" command. func NewUpdateCommand() cli.Command { - return newUpdateCommand(common_cli.DefaultEnv) + return newUpdateCommand(commoncli.DefaultEnv) } -func newUpdateCommand(env *common_cli.Env) cli.Command { - return util.AdaptCommand(env, new(updateCommand)) +func newUpdateCommand(env *commoncli.Env) cli.Command { + return util.AdaptCommand(env, &updateCommand{env: env}) } type updateCommand struct { - path string - config *federationRelationshipConfig + path string + config *federationRelationshipConfig + env *commoncli.Env + printer cliprinter.Printer + federationRelationships []*types.FederationRelationship } func (*updateCommand) Name() string { 
@@ -39,34 +44,45 @@ func (c *updateCommand) AppendFlags(f *flag.FlagSet) { f.StringVar(&c.path, "data", "", "Path to a file containing federation relationships in JSON format (optional). If set to '-', read the JSON from stdin.") c.config = &federationRelationshipConfig{} appendConfigFlags(c.config, f) + cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, c.prettyPrintUpdate) } -func (c *updateCommand) Run(ctx context.Context, env *common_cli.Env, serverClient util.ServerClient) error { +func (c *updateCommand) Run(ctx context.Context, env *commoncli.Env, serverClient util.ServerClient) error { federationRelationships, err := getRelationships(c.config, c.path) if err != nil { return err } + c.federationRelationships = federationRelationships client := serverClient.NewTrustDomainClient() resp, err := client.BatchUpdateFederationRelationship(ctx, &trustdomainv1.BatchUpdateFederationRelationshipRequest{ - FederationRelationships: federationRelationships, + FederationRelationships: c.federationRelationships, }) if err != nil { return fmt.Errorf("request failed: %w", err) } + return c.printer.PrintProto(resp) +} + +func (c *updateCommand) prettyPrintUpdate(env *commoncli.Env, results ...interface{}) error { + updateResp, ok := results[0].(*trustdomainv1.BatchUpdateFederationRelationshipResponse) + if !ok || len(c.federationRelationships) < len(updateResp.Results) { + return cliprinter.ErrInternalCustomPrettyFunc + } + // Process results var succeeded []*trustdomainv1.BatchUpdateFederationRelationshipResponse_Result var failed []*trustdomainv1.BatchUpdateFederationRelationshipResponse_Result - for i, r := range resp.Results { + for i, r := range updateResp.Results { switch r.Status.Code { case int32(codes.OK): succeeded = append(succeeded, r) default: // The trust domain API does not include in the results the relationships that // failed to be updated, so we populate them from the request data. 
- r.FederationRelationship = federationRelationships[i] + r.FederationRelationship = c.federationRelationships[i] failed = append(failed, r) } } diff --git a/cmd/spire-server/cli/federation/update_test.go b/cmd/spire-server/cli/federation/update_test.go index d22ab63b8e..58733e5a4e 100644 --- a/cmd/spire-server/cli/federation/update_test.go +++ b/cmd/spire-server/cli/federation/update_test.go @@ -2,6 +2,7 @@ package federation import ( "crypto/x509" + "encoding/base64" "errors" "fmt" "testing" @@ -10,8 +11,8 @@ import ( "github.com/spiffe/go-spiffe/v2/spiffeid" trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1" "github.com/spiffe/spire-api-sdk/proto/spire/api/types" - "github.com/spiffe/spire/cmd/spire-server/cli/common" "github.com/spiffe/spire/pkg/common/pemutil" + "github.com/spiffe/spire/pkg/server/api" "github.com/spiffe/spire/test/spiretest" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" 
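Review bot: `Run` now returns whatever `c.printer.PrintProto(resp)` returns, so the per-result status check lives only in `prettyPrintUpdate`; with `-output json` a result whose status is not OK is printed but, as far as this diff shows, never turned into an error. The update_test.go case "Federation relationships that failed to be updated are printed" sets only `expErrPretty` and `expOutJSON`, which pins exit code 0 for a rejected update in JSON mode. Automation that applies federation changes and checks only the exit status would then treat a rejected relationship as applied. Consider checking `resp.Results` in `Run` after printing so both formats exit non-zero; the error text below is the one the pretty-mode expectation already shows. `prettyPrintUpdate` continues past the end of this hunk.

```go
	// … unchanged: getRelationships and the BatchUpdateFederationRelationship call …
	if err := c.printer.PrintProto(resp); err != nil {
		return err
	}
	// Structured formats never reach prettyPrintUpdate, so report
	// per-result failures through the exit status here as well.
	for _, r := range resp.Results {
		if r.Status.Code != int32(codes.OK) {
			return errors.New("failed to update one or more federation relationships")
		}
	}
	return nil
}
```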
@@ -21,22 +22,7 @@ func TestUpdateHelp(t *testing.T) { test := setupTest(t, newUpdateCommand) test.client.Help() - require.Equal(t, `Usage of federation update: - -bundleEndpointProfile string - Endpoint profile type (either "https_web" or "https_spiffe") - -bundleEndpointURL string - URL of the SPIFFE bundle endpoint that provides the trust bundle (must use the HTTPS protocol) - -data string - Path to a file containing federation relationships in JSON format (optional). If set to '-', read the JSON from stdin. - -endpointSpiffeID string - SPIFFE ID of the SPIFFE bundle endpoint server. Only used for 'spiffe' profile.`+common.AddrUsage+ - ` -trustDomain string - Name of the trust domain to federate with (e.g., example.org) - -trustDomainBundleFormat string - The format of the bundle data (optional). Either "pem" or "spiffe". (default "pem") - -trustDomainBundlePath string - Path to the trust domain bundle data (optional). -`, test.stderr.String()) + require.Equal(t, updateUsage, test.stderr.String()) } func TestUpdateSynopsis(t *testing.T) { 
@@ -153,48 +139,58 @@ func TestUpdate(t *testing.T) { fakeResp *trustdomainv1.BatchUpdateFederationRelationshipResponse serverErr error - expOut string - expErr string + expOutPretty string + expErrPretty string + expOutJSON string + expErrJSON string }{ { - name: "Missing trust domain", - expErr: "Error: trust domain is required\n", + name: "Missing trust domain", + expErrPretty: "Error: trust domain is required\n", + expErrJSON: "Error: trust domain is required\n", }, { - name: "Missing bundle endpoint URL", - args: []string{"-trustDomain", "td.org"}, - expErr: "Error: bundle endpoint URL is required\n", + name: "Missing bundle endpoint URL", + args: []string{"-trustDomain", "td.org"}, + expErrPretty: "Error: bundle endpoint URL is required\n", + expErrJSON: "Error: bundle endpoint URL is required\n", }, { - name: "Unknown endpoint profile", - args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-bundleEndpointProfile", "bad-type"}, - expErr: "Error: unknown bundle endpoint profile type: \"bad-type\"\n", + name: "Unknown endpoint profile", + args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-bundleEndpointProfile", "bad-type"}, + expErrPretty: "Error: unknown bundle endpoint profile type: \"bad-type\"\n", + expErrJSON: "Error: unknown bundle endpoint profile type: \"bad-type\"\n", }, { - name: "Missing endpoint SPIFFE ID", - args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-bundleEndpointProfile", profileHTTPSSPIFFE}, - expErr: "Error: endpoint SPIFFE ID is required if 'https_spiffe' endpoint profile is set\n", + name: "Missing endpoint SPIFFE ID", + args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-bundleEndpointProfile", profileHTTPSSPIFFE}, + expErrPretty: "Error: endpoint SPIFFE ID is required if 'https_spiffe' endpoint profile is set\n", + expErrJSON: "Error: endpoint SPIFFE ID is required if 
'https_spiffe' endpoint profile is set\n", }, { - name: "Invalid bundle endpoint SPIFFE ID", - args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-endpointSpiffeID", "invalid-id", "-trustDomainBundlePath", bundlePath, "-bundleEndpointProfile", profileHTTPSSPIFFE}, - expErr: "Error: cannot parse bundle endpoint SPIFFE ID: scheme is missing or invalid\n", + name: "Invalid bundle endpoint SPIFFE ID", + args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-endpointSpiffeID", "invalid-id", "-trustDomainBundlePath", bundlePath, "-bundleEndpointProfile", profileHTTPSSPIFFE}, + expErrPretty: "Error: cannot parse bundle endpoint SPIFFE ID: scheme is missing or invalid\n", + expErrJSON: "Error: cannot parse bundle endpoint SPIFFE ID: scheme is missing or invalid\n", }, { - name: "Non-existent bundle file", - args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-endpointSpiffeID", "spiffe://td.org/bundle", "-trustDomainBundlePath", "non-existent-path", "-bundleEndpointProfile", profileHTTPSWeb}, - expErr: fmt.Sprintf("Error: cannot read bundle file: open non-existent-path: %s\n", spiretest.FileNotFound()), + name: "Non-existent bundle file", + args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-endpointSpiffeID", "spiffe://td.org/bundle", "-trustDomainBundlePath", "non-existent-path", "-bundleEndpointProfile", profileHTTPSWeb}, + expErrPretty: fmt.Sprintf("Error: cannot read bundle file: open non-existent-path: %s\n", spiretest.FileNotFound()), + expErrJSON: fmt.Sprintf("Error: cannot read bundle file: open non-existent-path: %s\n", spiretest.FileNotFound()), }, { - name: "Corrupted bundle file", - args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-endpointSpiffeID", "spiffe://td.org/bundle", "-trustDomainBundlePath", corruptedBundlePath, "-bundleEndpointProfile", profileHTTPSWeb}, - expErr: 
"Error: cannot parse bundle file: unable to parse bundle data: no PEM blocks\n", + name: "Corrupted bundle file", + args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-endpointSpiffeID", "spiffe://td.org/bundle", "-trustDomainBundlePath", corruptedBundlePath, "-bundleEndpointProfile", profileHTTPSWeb}, + expErrPretty: "Error: cannot parse bundle file: unable to parse bundle data: no PEM blocks\n", + expErrJSON: "Error: cannot parse bundle file: unable to parse bundle data: no PEM blocks\n", }, { - name: "Server error", - args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-bundleEndpointProfile", "https_web"}, - serverErr: errors.New("server error"), - expErr: "Error: request failed: rpc error: code = Unknown desc = server error\n", + name: "Server error", + args: []string{"-trustDomain", "td.org", "-bundleEndpointURL", "https://td.org/bundle", "-bundleEndpointProfile", "https_web"}, + serverErr: errors.New("server error"), + expErrPretty: "Error: request failed: rpc error: code = Unknown desc = server error\n", + expErrJSON: "Error: request failed: rpc error: code = Unknown desc = server error\n", }, { name: "Succeeds for SPIFFE profile", 
@@ -205,17 +201,35 @@ func TestUpdate(t *testing.T) { fakeResp: &trustdomainv1.BatchUpdateFederationRelationshipResponse{ Results: []*trustdomainv1.BatchUpdateFederationRelationshipResponse_Result{ { - Status: &types.Status{}, + Status: api.OK(), FederationRelationship: frSPIFFE, }, }, }, - expOut: ` + expOutPretty: ` Trust domain : td-2.org Bundle endpoint URL : https://td-2.org/bundle Bundle endpoint profile : https_spiffe Endpoint SPIFFE ID : spiffe://other.org/bundle `, + expOutJSON: `{ + "results": [ + { + "status": { + "code": 0, + "message": "OK" + }, + "federation_relationship": { + "trust_domain": "td-2.org", + "bundle_endpoint_url": "https://td-2.org/bundle", + "https_spiffe": { + "endpoint_spiffe_id": "spiffe://other.org/bundle" + }, + "trust_domain_bundle": null + } + } + ] +}`, }, { name: "Succeeds for SPIFFE profile and bundle", @@ -226,17 +240,45 @@ Endpoint SPIFFE ID : spiffe://other.org/bundle fakeResp: &trustdomainv1.BatchUpdateFederationRelationshipResponse{ Results: []*trustdomainv1.BatchUpdateFederationRelationshipResponse_Result{ { - Status: &types.Status{}, + Status: api.OK(), FederationRelationship: frSPIFFEAndBundle, }, }, }, - expOut: ` + expOutPretty: ` Trust domain : td-3.org Bundle endpoint URL : https://td-3.org/bundle Bundle endpoint profile : https_spiffe Endpoint SPIFFE ID : spiffe://td-3.org/bundle `, + expOutJSON: fmt.Sprintf(`{ + "results": [ + { + "status": { + "code": 0, + "message": "OK" + }, + "federation_relationship": { + "trust_domain": "td-3.org", + "bundle_endpoint_url": "https://td-3.org/bundle", + "https_spiffe": { + "endpoint_spiffe_id": "spiffe://td-3.org/bundle" + }, + "trust_domain_bundle": { + "trust_domain": "td-3.org", + "x509_authorities": [ + { + "asn1": "%s" + } + ], + "jwt_authorities": [], + "refresh_hint": "0", + "sequence_number": "0" + } + } + } + ] +}`, base64.StdEncoding.EncodeToString(bundle.X509Authorities[0].Asn1)), }, { name: "Succeeds for web profile", 
@@ -247,16 +289,32 @@ Endpoint SPIFFE ID : spiffe://td-3.org/bundle fakeResp: &trustdomainv1.BatchUpdateFederationRelationshipResponse{ Results: []*trustdomainv1.BatchUpdateFederationRelationshipResponse_Result{ { - Status: &types.Status{}, + Status: api.OK(), FederationRelationship: frWeb, }, }, }, - expOut: ` + expOutPretty: ` Trust domain : td-1.org Bundle endpoint URL : https://td-1.org/bundle Bundle endpoint profile : https_web `, + expOutJSON: `{ + "results": [ + { + "status": { + "code": 0, + "message": "OK" + }, + "federation_relationship": { + "trust_domain": "td-1.org", + "bundle_endpoint_url": "https://td-1.org/bundle", + "https_web": {}, + "trust_domain_bundle": null + } + } + ] +}`, }, { name: "Federation relationships that failed to be updated are printed", @@ -275,12 +333,28 @@ Bundle endpoint profile : https_web }, }, }, - expErr: `Failed to update the following federation relationship (code: AlreadyExists, msg: "the message"): + expErrPretty: `Failed to update the following federation relationship (code: AlreadyExists, msg: "the message"): Trust domain : td-1.org Bundle endpoint URL : https://td-1.org/bundle Bundle endpoint profile : https_web Error: failed to update one or more federation relationships `, + expOutJSON: `{ + "results": [ + { + "status": { + "code": 6, + "message": "the message" + }, + "federation_relationship": { + "trust_domain": "td-1.org", + "bundle_endpoint_url": "https://td-1.org/bundle", + "https_web": {}, + "trust_domain_bundle": null + } + } + ] +}`, }, { name: "Succeeds loading federation relationships from JSON file", 
@@ -295,12 +369,12 @@ Error: failed to update one or more federation relationships }, fakeResp: &trustdomainv1.BatchUpdateFederationRelationshipResponse{ Results: []*trustdomainv1.BatchUpdateFederationRelationshipResponse_Result{ - {FederationRelationship: frWeb, Status: &types.Status{}}, - {FederationRelationship: frSPIFFE, Status: &types.Status{}}, - {FederationRelationship: frPemAuthority, Status: &types.Status{}}, + {FederationRelationship: frWeb, Status: api.OK()}, + {FederationRelationship: frSPIFFE, Status: api.OK()}, + {FederationRelationship: frPemAuthority, Status: api.OK()}, }, }, - expOut: ` + expOutPretty: ` Trust domain : td-1.org Bundle endpoint URL : https://td-1.org/bundle Bundle endpoint profile : https_web 
@@ -315,44 +389,110 @@ Bundle endpoint URL : https://td-3.org/bundle Bundle endpoint profile : https_spiffe Endpoint SPIFFE ID : spiffe://td-3.org/bundle `, + expOutJSON: `{ + "results": [ + { + "status": { + "code": 0, + "message": "OK" + }, + "federation_relationship": { + "trust_domain": "td-1.org", + "bundle_endpoint_url": "https://td-1.org/bundle", + "https_web": {}, + "trust_domain_bundle": null + } + }, + { + "status": { + "code": 0, + "message": "OK" + }, + "federation_relationship": { + "trust_domain": "td-2.org", + "bundle_endpoint_url": "https://td-2.org/bundle", + "https_spiffe": { + "endpoint_spiffe_id": "spiffe://other.org/bundle" + }, + "trust_domain_bundle": null + } + }, + { + "status": { + "code": 0, + "message": "OK" + }, + "federation_relationship": { + "trust_domain": "td-3.org", + "bundle_endpoint_url": "https://td-3.org/bundle", + "https_spiffe": { + "endpoint_spiffe_id": "spiffe://td-3.org/bundle" + }, + "trust_domain_bundle": { + "trust_domain": "td-3.org", + "x509_authorities": [ + { + "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHyvsCk5yi+yhSzNu5aquQwvm8a1Wh+qw1fiHAkhDni+wq+g3TQWxYlV51TCPH030yXsRxvujD4hUUaIQrXk4KKjODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMS50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIA2dO09Xmakw2ekuHKWC4hBhCkpr5qY4bI8YUcXfxg/1AiEA67kMyH7bQnr7OVLUrL+b9ylAdZglS5kKnYigmwDh+/U=" + } + ], + "jwt_authorities": [], + "refresh_hint": "0", + "sequence_number": "0" + } + } + } + ] +}`, }, { - name: "Loading federation relationships from JSON file: invalid path", - args: []string{"-data", "somePath"}, - expErr: fmt.Sprintf("Error: open somePath: %s\n", spiretest.FileNotFound()), + name: "Loading federation relationships from JSON file: invalid path", + args: []string{"-data", "somePath"}, + expErrPretty: fmt.Sprintf("Error: open somePath: %s\n", spiretest.FileNotFound()), + expErrJSON: fmt.Sprintf("Error: open somePath: %s\n", 
spiretest.FileNotFound()), }, { - name: "Loading federation relationships from JSON file: no a json", - args: []string{"-data", bundlePath}, - expErr: "Error: failed to parse JSON: invalid character '-' in numeric literal\n", + name: "Loading federation relationships from JSON file: no a json", + args: []string{"-data", bundlePath}, + expErrPretty: "Error: failed to parse JSON: invalid character '-' in numeric literal\n", + expErrJSON: "Error: failed to parse JSON: invalid character '-' in numeric literal\n", }, { - name: "Loading federation relationships from JSON file: invalid relationship", - args: []string{"-data", jsonDataInvalidRelationship}, - expErr: "Error: could not parse item 0: trust domain is required\n", + name: "Loading federation relationships from JSON file: invalid relationship", + args: []string{"-data", jsonDataInvalidRelationship}, + expErrPretty: "Error: could not parse item 0: trust domain is required\n", + expErrJSON: "Error: could not parse item 0: trust domain is required\n", }, { - name: "Loading federation relationships from JSON file: multiple flags", - args: []string{"-data", jsonDataInvalidRelationship, "-bundleEndpointURL", "https://td-1.org/bundle"}, - expErr: "Error: cannot use other flags to specify relationship fields when 'data' flag is set\n", + name: "Loading federation relationships from JSON file: multiple flags", + args: []string{"-data", jsonDataInvalidRelationship, "-bundleEndpointURL", "https://td-1.org/bundle"}, + expErrPretty: "Error: cannot use other flags to specify relationship fields when 'data' flag is set\n", + expErrJSON: "Error: cannot use other flags to specify relationship fields when 'data' flag is set\n", }, } { - tt := tt - t.Run(tt.name, func(t *testing.T) { - test := setupTest(t, newUpdateCommand) - test.server.err = tt.serverErr - test.server.expectUpdateReq = tt.expReq - test.server.updateResp = tt.fakeResp + for _, format := range availableFormats { + t.Run(fmt.Sprintf("%s using %s format", tt.name, 
format), func(t *testing.T) { + test := setupTest(t, newUpdateCommand) + test.server.err = tt.serverErr + test.server.expectUpdateReq = tt.expReq + test.server.updateResp = tt.fakeResp + args := tt.args + args = append(args, "-output", format) - rc := test.client.Run(test.args(tt.args...)) - if tt.expErr != "" { - require.Equal(t, 1, rc) - require.Equal(t, tt.expErr, test.stderr.String()) - return - } + rc := test.client.Run(test.args(args...)) - require.Equal(t, 0, rc) - require.Equal(t, tt.expOut, test.stdout.String()) - }) + if tt.expErrPretty != "" && format == "pretty" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expErrPretty, test.stderr.String()) + return + } + if tt.expErrJSON != "" && format == "json" { + require.Equal(t, 1, rc) + require.Equal(t, tt.expErrJSON, test.stderr.String()) + return + } + require.Equal(t, 0, rc) + requireOutputBasedOnFormat(t, format, test.stdout.String(), tt.expOutPretty, tt.expOutJSON) + }) + } } } diff --git a/cmd/spire-server/cli/federation/util_posix_test.go b/cmd/spire-server/cli/federation/util_posix_test.go new file mode 100644 index 0000000000..d26d60c545 --- /dev/null +++ b/cmd/spire-server/cli/federation/util_posix_test.go 
@@ -0,0 +1,77 @@ +//go:build !windows +// +build !windows + +package federation + +const ( + createUsage = `Usage of federation create: + -bundleEndpointProfile string + Endpoint profile type (either "https_web" or "https_spiffe") + -bundleEndpointURL string + URL of the SPIFFE bundle endpoint that provides the trust bundle (must use the HTTPS protocol) + -data string + Path to a file containing federation relationships in JSON format (optional). If set to '-', read the JSON from stdin. + -endpointSpiffeID string + SPIFFE ID of the SPIFFE bundle endpoint server. Only used for 'spiffe' profile. + -output value + Desired output format (pretty, json) + -socketPath string + Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") + -trustDomain string + Name of the trust domain to federate with (e.g., example.org) + -trustDomainBundleFormat string + The format of the bundle data (optional). Either "pem" or "spiffe". (default "pem") + -trustDomainBundlePath string + Path to the trust domain bundle data (optional). 
+` + deleteUsage = `Usage of federation delete: + -id string + SPIFFE ID of the trust domain + -output value + Desired output format (pretty, json) + -socketPath string + Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") +` + listUsage = `Usage of federation list: + -output value + Desired output format (pretty, json) + -socketPath string + Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") +` + refreshUsage = `Usage of federation refresh: + -id string + SPIFFE ID of the trust domain + -output value + Desired output format (pretty, json) + -socketPath string + Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") +` + showUsage = `Usage of federation show: + -output value + Desired output format (pretty, json) + -socketPath string + Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") + -trustDomain string + The trust domain name of the federation relationship to show +` + updateUsage = `Usage of federation update: + -bundleEndpointProfile string + Endpoint profile type (either "https_web" or "https_spiffe") + -bundleEndpointURL string + URL of the SPIFFE bundle endpoint that provides the trust bundle (must use the HTTPS protocol) + -data string + Path to a file containing federation relationships in JSON format (optional). If set to '-', read the JSON from stdin. + -endpointSpiffeID string + SPIFFE ID of the SPIFFE bundle endpoint server. Only used for 'spiffe' profile. + -output value + Desired output format (pretty, json) + -socketPath string + Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") + -trustDomain string + Name of the trust domain to federate with (e.g., example.org) + -trustDomainBundleFormat string + The format of the bundle data (optional). Either "pem" or "spiffe". (default "pem") + -trustDomainBundlePath string + Path to the trust domain bundle data (optional). +` +) 
diff --git a/cmd/spire-server/cli/federation/util_windows_test.go b/cmd/spire-server/cli/federation/util_windows_test.go
new file mode 100644
index 0000000000..aa190f0344
--- /dev/null
+++ b/cmd/spire-server/cli/federation/util_windows_test.go
@@ -0,0 +1,77 @@
+//go:build windows
+// +build windows
+
+package federation
+
+const (
+ createUsage = `Usage of federation create:
+ -bundleEndpointProfile string
+ Endpoint profile type (either "https_web" or "https_spiffe")
+ -bundleEndpointURL string
+ URL of the SPIFFE bundle endpoint that provides the trust bundle (must use the HTTPS protocol)
+ -data string
+ Path to a file containing federation relationships in JSON format (optional). If set to '-', read the JSON from stdin.
+ -endpointSpiffeID string
+ SPIFFE ID of the SPIFFE bundle endpoint server. Only used for 'spiffe' profile.
+ -namedPipeName string
+ Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+ -output value
+ Desired output format (pretty, json)
+ -trustDomain string
+ Name of the trust domain to federate with (e.g., example.org)
+ -trustDomainBundleFormat string
+ The format of the bundle data (optional). Either "pem" or "spiffe". (default "pem")
+ -trustDomainBundlePath string
+ Path to the trust domain bundle data (optional).
+`
+ deleteUsage = `Usage of federation delete:
+ -id string
+ SPIFFE ID of the trust domain
+ -namedPipeName string
+ Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+ -output value
+ Desired output format (pretty, json)
+`
+ listUsage = `Usage of federation list:
+ -namedPipeName string
+ Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+ -output value
+ Desired output format (pretty, json)
+`
+ refreshUsage = `Usage of federation refresh:
+ -id string
+ SPIFFE ID of the trust domain
+ -namedPipeName string
+ Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+ -output value
+ Desired output format (pretty, json)
+`
+ showUsage = `Usage of federation show:
+ -namedPipeName string
+ Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+ -output value
+ Desired output format (pretty, json)
+ -trustDomain string
+ The trust domain name of the federation relationship to show
+`
+ updateUsage = `Usage of federation update:
+ -bundleEndpointProfile string
+ Endpoint profile type (either "https_web" or "https_spiffe")
+ -bundleEndpointURL string
+ URL of the SPIFFE bundle endpoint that provides the trust bundle (must use the HTTPS protocol)
+ -data string
+ Path to a file containing federation relationships in JSON format (optional). If set to '-', read the JSON from stdin.
+ -endpointSpiffeID string
+ SPIFFE ID of the SPIFFE bundle endpoint server. Only used for 'spiffe' profile.
+ -namedPipeName string
+ Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+ -output value
+ Desired output format (pretty, json)
+ -trustDomain string
+ Name of the trust domain to federate with (e.g., example.org)
+ -trustDomainBundleFormat string
+ The format of the bundle data (optional). Either "pem" or "spiffe". (default "pem")
+ -trustDomainBundlePath string
+ Path to the trust domain bundle data (optional).
+`
+)
From 82cbc55c166d1a8c652ad7fb8d775f63eb5127b1 Mon Sep 17 00:00:00 2001
From: Brian J Martin <15804005+bri365@users.noreply.github.com>
Date: Tue, 20 Dec 2022 19:50:21 -0500
Subject: [PATCH 228/257] Do not test EOL databases (#3709)
Signed-off-by: Brian Martin <15804005+bri365@users.noreply.github.com>
---
.../01-test-variants | 47 +------------
.../datastore-mysql-replication/README.md | 2 -
.../docker-compose.yaml | 70 -------------------
.../suites/datastore-mysql/01-test-variants | 2 -
.../suites/datastore-mysql/README.md | 2 -
.../datastore-mysql/docker-compose.yaml | 22 ------
.../01-test-variants | 1 -
.../datastore-postgres-replication/README.md | 1 -
.../docker-compose.yaml | 26 -------
.../datastore-postgres/01-test-variants | 1 -
.../suites/datastore-postgres/README.md | 1 -
.../datastore-postgres/docker-compose.yaml | 8 --------
12 files changed, 2 insertions(+), 181 deletions(-)
diff --git a/test/integration/suites/datastore-mysql-replication/01-test-variants b/test/integration/suites/datastore-mysql-replication/01-test-variants
index 09fbcbd1a8..9e2fc477a5 100755
--- a/test/integration/suites/datastore-mysql-replication/01-test-variants
+++ b/test/integration/suites/datastore-mysql-replication/01-test-variants
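Review bot: In `createUsage` and `updateUsage` the expected help for `-endpointSpiffeID` reads "Only used for 'spiffe' profile", but the only values the same text offers for `-bundleEndpointProfile` are "https_web" and "https_spiffe". An operator setting up federation cannot tell from this which profile needs the endpoint SPIFFE ID, and that ID is presumably what the bundle endpoint is authenticated against under `https_spiffe`. These constants only mirror the CLI output, so the wording has to change in the flag definition, which is outside this hunk, to something like `Only used for the 'https_spiffe' profile.`, with the fixtures updated to match. The POSIX fixture file carries the same text.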
@@ -98,31 +98,6 @@ START GROUP_REPLICATION; docker-compose exec -T "${service}" mysql -uroot "-p$mysql_root_password" -e "${replication_script}" } -# Setup a primary server with regular replication. -configure-readwrite-replication() { - service=$1 - mysql_root_password=$2 - - replication_script=" -CREATE USER '${replication_user}'@'%' IDENTIFIED BY '${replication_user_pass}'; -GRANT REPLICATION SLAVE ON *.* TO ${replication_user}@'%'; -" - docker-compose exec -T "${service}" mysql -uroot "-p$mysql_root_password" -e "${replication_script}" -} - -# Setup a replica server with regular replication. -configure-readonly-replication() { - service=$1 - mysql_root_password=$2 - primary_service=$3 - - replication_script=" -CHANGE MASTER TO MASTER_HOST='${primary_service}', MASTER_USER='${replication_user}', MASTER_PASSWORD='${replication_user_pass}', MASTER_LOG_FILE='mysql-bin-1.000002', MASTER_LOG_POS=0; -start slave; -" - docker-compose exec -T "${service}" mysql -uroot "-p$mysql_root_password" -e "${replication_script}" -} - test-mysql-replication() { service_prefix=$1 readwrite_service_name="${service_prefix}-readwrite" 
@@ -135,31 +110,13 @@ test-mysql-replication() { readwrite_root_password=$(get_mysql_root_password "${readwrite_service_name}") readonly_root_password=$(get_mysql_root_password "${readonly_service_name}") - # Use: - # - regular replication for MySql 5.5 and 5.6. - # - group replication for MySql 5.7 and 8.0 - case $service_prefix in - mysql-5-5 | mysql-5-6) - configure-readwrite-replication "${readwrite_service_name}" "${readwrite_root_password}" - configure-readonly-replication "${readonly_service_name}" "${readonly_root_password}" "${readwrite_service_name}" - ;; - - mysql-5-7 | mysql-8-0) - configure-readwrite-group-replication "${readwrite_service_name}" "${readwrite_root_password}" - configure-readonly-group-replication "${readonly_service_name}" "${readonly_root_password}" - ;; - - *) - fail-now "unsupported mysql version" - ;; - esac + configure-readwrite-group-replication "${readwrite_service_name}" "${readwrite_root_password}" + configure-readonly-group-replication "${readonly_service_name}" "${readonly_root_password}" log-info "running tests against ${readwrite_service_name} and ${readonly_service_name}..." ./mysql-replicated.test || fail-now "tests failed" docker-stop "${readwrite_service_name}" "${readonly_service_name}" } -test-mysql-replication mysql-5-5 || exit 1 -test-mysql-replication mysql-5-6 || exit 1 test-mysql-replication mysql-5-7 || exit 1 test-mysql-replication mysql-8-0 || exit 1 diff --git a/test/integration/suites/datastore-mysql-replication/README.md b/test/integration/suites/datastore-mysql-replication/README.md index 10b0d3a503..f869d3a257 100644 --- a/test/integration/suites/datastore-mysql-replication/README.md +++ b/test/integration/suites/datastore-mysql-replication/README.md @@ -5,8 +5,6 @@ Test that SPIRE Server is able to run a query in a readonly database that is replicated from a primary server, keeping it updated. The suite runs the following MySQL versions against the SQL datastore unit tests: -- 5.5 -- 5.6 - 5.7 - 8.0 
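Review bot: Dropping the `case` in `test-mysql-replication` also drops its `*)` branch, so a service prefix other than `mysql-5-7` or `mysql-8-0` is no longer rejected with `fail-now "unsupported mysql version"` and goes straight into group-replication setup. The two calls at the bottom of the file pass supported prefixes today, but a one-line guard keeps a later added variant from failing in a less obvious place: `case $service_prefix in mysql-5-7 | mysql-8-0) ;; *) fail-now "unsupported mysql version" ;; esac`. The function begins above this hunk.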
diff --git a/test/integration/suites/datastore-mysql-replication/docker-compose.yaml b/test/integration/suites/datastore-mysql-replication/docker-compose.yaml index a29907a69b..a4e1bd3429 100644 --- a/test/integration/suites/datastore-mysql-replication/docker-compose.yaml +++ b/test/integration/suites/datastore-mysql-replication/docker-compose.yaml 
@@ -1,75 +1,5 @@ version: '3.5' services: - # MySQL 5.6 containers - mysql-5-5-readwrite: - image: mysql/mysql-server:5.5 - environment: - - MYSQL_PASSWORD=test - - MYSQL_DATABASE=spire - - MYSQL_USER=spire - - MYSQL_RANDOM_ROOT_PASSWORD=yes - ports: - - "9999:3306" - container_name: mysql-5-5-readwrite - command: - - "--server-id=1" - - "--log-bin=mysql-bin-1.log" - - "--binlog-do-db=spire" - - "--innodb-flush-log-at-trx-commit=1" - - "--sync-binlog=1" - mysql-5-5-readonly: - image: mysql/mysql-server:5.5 - environment: - - MYSQL_PASSWORD=test - - MYSQL_DATABASE=spire - - MYSQL_USER=spire - - MYSQL_RANDOM_ROOT_PASSWORD=yes - ports: - - "10000:3306" - container_name: mysql-5-5-readonly - command: - - "--server-id=2" - - "--log-bin=mysql-bin-1.log" - - "--binlog-do-db=spire" - - "--relay-log=/var/lib/mysql/mysql-relay-bin" - - "--log-slave-updates=1" - - "--read-only=1" - - # MySQL 5.6 containers - mysql-5-6-readwrite: - image: mysql/mysql-server:5.6 - environment: - - MYSQL_PASSWORD=test - - MYSQL_DATABASE=spire - - MYSQL_USER=spire - - MYSQL_RANDOM_ROOT_PASSWORD=yes - ports: - - "9999:3306" - container_name: mysql-5-6-readwrite - command: - - "--server-id=1" - - "--log-bin=mysql-bin-1.log" - - "--binlog-do-db=spire" - - "--innodb-flush-log-at-trx-commit=1" - - "--sync-binlog=1" - mysql-5-6-readonly: - image: mysql/mysql-server:5.6 - environment: - - MYSQL_PASSWORD=test - - MYSQL_DATABASE=spire - - MYSQL_USER=spire - - MYSQL_RANDOM_ROOT_PASSWORD=yes - ports: - - "10000:3306" - container_name: mysql-5-6-readonly - command: - - "--server-id=2" - - "--log-bin=mysql-bin-1.log" - - "--binlog-do-db=spire" - - "--relay-log=/var/lib/mysql/mysql-relay-bin" - - "--log-slave-updates=1" - - "--read-only=1" - # MySQL 5.7 containers mysql-5-7-readwrite: image: mysql/mysql-server:5.7 diff --git a/test/integration/suites/datastore-mysql/01-test-variants b/test/integration/suites/datastore-mysql/01-test-variants index d271befe5d..b1cbad8a9f 100755 
--- a/test/integration/suites/datastore-mysql/01-test-variants +++ b/test/integration/suites/datastore-mysql/01-test-variants @@ -51,7 +51,5 @@ test-mysql() { docker-stop "${SERVICE}" } -test-mysql mysql-5-5 || exit 1 -test-mysql mysql-5-6 || exit 1 test-mysql mysql-5-7 || exit 1 test-mysql mysql-8-0 || exit 1 diff --git a/test/integration/suites/datastore-mysql/README.md b/test/integration/suites/datastore-mysql/README.md index 331b8d24cd..17f8b997e1 100644 --- a/test/integration/suites/datastore-mysql/README.md +++ b/test/integration/suites/datastore-mysql/README.md @@ -4,8 +4,6 @@ The suite runs the following MySQL versions against the SQL datastore unit tests: -- 5.5 -- 5.6 - 5.7 - 8.0 diff --git a/test/integration/suites/datastore-mysql/docker-compose.yaml b/test/integration/suites/datastore-mysql/docker-compose.yaml index f5c94ae710..27602ac68e 100644 --- a/test/integration/suites/datastore-mysql/docker-compose.yaml +++ b/test/integration/suites/datastore-mysql/docker-compose.yaml @@ -1,27 +1,5 @@ version: '3' services: - mysql-5-5: - image: mysql:5.5 - environment: - - MYSQL_PASSWORD=test - - MYSQL_DATABASE=spire - - MYSQL_USER=spire - - MYSQL_RANDOM_ROOT_PASSWORD=yes - tmpfs: - - /var/lib/mysql - ports: - - "9999:3306" - mysql-5-6: - image: mysql:5.6 - environment: - - MYSQL_PASSWORD=test - - MYSQL_DATABASE=spire - - MYSQL_USER=spire - - MYSQL_RANDOM_ROOT_PASSWORD=yes - tmpfs: - - /var/lib/mysql - ports: - - "9999:3306" mysql-5-7: image: mysql:5.7 environment: diff --git a/test/integration/suites/datastore-postgres-replication/01-test-variants b/test/integration/suites/datastore-postgres-replication/01-test-variants index 356d433387..be52d463f9 100755 --- a/test/integration/suites/datastore-postgres-replication/01-test-variants +++ b/test/integration/suites/datastore-postgres-replication/01-test-variants 
@@ -35,7 +35,6 @@ test-postgres() { docker-stop "${readwrite_service_name}" "${readonly_service_name}" } -test-postgres postgres-9 || exit 1 test-postgres postgres-10 || exit 1 test-postgres postgres-11 || exit 1 test-postgres postgres-12 || exit 1 diff --git a/test/integration/suites/datastore-postgres-replication/README.md b/test/integration/suites/datastore-postgres-replication/README.md index 2203685b15..5e0f94eb2b 100644 --- a/test/integration/suites/datastore-postgres-replication/README.md +++ b/test/integration/suites/datastore-postgres-replication/README.md @@ -5,7 +5,6 @@ Test that SPIRE Server is able to run a query in a readonly database that is replicated from a primary server, keeping it updated. The suite runs the following PostgreSQL versions against the SQL datastore unit tests: -- 9.x (latest) - 10.x (latest) - 11.x (latest) - 12.x (latest) diff --git a/test/integration/suites/datastore-postgres-replication/docker-compose.yaml b/test/integration/suites/datastore-postgres-replication/docker-compose.yaml index b241feb92a..43b9fd1f62 100644 --- a/test/integration/suites/datastore-postgres-replication/docker-compose.yaml +++ b/test/integration/suites/datastore-postgres-replication/docker-compose.yaml @@ -1,31 +1,5 @@ version: '3' services: - postgres-9-readwrite: - image: postgres:9 - environment: - - POSTGRES_PASSWORD=password - - POSTGRES_USER=postgres - - POSTGRES_DB=spire - - PG_REP_USER=rep - - PG_REP_PASSWORD=pass - volumes: - - ./principal/init.sh:/docker-entrypoint-initdb.d/init.sh - ports: - - "9999:5432" - postgres-9-readonly: - image: postgres:9 - user: postgres - environment: - - POSTGRES_PASSWORD=password - - POSTGRES_USER=postgres - - PG_REP_USER=rep - - PG_REP_PASSWORD=pass - - PRINCIPAL_NAME=postgres-9-readwrite - entrypoint: ["/docker-entrypoint.sh", "postgres"] - volumes: - - ./replica/docker-entrypoint.sh:/docker-entrypoint.sh - ports: - - "10000:5432" postgres-10-readwrite: image: postgres:10 environment: 
diff --git a/test/integration/suites/datastore-postgres/01-test-variants b/test/integration/suites/datastore-postgres/01-test-variants index d311cf84fd..8cd4ac4d6d 100755 --- a/test/integration/suites/datastore-postgres/01-test-variants +++ b/test/integration/suites/datastore-postgres/01-test-variants @@ -28,7 +28,6 @@ test-postgres() { docker-stop "${SERVICE}" } -test-postgres postgres-9 || exit 1 test-postgres postgres-10 || exit 1 test-postgres postgres-11 || exit 1 test-postgres postgres-12 || exit 1 diff --git a/test/integration/suites/datastore-postgres/README.md b/test/integration/suites/datastore-postgres/README.md index db4f266d2b..db8e26406c 100644 --- a/test/integration/suites/datastore-postgres/README.md +++ b/test/integration/suites/datastore-postgres/README.md @@ -4,7 +4,6 @@ The suite runs the following PostgreSQL versions against the SQL datastore unit tests: -- 9.x (latest) - 10.x (latest) - 11.x (latest) - 12.x (latest) diff --git a/test/integration/suites/datastore-postgres/docker-compose.yaml b/test/integration/suites/datastore-postgres/docker-compose.yaml index 3e174cf9be..6e8c679950 100644 --- a/test/integration/suites/datastore-postgres/docker-compose.yaml +++ b/test/integration/suites/datastore-postgres/docker-compose.yaml @@ -1,13 +1,5 @@ version: '3' services: - postgres-9: - image: postgres:9 - environment: - - POSTGRES_PASSWORD=password - tmpfs: - - /var/lib/postgresql - ports: - - "9999:5432" postgres-10: image: postgres:10 environment: From db16fecd6a163a340df093cb249cfcc4a076f448 Mon Sep 17 00:00:00 2001 From: Guilherme Oliveira do Carmo Carvalho <33766735+guilhermocc@users.noreply.github.com> Date: Wed, 21 Dec 2022 12:14:18 -0300 Subject: [PATCH 229/257] Add default value to output format flag description (#3713) * Add default value to output format flag description 
Signed-off-by: Guilherme Carvalho --- cmd/spire-server/cli/agent/agent_posix_test.go | 10 +++++----- cmd/spire-server/cli/agent/agent_windows_test.go | 10 +++++----- cmd/spire-server/cli/bundle/bundle_posix_test.go | 10 +++++----- cmd/spire-server/cli/bundle/bundle_windows_test.go | 10 +++++----- cmd/spire-server/cli/entry/util_posix_test.go | 10 +++++----- cmd/spire-server/cli/entry/util_windows_test.go | 10 +++++----- cmd/spire-server/cli/federation/util_posix_test.go | 12 ++++++------ cmd/spire-server/cli/federation/util_windows_test.go | 12 ++++++------ pkg/common/cliprinter/flag.go | 9 ++++++++- 9 files changed, 50 insertions(+), 43 deletions(-) diff --git a/cmd/spire-server/cli/agent/agent_posix_test.go b/cmd/spire-server/cli/agent/agent_posix_test.go index b6275c7ecc..c80fdb0081 100644 --- a/cmd/spire-server/cli/agent/agent_posix_test.go +++ b/cmd/spire-server/cli/agent/agent_posix_test.go @@ -8,7 +8,7 @@ var ( -matchSelectorsOn string The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -selector value A colon-delimited type:value selector. Can be used more than once -socketPath string @@ -16,7 +16,7 @@ var ( ` banUsage = `Usage of agent ban: -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -socketPath string Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") -spiffeID string @@ -24,7 +24,7 @@ var ( ` evictUsage = `Usage of agent evict: -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -socketPath string Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") -spiffeID string 
@@ -32,13 +32,13 @@ var ( ` countUsage = `Usage of agent count: -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -socketPath string Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") ` showUsage = `Usage of agent show: -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -socketPath string Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") -spiffeID string diff --git a/cmd/spire-server/cli/agent/agent_windows_test.go b/cmd/spire-server/cli/agent/agent_windows_test.go index bb1fc856c2..4b63d02443 100644 --- a/cmd/spire-server/cli/agent/agent_windows_test.go +++ b/cmd/spire-server/cli/agent/agent_windows_test.go @@ -10,7 +10,7 @@ var ( -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -selector value A colon-delimited type:value selector. Can be used more than once ` @@ -18,7 +18,7 @@ var ( -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -spiffeID string The SPIFFE ID of the agent to ban (agent identity) ` @@ -26,7 +26,7 @@ var ( -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -spiffeID string The SPIFFE ID of the agent to evict (agent identity) ` 
@@ -34,13 +34,13 @@ var ( -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. ` showUsage = `Usage of agent show: -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -spiffeID string The SPIFFE ID of the agent to show (agent identity) ` diff --git a/cmd/spire-server/cli/bundle/bundle_posix_test.go b/cmd/spire-server/cli/bundle/bundle_posix_test.go index 9bcaefd90e..ab18144c65 100644 --- a/cmd/spire-server/cli/bundle/bundle_posix_test.go +++ b/cmd/spire-server/cli/bundle/bundle_posix_test.go @@ -10,7 +10,7 @@ var ( -id string SPIFFE ID of the trust domain -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -path string Path to the bundle data -socketPath string @@ -18,7 +18,7 @@ var ( ` countUsage = `Usage of bundle count: -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -socketPath string Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") ` @@ -28,7 +28,7 @@ var ( -mode string Deletion mode: one of restrict, delete, or dissociate (default "restrict") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -socketPath string Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") ` @@ -38,7 +38,7 @@ var ( -id string SPIFFE ID of the trust domain -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -socketPath string Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") ` 
@@ -46,7 +46,7 @@ var ( -format string The format to show the bundle (only pretty output format supports this flag). Either "pem" or "spiffe". (default "pem") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -socketPath string Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") ` diff --git a/cmd/spire-server/cli/bundle/bundle_windows_test.go b/cmd/spire-server/cli/bundle/bundle_windows_test.go index 6f5d235f5d..c1e002f24d 100644 --- a/cmd/spire-server/cli/bundle/bundle_windows_test.go +++ b/cmd/spire-server/cli/bundle/bundle_windows_test.go @@ -12,7 +12,7 @@ var ( -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -path string Path to the bundle data ` @@ -22,13 +22,13 @@ var ( -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. ` countUsage = `Usage of bundle count: -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. ` listUsage = `Usage of bundle list: -format string @@ -38,7 +38,7 @@ var ( -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. ` deleteUsage = `Usage of bundle delete: -id string 
@@ -48,6 +48,6 @@ var ( -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. ` ) diff --git a/cmd/spire-server/cli/entry/util_posix_test.go b/cmd/spire-server/cli/entry/util_posix_test.go index d055fc2d77..f010b04de4 100644 --- a/cmd/spire-server/cli/entry/util_posix_test.go +++ b/cmd/spire-server/cli/entry/util_posix_test.go @@ -22,7 +22,7 @@ const ( -node If set, this entry will be applied to matching nodes rather than workloads -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -parentID string The SPIFFE ID of this record's parent -selector value @@ -50,7 +50,7 @@ const ( -matchSelectorsOn string The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -parentID string The Parent ID of the records to show -selector value @@ -78,7 +78,7 @@ const ( -jwtSVIDTTL int The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -parentID string The SPIFFE ID of this record's parent -selector value 
@@ -98,13 +98,13 @@ const ( -entryID string The Registration Entry ID of the record to delete -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -socketPath string Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") ` countUsage = `Usage of entry count: -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -socketPath string Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") ` diff --git a/cmd/spire-server/cli/entry/util_windows_test.go b/cmd/spire-server/cli/entry/util_windows_test.go index 945f0d354c..0f11661160 100644 --- a/cmd/spire-server/cli/entry/util_windows_test.go +++ b/cmd/spire-server/cli/entry/util_windows_test.go @@ -24,7 +24,7 @@ const ( -node If set, this entry will be applied to matching nodes rather than workloads -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -parentID string The SPIFFE ID of this record's parent -selector value @@ -52,7 +52,7 @@ const ( -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -parentID string The Parent ID of the records to show -selector value @@ -80,7 +80,7 @@ const ( -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -parentID string The SPIFFE ID of this record's parent -selector value 
@@ -100,12 +100,12 @@ const ( -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. ` countUsage = `Usage of entry count: -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. ` ) diff --git a/cmd/spire-server/cli/federation/util_posix_test.go b/cmd/spire-server/cli/federation/util_posix_test.go index d26d60c545..61549af1be 100644 --- a/cmd/spire-server/cli/federation/util_posix_test.go +++ b/cmd/spire-server/cli/federation/util_posix_test.go @@ -14,7 +14,7 @@ const ( -endpointSpiffeID string SPIFFE ID of the SPIFFE bundle endpoint server. Only used for 'spiffe' profile. -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -socketPath string Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") -trustDomain string @@ -28,13 +28,13 @@ const ( -id string SPIFFE ID of the trust domain -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -socketPath string Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") ` listUsage = `Usage of federation list: -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -socketPath string Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") ` 
@@ -42,13 +42,13 @@ const ( -id string SPIFFE ID of the trust domain -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -socketPath string Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") ` showUsage = `Usage of federation show: -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -socketPath string Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") -trustDomain string @@ -64,7 +64,7 @@ const ( -endpointSpiffeID string SPIFFE ID of the SPIFFE bundle endpoint server. Only used for 'spiffe' profile. -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -socketPath string Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") -trustDomain string diff --git a/cmd/spire-server/cli/federation/util_windows_test.go b/cmd/spire-server/cli/federation/util_windows_test.go index aa190f0344..3a694743dc 100644 --- a/cmd/spire-server/cli/federation/util_windows_test.go +++ b/cmd/spire-server/cli/federation/util_windows_test.go @@ -16,7 +16,7 @@ const ( -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -trustDomain string Name of the trust domain to federate with (e.g., example.org) -trustDomainBundleFormat string 
@@ -30,13 +30,13 @@ const ( -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. ` listUsage = `Usage of federation list: -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. ` refreshUsage = `Usage of federation refresh: -id string @@ -44,13 +44,13 @@ const ( -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. ` showUsage = `Usage of federation show: -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -trustDomain string The trust domain name of the federation relationship to show ` @@ -66,7 +66,7 @@ const ( -namedPipeName string Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api") -output value - Desired output format (pretty, json) + Desired output format (pretty, json); default: pretty. -trustDomain string Name of the trust domain to federate with (e.g., example.org) -trustDomainBundleFormat string diff --git a/pkg/common/cliprinter/flag.go b/pkg/common/cliprinter/flag.go index 5711cc60e9..fc4cf741b1 100644 --- a/pkg/common/cliprinter/flag.go +++ b/pkg/common/cliprinter/flag.go 
@@ -10,6 +10,13 @@ import ( const defaultFlagName = "output" +var flagDescription = fmt.Sprintf( + "Desired output format (%s, %s); default: %s.", + formatTypeToStr(pretty), + formatTypeToStr(json), + formatTypeToStr(defaultFormatType), +) + // AppendFlag adds the -format flag to the provided flagset, and populates // the referenced Printer interface with a properly configured printer. func AppendFlag(p *Printer, fs *flag.FlagSet, env *commoncli.Env) *FormatterFlag { @@ -34,7 +41,7 @@ func AppendFlagWithCustomPretty(p *Printer, fs *flag.FlagSet, env *commoncli.Env customPretty: cp, } - fs.Var(f, defaultFlagName, "Desired output format (pretty, json)") + fs.Var(f, defaultFlagName, flagDescription) return f } From 3cfae580aaf6e55971301ba0f3b2e3d06531e22b Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Wed, 21 Dec 2022 21:27:39 +0100 Subject: [PATCH 230/257] Utilize more native Make features to reduce duplication (#3679) Signed-off-by: Marco Franssen --- Dockerfile.scratch | 8 +++--- Makefile | 61 ++++++++++++++++++++++------------------------ 2 files changed, 33 insertions(+), 36 deletions(-) diff --git a/Dockerfile.scratch b/Dockerfile.scratch index 3d105b8b7a..9d4a17ef25 100644 --- a/Dockerfile.scratch +++ b/Dockerfile.scratch 
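Review bot: The new `flagDescription` lists the two formats by hand (`pretty`, `json`) while taking the default from `defaultFormatType`, so the list can go stale if another format type is added, and the variable has no comment saying so. I would add `// flagDescription is the help text for the output flag; keep the format list in sync with the supported format types.` above it. Separately, the context comment on `AppendFlag` still says it adds the `-format` flag, whereas the name registered is `defaultFlagName = "output"`; `// AppendFlag adds the -output flag to the provided flagset, and populates` would match what the code does.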
@@ -18,18 +18,18 @@ COPY --from=builder /newtmp /tmp # SPIRE Server FROM spire-base AS spire-server-scratch ENTRYPOINT ["/opt/spire/bin/spire-server", "run"] -COPY --from=builder /spire/bin/spire-server-static bin/spire-server +COPY --from=builder /spire/bin/static/spire-server bin/ FROM spire-base AS spire-agent-scratch ENTRYPOINT ["/opt/spire/bin/spire-agent", "run"] -COPY --from=builder /spire/bin/spire-agent-static bin/spire-agent +COPY --from=builder /spire/bin/static/spire-agent bin/ # K8S Workload Registrar FROM spire-base AS k8s-workload-registrar-scratch ENTRYPOINT ["/opt/spire/bin/k8s-workload-registrar"] -COPY --from=builder /spire/bin/k8s-workload-registrar-static bin/k8s-workload-registrar +COPY --from=builder /spire/bin/static/k8s-workload-registrar bin/ # OIDC Discovery Provider FROM spire-base AS oidc-discovery-provider-scratch ENTRYPOINT ["/opt/spire/bin/oidc-discovery-provider"] -COPY --from=builder /spire/bin/oidc-discovery-provider-static bin/oidc-discovery-provider +COPY --from=builder /spire/bin/static/oidc-discovery-provider bin/ diff --git a/Makefile b/Makefile index 9e041cd493..af3c17b903 100644 --- a/Makefile +++ b/Makefile @@ -111,6 +111,8 @@ endif # Vars ############################################################################ +binaries := spire-server spire-agent oidc-discovery-provider k8s-workload-registrar + build_dir := $(DIR)/.build/$(os1)-$(arch1) go_version_full := $(shell cat .go-version) 
@@ -238,56 +240,51 @@ ifeq ($(git_dirty),) go_ldflags += -X github.com/spiffe/spire/pkg/common/version.githash=$(git_hash) endif endif -go_ldflags := '${go_ldflags}' ############################################################################# # Build Targets ############################################################################# .PHONY: build +build: tidy $(addprefix bin/,$(binaries)) -build: tidy bin/spire-server bin/spire-agent bin/k8s-workload-registrar bin/oidc-discovery-provider +go_build := $(go_path) go build $(go_flags) -ldflags '$(go_ldflags)' -o -define binary_rule -.PHONY: $1 -$1: | go-check bin/ - @echo Building $1... - $(E)$(go_path) go build $$(go_flags) -ldflags $$(go_ldflags) -o $1$(exe) $2 -endef +bin/%: cmd/% FORCE | go-check + @echo Building $@… + $(E)$(go_build) $@$(exe) ./$< -# main SPIRE binaries -$(eval $(call binary_rule,bin/spire-server,./cmd/spire-server)) -$(eval $(call binary_rule,bin/spire-agent,./cmd/spire-agent)) -$(eval $(call binary_rule,bin/k8s-workload-registrar,./support/k8s/k8s-workload-registrar)) -$(eval $(call binary_rule,bin/oidc-discovery-provider,./support/oidc-discovery-provider)) +bin/%: support/% FORCE | go-check + @echo Building $@… + $(E)$(go_build) $@$(exe) ./$< -bin/: - @mkdir -p $@ +bin/%: support/k8s/% FORCE | go-check + @echo Building $@… + $(E)$(go_build) $@$(exe) ./$< ############################################################################# # Build Static binaries for scratch docker images ############################################################################# .PHONY: build-static - # The build-static is intended to statically link to musl libc. # There are possibilities of unexpected errors when statically link to GLIBC. 
-build-static: tidy bin/spire-server-static bin/spire-agent-static bin/k8s-workload-registrar-static bin/oidc-discovery-provider-static - # https://7thzero.com/blog/golang-w-sqlite3-docker-scratch-image -define binary_rule_static -.PHONY: $1 -$1: | go-check bin/ - @echo Building $1... - $(E)$(go_path) CGO_ENABLED=1 go build $$(go_flags) -ldflags '-s -w -linkmode external -extldflags "-static"' -o $1$(exe) $2 +build-static: tidy $(addprefix bin/static/,$(binaries)) -endef +go_build_static := $(go_path) go build $(go_flags) -ldflags '$(go_ldflags) -linkmode external -extldflags "-static"' -o + +bin/static/%: cmd/% FORCE | go-check + @echo Building $@… + $(E)$(go_build_static) $@$(exe) ./$< + +bin/static/%: support/% FORCE | go-check + @echo Building $@… + $(E)$(go_build_static) $@$(exe) ./$< -# static builds -$(eval $(call binary_rule_static,bin/spire-server-static,./cmd/spire-server)) -$(eval $(call binary_rule_static,bin/spire-agent-static,./cmd/spire-agent)) -$(eval $(call binary_rule_static,bin/k8s-workload-registrar-static,./support/k8s/k8s-workload-registrar)) -$(eval $(call binary_rule_static,bin/oidc-discovery-provider-static,./support/oidc-discovery-provider)) +bin/static/%: support/k8s/% FORCE | go-check + @echo Building $@… + $(E)$(go_build_static) $@$(exe) ./$< ############################################################################# # Test Targets @@ -346,7 +343,7 @@ $1: $3 endef .PHONY: images -images: spire-server-image spire-agent-image k8s-workload-registrar-image oidc-discovery-provider-image +images: $(addsuffix -image,$(binaries)) $(eval $(call image_rule,spire-server-image,spire-server,Dockerfile)) $(eval $(call image_rule,spire-agent-image,spire-agent,Dockerfile)) 
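Review bot: The new `go_build_static` recipe sets no `CGO_ENABLED=1` and passes no `-s -w`, both of which the removed `binary_rule_static` had, so this refactor changes how the scratch-image binaries are built rather than only removing duplication. The comment kept above the target points at a statically linked sqlite3 build, which suggests cgo is needed; unless `go_path` (defined outside the hunk) already exports it, an environment with `CGO_ENABLED=0` is no longer overridden. If the change is unintended, keep both: `go_build_static := $(go_path) CGO_ENABLED=1 go build $(go_flags) -ldflags '$(go_ldflags) -s -w -linkmode external -extldflags "-static"' -o`. The pattern rules also depend on a `FORCE` target that this hunk does not define.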
@@ -358,7 +355,7 @@ $(eval $(call image_rule,oidc-discovery-provider-image,oidc-discovery-provider,D ############################################################################# .PHONY: scratch-images -scratch-images: spire-server-scratch-image spire-agent-scratch-image k8s-workload-registrar-scratch-image oidc-discovery-provider-scratch-image +scratch-images: $(addsuffix -scratch-image,$(binaries)) $(eval $(call image_rule,spire-server-scratch-image,spire-server-scratch,Dockerfile.scratch)) $(eval $(call image_rule,spire-agent-scratch-image,spire-agent-scratch,Dockerfile.scratch)) @@ -370,7 +367,7 @@ $(eval $(call image_rule,oidc-discovery-provider-scratch-image,oidc-discovery-pr ############################################################################# .PHONY: images-windows -images-windows: spire-server-windows-image spire-agent-windows-image k8s-workload-registrar-windows-image oidc-discovery-provider-windows-image +images-windows: $(addsuffix -windows-image,$(binaries)) $(eval $(call image_rule,spire-server-windows-image,spire-server-windows,Dockerfile.windows)) $(eval $(call image_rule,spire-agent-windows-image,spire-agent-windows,Dockerfile.windows)) From 1f4a382b01b24b0f4f4510cb1d8b64d848ecebe0 Mon Sep 17 00:00:00 2001 From: Matheus Santos Date: Wed, 21 Dec 2022 21:04:04 -0300 Subject: [PATCH 231/257] =?UTF-8?q?refactor:=20removed=20some=20empty=20li?= =?UTF-8?q?nes=20and=20moved=20unexported=20functions=20and=E2=80=A6=20(#2?= =?UTF-8?q?00)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit refactor: removed some empty lines and moved unexported functions and structs to the end of the file Signed-off-by: Matheus Santos Signed-off-by: Matheus Santos --- .../plugin/workloadattestor/k8s/k8s_posix.go | 1 - .../workloadattestor/k8s/sigstore/sigstore.go | 93 +++++++++---------- 2 files changed, 46 insertions(+), 48 deletions(-) 
diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index 717c3d7f28..9589b73799 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go @@ -214,7 +214,6 @@ func canonicalizePodUID(uid string) types.UID { func configureSigstoreClient(client sigstore.Sigstore, c *SigstoreHCLConfig, log hclog.Logger) error { // Configure sigstore settings - enforceSCT := true if c.EnforceSCT != nil { enforceSCT = *c.EnforceSCT diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 3aa6367919..156f4fc3de 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go 
@@ -90,48 +90,6 @@ func New(cache Cache, logger hclog.Logger) Sigstore { } } -func defaultCheckOptsFunction(rekorURL url.URL, enforceSCT ...bool) (*cosign.CheckOpts, error) { - if len(enforceSCT) > 1 { - return nil, errors.New("enforceSCT can be only one value") - } - if len(enforceSCT) == 0 { - enforceSCT = append(enforceSCT, true) - } - switch { - case rekorURL.Host == "": - return nil, errors.New("rekor URL host is empty") - case rekorURL.Scheme == "": - return nil, errors.New("rekor URL scheme is empty") - case rekorURL.Path == "": - return nil, errors.New("rekor URL path is empty") - } - - rootCerts, err := fulcio.GetRoots() - if err != nil { - return nil, fmt.Errorf("failed to get fulcio root certificates: %w", err) - } - - co := &cosign.CheckOpts{ - // Set the rekor client - RekorClient: rekor.NewHTTPClientWithConfig(nil, rekor.DefaultTransportConfig().WithBasePath(rekorURL.Path).WithHost(rekorURL.Host)), - RootCerts: rootCerts, - EnforceSCT: enforceSCT[0], - } - co.IntermediateCerts, err = fulcio.GetIntermediates() - - return co, err -} - -type sigstoreImpl struct { - functionHooks sigstoreFunctionHooks - skippedImages map[string]struct{} - subjectAllowList map[string]map[string]struct{} - rekorURL url.URL - logger hclog.Logger - sigstorecache Cache - enforceSCT bool -} - func (s *sigstoreImpl) SetEnforceSCT(enforceSCT bool) { s.enforceSCT = enforceSCT } @@ -180,10 +138,10 @@ func (s *sigstoreImpl) ExtractSelectorsFromSignatures(signatures []oci.Signature sigSelectors, err := s.SelectorValuesFromSignature(sig) if err != nil { s.logger.Error("error extracting selectors from signature", "error", err, telemetry.ContainerID, containerID) + + continue } - if sigSelectors != nil { - selectors = append(selectors, *sigSelectors) - } + selectors = append(selectors, *sigSelectors) } return selectors } 
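Review bot: In `ExtractSelectorsFromSignatures` the `if sigSelectors != nil` guard is removed and `*sigSelectors` is now dereferenced whenever `err` is nil, so a `(nil, nil)` return from `SelectorValuesFromSignature` would panic the agent during workload attestation instead of skipping that signature. Most of that function's body is outside this hunk, so I cannot confirm that every non-error path returns a non-nil pointer. Either keep a cheap guard after the error check, `if sigSelectors == nil { continue }`, or state the contract on `SelectorValuesFromSignature` with `// A nil error guarantees a non-nil result.`. The enclosing function starts above the hunk.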
@@ -200,7 +158,6 @@ func (s *sigstoreImpl) SelectorValuesFromSignature(signature oci.Signature) (*Se } issuer, err := getSignatureProvider(signature) - if err != nil { return nil, fmt.Errorf("error getting signature provider: %w", err) } @@ -361,6 +318,38 @@ func (s *sigstoreImpl) SetRekorURL(rekorURL string) error { return nil } +func defaultCheckOptsFunction(rekorURL url.URL, enforceSCT ...bool) (*cosign.CheckOpts, error) { + if len(enforceSCT) > 1 { + return nil, errors.New("enforceSCT can be only one value") + } + if len(enforceSCT) == 0 { + enforceSCT = append(enforceSCT, true) + } + switch { + case rekorURL.Host == "": + return nil, errors.New("rekor URL host is empty") + case rekorURL.Scheme == "": + return nil, errors.New("rekor URL scheme is empty") + case rekorURL.Path == "": + return nil, errors.New("rekor URL path is empty") + } + + rootCerts, err := fulcio.GetRoots() + if err != nil { + return nil, fmt.Errorf("failed to get fulcio root certificates: %w", err) + } + + co := &cosign.CheckOpts{ + // Set the rekor client + RekorClient: rekor.NewHTTPClientWithConfig(nil, rekor.DefaultTransportConfig().WithBasePath(rekorURL.Path).WithHost(rekorURL.Host)), + RootCerts: rootCerts, + EnforceSCT: enforceSCT[0], + } + co.IntermediateCerts, err = fulcio.GetIntermediates() + + return co, err +} + func getSignatureSubject(signature oci.Signature) (string, error) { if signature == nil { return "", errors.New("signature is nil") @@ -431,7 +420,7 @@ func getBundleSignatureContent(bundle *bundle.RekorBundle) (string, error) { body64, ok := bundle.Payload.Body.(string) if !ok { returnedType := fmt.Sprintf("expected payload body to be a string but got %T instead", bundle.Payload.Body) - return "", errors.New(returnedType) + return "", fmt.Errorf(returnedType) } body, err := base64.StdEncoding.DecodeString(body64) if err != nil { 
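Review bot: `defaultCheckOptsFunction` rejects an empty `rekorURL.Scheme` but then builds the Rekor client from `rekorURL.Host` and `rekorURL.Path` only, so the scheme the operator configured does not appear to reach the transport. Which scheme is then used depends on `rekor.DefaultTransportConfig()`, which this page does not show; if that default is not HTTPS, transparency-log lookups would travel unencrypted. Consider checking for `https` in the `switch` and passing the scheme explicitly by appending `.WithSchemes([]string{rekorURL.Scheme})` to the config chain. Separately, the last two lines return a non-nil `co` together with the error from `fulcio.GetIntermediates()`; returning `nil, err` on failure keeps a caller from using half-initialised check options. The same body appears as context in the later `@@ -318,13 +317,7 @@` hunk.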
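Review bot: In `getBundleSignatureContent` the new `fmt.Errorf(returnedType)` passes an already formatted message as the format string, which `go vet` reports as a non-constant format string and which would reinterpret any `%` in that text as a verb. Drop the intermediate variable and format once: `return "", fmt.Errorf("expected payload body to be a string but got %T instead", bundle.Payload.Body)`. The function starts and ends outside the hunk.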
@@ -479,6 +468,16 @@ type fetchImageManifestFunctionType func(name.Reference, ...remote.Option) (*rem type checkOptsFunctionType func(url.URL, ...bool) (*cosign.CheckOpts, error) +type sigstoreImpl struct { + functionHooks sigstoreFunctionHooks + skippedImages map[string]struct{} + subjectAllowList map[string]map[string]struct{} + rekorURL url.URL + logger hclog.Logger + sigstorecache Cache + enforceSCT bool +} + type sigstoreFunctionHooks struct { verifyFunction verifyFunctionType fetchImageManifestFunction fetchImageManifestFunctionType From 2e693e34dbfd40109d64959ac8c30a4597535907 Mon Sep 17 00:00:00 2001 From: joaoguazzelli Date: Wed, 21 Dec 2022 22:20:48 -0300 Subject: [PATCH 232/257] Add fixes (#201) * fix: changed optional parameter to pointer Signed-off-by: joaoguazzelli * fix: removed unused parameter Signed-off-by: joaoguazzelli * fix: changed import order Signed-off-by: joaoguazzelli * fix: changed pointer logic Signed-off-by: joaoguazzelli * fix: changed pointer logic in moved function Signed-off-by: joaoguazzelli Signed-off-by: joaoguazzelli --- .../workloadattestor/k8s/sigstore/sigstore.go | 13 +++---------- .../workloadattestor/k8s/sigstore/sigstore_test.go | 9 +++++---- 2 files changed, 8 insertions(+), 14 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 156f4fc3de..beeb84e5f7 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -84,7 +84,6 @@ func New(cache Cache, logger hclog.Logger) Sigstore { checkOptsFunction: defaultCheckOptsFunction, }, - enforceSCT: true, logger: logger, sigstorecache: cache, } 
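Review bot: Removing `enforceSCT: true,` from the struct literal in `New` makes the zero value `false` the constructor's default, so a `Sigstore` whose caller never invokes `SetEnforceSCT` would build its `cosign.CheckOpts` with SCT enforcement off. `configureSigstoreClient` in `k8s_posix.go` computes a default of `true`, but whether every user of `New` goes through it is not visible here, and a verifier should fail closed on its own. I would keep the line `enforceSCT: true,` in `New`; the `bool` parameter this commit gives `defaultCheckOptsFunction` does not require dropping it. `New`'s body starts outside the hunk.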
@@ -318,13 +317,7 @@ func (s *sigstoreImpl) SetRekorURL(rekorURL string) error { return nil } -func defaultCheckOptsFunction(rekorURL url.URL, enforceSCT ...bool) (*cosign.CheckOpts, error) { - if len(enforceSCT) > 1 { - return nil, errors.New("enforceSCT can be only one value") - } - if len(enforceSCT) == 0 { - enforceSCT = append(enforceSCT, true) - } +func defaultCheckOptsFunction(rekorURL url.URL, enforceSCT bool) (*cosign.CheckOpts, error) { switch { case rekorURL.Host == "": return nil, errors.New("rekor URL host is empty") @@ -343,7 +336,7 @@ func defaultCheckOptsFunction(rekorURL url.URL, enforceSCT ...bool) (*cosign.Che // Set the rekor client RekorClient: rekor.NewHTTPClientWithConfig(nil, rekor.DefaultTransportConfig().WithBasePath(rekorURL.Path).WithHost(rekorURL.Host)), RootCerts: rootCerts, - EnforceSCT: enforceSCT[0], + EnforceSCT: enforceSCT, } co.IntermediateCerts, err = fulcio.GetIntermediates() @@ -466,7 +459,7 @@ type verifyFunctionType func(context.Context, name.Reference, *cosign.CheckOpts) type fetchImageManifestFunctionType func(name.Reference, ...remote.Option) (*remote.Descriptor, error) -type checkOptsFunctionType func(url.URL, ...bool) (*cosign.CheckOpts, error) +type checkOptsFunctionType func(url.URL, bool) (*cosign.CheckOpts, error) type sigstoreImpl struct { functionHooks sigstoreFunctionHooks diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index ea01d592a7..f40416779e 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go 
@@ -76,10 +76,11 @@ func TestSigstoreimpl_FetchImageSignatures(t *testing.T) { functionBindings sigstoreFunctionBindings rekorURL url.URL } + enforceSCT := true - defaultCheckOpts, err := defaultCheckOptsFunction(rekorDefaultURL()) + defaultCheckOpts, err := defaultCheckOptsFunction(rekorDefaultURL(), enforceSCT) require.NoError(t, err) - emptyURLCheckOpts, emptyError := defaultCheckOptsFunction(url.URL{}) + emptyURLCheckOpts, emptyError := defaultCheckOptsFunction(url.URL{}, enforceSCT) require.Nil(t, emptyURLCheckOpts) require.EqualError(t, emptyError, "rekor URL host is empty") @@ -1946,7 +1947,7 @@ func createNilFetchFunction() fetchFunctionBinding { func createCheckOptsFunction(returnCheckOpts *cosign.CheckOpts, returnErr error) checkOptsFunctionBinding { bindCheckOptsArgumentsFunction := func(t require.TestingT, checkOptsArguments *checkOptsFunctionArguments) checkOptsFunctionType { - newCheckOptsFunction := func(url url.URL, enforceSCT ...bool) (*cosign.CheckOpts, error) { + newCheckOptsFunction := func(url url.URL, enforceSCT bool) (*cosign.CheckOpts, error) { checkOptsArguments.url = url return returnCheckOpts, returnErr } @@ -1957,7 +1958,7 @@ func createCheckOptsFunction(returnCheckOpts *cosign.CheckOpts, returnErr error) func createNilCheckOptsFunction() checkOptsFunctionBinding { bindCheckOptsArgumentsFunction := func(t require.TestingT, checkOptsArguments *checkOptsFunctionArguments) checkOptsFunctionType { - failFunction := func(url url.URL, enforceSCT ...bool) (*cosign.CheckOpts, error) { + failFunction := func(url url.URL, enforceSCT bool) (*cosign.CheckOpts, error) { require.FailNow(t, "nil check opts function should not be called") return nil, fmt.Errorf("nil check opts function should not be called") } From ba9e4248743336af7db44b167cf88802c532d8f7 Mon Sep 17 00:00:00 2001 From: Matheus Santos Date: Wed, 21 Dec 2022 22:21:33 -0300 Subject: [PATCH 233/257] refactor: removed some tests from k8s_windows_test.go file as suggested (#202) 
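Review bot: The fake in `createCheckOptsFunction` still records only `checkOptsArguments.url` and discards the new `enforceSCT` argument, so no test in these hunks would notice the verifier passing `false` where enforcement is expected. Since this commit also changes how the default reaches `defaultCheckOptsFunction`, I would capture the value next to the URL with `checkOptsArguments.enforceSCT = enforceSCT`, add a matching field on `checkOptsFunctionArguments` (declared outside the hunk), and assert it in the cases that exercise `FetchImageSignatures`. The test helpers continue outside the hunks.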
Signed-off-by: Matheus Santos Signed-off-by: Matheus Santos --- .../workloadattestor/k8s/k8s_windows_test.go | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_windows_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_windows_test.go index 9da254ef79..31b87593a4 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_windows_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_windows_test.go @@ -109,25 +109,6 @@ func TestContainerHelper(t *testing.T) { assert.Empty(t, podID) assert.Equal(t, "", containerID) }) - - t.Run("configure fails when sigstore is enabled", func(t *testing.T) { - rekorURL := "https://test.org" - config := &HCLConfig{ - Experimental: &ExperimentalK8SConfig{ - Sigstore: &SigstoreHCLConfig{RekorURL: &rekorURL}, - }, - } - err := cHelper.Configure(config, hclog.NewNullLogger()) - spiretest.RequireGRPCStatus(t, err, codes.InvalidArgument, "sigstore configuration is not supported on windows environment") - }) - - t.Run("get os selectors returns empty list", func(t *testing.T) { - selectors, err := cHelper.GetOSSelectors(context.Background(), hclog.NewNullLogger(), &corev1.ContainerStatus{ - ContainerID: "cID", - }) - assert.NoError(t, err) - assert.Empty(t, selectors) - }) } type fakeProcessHelper struct { From feb4f85fa79ed7ee82e501462cecf24cf396eb83 Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Wed, 21 Dec 2022 22:22:13 -0300 Subject: [PATCH 234/257] markdown table fixes (#203) lint: reformatted md tables for compliance Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes --- doc/plugin_agent_workloadattestor_k8s.md | 60 ++++++++++++------------ 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index 7a13cacc10..fd51ba8c1f 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md 
@@ -46,27 +46,27 @@ server name validation against the kubelet certificate. **Note** To run on Windows containers, Kubernetes v1.24+ and containerd v1.6+ are required, since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/) container is required on the agent container. -| Configuration | Description | -| ------------- | ----------- | -| `disable_container_selectors` | If true, container selectors are not produced. This can be used to produce pod selectors when the workload pod is known but the workload container is not ready at the time of attestation. | -| `kubelet_read_only_port` | The kubelet read-only port. This is mutually exclusive with `kubelet_secure_port`.| -| `kubelet_secure_port` | The kubelet secure port. It defaults to `10250` unless `kubelet_read_only_port` is set. | -| `kubelet_ca_path` | The path on disk to a file containing CA certificates used to verify the kubelet certificate. Required unless `skip_kubelet_verification` is set. Defaults to the cluster CA bundle `/run/secrets/kubernetes.io/serviceaccount/ca.crt`. | -| `skip_kubelet_verification` | If true, kubelet certificate verification is skipped | -| `token_path` | The path on disk to the bearer token used for kubelet authentication. Defaults to the service account token `/run/secrets/kubernetes.io/serviceaccount/token` | -| `certificate_path` | The path on disk to client certificate used for kubelet authentication | -| `private_key_path` | The path on disk to client key used for kubelet authentication | -| `use_anonymous_authentication` | If true, use anonymous authentication for kubelet communication | -| `node_name_env` | The environment variable used to obtain the node name. Defaults to `MY_NODE_NAME`. | -| `node_name` | The name of the node. Overrides the value obtained by the environment variable specified by `node_name_env`. | -| `experimental` | The experimental options that are subject to change or removal. 
| - -| Experimental options | Description | -| -------------------- | ----------- | -| `sigstore` | Sigstore options. Options described below. See [Sigstore workload attestor for SPIRE](#sigstore-workload-attestor-for-spire)| +| Configuration | Description | +| ------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `disable_container_selectors` | If true, container selectors are not produced. This can be used to produce pod selectors when the workload pod is known but the workload container is not ready at the time of attestation. | +| `kubelet_read_only_port` | The kubelet read-only port. This is mutually exclusive with `kubelet_secure_port`. | +| `kubelet_secure_port` | The kubelet secure port. It defaults to `10250` unless `kubelet_read_only_port` is set. | +| `kubelet_ca_path` | The path on disk to a file containing CA certificates used to verify the kubelet certificate. Required unless `skip_kubelet_verification` is set. Defaults to the cluster CA bundle `/run/secrets/kubernetes.io/serviceaccount/ca.crt`. | +| `skip_kubelet_verification` | If true, kubelet certificate verification is skipped | +| `token_path` | The path on disk to the bearer token used for kubelet authentication. Defaults to the service account token `/run/secrets/kubernetes.io/serviceaccount/token` | +| `certificate_path` | The path on disk to client certificate used for kubelet authentication | +| `private_key_path` | The path on disk to client key used for kubelet authentication | +| `use_anonymous_authentication` | If true, use anonymous authentication for kubelet communication | +| `node_name_env` | The environment variable used to obtain the node name. Defaults to `MY_NODE_NAME`. | +| `node_name` | The name of the node. 
Overrides the value obtained by the environment variable specified by `node_name_env`. | +| `experimental` | The experimental options that are subject to change or removal. | + +| Experimental options | Description | +| -------------------- | ---------------------------------------------------------------------------------------------------------------------------- | +| `sigstore` | Sigstore options. Options described below. See [Sigstore workload attestor for SPIRE](#sigstore-workload-attestor-for-spire) | | Sigstore options | Description | -|------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `skip_signature_verification_image_list` | The list of images, described as digest hashes, that should be skipped in signature verification. Defaults to empty list. | | `allowed_subjects_list` | A map of allowed subject strings, keyed by the OIDC Provider URI, that are trusted and are allowed to sign container images artifacts. Defaults to empty. If empty, no workload will pass signature validation, unless listed on `skip_signature_verification_image_list`. (eg. `"https://accounts.google.com" = ["subject1@example.com","subject2@example.com"]`). | | `rekor_url` | The rekor URL to use with cosign. Required. See notes below. | 
@@ -97,10 +97,10 @@ This effectively securely pins the CA roots. We allow you to also specify truste ### K8s selectors -| Selector | Value | -| -------- | ----- | -| k8s:ns | The workload's namespace | -| k8s:sa | The workload's service account | +| Selector | Value | +| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| k8s:ns | The workload's namespace | +| k8s:sa | The workload's service account | | k8s:container-image | The Image OR ImageID of the container in the workload's pod which is requesting an SVID, [as reported by K8S](https://pkg.go.dev/k8s.io/api/core/v1#ContainerStatus). Selector value may be an image tag, such as: `docker.io/envoyproxy/envoy-alpine:v1.16.0`, or a resolved SHA256 image digest, such as `docker.io/envoyproxy/envoy-alpine@sha256:bf862e5f5eca0a73e7e538224578c5cf867ce2be91b5eaed22afc153c00363eb` | | k8s:container-name | The name of the workload's container | | k8s:node-name | The name of the workload's node | 
@@ -116,13 +116,13 @@ This effectively securely pins the CA roots. We allow you to also specify truste Sigstore enabled selectors (available when configured to use sigstore) -| Selector | Value | -| -------- | ----- | -| k8s:${containerID}:image-signature-content | A containerID is an unique alphanumeric number for each container. The value of the signature itself in a hash (eg. "k8s:000000:image-signature-content:MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=")| -| k8s:${containerID}:image-signature-subject | OIDC principal that signed it​ (eg. "k8s:000000:image-signature-subject:spirex@example.com")| -| k8s:${containerID}:image-signature-logid | A unique LogID for the Rekor transparency log​ (eg. "k8s:000000:image-signature-logid:samplelogID") | -| k8s:${containerID}:image-signature-integrated-time | The time (in Unix timestamp format) when the image signature was integrated into the signature transparency log​ (eg. "k8s:000000:image-signature-integrated-time:12345") | -| k8s:sigstore-validation | The confirmation if the signature is valid, has value of "passed" (eg. "k8s:sigstore-validation:passed") | +| Selector | Value | +| -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| k8s:${containerID}:image-signature-content | A containerID is an unique alphanumeric number for each container. The value of the signature itself in a hash (eg. "k8s:000000:image-signature-content:MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=") | +| k8s:${containerID}:image-signature-subject | OIDC principal that signed it​ (eg. 
"k8s:000000:image-signature-subject:spirex@example.com") | +| k8s:${containerID}:image-signature-logid | A unique LogID for the Rekor transparency log​ (eg. "k8s:000000:image-signature-logid:samplelogID") | +| k8s:${containerID}:image-signature-integrated-time | The time (in Unix timestamp format) when the image signature was integrated into the signature transparency log​ (eg. "k8s:000000:image-signature-integrated-time:12345") | +| k8s:sigstore-validation | The confirmation if the signature is valid, has value of "passed" (eg. "k8s:sigstore-validation:passed") | > **Note** `container-image` will ONLY match against the specific container in the pod that is contacting SPIRE on behalf of > the pod, whereas `pod-image` and `pod-init-image` will match against ANY container or init container in the Pod, > respectively. From ef3aa2e1d3f8e996dca720942068de7a00971a72 Mon Sep 17 00:00:00 2001 From: Rodrigo Lopes Date: Wed, 21 Dec 2022 22:23:40 -0300 Subject: [PATCH 235/257] moved OIDC token issuer Object Identifier var to sigstore.go (#204) Signed-off-by: Rodrigo Lopes Signed-off-by: Rodrigo Lopes --- .../plugin/workloadattestor/k8s/sigstore/sigstore.go | 10 +++++++--- .../workloadattestor/k8s/sigstore/sigstore_test.go | 5 ----- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index beeb84e5f7..dc57ff612a 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go 
@@ -35,6 +35,11 @@ const ( signatureVerifiedSelector = "sigstore-validation:passed" ) +var ( + // OIDC token issuer Object Identifier + OIDCIssuerOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1} +) + type Sigstore interface { AttestContainerSignatures(ctx context.Context, status *corev1.ContainerStatus) ([]string, error) FetchImageSignatures(ctx context.Context, imageName string) ([]oci.Signature, error) @@ -395,10 +400,9 @@ func certOIDCProvider(cert *x509.Certificate) (string, error) { if cert == nil { return "", errors.New("certificate is nil") } - // OIDC token issuer Object Identifier - objectIdentifier := asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1} + for _, ext := range cert.Extensions { - if ext.Id.Equal(objectIdentifier) { + if ext.Id.Equal(OIDCIssuerOID) { return string(ext.Value), nil } } diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index f40416779e..b303419f1b 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -8,7 +8,6 @@ import ( "context" "crypto/x509" "crypto/x509/pkix" - "encoding/asn1" "errors" "fmt" "net/url" @@ -31,10 +30,6 @@ const ( maximumAmountCache = 10 ) -var ( - OIDCIssuerOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1} -) - func TestNew(t *testing.T) { newcache := NewCache(maximumAmountCache) want := &sigstoreImpl{ From 9d0b194f4cf98954bb79aed07c3b85c0999462a4 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Thu, 22 Dec 2022 16:58:32 +0100 Subject: [PATCH 236/257] Limit workflow job permissions to bare minimum (#3706) This allows to narrow down workflow permissions in GitHub settings See https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs and https://docs.github.com/en/actions/security-guides/automatic-token-authentication\#permissions-for-the-github_token 
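Review bot: `OIDCIssuerOID` is added to the production package as an exported, mutable `var`, and `certOIDCProvider` now depends on it to pick the certificate extension that is read as the signer's OIDC issuer. Any importing package could reassign it and change what the attestor treats as the issuer. The tests call unexported names such as `defaultCheckOptsFunction`, so they appear to live in the same package and do not need the export; I would declare `var oidcIssuerOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}` and use that name in `certOIDCProvider` and the tests. `certOIDCProvider`'s body continues outside the hunk.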
Signed-off-by: Marco Franssen --- .github/workflows/depsreview.yaml | 7 +-- .github/workflows/nightly_build.yaml | 8 ++-- .github/workflows/pr_build.yaml | 56 ++++++++++++++++++++++++ .github/workflows/release_build.yaml | 65 ++++++++++++++++++++++++++++ 4 files changed, 130 insertions(+), 6 deletions(-) diff --git a/.github/workflows/depsreview.yaml b/.github/workflows/depsreview.yaml index da99d0c548..58da4b9ddd 100644 --- a/.github/workflows/depsreview.yaml +++ b/.github/workflows/depsreview.yaml @@ -1,12 +1,13 @@ name: 'Dependency Review' on: [pull_request] -permissions: - contents: read - jobs: dependency-review: runs-on: ubuntu-latest + + permissions: + contents: read + steps: - name: 'Checkout Repository' uses: actions/checkout@v3 diff --git a/.github/workflows/nightly_build.yaml b/.github/workflows/nightly_build.yaml index e253eab737..7eddbd6b6d 100644 --- a/.github/workflows/nightly_build.yaml +++ b/.github/workflows/nightly_build.yaml @@ -4,9 +4,6 @@ on: # Random minute number to avoid GH scheduler stampede - cron: '37 21 * * *' workflow_dispatch: {} -permissions: - contents: read - packages: write env: NIGHTLY: true @@ -14,6 +11,11 @@ env: jobs: build-and-publish-images: runs-on: ubuntu-20.04 + + permissions: + contents: read + packages: write + steps: - name: Checkout uses: actions/checkout@v3 diff --git a/.github/workflows/pr_build.yaml b/.github/workflows/pr_build.yaml index 5fb102c376..4bed964df6 100644 --- a/.github/workflows/pr_build.yaml +++ b/.github/workflows/pr_build.yaml @@ -11,6 +11,10 @@ jobs: cache-deps: name: cache-deps (linux) runs-on: ubuntu-20.04 + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -30,6 +34,10 @@ jobs: name: lint (linux) runs-on: ubuntu-20.04 needs: cache-deps + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 
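Review bot: `depsreview.yaml` and `nightly_build.yaml` lose their workflow-level `permissions:` block in favour of per-job blocks, so any job without a block of its own (now or added later) falls back to the repository's default `GITHUB_TOKEN` permissions. The job lists are only partly visible in these hunks, so I cannot confirm that every job is covered. I would keep a deny-by-default baseline at the top of each workflow, `permissions: {}`, and leave the per-job grants as added here; the same applies to `pr_build.yaml` and `release_build.yaml`.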
@@ -64,6 +72,10 @@ jobs: OS: [ubuntu-20.04, macos-latest] runs-on: ${{ matrix.OS }} needs: cache-deps + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -83,6 +95,10 @@ jobs: name: unit-test (linux with race detection) runs-on: ubuntu-20.04 needs: cache-deps + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -102,6 +118,10 @@ jobs: name: artifacts (linux) runs-on: ubuntu-20.04 needs: [cache-deps] + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -133,6 +153,10 @@ jobs: name: images (linux) runs-on: ubuntu-20.04 needs: [cache-deps] + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -166,6 +190,10 @@ jobs: name: images (windows) runs-on: windows-2022 needs: artifact-windows + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -189,6 +217,10 @@ jobs: scratch-images: runs-on: ubuntu-20.04 needs: [cache-deps] + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -222,6 +254,10 @@ jobs: name: integration (linux) runs-on: ubuntu-20.04 needs: [cache-deps, images, scratch-images] + + permissions: + contents: read + strategy: fail-fast: false matrix: @@ -278,6 +314,10 @@ jobs: name: integration (windows) runs-on: windows-2022 needs: images-windows + + permissions: + contents: read + defaults: run: shell: msys2 {0} @@ -325,6 +365,10 @@ jobs: cache-deps-windows: name: cache-deps (windows) runs-on: windows-2022 + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -344,6 +388,10 @@ jobs: name: lint (windows) runs-on: windows-2022 needs: cache-deps-windows + + permissions: + contents: read + defaults: run: shell: msys2 {0} @@ -387,6 +435,10 @@ jobs: name: unit-test (windows) runs-on: windows-2022 needs: cache-deps-windows + + permissions: + contents: read + defaults: run: shell: msys2 {0} 
@@ -419,6 +471,10 @@ jobs: name: artifact (windows) runs-on: windows-2022 needs: cache-deps-windows + + permissions: + contents: read + defaults: run: shell: msys2 {0} diff --git a/.github/workflows/release_build.yaml b/.github/workflows/release_build.yaml index a6016e84e3..447c8e7bce 100644 --- a/.github/workflows/release_build.yaml +++ b/.github/workflows/release_build.yaml @@ -9,6 +9,10 @@ jobs: cache-deps: name: cache-deps (linux) runs-on: ubuntu-20.04 + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -28,6 +32,10 @@ jobs: name: lint (linux) runs-on: ubuntu-20.04 needs: cache-deps + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -62,6 +70,10 @@ jobs: OS: [ubuntu-20.04, macos-latest] runs-on: ${{ matrix.OS }} needs: cache-deps + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -81,6 +93,10 @@ jobs: name: unit-test (linux with race detection) runs-on: ubuntu-20.04 needs: cache-deps + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -100,6 +116,10 @@ jobs: name: artifacts (linux) runs-on: ubuntu-20.04 needs: [cache-deps] + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -131,6 +151,10 @@ jobs: name: images (linux) runs-on: ubuntu-20.04 needs: [cache-deps] + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -164,6 +188,10 @@ jobs: name: images (windows) runs-on: windows-2022 needs: artifact-windows + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -187,6 +215,10 @@ jobs: scratch-images: runs-on: ubuntu-20.04 needs: [cache-deps] + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -220,6 +252,10 @@ jobs: name: integration (linux) runs-on: ubuntu-20.04 needs: [cache-deps, images, scratch-images] + + permissions: + contents: read + strategy: fail-fast: false matrix: 
@@ -287,6 +323,10 @@ jobs: name: integration (windows) runs-on: windows-2022 needs: images-windows + + permissions: + contents: read + defaults: run: shell: msys2 {0} @@ -334,6 +374,10 @@ jobs: cache-deps-windows: name: cache-deps (windows) runs-on: windows-2022 + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -353,6 +397,10 @@ jobs: name: lint (windows) runs-on: windows-2022 needs: cache-deps-windows + + permissions: + contents: read + defaults: run: shell: msys2 {0} @@ -396,6 +444,10 @@ jobs: name: unit-test (windows) runs-on: windows-2022 needs: cache-deps-windows + + permissions: + contents: read + defaults: run: shell: msys2 {0} @@ -428,6 +480,10 @@ jobs: name: artifact (windows) runs-on: windows-2022 needs: cache-deps-windows + + permissions: + contents: read + defaults: run: shell: msys2 {0} @@ -478,6 +534,10 @@ jobs: runs-on: ubuntu-20.04 needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, lint-windows, unit-test-windows, artifact-windows, integration-windows] + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -501,6 +561,11 @@ jobs: publish-images: runs-on: ubuntu-20.04 needs: [lint, unit-test, unit-test-race-detector, artifacts, integration] + + permissions: + contents: read + packages: write + steps: - name: Checkout uses: actions/checkout@v3 From f6ca2805f7d311f38aa52ec7334bc374588a32b3 Mon Sep 17 00:00:00 2001 From: Marcos Yacob Date: Thu, 22 Dec 2022 13:48:09 -0300 Subject: [PATCH 237/257] Add DS_Store to .gitignore (#3710) Signed-off-by: Marcos Yacob --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index f161e7397b..449485a6a9 100644 --- a/.gitignore +++ b/.gitignore @@ -3,6 +3,7 @@ .data .glide .tmp +.DS_Store *.swp *.log /bin From 2094f5dacf3f466df625fcfcbd8e6e4e0c7a30dd Mon Sep 17 00:00:00 2001 
From: Guilherme Oliveira do Carmo Carvalho <33766735+guilhermocc@users.noreply.github.com> Date: Thu, 22 Dec 2022 15:16:50 -0300 Subject: [PATCH 238/257] Disable dynamic service config to ensure default one (#3712) Signed-off-by: Guilherme Carvalho --- pkg/agent/attestor/node/node.go | 1 + pkg/agent/client/dial.go | 1 + 2 files changed, 2 insertions(+) diff --git a/pkg/agent/attestor/node/node.go b/pkg/agent/attestor/node/node.go index 2d5e78c045..be854945d8 100644 --- a/pkg/agent/attestor/node/node.go +++ b/pkg/agent/attestor/node/node.go @@ -259,6 +259,7 @@ func (a *attestor) serverConn(ctx context.Context, bundle *bundleutil.Bundle) (* return grpc.DialContext(ctx, a.c.ServerAddress, grpc.WithDefaultServiceConfig(roundRobinServiceConfig), + grpc.WithDisableServiceConfig(), grpc.FailOnNonTempDialError(true), grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), grpc.WithReturnConnectionError(), diff --git a/pkg/agent/client/dial.go b/pkg/agent/client/dial.go index 74c603fe71..ee6625391a 100644 --- a/pkg/agent/client/dial.go +++ b/pkg/agent/client/dial.go @@ -65,6 +65,7 @@ func DialServer(ctx context.Context, config DialServerConfig) (*grpc.ClientConn, } client, err := config.dialContext(ctx, config.Address, grpc.WithDefaultServiceConfig(roundRobinServiceConfig), + grpc.WithDisableServiceConfig(), grpc.FailOnNonTempDialError(true), grpc.WithBlock(), grpc.WithReturnConnectionError(), From 45d29f7b2d15d73b9cf4ad021a39c46958ef3d03 Mon Sep 17 00:00:00 2001 
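Review bot: `grpc.WithDisableServiceConfig()` is added in `serverConn` right after `grpc.WithDefaultServiceConfig(roundRobinServiceConfig)` with no comment, and the pairing reads as contradictory unless the reader knows the option only disables resolver-supplied config. A one-line comment above it would record the intent: `// Ignore service config returned by the name resolver so roundRobinServiceConfig is always the one applied.` The same comment belongs on the identical line added to `DialServer` in pkg/agent/client/dial.go. Both functions start and end outside their hunks.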
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 22 Dec 2022 16:10:35 -0300 Subject: [PATCH 239/257] Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.75.0 to 1.77.0 (#3714) Bumps [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) from 1.75.0 to 1.77.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.75.0...service/ec2/v1.77.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 10 +++++----- go.sum | 20 ++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/go.mod b/go.mod index a3e3f22c76..e852670737 100644 --- a/go.mod +++ b/go.mod @@ -17,12 +17,12 @@ require ( github.com/Microsoft/go-winio v0.6.0 github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 github.com/armon/go-metrics v0.4.1 - github.com/aws/aws-sdk-go-v2 v1.17.2 + github.com/aws/aws-sdk-go-v2 v1.17.3 github.com/aws/aws-sdk-go-v2/config v1.18.2 github.com/aws/aws-sdk-go-v2/credentials v1.13.2 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19 github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 - github.com/aws/aws-sdk-go-v2/service/ec2 v1.75.0 + github.com/aws/aws-sdk-go-v2/service/ec2 v1.77.0 github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 github.com/aws/aws-sdk-go-v2/service/kms v1.19.0 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 
@@ -102,10 +102,10 @@ require ( github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect github.com/agnivade/levenshtein v1.1.1 // indirect github.com/armon/go-radix v1.0.0 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.21 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.3.26 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.21 // indirect github.com/aws/aws-sdk-go-v2/service/sso v1.11.25 // indirect github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.8 // indirect github.com/aws/smithy-go v1.13.5 // indirect diff --git a/go.sum b/go.sum index b35665ae5a..c3178cf4eb 100644 --- a/go.sum +++ b/go.sum 
@@ -376,8 +376,8 @@ github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:l github.com/aws/aws-sdk-go-v2 v1.16.13/go.mod h1:xSyvSnzh0KLs5H4HJGeIEsNYemUWdNIl0b/rP6SIsLU= github.com/aws/aws-sdk-go-v2 v1.16.15/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= github.com/aws/aws-sdk-go-v2 v1.17.1/go.mod h1:JLnGeGONAyi2lWXI1p0PCIOIy333JMVK1U7Hf0aRFLw= -github.com/aws/aws-sdk-go-v2 v1.17.2 h1:r0yRZInwiPBNpQ4aDy/Ssh3ROWsGtKDwar2JS8Lm+N8= -github.com/aws/aws-sdk-go-v2 v1.17.2/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= +github.com/aws/aws-sdk-go-v2 v1.17.3 h1:shN7NlnVzvDUgPQ+1rLMSxY8OWRNDRYtiqe0p/PgrhY= +github.com/aws/aws-sdk-go-v2 v1.17.3/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= github.com/aws/aws-sdk-go-v2/config v1.18.2 h1:tRhTb3xMZsB0gW0sXWpqs9FeIP8iQp5SvnvwiPXzHwo= github.com/aws/aws-sdk-go-v2/config v1.18.2/go.mod h1:9XVoZTdD8ICjrgI5ddb8j918q6lEZkFYpb7uohgvU6c= github.com/aws/aws-sdk-go-v2/credentials v1.13.2 h1:F/v1w0XcFDZjL0bCdi9XWJenoPKjGbzljBhDKcryzEQ= 
@@ -387,24 +387,24 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19/go.mod h1:VihW95zQpeKQWVP github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.20/go.mod h1:gdZ5gRUaxThXIZyZQ8MTtgYBk2jbHgp05BO3GcD9Cwc= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.22/go.mod h1:/vNv5Al0bpiF8YdX2Ov6Xy05VTiXsql94yUqJMYaj0w= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25/go.mod h1:Zb29PYkf42vVYQY6pvSyJCJcFHlPIiY+YKdPtwnvMkY= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26 h1:5WU31cY7m0tG+AiaXuXGoMzo2GBQ1IixtWa8Yywsgco= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26/go.mod h1:2E0LdbJW6lbeU4uxjum99GZzI0ZjDpAb0CoSCM0oeEY= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27 h1:I3cakv2Uy1vNmmhRQmFptYDxOvBnwCdNwyw63N0RaRU= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27/go.mod h1:a1/UpzeyBBerajpnP5nGZa9mGzsBn5cOKxm6NWQsvoI= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.14/go.mod h1:GEV9jaDPIgayiU+uevxwozcvUOjc+P4aHE2BeSjm2vE= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.16/go.mod h1:62dsXI0BqTIGomDl8Hpm33dv0OntGaVblri3ZRParVQ= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19/go.mod h1:6Q0546uHDp421okhmmGfbxzq2hBqbXFNpi4k+Q1JnQA= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20 h1:WW0qSzDWoiWU2FS5DbKpxGilFVlCEJPwx4YtjdfI0Jw= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20/go.mod h1:/+6lSiby8TBFpTVXZgKiN/rCfkYXEGvhlM4zCgPpt7w= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.21 h1:5NbbMrIzmUn/TXFqAle6mgrH5m9cOvMLRGL7pnG8tRE= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.21/go.mod h1:+Gxn8jYn5k9ebfHEqlhrMirFjSW0v0C9fI+KN5vk2kE= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.26 h1:Mza+vlnZr+fPKFKRq/lKGVvM6B/8ZZmNdEopOwSQLms= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.26/go.mod h1:Y2OJ+P+MC1u1VKnavT+PshiEuGPyh/7DqxoDNij4/bg= github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0 h1:2f0kb+39miQPRp0b7Sqq06+TpxI0Nfcra41QxzJPME8= 
github.com/aws/aws-sdk-go-v2/service/acmpca v1.19.0/go.mod h1:AVLIBQ9V7mcHd5uZT1+wUbBt4QaI/XcOens85Ib0W1o= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.75.0 h1:F0v9HcF7/PSmgG7O7qnVOZLTRb2I2ajrIql+hFSkouU= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.75.0/go.mod h1:/sbgra0egm5fRRlq58Qp+Mrq4mCgWOc4Ug5K6xWCK6M= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.77.0 h1:m6HYlpZlTWb9vHuuRHpWRieqPHWlS0mvQ90OJNrG/Nk= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.77.0/go.mod h1:mV0E7631M1eXdB+tlGFIw6JxfsC7Pz7+7Aw15oLVhZw= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 h1:m/WtVqEvgwDiUPIW2dtnF2hDE1O62MEflz9ClOlCXAs= github.com/aws/aws-sdk-go-v2/service/iam v1.18.16/go.mod h1:w8wndcRxwILFQAzwkUKyEDz4LDHEBSR78KRdaNjUKQA= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19/go.mod h1:02CP6iuYP+IVnBX5HULVdSAku/85eHB2Y9EsFhrkEwU= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20 h1:jlgyHbkZQAgAc7VIxJDmtouH8eNjOk2REVAQfVhdaiQ= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20/go.mod h1:Xs52xaLBqDEKRcAfX/hgjmD3YQ7c/W+BEyfamlO/W2E= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.21 h1:5C6XgTViSb0bunmU57b3CT+MhxULqHH2721FVA+/kDM= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.21/go.mod h1:lRToEJsn+DRA9lW4O9L9+/3hjTkUzlzyzHqn8MTds5k= github.com/aws/aws-sdk-go-v2/service/kms v1.19.0 h1:ycl4Z01HQyprcfOFMAVwWTNaUm29qHRPZyJunDZZVXg= github.com/aws/aws-sdk-go-v2/service/kms v1.19.0/go.mod h1:kZodDPTQjSH/qM6/OvyTfM5mms5JHB/EKYp5dhn/vI4= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 h1:Lh1yssM4dinNZuESsXnbi+pID8hoviejLZdLmT175i8= From fe4b0dd5511d9c9935956230a992c9e5d2bdfe61 Mon Sep 17 00:00:00 2001 From: Guilherme Oliveira do Carmo Carvalho <33766735+guilhermocc@users.noreply.github.com> Date: Thu, 22 Dec 2022 16:49:10 -0300 Subject: [PATCH 240/257] Expand gcp kms plugin test scenarios (#3696) * Add new test case for retry pending generation state 
Signed-off-by: Guilherme Carvalho --- .../plugin/keymanager/gcpkms/client_fake.go | 69 ++++++++++++------- pkg/server/plugin/keymanager/gcpkms/gcpkms.go | 5 +- .../plugin/keymanager/gcpkms/gcpkms_test.go | 52 +++++++++----- 3 files changed, 81 insertions(+), 45 deletions(-) diff --git a/pkg/server/plugin/keymanager/gcpkms/client_fake.go b/pkg/server/plugin/keymanager/gcpkms/client_fake.go index 7cd57df98f..7499004562 100644 --- a/pkg/server/plugin/keymanager/gcpkms/client_fake.go +++ b/pkg/server/plugin/keymanager/gcpkms/client_fake.go @@ -261,25 +261,26 @@ func (h3 *fakeIAMHandle3) SetPolicy(ctx context.Context, policy *iam.Policy3) er type fakeKMSClient struct { t *testing.T - mu sync.RWMutex - asymmetricSignErr error - closeErr error - createCryptoKeyErr error - destroyCryptoKeyVersionErr error - destroyTime *timestamppb.Timestamp - fakeIAMHandle *fakeIAMHandle - getCryptoKeyVersionErr error - getPublicKeyErr error - getTokeninfoErr error - listCryptoKeysErr error - listCryptoKeyVersionsErr error - opts []option.ClientOption - pemCrc32C *wrapperspb.Int64Value - signatureCrc32C *wrapperspb.Int64Value - store fakeStore - tokeninfo *oauth2.Tokeninfo - updateCryptoKeyErr error - keyIsDisabled bool + mu sync.RWMutex + asymmetricSignErr error + closeErr error + createCryptoKeyErr error + initialCryptoKeyVersionState kmspb.CryptoKeyVersion_CryptoKeyVersionState + destroyCryptoKeyVersionErr error + destroyTime *timestamppb.Timestamp + fakeIAMHandle *fakeIAMHandle + getCryptoKeyVersionErr error + getPublicKeyErrs []error + getTokeninfoErr error + listCryptoKeysErr error + listCryptoKeyVersionsErr error + opts []option.ClientOption + pemCrc32C *wrapperspb.Int64Value + signatureCrc32C *wrapperspb.Int64Value + store fakeStore + tokeninfo *oauth2.Tokeninfo + updateCryptoKeyErr error + keyIsDisabled bool } func (k *fakeKMSClient) setAsymmetricSignErr(fakeError error) { 
@@ -296,6 +297,10 @@ func (k *fakeKMSClient) setCreateCryptoKeyErr(fakeError error) { k.createCryptoKeyErr = fakeError } +func (k *fakeKMSClient) setInitialCryptoKeyVersionState(state kmspb.CryptoKeyVersion_CryptoKeyVersionState) { + k.initialCryptoKeyVersionState = state +} + func (k *fakeKMSClient) setDestroyCryptoKeyVersionErr(fakeError error) { k.mu.Lock() defer k.mu.Unlock() @@ -324,11 +329,25 @@ func (k *fakeKMSClient) setIsKeyDisabled(ok bool) { k.keyIsDisabled = ok } -func (k *fakeKMSClient) setGetPublicKeyErr(fakeError error) { +func (k *fakeKMSClient) setGetPublicKeySequentialErrs(fakeError error, count int) { k.mu.Lock() defer k.mu.Unlock() + fakeErrors := make([]error, count) + for i := 0; i < count; i++ { + fakeErrors[i] = fakeError + } + k.getPublicKeyErrs = fakeErrors +} - k.getPublicKeyErr = fakeError +func (k *fakeKMSClient) nextGetPublicKeySequentialErr() error { + k.mu.Lock() + defer k.mu.Unlock() + if len(k.getPublicKeyErrs) == 0 { + return nil + } + err := k.getPublicKeyErrs[0] + k.getPublicKeyErrs = k.getPublicKeyErrs[1:] + return err } func (k *fakeKMSClient) setGetTokeninfoErr(fakeError error) { @@ -549,11 +568,10 @@ func (k *fakeKMSClient) GetCryptoKeyVersion(ctx context.Context, req *kmspb.GetC } func (k *fakeKMSClient) GetPublicKey(ctx context.Context, req *kmspb.GetPublicKeyRequest, opts ...gax.CallOption) (*kmspb.PublicKey, error) { - k.mu.RLock() - defer k.mu.RUnlock() + getPublicKeyErr := k.nextGetPublicKeySequentialErr() - if k.getPublicKeyErr != nil { - return nil, k.getPublicKeyErr + if getPublicKeyErr != nil { + return nil, getPublicKeyErr } fakeCryptoKeyVersion, err := k.store.fetchFakeCryptoKeyVersion(req.Name) @@ -709,6 +727,7 @@ func (k *fakeKMSClient) createFakeCryptoKeyVersion(cryptoKey *kmspb.CryptoKey, v }, CryptoKeyVersion: &kmspb.CryptoKeyVersion{ Name: path.Join(cryptoKey.Name, "cryptoKeyVersions", version), + State: k.initialCryptoKeyVersionState, Algorithm: cryptoKey.VersionTemplate.Algorithm, }, }, nil 
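Review bot: `setInitialCryptoKeyVersionState` assigns `k.initialCryptoKeyVersionState` without taking `k.mu`, while neighbouring setters such as `setDestroyCryptoKeyVersionErr` and the new `setGetPublicKeySequentialErrs` lock before writing. The field is read in `createFakeCryptoKeyVersion` (hunk at -709), so a test that sets it while a key is being created could trip the race detector. Adding `k.mu.Lock()` and `defer k.mu.Unlock()` at the top of the setter keeps the fake consistent. Related: `GetPublicKey` (hunk at -549) no longer holds `k.mu.RLock()` for the rest of its body, which continues outside the hunk, so it is worth confirming that any `k` fields read further down are still guarded.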
diff --git a/pkg/server/plugin/keymanager/gcpkms/gcpkms.go b/pkg/server/plugin/keymanager/gcpkms/gcpkms.go index 34e2e250ef..39d7c55cdc 100644 --- a/pkg/server/plugin/keymanager/gcpkms/gcpkms.go +++ b/pkg/server/plugin/keymanager/gcpkms/gcpkms.go @@ -52,6 +52,8 @@ const ( labelNameLastUpdate = "spire-last-update" labelNameServerTD = "spire-server-td" labelNameActive = "spire-active" + + getPublicKeyMaxAttempts = 10 ) func BuiltIn() catalog.BuiltIn { @@ -1031,11 +1033,10 @@ func getOrCreateServerID(idPath string) (string, error) { func getPublicKeyFromCryptoKeyVersion(ctx context.Context, log hclog.Logger, kmsClient cloudKeyManagementService, cryptoKeyVersionName string) ([]byte, error) { kmsPublicKey, errGetPublicKey := kmsClient.GetPublicKey(ctx, &kmspb.GetPublicKeyRequest{Name: cryptoKeyVersionName}) attempts := 1 - const maxAttempts = 10 log = log.With(cryptoKeyVersionNameTag, cryptoKeyVersionName) for errGetPublicKey != nil { - if attempts > maxAttempts { + if attempts > getPublicKeyMaxAttempts { log.Error("Could not get the public key because the CryptoKeyVersion is still being generated. Maximum number of attempts reached.") return nil, errGetPublicKey } diff --git a/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go b/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go index 48a640c2d4..7f9dfd4335 100644 --- a/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go +++ b/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go @@ -128,6 +128,7 @@ func TestConfigure(t *testing.T) { listCryptoKeysErr error describeKeyErr error getPublicKeyErr error + getPublicKeyErrCount int }{ { name: "pass with keys", @@ -326,7 +327,7 @@ func TestConfigure(t *testing.T) { }, }, { - name: "get public key error", + name: "get public key error max attempts", expectMsg: "failed to fetch entries: error getting public key: get public key error", expectCode: codes.Internal, config: &Config{ 
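Review bot: `getPublicKeyMaxAttempts` does not bound the number of attempts the way its name suggests. In `getPublicKeyFromCryptoKeyVersion`, `attempts` starts at 1 after the first `GetPublicKey` call and the loop only gives up when `attempts > getPublicKeyMaxAttempts`, so up to eleven calls are made, assuming the counter is incremented once per retry further down. The new test case, which needs `getPublicKeyMaxAttempts + 1` errors to reach the limit, points the same way. Either compare with `>=`, `if attempts >= getPublicKeyMaxAttempts {`, or rename the constant and document it: `// getPublicKeyMaxRetries is the number of retries after the first GetPublicKey call.` The loop body continues outside the hunk.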
@@ -352,7 +353,8 @@ func TestConfigure(t *testing.T) { }, }, }, - getPublicKeyErr: errors.New("get public key error"), + getPublicKeyErr: errors.New("get public key error"), + getPublicKeyErrCount: getPublicKeyMaxAttempts + 1, }, } { tt := tt @@ -361,7 +363,7 @@ func TestConfigure(t *testing.T) { ts.fakeKMSClient.putFakeCryptoKeys(tt.fakeCryptoKeys) ts.fakeKMSClient.setListCryptoKeysErr(tt.listCryptoKeysErr) ts.fakeKMSClient.setGetCryptoKeyVersionErr(tt.getCryptoKeyVersionErr) - ts.fakeKMSClient.setGetPublicKeyErr(tt.getPublicKeyErr) + ts.fakeKMSClient.setGetPublicKeySequentialErrs(tt.getPublicKeyErr, tt.getPublicKeyErrCount) var configureRequest *configv1.ConfigureRequest if tt.config != nil { @@ -632,21 +634,23 @@ func TestEnqueueDestructionFailure(t *testing.T) { func TestGenerateKey(t *testing.T) { for _, tt := range []struct { - configureReq *configv1.ConfigureRequest - expectCode codes.Code - expectMsg string - destroyTime *timestamp.Timestamp - fakeCryptoKeys []*fakeCryptoKey - generateKeyReq *keymanagerv1.GenerateKeyRequest - logs []spiretest.LogEntry - name string - testDisabled bool - waitForDelete bool + configureReq *configv1.ConfigureRequest + expectCode codes.Code + expectMsg string + destroyTime *timestamp.Timestamp + fakeCryptoKeys []*fakeCryptoKey + generateKeyReq *keymanagerv1.GenerateKeyRequest + logs []spiretest.LogEntry + name string + testDisabled bool + waitForDelete bool + initialCryptoKeyVersionState kmspb.CryptoKeyVersion_CryptoKeyVersionState createKeyErr error destroyCryptoKeyVersionErr error getCryptoKeyVersionErr error getPublicKeyErr error + getPublicKeyErrCount int getTokenInfoErr error updateCryptoKeyErr error }{ 
@@ -657,6 +661,16 @@ func TestGenerateKey(t *testing.T) { KeyType: keymanagerv1.KeyType_EC_P256, }, }, + { + name: "success: keeps retrying when crypto key is in pending generation state", + generateKeyReq: &keymanagerv1.GenerateKeyRequest{ + KeyId: spireKeyID1, + KeyType: keymanagerv1.KeyType_EC_P256, + }, + initialCryptoKeyVersionState: kmspb.CryptoKeyVersion_PENDING_GENERATION, + getPublicKeyErr: errors.New("error getting public key"), + getPublicKeyErrCount: 5, + }, { name: "success: non existing key with special characters", generateKeyReq: &keymanagerv1.GenerateKeyRequest{ @@ -776,10 +790,11 @@ func TestGenerateKey(t *testing.T) { }, }, { - name: "get public key error", - expectMsg: "failed to get public key: public key error", - expectCode: codes.Internal, - getPublicKeyErr: errors.New("public key error"), + name: "get public key error", + expectMsg: "failed to get public key: public key error", + expectCode: codes.Internal, + getPublicKeyErr: errors.New("public key error"), + getPublicKeyErrCount: 1, generateKeyReq: &keymanagerv1.GenerateKeyRequest{ KeyId: spireKeyID1, KeyType: keymanagerv1.KeyType_EC_P256, @@ -959,6 +974,7 @@ func TestGenerateKey(t *testing.T) { ts.fakeKMSClient.setDestroyTime(fakeTime) ts.fakeKMSClient.putFakeCryptoKeys(tt.fakeCryptoKeys) ts.fakeKMSClient.setCreateCryptoKeyErr(tt.createKeyErr) + ts.fakeKMSClient.setInitialCryptoKeyVersionState(tt.initialCryptoKeyVersionState) ts.fakeKMSClient.setGetCryptoKeyVersionErr(tt.getCryptoKeyVersionErr) ts.fakeKMSClient.setGetTokeninfoErr(tt.getTokenInfoErr) ts.fakeKMSClient.setUpdateCryptoKeyErr(tt.updateCryptoKeyErr) @@ -986,7 +1002,7 @@ func TestGenerateKey(t *testing.T) { ) require.NoError(t, err) - ts.fakeKMSClient.setGetPublicKeyErr(tt.getPublicKeyErr) + ts.fakeKMSClient.setGetPublicKeySequentialErrs(tt.getPublicKeyErr, tt.getPublicKeyErrCount) resp, err := ts.plugin.GenerateKey(ctx, tt.generateKeyReq) if tt.expectMsg != "" { 
From 42540aeff4d4644281e5c2499e23561ee0cc52c4 Mon Sep 17 00:00:00 2001 From: Alexander Viktorov Date: Thu, 22 Dec 2022 13:11:17 -0800 Subject: [PATCH 241/257] Add serial number and revision number to svid minting log entries (#3699) * Added svid serial number and entry revision number where applicable Signed-off-by: Alexander Viktorov --- pkg/server/api/svid/v1/service.go | 5 ++++- pkg/server/api/svid/v1/service_test.go | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/pkg/server/api/svid/v1/service.go b/pkg/server/api/svid/v1/service.go index 9b86dfc408..d2efb88c3a 100644 --- a/pkg/server/api/svid/v1/service.go +++ b/pkg/server/api/svid/v1/service.go @@ -115,11 +115,12 @@ func (s *Service) MintX509SVID(ctx context.Context, req *svidv1.MintX509SVIDRequ } rpccontext.AddRPCAuditFields(ctx, logrus.Fields{ - telemetry.ExpiresAt: x509SVID[0].NotAfter.Unix(), + telemetry.ExpiresAt: x509SVID[0].NotAfter.Format(time.RFC3339), }) rpccontext.AuditRPCWithFields(ctx, commonX509SVIDLogFields) log.WithField(telemetry.Expiration, x509SVID[0].NotAfter.Format(time.RFC3339)). + WithField(telemetry.SerialNumber, x509SVID[0].SerialNumber.String()). WithFields(commonX509SVIDLogFields). Debug("Signed X509 SVID") @@ -263,6 +264,8 @@ func (s *Service) newX509SVID(ctx context.Context, param *svidv1.NewX509SVIDPara } log.WithField(telemetry.Expiration, x509Svid[0].NotAfter.Format(time.RFC3339)). + WithField(telemetry.SerialNumber, x509Svid[0].SerialNumber.String()). + WithField(telemetry.RevisionNumber, entry.RevisionNumber). Debug("Signed X509 SVID") return &svidv1.BatchNewX509SVIDResponse_Result{ diff --git a/pkg/server/api/svid/v1/service_test.go b/pkg/server/api/svid/v1/service_test.go index 3777881337..241558359f 100644 --- a/pkg/server/api/svid/v1/service_test.go +++ b/pkg/server/api/svid/v1/service_test.go 
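Review bot: The `telemetry.ExpiresAt` audit field in `MintX509SVID` changes from a Unix timestamp to an RFC 3339 string, which the commit title does not mention; anything that parses this audit field as a number will silently stop matching. If the change is intended, it should be called out in the changelog and applied to the other audit call sites that emit this field, which are not visible here. The serial number is added only to the debug log line; adding it to the audit fields too, `telemetry.SerialNumber: x509SVID[0].SerialNumber.String(),`, would let an issued certificate be traced back to its mint request when debug logging is off. `MintX509SVID` and `newX509SVID` both extend beyond their hunks.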
@@ -54,9 +54,9 @@ func TestServiceMintX509SVID(t *testing.T) { x509CA := test.ca.X509CA() now := test.ca.Clock().Now().UTC() expiredAt := now.Add(test.ca.X509SVIDTTL()) - expiresAtStr := strconv.FormatInt(expiredAt.Unix(), 10) + expiresAtStr := expiredAt.Format(time.RFC3339) customExpiresAt := now.Add(10 * time.Second) - expiresAtCustomStr := strconv.FormatInt(customExpiresAt.Unix(), 10) + expiresAtCustomStr := customExpiresAt.Format(time.RFC3339) for _, tt := range []struct { name string From dbf91a1d4be65a74c603787810fe5ac9fe9b3dbb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 Dec 2022 08:39:17 -0700 Subject: [PATCH 242/257] Bump github.com/docker/docker (#3704) Bumps [github.com/docker/docker](https://github.com/docker/docker) from 20.10.21+incompatible to 20.10.22+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v20.10.21...v20.10.22) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index e852670737..5324378a3a 100644 --- a/go.mod +++ b/go.mod @@ -29,7 +29,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/sts v1.17.4 github.com/blang/semver/v4 v4.0.0 github.com/cenkalti/backoff/v3 v3.2.2 - github.com/docker/docker v20.10.21+incompatible + github.com/docker/docker v20.10.22+incompatible github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1 github.com/go-logr/logr v1.2.3 github.com/go-sql-driver/mysql v1.7.0 diff --git a/go.sum b/go.sum index c3178cf4eb..b1ea4a4817 100644 --- a/go.sum +++ b/go.sum 
@@ -500,8 +500,8 @@ github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68= github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v20.10.21+incompatible h1:UTLdBmHk3bEY+w8qeO5KttOhy6OmXWsl/FEet9Uswog= -github.com/docker/docker v20.10.21+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v20.10.22+incompatible h1:6jX4yB+NtcbldT90k7vBSaWJDB3i+zkVJT9BEK8kQkk= +github.com/docker/docker v20.10.22+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw= From a9897d088a53dee560ee4bbfc968ee1111a93b66 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 Dec 2022 16:13:41 -0300 Subject: [PATCH 243/257] Bump github.com/google/go-tpm-tools from 0.3.9 to 0.3.10 (#3718) Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.3.9 to 0.3.10. - [Release notes](https://github.com/google/go-tpm-tools/releases) - [Commits](https://github.com/google/go-tpm-tools/compare/v0.3.9...v0.3.10) --- updated-dependencies: - dependency-name: github.com/google/go-tpm-tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 5 ++++- go.sum | 12 ++++++++++-- 2 files changed, 14 insertions(+), 3 deletions(-) 
diff --git a/go.mod b/go.mod index 5324378a3a..8327e4f40b 100644 --- a/go.mod +++ b/go.mod @@ -38,7 +38,7 @@ require ( github.com/golang/protobuf v1.5.2 github.com/google/go-cmp v0.5.9 github.com/google/go-tpm v0.3.3 - github.com/google/go-tpm-tools v0.3.9 + github.com/google/go-tpm-tools v0.3.10 github.com/googleapis/gax-go/v2 v2.7.0 github.com/gorilla/handlers v1.5.1 github.com/hashicorp/go-hclog v1.4.0 @@ -136,7 +136,9 @@ require ( github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/snappy v0.0.4 // indirect github.com/google/gnostic v0.5.7-v3refs // indirect + github.com/google/go-sev-guest v0.4.1 // indirect github.com/google/gofuzz v1.2.0 // indirect + github.com/google/logger v1.1.1 // indirect github.com/google/uuid v1.3.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.2.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect @@ -176,6 +178,7 @@ require ( github.com/oklog/run v1.0.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect + github.com/pborman/uuid v1.2.0 // indirect github.com/pierrec/lz4 v2.5.2+incompatible // indirect github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect github.com/pkg/errors v0.9.1 // indirect diff --git a/go.sum b/go.sum index b1ea4a4817..1da9d96cd0 100644 --- a/go.sum +++ b/go.sum 
@@ -674,19 +674,23 @@ github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-sev-guest v0.4.1 h1:IjxtGAvzR+zSyAqMc1FWfYKCg1cwPkBly9+Xog3YMZc= +github.com/google/go-sev-guest v0.4.1/go.mod h1:UEi9uwoPbLdKGl1QHaq1G8pfCbQ4QP0swWX4J0k6r+Q= github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2YgV/PHITkO7p6wxEEj/v5nlsVWIwumwH2NI= github.com/google/go-tpm v0.3.0/go.mod h1:iVLWvrPp/bHeEkxTFi9WG6K9w0iy2yIszHwZGHPbzAw= github.com/google/go-tpm v0.3.3 h1:P/ZFNBZYXRxc+z7i5uyd8VP7MaDteuLZInzrH2idRGo= github.com/google/go-tpm v0.3.3/go.mod h1:9Hyn3rgnzWF9XBWVk6ml6A6hNkbWjNFlDQL51BeghL4= github.com/google/go-tpm-tools v0.0.0-20190906225433-1614c142f845/go.mod h1:AVfHadzbdzHo54inR2x1v640jdi1YSi3NauM2DUsxk0= github.com/google/go-tpm-tools v0.2.0/go.mod h1:npUd03rQ60lxN7tzeBJreG38RvWwme2N1reF/eeiBk4= -github.com/google/go-tpm-tools v0.3.9 h1:66nkOHZtqmHXVnqonQvPDmiPRn8lcKW3FXzynJiBphg= -github.com/google/go-tpm-tools v0.3.9/go.mod h1:22JvWmHcD5w55cs+nMeqDGDxgNS15/2pDq2cLqnc3rc= +github.com/google/go-tpm-tools v0.3.10 h1:hz9EoyG4Ewa0leT3OvxlWprq14Lw0RBmfFcH9H9+Yas= +github.com/google/go-tpm-tools v0.3.10/go.mod h1:HQfQboO+M8pRtBfO5U3KMhwzfC/XC3TaMCgRfTpII8Q= github.com/google/go-tspi v0.2.1-0.20190423175329-115dea689aad h1:LnpS22S8V1HqbxjveESGAazHhi6BX9SwI2Rij7qZcXQ= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/logger v1.1.1 
h1:+6Z2geNxc9G+4D4oDO9njjjn2d0wN5d7uOo0vOIW1NQ= +github.com/google/logger v1.1.1/go.mod h1:BkeJZ+1FhQ+/d087r4dzojEg1u2ZX+ZqG1jTUrLM+zQ= github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= @@ -708,6 +712,7 @@ github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= 
@@ -1023,6 +1028,8 @@ github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFSt github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY= github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g= +github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= @@ -1487,6 +1494,7 @@ golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= From 0101524d6192edaf137e234191fad5506bea409f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Dec 2022 15:06:01 -0300 Subject: [PATCH 244/257] Bump github.com/open-policy-agent/opa from 0.47.3 to 0.47.4 (#3722) Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.47.3 to 0.47.4. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-policy-agent/opa/compare/v0.47.3...v0.47.4) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 8327e4f40b..6a9827c93b 100644
--- a/go.mod
+++ b/go.mod
@@ -52,7 +52,7 @@ require (
 github.com/lib/pq v1.10.7
 github.com/mattn/go-sqlite3 v1.14.16
 github.com/mitchellh/cli v1.1.5
- github.com/open-policy-agent/opa v0.47.3
+ github.com/open-policy-agent/opa v0.47.4
 github.com/prometheus/client_golang v1.14.0
 github.com/shirou/gopsutil/v3 v3.22.11
 github.com/sirupsen/logrus v1.9.0
diff --git a/go.sum b/go.sum
index 1da9d96cd0..a4696574ea 100644
--- a/go.sum
+++ b/go.sum
@@ -1018,8 +1018,8 @@ github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGV github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.23.0 h1:/oxKu9c2HVap+F3PfKort2Hw5DEU+HGlW8n+tguWsys= -github.com/open-policy-agent/opa v0.47.3 h1:Uj8zw+q6Cvv1iiQFh704Q6sl3fKVvk35WZNJLsd6mgk= -github.com/open-policy-agent/opa v0.47.3/go.mod h1:I5DbT677OGqfk9gvu5i54oIt0rrVf4B5pedpqDquAXo= +github.com/open-policy-agent/opa v0.47.4 h1:CTPIoAv6/UJX+BkSkqytbofWrZHyfQ/A0ESE4FSKR9A= +github.com/open-policy-agent/opa v0.47.4/go.mod h1:I5DbT677OGqfk9gvu5i54oIt0rrVf4B5pedpqDquAXo= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 h1:rc3tiVYb5z54aKaDfakKn0dDjIyPpTtszkjuMzyt7ec= From fc31e86f49da509dcf7db6bc6860f464780d2625 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Dec 2022 15:41:25 -0300 Subject: [PATCH 245/257] Bump github.com/hashicorp/vault/sdk from 0.6.1 to 0.6.2 (#3720) Bumps [github.com/hashicorp/vault/sdk](https://github.com/hashicorp/vault) from 0.6.1 to 0.6.2. - [Release notes](https://github.com/hashicorp/vault/releases) - [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md) - [Commits](https://github.com/hashicorp/vault/compare/v0.6.1...v0.6.2) --- updated-dependencies: - dependency-name: github.com/hashicorp/vault/sdk dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 6a9827c93b..329b97c795 100644 --- a/go.mod +++ b/go.mod @@ -45,7 +45,7 @@ require ( github.com/hashicorp/go-plugin v1.4.6 github.com/hashicorp/hcl v1.0.1-0.20190430135223-99e2f22d1c94 github.com/hashicorp/vault/api v1.8.2 - github.com/hashicorp/vault/sdk v0.6.1 + github.com/hashicorp/vault/sdk v0.6.2 github.com/imdario/mergo v0.3.13 github.com/imkira/go-observer v1.0.3 github.com/jinzhu/gorm v1.9.16 diff --git a/go.sum b/go.sum index a4696574ea..ccb223cb62 100644 --- a/go.sum +++ b/go.sum @@ -811,8 +811,8 @@ github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2p github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= github.com/hashicorp/vault/api v1.8.2 h1:C7OL9YtOtwQbTKI9ogB0A1wffRbCN+rH/LLCHO3d8HM= github.com/hashicorp/vault/api v1.8.2/go.mod h1:ML8aYzBIhY5m1MD1B2Q0JV89cC85YVH4t5kBaZiyVaE= -github.com/hashicorp/vault/sdk v0.6.1 h1:sjZC1z4j5Rh2GXYbkxn5BLK05S1p7+MhW4AgdUmgRUA= -github.com/hashicorp/vault/sdk v0.6.1/go.mod h1:Ck4JuAC6usTphfrrRJCRH+7/N7O2ozZzkm/fzQFt4uM= +github.com/hashicorp/vault/sdk v0.6.2 h1:LtWXUM+WheM5T8pOO/6nOTiFwnE+4y3bPztFf15Oz24= +github.com/hashicorp/vault/sdk v0.6.2/go.mod h1:KyfArJkhooyba7gYCKSq8v66QdqJmnbAxtV/OX1+JTs= github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d h1:kJCB4vdITiW1eC1vq2e6IsrXKrZit1bv/TDYFGMp4BQ= github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= From 3ef60fc432a8663d9f727bb6acf65fa35a4ce086 Mon Sep 17 00:00:00 2001 
From: Marcos Yacob Date: Mon, 26 Dec 2022 16:35:15 -0300 Subject: [PATCH 246/257] Solve flaky tests caused by edge cases where audit logs from previous calls was not successfully cleaned (#3721) Signed-off-by: Marcos Yacob --- pkg/server/api/agent/v1/service_test.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/pkg/server/api/agent/v1/service_test.go b/pkg/server/api/agent/v1/service_test.go
index 0d0101d244..2d587c2e2b 100644
--- a/pkg/server/api/agent/v1/service_test.go
+++ b/pkg/server/api/agent/v1/service_test.go
@@ -3008,7 +3008,12 @@ func TestAttestAgent(t *testing.T) {
 e.Data[telemetry.Address] = ""
 }
 }
- spiretest.AssertLogs(t, test.logHook.AllEntries(), tt.expectLogs)
+ if tt.retry {
+ // Prevent cases where audit logs from previous calls are pushed after log is reset
+ spiretest.AssertLastLogs(t, test.logHook.AllEntries(), tt.expectLogs)
+ } else {
+ spiretest.AssertLogs(t, test.logHook.AllEntries(), tt.expectLogs)
+ }
 }()
 ctx, cancel := context.WithCancel(context.Background())
From f659153c65ef7b497d059effbe6bfd80f0b8dd64 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 Dec 2022 14:33:53 -0300 Subject: [PATCH 247/257] Bump google.golang.org/api from 0.103.0 to 0.105.0 (#3723) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.103.0 to 0.105.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.103.0...v0.105.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot]
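Review bot: The `tt.retry` branch replaces the strict `AssertLogs` check with `AssertLastLogs`, which, judging by its name and the added comment, compares only the trailing entries of `test.logHook.AllEntries()`, so in retry cases an unexpected or duplicated audit entry ahead of the expected ones would presumably no longer fail the test. These entries are the audit trail for agent attestation, so it would be better to remove the race at its source, by making sure the previous call's audit entry has been emitted before the hook is reset, and keep the exact comparison. If that is not practical, the comment should state what is given up, for example `// AssertLastLogs checks only the final entries; stale audit entries from the earlier attempt are ignored`. The deferred function and the rest of TestAttestAgent lie outside the hunk, so where the hook is reset cannot be confirmed from here.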
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 6 +++--- go.sum | 10 ++++++---- 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/go.mod b/go.mod
index 329b97c795..174a53ecb9 100644
--- a/go.mod
+++ b/go.mod
@@ -67,8 +67,8 @@ require (
 golang.org/x/sync v0.1.0
 golang.org/x/sys v0.3.0
 golang.org/x/time v0.3.0
- google.golang.org/api v0.103.0
- google.golang.org/genproto v0.0.0-20221205194025-8222ab48f5fc
+ google.golang.org/api v0.105.0
+ google.golang.org/genproto v0.0.0-20221206210731-b1a01be3a5f6
 google.golang.org/grpc v1.51.0
 google.golang.org/protobuf v1.28.1
 gopkg.in/square/go-jose.v2 v2.6.0
@@ -83,7 +83,7 @@ require (
 require (
 cloud.google.com/go v0.107.0 // indirect
 cloud.google.com/go/compute v1.13.0 // indirect
- cloud.google.com/go/compute/metadata v0.2.1 // indirect
+ cloud.google.com/go/compute/metadata v0.2.2 // indirect
 cloud.google.com/go/longrunning v0.3.0 // indirect
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect
 github.com/Azure/go-autorest v14.2.0+incompatible // indirect
diff --git a/go.sum b/go.sum
index ccb223cb62..40a0432568 100644
--- a/go.sum
+++ b/go.sum
@@ -93,8 +93,9 @@ cloud.google.com/go/compute v1.12.1/go.mod h1:e8yNOBcBONZU1vJKCvCoDw/4JQsA0dpM4x cloud.google.com/go/compute v1.13.0 h1:AYrLkB8NPdDRslNp4Jxmzrhdr03fUAIDbiGFjLWowoU= cloud.google.com/go/compute v1.13.0/go.mod h1:5aPTS0cUNMIc1CE546K+Th6weJUNQErARyZtRXDJ8GE= cloud.google.com/go/compute/metadata v0.1.0/go.mod h1:Z1VN+bulIf6bt4P/C37K4DyZYZEXYonfTBHHFPO/4UU= -cloud.google.com/go/compute/metadata v0.2.1 h1:efOwf5ymceDhK6PKMnnrTHP4pppY5L22mle96M1yP48= cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM= +cloud.google.com/go/compute/metadata v0.2.2 h1:aWKAjYaBaOSrpKl57+jnS/3fJRQnxL7TvR/u1VVbt6k= +cloud.google.com/go/compute/metadata v0.2.2/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM= cloud.google.com/go/contactcenterinsights v1.3.0/go.mod h1:Eu2oemoePuEFc/xKFPjbTuPSj0fYJcPls9TFlPNnHHY= cloud.google.com/go/container v1.6.0/go.mod h1:Xazp7GjJSeUYo688S+6J5V+n/t+G5sKBTFkKNudGRxg= cloud.google.com/go/containeranalysis v0.5.1/go.mod h1:1D92jd8gRR/c0fGMlymRgxWD3Qw9C1ff6/T7mLgVL8I= 
@@ -1696,8 +1697,9 @@ google.golang.org/api v0.98.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ google.golang.org/api v0.99.0/go.mod h1:1YOf74vkVndF7pG6hIHuINsM7eWwpVTAfNMNiL91A08= google.golang.org/api v0.100.0/go.mod h1:ZE3Z2+ZOr87Rx7dqFsdRQkRBk36kDtp/h+QpHbB7a70= google.golang.org/api v0.102.0/go.mod h1:3VFl6/fzoA+qNuS1N1/VfXY4LjoXN/wzeIp7TweWwGo= -google.golang.org/api v0.103.0 h1:9yuVqlu2JCvcLg9p8S3fcFLZij8EPSyvODIY1rkMizQ= google.golang.org/api v0.103.0/go.mod h1:hGtW6nK1AC+d9si/UBhw8Xli+QMOf6xyNAyJw4qU9w0= +google.golang.org/api v0.105.0 h1:t6P9Jj+6XTn4U9I2wycQai6Q/Kz7iOT+QzjJ3G2V4x8= +google.golang.org/api v0.105.0/go.mod h1:qh7eD5FJks5+BcE+cjBIm6Gz8vioK7EHvnlniqXBnqI= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -1813,8 +1815,8 @@ google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz google.golang.org/genproto v0.0.0-20221024153911-1573dae28c9c/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s= google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s= google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c/go.mod h1:CGI5F/G+E5bKwmfYo09AXuVN4dD894kIKUFmVbP2/Fo= -google.golang.org/genproto v0.0.0-20221205194025-8222ab48f5fc h1:nUKKji0AarrQKh6XpFEpG3p1TNztxhe7C8TcUvDgXqw= -google.golang.org/genproto v0.0.0-20221205194025-8222ab48f5fc/go.mod h1:1dOng4TWOomJrDGhpXjfCD35wQC6jnC7HpRmOFRqEV0= +google.golang.org/genproto v0.0.0-20221206210731-b1a01be3a5f6 h1:AGXp12e/9rItf6/4QymU7WsAUwCf+ICW75cuR91nJIc= +google.golang.org/genproto v0.0.0-20221206210731-b1a01be3a5f6/go.mod h1:1dOng4TWOomJrDGhpXjfCD35wQC6jnC7HpRmOFRqEV0= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= From 202713a7650039f6fbc9da024cc24073d55d00ea Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 30 Dec 2022 07:40:10 -0700 Subject: [PATCH 248/257] Bump sigs.k8s.io/controller-runtime from 0.13.1 to 0.14.1 (#3719) * Bump sigs.k8s.io/controller-runtime from 0.13.1 to 0.14.1 Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.13.1 to 0.14.1. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/master/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.13.1...v0.14.1) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update code to solve refactor changes on library Signed-off-by: Marcos Yacob Signed-off-by: dependabot[bot] Signed-off-by: Marcos Yacob Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Marcos Yacob --- go.mod | 34 ++-- go.sum | 73 +++---- .../plugin/notifier/k8sbundle/k8sbundle.go | 40 ++-- .../notifier/k8sbundle/k8sbundle_test.go | 4 +- .../controllers/pod_controller_test.go | 192 ++++++++++-------- 5 files changed, 177 insertions(+), 166 deletions(-) diff --git a/go.mod b/go.mod index 174a53ecb9..c0346596b7 100644 --- a/go.mod +++ b/go.mod @@ -62,7 +62,7 @@ require ( github.com/stretchr/testify v1.8.1 github.com/uber-go/tally/v4 v4.1.4 github.com/zeebo/errs v1.3.0 - golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa + golang.org/x/crypto v0.1.0 golang.org/x/net v0.4.0 golang.org/x/sync v0.1.0 golang.org/x/sys v0.3.0 
@@ -74,10 +74,10 @@ require ( gopkg.in/square/go-jose.v2 v2.6.0 k8s.io/api v0.26.0 k8s.io/apimachinery v0.26.0 - k8s.io/client-go v0.25.4 + k8s.io/client-go v0.26.0 k8s.io/kube-aggregator v0.23.3 - k8s.io/utils v0.0.0-20221107191617-1a15be271d1d - sigs.k8s.io/controller-runtime v0.13.1 + k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 + sigs.k8s.io/controller-runtime v0.14.1 ) require ( @@ -86,20 +86,12 @@ require ( cloud.google.com/go/compute/metadata v0.2.2 // indirect cloud.google.com/go/longrunning v0.3.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect - github.com/Azure/go-autorest v14.2.0+incompatible // indirect - github.com/Azure/go-autorest/autorest v0.11.27 // indirect - github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect - github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect - github.com/Azure/go-autorest/logger v0.2.1 // indirect - github.com/Azure/go-autorest/tracing v0.6.0 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0 // indirect github.com/DataDog/datadog-go v3.2.0+incompatible // indirect github.com/Masterminds/goutils v1.1.1 // indirect github.com/Masterminds/semver/v3 v3.1.1 // indirect github.com/Masterminds/sprig/v3 v3.2.1 // indirect github.com/OneOfOne/xxhash v1.2.8 // indirect - github.com/PuerkitoBio/purell v1.1.1 // indirect - github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect github.com/agnivade/levenshtein v1.1.1 // indirect github.com/armon/go-radix v1.0.0 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27 // indirect 
@@ -117,18 +109,18 @@ require ( github.com/docker/distribution v2.8.1+incompatible // indirect github.com/docker/go-connections v0.4.0 // indirect github.com/docker/go-units v0.4.0 // indirect - github.com/emicklei/go-restful/v3 v3.8.0 // indirect + github.com/emicklei/go-restful/v3 v3.9.0 // indirect github.com/envoyproxy/protoc-gen-validate v0.6.2 // indirect github.com/evanphx/json-patch v4.12.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.6.0 // indirect github.com/fatih/color v1.13.0 // indirect - github.com/felixge/httpsnoop v1.0.2 // indirect + github.com/felixge/httpsnoop v1.0.3 // indirect github.com/fsnotify/fsnotify v1.6.0 // indirect github.com/ghodss/yaml v1.0.0 // indirect github.com/go-logr/zapr v1.2.3 // indirect github.com/go-ole/go-ole v1.2.6 // indirect github.com/go-openapi/jsonpointer v0.19.5 // indirect - github.com/go-openapi/jsonreference v0.19.5 // indirect + github.com/go-openapi/jsonreference v0.20.0 // indirect github.com/go-openapi/swag v0.19.14 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect @@ -166,7 +158,7 @@ require ( github.com/mailru/easyjson v0.7.6 // indirect github.com/mattn/go-colorable v0.1.12 // indirect github.com/mattn/go-isatty v0.0.14 // indirect - github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect + github.com/matttproud/golang_protobuf_extensions v1.0.2 // indirect github.com/mitchellh/copystructure v1.0.0 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/mitchellh/go-testing-interface v1.0.0 // indirect 
@@ -204,20 +196,20 @@ require ( go.opencensus.io v0.24.0 // indirect go.uber.org/atomic v1.10.0 // indirect go.uber.org/multierr v1.8.0 // indirect - go.uber.org/zap v1.23.0 // indirect - golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect + go.uber.org/zap v1.24.0 // indirect + golang.org/x/mod v0.6.0 // indirect golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 // indirect golang.org/x/term v0.3.0 // indirect golang.org/x/text v0.5.0 // indirect - golang.org/x/tools v0.1.12 // indirect + golang.org/x/tools v0.2.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect google.golang.org/appengine v1.6.7 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiextensions-apiserver v0.25.0 // indirect - k8s.io/component-base v0.25.0 // indirect + k8s.io/apiextensions-apiserver v0.26.0 // indirect + k8s.io/component-base v0.26.0 // indirect k8s.io/klog/v2 v2.80.1 // indirect k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect diff --git a/go.sum b/go.sum index 40a0432568..335830b7e9 100644 --- a/go.sum +++ b/go.sum 
@@ -306,23 +306,12 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1. github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= -github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= -github.com/Azure/go-autorest/autorest v0.11.27 h1:F3R3q42aWytozkV8ihzcgMO4OA4cuqr3bNlsEuF6//A= -github.com/Azure/go-autorest/autorest v0.11.27/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U= github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= -github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= -github.com/Azure/go-autorest/autorest/adal v0.9.20 h1:gJ3E98kMpFB1MFqQCvA1yFab8vthOeD4VlFRQULxahg= -github.com/Azure/go-autorest/autorest/adal v0.9.20/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= -github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= -github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw= -github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU= -github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= 
github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= -github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/AzureAD/microsoft-authentication-library-for-go v0.4.0/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4= github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0 h1:VgSJlZH5u0k2qxSpqyghcFQKmvYckj46uymKK5XzkBM= @@ -348,9 +337,7 @@ github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAE github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= github.com/PuerkitoBio/goquery v1.5.1/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBKeU+7zCJoLcc= -github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8= github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo= 
@@ -513,8 +500,8 @@ github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25Kn github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/emicklei/go-restful/v3 v3.8.0 h1:eCZ8ulSerjdAiaNpF7GxXIE7ZCMo1moN1qX+S609eVw= -github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= +github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= 
@@ -540,8 +527,8 @@ github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo= github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= -github.com/felixge/httpsnoop v1.0.2 h1:+nS9g82KMXccJ/wp0zyRW9ZBHFETmMGtkk+2CTTrW4o= -github.com/felixge/httpsnoop v1.0.2/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk= +github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= 
@@ -581,8 +568,9 @@ github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34 github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= -github.com/go-openapi/jsonreference v0.19.5 h1:1WJP/wi4OjB4iV8KVbH73rQaoialJrqv8gitZLxGLtM= github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= +github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA= +github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo= github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= @@ -605,7 +593,6 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= -github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs= github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= 
@@ -956,8 +943,9 @@ github.com/mattn/go-sqlite3 v1.14.0/go.mod h1:JIl7NbARA7phWnGvh0LKTyg7S9BA+6gx71 github.com/mattn/go-sqlite3 v1.14.16 h1:yOQRA0RpS5PFz/oikGwBEqvAWhWg5ufRz4ETLjwpU1Y= github.com/mattn/go-sqlite3 v1.14.16/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/matttproud/golang_protobuf_extensions v1.0.2 h1:hAHbPm5IJGijwng3PWk09JkG9WeqChjprR5s9bBZ+OM= +github.com/matttproud/golang_protobuf_extensions v1.0.2/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/microsoft/go-mssqldb v0.17.0/go.mod h1:OkoNGhGEs8EZqchVTtochlXruEhEOaO4S0d2sB5aeGQ= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg= 
@@ -985,7 +973,7 @@ github.com/mitchellh/reflectwalk v1.0.1 h1:FVzMWA5RllMAKIdUSC8mdWo3XtwoecrH79BY7 github.com/mitchellh/reflectwalk v1.0.1/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= github.com/moby/term v0.0.0-20210610120745-9d4ed1856297/go.mod h1:vgPCkQMyxTZ7IDy8SXRufE172gr8+K/JE/7hHFxHW3A= -github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 h1:dcztxKSvZ4Id8iPpHERQBbIJfabdt4wUm5qy3wOL2Zc= +github.com/moby/term v0.0.0-20220808134915-39b0c02b01ae h1:O4SWKdcHVCvYqyDV+9CJA1fcDN2L11Bule0iFy3YlAI= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
@@ -1005,20 +993,19 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+ github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nishanths/predeclared v0.0.0-20200524104333-86fad755b4d3/go.mod h1:nt3d53pc1VYcphSCIaYAJtnPYnr3Zyn8fMq2wvPGPso= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= -github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw= github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= +github.com/onsi/ginkgo v1.14.0 h1:2mOpI4JVVPBN+WQRa0WKH2eXR+Ey+uK4n7Zj0aYpIQA= github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= -github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= -github.com/onsi/ginkgo/v2 v2.4.0 h1:+Ig9nvqgS5OBSACXNk15PLdp0U9XPYROt9CFzVdFGIs= +github.com/onsi/ginkgo/v2 v2.6.0 h1:9t9b9vRUbFq3C4qKFCGkVuq/fIHji802N1nrtkh1mNc= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.23.0 h1:/oxKu9c2HVap+F3PfKort2Hw5DEU+HGlW8n+tguWsys= +github.com/onsi/gomega v1.24.1 h1:KORJXNNTzJXzu4ScJWssJfJMnJ+2QJqhoQSRwNlze9E= github.com/open-policy-agent/opa v0.47.4 h1:CTPIoAv6/UJX+BkSkqytbofWrZHyfQ/A0ESE4FSKR9A= 
github.com/open-policy-agent/opa v0.47.4/go.mod h1:I5DbT677OGqfk9gvu5i54oIt0rrVf4B5pedpqDquAXo= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= @@ -1243,7 +1230,7 @@ go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ= go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= -go.uber.org/goleak v1.1.12 h1:gZAh5/EyT/HQwlpkCy6wTpqfH9H8Lz8zbm3dZh+OyzA= +go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU= @@ -1256,8 +1243,9 @@ go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= -go.uber.org/zap v1.23.0 h1:OjGQ5KQDEUawVHxNwQgPpiypGHOxo2mNZsOqTak4fFY= go.uber.org/zap v1.23.0/go.mod h1:D+nX8jyLsMHMYrln8A0rJjFt/T/9/bGgIhAqxv5URuY= +go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= +go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= 
@@ -1278,10 +1266,10 @@ golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa h1:zuSxTR4o9y82ebqCUJYNGJbGPo6sKVl54f/TVDObg1c= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU= +golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -1318,8 +1306,9 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I= +golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI= golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -1631,8 +1620,9 @@ golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.6-0.20210820212750-d4cc65f0b2ff/go.mod h1:YD9qOF0M9xpSpdWTBbzEl5e/RnCefISl8E5Noe10jFM= -golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.2.0 h1:G6AHpWxTMGY1KyEYoAQ5WTtIekUUvDNjan3ugu60JvE= +golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA= golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -1894,7 +1884,6 @@ gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76 gopkg.in/square/go-jose.v2 v2.4.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/validator.v2 v2.0.0-20200605151824-2b28d334fa05/go.mod h1:o4V0GXN9/CAmCsvJ0oXYZvrZOe7syiDZSN1GWGZTGzc= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= 
@@ -1926,19 +1915,19 @@ honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9 k8s.io/api v0.23.3/go.mod h1:w258XdGyvCmnBj/vGzQMj6kzdufJZVUwEM1U2fRJwSQ= k8s.io/api v0.26.0 h1:IpPlZnxBpV1xl7TGk/X6lFtpgjgntCg8PJ+qrPHAC7I= k8s.io/api v0.26.0/go.mod h1:k6HDTaIFC8yn1i6pSClSqIwLABIcLV9l5Q4EcngKnQg= -k8s.io/apiextensions-apiserver v0.25.0 h1:CJ9zlyXAbq0FIW8CD7HHyozCMBpDSiH7EdrSTCZcZFY= -k8s.io/apiextensions-apiserver v0.25.0/go.mod h1:3pAjZiN4zw7R8aZC5gR0y3/vCkGlAjCazcg1me8iB/E= +k8s.io/apiextensions-apiserver v0.26.0 h1:Gy93Xo1eg2ZIkNX/8vy5xviVSxwQulsnUdQ00nEdpDo= +k8s.io/apiextensions-apiserver v0.26.0/go.mod h1:7ez0LTiyW5nq3vADtK6C3kMESxadD51Bh6uz3JOlqWQ= k8s.io/apimachinery v0.23.3/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM= k8s.io/apimachinery v0.26.0 h1:1feANjElT7MvPqp0JT6F3Ss6TWDwmcjLypwoPpEf7zg= k8s.io/apimachinery v0.26.0/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74= k8s.io/apiserver v0.23.3/go.mod h1:3HhsTmC+Pn+Jctw+Ow0LHA4dQ4oXrQ4XJDzrVDG64T4= k8s.io/client-go v0.23.3/go.mod h1:47oMd+YvAOqZM7pcQ6neJtBiFH7alOyfunYN48VsmwE= -k8s.io/client-go v0.25.4 h1:3RNRDffAkNU56M/a7gUfXaEzdhZlYhoW8dgViGy5fn8= -k8s.io/client-go v0.25.4/go.mod h1:8trHCAC83XKY0wsBIpbirZU4NTUpbuhc2JnI7OruGZw= +k8s.io/client-go v0.26.0 h1:lT1D3OfO+wIi9UFolCrifbjUUgu7CpLca0AD8ghRLI8= +k8s.io/client-go v0.26.0/go.mod h1:I2Sh57A79EQsDmn7F7ASpmru1cceh3ocVT9KlX2jEZg= k8s.io/code-generator v0.23.3/go.mod h1:S0Q1JVA+kSzTI1oUvbKAxZY/DYbA/ZUb4Uknog12ETk= k8s.io/component-base v0.23.3/go.mod h1:1Smc4C60rWG7d3HjSYpIwEbySQ3YWg0uzH5a2AtaTLg= -k8s.io/component-base v0.25.0 h1:haVKlLkPCFZhkcqB6WCvpVxftrg6+FK5x1ZuaIDaQ5Y= -k8s.io/component-base v0.25.0/go.mod h1:F2Sumv9CnbBlqrpdf7rKZTmmd2meJq0HizeyY/yAFxk= +k8s.io/component-base v0.26.0 h1:0IkChOCohtDHttmKuz+EP3j3+qKmV55rM9gIFTXA7Vs= +k8s.io/component-base v0.26.0/go.mod h1:lqHwlfV1/haa14F/Z5Zizk5QmzaVf23nQzCwVOQpfC8= k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod 
h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= 
@@ -1952,14 +1941,14 @@ k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+O k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20221107191617-1a15be271d1d h1:0Smp/HP1OH4Rvhe+4B8nWGERtlqAGSftbSbbmm45oFs= -k8s.io/utils v0.0.0-20221107191617-1a15be271d1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 h1:KTgPnR10d5zhztWptI952TNtt/4u5h3IzDXkdIMuo2Y= +k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.27/go.mod h1:tq2nT0Kx7W+/f2JVE+zxYtUhdjuELJkVpNz+x/QN5R4= -sigs.k8s.io/controller-runtime v0.13.1 h1:tUsRCSJVM1QQOOeViGeX3GMT3dQF1eePPw6sEE3xSlg= -sigs.k8s.io/controller-runtime v0.13.1/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI= +sigs.k8s.io/controller-runtime v0.14.1 h1:vThDes9pzg0Y+UbCPY3Wj34CGIYPgdmspPm2GIpxpzM= +sigs.k8s.io/controller-runtime v0.14.1/go.mod h1:GaRkrY8a7UZF0kqFFbUKG7n9ICiTY5T55P1RiE3UZlU= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= 
diff --git a/pkg/server/plugin/notifier/k8sbundle/k8sbundle.go b/pkg/server/plugin/notifier/k8sbundle/k8sbundle.go index 0bde1d47da..2894ccc0e6 100644 --- a/pkg/server/plugin/notifier/k8sbundle/k8sbundle.go +++ b/pkg/server/plugin/notifier/k8sbundle/k8sbundle.go @@ -160,7 +160,10 @@ func (p *Plugin) startInformers(ctx context.Context, config *pluginConfig, clien if config.WebhookLabel != "" || config.APIServiceLabel != "" { informerSynced := []cache.InformerSynced{} for _, client := range clients { - informer := client.Informer(p.hooks.informerCallback) + informer, err := client.Informer(p.hooks.informerCallback) + if err != nil { + return err + } if informer != nil { go informer.Run(stopCh) informerSynced = append(informerSynced, informer.HasSynced) @@ -421,7 +424,7 @@ type kubeClient interface { GetList(ctx context.Context) (runtime.Object, error) CreatePatch(ctx context.Context, obj runtime.Object, resp *identityproviderv1.FetchX509IdentityResponse) (runtime.Object, error) Patch(ctx context.Context, namespace, name string, patchBytes []byte) error - Informer(callback informerCallback) cache.SharedIndexInformer + Informer(callback informerCallback) (cache.SharedIndexInformer, error) } // configMapClient encapsulates the Kubernetes API for updating the CA Bundle in a config map @@ -467,8 +470,8 @@ func (c configMapClient) Patch(ctx context.Context, namespace, name string, patc return err } -func (c configMapClient) Informer(callback informerCallback) cache.SharedIndexInformer { - return nil +func (c configMapClient) Informer(callback informerCallback) (cache.SharedIndexInformer, error) { + return nil, nil } // apiServiceClient encapsulates the Kubernetes API for updating the CA Bundle in an API Service 
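Review bot: The new `return err` inside the `for _, client := range clients` loop of startInformers exits after earlier iterations may already have run `go informer.Run(stopCh)`. A failure on a later client can therefore leave the earlier informers running unless the error path closes `stopCh`. That cannot be confirmed here, because the function body starts and ends outside the hunk. The error is also returned bare, so the caller cannot tell which step failed; consider wrapping it, for example `return fmt.Errorf("starting informer: %w", err)`, assuming `fmt` is already imported in this file.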
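Review bot: `configMapClient.Informer` now returns `nil, nil`, which is only safe because startInformers checks `informer != nil` after the error check. A nil value paired with a nil error is easy to dereference from a new call site. A doc comment on the method and on the `kubeClient` interface entry would make the contract explicit, e.g. `// Informer returns a nil informer and a nil error when the client has nothing to watch.` The same applies to `fakeKubeClient.Informer` in k8sbundle_test.go.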
@@ -518,9 +521,11 @@ func (c apiServiceClient) Patch(ctx context.Context, namespace, name string, pat return err } -func (c apiServiceClient) Informer(callback informerCallback) cache.SharedIndexInformer { +func (c apiServiceClient) Informer(callback informerCallback) (cache.SharedIndexInformer, error) { informer := c.factory.Apiregistration().V1().APIServices().Informer() - informer.AddEventHandler(cache.ResourceEventHandlerFuncs{ + // AddEventHandler now support returning event handler registration, + // to remove them if required (https://github.com/kubernetes-sigs/controller-runtime/pull/2046) + _, err := informer.AddEventHandler(cache.ResourceEventHandlerFuncs{ AddFunc: func(obj interface{}) { callback(c, obj.(runtime.Object)) }, @@ -528,7 +533,10 @@ func (c apiServiceClient) Informer(callback informerCallback) cache.SharedIndexI callback(c, newObj.(runtime.Object)) }, }) - return informer + if err != nil { + return nil, err + } + return informer, nil } // mutatingWebhookClient encapsulates the Kubernetes API for updating the CA Bundle in a mutating webhook @@ -589,9 +597,9 @@ func (c mutatingWebhookClient) Patch(ctx context.Context, namespace, name string return err } -func (c mutatingWebhookClient) Informer(callback informerCallback) cache.SharedIndexInformer { +func (c mutatingWebhookClient) Informer(callback informerCallback) (cache.SharedIndexInformer, error) { informer := c.factory.Admissionregistration().V1().MutatingWebhookConfigurations().Informer() - informer.AddEventHandler(cache.ResourceEventHandlerFuncs{ + _, err := informer.AddEventHandler(cache.ResourceEventHandlerFuncs{ AddFunc: func(obj interface{}) { callback(c, obj.(runtime.Object)) }, 
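Review bot: The comment added above `informer.AddEventHandler` in apiServiceClient.Informer explains the new return value but not why the registration handle is dropped with `_`. It should state that intent, e.g. `// The registration handle is discarded; the handler is never removed from this informer.` The `return nil, err` that follows in the next hunk gives no context about which resource failed, and the same bare return appears in mutatingWebhookClient.Informer and validatingWebhookClient.Informer. Wrapping each with the resource kind would make a startup failure in the bundle notifier diagnosable from the log. The function body is split across this hunk and the next one.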
@@ -599,7 +607,10 @@ func (c mutatingWebhookClient) Informer(callback informerCallback) cache.SharedI callback(c, newObj.(runtime.Object)) }, }) - return informer + if err != nil { + return nil, err + } + return informer, nil } // validatingWebhookClient encapsulates the Kubernetes API for updating the CA Bundle in a validating webhook @@ -660,9 +671,9 @@ func (c validatingWebhookClient) Patch(ctx context.Context, namespace, name stri return err } -func (c validatingWebhookClient) Informer(callback informerCallback) cache.SharedIndexInformer { +func (c validatingWebhookClient) Informer(callback informerCallback) (cache.SharedIndexInformer, error) { informer := c.factory.Admissionregistration().V1().ValidatingWebhookConfigurations().Informer() - informer.AddEventHandler(cache.ResourceEventHandlerFuncs{ + _, err := informer.AddEventHandler(cache.ResourceEventHandlerFuncs{ AddFunc: func(obj interface{}) { callback(c, obj.(runtime.Object)) }, @@ -670,7 +681,10 @@ func (c validatingWebhookClient) Informer(callback informerCallback) cache.Share callback(c, newObj.(runtime.Object)) }, }) - return informer + if err != nil { + return nil, err + } + return informer, nil } // bundleData formats the bundle data for inclusion in the config map diff --git a/pkg/server/plugin/notifier/k8sbundle/k8sbundle_test.go b/pkg/server/plugin/notifier/k8sbundle/k8sbundle_test.go index c80f2edcf0..af5df0e414 100644 --- a/pkg/server/plugin/notifier/k8sbundle/k8sbundle_test.go +++ b/pkg/server/plugin/notifier/k8sbundle/k8sbundle_test.go @@ -773,8 +773,8 @@ func (c *fakeKubeClient) Patch(ctx context.Context, namespace, configMap string, return nil } -func (c *fakeKubeClient) Informer(callback informerCallback) cache.SharedIndexInformer { - return nil +func (c *fakeKubeClient) Informer(callback informerCallback) (cache.SharedIndexInformer, error) { + return nil, nil } func (c *fakeKubeClient) getConfigMap(namespace, configMap string) *corev1.ConfigMap { 
diff --git a/support/k8s/k8s-workload-registrar/mode-reconcile/controllers/pod_controller_test.go b/support/k8s/k8s-workload-registrar/mode-reconcile/controllers/pod_controller_test.go index 600b630526..eb767cd3f7 100644 --- a/support/k8s/k8s-workload-registrar/mode-reconcile/controllers/pod_controller_test.go +++ b/support/k8s/k8s-workload-registrar/mode-reconcile/controllers/pod_controller_test.go @@ -39,8 +39,6 @@ type PodControllerTestSuite struct { ds *fakedatastore.DataStore entryClient *fakeentryclient.Client - k8sClient client.Client - log logr.Logger } @@ -52,8 +50,6 @@ func (s *PodControllerTestSuite) SetupTest() { s.ctrl = mockCtrl - s.k8sClient = fake.NewClientBuilder().WithScheme(scheme.Scheme).Build() - s.log = zap.New() } @@ -85,8 +81,9 @@ func (s *PodControllerTestSuite) TestAddChangeRemovePod() { for _, tt := range tests { tt := tt s.Run(tt.first, func() { + k8sClient := createK8sClient() r := NewPodReconciler( - s.k8sClient, + k8sClient, s.log, scheme.Scheme, podControllerTestTrustDomain, @@ -122,7 +119,7 @@ func (s *PodControllerTestSuite) TestAddChangeRemovePod() { _, err := s.ds.AppendBundle(ctx, &common.Bundle{TrustDomainId: "spiffe://example.io"}) s.Assert().NoError(err) - err = s.k8sClient.Create(ctx, &pod) + err = k8sClient.Create(ctx, &pod) s.Assert().NoError(err) _, err = r.Reconcile(ctx, ctrl.Request{ @@ -143,7 +140,7 @@ func (s *PodControllerTestSuite) TestAddChangeRemovePod() { pod.Annotations["spiffe"] = "annotation2" pod.Spec.ServiceAccountName = "sa2" - err = s.k8sClient.Update(ctx, &pod) + err = k8sClient.Update(ctx, &pod) s.Assert().NoError(err) _, err = r.Reconcile(ctx, ctrl.Request{ @@ -166,7 +163,7 @@ func (s *PodControllerTestSuite) TestAddChangeRemovePod() { s.Assert().NoError(err) s.Assert().Len(es, 1) - err = s.k8sClient.Delete(ctx, &pod) + err = k8sClient.Delete(ctx, &pod) s.Assert().NoError(err) _, err = r.Reconcile(ctx, ctrl.Request{ 
@@ -189,8 +186,32 @@ func (s *PodControllerTestSuite) TestAddChangeRemovePod() { func (s *PodControllerTestSuite) TestAddDnsNames() { ctx := context.TODO() + endpointsToCreate := corev1.Endpoints{ + ObjectMeta: metav1.ObjectMeta{Name: "foo-svc", Namespace: "bar"}, + Subsets: []corev1.EndpointSubset{{ + Addresses: []corev1.EndpointAddress{ + { + IP: "123.123.123.123", + TargetRef: &corev1.ObjectReference{ + Kind: "Pod", + Namespace: "bar", + Name: "foo", + }, + }, + }, + Ports: []corev1.EndpointPort{ + { + Name: "endpointName", + Protocol: "TCP", + Port: 12345, + }, + }, + }}, + } + k8sClient := createK8sClientWithEndpoint(&endpointsToCreate, "foo") + r := NewPodReconciler( - s.k8sClient, + k8sClient, s.log, scheme.Scheme, podControllerTestTrustDomain, @@ -218,7 +239,7 @@ func (s *PodControllerTestSuite) TestAddDnsNames() { PodIP: "123.123.123.124", }, } - err := s.k8sClient.Create(ctx, &pod) + err := k8sClient.Create(ctx, &pod) s.Assert().NoError(err) _, err = r.Reconcile(ctx, ctrl.Request{ @@ -240,30 +261,7 @@ func (s *PodControllerTestSuite) TestAddDnsNames() { }, es[0].DnsNames) } - endpointsToCreate := corev1.Endpoints{ - ObjectMeta: metav1.ObjectMeta{Name: "foo-svc", Namespace: "bar"}, - Subsets: []corev1.EndpointSubset{{ - Addresses: []corev1.EndpointAddress{ - { - IP: "123.123.123.123", - TargetRef: &corev1.ObjectReference{ - Kind: "Pod", - Namespace: "bar", - Name: "foo", - }, - }, - }, - Ports: []corev1.EndpointPort{ - { - Name: "endpointName", - Protocol: "TCP", - Port: 12345, - }, - }, - }}, - } - - err = s.k8sClient.Create(ctx, &endpointsToCreate) + err = k8sClient.Create(ctx, &endpointsToCreate) s.Assert().NoError(err) _, err = r.Reconcile(ctx, ctrl.Request{ 
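Review bot: `createK8sClientWithEndpoint(&endpointsToCreate, "foo")` in TestAddDnsNames builds the fake client with an index whose extractor, defined in the last hunk of this file, ignores its argument and returns the fixed string for every object: `func(client.Object) []string { return []string{uid} }`. Lookups on `endpointSubsetAddressReferenceField` therefore do not depend on the `TargetRef` set in the fixture, so these tests would presumably still pass if the production key extraction were wrong. The same holds for TestDottedPodNamesDns and TestDottedServiceNamesDns. At minimum the helper's comment should say so, e.g. `// The index function is a stub: it files every object under uid and does not inspect the Endpoints addresses.` The parameter name `uid` also looks misleading, since the callers pass the strings used as `TargetRef.Name`.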
@@ -302,8 +300,32 @@ func (s *PodControllerTestSuite) TestAddDnsNames() { func (s *PodControllerTestSuite) TestDottedPodNamesDns() { ctx := context.TODO() + endpointsToCreate := corev1.Endpoints{ + ObjectMeta: metav1.ObjectMeta{Name: "foo-svc", Namespace: "bar"}, + Subsets: []corev1.EndpointSubset{{ + Addresses: []corev1.EndpointAddress{ + { + IP: "123.123.123.123", + TargetRef: &corev1.ObjectReference{ + Kind: "Pod", + Namespace: "bar", + Name: "foo.3.0.0.woo", + }, + }, + }, + Ports: []corev1.EndpointPort{ + { + Name: "endpointName", + Protocol: "TCP", + Port: 12345, + }, + }, + }}, + } + k8sClient := createK8sClientWithEndpoint(&endpointsToCreate, "foo.3.0.0.woo") + r := NewPodReconciler( - s.k8sClient, + k8sClient, s.log, scheme.Scheme, podControllerTestTrustDomain, @@ -331,33 +353,10 @@ func (s *PodControllerTestSuite) TestDottedPodNamesDns() { PodIP: "123.123.123.124", }, } - err := s.k8sClient.Create(ctx, &pod) + err := k8sClient.Create(ctx, &pod) s.Assert().NoError(err) - endpointsToCreate := corev1.Endpoints{ - ObjectMeta: metav1.ObjectMeta{Name: "foo-svc", Namespace: "bar"}, - Subsets: []corev1.EndpointSubset{{ - Addresses: []corev1.EndpointAddress{ - { - IP: "123.123.123.123", - TargetRef: &corev1.ObjectReference{ - Kind: "Pod", - Namespace: "bar", - Name: "foo.3.0.0.woo", - }, - }, - }, - Ports: []corev1.EndpointPort{ - { - Name: "endpointName", - Protocol: "TCP", - Port: 12345, - }, - }, - }}, - } - - err = s.k8sClient.Create(ctx, &endpointsToCreate) + err = k8sClient.Create(ctx, &endpointsToCreate) s.Assert().NoError(err) _, err = r.Reconcile(ctx, ctrl.Request{ 
@@ -393,8 +392,31 @@ func (s *PodControllerTestSuite) TestDottedPodNamesDns() { func (s *PodControllerTestSuite) TestDottedServiceNamesDns() { ctx := context.TODO() + endpointsToCreate := corev1.Endpoints{ + ObjectMeta: metav1.ObjectMeta{Name: "foo-svc.3.0.0", Namespace: "bar"}, + Subsets: []corev1.EndpointSubset{{ + Addresses: []corev1.EndpointAddress{ + { + IP: "123.123.123.123", + TargetRef: &corev1.ObjectReference{ + Kind: "Pod", + Namespace: "bar", + Name: "foo", + }, + }, + }, + Ports: []corev1.EndpointPort{ + { + Name: "endpointName", + Protocol: "TCP", + Port: 12345, + }, + }, + }}, + } + k8sClient := createK8sClientWithEndpoint(&endpointsToCreate, "foo") r := NewPodReconciler( - s.k8sClient, + k8sClient, s.log, scheme.Scheme, podControllerTestTrustDomain, @@ -422,33 +444,10 @@ func (s *PodControllerTestSuite) TestDottedServiceNamesDns() { PodIP: "123.123.123.124", }, } - err := s.k8sClient.Create(ctx, &pod) + err := k8sClient.Create(ctx, &pod) s.Assert().NoError(err) - endpointsToCreate := corev1.Endpoints{ - ObjectMeta: metav1.ObjectMeta{Name: "foo-svc.3.0.0", Namespace: "bar"}, - Subsets: []corev1.EndpointSubset{{ - Addresses: []corev1.EndpointAddress{ - { - IP: "123.123.123.123", - TargetRef: &corev1.ObjectReference{ - Kind: "Pod", - Namespace: "bar", - Name: "foo", - }, - }, - }, - Ports: []corev1.EndpointPort{ - { - Name: "endpointName", - Protocol: "TCP", - Port: 12345, - }, - }, - }}, - } - - err = s.k8sClient.Create(ctx, &endpointsToCreate) + err = k8sClient.Create(ctx, &endpointsToCreate) s.Assert().NoError(err) _, err = r.Reconcile(ctx, ctrl.Request{ @@ -476,8 +475,9 @@ func (s *PodControllerTestSuite) TestDottedServiceNamesDns() { func (s *PodControllerTestSuite) TestSkipsDisabledNamespace() { ctx := context.TODO() + k8sClient := createK8sClient() r := NewPodReconciler( - s.k8sClient, + k8sClient, s.log, scheme.Scheme, podControllerTestTrustDomain, 
@@ -505,7 +505,7 @@ func (s *PodControllerTestSuite) TestSkipsDisabledNamespace() { PodIP: "123.123.123.124", }, } - err := s.k8sClient.Create(ctx, &pod) + err := k8sClient.Create(ctx, &pod) s.Assert().NoError(err) _, err = r.Reconcile(ctx, ctrl.Request{ @@ -522,3 +522,19 @@ func (s *PodControllerTestSuite) TestSkipsDisabledNamespace() { s.Assert().NoError(err) s.Assert().Len(es, 0) } + +func createK8sClient() client.Client { + return fake.NewClientBuilder(). + WithScheme(scheme.Scheme). + Build() +} + +// createK8sClientWithEndpoint add Index to client, that is used to filter resources +func createK8sClientWithEndpoint(endpoints *corev1.Endpoints, uid string) client.Client { + return fake.NewClientBuilder(). + WithScheme(scheme.Scheme). + WithIndex(endpoints, + endpointSubsetAddressReferenceField, + func(client.Object) []string { return []string{uid} }). + Build() +} From 8aae8a382ad50d2e7ab9aeb85b30a8f8920ada3b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 30 Dec 2022 15:23:32 -0300 Subject: [PATCH 249/257] Bump k8s.io/kube-aggregator from 0.23.3 to 0.26.0 (#3693) Bumps [k8s.io/kube-aggregator](https://github.com/kubernetes/kube-aggregator) from 0.23.3 to 0.26.0. - [Release notes](https://github.com/kubernetes/kube-aggregator/releases) - [Commits](https://github.com/kubernetes/kube-aggregator/compare/v0.23.3...v0.26.0) --- updated-dependencies: - dependency-name: k8s.io/kube-aggregator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 198 +-------------------------------------------------------- 2 files changed, 3 insertions(+), 197 deletions(-) diff --git a/go.mod b/go.mod index c0346596b7..57c269492f 100644 --- a/go.mod +++ b/go.mod 
@@ -75,7 +75,7 @@ require ( k8s.io/api v0.26.0 k8s.io/apimachinery v0.26.0 k8s.io/client-go v0.26.0 - k8s.io/kube-aggregator v0.23.3 + k8s.io/kube-aggregator v0.26.0 k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 sigs.k8s.io/controller-runtime v0.14.1 ) diff --git a/go.sum b/go.sum index 335830b7e9..835ad08d61 100644 --- a/go.sum +++ b/go.sum @@ -136,7 +136,6 @@ cloud.google.com/go/edgecontainer v0.2.0/go.mod h1:RTmLijy+lGpQ7BXuTDa4C4ssxyXT3 cloud.google.com/go/essentialcontacts v1.3.0/go.mod h1:r+OnHa5jfj90qIfZDO/VztSFqbQan7HV75p8sA+mdGI= cloud.google.com/go/eventarc v1.7.0/go.mod h1:6ctpF3zTnaQCxUjHUdcfgcA1A2T309+omHZth7gDfmc= cloud.google.com/go/filestore v1.3.0/go.mod h1:+qbvHGvXU1HaKX2nD0WEPo92TP/8AQuCVEBXNY9z0+w= -cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= cloud.google.com/go/functions v1.6.0/go.mod h1:3H1UA3qiIPRWD7PeZKLvHZ9SaQhR26XIJcC0A5GbvAk= cloud.google.com/go/functions v1.7.0/go.mod h1:+d+QBcWM+RsrgZfV9xo6KfA1GlzJfxcfZcRPEhDDfzg= cloud.google.com/go/functions v1.8.0/go.mod h1:RTZ4/HsQjIqIYP9a9YPbU+QFoQsAlYgrwOXJWHn1POY= 
@@ -303,16 +302,7 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0/go.mod h1:243D9iHbcQXoFUtgHJwL7gl2zx1aDuDMjvBZVGr2uW0= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0 h1:ECsQtyERDVz3NP3kvDOTLvbQhqWp/x9EsGKtb4ogUr8= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0/go.mod h1:s1tW/At+xHqjNFvWU4G0c0Qv33KOhvbGNj0RCTQDV8s= -github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= -github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= -github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= -github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= -github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= -github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= -github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= -github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/AzureAD/microsoft-authentication-library-for-go v0.4.0/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4= github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0 h1:VgSJlZH5u0k2qxSpqyghcFQKmvYckj46uymKK5XzkBM= github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0/go.mod h1:BDJ5qMFKx9DugEg3+uQSDCdbYPr5s9vBTrL9P8TpqOU= 
@@ -331,14 +321,10 @@ github.com/Masterminds/sprig/v3 v3.2.1/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFP github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg= github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE= -github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= -github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= github.com/PuerkitoBio/goquery v1.5.1/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBKeU+7zCJoLcc= -github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8= github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= 
@@ -352,15 +338,12 @@ github.com/andybalholm/cascadia v1.1.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9Pq github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= -github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= -github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= github.com/armon/go-metrics v0.4.1 h1:hR91U9KYmb6bLBYLQjyM+3j+rcd/UhE+G78SFnF8gJA= github.com/armon/go-metrics v0.4.1/go.mod h1:E6amYzXo6aW1tqzoZGT755KkbgrJsSdpwZ+3JqfkOG4= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI= github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= -github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= github.com/aws/aws-sdk-go-v2 v1.16.13/go.mod h1:xSyvSnzh0KLs5H4HJGeIEsNYemUWdNIl0b/rP6SIsLU= github.com/aws/aws-sdk-go-v2 v1.16.15/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= github.com/aws/aws-sdk-go-v2 v1.17.1/go.mod h1:JLnGeGONAyi2lWXI1p0PCIOIy333JMVK1U7Hf0aRFLw= 
@@ -408,7 +391,6 @@ github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J github.com/aws/smithy-go v1.13.4/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8= github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= -github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= @@ -417,9 +399,6 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/speakeasy v0.1.0 h1:ByYyxL9InA1OWqxJqqp2A5pYHUrCiAL6K3J+LKSsQkY= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= -github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84= -github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM= -github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA= 
@@ -427,8 +406,6 @@ github.com/cactus/go-statsd-client/statsd v0.0.0-20200423205355-cb0885a1018c/go. github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M= github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= -github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= 
@@ -452,26 +429,18 @@ github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWH github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490 h1:KwaoQzs/WeUxxJqiJsZ4euOly1Az/IgZXXSxlD/UBNk= github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ= -github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo= -github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA= -github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= -github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= -github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= -github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/cpuguy83/go-md2man 
v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -496,10 +465,6 @@ github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo= -github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= -github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 
@@ -529,17 +494,12 @@ github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo= github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk= github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= -github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= -github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= github.com/foxcpp/go-mockdns v0.0.0-20210729171921-fb145fc6f897 h1:E52jfcE64UG42SwLmrW0QByONfGynWuzBvm86BoB9z8= github.com/frankban/quicktest v1.13.0 h1:yNZif1OkDfNoDfb9zZa9aXIpejNR4F23Wely0c+Qdqk= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= -github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg= -github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ= github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= 
@@ -553,13 +513,10 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= -github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= -github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/zapr v1.2.0/go.mod h1:Qa4Bsj2Vb+FAVeAKsLD8RLQ+YRJB8YDmOAKxaBQf7Ro= github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4= github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY= 
@@ -567,8 +524,6 @@ github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiU github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= -github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA= github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo= github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= @@ -588,7 +543,6 @@ github.com/gofrs/uuid v4.3.1+incompatible h1:0/KbAdpx3UXAx1kEOWHJeOkpbgRFGHVgv+C github.com/gofrs/uuid v4.3.1+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= -github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= 
@@ -640,7 +594,6 @@ github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= github.com/google/certificate-transparency-go v1.1.2 h1:4hE0GEId6NAW28dFpC+LrRGwQX5dtmXQGDbg8+/MZOM= github.com/google/flatbuffers v1.12.1 h1:MVlul7pQNoDzWRLTw5imwYsl+usrS1TXG2H4jg6ImGw= github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= @@ -674,7 +627,6 @@ github.com/google/go-tpm-tools v0.3.10 h1:hz9EoyG4Ewa0leT3OvxlWprq14Lw0RBmfFcH9H github.com/google/go-tpm-tools v0.3.10/go.mod h1:HQfQboO+M8pRtBfO5U3KMhwzfC/XC3TaMCgRfTpII8Q= github.com/google/go-tspi v0.2.1-0.20190423175329-115dea689aad h1:LnpS22S8V1HqbxjveESGAazHhi6BX9SwI2Rij7qZcXQ= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/logger v1.1.1 h1:+6Z2geNxc9G+4D4oDO9njjjn2d0wN5d7uOo0vOIW1NQ= 
@@ -720,26 +672,17 @@ github.com/googleapis/gax-go/v2 v2.5.1/go.mod h1:h6B0KMMFNtI2ddbGJn3T3ZbwkeT6yqE github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMdcIDwU/6+DDoY= github.com/googleapis/gax-go/v2 v2.7.0 h1:IcsPKeInNvYi7eqSaDjiZqDDKu5rsmunY0Y1YupQSSQ= github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8= -github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU= -github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA= github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= -github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gordonklaus/ineffassign v0.0.0-20200309095847-7953dde2c7bf/go.mod h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU= github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4= github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q= -github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= -github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= -github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= -github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= 
github.com/hanwen/go-fuse v1.0.0/go.mod h1:unqXarDXqzAk0rt98O2tVndEPIpUgLD9+rwFisZH3Ok= github.com/hanwen/go-fuse/v2 v2.1.0/go.mod h1:oRyA5eK+pvJyv5otpO/DgccS8y/RvYMaO00GgRLGryc= -github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= -github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= @@ -755,7 +698,6 @@ github.com/hashicorp/go-hclog v1.4.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVH github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= -github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= 
@@ -765,7 +707,6 @@ github.com/hashicorp/go-plugin v1.4.6/go.mod h1:viDMjcLJuDui6pXb8U4HVfb8AamCWhHG github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= github.com/hashicorp/go-retryablehttp v0.6.6 h1:HJunrbHTDDbBb/ay4kxa1n+dLmttUlnP3V9oNE4hmsM= github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= -github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= github.com/hashicorp/go-secure-stdlib/mlock v0.1.1 h1:cCRo8gK7oq6A2L6LICkUZ+/a5rLiRXFMf1Qd4xSwxTc= 
@@ -775,17 +716,13 @@ github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6/go.mod h1:QmrqtbKuxxSWTN3 github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U= github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= -github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc= github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= -github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= -github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE= github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-version v1.2.0 h1:3vNe/fWF5CBgRIguda1meWhsZHy3m8gCJ5wx+dIzX/E= github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= -github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= 
@@ -793,10 +730,6 @@ github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uG github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/hcl v1.0.1-0.20190430135223-99e2f22d1c94 h1:LaH4JWe6Q7ICdxL5raxQjSRw7Pj8uTtAENrjejIYZIg= github.com/hashicorp/hcl v1.0.1-0.20190430135223-99e2f22d1c94/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= -github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= -github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= -github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= -github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= github.com/hashicorp/vault/api v1.8.2 h1:C7OL9YtOtwQbTKI9ogB0A1wffRbCN+rH/LLCHO3d8HM= github.com/hashicorp/vault/api v1.8.2/go.mod h1:ML8aYzBIhY5m1MD1B2Q0JV89cC85YVH4t5kBaZiyVaE= github.com/hashicorp/vault/sdk v0.6.2 h1:LtWXUM+WheM5T8pOO/6nOTiFwnE+4y3bPztFf15Oz24= 
@@ -804,14 +737,12 @@ github.com/hashicorp/vault/sdk v0.6.2/go.mod h1:KyfArJkhooyba7gYCKSq8v66QdqJmnbA github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d h1:kJCB4vdITiW1eC1vq2e6IsrXKrZit1bv/TDYFGMp4BQ= github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= -github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw= github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= 
@@ -871,7 +802,6 @@ github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHW github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= -github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= @@ -883,11 +813,9 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= -github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= -github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.13.6 h1:P76CopJELS0TiO2mebmnzgWaajssP/EszplttgQxcgc= 
@@ -918,8 +846,6 @@ github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= -github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= -github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA= 
@@ -943,27 +869,21 @@ github.com/mattn/go-sqlite3 v1.14.0/go.mod h1:JIl7NbARA7phWnGvh0LKTyg7S9BA+6gx71 github.com/mattn/go-sqlite3 v1.14.16 h1:yOQRA0RpS5PFz/oikGwBEqvAWhWg5ufRz4ETLjwpU1Y= github.com/mattn/go-sqlite3 v1.14.16/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/matttproud/golang_protobuf_extensions v1.0.2 h1:hAHbPm5IJGijwng3PWk09JkG9WeqChjprR5s9bBZ+OM= github.com/matttproud/golang_protobuf_extensions v1.0.2/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/microsoft/go-mssqldb v0.17.0/go.mod h1:OkoNGhGEs8EZqchVTtochlXruEhEOaO4S0d2sB5aeGQ= -github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= github.com/mitchellh/cli v1.1.5 h1:OxRIeJXpAMztws/XHlN2vu6imG5Dpq+j61AzAX5fLng= github.com/mitchellh/cli v1.1.5/go.mod h1:v8+iFts2sPIKUV1ltktPXMCC8fumSKFItNcD2cLtRR4= github.com/mitchellh/copystructure v1.0.0 h1:Laisrj+bAB6b/yJwB5Bt3ITZhGJdqmxquMKeZ+mmkFQ= github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= -github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= github.com/mitchellh/go-testing-interface v1.0.0 h1:fzU/JVNcaqHQEcVFAKeR41fkiLdIPrefOvVG1VZ96U0= github.com/mitchellh/go-testing-interface 
v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= -github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= -github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= -github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= @@ -971,8 +891,6 @@ github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mitchellh/reflectwalk v1.0.1 h1:FVzMWA5RllMAKIdUSC8mdWo3XtwoecrH79BY70sEEpE= github.com/mitchellh/reflectwalk v1.0.1/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= -github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= -github.com/moby/term v0.0.0-20210610120745-9d4ed1856297/go.mod h1:vgPCkQMyxTZ7IDy8SXRufE172gr8+K/JE/7hHFxHW3A= github.com/moby/term v0.0.0-20220808134915-39b0c02b01ae h1:O4SWKdcHVCvYqyDV+9CJA1fcDN2L11Bule0iFy3YlAI= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= 
@@ -984,27 +902,16 @@ github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjY github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3PzxT8aQXRPkAt8xlV/e7d7w8GM5g0fa5F0D8= github.com/montanaflynn/stats v0.6.6/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= -github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nishanths/predeclared v0.0.0-20200524104333-86fad755b4d3/go.mod h1:nt3d53pc1VYcphSCIaYAJtnPYnr3Zyn8fMq2wvPGPso= -github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw= github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= -github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= -github.com/onsi/ginkgo v1.14.0 
h1:2mOpI4JVVPBN+WQRa0WKH2eXR+Ey+uK4n7Zj0aYpIQA= -github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= github.com/onsi/ginkgo/v2 v2.6.0 h1:9t9b9vRUbFq3C4qKFCGkVuq/fIHji802N1nrtkh1mNc= -github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= -github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= -github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.24.1 h1:KORJXNNTzJXzu4ScJWssJfJMnJ+2QJqhoQSRwNlze9E= github.com/open-policy-agent/opa v0.47.4 h1:CTPIoAv6/UJX+BkSkqytbofWrZHyfQ/A0ESE4FSKR9A= github.com/open-policy-agent/opa v0.47.4/go.mod h1:I5DbT677OGqfk9gvu5i54oIt0rrVf4B5pedpqDquAXo= 
@@ -1012,15 +919,11 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 h1:rc3tiVYb5z54aKaDfakKn0dDjIyPpTtszkjuMzyt7ec= github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= -github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= -github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY= github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g= github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= -github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= -github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/pierrec/lz4 v2.5.2+incompatible h1:WCjObylUIOlKy/+7Abdn34TLIkXiA4UWUMhxq9m9ZXI= github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ= 
@@ -1038,7 +941,6 @@ github.com/posener/complete v1.2.3 h1:NP0eAhjcjImqslEwo/1hq7gpajME0fTLTezBKDqfXq github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s= github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw= github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE= -github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= @@ -1060,7 +962,6 @@ github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8 github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4= github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= -github.com/prometheus/common v0.28.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE= github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA= 
@@ -1084,12 +985,10 @@ github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OK github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= -github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= github.com/shirou/gopsutil/v3 v3.22.11 h1:kxsPKS+Eeo+VnEQ2XCaGJepeP6KY53QoRTETx3+1ndM= github.com/shirou/gopsutil/v3 v3.22.11/go.mod h1:xl0EeL4vXJ+hQMAGN8B9VFpxukEMA0XdevQOe5MZ1oY= github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4= 
@@ -1101,16 +1000,11 @@ github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMB github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= -github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= -github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= -github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= -github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4= github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= 
@@ -1118,17 +1012,12 @@ github.com/spf13/cast v1.3.1 h1:nFm6S0SMdyzrzcmThSipiEubIDy8WEXKNZ0UOgiRpng= github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= -github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo= -github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= -github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= -github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= -github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= github.com/spiffe/go-spiffe/v2 v2.0.1-0.20220414143532-2ed460a8b9d3 h1:FpqM5PfWHs4Ze36HwzMpRefrv8kkmxFgtG9Qc6hL7Dc= github.com/spiffe/go-spiffe/v2 v2.0.1-0.20220414143532-2ed460a8b9d3/go.mod h1:ifsAYiK9MOyuGYFUHUQ3K47dj+k/gd4IcWhlCyDJZEU= github.com/spiffe/spire-api-sdk v1.2.5-0.20221020001527-5895a0279944 h1:yoKYON+goNlajhkpKSfwVPB1qvmeh9MmWDyj5zc4C7o= 
@@ -1153,7 +1042,6 @@ github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1F github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= github.com/tklauser/go-sysconf v0.3.11 h1:89WgdJhk5SNwJfu+GKyYveZ4IaJ7xAkecBo+KdJV0CM= @@ -1161,7 +1049,6 @@ github.com/tklauser/go-sysconf v0.3.11/go.mod h1:GqXfhXY3kiPa0nAXPDIQIWzJbMCB7Am github.com/tklauser/numcpus v0.6.0 h1:kebhY2Qt+3U6RNK7UqpYNA+tJ23IBEGKkB7JQBfDYms= github.com/tklauser/numcpus v0.6.0/go.mod h1:FEZLMke0lhOUG6w2JadTzp0a+Nl8PF/GFkQ5UVIcaL4= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= -github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= github.com/twmb/murmur3 v1.1.5/go.mod h1:Qq/R7NUyOfr65zD+6Q5IHKsJLwP7exErjN6lyyq3OSQ= github.com/twmb/murmur3 v1.1.6 h1:mqrRot1BRxm+Yct+vavLMou2/iJt0tNVTTC0QoIjaZg= 
@@ -1183,7 +1070,6 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= -github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/yusufpapurcu/wmi v1.2.2 h1:KBNDSne4vP5mbSWnJbO+51IMOXJB67QiYCSBrubbPRg= github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= 
@@ -1192,14 +1078,6 @@ github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs= github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= -go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4= -go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= -go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= -go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= -go.etcd.io/etcd/client/v3 v3.5.0/go.mod h1:AIKXXVX/DQXtfTEqBryiLTUXwON+GuvO6Z7lLS/oTh0= -go.etcd.io/etcd/pkg/v3 v3.5.0/go.mod h1:UzJGatBQ1lXChBkQF0AuAtkRQMYnHubxAEYIrC3MSsE= -go.etcd.io/etcd/raft/v3 v3.5.0/go.mod h1:UFOHSIvO/nKwd4lhkwabrTD3cqW5yVyYYf/KlD00Szc= -go.etcd.io/etcd/server/v3 v3.5.0/go.mod h1:3Ah5ruV+M+7RZr0+Y/5mNLwC+eQlni+mQmOVdCRJoS4= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 
@@ -1209,17 +1087,6 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:2AboqHi0CiIZU0qwhtUfCYD1GeUzvvIXWNkhDt7ZMG4= -go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo= -go.opentelemetry.io/otel/exporters/otlp v0.20.0/go.mod h1:YIieizyaN77rtLJra0buKiNBOm9XQfkPEKBeuhoMwAM= -go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU= -go.opentelemetry.io/otel/oteltest v0.20.0/go.mod h1:L7bgKf9ZB7qCwT9Up7i9/pn0PWIa9FqQ2IQ8LoxiGnw= -go.opentelemetry.io/otel/sdk v0.20.0/go.mod h1:g/IcepuwNsoiX5Byy2nNV0ySUF1em498m7hBWC279Yc= -go.opentelemetry.io/otel/sdk/export/metric v0.20.0/go.mod h1:h7RBNMsDJ5pmI1zExLi+bJK+Dr8NQCh0qGhm1KDnNlE= -go.opentelemetry.io/otel/sdk/metric v0.20.0/go.mod h1:knxiS8Xd4E/N+ZqKmUPf3gTTZ4/0TjTXukfxjzSTpHE= -go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= 
@@ -1241,13 +1108,11 @@ go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9E go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= -go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= go.uber.org/zap v1.23.0/go.mod h1:D+nX8jyLsMHMYrln8A0rJjFt/T/9/bGgIhAqxv5URuY= go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 
@@ -1260,11 +1125,9 @@ golang.org/x/crypto v0.0.0-20191205180655-e7c4368fe9dd/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= 
@@ -1313,10 +1176,7 @@ golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73r golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -1331,7 +1191,6 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -1342,7 +1201,6 @@ golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/ golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= 
@@ -1351,7 +1209,6 @@ golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= 
@@ -1359,10 +1216,8 @@ golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLd golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= 
@@ -1388,7 +1243,6 @@ golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= @@ -1423,8 +1277,6 @@ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -1440,13 +1292,10 @@ golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -1462,14 +1311,11 @@ golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -1482,7 +1328,6 @@ golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -1495,10 +1340,8 @@ golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210629170331-7dc0b73dc9fb/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -1527,7 +1370,6 @@ golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ= golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI= golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA= 
@@ -1547,27 +1389,22 @@ golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.2.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools 
v0.0.0-20190425163242-31fd60d6bfdc/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190823170909-c4a336ef6a2f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= @@ -1576,7 +1413,6 @@ golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 
@@ -1597,7 +1433,6 @@ golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjs golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200522201501-cb1345f3a375/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= @@ -1619,7 +1454,6 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.6-0.20210820212750-d4cc65f0b2ff/go.mod h1:YD9qOF0M9xpSpdWTBbzEl5e/RnCefISl8E5Noe10jFM= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.2.0 h1:G6AHpWxTMGY1KyEYoAQ5WTtIekUUvDNjan3ugu60JvE= golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA= 
@@ -1657,7 +1491,6 @@ google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34q google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= -google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8= google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4= google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw= @@ -1720,7 +1553,6 @@ google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfG google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 
@@ -1872,19 +1704,13 @@ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= -gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:aPpfJ7XW+gOuirDoZ8gHhLh3kZ1B08FtV2bbmy7Jv3s= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= -gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/square/go-jose.v2 v2.4.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/validator.v2 v2.0.0-20200605151824-2b28d334fa05/go.mod h1:o4V0GXN9/CAmCsvJ0oXYZvrZOe7syiDZSN1GWGZTGzc= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 
@@ -1902,9 +1728,7 @@ gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= -gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
@@ -1912,50 +1736,32 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.23.3/go.mod h1:w258XdGyvCmnBj/vGzQMj6kzdufJZVUwEM1U2fRJwSQ= k8s.io/api v0.26.0 h1:IpPlZnxBpV1xl7TGk/X6lFtpgjgntCg8PJ+qrPHAC7I= k8s.io/api v0.26.0/go.mod h1:k6HDTaIFC8yn1i6pSClSqIwLABIcLV9l5Q4EcngKnQg= k8s.io/apiextensions-apiserver v0.26.0 h1:Gy93Xo1eg2ZIkNX/8vy5xviVSxwQulsnUdQ00nEdpDo= k8s.io/apiextensions-apiserver v0.26.0/go.mod h1:7ez0LTiyW5nq3vADtK6C3kMESxadD51Bh6uz3JOlqWQ= -k8s.io/apimachinery v0.23.3/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM= k8s.io/apimachinery v0.26.0 h1:1feANjElT7MvPqp0JT6F3Ss6TWDwmcjLypwoPpEf7zg= k8s.io/apimachinery v0.26.0/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74= -k8s.io/apiserver v0.23.3/go.mod h1:3HhsTmC+Pn+Jctw+Ow0LHA4dQ4oXrQ4XJDzrVDG64T4= -k8s.io/client-go v0.23.3/go.mod h1:47oMd+YvAOqZM7pcQ6neJtBiFH7alOyfunYN48VsmwE= k8s.io/client-go v0.26.0 h1:lT1D3OfO+wIi9UFolCrifbjUUgu7CpLca0AD8ghRLI8= k8s.io/client-go v0.26.0/go.mod h1:I2Sh57A79EQsDmn7F7ASpmru1cceh3ocVT9KlX2jEZg= -k8s.io/code-generator v0.23.3/go.mod h1:S0Q1JVA+kSzTI1oUvbKAxZY/DYbA/ZUb4Uknog12ETk= -k8s.io/component-base v0.23.3/go.mod h1:1Smc4C60rWG7d3HjSYpIwEbySQ3YWg0uzH5a2AtaTLg= k8s.io/component-base v0.26.0 h1:0IkChOCohtDHttmKuz+EP3j3+qKmV55rM9gIFTXA7Vs= k8s.io/component-base v0.26.0/go.mod h1:lqHwlfV1/haa14F/Z5Zizk5QmzaVf23nQzCwVOQpfC8= -k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= -k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= -k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/klog/v2 v2.30.0/go.mod 
h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4= k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-aggregator v0.23.3 h1:9IP+D+YzIbGor/TArN3pYf9Thj19wYhzLRGRrFaKFSs= -k8s.io/kube-aggregator v0.23.3/go.mod h1:pt5QJ3QaIdhZzNlUvN5wndbM0LNT4BvhszGkzy2QdFo= -k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk= +k8s.io/kube-aggregator v0.26.0 h1:XF/Q5FwdLmCsK1RKGFNWfIo/b+r63sXOu+KKcaIFa/M= +k8s.io/kube-aggregator v0.26.0/go.mod h1:QUGAvubVFZ43JiT2gMm6f15FvFkyJcZeDcV1nIbmfgk= k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E= k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= -k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 h1:KTgPnR10d5zhztWptI952TNtt/4u5h3IzDXkdIMuo2Y= k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.27/go.mod h1:tq2nT0Kx7W+/f2JVE+zxYtUhdjuELJkVpNz+x/QN5R4= sigs.k8s.io/controller-runtime v0.14.1 h1:vThDes9pzg0Y+UbCPY3Wj34CGIYPgdmspPm2GIpxpzM= sigs.k8s.io/controller-runtime v0.14.1/go.mod h1:GaRkrY8a7UZF0kqFFbUKG7n9ICiTY5T55P1RiE3UZlU= -sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 
h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= -sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= -sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= From afcbde6297be74c1101337c121d41b0a8f084fb0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 30 Dec 2022 16:31:08 -0300 Subject: [PATCH 250/257] Bump github.com/aws/aws-sdk-go-v2/service/secretsmanager (#3725) Bumps [github.com/aws/aws-sdk-go-v2/service/secretsmanager](https://github.com/aws/aws-sdk-go-v2) from 1.16.0 to 1.17.0. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.16.0...v1.17.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/secretsmanager dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 8 ++------ 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/go.mod b/go.mod index 57c269492f..cca5f46127 100644 --- a/go.mod +++ b/go.mod 
@@ -25,7 +25,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/ec2 v1.77.0 github.com/aws/aws-sdk-go-v2/service/iam v1.18.16 github.com/aws/aws-sdk-go-v2/service/kms v1.19.0 - github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 + github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.17.0 github.com/aws/aws-sdk-go-v2/service/sts v1.17.4 github.com/blang/semver/v4 v4.0.0 github.com/cenkalti/backoff/v3 v3.2.2 diff --git a/go.sum b/go.sum index 835ad08d61..c3b450c81c 100644 --- a/go.sum +++ b/go.sum @@ -345,7 +345,6 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI= github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/aws/aws-sdk-go-v2 v1.16.13/go.mod h1:xSyvSnzh0KLs5H4HJGeIEsNYemUWdNIl0b/rP6SIsLU= -github.com/aws/aws-sdk-go-v2 v1.16.15/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= github.com/aws/aws-sdk-go-v2 v1.17.1/go.mod h1:JLnGeGONAyi2lWXI1p0PCIOIy333JMVK1U7Hf0aRFLw= github.com/aws/aws-sdk-go-v2 v1.17.3 h1:shN7NlnVzvDUgPQ+1rLMSxY8OWRNDRYtiqe0p/PgrhY= github.com/aws/aws-sdk-go-v2 v1.17.3/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= 
@@ -356,12 +355,10 @@ github.com/aws/aws-sdk-go-v2/credentials v1.13.2/go.mod h1:eAT5aj/WJ2UDIA0IVNFc2 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19 h1:E3PXZSI3F2bzyj6XxUXdTIfvp425HHhwKsFvmzBwHgs= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19/go.mod h1:VihW95zQpeKQWVPGkwT+2+WJNQV8UXFfMTWdU6VErL8= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.20/go.mod h1:gdZ5gRUaxThXIZyZQ8MTtgYBk2jbHgp05BO3GcD9Cwc= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.22/go.mod h1:/vNv5Al0bpiF8YdX2Ov6Xy05VTiXsql94yUqJMYaj0w= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25/go.mod h1:Zb29PYkf42vVYQY6pvSyJCJcFHlPIiY+YKdPtwnvMkY= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27 h1:I3cakv2Uy1vNmmhRQmFptYDxOvBnwCdNwyw63N0RaRU= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27/go.mod h1:a1/UpzeyBBerajpnP5nGZa9mGzsBn5cOKxm6NWQsvoI= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.14/go.mod h1:GEV9jaDPIgayiU+uevxwozcvUOjc+P4aHE2BeSjm2vE= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.16/go.mod h1:62dsXI0BqTIGomDl8Hpm33dv0OntGaVblri3ZRParVQ= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19/go.mod h1:6Q0546uHDp421okhmmGfbxzq2hBqbXFNpi4k+Q1JnQA= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.21 h1:5NbbMrIzmUn/TXFqAle6mgrH5m9cOvMLRGL7pnG8tRE= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.21/go.mod h1:+Gxn8jYn5k9ebfHEqlhrMirFjSW0v0C9fI+KN5vk2kE= 
@@ -378,8 +375,8 @@ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.21 h1:5C6XgTViS github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.21/go.mod h1:lRToEJsn+DRA9lW4O9L9+/3hjTkUzlzyzHqn8MTds5k= github.com/aws/aws-sdk-go-v2/service/kms v1.19.0 h1:ycl4Z01HQyprcfOFMAVwWTNaUm29qHRPZyJunDZZVXg= github.com/aws/aws-sdk-go-v2/service/kms v1.19.0/go.mod h1:kZodDPTQjSH/qM6/OvyTfM5mms5JHB/EKYp5dhn/vI4= -github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0 h1:Lh1yssM4dinNZuESsXnbi+pID8hoviejLZdLmT175i8= -github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.0/go.mod h1:z0y2iDaghoq7uv6kndhrJCTzgVckv8Aak8kpnu2kYjs= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.17.0 h1:6W6BLZcXytRJsVvc2gGwxKE4wbMSlWqdxZivBP/E+ys= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.17.0/go.mod h1:jAeo/PdIJZuDSwsvxJS94G4d6h8tStj7WXVuKwLHWU8= github.com/aws/aws-sdk-go-v2/service/sso v1.11.25 h1:GFZitO48N/7EsFDt8fMa5iYdmWqkUDDB3Eje6z3kbG0= github.com/aws/aws-sdk-go-v2/service/sso v1.11.25/go.mod h1:IARHuzTXmj1C0KS35vboR0FeJ89OkEy1M9mWbK2ifCI= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.8 h1:jcw6kKZrtNfBPJkaHrscDOZoe5gvi9wjudnxvozYFJo= @@ -387,7 +384,6 @@ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.8/go.mod h1:er2JHN+kBY6FcMfcB github.com/aws/aws-sdk-go-v2/service/sts v1.17.4 h1:YNncBj5dVYd05i4ZQ+YicOotSXo0ufc9P8kTioi13EM= github.com/aws/aws-sdk-go-v2/service/sts v1.17.4/go.mod h1:bXcN3koeVYiJcdDU89n3kCYILob7Y34AeLopUbZgLT4= github.com/aws/smithy-go v1.13.1/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= -github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/aws/smithy-go v1.13.4/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8= github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= From 3306e22a14a6cd2345fb042b0f8c2ce66e682ad1 Mon Sep 17 00:00:00 2001 
From: Marcos Yacob Date: Tue, 3 Jan 2023 11:41:21 -0300 Subject: [PATCH 251/257] Clean some code Signed-off-by: Marcos Yacob --- doc/plugin_agent_workloadattestor_k8s.md | 10 ++--- .../plugin/workloadattestor/k8s/k8s_posix.go | 16 ++++---- .../workloadattestor/k8s/k8s_posix_test.go | 6 +-- .../workloadattestor/k8s/sigstore/sigstore.go | 37 ++++++++++--------- .../k8s/sigstore/sigstore_test.go | 2 +- 5 files changed, 37 insertions(+), 34 deletions(-) diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index fd51ba8c1f..eb6f27a5ce 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md @@ -47,7 +47,7 @@ server name validation against the kubelet certificate. since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/) container is required on the agent container. | Configuration | Description | -| ------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +|--------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `disable_container_selectors` | If true, container selectors are not produced. This can be used to produce pod selectors when the workload pod is known but the workload container is not ready at the time of attestation. | | `kubelet_read_only_port` | The kubelet read-only port. This is mutually exclusive with `kubelet_secure_port`. | | `kubelet_secure_port` | The kubelet secure port. It defaults to `10250` unless `kubelet_read_only_port` is set. | 
@@ -62,11 +62,11 @@ since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/cre | `experimental` | The experimental options that are subject to change or removal. | | Experimental options | Description | -| -------------------- | ---------------------------------------------------------------------------------------------------------------------------- | +|----------------------|----------------------------------------------------------------------------------------------------------------------------- | | `sigstore` | Sigstore options. Options described below. See [Sigstore workload attestor for SPIRE](#sigstore-workload-attestor-for-spire) | | Sigstore options | Description | -| ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +|------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `skip_signature_verification_image_list` | The list of images, described as digest hashes, that should be skipped in signature verification. Defaults to empty list. | | `allowed_subjects_list` | A map of allowed subject strings, keyed by the OIDC Provider URI, that are trusted and are allowed to sign container images artifacts. Defaults to empty. If empty, no workload will pass signature validation, unless listed on `skip_signature_verification_image_list`. (eg. 
`"https://accounts.google.com" = ["subject1@example.com","subject2@example.com"]`). | | `rekor_url` | The rekor URL to use with cosign. Required. See notes below. | @@ -98,7 +98,7 @@ This effectively securely pins the CA roots. We allow you to also specify truste ### K8s selectors | Selector | Value | -| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +|--------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | k8s:ns | The workload's namespace | | k8s:sa | The workload's service account | | k8s:container-image | The Image OR ImageID of the container in the workload's pod which is requesting an SVID, [as reported by K8S](https://pkg.go.dev/k8s.io/api/core/v1#ContainerStatus). Selector value may be an image tag, such as: `docker.io/envoyproxy/envoy-alpine:v1.16.0`, or a resolved SHA256 image digest, such as `docker.io/envoyproxy/envoy-alpine@sha256:bf862e5f5eca0a73e7e538224578c5cf867ce2be91b5eaed22afc153c00363eb` | 
@@ -117,7 +117,7 @@ This effectively securely pins the CA roots. We allow you to also specify truste Sigstore enabled selectors (available when configured to use sigstore) | Selector | Value | -| -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +|----------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | k8s:${containerID}:image-signature-content | A containerID is an unique alphanumeric number for each container. The value of the signature itself in a hash (eg. "k8s:000000:image-signature-content:MEUCIQCyem8Gcr0sPFMP7fTXazCN57NcN5+MjxJw9Oo0x2eM+AIgdgBP96BO1Te/NdbjHbUeb0BUye6deRgVtQEv5No5smA=") | | k8s:${containerID}:image-signature-subject | OIDC principal that signed it​ (eg. "k8s:000000:image-signature-subject:spirex@example.com") | | k8s:${containerID}:image-signature-logid | A unique LogID for the Rekor transparency log​ (eg. "k8s:000000:image-signature-logid:samplelogID") | diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index 9589b73799..1264f750fd 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go 
@@ -213,6 +213,14 @@ func canonicalizePodUID(uid string) types.UID { } func configureSigstoreClient(client sigstore.Sigstore, c *SigstoreHCLConfig, log hclog.Logger) error { + // Rekor URL is required + if c.RekorURL == nil { + return status.Errorf(codes.InvalidArgument, "missing Rekor URL") + } + if err := client.SetRekorURL(*c.RekorURL); err != nil { + return status.Errorf(codes.InvalidArgument, "failed to set Rekor URL: %v", err) + } + // Configure sigstore settings enforceSCT := true if c.EnforceSCT != nil { @@ -223,7 +231,7 @@ func configureSigstoreClient(client sigstore.Sigstore, c *SigstoreHCLConfig, log client.ClearSkipList() if c.SkippedImages != nil { - client.AddSkippedImage(c.SkippedImages) + client.AddSkippedImages(c.SkippedImages) } client.SetLogger(log) client.ClearAllowedSubjects() @@ -232,11 +240,5 @@ func configureSigstoreClient(client sigstore.Sigstore, c *SigstoreHCLConfig, log client.AddAllowedSubject(issuer, subject) } } - if c.RekorURL == nil { - return status.Errorf(codes.InvalidArgument, "missing Rekor URL") - } - if err := client.SetRekorURL(*c.RekorURL); err != nil { - return status.Errorf(codes.InvalidArgument, "failed to parse Rekor URL: %v", err) - } return nil } diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go index cc4425f1b0..aeda010b79 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go @@ -219,7 +219,7 @@ func (s *Suite) TestFailedToCreateHelperFromConfigure() { } `), plugintest.CaptureConfigureError(&err)) - spiretest.RequireGRPCStatus(t, err, codes.InvalidArgument, "failed to parse Rekor URL: host is required on rekor URL") + spiretest.RequireGRPCStatus(t, err, codes.InvalidArgument, "failed to set Rekor URL: host is required on rekor URL") } func (s *Suite) TestHelperConfigure() { 
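Review bot: configureSigstoreClient applies `c.SkippedImages` without leaving any trace in the agent log, at least in the lines visible across these three hunks, although every image on that list is exempted from signature verification. A line such as `log.Warn("Signature verification is skipped for configured images", "count", len(c.SkippedImages))` inside the `if c.SkippedImages != nil` branch would make the weakened posture visible to operators, and the same applies when `c.EnforceSCT` turns SCT enforcement off. Separately, `status.Errorf(codes.InvalidArgument, "missing Rekor URL")` takes no format arguments and could be `status.Error(codes.InvalidArgument, "missing Rekor URL")`. The lines between the hunks are not shown, so existing logging there cannot be ruled out.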
@@ -293,7 +293,7 @@ func (s *Suite) TestHelperConfigure() { }, clientErr: errors.New("oh no"), errCode: codes.InvalidArgument, - errMsg: "failed to parse Rekor URL: oh no", + errMsg: "failed to set Rekor URL: oh no", }, } { s.T().Run(tt.name, func(t *testing.T) { @@ -771,7 +771,7 @@ func (s *sigstoreMock) AddAllowedSubject(issuer string, subject string) { s.allowedSubjects[issuer][subject] = struct{}{} } -func (s *sigstoreMock) AddSkippedImage(images []string) { +func (s *sigstoreMock) AddSkippedImages(images []string) { if s.skippedImages == nil { s.skippedImages = make(map[string]struct{}) } diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index dc57ff612a..020d07e0a9 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go @@ -46,7 +46,7 @@ type Sigstore interface { SelectorValuesFromSignature(oci.Signature) (*SelectorsFromSignatures, error) ExtractSelectorsFromSignatures(signatures []oci.Signature, containerID string) []SelectorsFromSignatures ShouldSkipImage(imageID string) (bool, error) - AddSkippedImage(imageID []string) + AddSkippedImages(imageID []string) ClearSkipList() AddAllowedSubject(issuer string, subject string) ClearAllowedSubjects() @@ -73,6 +73,7 @@ type BundleBody struct { Spec BundleSpec `json:"spec"` } +// Data extracted from signature type SelectorsFromSignatures struct { Subject string Content string 
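Review bot: The doc comments touched in sigstore.go do not start with the identifier they describe, which is what Go doc tooling expects. In the `@@ -73,6 +73,7 @@` hunk the added comment could read `// SelectorsFromSignatures holds the data extracted from an image signature.`; in the later `@@ -212,7 +229,7 @@` hunk of the same file the comment above the renamed method still names `AddSkippedImage` and should become `// AddSkippedImages adds the given image IDs to the skip list.`. The interface method in the `@@ -46,7 +46,7 @@` hunk also keeps the singular parameter name `imageID` for a `[]string`; `imageIDs` would match the new method name.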
@@ -94,6 +95,22 @@ func New(cache Cache, logger hclog.Logger) Sigstore { } } +type sigstoreImpl struct { + functionHooks sigstoreFunctionHooks + skippedImages map[string]struct{} + subjectAllowList map[string]map[string]struct{} + rekorURL url.URL + logger hclog.Logger + sigstorecache Cache + enforceSCT bool +} + +type sigstoreFunctionHooks struct { + verifyFunction verifyFunctionType + fetchImageManifestFunction fetchImageManifestFunctionType + checkOptsFunction checkOptsFunctionType +} + func (s *sigstoreImpl) SetEnforceSCT(enforceSCT bool) { s.enforceSCT = enforceSCT } @@ -212,7 +229,7 @@ func (s *sigstoreImpl) ShouldSkipImage(imageID string) (bool, error) { } // AddSkippedImage adds the image ID and selectors to the skip list. -func (s *sigstoreImpl) AddSkippedImage(imageIDList []string) { +func (s *sigstoreImpl) AddSkippedImages(imageIDList []string) { if s.skippedImages == nil { s.skippedImages = make(map[string]struct{}) } @@ -464,19 +481,3 @@ type verifyFunctionType func(context.Context, name.Reference, *cosign.CheckOpts) type fetchImageManifestFunctionType func(name.Reference, ...remote.Option) (*remote.Descriptor, error) type checkOptsFunctionType func(url.URL, bool) (*cosign.CheckOpts, error) - -type sigstoreImpl struct { - functionHooks sigstoreFunctionHooks - skippedImages map[string]struct{} - subjectAllowList map[string]map[string]struct{} - rekorURL url.URL - logger hclog.Logger - sigstorecache Cache - enforceSCT bool -} - -type sigstoreFunctionHooks struct { - verifyFunction verifyFunctionType - fetchImageManifestFunction fetchImageManifestFunctionType - checkOptsFunction checkOptsFunctionType -} diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index b303419f1b..b87ff73a47 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go 
@@ -884,7 +884,7 @@ func TestSigstoreimpl_AddSkippedImage(t *testing.T) { sigstore := sigstoreImpl{ skippedImages: tt.skippedImages, } - sigstore.AddSkippedImage(tt.imageID) + sigstore.AddSkippedImages(tt.imageID) require.Equal(t, tt.want, sigstore.skippedImages) }) } From be2947fb7194e88f08f3baccebfbec021487fc9d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Jan 2023 14:32:47 -0300 Subject: [PATCH 252/257] Bump golang.org/x/crypto from 0.1.0 to 0.4.0 (#3724) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.1.0 to 0.4.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](https://github.com/golang/crypto/compare/v0.1.0...v0.4.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index cca5f46127..caac10c3d0 100644 --- a/go.mod +++ b/go.mod @@ -62,7 +62,7 @@ require ( github.com/stretchr/testify v1.8.1 github.com/uber-go/tally/v4 v4.1.4 github.com/zeebo/errs v1.3.0 - golang.org/x/crypto v0.1.0 + golang.org/x/crypto v0.4.0 golang.org/x/net v0.4.0 golang.org/x/sync v0.1.0 golang.org/x/sys v0.3.0 diff --git a/go.sum b/go.sum index c3b450c81c..b33e4adac5 100644 --- a/go.sum +++ b/go.sum 
@@ -1127,8 +1127,8 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU= -golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= +golang.org/x/crypto v0.4.0 h1:UVQgzMY87xqpKNgb+kDsll2Igd33HszWHFLmpaRMq/8= +golang.org/x/crypto v0.4.0/go.mod h1:3quD/ATkf6oY+rnes5c3ExXTbLc8mueNue5/DoinL80= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= From 1399ff5d4a5a2a6e681e8765e1a1d7c05a8f5e74 Mon Sep 17 00:00:00 2001 From: Marcos Yacob Date: Tue, 3 Jan 2023 18:01:40 -0300 Subject: [PATCH 253/257] minor change Signed-off-by: Marcos Yacob --- pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 020d07e0a9..423cf5b617 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go 
@@ -433,8 +433,7 @@ func getBundleSignatureContent(bundle *bundle.RekorBundle) (string, error) { } body64, ok := bundle.Payload.Body.(string) if !ok { - returnedType := fmt.Sprintf("expected payload body to be a string but got %T instead", bundle.Payload.Body) - return "", fmt.Errorf(returnedType) + return "", fmt.Errorf("expected payload body to be a string but got %T instead", bundle.Payload.Body) } body, err := base64.StdEncoding.DecodeString(body64) if err != nil { From 7c333d5eacb4397011e5fee862082e7e7325beef Mon Sep 17 00:00:00 2001 From: Marcos Yacob Date: Wed, 4 Jan 2023 12:18:57 -0300 Subject: [PATCH 254/257] clean code and solve a configuration issue Signed-off-by: Marcos Yacob --- conf/agent/agent_full.conf | 4 +- .../workloadattestor/k8s/sigstore/sigstore.go | 7 +-- .../k8s/sigstore/sigstore_test.go | 44 +++++++++---------- 3 files changed, 28 insertions(+), 27 deletions(-) diff --git a/conf/agent/agent_full.conf b/conf/agent/agent_full.conf index 5843d8b54e..9ade8ea621 100644 --- a/conf/agent/agent_full.conf +++ b/conf/agent/agent_full.conf @@ -376,11 +376,11 @@ plugins { # will be checked against, keyed by OIDC Provider URI. # Signatures from subjects outside this list will be ignored. These should be email addresses. # allowed_subjects_list { - # "https://accounts.google.com" = ["subject1@example.com","subject2@example.com"] + # "https://accounts.google.com" = ["subject1@example.com","subject2@example.com"] + # } # enforce_sct: to be set as false in case of a private deployment not using the public CT # enforce_sct = true - # } # } } } diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go index 423cf5b617..9ea07adfcd 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore.go 
@@ -37,7 +37,7 @@ const ( var ( // OIDC token issuer Object Identifier - OIDCIssuerOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1} + oidcIssuerOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1} ) type Sigstore interface { @@ -354,9 +354,10 @@ func defaultCheckOptsFunction(rekorURL url.URL, enforceSCT bool) (*cosign.CheckO return nil, fmt.Errorf("failed to get fulcio root certificates: %w", err) } + cfg := rekor.DefaultTransportConfig().WithBasePath(rekorURL.Path).WithHost(rekorURL.Host) co := &cosign.CheckOpts{ // Set the rekor client - RekorClient: rekor.NewHTTPClientWithConfig(nil, rekor.DefaultTransportConfig().WithBasePath(rekorURL.Path).WithHost(rekorURL.Host)), + RekorClient: rekor.NewHTTPClientWithConfig(nil, cfg), RootCerts: rootCerts, EnforceSCT: enforceSCT, } @@ -419,7 +420,7 @@ func certOIDCProvider(cert *x509.Certificate) (string, error) { } for _, ext := range cert.Extensions { - if ext.Id.Equal(OIDCIssuerOID) { + if ext.Id.Equal(oidcIssuerOID) { return string(ext.Value), nil } } diff --git a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go index b87ff73a47..40529455e4 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go +++ b/pkg/agent/plugin/workloadattestor/k8s/sigstore/sigstore_test.go @@ -386,7 +386,7 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { cert: &x509.Certificate{ EmailAddresses: []string{"spirex@example.com"}, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer1`), }}, }, @@ -420,7 +420,7 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { cert: &x509.Certificate{ EmailAddresses: []string{"spirex1@example.com"}, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer1`), }}, }, 
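Review bot: The transport config built in the `@@ -354,9 +354,10 @@` hunk takes only `rekorURL.Host` and `rekorURL.Path`, so the scheme of the configured Rekor URL never reaches the client and the generated client's default schemes apply instead. If that default is not `https` (worth confirming against the rekor client package), transparency-log lookups would not use the transport the operator configured. Consider `cfg := rekor.DefaultTransportConfig().WithSchemes([]string{rekorURL.Scheme}).WithBasePath(rekorURL.Path).WithHost(rekorURL.Host)`, with the scheme checked where the URL is set. The body of defaultCheckOptsFunction starts and ends outside the hunk.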
@@ -437,7 +437,7 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { cert: &x509.Certificate{ EmailAddresses: []string{"spirex2@example.com"}, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer1`), }}, }, @@ -484,7 +484,7 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { "spirex2@example.com", }, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer1`), }}, }, @@ -529,7 +529,7 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { }, }, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer1`), }}, }, @@ -623,7 +623,7 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { }, cert: &x509.Certificate{ EmailAddresses: []string{"spirex@example.com"}, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(``), }}, }, @@ -675,7 +675,7 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { cert: &x509.Certificate{ EmailAddresses: []string{"spirex@example.com"}, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer1`), }}, }, @@ -703,7 +703,7 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { cert: &x509.Certificate{ EmailAddresses: []string{"spirex@example.com"}, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer1`), }}, }, @@ -731,7 +731,7 @@ func TestSigstoreimpl_ExtractSelectorsFromSignatures(t *testing.T) { cert: &x509.Certificate{ EmailAddresses: []string{"spirex@example.com"}, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer2`), }}, }, 
@@ -1235,7 +1235,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { cert: &x509.Certificate{ EmailAddresses: []string{"spirex@example.com"}, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer1`), }}, }, @@ -1265,7 +1265,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { cert: &x509.Certificate{ EmailAddresses: nil, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer1`), }}, }, @@ -1282,7 +1282,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { cert: &x509.Certificate{ EmailAddresses: []string{"spirex1@example.com"}, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer1`), }}, }, @@ -1308,7 +1308,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { cert: &x509.Certificate{ EmailAddresses: []string{"spirex@example.com"}, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer1`), }}, }, @@ -1338,7 +1338,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { cert: &x509.Certificate{ EmailAddresses: []string{"spirex@example.com"}, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer1`), }}, }, @@ -1357,7 +1357,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { cert: &x509.Certificate{ EmailAddresses: []string{"spirex@example.com"}, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer1`), }}, }, @@ -1383,7 +1383,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { cert: &x509.Certificate{ EmailAddresses: []string{"spirex@example.com"}, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer1`), }}, }, 
@@ -1409,7 +1409,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { cert: &x509.Certificate{ EmailAddresses: []string{"spirex@example.com"}, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer1`), }}, }, @@ -1435,7 +1435,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { cert: &x509.Certificate{ EmailAddresses: []string{"spirex@example.com"}, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer1`), }}, }, @@ -1461,7 +1461,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { cert: &x509.Certificate{ EmailAddresses: []string{"spirex@example.com"}, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer1`), }}, }, @@ -1487,7 +1487,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { cert: &x509.Certificate{ EmailAddresses: []string{"spirex@example.com"}, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer1`), }}, }, @@ -1529,7 +1529,7 @@ func TestSigstoreimpl_SelectorValuesFromSignature(t *testing.T) { cert: &x509.Certificate{ EmailAddresses: []string{"spirex@example.com"}, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer1`), }}, }, @@ -1610,7 +1610,7 @@ func TestSigstoreimpl_AttestContainerSignatures(t *testing.T) { cert: &x509.Certificate{ EmailAddresses: []string{"spirex@example.com"}, Extensions: []pkix.Extension{{ - Id: OIDCIssuerOID, + Id: oidcIssuerOID, Value: []byte(`issuer1`), }}, }, From 4e8aee56c79b9c2aa550abc3173c8763527aa1bc Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Jan 2023 16:13:32 -0300 Subject: [PATCH 255/257] Bump github.com/shirou/gopsutil/v3 from 3.22.11 to 3.22.12 (#3728) Bumps [github.com/shirou/gopsutil/v3](https://github.com/shirou/gopsutil) from 3.22.11 to 3.22.12. - [Release notes](https://github.com/shirou/gopsutil/releases) - [Commits](https://github.com/shirou/gopsutil/commits/v3.22.12) --- updated-dependencies: - dependency-name: github.com/shirou/gopsutil/v3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index caac10c3d0..33a3483e5a 100644 --- a/go.mod +++ b/go.mod @@ -54,7 +54,7 @@ require ( github.com/mitchellh/cli v1.1.5 github.com/open-policy-agent/opa v0.47.4 github.com/prometheus/client_golang v1.14.0 - github.com/shirou/gopsutil/v3 v3.22.11 + github.com/shirou/gopsutil/v3 v3.22.12 github.com/sirupsen/logrus v1.9.0 github.com/spiffe/go-spiffe/v2 v2.0.1-0.20220414143532-2ed460a8b9d3 github.com/spiffe/spire-api-sdk v1.2.5-0.20221020001527-5895a0279944 diff --git a/go.sum b/go.sum index b33e4adac5..6f10f6c95c 100644 --- a/go.sum +++ b/go.sum 
@@ -985,8 +985,8 @@ github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFo github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= -github.com/shirou/gopsutil/v3 v3.22.11 h1:kxsPKS+Eeo+VnEQ2XCaGJepeP6KY53QoRTETx3+1ndM= -github.com/shirou/gopsutil/v3 v3.22.11/go.mod h1:xl0EeL4vXJ+hQMAGN8B9VFpxukEMA0XdevQOe5MZ1oY= +github.com/shirou/gopsutil/v3 v3.22.12 h1:oG0ns6poeUSxf78JtOsfygNWuEHYYz8hnnNg7P04TJs= +github.com/shirou/gopsutil/v3 v3.22.12/go.mod h1:Xd7P1kwZcp5VW52+9XsirIKd/BROzbb2wdX3Kqlz9uI= github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4= github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ= github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= From a7df8a5389dbda467e3c32d8d8be26402baa5c9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Wed, 4 Jan 2023 17:37:09 -0300 Subject: [PATCH 256/257] Support running SPIRE as a Windows service (#3625) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Support running SPIRE as a Windows service 
Signed-off-by: Agustín Martínez Fayó --- cmd/spire-agent/cli/cli.go | 5 +- cmd/spire-agent/cli/run/run.go | 14 +- cmd/spire-agent/main.go | 3 +- cmd/spire-server/cli/cli.go | 5 +- cmd/spire-server/cli/run/run.go | 14 +- cmd/spire-server/main.go | 3 +- doc/spire_agent.md | 19 ++ doc/spire_server.md | 19 ++ pkg/common/entrypoint/entrypoint_posix.go | 23 ++ .../entrypoint/entrypoint_posix_test.go | 21 ++ pkg/common/entrypoint/entrypoint_windows.go | 73 ++++ .../entrypoint/entrypoint_windows_test.go | 323 ++++++++++++++++++ pkg/common/entrypoint/service_windows.go | 70 ++++ 13 files changed, 578 insertions(+), 14 deletions(-) create mode 100644 pkg/common/entrypoint/entrypoint_posix.go create mode 100644 pkg/common/entrypoint/entrypoint_posix_test.go create mode 100644 pkg/common/entrypoint/entrypoint_windows.go create mode 100644 pkg/common/entrypoint/entrypoint_windows_test.go create mode 100644 pkg/common/entrypoint/service_windows.go diff --git a/cmd/spire-agent/cli/cli.go b/cmd/spire-agent/cli/cli.go index bc5203c079..80fe546887 100644 --- a/cmd/spire-agent/cli/cli.go +++ b/cmd/spire-agent/cli/cli.go @@ -1,6 +1,7 @@ package cli import ( + "context" stdlog "log" "github.com/mitchellh/cli" @@ -17,7 +18,7 @@ type CLI struct { AllowUnknownConfig bool } -func (cc *CLI) Run(args []string) int { +func (cc *CLI) Run(ctx context.Context, args []string) int { c := cli.NewCLI("spire-agent", version.Version()) c.Args = args c.Commands = map[string]cli.CommandFactory{ @@ -37,7 +38,7 @@ func (cc *CLI) Run(args []string) int { return &api.WatchCLI{}, nil }, "run": func() (cli.Command, error) { - return run.NewRunCommand(cc.LogOptions, cc.AllowUnknownConfig), nil + return run.NewRunCommand(ctx, cc.LogOptions, cc.AllowUnknownConfig), nil }, "healthcheck": func() (cli.Command, error) { return healthcheck.NewHealthCheckCommand(), nil diff --git a/cmd/spire-agent/cli/run/run.go b/cmd/spire-agent/cli/run/run.go index 92d69efbca..4d55ba9993 100644 --- a/cmd/spire-agent/cli/run/run.go 
+++ b/cmd/spire-agent/cli/run/run.go @@ -111,17 +111,19 @@ type experimentalConfig struct { } type Command struct { + ctx context.Context logOptions []log.Option env *common_cli.Env allowUnknownConfig bool } -func NewRunCommand(logOptions []log.Option, allowUnknownConfig bool) cli.Command { - return newRunCommand(common_cli.DefaultEnv, logOptions, allowUnknownConfig) +func NewRunCommand(ctx context.Context, logOptions []log.Option, allowUnknownConfig bool) cli.Command { + return newRunCommand(ctx, common_cli.DefaultEnv, logOptions, allowUnknownConfig) } -func newRunCommand(env *common_cli.Env, logOptions []log.Option, allowUnknownConfig bool) *Command { +func newRunCommand(ctx context.Context, env *common_cli.Env, logOptions []log.Option, allowUnknownConfig bool) *Command { return &Command{ + ctx: ctx, env: env, logOptions: logOptions, allowUnknownConfig: allowUnknownConfig, @@ -183,7 +185,11 @@ func (cmd *Command) Run(args []string) int { a := agent.New(c) - ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM) + ctx := cmd.ctx + if ctx == nil { + ctx = context.Background() + } + ctx, stop := signal.NotifyContext(ctx, syscall.SIGINT, syscall.SIGTERM) defer stop() err = a.Run(ctx) diff --git a/cmd/spire-agent/main.go b/cmd/spire-agent/main.go index 10ac96733f..c208ddeb22 100644 --- a/cmd/spire-agent/main.go +++ b/cmd/spire-agent/main.go @@ -4,8 +4,9 @@ import ( "os" "github.com/spiffe/spire/cmd/spire-agent/cli" + "github.com/spiffe/spire/pkg/common/entrypoint" ) func main() { - os.Exit(new(cli.CLI).Run(os.Args[1:])) + os.Exit(entrypoint.NewEntryPoint(new(cli.CLI).Run).Main()) } diff --git a/cmd/spire-server/cli/cli.go b/cmd/spire-server/cli/cli.go index a1e6c4352c..025b17bd2c 100644 --- a/cmd/spire-server/cli/cli.go +++ b/cmd/spire-server/cli/cli.go @@ -1,6 +1,7 @@ package cli import ( + "context" stdlog "log" "github.com/mitchellh/cli" 
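Review bot: The new `ctx context.Context` field on `Command` (first run.go hunk) carries no comment explaining why a context is kept in a struct, which Go's context guidance advises against; here it looks justified because `Run(args []string) int` has no context parameter. I would document it on the field, e.g. `// ctx is the parent context for Run; cli.Command.Run takes no context, so it is stored here. A nil ctx means context.Background().` The same field is added to the server's `Command` in cmd/spire-server/cli/run/run.go and deserves the same comment. Both struct bodies and both `Run` methods continue outside the hunks.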
@@ -25,7 +26,7 @@ type CLI struct { } // Run configures the server CLI commands and subcommands. -func (cc *CLI) Run(args []string) int { +func (cc *CLI) Run(ctx context.Context, args []string) int { c := cli.NewCLI("spire-server", version.Version()) c.Args = args c.Commands = map[string]cli.CommandFactory{ @@ -93,7 +94,7 @@ func (cc *CLI) Run(args []string) int { return federation.NewUpdateCommand(), nil }, "run": func() (cli.Command, error) { - return run.NewRunCommand(cc.LogOptions, cc.AllowUnknownConfig), nil + return run.NewRunCommand(ctx, cc.LogOptions, cc.AllowUnknownConfig), nil }, "token generate": func() (cli.Command, error) { return token.NewGenerateCommand(), nil diff --git a/cmd/spire-server/cli/run/run.go b/cmd/spire-server/cli/run/run.go index a0253ab0ec..f0bc3a2015 100644 --- a/cmd/spire-server/cli/run/run.go +++ b/cmd/spire-server/cli/run/run.go @@ -168,12 +168,13 @@ type rateLimitConfig struct { UnusedKeys []string `hcl:",unusedKeys"` } -func NewRunCommand(logOptions []log.Option, allowUnknownConfig bool) cli.Command { - return newRunCommand(common_cli.DefaultEnv, logOptions, allowUnknownConfig) +func NewRunCommand(ctx context.Context, logOptions []log.Option, allowUnknownConfig bool) cli.Command { + return newRunCommand(ctx, common_cli.DefaultEnv, logOptions, allowUnknownConfig) } -func newRunCommand(env *common_cli.Env, logOptions []log.Option, allowUnknownConfig bool) *Command { +func newRunCommand(ctx context.Context, env *common_cli.Env, logOptions []log.Option, allowUnknownConfig bool) *Command { return &Command{ + ctx: ctx, env: env, logOptions: logOptions, allowUnknownConfig: allowUnknownConfig, @@ -182,6 +183,7 @@ func newRunCommand(env *common_cli.Env, logOptions []log.Option, allowUnknownCon // Run Command struct type Command struct { + ctx context.Context logOptions []log.Option env *common_cli.Env allowUnknownConfig bool 
@@ -241,7 +243,11 @@ func (cmd *Command) Run(args []string) int { s := server.New(*c) - ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM) + ctx := cmd.ctx + if ctx == nil { + ctx = context.Background() + } + ctx, stop := signal.NotifyContext(ctx, syscall.SIGINT, syscall.SIGTERM) defer stop() err = s.Run(ctx) diff --git a/cmd/spire-server/main.go b/cmd/spire-server/main.go index 3962cc788b..ac72e48413 100644 --- a/cmd/spire-server/main.go +++ b/cmd/spire-server/main.go @@ -4,8 +4,9 @@ import ( "os" "github.com/spiffe/spire/cmd/spire-server/cli" + "github.com/spiffe/spire/pkg/common/entrypoint" ) func main() { - os.Exit(new(cli.CLI).Run(os.Args[1:])) + os.Exit(entrypoint.NewEntryPoint(new(cli.CLI).Run).Main()) } diff --git a/doc/spire_agent.md b/doc/spire_agent.md index 728439f573..444fb6d0fa 100644 --- a/doc/spire_agent.md +++ b/doc/spire_agent.md @@ -169,6 +169,25 @@ the following flags are available: | `-trustBundleUrl` | URL to download the SPIRE server CA bundle | | | `-trustDomain` | The trust domain that this agent belongs to (should be no more than 255 characters) | | +#### Running SPIRE Agent as a Windows service + +On Windows platform, SPIRE Agent can optionally be run as a Windows service. When running as a Windows service, the only command supported is the `run` command. + +_Note: SPIRE does not automatically create the service in the system, it must be created by the user. +When starting the service, all the arguments to execute SPIRE Agent with the `run` command must be passed as service arguments._ + +##### Example to create the SPIRE Agent Windows service + +```bash +> sc.exe create spire-agent binpath=c:\spire\bin\spire-agent.exe +``` + +##### Example to run the SPIRE Agent Windows service + +```bash +> sc.exe start spire-agent run -config c:\spire\conf\agent\agent.conf +``` + ### `spire-agent api fetch` Calls the workload API to fetch an X509-SVID. This command is aliased to `spire-agent api fetch x509`. 
diff --git a/doc/spire_server.md b/doc/spire_server.md index 6c3c4cdac0..33a86b1f25 100644 --- a/doc/spire_server.md +++ b/doc/spire_server.md @@ -255,6 +255,25 @@ Most of the configuration file above options have identical command-line counter | `-socketPath` | Path to bind the SPIRE Server API socket to | | | `-trustDomain` | The trust domain that this server belongs to (should be no more than 255 characters) | | +#### Running SPIRE Server as a Windows service + +On Windows platform, SPIRE Server can optionally be run as a Windows service. When running as a Windows service, the only command supported is the `run` command. + +_Note: SPIRE does not automatically create the service in the system, it must be created by the user. +When starting the service, all the arguments to execute SPIRE Server with the `run` command must be passed as service arguments._ + +##### Example to create the SPIRE Server Windows service + +```bash +> sc.exe create spire-server binpath=c:\spire\bin\spire-server.exe +``` + +##### Example to run the SPIRE Server Windows service + +```bash +> sc.exe start spire-server run -config c:\spire\conf\server\server.conf +``` + ### `spire-server token generate` Generates one node join token and creates a registration entry for it. This token can be used to diff --git a/pkg/common/entrypoint/entrypoint_posix.go b/pkg/common/entrypoint/entrypoint_posix.go new file mode 100644 index 0000000000..cca596d704 --- /dev/null +++ b/pkg/common/entrypoint/entrypoint_posix.go @@ -0,0 +1,23 @@ +//go:build !windows +// +build !windows + +package entrypoint + +import ( + "context" + "os" +) + +type EntryPoint struct { + runCmdFn func(ctx context.Context, args []string) int +} + +func NewEntryPoint(runFn func(ctx context.Context, args []string) int) *EntryPoint { + return &EntryPoint{ + runCmdFn: runFn, + } +} + +func (e *EntryPoint) Main() int { + return e.runCmdFn(context.Background(), os.Args[1:]) +} 
diff --git a/pkg/common/entrypoint/entrypoint_posix_test.go b/pkg/common/entrypoint/entrypoint_posix_test.go new file mode 100644 index 0000000000..81be978781 --- /dev/null +++ b/pkg/common/entrypoint/entrypoint_posix_test.go @@ -0,0 +1,21 @@ +//go:build !windows +// +build !windows + +package entrypoint + +import ( + "context" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestEntryPoint(t *testing.T) { + assert.Equal(t, + NewEntryPoint(func(ctx context.Context, args []string) int { return 0 }).Main(), + 0) + + assert.Equal(t, + NewEntryPoint(func(ctx context.Context, args []string) int { return 1 }).Main(), + 1) +} diff --git a/pkg/common/entrypoint/entrypoint_windows.go b/pkg/common/entrypoint/entrypoint_windows.go new file mode 100644 index 0000000000..a7694c1ce3 --- /dev/null +++ b/pkg/common/entrypoint/entrypoint_windows.go 
@@ -0,0 +1,73 @@ +//go:build windows +// +build windows + +package entrypoint + +import ( + "context" + "fmt" + "os" + + "golang.org/x/sys/windows/svc" +) + +type systemCaller interface { + IsWindowsService() (bool, error) + Run(name string, handler svc.Handler) error +} + +type systemCall struct { +} + +func (s *systemCall) IsWindowsService() (bool, error) { + return svc.IsWindowsService() +} + +func (s *systemCall) Run(name string, handler svc.Handler) error { + return svc.Run(name, handler) +} + +type EntryPoint struct { + handler svc.Handler + runCmdFn func(ctx context.Context, args []string) int + sc systemCaller +} + +func NewEntryPoint(runCmdFn func(ctx context.Context, args []string) int) *EntryPoint { + return &EntryPoint{ + runCmdFn: runCmdFn, + handler: &service{ + executeServiceFn: func(ctx context.Context, stop context.CancelFunc, args []string) int { + defer stop() + retCode := runCmdFn(ctx, args[1:]) + return retCode + }, + }, + sc: &systemCall{}, + } +} + +func (e *EntryPoint) Main() int { + // Determining if SPIRE is running as a Windows service is done + // with a best-effort approach. If there is an error, just fallback + // to the behavior of not running as a Windows service. + isWindowsService, err := e.sc.IsWindowsService() + if err != nil { + fmt.Fprintf(os.Stderr, "Could not determine if running as a Windows service: %v", err) + } + if isWindowsService { + errChan := make(chan error) + go func() { + // Since the service runs in its own process, the service name is ignored. + // https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-startservicectrldispatcherw + errChan <- e.sc.Run("", e.handler) + }() + err = <-errChan + if err != nil { + return 1 + } + return 0 + } + + return e.runCmdFn(context.Background(), os.Args[1:]) +} diff --git a/pkg/common/entrypoint/entrypoint_windows_test.go b/pkg/common/entrypoint/entrypoint_windows_test.go new file mode 100644 index 0000000000..b3a69670b9 --- /dev/null 
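Review bot: In `Main`, the error returned by `e.sc.Run` is reduced to exit code 1 and never reported, so a failed service start leaves no diagnostic for the operator. Report it before returning, e.g. `fmt.Fprintf(os.Stderr, "Failed to run as a Windows service: %v\n", err)`, and add the missing `\n` to the "Could not determine if running as a Windows service" message above it. The goroutine and `errChan` around `Run` add nothing because `Main` blocks on the channel immediately; `err = e.sc.Run("", e.handler)` is equivalent. Whether stderr is captured for a service process is not visible here, so a log file or event-log sink may be the better target.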
+++ b/pkg/common/entrypoint/entrypoint_windows_test.go 
@@ -0,0 +1,323 @@ +//go:build windows +// +build windows + +package entrypoint + +import ( + "context" + "errors" + "sync" + "syscall" + "testing" + "time" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "golang.org/x/sys/windows" + "golang.org/x/sys/windows/svc" +) + +var runArgs = []string{"process-name", "run"} + +type fakeSystemCall struct { + mtx sync.RWMutex + args []string + exitCode uint32 + isWindowsService bool + isWindowsServiceErr error + runErr error + s service + svcSpecificEC bool + changeRequestCh chan svc.ChangeRequest + statusCh chan svc.Status +} + +func (s *fakeSystemCall) initChannels() { + s.mtx.Lock() + defer s.mtx.Unlock() + + s.changeRequestCh = make(chan svc.ChangeRequest, 1) + s.statusCh = make(chan svc.Status, 1) +} + +func (s *fakeSystemCall) IsWindowsService() (bool, error) { + s.mtx.RLock() + defer s.mtx.RUnlock() + + return s.isWindowsService, s.isWindowsServiceErr +} + +func (s *fakeSystemCall) Run(name string, handler svc.Handler) error { + var ( + wg sync.WaitGroup + svcSpecificEC bool + exitCode uint32 + ) + + wg.Add(1) + go func() { + defer wg.Done() + s.mtx.RLock() + defer s.mtx.RUnlock() + + svcSpecificEC, exitCode = s.s.Execute(s.args, s.changeRequestCh, s.statusCh) + }() + + c := make(chan struct{}) + go func() { + defer close(c) + wg.Wait() + }() + select { + case <-c: + case <-time.After(time.Minute): + panic("timed out") + } + + s.statusCh <- svc.Status{State: svc.Stopped} + + s.mtx.Lock() + defer s.mtx.Unlock() + s.svcSpecificEC = svcSpecificEC + s.exitCode = exitCode + return s.runErr +} + +func newEntryPoint(runCmdFn func(ctx context.Context, args []string) int, sc systemCaller) *EntryPoint { + return &EntryPoint{ + handler: &service{ + executeServiceFn: func(ctx context.Context, stop context.CancelFunc, args []string) int { + retCode := runCmdFn(ctx, args[1:]) + defer stop() + return retCode + }, + }, + runCmdFn: runCmdFn, + sc: sc, + } +} + +func TestNotAService(t *testing.T) { + 
tests := []struct { + name string + retCode int + expectRunErr string + sc *fakeSystemCall + }{ + { + name: "success", + sc: &fakeSystemCall{}, + }, + { + name: "failure", + retCode: 1, + sc: &fakeSystemCall{}, + }, + } + for _, testCase := range tests { + t.Run(testCase.name, func(t *testing.T) { + retCodeCh := make(chan int, 1) + + go func() { + ep := newEntryPoint(func(ctx context.Context, args []string) int { + return testCase.retCode + }, testCase.sc) + retCodeCh <- ep.Main() + assert.True(t, true) + }() + + assertWithTimeout(t, testCase.retCode, retCodeCh) + }) + } +} + +func TestService(t *testing.T) { + tests := []struct { + name string + runCmdRetCode int + executeServiceFailure bool + expectRunErr string + sc *fakeSystemCall + }{ + { + name: "success", + sc: &fakeSystemCall{ + args: runArgs, + s: service{ + executeServiceFn: func(ctx context.Context, stop context.CancelFunc, args []string) int { + return 0 + }, + }, + isWindowsService: true, + }, + }, + { + name: "fatal app exit", + executeServiceFailure: true, + sc: &fakeSystemCall{ + args: runArgs, + s: service{ + executeServiceFn: func(ctx context.Context, stop context.CancelFunc, args []string) int { + stop() + return 1 + }, + }, + isWindowsService: true, + }, + }, + } + for _, testCase := range tests { + t.Run(testCase.name, func(t *testing.T) { + retCodeCh := make(chan int, 1) + go func() { + ep := newEntryPoint(func(ctx context.Context, args []string) int { + return testCase.runCmdRetCode + }, testCase.sc) + retCodeCh <- ep.Main() + }() + + testCase.sc.initChannels() + + // This is running as a service. + // Check if we expect a failure running the service. + if testCase.executeServiceFailure { + // First status of the service should be Running. + waitForServiceState(t, testCase.sc.statusCh, svc.Running) + + // Since there was a failure, it should transition to Stopped, + // first having the StopPending status. 
+ waitForServiceState(t, testCase.sc.statusCh, svc.StopPending) + + // Final status should be Stopped. + waitForServiceState(t, testCase.sc.statusCh, svc.Stopped) + + // Assert the return code for Main(). + assertWithTimeout(t, testCase.runCmdRetCode, retCodeCh) + + assert.False(t, testCase.sc.svcSpecificEC) + assert.Equal(t, uint32(windows.ERROR_FATAL_APP_EXIT), testCase.sc.exitCode) + return + } + + status := <-testCase.sc.statusCh + assert.Equal(t, svc.Running, status.State) + + // Interrogate the service, which should return the current status. + testCase.sc.changeRequestCh <- svc.ChangeRequest{ + Cmd: svc.Interrogate, + CurrentStatus: status, + } + + waitForServiceState(t, testCase.sc.statusCh, status.State) + + // Stop the service. Status should reflect that's pending to stop. + testCase.sc.changeRequestCh <- svc.ChangeRequest{Cmd: svc.Stop} + waitForServiceState(t, testCase.sc.statusCh, svc.StopPending) + + // Next status should be Stopped. + waitForServiceState(t, testCase.sc.statusCh, svc.Stopped) + }) + } +} + +func TestRunSvcFailure(t *testing.T) { + tests := []struct { + name string + runCmdRetCode int + expectRunErr string + sc *fakeSystemCall + }{ + { + name: "svc.Run failure", + runCmdRetCode: 1, + sc: &fakeSystemCall{ + args: runArgs, + runErr: errors.New("run error"), + s: service{ + executeServiceFn: func(ctx context.Context, stop context.CancelFunc, args []string) int { + stop() + return 0 + }, + }, + isWindowsService: true, + }, + }, + } + for _, testCase := range tests { + t.Run(testCase.name, func(t *testing.T) { + retCodeCh := make(chan int, 1) + go func() { + ep := newEntryPoint(func(ctx context.Context, args []string) int { + return testCase.runCmdRetCode + }, testCase.sc) + retCodeCh <- ep.Main() + }() + + testCase.sc.initChannels() + + // First status of the service should be Running. 
+ waitForServiceState(t, testCase.sc.statusCh, svc.Running) + + // Since there was a failure, it should transition to Stopped, + // first having the StopPending status. + waitForServiceState(t, testCase.sc.statusCh, svc.StopPending) + + // Final status should be Stopped. + waitForServiceState(t, testCase.sc.statusCh, svc.Stopped) + + // Assert the return code for Main(). + assertWithTimeout(t, testCase.runCmdRetCode, retCodeCh) + }) + } +} + +func TestUnsupportedCommand(t *testing.T) { + tests := []struct { + name string + expectRetCode int + expectRunErr string + sc *fakeSystemCall + }{ + { + name: "service - unsupported command", + sc: &fakeSystemCall{ + args: []string{"bundle", "show"}, + s: service{ + executeServiceFn: func(ctx context.Context, stop context.CancelFunc, args []string) int { + return 0 + }, + }, + isWindowsService: true, + }, + }, + } + for _, testCase := range tests { + t.Run(testCase.name, func(t *testing.T) { + testCase.sc.initChannels() + + ep := newEntryPoint(func(ctx context.Context, args []string) int { + return 1 + }, testCase.sc) + assert.Equal(t, 0, ep.Main()) + assert.Equal(t, windows.ERROR_BAD_ARGUMENTS, syscall.Errno(testCase.sc.exitCode)) + }) + } +} + +func waitForServiceState(t *testing.T, statusCh chan svc.Status, state svc.State) { + select { + case status := <-statusCh: + assert.Equal(t, state, status.State) + case <-time.After(time.Second * 5): + require.FailNow(t, "timed out waiting for service state") + } +} + +func assertWithTimeout(t *testing.T, expectedRetCode int, retCodeCh chan int) { + select { + case <-time.After(time.Minute): + assert.FailNow(t, "timed out waiting for return code") + case retCode := <-retCodeCh: + assert.Equal(t, expectedRetCode, retCode) + } +} diff --git a/pkg/common/entrypoint/service_windows.go b/pkg/common/entrypoint/service_windows.go new file mode 100644 index 0000000000..b3b27ee2a5 --- /dev/null +++ b/pkg/common/entrypoint/service_windows.go 
@@ -0,0 +1,70 @@ +//go:build windows +// +build windows + +package entrypoint + +import ( + "context" + "sync" + + "golang.org/x/sys/windows" + "golang.org/x/sys/windows/svc" +) + +const supportedCommand = "run" + +type service struct { + mtx sync.RWMutex + executeServiceFn func(ctx context.Context, stop context.CancelFunc, args []string) int +} + +func (s *service) Execute(args []string, changeRequest <-chan svc.ChangeRequest, status chan<- svc.Status) (svcSpecificEC bool, exitCode uint32) { + // Validate that we are executing the "run" command. + // First argument (args[0]) is always the process name. Command name is + // expected in the second argument (args[1]). + if len(args) < 2 || args[1] != supportedCommand { + return false, uint32(windows.ERROR_BAD_ARGUMENTS) + } + + // Update the status to indicate that SPIRE is running. + // Only Stop and Shutdown commands are accepted (Interrogate is always accepted). + status <- svc.Status{ + State: svc.Running, + Accepts: svc.AcceptStop | svc.AcceptShutdown, + } + + var ( + wg sync.WaitGroup + retCode int + ) + ctx, stop := context.WithCancel(context.Background()) + wg.Add(1) + go func() { + defer wg.Done() + s.mtx.RLock() + defer s.mtx.RUnlock() + if retCode = s.executeServiceFn(ctx, stop, args); retCode != 0 { + retCode = int(windows.ERROR_FATAL_APP_EXIT) + } + }() + +loop: + for { + select { + case <-ctx.Done(): + break loop + case c := <-changeRequest: + switch c.Cmd { + case svc.Interrogate: + status <- c.CurrentStatus + case svc.Stop, svc.Shutdown: + break loop + } + } + } + + status <- svc.Status{State: svc.StopPending} + stop() + wg.Wait() + return false, uint32(retCode) +} From 0a9d64048a193978331ad74b2d5663aad73c98e1 Mon Sep 17 00:00:00 2001 
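Review bot: `Execute` has no doc comment, and two parts of its contract are easy to miss: the arguments it forwards to `executeServiceFn` are the ones supplied when the service is started, and any non-zero return code is replaced by `ERROR_FATAL_APP_EXIT`. Because only `args[1] == "run"` is checked, the remaining flags (such as `-config` in the documented `sc.exe start` example) are chosen by whoever starts the service, so the right to start it should be limited to trusted administrators. I would add `// Execute runs the "run" command with the start-time service arguments; the caller starting the service selects the configuration.` and `// Any non-zero result is returned as ERROR_FATAL_APP_EXIT.` The `mtx` field guards a function value that nothing visible in this commit writes under the lock; if it exists only for tests, a comment should say so.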
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Jan 2023 21:11:57 -0300 Subject: [PATCH 257/257] Bump golang.org/x/net from 0.4.0 to 0.5.0 (#3730) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.4.0 to 0.5.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](https://github.com/golang/net/compare/v0.4.0...v0.5.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 8 ++++---- go.sum | 15 ++++++++------- 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/go.mod b/go.mod index 33a3483e5a..3d037a443a 100644 --- a/go.mod +++ b/go.mod @@ -63,9 +63,9 @@ require ( github.com/uber-go/tally/v4 v4.1.4 github.com/zeebo/errs v1.3.0 golang.org/x/crypto v0.4.0 - golang.org/x/net v0.4.0 + golang.org/x/net v0.5.0 golang.org/x/sync v0.1.0 - golang.org/x/sys v0.3.0 + golang.org/x/sys v0.4.0 golang.org/x/time v0.3.0 google.golang.org/api v0.105.0 google.golang.org/genproto v0.0.0-20221206210731-b1a01be3a5f6 @@ -199,8 +199,8 @@ require ( go.uber.org/zap v1.24.0 // indirect golang.org/x/mod v0.6.0 // indirect golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 // indirect - golang.org/x/term v0.3.0 // indirect - golang.org/x/text v0.5.0 // indirect + golang.org/x/term v0.4.0 // indirect + golang.org/x/text v0.6.0 // indirect golang.org/x/tools v0.2.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect diff --git a/go.sum b/go.sum index 6f10f6c95c..0ff57b2e76 100644 --- a/go.sum +++ b/go.sum 
@@ -1226,8 +1226,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.0.0-20221012135044-0b7e1fb9d458/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= -golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU= -golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= +golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw= +golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -1362,13 +1362,14 @@ golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ= golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18= +golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI= -golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA= +golang.org/x/term v0.4.0 h1:O7UWfv5+A2qiuulQk30kVinPoMtoIPeVaKLEgLpVkvg= +golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1380,8 +1381,8 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM= -golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.6.0 h1:3XmdazWV+ubf7QgHSTWeykHOci5oeekaGJBLkrkaw4k= +golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=