diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index c792a05b9..e00037e07 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -5,10 +5,12 @@ on: push: branches: - main + - staging - 1.0.0* pull_request: branches: - main + - staging - 1.0.0* schedule: - cron: '30 1 * * 0' diff --git a/.github/workflows/e2e-cli.yml b/.github/workflows/e2e-cli.yml index 30ecfc5f5..549118ebb 100644 --- a/.github/workflows/e2e-cli.yml +++ b/.github/workflows/e2e-cli.yml @@ -36,7 +36,7 @@ jobs: - name: Check build run: bin/ratify version - name: Upload coverage to codecov.io - uses: codecov/codecov-action@7afa10ed9b269c561c2336fd862446844e0cbf71 # v4.2.0 + uses: codecov/codecov-action@84508663e988701840491b86de86b666e8a86bed # v4.3.0 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} - name: Run helm lint @@ -64,7 +64,7 @@ jobs: make install ratify-config install-bats make test-e2e-cli GOCOVERDIR=${GITHUB_WORKSPACE}/test/e2e/.cover - name: Upload coverage to codecov.io - uses: codecov/codecov-action@7afa10ed9b269c561c2336fd862446844e0cbf71 # v4.2.0 + uses: codecov/codecov-action@84508663e988701840491b86de86b666e8a86bed # v4.3.0 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} markdown-link-check: diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 382e27524..44a5f084f 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -3,6 +3,7 @@ on: push: branches: - main + - staging - 1.0.0* pull_request: workflow_dispatch: diff --git a/.github/workflows/high-availability.yml b/.github/workflows/high-availability.yml index 06acdcee3..03ffd5693 100644 --- a/.github/workflows/high-availability.yml +++ b/.github/workflows/high-availability.yml @@ -6,11 +6,13 @@ on: pull_request: branches: - main + - staging - 1.0.0* push: branches: - 1.0.0* - main + - staging workflow_dispatch: permissions: read-all 
diff --git a/.github/workflows/quick-start.yml b/.github/workflows/quick-start.yml index 29d7dd424..8fc887517 100644 --- a/.github/workflows/quick-start.yml +++ b/.github/workflows/quick-start.yml @@ -6,10 +6,12 @@ on: pull_request: branches: - main + - staging - 1.0.0* push: branches: - 1.0.0* + - staging - main workflow_dispatch: diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 2a47a0218..b81777d0e 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -5,7 +5,9 @@ on: # Weekly on Saturdays. - cron: '30 1 * * 6' push: - branches: [ main ] + branches: + - main + - staging workflow_dispatch: permissions: read-all diff --git a/.vscode/launch.json b/.vscode/launch.json index 3f39685ca..d032aae19 100644 --- a/.vscode/launch.json +++ b/.vscode/launch.json @@ -12,15 +12,15 @@ "program": "${workspaceFolder}/cmd/ratify", "env": { "RATIFY_EXPERIMENTAL_DYNAMIC_PLUGINS": "1", - "RATIFY_LOG_LEVEL": "debug", + "RATIFY_LOG_LEVEL": "debug" }, "args": [ "verify", "-s", "${input:subject}", "-c", - "${input:configPath}", - ], + "${input:configPath}" + ] }, { "name": "Serve", @@ -35,10 +35,9 @@ "serve", "--http", ":6001" - ], + ] }, { - // This requires your kubeconfig to be pointed at a cluster with Ratify CRDs installed "name": "Serve w/ CRD manager", "type": "go", "request": "launch", 
@@ -47,18 +46,19 @@ "env": { "RATIFY_LOG_LEVEL": "debug", "RATIFY_EXPERIMENTAL_DYNAMIC_PLUGINS": "1", - "RATIFY_NAMESPACE": "gatekeeper-system", + "RATIFY_NAMESPACE": "gatekeeper-system" }, "args": [ "serve", "--enable-crd-manager", "--http", ":6001" - ], + ] }, { // This requires your kubeconfig to be pointed at a cluster with Ratify CRDs installed - // This requires you to have generated tls.crt and tls.key and placed them in a single directory + // This requires you to have generated server TLS certs: tls.crt, tls.key, ca.crt, ca.key and placed them in a single directory + // This requires you to have a client CA cert (Gatekeeper CA cert) to verify the client cert "name": "Serve w/ CRD manager and TLS enabled", "type": "go", "request": "launch", @@ -73,8 +73,9 @@ "--enable-crd-manager", "--http", ":6001", - "--cert-dir=${input:tlsDir}" - ], + "--cert-dir=${input:tlsDir}", + "--ca-cert-file=${input:clientCACert}", + ] }, { "name": "Debug SBOM Plugin", @@ -87,7 +88,7 @@ "RATIFY_LOG_LEVEL": "debug", "RATIFY_VERIFIER_COMMAND": "VERIFY", "RATIFY_VERIFIER_SUBJECT": "wabbitnetworks.azurecr.io/test/image:sbom", - "RATIFY_VERIFIER_VERSION": "1.0.0", + "RATIFY_VERIFIER_VERSION": "1.0.0" }, "console": "integratedTerminal" } @@ -111,5 +112,11 @@ "description": "Absolute path to tls cert and key directory", "default": "${workspaceFolder}/tls/certs" }, + { + "id": "clientCACert", + "type": "promptString", + "description": "Absolute path to client CA cert (Gatekeeper CA cert)", + "default": "${workspaceFolder}/client-ca-cert/ca.crt" + } ] } diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 343d0da35..2efa7239e 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
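Review bot: The new args entry `"--ca-cert-file=${input:clientCACert}",` leaves a trailing comma before the closing `]`, while the rest of this commit removes exactly those trailing commas from launch.json; VS Code's JSONC tolerates it but a strict JSON parser rejects it, and the cleanup becomes inconsistent. Drop the comma so the line reads `"--ca-cert-file=${input:clientCACert}"`. The enclosing launch configuration starts before this hunk.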
@@ -269,19 +269,25 @@ Gatekeeper requires TLS for external data provider interactions. As such ratify helm install ratify \ ./charts/ratify --atomic \ --namespace gatekeeper-system \ - --set-file notationCert=./test/testdata/notation.crt \ + --set logger.level=debug \ + --set-file notationCerts[0]=./test/testdata/notation.crt \ --set-file provider.tls.crt=./tls/certs/tls.crt \ --set-file provider.tls.key=./tls/certs/tls.key \ - --set-file provider.tls.cabundle=./tls/certs/ca.crt + --set-file provider.tls.cabundle="$(cat ./tls/certs/ca.crt | base64 | tr -d '\n\r')" \ + --set-file provider.tls.caCert=./tls/certs/ca.crt \ + --set-file provider.tls.caKey=./tls/certs/ca.key ``` +Update the `KubernetesLocalProcessConfig.yaml` with updated directory/file paths: +- In the file, set the `` to an absolute directory accessible on local environment. This is the directory where Bridge to K8s will download the Azure Workload Identity JWT token. +- In the file, set the `` to an absolute directory accessible on local environment. This is the directory where Bridge to K8s will download the `client-ca-cert` volume (Gatekeeper's `ca.crt`). Configure Bridge to Kubernetes (Comprehensive guide [here](https://learn.microsoft.com/en-us/visualstudio/bridge/bridge-to-kubernetes-vs-code)) 1. Open the `Command Palette` in VSCode `CTRL-SHIFT-P` -1. Select `Bridge to Kubernetes: Configure` -1. Select `Ratify` from the list as the service to redirect to -1. Set port to be 6001 -1. Select `Serve w/ CRD manager and TLS enabled` as the launch config -1. Select 'No' for request isolation +2. Select `Bridge to Kubernetes: Configure` +3. Select `Ratify` from the list as the service to redirect to +4. Set port to be 6001 +5. Select `Serve w/ CRD manager and TLS enabled` as the launch config +6. Select 'No' for request isolation This should automatically append a new Bridge to Kubernetes configuration to the launch.json file and add a new tasks.json file. 
diff --git a/KubernetesLocalProcessConfig.yaml b/KubernetesLocalProcessConfig.yaml new file mode 100644 index 000000000..98890ec3f --- /dev/null +++ b/KubernetesLocalProcessConfig.yaml @@ -0,0 +1,15 @@ +version: 0.1 +env: + - name: azure-identity-token # REMOVE if not using Azure Workload Identity + value: $(volumeMounts:azure-identity-token) # REMOVE if not using Azure Workload Identity + - name: client-ca-cert + value: $(volumeMounts:client-ca-cert) + - name: AZURE_FEDERATED_TOKEN_FILE # REMOVE if not using Azure Workload Identity + value: /azure-identity-token # REMOVE if not using Azure Workload Identity + - name: RATIFY_NAMESPACE + value: gatekeeper-system +volumeMounts: + - name: client-ca-cert + localPath: + - name: azure-identity-token # REMOVE if not using Azure Workload Identity + localPath: # REMOVE if not using Azure Workload Identity \ No newline at end of file diff --git a/RELEASES.md b/RELEASES.md index 6487a911c..7f9318bd4 100644 --- a/RELEASES.md +++ b/RELEASES.md @@ -88,6 +88,6 @@ helm install ratify \ --set image.repository=ghcr.io/deislabs/ratify-dev --set image.crdRepository=ghcr.io/deislabs/ratify-crds-dev --set image.tag=dev.. - --set-file notationCert=./test/testdata/notation.crt + --set-file notationCerts[0]=./test/testdata/notation.crt ``` NOTE: the tag field is the only value that will change when updating to newer dev build images \ No newline at end of file diff --git a/charts/ratify/README.md b/charts/ratify/README.md index 1f4fd7bc1..eafe93360 100644 --- a/charts/ratify/README.md +++ b/charts/ratify/README.md 
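Review bot: Both `localPath:` entries are committed empty and must be filled with machine-specific absolute paths, and the `azure-identity-token` mount will place a Workload Identity JWT into whichever directory is chosen, yet nothing in the file says those directories (and the downloaded `client-ca-cert` volume) should stay out of version control. Add a header comment such as `# localPath values are machine-specific; point them at directories outside the repo or add them to .gitignore so the token and certs are never committed`. Whether a .gitignore rule already covers these paths is not visible in this diff.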
@@ -30,6 +30,10 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen $ helm upgrade -n gatekeeper-system [RELEASE_NAME] ratify/ratify ``` +## Deprecation Policy + +Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in the below parameters will NOT be supported in the next major version release. Existing functionality will remain backwards compatible until the next major version release. + ## Parameters | Parameter | Description | Default | @@ -43,7 +47,6 @@ $ helm upgrade -n gatekeeper-system [RELEASE_NAME] ratify/ratify | replicaCount | The number of Ratify replicas in deployment | 1 | | affinity | Pod affinity for the Ratify deployment | `{}` | | tolerations | Pod tolerations for the Ratify deployment | `[]` | -| notationCert | Public certificate/certificate chain used to create inline certstore used by Notation verifier. This value has been ***deprecated*** , and will be removed in future releases of Ratify. Please switch to ```notationCerts``` to specify an array of verification certificates | `` | | notationCerts | An array of public certificate/certificate chain used to create inline certstore used by Notation verifier | `` | | cosign.enabled | Enables/disables cosign tag-based signature lookup in ORAS store. MUST be set to true for cosign verification. | `true` | | cosign.key | Public certificate used by cosign verifier | `` | 
@@ -120,11 +123,17 @@ $ helm upgrade -n gatekeeper-system [RELEASE_NAME] ratify/ratify | azureWorkloadIdentity.clientId | ClientID of AAD application/Managed identity associated with Workload Identity | `` | | azureManagedIdentity.clientId | ClientID of Managed identity | `` | | azureManagedIdentity.tenantId | TenantID of Managed Identity resource | `` | -| akvCertConfig.enabled | Enables/disables Azure Key Vault certificate store. If you are using a custom chart, certificate store should be referenced through a Verifier CR. References in ConfigMap will not be correctly resolved. | `false` | -| akvCertConfig.vaultURI | Vault URI for AKV configured | `` | -| akvCertConfig.cert1Name | Exact name of the certificate stored in AKV. This value has been ***deprecated*** , and will be removed in future releases of Ratify. Please switch to ```akvCertConfig.certificates``` to specify an array of certificates | `` | -| akvCertConfig.cert1Version | Exact version of certificate to use from AKV. This value has been ***deprecated*** , and will be removed in future releases of Ratify. Please switch to ```akvCertConfig.certificates``` to specify an array of verification certificates | `` | -| akvCertConfig.cert2Name | Exact name of the certificate stored in AKV. This value has been ***deprecated*** , and will be removed in future releases of Ratify. Please switch to ```akvCertConfig.certificates``` to specify an array of verification certificates | `` | -| akvCertConfig.cert2Version | Exact version of certificate to use from AKV. This value has been ***deprecated*** , and will be removed in future releases of Ratify. 
Please switch to ```akvCertConfig.certificates``` to specify an array of verification certificates | `` | -| akvCertConfig.certificates | An array of certificate objects identified by `name` and `version` stored in AKV | `` | -| akvCertConfig.tenantId | TenantID of the configured AKV resource | `` | +| azurekeyvault.enabled | Enables/disables Azure Key Vault key management provider. If you are using a custom chart, certificate store should be referenced through a Verifier CR. | `false` | +| azurekeyvault.vaultURI | Vault URI for Azure Key Vault | `` | +| azurekeyvault.tenantId | Tenant ID of the configured Azure Key Vault resource | `` | +| azurekeyvault.certificates | An array of certificate objects identified by `name` and `version` (optional) stored in Azure Key Vault | `[]` | +| azurekeyvault.keys | An array of key objects identified by `name` and `version` (optional) stored in Azure Key Vault | `[]` | +| notationCert | **DEPRECATED** Please switch to `notationCerts` to specify an array of verification certificates. Public certificate/certificate chain used to create inline certstore used by Notation verifier. | `` | +| akvCertConfig.enabled | **DEPRECATED** Please use `azurekeyvault.enabled` instead. Enables/disables Azure Key Vault certificate store. If you are using a custom chart, certificate store should be referenced through a Verifier CR. References in ConfigMap will not be correctly resolved. | `false` | +| akvCertConfig.vaultURI | **DEPRECATED** Please use `azurekeyvault.vaultURI` instead. Vault URI for AKV configured | `` | +| akvCertConfig.cert1Name | **DEPRECATED** Please use `azurekeyvault.certificates` instead. Exact name of the certificate stored in AKV. | `` | +| akvCertConfig.cert1Version | **DEPRECATED** Please use `azurekeyvault.certificates` instead. Exact version of certificate to use from AKV.certificates | `` | +| akvCertConfig.cert2Name | **DEPRECATED** Please use `azurekeyvault.certificates` instead. 
Exact name of the certificate stored in AKV. | `` | +| akvCertConfig.cert2Version | **DEPRECATED** Please use `azurekeyvault.certificates` instead. Exact version of certificate to use from AKV. | `` | +| akvCertConfig.certificates | **DEPRECATED** Please use `azurekeyvault.certificates` instead. An array of certificate objects identified by `name` and `version` stored in AKV | `` | +| akvCertConfig.tenantId | **DEPRECATED** Please use `azurekeyvault.certificates` instead. TenantID of the configured AKV resource | `` | diff --git a/charts/ratify/templates/akv-key-management-provider.yaml b/charts/ratify/templates/akv-key-management-provider.yaml index 548080600..831496792 100644 --- a/charts/ratify/templates/akv-key-management-provider.yaml +++ b/charts/ratify/templates/akv-key-management-provider.yaml @@ -1,4 +1,4 @@ -{{- if .Values.akvCertConfig.enabled }} +{{- if or .Values.azurekeyvault.enabled .Values.akvCertConfig.enabled }} apiVersion: config.ratify.deislabs.io/v1beta1 kind: KeyManagementProvider metadata: @@ -9,7 +9,13 @@ metadata: spec: type: azurekeyvault parameters: - vaultURI: {{ required "vaultURI must be provided when AKV cert config is enabled" .Values.akvCertConfig.vaultURI }} + {{- if .Values.azurekeyvault.vaultURI }} + vaultURI: {{ .Values.azurekeyvault.vaultURI }} + {{- else if .Values.akvCertConfig.vaultURI }} + vaultURI: {{ .Values.akvCertConfig.vaultURI }} + {{- else }} + {{- fail "vaultURI must be provided when azurekeyvault is enabled. please specify azurekeyvault.vaultURI" }} + {{- end }} certificates: {{- if .Values.akvCertConfig.cert1Name }} - name: {{ .Values.akvCertConfig.cert1Name }} 
@@ -25,6 +31,25 @@ spec: version: {{ .version }} {{- end }} {{- end }} - tenantID: {{ required "tenantID must be provided when AKV cert config is enabled" .Values.akvCertConfig.tenantId }} + {{- range .Values.azurekeyvault.certificates }} + {{- if .name }} + - name: {{ .name }} + version: {{ .version }} + {{- end }} + {{- end }} + keys: + {{- range .Values.azurekeyvault.keys }} + {{- if .name }} + - name: {{ .name }} + version: {{ .version }} + {{- end }} + {{- end }} + {{- if .Values.azurekeyvault.tenantId }} + tenantID: {{ .Values.azurekeyvault.tenantId }} + {{- else if .Values.akvCertConfig.tenantId }} + tenantID: {{ .Values.akvCertConfig.tenantId }} + {{- else }} + {{- fail "tenantID must be provided when azurekeyvault is enabled. please specify azurekeyvault.tenantId" }} + {{- end }} clientID: {{ required "clientID must be provided when use workload identity in akv" .Values.azureWorkloadIdentity.clientId }} {{ end }} \ No newline at end of file diff --git a/charts/ratify/templates/inline-key-management-provider.yaml b/charts/ratify/templates/inline-key-management-provider.yaml index aafbad449..665ea0b75 100644 --- a/charts/ratify/templates/inline-key-management-provider.yaml +++ b/charts/ratify/templates/inline-key-management-provider.yaml @@ -28,4 +28,19 @@ spec: parameters: contentType: certificate value: {{ $cert | quote }} +{{- end }} +--- +{{- range $i, $key := .Values.cosignKeys }} +apiVersion: config.ratify.deislabs.io/v1beta1 +kind: KeyManagementProvider +metadata: + name: {{$fullname}}-cosign-inline-key-{{$i}} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-weight: "5" +spec: + type: inline + parameters: + contentType: key + value: {{ $key | quote }} {{- end }} \ No newline at end of file diff --git a/charts/ratify/templates/verifier.yaml b/charts/ratify/templates/verifier.yaml index eea0c33c0..6f3c78378 100644 --- a/charts/ratify/templates/verifier.yaml +++ b/charts/ratify/templates/verifier.yaml 
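Review bot: `keys:` is rendered unconditionally, so the new default `azurekeyvault.keys: []` produces `keys:` with a null value rather than an empty list, and each entry emits `version:` as null when the optional version is omitted; whether the KeyManagementProvider CRD accepts null in those positions cannot be confirmed from this hunk. Consider wrapping the list header in `{{- if .Values.azurekeyvault.keys }}` … `{{- end }}` and the version in `{{- if .version }}version: {{ .version }}{{- end }}`, matching the existing `{{- if .name }}` guard. The same shape applies to the `certificates` entries added in this hunk.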
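Review bot: The new `cosignKeys` range creates one inline KeyManagementProvider per key, but no template in this diff references `{{$fullname}}-cosign-inline-key-{{$i}}` (verifier.yaml only changes the notation `verificationCertStores` condition), so the resources appear to be created without a consumer unless a cosign verifier template outside this diff picks them up. If that wiring is intended as a follow-up, a template comment above the range such as `{{- /* inline KMPs for cosign public keys; to be referenced by the cosign verifier */}}` would make the contract explicit. `$fullname` is defined outside this hunk.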
@@ -14,7 +14,7 @@ spec: parameters: verificationCertStores: certs: - {{- if .Values.akvCertConfig.enabled }} + {{- if or .Values.azurekeyvault.enabled .Values.akvCertConfig.enabled }} - kmprovider-akv {{- else }} {{- if .Values.notationCert }} diff --git a/charts/ratify/values.yaml b/charts/ratify/values.yaml index 94c9c19e8..315dbf509 100644 --- a/charts/ratify/values.yaml +++ b/charts/ratify/values.yaml @@ -9,8 +9,8 @@ fullnameOverride: "" replicaCount: 1 affinity: {} tolerations: [] -notationCert: "" notationCerts: [] +cosignKeys: [] cosign: enabled: true @@ -49,7 +49,7 @@ instrumentation: # Can be used to authenticate to: # ACR -> oras.authProviders.azureWorkloadIdentityEnabled -# Key Vault -> akvCertConfig.enabled +# Key Vault -> azurekeyvault.enabled azureWorkloadIdentity: clientId: @@ -57,15 +57,12 @@ azureManagedIdentity: clientId: tenantId: -akvCertConfig: +azurekeyvault: enabled: false vaultURI: - cert1Name: - cert1Version: - cert2Name: - cert2Version: - certificates: tenantId: + certificates: [] + keys: [] oras: useHttp: false @@ -148,3 +145,14 @@ featureFlags: RATIFY_CERT_ROTATION: false # RATIFY_EXPERIMENTAL_HIGH_AVAILABILITY enables high availability mode including distributed caching. RATIFY_EXPERIMENTAL_HIGH_AVAILABILITY: false + +notationCert: "" # DEPRECATED: Use notationCerts instead +akvCertConfig: # DEPRECATED: Use azurekeyvault instead + enabled: false # DEPRECATED: Use azurekeyvault.enabled instead + vaultURI: # DEPRECATED: Use azurekeyvault.vaultURI instead + cert1Name: # DEPRECATED: Use azurekeyvault.certificates instead + cert1Version: # DEPRECATED: Use azurekeyvault.certificates instead + cert2Name: # DEPRECATED: Use azurekeyvault.certificates instead + cert2Version: # DEPRECATED: Use azurekeyvault.certificates instead + certificates: # DEPRECATED: Use azurekeyvault.certificates instead + tenantId: # DEPRECATED: Use azurekeyvault.tenantId instead \ No newline at end of file 
diff --git a/config/configManager.go b/config/configManager.go index e43f253d3..a507d3228 100644 --- a/config/configManager.go +++ b/config/configManager.go @@ -16,6 +16,7 @@ limitations under the License. package config import ( + "context" "os" "time" @@ -25,7 +26,7 @@ import ( "github.com/sirupsen/logrus" ) -type GetExecutor func() *ef.Executor +type GetExecutor func(context.Context) *ef.Executor var ( configHash string @@ -38,7 +39,7 @@ func GetExecutorAndWatchForUpdate(configFilePath string) (GetExecutor, error) { cf, err := Load(configFilePath) if err != nil { - return func() *ef.Executor { return &ef.Executor{} }, err + return func(context.Context) *ef.Executor { return &ef.Executor{} }, err } configHash = cf.fileHash @@ -46,7 +47,7 @@ func GetExecutorAndWatchForUpdate(configFilePath string) (GetExecutor, error) { stores, verifiers, policyEnforcer, err := CreateFromConfig(cf) if err != nil { - return func() *ef.Executor { return &ef.Executor{} }, err + return func(context.Context) *ef.Executor { return &ef.Executor{} }, err } executor = ef.Executor{ @@ -59,12 +60,12 @@ func GetExecutorAndWatchForUpdate(configFilePath string) (GetExecutor, error) { err = watchForConfigurationChange(configFilePath) if err != nil { - return func() *ef.Executor { return &ef.Executor{} }, err + return func(context.Context) *ef.Executor { return &ef.Executor{} }, err } logrus.Info("configuration successfully loaded.") - return func() *ef.Executor { return &executor }, nil + return func(context.Context) *ef.Executor { return &executor }, nil } func reloadExecutor(configFilePath string) { diff --git a/dev.helmfile.yaml b/dev.helmfile.yaml index 4fd0eb057..73ab8a466 100644 --- a/dev.helmfile.yaml +++ b/dev.helmfile.yaml 
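Review bot: The exported type `GetExecutor` has no doc comment, and all four returned closures discard the new `context.Context` parameter, so a reader cannot tell whether callers are expected to pass a meaningful context. Add `// GetExecutor returns the executor built from the currently loaded configuration; the context parameter is accepted for signature compatibility and is currently unused by this implementation.` above the type. `GetExecutorAndWatchForUpdate` starts before the first of its hunks; its final closure returns `&executor`, a package-level value that `reloadExecutor` presumably replaces, which this commit leaves unchanged but is worth keeping in mind for concurrent access.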
@@ -72,7 +72,7 @@ releases: - "-n" - "gatekeeper-system" set: - - name: notationCert + - name: notationCerts[0] value: {{ exec "curl" (list "-sSL" "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notation.crt") | quote }} - name: featureFlags.RATIFY_CERT_ROTATION value: true diff --git a/dev.high-availability.helmfile.yaml b/dev.high-availability.helmfile.yaml index 3beac173d..70692d85f 100644 --- a/dev.high-availability.helmfile.yaml +++ b/dev.high-availability.helmfile.yaml @@ -141,7 +141,7 @@ releases: value: true - name: logger.level value: debug - - name: notationCert + - name: notationCerts[0] value: {{ exec "curl" (list "-sSL" "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notation.crt") | quote }} - name: replicaCount value: 2 diff --git a/errors/errors.go b/errors/errors.go index 75ccbc784..8f98e6def 100644 --- a/errors/errors.go +++ b/errors/errors.go @@ -118,11 +118,4 @@ var ( Message: "data encoding failure", Description: "Failed to encode data. Please verify the encoding data.", }) - - // ErrorCodeKeyManagementConflict is returned when key management provider and certificate store are configured together. - ErrorCodeKeyManagementConflict = Register("errcode", ErrorDescriptor{ - Value: "KEY_MANAGEMENT_CONFLICT", - Message: "key management provider and certificate store should not be configured together", - Description: "Key management provider and certificate store should not be configured together. Please migrate to key management provider and delete certificate store.", - }) ) diff --git a/errors/pluginerrors.go b/errors/pluginerrors.go index 81944f588..cc851e1f9 100644 --- a/errors/pluginerrors.go +++ b/errors/pluginerrors.go 
@@ -145,6 +145,14 @@ var ( Description: "The certificate is invalid. Please verify the provided inline certificates or certificates fetched from key vault are in valid format. Refer to https://ratify.dev/docs/reference/crds/certificate-stores for more information.", }) + // ErrorCodeKeyInvalid is returned when provided key is invalid. + // TODO: add website docs for this error code and update URL for error description + ErrorCodeKeyInvalid = Register("errcode", ErrorDescriptor{ + Value: "KEY_INVALID", + Message: "key invalid", + Description: "The key is invalid. Please verify the provided inline key or key fetched from key vault is in valid format. Refer to [INPUT URL] for more information.", + }) + // ErrorCodePolicyProviderNotFound is returned when a policy provider cannot // be found. ErrorCodePolicyProviderNotFound = Register("errcode", ErrorDescriptor{ diff --git a/go.mod b/go.mod index a421ac098..1a5249640 100644 --- a/go.mod +++ b/go.mod @@ -10,12 +10,12 @@ retract ( require ( github.com/Azure/azure-sdk-for-go v68.0.0+incompatible - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2 - github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.0 + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2 github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 - github.com/aws/aws-sdk-go-v2 v1.24.1 - github.com/aws/aws-sdk-go-v2/config v1.26.6 - github.com/aws/aws-sdk-go-v2/credentials v1.16.16 + github.com/aws/aws-sdk-go-v2 v1.26.1 + github.com/aws/aws-sdk-go-v2/config v1.27.11 + github.com/aws/aws-sdk-go-v2/credentials v1.17.11 github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 github.com/cespare/xxhash/v2 v2.2.0 github.com/dapr/go-sdk v1.8.0 
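Review bot: `Description` for `ErrorCodeKeyInvalid` ships the literal placeholder `Refer to [INPUT URL] for more information.` in a user-facing error string, and the TODO above it only covers the comment, not the runtime text. Either drop the sentence until the docs page exists, `Description: "The key is invalid. Please verify the provided inline key or key fetched from key vault is in valid format.",`, or point it at the certificate-stores page the neighbouring certificate error uses if that page also covers keys. The enclosing `var (` block starts before this hunk.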
@@ -24,6 +24,7 @@ require ( github.com/docker/cli v24.0.9+incompatible github.com/docker/distribution v2.8.3+incompatible github.com/fsnotify/fsnotify v1.7.0 + github.com/go-jose/go-jose/v3 v3.0.3 github.com/golang/protobuf v1.5.4 github.com/google/go-containerregistry v0.19.1 github.com/gorilla/mux v1.8.1 @@ -31,22 +32,22 @@ require ( github.com/notaryproject/notation-go v1.0.1 github.com/open-policy-agent/cert-controller v0.8.0 github.com/open-policy-agent/frameworks/constraint v0.0.0-20230411224310-3f237e2710fa - github.com/open-policy-agent/opa v0.61.0 + github.com/open-policy-agent/opa v0.63.0 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0 github.com/owenrumney/go-sarif/v2 v2.3.1 github.com/pkg/errors v0.9.1 - github.com/sigstore/cosign/v2 v2.2.3 + github.com/sigstore/cosign/v2 v2.2.4 github.com/sigstore/sigstore v1.8.3 github.com/sirupsen/logrus v1.9.3 github.com/spdx/tools-golang v0.5.3 github.com/spf13/cobra v1.8.0 github.com/xlab/treeprint v1.1.0 go.opentelemetry.io/otel/exporters/prometheus v0.39.0 - go.opentelemetry.io/otel/metric v1.22.0 + go.opentelemetry.io/otel/metric v1.24.0 go.opentelemetry.io/otel/sdk/metric v0.39.0 - golang.org/x/sync v0.6.0 - google.golang.org/grpc v1.61.2 + golang.org/x/sync v0.7.0 + google.golang.org/grpc v1.62.2 google.golang.org/protobuf v1.33.0 k8s.io/api v0.28.8 k8s.io/apimachinery v0.28.8 
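Review bot: `github.com/go-jose/go-jose/v3 v3.0.3` is promoted to a direct requirement here while a later hunk in this file adds `github.com/go-jose/go-jose/v4 v4.0.1` as an indirect one, so the module now carries both majors of the same library. No Go source in this diff imports go-jose, so the direct use presumably lives elsewhere in the commit; if the new code can target v4, aligning on a single major would keep the dependency surface smaller.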
@@ -79,13 +80,13 @@ require ( github.com/aliyun/credentials-go v1.3.1 // indirect github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 // indirect github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect github.com/clbanning/mxj/v2 v2.7.0 // indirect github.com/cloudflare/circl v1.3.7 // indirect github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect - github.com/coreos/go-oidc/v3 v3.9.0 // indirect + github.com/coreos/go-oidc/v3 v3.10.0 // indirect github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect github.com/dimchansky/utfbom v1.1.1 // indirect 
@@ -94,39 +95,38 @@ require ( github.com/evanphx/json-patch/v5 v5.6.0 // indirect github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect github.com/go-ini/ini v1.67.0 // indirect - github.com/go-jose/go-jose/v3 v3.0.3 // indirect + github.com/go-jose/go-jose/v4 v4.0.1 // indirect github.com/go-ldap/ldap/v3 v3.4.6 // indirect github.com/gobwas/glob v0.2.3 // indirect - github.com/golang-jwt/jwt/v5 v5.2.0 // indirect + github.com/golang-jwt/jwt/v5 v5.2.1 // indirect github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect github.com/google/go-github/v55 v55.0.0 // indirect github.com/google/go-querystring v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-retryablehttp v0.7.5 // indirect - github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect github.com/miekg/pkcs11 v1.1.1 // indirect github.com/mozillazg/docker-credential-acr-helper v0.3.0 // indirect github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect github.com/sagikazarmark/locafero v0.4.0 // indirect github.com/sagikazarmark/slog-shim v0.1.0 // indirect github.com/segmentio/ksuid v1.0.4 // indirect - github.com/sigstore/fulcio v1.4.3 // indirect - github.com/sigstore/timestamp-authority v1.2.1 // indirect + github.com/sigstore/fulcio v1.4.5 // indirect + github.com/sigstore/timestamp-authority v1.2.2 // indirect github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect github.com/sourcegraph/conc v0.3.0 // indirect github.com/tchap/go-patricia/v2 v2.3.1 // indirect github.com/thales-e-security/pool v0.0.2 // indirect github.com/tjfoc/gmsm v1.4.1 // indirect - github.com/xanzy/go-gitlab v0.96.0 // indirect + github.com/xanzy/go-gitlab v0.102.0 // indirect github.com/yashtewari/glob-intersection v0.2.0 // indirect - go.step.sm/crypto v0.42.1 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240116215550-a9fa1716bcac // indirect + go.step.sm/crypto v0.44.2 // indirect + 
google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect sigs.k8s.io/release-utils v0.7.7 // indirect ) require ( - cloud.google.com/go/compute v1.23.3 // indirect + cloud.google.com/go/compute v1.25.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest v0.11.29 
@@ -136,15 +136,15 @@ require ( github.com/Azure/go-autorest/tracing v0.6.0 // indirect github.com/OneOfOne/xxhash v1.2.8 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 // indirect - github.com/aws/smithy-go v1.19.0 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect + github.com/aws/smithy-go v1.20.2 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver v3.5.1+incompatible // indirect github.com/bshuster-repo/logrus-logstash-hook v1.1.0 
@@ -158,22 +158,22 @@ require ( github.com/go-chi/chi v4.1.2+incompatible // indirect github.com/go-logr/logr v1.4.1 github.com/go-logr/stdr v1.2.2 // indirect - github.com/go-openapi/analysis v0.22.0 // indirect - github.com/go-openapi/errors v0.21.0 // indirect - github.com/go-openapi/jsonpointer v0.20.2 // indirect - github.com/go-openapi/jsonreference v0.20.4 // indirect - github.com/go-openapi/loads v0.21.5 // indirect - github.com/go-openapi/runtime v0.27.1 // indirect - github.com/go-openapi/spec v0.20.13 // indirect - github.com/go-openapi/strfmt v0.22.0 // indirect - github.com/go-openapi/swag v0.22.9 // indirect - github.com/go-openapi/validate v0.22.4 // indirect + github.com/go-openapi/analysis v0.23.0 // indirect + github.com/go-openapi/errors v0.22.0 // indirect + github.com/go-openapi/jsonpointer v0.21.0 // indirect + github.com/go-openapi/jsonreference v0.21.0 // indirect + github.com/go-openapi/loads v0.22.0 // indirect + github.com/go-openapi/runtime v0.28.0 // indirect + github.com/go-openapi/spec v0.21.0 // indirect + github.com/go-openapi/strfmt v0.23.0 // indirect + github.com/go-openapi/swag v0.23.0 // indirect + github.com/go-openapi/validate v0.24.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect - github.com/golang/glog v1.1.2 // indirect + github.com/golang/glog v1.2.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/snappy v0.0.4 // indirect - github.com/google/certificate-transparency-go v1.1.7 // indirect + github.com/google/certificate-transparency-go v1.1.8 // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/uuid v1.6.0 
@@ -185,7 +185,7 @@ require (
 github.com/jmespath/go-jmespath v0.4.0 // indirect
 github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
- github.com/klauspost/compress v1.17.2 // indirect
+ github.com/klauspost/compress v1.17.4 // indirect
 github.com/kylelemons/godebug v1.1.0 // indirect
 github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 // indirect
 github.com/magiconair/properties v1.8.7 // indirect
@@ -200,56 +200,55 @@ require (
 github.com/pelletier/go-toml/v2 v2.1.0 // indirect
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
- github.com/prometheus/client_golang v1.18.0
- github.com/prometheus/client_model v0.5.0 // indirect
- github.com/prometheus/common v0.45.0 // indirect
+ github.com/prometheus/client_golang v1.19.0
+ github.com/prometheus/client_model v0.6.0 // indirect
+ github.com/prometheus/common v0.51.1 // indirect
 github.com/prometheus/procfs v0.12.0 // indirect
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 github.com/sassoftware/relic v7.2.1+incompatible // indirect
 github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
 github.com/shibumi/go-pathspec v1.3.0 // indirect
- github.com/sigstore/rekor v1.3.4 // indirect
+ github.com/sigstore/rekor v1.3.6 // indirect
 github.com/spf13/afero v1.11.0 // indirect
 github.com/spf13/cast v1.6.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/spf13/viper v1.18.2 // indirect
- github.com/stretchr/testify v1.8.4
+ github.com/stretchr/testify v1.9.0
 github.com/subosito/gotenv v1.6.0 // indirect
 github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 github.com/theupdateframework/go-tuf v0.7.0 // indirect
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 github.com/transparency-dev/merkle v0.0.2 // indirect
 github.com/vbatts/tar-split v0.11.5 // indirect
- github.com/veraison/go-cose v1.2.0 // indirect
+ github.com/veraison/go-cose v1.2.1 // indirect
 github.com/x448/float16 v0.8.4 // indirect
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 github.com/xeipuuv/gojsonschema v1.2.0
- go.mongodb.org/mongo-driver v1.13.1 // indirect
- go.opentelemetry.io/otel v1.22.0
- go.opentelemetry.io/otel/sdk v1.22.0
- go.opentelemetry.io/otel/trace v1.22.0 // indirect
+ go.mongodb.org/mongo-driver v1.14.0 // indirect
+ go.opentelemetry.io/otel v1.24.0
+ go.opentelemetry.io/otel/sdk v1.24.0
+ go.opentelemetry.io/otel/trace v1.24.0 // indirect
 go.uber.org/atomic v1.11.0 // indirect
 go.uber.org/multierr v1.11.0 // indirect
- go.uber.org/zap v1.26.0 // indirect
- golang.org/x/crypto v0.20.0
+ go.uber.org/zap v1.27.0 // indirect
+ golang.org/x/crypto v0.22.0
 golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 // indirect
- golang.org/x/mod v0.14.0 // indirect
- golang.org/x/net v0.21.0 // indirect
- golang.org/x/oauth2 v0.17.0 // indirect
- golang.org/x/sys v0.17.0 // indirect
- golang.org/x/term v0.17.0 // indirect
+ golang.org/x/mod v0.16.0 // indirect
+ golang.org/x/net v0.22.0 // indirect
+ golang.org/x/oauth2 v0.19.0 // indirect
+ golang.org/x/sys v0.19.0 // indirect
+ golang.org/x/term v0.19.0 // indirect
 golang.org/x/text v0.14.0 // indirect
 golang.org/x/time v0.5.0 // indirect
 gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
- google.golang.org/appengine v1.6.8 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
 gopkg.in/yaml.v2 v2.4.0
 gopkg.in/yaml.v3 v3.0.1
 k8s.io/apiextensions-apiserver v0.27.7 // indirect
 k8s.io/component-base v0.27.7 // indirect
- k8s.io/klog/v2 v2.100.1 // indirect
+ k8s.io/klog/v2 v2.120.1 // indirect
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 sigs.k8s.io/controller-runtime v0.15.3
diff --git a/go.sum b/go.sum
index 460662d2e..b31d75989 100644
--- a/go.sum
+++ b/go.sum
@@ -13,23 +13,23 @@ cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKV cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= -cloud.google.com/go v0.110.10 h1:LXy9GEO+timppncPIAZoOj3l58LIU9k+kn48AN7IO3Y= +cloud.google.com/go v0.112.1 h1:uJSeirPke5UNZHIb4SxfZklVSiWWVqW4oXlETwZziwM= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= -cloud.google.com/go/compute v1.23.3 h1:6sVlXXBmbd7jNX0Ipq0trII3e4n1/MsADLK6a+aiVlk= -cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI= +cloud.google.com/go/compute v1.25.0 h1:H1/4SqSUhjPFE7L5ddzHOfY2bCAvjwNRZPNl6Ni5oYU= +cloud.google.com/go/compute v1.25.0/go.mod h1:GR7F0ZPZH8EhChlMo9FkLd7eUTwEymjqQagxzilIxIE= cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= -cloud.google.com/go/iam v1.1.5 h1:1jTsCu4bcsNsE4iiqNT5SHwrDRCfRmIaaaVFhRveTJI= -cloud.google.com/go/iam v1.1.5/go.mod h1:rB6P/Ic3mykPbFio+vo7403drjlgvoWfYpJhMXEbzv8= -cloud.google.com/go/kms v1.15.5 
h1:pj1sRfut2eRbD9pFRjNnPNg/CzJPuQAzUujMIM1vVeM= -cloud.google.com/go/kms v1.15.5/go.mod h1:cU2H5jnp6G2TDpUGZyqTCoy1n16fbubHZjmVXSMtwDI= +cloud.google.com/go/iam v1.1.6 h1:bEa06k05IO4f4uJonbB5iAgKTPpABy1ayxaIZV/GHVc= +cloud.google.com/go/iam v1.1.6/go.mod h1:O0zxdPeGBoFdWW3HWmBxJsk0pfvNM/p/qa82rWOGTwI= +cloud.google.com/go/kms v1.15.8 h1:szIeDCowID8th2i8XE4uRev5PMxQFqW+JjwYxL9h6xs= +cloud.google.com/go/kms v1.15.8/go.mod h1:WoUHcDjD9pluCg7pNds131awnH429QGvRM3N/4MyoVs= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= 
@@ -39,23 +39,27 @@ cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0Zeo cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= +cuelabs.dev/go/oci/ociregistry v0.0.0-20240314152124-224736b49f2e h1:GwCVItFUPxwdsEYnlUcJ6PJxOjTeFFCKOh6QWg4oAzQ= +cuelabs.dev/go/oci/ociregistry v0.0.0-20240314152124-224736b49f2e/go.mod h1:ApHceQLLwcOkCEXM1+DyCXTHEJhNGDpJ2kmV6axsx24= +cuelang.org/go v0.8.1 h1:VFYsxIFSPY5KgSaH1jQ2GxHOrbu6Ga3kEI70yCZwnOg= +cuelang.org/go v0.8.1/go.mod h1:CoDbYolfMms4BhWUlhD+t5ORnihR7wvjcfgyO9lL5FI= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= -github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230618160516-e936619f9f18 h1:rd389Q26LMy03gG4anandGFC2LW/xvjga5GezeeaxQk= -github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230618160516-e936619f9f18/go.mod h1:fgJuSBrJP5qZtKqaMJE0hmhS2tmRH+44IkfZvjtaf1M= +github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d h1:zjqpY4C7H15HjRPEenkS4SAn3Jy2eRRjkjZbGR30TOg= +github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d/go.mod h1:XNqJ7hv2kY++g8XEHREpi+JqZo3+0l+CH2egBVN4yqM= github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 h1:8+4G8JaejP8Xa6W46PzJEwisNgBXMvFcz78N6zG/ARw= github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0/go.mod h1:GgeIE+1be8Ivm7Sh4RgwI42aTtC9qrcj+Y9Y6CjJhJs= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU= github.com/Azure/azure-sdk-for-go 
v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2 h1:c4k2FIYIh4xtwqrQwV0Ct1v5+ehlNXj5NI/MWVsiTkQ= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2/go.mod h1:5FDJtLEO/GxwNgUxbwrY3LP0pEoThTQJtk2oysdXHxM= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 h1:sO0/P7g68FrryJzljemN+6GTssUXdANk6aJ7T1ZxnsQ= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1/go.mod h1:h8hyGFDsU5HMivxiS2iYFZsgDbU9OnnJ163x5UGVKYo= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.0 h1:U/kwEXj0Y+1REAkV4kV8VO1CsEp8tSaQDG/7qC5XuqQ= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.0/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2 h1:FDif4R1+UUR+00q6wquyX90K7A8dN+R5E8GEadoP7sU= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2/go.mod h1:aiYBYui4BJ/BJCAIKs92XiPyQfTaBWqvHujDwKb6CBU= github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 h1:LqbJ/WzJUwBf8UiaSzgX7aMclParm9/5Vgp+TY51uBQ= github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2/go.mod h1:yInRyqWXAuaPrgI7p70+lDDgh3mlBohis29jGMISnmc= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1 h1:MyVTgWR8qd/Jw1Le0NZebGBUCLbtak3bJ3z1OlqZBpw= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1/go.mod h1:GpPjLhVR9dnUoJMyHWSPy71xY9/lcmpzIPZXmF0FCVY= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 h1:DRiANoJTiW6obBQe3SqZizkuV1PEgfiiGivmVocDy64= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0/go.mod h1:qLIye2hwb/ZouqhpSD9Zn3SJipvpEnz1Ywl3VUk9Y0s= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0/go.mod h1:bTSOgj05NGRuHHhQwAdPnYr9TOdNmKlZTgGLL6nyAdI= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= 
@@ -91,6 +95,8 @@ github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mx github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= +github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c h1:kMFnB0vCcX7IL/m9Y5LO+KQYv+t1CQOiFe6+SV2J7bE= 
@@ -152,44 +158,44 @@ github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aws/aws-sdk-go v1.50.0 h1:HBtrLeO+QyDKnc3t1+5DR1RxodOHCGr8ZcrHudpv7jI= -github.com/aws/aws-sdk-go v1.50.0/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= +github.com/aws/aws-sdk-go v1.51.6 h1:Ld36dn9r7P9IjU8WZSaswQ8Y/XUCRpewim5980DwYiU= +github.com/aws/aws-sdk-go v1.51.6/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= -github.com/aws/aws-sdk-go-v2 v1.24.1 h1:xAojnj+ktS95YZlDf0zxWBkbFtymPeDP+rvUQIH3uAU= -github.com/aws/aws-sdk-go-v2 v1.24.1/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4= -github.com/aws/aws-sdk-go-v2/config v1.26.6 h1:Z/7w9bUqlRI0FFQpetVuFYEsjzE3h7fpU6HuGmfPL/o= -github.com/aws/aws-sdk-go-v2/config v1.26.6/go.mod h1:uKU6cnDmYCvJ+pxO9S4cWDb2yWWIH5hra+32hVh1MI4= -github.com/aws/aws-sdk-go-v2/credentials v1.16.16 h1:8q6Rliyv0aUFAVtzaldUEcS+T5gbadPbWdV1WcAddK8= -github.com/aws/aws-sdk-go-v2/credentials v1.16.16/go.mod h1:UHVZrdUsv63hPXFo1H7c5fEneoVo9UXiz36QG1GEPi0= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 h1:c5I5iH+DZcH3xOIMlz3/tCKJDaHFwYEmxvlh2fAcFo8= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11/go.mod h1:cRrYDYAMUohBJUtUnOhydaMHtiK/1NZ0Otc9lIb6O0Y= +github.com/aws/aws-sdk-go-v2 v1.26.1 h1:5554eUqIYVWpU0YmeeYZ0wU64H2VLBs8TlhRB2L+EkA= +github.com/aws/aws-sdk-go-v2 v1.26.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= +github.com/aws/aws-sdk-go-v2/config v1.27.11 h1:f47rANd2LQEYHda2ddSCKYId18/8BhSRM4BULGmfgNA= 
+github.com/aws/aws-sdk-go-v2/config v1.27.11/go.mod h1:SMsV78RIOYdve1vf36z8LmnszlRWkwMQtomCAI0/mIE= +github.com/aws/aws-sdk-go-v2/credentials v1.17.11 h1:YuIB1dJNf1Re822rriUOTxopaHHvIq0l/pX3fwO+Tzs= +github.com/aws/aws-sdk-go-v2/credentials v1.17.11/go.mod h1:AQtFPsDH9bI2O+71anW6EKL+NcD7LG3dpKGMV4SShgo= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 h1:FVJ0r5XTHSmIHJV6KuDmdYhEpvlHpiSd38RQWhut5J4= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1/go.mod h1:zusuAeqezXzAB24LGuzuekqMAEgWkVYukBec3kr3jUg= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 h1:vF+Zgd9s+H4vOXd5BMaPWykta2a6Ih0AKLq/X6NYKn4= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10/go.mod h1:6BkRjejp/GR4411UGqkX8+wFMbFbqsUIimfK4XjOKR4= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 h1:aw39xVGeRWlWx9EzGVnhOR4yOjQDHPQ6o6NmBlscyQg= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5/go.mod h1:FSaRudD0dXiMPK2UjknVwwTYyZMRsHv3TtkabsZih5I= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37/go.mod h1:Qe+2KtKml+FEsQF/DHmDV+xjtche/hwoF75EG4UlHW8= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 h1:nYPe006ktcqUji8S2mqXf9c/7NdiKriOwMvWQHgYztw= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10/go.mod h1:6UV4SZkVvmODfXKql4LCbaZUpF7HO2BX38FgBf9ZOLw= -github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 h1:n3GDfwqF2tzEkXlv5cuy4iy7LpKDtqDMcNLfZDu9rls= -github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 h1:PG1F3OD1szkuQPzDw3CIQsRIrtTlUC3lP84taWzHlq0= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5/go.mod h1:jU1li6RFryMz+so64PpKtudI+QzbKoIEivqdf6LNpOc= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod 
h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY= github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 h1:y6LX9GUoEA3mO0qpFl1ZQHj1rFyPWVphlzebiSt2tKE= github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2/go.mod h1:Q0LcmaN/Qr8+4aSBrdrXXePqoX0eOuYpJLbYpilmWnA= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 h1:PpbXaecV3sLAS6rjQiaKw4/jyq3Z8gNzmoJupHAoBp0= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2/go.mod h1:fUHpGXr4DrXkEDpGAjClPsviWf+Bszeb0daKE0blxv8= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 h1:/b31bi3YVNlkzkBrm9LfpaKoaYZUxIAj4sHfOTmLfqw= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4/go.mod h1:2aGXHFmbInwgP9ZfpmdIfOELL79zhdNYNmReK8qDfdQ= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 h1:DBYTXwIGQSGs9w4jKm60F5dmCQ3EEruxdc0MFh+3EY4= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10/go.mod h1:wohMUQiFdzo0NtxbBg0mSRGZ4vL3n0dKjLTINdcIino= -github.com/aws/aws-sdk-go-v2/service/kms v1.27.9 h1:W9PbZAZAEcelhhjb7KuwUtf+Lbc+i7ByYJRuWLlnxyQ= -github.com/aws/aws-sdk-go-v2/service/kms v1.27.9/go.mod h1:2tFmR7fQnOdQlM2ZCEPpFnBIQD1U8wmXmduBgZbOag0= -github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 h1:eajuO3nykDPdYicLlP3AGgOyVN3MOlFmZv7WGTuJPow= -github.com/aws/aws-sdk-go-v2/service/sso v1.18.7/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 h1:QPMJf+Jw8E1l7zqhZmMlFw6w1NmfkfiSK8mS4zOx3BA= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8= -github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 h1:NzO4Vrau795RkUdSHKEwiR01FaGzGOH1EETJ+5QHnm0= -github.com/aws/aws-sdk-go-v2/service/sts v1.26.7/go.mod h1:6h2YuIoxaMSCFf5fi1EgZAwdfkGMgDY+DVfa61uLe4U= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod 
h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 h1:ogRAwT1/gxJBcSWDMZlgyFUM962F51A5CRhDLbxLdmo= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7/go.mod h1:YCsIZhXfRPLFFCl5xxY+1T9RKzOKjCut+28JSX2DnAk= +github.com/aws/aws-sdk-go-v2/service/kms v1.30.0 h1:yS0JkEdV6h9JOo8sy2JSpjX+i7vsKifU8SIeHrqiDhU= +github.com/aws/aws-sdk-go-v2/service/kms v1.30.0/go.mod h1:+I8VUUSVD4p5ISQtzpgSva4I8cJ4SQ4b1dcBcof7O+g= +github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 h1:vN8hEbpRnL7+Hopy9dzmRle1xmDc7o8tmY0klsr175w= +github.com/aws/aws-sdk-go-v2/service/sso v1.20.5/go.mod h1:qGzynb/msuZIE8I75DVRCUXw3o3ZyBmUvMwQ2t/BrGM= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 h1:Jux+gDDyi1Lruk+KHF91tK2KCuY61kzoCpvtvJJBtOE= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4/go.mod h1:mUYPBhaF2lGiukDEjJX2BLRRKTmoUSitGDUgM4tRxak= +github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 h1:cwIxeBttqPN3qkaAjcEcsh8NYr8n2HZPkcKgPAi1phU= +github.com/aws/aws-sdk-go-v2/service/sts v1.28.6/go.mod h1:FZf1/nKNEkHdGGJP/cI2MoIMquumuRK6ol3QQJNDxmw= github.com/aws/smithy-go v1.15.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= -github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM= -github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE= +github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q= +github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 h1:SoFYaT9UyGkR0+nogNyD/Lj+bsixB+SNuAS4ABlEs6M= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8/go.mod h1:2JF49jcDOrLStIXN/j/K1EKRq8a8R2qRnlZA6/o/c7c= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -198,6 +204,12 @@ github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdn github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/bshuster-repo/logrus-logstash-hook v1.1.0 h1:o2FzZifLg+z/DN1OFmzTWzZZx/roaqt8IPZCIVco8r4= github.com/bshuster-repo/logrus-logstash-hook v1.1.0/go.mod h1:Q2aXOe7rNuPgbBtPCOzYyWDvKX7+FpxE5sRdvcPoui0= +github.com/buildkite/agent/v3 v3.62.0 h1:yvzSjI8Lgifw883I8m9u8/L/Thxt4cLFd5aWPn3gg70= +github.com/buildkite/agent/v3 v3.62.0/go.mod h1:jN6SokGXrVNNIpI0BGQ+j5aWeI3gin8F+3zwA5Q6gqM= +github.com/buildkite/go-pipeline v0.3.2 h1:SW4EaXNwfjow7xDRPGgX0Rcx+dPj5C1kV9LKCLjWGtM= +github.com/buildkite/go-pipeline v0.3.2/go.mod h1:iY5jzs3Afc8yHg6KDUcu3EJVkfaUkd9x/v/OH98qyUA= +github.com/buildkite/interpolate v0.0.0-20200526001904-07f35b4ae251 h1:k6UDF1uPYOs0iy1HPeotNa155qXRWrzKnqAaGXHLZCE= +github.com/buildkite/interpolate v0.0.0-20200526001904-07f35b4ae251/go.mod h1:gbPR1gPu9dB96mucYIR7T3B7p/78hRVSOuzIWLHK2Y4= github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA= github.com/bytecodealliance/wasmtime-go/v3 v3.0.2/go.mod h1:RnUjnIXxEJcL6BgCvNyzCCRzZcxCgsZCi+RNlvYor5Q= 
@@ -225,14 +237,16 @@ github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUK github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU= github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg= +github.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc= github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE= github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w= github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k= github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o= -github.com/coreos/go-oidc/v3 v3.9.0 h1:0J/ogVOd4y8P0f0xUh8l9t07xRP/d8tccvjHl2dcsSo= -github.com/coreos/go-oidc/v3 v3.9.0/go.mod h1:rTKz2PYwftcrtoCzV5g5kvfJoWcm0Mk8AF8y1iAQro4= +github.com/coreos/go-oidc/v3 v3.10.0 h1:tDnXHnLyiTVyT/2zLDGj09pFPkhND8Gl8lnTRhoEaJU= +github.com/coreos/go-oidc/v3 v3.10.0/go.mod h1:5j11xcw0D3+SGxn6Z/WFADsgcWVMyNAlSQupk0KK3ac= github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 h1:2Dx4IHfC1yHWI12AxQDJM1QbRCDfk6M+blLzlZCXdrc= github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= 
@@ -279,6 +293,8 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/proto v1.12.1 h1:6n/Z2pZAnBwuhU66Gs8160B8rrrYKo7h2F2sCOnNceE= +github.com/emicklei/proto v1.12.1/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= @@ -293,8 +309,8 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= -github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI= -github.com/foxcpp/go-mockdns v1.0.0/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4= +github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI= +github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk= github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= 
@@ -315,11 +331,12 @@ github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k= github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= +github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U= +github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY= github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A= github.com/go-ldap/ldap/v3 v3.4.6/go.mod h1:IGMQANNtxpsOzj7uUAMjpGBaOVTC4DYyIy8VsTdxmtc= github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= -github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= 
@@ -327,26 +344,28 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= -github.com/go-openapi/analysis v0.22.0 h1:wQ/d07nf78HNj4u+KiSY0sT234IAyePPbMgpUjUJQR0= -github.com/go-openapi/analysis v0.22.0/go.mod h1:acDnkkCI2QxIo8sSIPgmp1wUlRohV7vfGtAIVae73b0= -github.com/go-openapi/errors v0.21.0 h1:FhChC/duCnfoLj1gZ0BgaBmzhJC2SL/sJr8a2vAobSY= -github.com/go-openapi/errors v0.21.0/go.mod h1:jxNTMUxRCKj65yb/okJGEtahVd7uvWnuWfj53bse4ho= -github.com/go-openapi/jsonpointer v0.20.2 h1:mQc3nmndL8ZBzStEo3JYF8wzmeWffDH4VbXz58sAx6Q= -github.com/go-openapi/jsonpointer v0.20.2/go.mod h1:bHen+N0u1KEO3YlmqOjTT9Adn1RfD91Ar825/PuiRVs= -github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdXSSgNeAhojU= -github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4= -github.com/go-openapi/loads v0.21.5 h1:jDzF4dSoHw6ZFADCGltDb2lE4F6De7aWSpe+IcsRzT0= -github.com/go-openapi/loads v0.21.5/go.mod h1:PxTsnFBoBe+z89riT+wYt3prmSBP6GDAQh2l9H1Flz8= -github.com/go-openapi/runtime v0.27.1 h1:ae53yaOoh+fx/X5Eaq8cRmavHgDma65XPZuvBqvJYto= -github.com/go-openapi/runtime v0.27.1/go.mod h1:fijeJEiEclyS8BRurYE1DE5TLb9/KZl6eAdbzjsrlLU= -github.com/go-openapi/spec v0.20.13 h1:XJDIN+dLH6vqXgafnl5SUIMnzaChQ6QTo0/UPMbkIaE= -github.com/go-openapi/spec v0.20.13/go.mod h1:8EOhTpBoFiask8rrgwbLC3zmJfz4zsCUueRuPM6GNkw= -github.com/go-openapi/strfmt v0.22.0 h1:Ew9PnEYc246TwrEspvBdDHS4BVKXy/AOVsfqGDgAcaI= -github.com/go-openapi/strfmt v0.22.0/go.mod h1:HzJ9kokGIju3/K6ap8jL+OlGAbjpSv27135Yr9OivU4= -github.com/go-openapi/swag v0.22.9 h1:XX2DssF+mQKM2DHsbgZK74y/zj4mo9I99+89xUmuZCE= -github.com/go-openapi/swag v0.22.9/go.mod h1:3/OXnFfnMAwBD099SwYRk7GD3xOrr1iL7d/XNLXVVwE= 
-github.com/go-openapi/validate v0.22.4 h1:5v3jmMyIPKTR8Lv9syBAIRxG6lY0RqeBPB1LKEijzk8= -github.com/go-openapi/validate v0.22.4/go.mod h1:qm6O8ZIcPVdSY5219468Jv7kBdGvkiZLPOmqnqTUZ2A= +github.com/go-openapi/analysis v0.23.0 h1:aGday7OWupfMs+LbmLZG4k0MYXIANxcuBTYUC03zFCU= +github.com/go-openapi/analysis v0.23.0/go.mod h1:9mz9ZWaSlV8TvjQHLl2mUW2PbZtemkE8yA5v22ohupo= +github.com/go-openapi/errors v0.22.0 h1:c4xY/OLxUBSTiepAg3j/MHuAv5mJhnf53LLMWFB+u/w= +github.com/go-openapi/errors v0.22.0/go.mod h1:J3DmZScxCDufmIMsdOuDHxJbdOGC0xtUynjIx092vXE= +github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= +github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= +github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= +github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= +github.com/go-openapi/loads v0.22.0 h1:ECPGd4jX1U6NApCGG1We+uEozOAvXvJSF4nnwHZ8Aco= +github.com/go-openapi/loads v0.22.0/go.mod h1:yLsaTCS92mnSAZX5WWoxszLj0u+Ojl+Zs5Stn1oF+rs= +github.com/go-openapi/runtime v0.28.0 h1:gpPPmWSNGo214l6n8hzdXYhPuJcGtziTOgUpvsFWGIQ= +github.com/go-openapi/runtime v0.28.0/go.mod h1:QN7OzcS+XuYmkQLw05akXk0jRH/eZ3kb18+1KwW9gyc= +github.com/go-openapi/spec v0.21.0 h1:LTVzPc3p/RzRnkQqLRndbAzjY0d0BCL72A6j3CdL9ZY= +github.com/go-openapi/spec v0.21.0/go.mod h1:78u6VdPw81XU44qEWGhtr982gJ5BWg2c0I5XwVMotYk= +github.com/go-openapi/strfmt v0.23.0 h1:nlUS6BCqcnAk0pyhi9Y+kdDVZdZMHfEKQiS4HaMgO/c= +github.com/go-openapi/strfmt v0.23.0/go.mod h1:NrtIpfKtWIygRkKVsxh7XQMDQW5HKQl6S5ik2elW+K4= +github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= +github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= +github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58= +github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ= 
+github.com/go-piv/piv-go v1.11.0 h1:5vAaCdRTFSIW4PeqMbnsDlUZ7odMYWnHBDGdmtU/Zhg= +github.com/go-piv/piv-go v1.11.0/go.mod h1:NZ2zmjVkfFaL/CF8cVQ/pXdXtuj110zEKGdJM6fJZZM= github.com/go-rod/rod v0.114.7 h1:h4pimzSOUnw7Eo41zdJA788XsawzHjJMyzCE3BrBww0= github.com/go-rod/rod v0.114.7/go.mod h1:aiedSEFg5DwG/fnNbUOTPMTTWX3MRj6vIs/a684Mthw= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= @@ -365,11 +384,11 @@ github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzw github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= -github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw= -github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= +github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= +github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/glog v1.1.2 h1:DVjP2PbBOzHyzA+dn3WhHIq4NdVu3Q+pvivFICf/7fo= -github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ= +github.com/golang/glog v1.2.0 h1:uCdmnmatrKCgMBlM4rMuJZWOkPDqdbZPnrMXDY4gI68= +github.com/golang/glog v1.2.0/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -400,13 +419,12 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= -github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/certificate-transparency-go v1.1.7 h1:IASD+NtgSTJLPdzkthwvAG1ZVbF2WtFg4IvoA68XGSw= -github.com/google/certificate-transparency-go v1.1.7/go.mod h1:FSSBo8fyMVgqptbfF6j5p/XNdgQftAhSmXcIxV9iphE= +github.com/google/certificate-transparency-go v1.1.8 h1:LGYKkgZF7satzgTak9R4yzfJXEeYVAjV6/EAEJOf1to= +github.com/google/certificate-transparency-go v1.1.8/go.mod h1:bV/o8r0TBKRf1X//iiiSgWrvII4d7/8OiA+3vG26gI8= github.com/google/flatbuffers v2.0.8+incompatible h1:ivUb1cGomAB101ZM1T0nOiWz9pSrTMoa9+EiY7igmkM= github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU= 
@@ -451,8 +469,8 @@ github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w= github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM= -github.com/google/trillian v1.5.3 h1:3ioA5p09qz+U9/t2riklZtaQdZclaStp0/eQNfewNRg= -github.com/google/trillian v1.5.3/go.mod h1:p4tcg7eBr7aT6DxrAoILpc3uXNfcuAvZSnQKonVg+Eo= +github.com/google/trillian v1.6.0 h1:jMBeDBIkINFvS2n6oV5maDqfRlxREAc6CW9QYWQ0qT4= +github.com/google/trillian v1.6.0/go.mod h1:Yu3nIMITzNhhMJEHjAtp6xKiu+H/iHu2Oq5FjV2mCWI= github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
@@ -460,15 +478,15 @@ github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfF github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas= -github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU= +github.com/googleapis/gax-go/v2 v2.12.3 h1:5/zPPDvw8Q1SuXjrqrZslrqT7dL/uJT2CQii/cLCKqA= +github.com/googleapis/gax-go/v2 v2.12.3/go.mod h1:AKloxT6GtNbaLm8QTNSidHUVsHYcBHwWRvkNFJUQcS4= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.0 h1:RtRsiaGvWxcwd8y3BiRZxsylPT8hLWZ5SPcfI+3IDNk= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.0/go.mod h1:TzP6duP4Py2pHLVPPQp42aoYI92+PCrVotyR5e8Vqlk= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 h1:/c3QmbOGMGTOumP2iT/rCwB7b0QDGLKzqOmktBjT+Is= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1/go.mod h1:5SN9VR2LTsRFsrEC6FHgRbTWrTHu6tqPeKxEQv15giM= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= 
@@ -492,8 +510,8 @@ github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM= github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM= -github.com/hashicorp/vault/api v1.10.0 h1:/US7sIjWN6Imp4o/Rj1Ce2Nr5bki/AXi9vAW3p2tOJQ= -github.com/hashicorp/vault/api v1.10.0/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8= +github.com/hashicorp/vault/api v1.12.2 h1:7YkCTE5Ni90TcmYHDBExdt4WGJxhpzaHqR6uGbQb/rE= +github.com/hashicorp/vault/api v1.12.2/go.mod h1:LSGf1NGT1BnvFFnKVtnvcaLBM2Lz+gJdpL6HUYed8KE= github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef h1:A9HsByNhogrvm9cWb28sjiS3i7tcKCkflWFEkHfuAgM= github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= 
@@ -507,8 +525,8 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 h1:TMtDYDHKYY15rFihtRfck/bfFqNfvcabqvXAFQfAUpY= github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267/go.mod h1:h1nSAbGFqGVzn6Jyl1R/iCcBUHN4g+gW1u9CoBTrb9E= -github.com/jellydator/ttlcache/v3 v3.1.1 h1:RCgYJqo3jgvhl+fEWvjNW8thxGWsgxi+TPhRir1Y9y8= -github.com/jellydator/ttlcache/v3 v3.1.1/go.mod h1:hi7MGFdMAwZna5n2tuvh63DvFLzVKySzCVW6+0gA2n4= +github.com/jellydator/ttlcache/v3 v3.2.0 h1:6lqVJ8X3ZaUwvzENqPAobDsXNExfUJd61u++uW8a3LE= +github.com/jellydator/ttlcache/v3 v3.2.0/go.mod h1:hi7MGFdMAwZna5n2tuvh63DvFLzVKySzCVW6+0gA2n4= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= 
@@ -527,9 +545,8 @@ github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfV github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= -github.com/klauspost/compress v1.17.2 h1:RlWWUY/Dr4fL8qk9YG7DTZ7PDgME2V4csBXA8L/ixi4= -github.com/klauspost/compress v1.17.2/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= +github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4= +github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= 
@@ -547,18 +564,18 @@ github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= -github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= -github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng= +github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg= -github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= -github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo= -github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY= +github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM= +github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk= github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= github.com/miekg/pkcs11 v1.1.1 h1:Ugu9pdy6vAYku5DEpVWVFPYnzV+bxB+iRdbuFSu7TvU= github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= +github.com/mitchellh/go-wordwrap v1.0.1/go.mod 
h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= @@ -568,7 +585,6 @@ github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lN github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= -github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc= github.com/mozillazg/docker-credential-acr-helper v0.3.0 h1:DVWFZ3/O8BP6Ue3iS/Olw+G07u1hCq1EOVCDZZjCIBI= github.com/mozillazg/docker-credential-acr-helper v0.3.0/go.mod h1:cZlu3tof523ujmLuiNUb6JsjtHcNA70u1jitrrdnuyA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= @@ -586,6 +602,8 @@ github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= +github.com/oleiade/reflections v1.0.1 h1:D1XO3LVEYroYskEsoSiGItp9RUxG6jWnCVvrqH0HHQM= +github.com/oleiade/reflections v1.0.1/go.mod h1:rdFxbxq4QXVZWj0F+e9jqjDkc7dbp97vkRixKo2JR60= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= 
@@ -604,8 +622,8 @@ github.com/open-policy-agent/cert-controller v0.8.0 h1:pao3WCLsKGz5dSWSlNUFrNFQd github.com/open-policy-agent/cert-controller v0.8.0/go.mod h1:alotCQRwX4M6VEwEgO53FB6nGLSlvah6L0pWxSRslIk= github.com/open-policy-agent/frameworks/constraint v0.0.0-20230411224310-3f237e2710fa h1:1r6gnPhbsswSIem/Fa11fKo/MhjijzvqSxWIu+3HQeY= github.com/open-policy-agent/frameworks/constraint v0.0.0-20230411224310-3f237e2710fa/go.mod h1:nrGEsNJ9LyQa68eqwV6snwCc7pbkvwUJLPZlq6zz6Fs= -github.com/open-policy-agent/opa v0.61.0 h1:nhncQ2CAYtQTV/SMBhDDPsCpCQsUW+zO/1j+T5V7oZg= -github.com/open-policy-agent/opa v0.61.0/go.mod h1:7OUuzJnsS9yHf8lw0ApfcbrnaRG1EkN3J2fuuqi4G/E= +github.com/open-policy-agent/opa v0.63.0 h1:ztNNste1v8kH0/vJMJNquE45lRvqwrM5mY9Ctr9xIXw= +github.com/open-policy-agent/opa v0.63.0/go.mod h1:9VQPqEfoB2N//AToTxzZ1pVTVPUoF2Mhd64szzjWPpU= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= @@ -615,6 +633,8 @@ github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYr github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U= github.com/owenrumney/go-sarif/v2 v2.3.1 h1:77opmuqxQZE1UF6TylFz5XllVEI72WijgwpwNw4JTmY= github.com/owenrumney/go-sarif/v2 v2.3.1/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w= +github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw= +github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= github.com/pelletier/go-toml/v2 v2.1.0 h1:FnwAJ4oYMvbT/34k9zzHuZNrhlz48GB3/s6at6/MHO4= github.com/pelletier/go-toml/v2 v2.1.0/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= 
@@ -629,19 +649,21 @@ github.com/prometheus/client_golang v1.12.2 h1:51L9cDoUHVrXx4zWYlcLQIZ+d+VXHgqnY github.com/prometheus/client_golang v1.12.2/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= -github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= +github.com/prometheus/client_model v0.6.0 h1:k1v3CzpSRUTrKMppY35TLwPvxHqBu0bYgxZzqGIgaos= +github.com/prometheus/client_model v0.6.0/go.mod h1:NTQHnmxFpouOD0DpvP4XujX3CdOAGQPoaGhyTchlyt8= github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= -github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM= -github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= +github.com/prometheus/common v0.51.1 h1:eIjN50Bwglz6a/c3hAgSMcofL3nD+nFQkV6Dd4DsQCw= +github.com/prometheus/common v0.51.1/go.mod h1:lrWtQx+iDfn2mbH5GUzlH9TSHyfZpHkSiG1W7y3sF2Q= github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= +github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf h1:014O62zIzQwvoD7Ekj3ePDF5bv9Xxy0w6AZk0qYbjUk= +github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod 
h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= -github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= 
@@ -651,32 +673,32 @@ github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6g github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ= github.com/sassoftware/relic v7.2.1+incompatible h1:Pwyh1F3I0r4clFJXkSI8bOyJINGqpgjJU3DYAZeI05A= github.com/sassoftware/relic v7.2.1+incompatible/go.mod h1:CWfAxv73/iLZ17rbyhIEq3K9hs5w6FpNMdUT//qR+zk= -github.com/sassoftware/relic/v7 v7.6.1 h1:O5s8ewCgq5QYNpv45dK4u6IpBmDM9RIcsbf/G1uXepQ= -github.com/sassoftware/relic/v7 v7.6.1/go.mod h1:NxwtWxWxlUa9as2qZi635Ye6bBT/tGnMALLq7dSfOOU= +github.com/sassoftware/relic/v7 v7.6.2 h1:rS44Lbv9G9eXsukknS4mSjIAuuX+lMq/FnStgmZlUv4= +github.com/sassoftware/relic/v7 v7.6.2/go.mod h1:kjmP0IBVkJZ6gXeAu35/KCEfca//+PKM6vTAsyDPY+k= github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbmfHkLguCE9laoZCUzEEpIZXA= github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU= github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI= github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE= -github.com/sigstore/cosign/v2 v2.2.3 h1:WX7yawI+EXu9h7S5bZsfYCbB9XW6Jc43ctKy/NoOSiA= -github.com/sigstore/cosign/v2 v2.2.3/go.mod h1:WpMn4MBt0cI23GdHsePwO4NxhX1FOz1ITGB3ALUjFaI= -github.com/sigstore/fulcio v1.4.3 h1:9JcUCZjjVhRF9fmhVuz6i1RyhCc/EGCD7MOl+iqCJLQ= -github.com/sigstore/fulcio v1.4.3/go.mod h1:BQPWo7cfxmJwgaHlphUHUpFkp5+YxeJes82oo39m5og= -github.com/sigstore/rekor v1.3.4 h1:RGIia1iOZU7fOiiP2UY/WFYhhp50S5aUm7YrM8aiA6E= -github.com/sigstore/rekor v1.3.4/go.mod h1:1GubPVO2yO+K0m0wt/3SHFqnilr/hWbsjSOe7Vzxrlg= +github.com/sigstore/cosign/v2 v2.2.4 h1:iY4vtEacmu2hkNj1Fh+8EBqBwKs2DHM27/lbNWDFJro= +github.com/sigstore/cosign/v2 v2.2.4/go.mod 
h1:JZlRD2uaEjVAvZ1XJ3QkkZJhTqSDVtLaet+C/TMR81Y= +github.com/sigstore/fulcio v1.4.5 h1:WWNnrOknD0DbruuZWCbN+86WRROpEl3Xts+WT2Ek1yc= +github.com/sigstore/fulcio v1.4.5/go.mod h1:oz3Qwlma8dWcSS/IENR/6SjbW4ipN0cxpRVfgdsjMU8= +github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8= +github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc= github.com/sigstore/sigstore v1.8.3 h1:G7LVXqL+ekgYtYdksBks9B38dPoIsbscjQJX/MGWkA4= github.com/sigstore/sigstore v1.8.3/go.mod h1:mqbTEariiGA94cn6G3xnDiV6BD8eSLdL/eA7bvJ0fVs= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.1 h1:rEDdUefulkIQaMJyzLwtgPDLNXBIltBABiFYfb0YmgQ= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.1/go.mod h1:RCdYCc1IxCYWzh2IdzdA6Yf7JIY0cMRqH08fpQYechw= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.1 h1:DvRWG99QGWZC5mp42SEde2Xke/Q384Idnj2da7yB+Mk= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.1/go.mod h1:s13mo3a0UCQS3+PAUUZfvKe48sMDMsHk2GE1b2YfPcU= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.1 h1:lwdRsJv1UbBemuk7w5YfXAQilQxMoFevrzamdPbG0wY= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.1/go.mod h1:2OaSQ80EcdyVRSQ3T4d1lsc6Scopblsiq8U2AEk5K1A= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.1 h1:9Ki0qudKpc1FQdef7xHO2bkLyTuw+qNUpWRzjBEmF4c= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.1/go.mod h1:nhIgyu4YwwNgalIwTGsoAzam16jjAn3ADRSWKbWPwGI= -github.com/sigstore/timestamp-authority v1.2.1 h1:j9RmqSAdvKgSofeltPO4x7d+1M3AXaROBzUJ+AA7L5Q= -github.com/sigstore/timestamp-authority v1.2.1/go.mod h1:Ce+vWWEf0QaKLY2u6mpwEJbmYXEVeOfUk4fQ69kE6ck= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3 h1:LTfPadUAo+PDRUbbdqbeSl2OuoFQwUFTnJ4stu+nwWw= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3/go.mod h1:QV/Lxlxm0POyhfyBtIbTWxNeF18clMlkkyL9mu45y18= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3 h1:xgbPRCr2npmmsuVVteJqi/ERw9+I13Wou7kq0Yk4D8g= 
+github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3/go.mod h1:G4+I83FILPX6MtnoaUdmv/bRGEVtR3JdLeJa/kXdk/0= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.3 h1:vDl2fqPT0h3D/k6NZPlqnKFd1tz3335wm39qjvpZNJc= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.3/go.mod h1:9uOJXbXEXj+M6QjMKH5PaL5WDMu43rHfbIMgXzA8eKI= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.3 h1:h9G8j+Ds21zqqulDbA/R/ft64oQQIyp8S7wJYABYSlg= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.3/go.mod h1:zgCeHOuqF6k7A7TTEvftcA9V3FRzB7mrPtHOhXAQBnc= +github.com/sigstore/timestamp-authority v1.2.2 h1:X4qyutnCQqJ0apMewFyx+3t7Tws00JQ/JonBiu3QvLE= +github.com/sigstore/timestamp-authority v1.2.2/go.mod h1:nEah4Eq4wpliDjlY342rXclGSO7Kb9hoRrl9tqLW13A= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= @@ -702,6 +724,8 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ= github.com/spf13/viper v1.18.2/go.mod h1:EKmWIqdnk5lOcmR72yw6hS+8OPYcwD0jteitLMVB+yk= +github.com/spiffe/go-spiffe/v2 v2.2.0 h1:9Vf06UsvsDbLYK/zJ4sYsIsHmMFknUD+feA7IYoWMQY= +github.com/spiffe/go-spiffe/v2 v2.2.0/go.mod h1:Urzb779b3+IwDJD2ZbN8fVl3Aa8G4N/PiUe6iXC0XxU= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= 
@@ -715,8 +739,9 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d h1:vfofYNRScrDdvS342BElfbETmL1Aiz3i2t0zfRj16Hs= 
@@ -736,17 +761,14 @@ github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A= github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts= github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk= -github.com/veraison/go-cose v1.2.0 h1:Ok0Hr3GMAf8K/1NB4sV65QGgCiukG1w1QD+H5tmt0Ow= -github.com/veraison/go-cose v1.2.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4= +github.com/veraison/go-cose v1.2.1 h1:Gj4x20D0YP79J2+cK3anjGEMwIkg2xX+TKVVGUXwNAc= +github.com/veraison/go-cose v1.2.1/go.mod h1:t6V8WJzHm1PD5HNsuDjW3KLv577uWb6UTzbZGvdQHD8= github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4= github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= -github.com/xanzy/go-gitlab v0.96.0 h1:LGkZ+wSNMRtHIBaYE4Hq3dZVjprwHv3Y1+rhKU3WETs= -github.com/xanzy/go-gitlab v0.96.0/go.mod h1:ETg8tcj4OhrB84UEgeE8dSuV/0h4BBL1uOV/qK0vlyI= -github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= -github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4= -github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM= +github.com/xanzy/go-gitlab v0.102.0 h1:ExHuJ1OTQ2yt25zBMMj0G96ChBirGYv8U7HyUiYkZ+4= +github.com/xanzy/go-gitlab v0.102.0/go.mod h1:ETg8tcj4OhrB84UEgeE8dSuV/0h4BBL1uOV/qK0vlyI= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer 
v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= @@ -758,7 +780,6 @@ github.com/xlab/treeprint v1.1.0 h1:G/1DjNkPpfZCFt9CSh6b5/nY4VimlbHF3Rh4obvtzDk= github.com/xlab/treeprint v1.1.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/yashtewari/glob-intersection v0.2.0 h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg= github.com/yashtewari/glob-intersection v0.2.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok= -github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA= github.com/ysmood/fetchup v0.2.3 h1:ulX+SonA0Vma5zUFXtv52Kzip/xe7aj4vqT5AJwQ+ZQ= github.com/ysmood/fetchup v0.2.3/go.mod h1:xhibcRKziSvol0H1/pj33dnKrYyI2ebIvz5cOOkYGns= github.com/ysmood/goob v0.4.0 h1:HsxXhyLBeGzWXnqVKtmT9qM7EuVs/XOgkX7T6r1o1AQ= 
@@ -775,11 +796,13 @@ github.com/yuin/goldmark v1.1.30/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= -github.com/zalando/go-keyring v0.2.2 h1:f0xmpYiSrHtSNAVgwip93Cg8tuF45HJM6rHq/A5RI/4= -github.com/zalando/go-keyring v0.2.2/go.mod h1:sI3evg9Wvpw3+n4SqplGSJUMwtDeROfD4nsFz4z9PG0= +github.com/zalando/go-keyring v0.2.3 h1:v9CUu9phlABObO4LPWycf+zwMG7nlbb3t/B5wa97yms= +github.com/zalando/go-keyring v0.2.3/go.mod h1:HL4k+OXQfJUWaMnqyuSOc0drfGPX2b51Du6K+MRgZMk= github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= -go.mongodb.org/mongo-driver v1.13.1 h1:YIc7HTYsKndGK4RFzJ3covLz1byri52x0IoMB0Pt/vk= -go.mongodb.org/mongo-driver v1.13.1/go.mod h1:wcDf1JBCXy2mOW0bWHwO/IOYqdca1MPCwDtFu/Z9+eo= +github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs= +github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= +go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80= +go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 
@@ -787,38 +810,38 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0 h1:UNQQKPfTDe1J81ViolILjTKPr9WetKW6uei2hFgJmFs= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0/go.mod h1:r9vWsPS/3AQItv3OSlEJ/E4mbrhUbbw18meOjArPtKQ= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0 h1:sv9kVfal0MK0wBMCOGr+HeJm9v803BkJxGrk2au7j08= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0/go.mod h1:SK2UL73Zy1quvRPonmOmRDiWk1KBV3LyIeeIxcEApWw= -go.opentelemetry.io/otel v1.22.0 h1:xS7Ku+7yTFvDfDraDIJVpw7XPyuHlB9MCiqqX5mcJ6Y= -go.opentelemetry.io/otel v1.22.0/go.mod h1:eoV4iAi3Ea8LkAEI9+GFT44O6T/D0GWAVFyZVCC6pMI= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 h1:cl5P5/GIfFh4t6xyruOgJP5QiA1pw4fYYdv6nc6CBWw= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0/go.mod h1:zgBdWWAu7oEEMC06MMKc5NLbA/1YDXV1sMpSqEeLQLg= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw= +go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo= +go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 
h1:9M3+rhx7kZCIQQhQRYaZCdNu1V73tm4TvXs2ntl98C4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0/go.mod h1:noq80iT8rrHP1SfybmPiRGc9dc5M8RPmGvtwo7Oo7tc= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 h1:tIqheXEFWAZ7O8A7m+J0aPTmpJN3YQ7qetUAdkkkKpk= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0/go.mod h1:nUeKExfxAQVbiVFn32YXpXZZHZ61Cc3s3Rn1pDBGAb0= go.opentelemetry.io/otel/exporters/prometheus v0.39.0 h1:whAaiHxOatgtKd+w0dOi//1KUxj3KoPINZdtDaDj3IA= go.opentelemetry.io/otel/exporters/prometheus v0.39.0/go.mod h1:4jo5Q4CROlCpSPsXLhymi+LYrDXd2ObU5wbKayfZs7Y= -go.opentelemetry.io/otel/metric v1.22.0 h1:lypMQnGyJYeuYPhOM/bgjbFM6WE44W1/T45er4d8Hhg= -go.opentelemetry.io/otel/metric v1.22.0/go.mod h1:evJGjVpZv0mQ5QBRJoBF64yMuOf4xCWdXjK8pzFvliY= -go.opentelemetry.io/otel/sdk v1.22.0 h1:6coWHw9xw7EfClIC/+O31R8IY3/+EiRFHevmHafB2Gw= -go.opentelemetry.io/otel/sdk v1.22.0/go.mod h1:iu7luyVGYovrRpe2fmj3CVKouQNdTOkxtLzPvPz1DOc= +go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI= +go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco= +go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw= +go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg= go.opentelemetry.io/otel/sdk/metric v0.39.0 h1:Kun8i1eYf48kHH83RucG93ffz0zGV1sh46FAScOTuDI= go.opentelemetry.io/otel/sdk/metric v0.39.0/go.mod h1:piDIRgjcK7u0HCL5pCA4e74qpK/jk3NiUoAHATVAmiI= -go.opentelemetry.io/otel/trace v1.22.0 h1:Hg6pPujv0XG9QaVbGOBVHunyuLcCC3jN7WEhPx83XD0= -go.opentelemetry.io/otel/trace v1.22.0/go.mod h1:RbbHXVqKES9QhzZq/fE5UnOSILqRt40a21sPw2He1xo= +go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI= +go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU= go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= 
go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= -go.step.sm/crypto v0.42.1 h1:OmwHm3GJO8S4VGWL3k4+I+Q4P/F2s+j8msvTyGnh1Vg= -go.step.sm/crypto v0.42.1/go.mod h1:yNcTLFQBnYCA75fC5bklBoTAT7y0dRZsB1TkinB8JMs= +go.step.sm/crypto v0.44.2 h1:t3p3uQ7raP2jp2ha9P6xkQF85TJZh+87xmjSLaib+jk= +go.step.sm/crypto v0.44.2/go.mod h1:x1439EnFhadzhkuaGX7sz03LEMQ+jV4gRamf5LCZJQQ= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= -go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 
@@ -829,7 +852,6 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= @@ -837,8 +859,8 @@ golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I= golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= -golang.org/x/crypto v0.20.0 h1:jmAMJJZXr5KiCw05dfYK9QnqaqKLYXijU23lsEdcQqg= -golang.org/x/crypto v0.20.0/go.mod h1:Xwo95rrVNIoSMx9wa1JroENMToLWn3RNVrTBpLHgZPQ= +golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= +golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -873,8 +895,8 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= -golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic= +golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -918,16 +940,16 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ= -golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4= -golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= +golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc= +golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ= -golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA= +golang.org/x/oauth2 v0.19.0 h1:9+E/EZBCbTLNrbN35fHv/a/d/mOBatymz1zbtQrXpIg= +golang.org/x/oauth2 v0.19.0/go.mod h1:vYi7skDa1x015PmRRYZ7+s1cWyPgrPiSYRe4rnsexc8= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -940,8 +962,8 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= -golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= +golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -994,8 +1016,9 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= +golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= 
@@ -1004,8 +1027,9 @@ golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo= golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= -golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= +golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q= +golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -1014,7 +1038,6 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= 
@@ -1075,8 +1098,8 @@ golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= -golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= +golang.org/x/tools v0.19.0 h1:tfGCXNR1OsFG+sVdLAitlpjAvD/I6dHDKnYrpEZUHkw= +golang.org/x/tools v0.19.0/go.mod h1:qoJWxmGSIBmAeriMx19ogtrEPrGtDbPK634QFIcLAhc= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -1100,16 +1123,14 @@ google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0M google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= -google.golang.org/api v0.159.0 h1:fVTj+7HHiUYz4JEZCHHoRIeQX7h5FMzrA2RF/DzDdbs= -google.golang.org/api v0.159.0/go.mod h1:0mu0TpK33qnydLvWqbImq2b1eQ5FHRSDCBzAxX9ZHyw= +google.golang.org/api v0.172.0 h1:/1OcMZGPmW1rX2LCu2CmGUD1KXK1+pfzxotxyRUCCdk= +google.golang.org/api v0.172.0/go.mod h1:+fJZq6QXWfa9pXhnIzsjx4yI22d4aI9ZpLb58gvXjis= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= -google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 
@@ -1139,12 +1160,12 @@ google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7Fc google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20240102182953-50ed04b92917 h1:nz5NESFLZbJGPFxDT/HCn+V1mZ8JGNoY4nUpmW/Y2eg= -google.golang.org/genproto v0.0.0-20240102182953-50ed04b92917/go.mod h1:pZqR+glSb11aJ+JQcczCvgf47+duRuzNSKqE8YAQnV0= -google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917 h1:rcS6EyEaoCO52hQDupoSfrxI3R6C2Tq741is7X8OvnM= -google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917/go.mod h1:CmlNWB9lSezaYELKS5Ym1r44VrrbPUa7JTvw+6MbpJ0= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240116215550-a9fa1716bcac h1:nUQEQmH/csSvFECKYRv6HWEyypysidKl2I6Qpsglq/0= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240116215550-a9fa1716bcac/go.mod h1:daQN87bsDqDoe316QbbvX60nMoJQa4r6Ds0ZuoAe5yA= +google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 h1:ImUcDPHjTrAqNhlOkSocDLfG9rrNHH7w7uoKWPaWZ8s= +google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7/go.mod h1:/3XmxOjePkvmKrHuBy4zNFw7IzxJXtAgdpXi8Ll990U= +google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7 h1:oqta3O3AnlWbmIE3bFnWbu4bRxZjfbWCp0cKSuZh01E= +google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7/go.mod h1:VQW3tUculP/D4B+xVCo+VgSq8As6wA9ZjHl//pmk+6s= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 h1:NnYq6UN9ReLM9/Y01KWNOWyI5xQ9kbIms5GGJVwS/Yc= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY= google.golang.org/grpc v1.19.0/go.mod 
h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= @@ -1157,8 +1178,8 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.61.2 h1:TzJay21lXCf7BiNFKl7mSskt5DlkKAumAYTs52SpJeo= -google.golang.org/grpc v1.61.2/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs= +google.golang.org/grpc v1.62.2 h1:iEIj1U5qjyBjzkM5nk3Fq+S1IbjbXSyqeULZ1Nfo4AA= +google.golang.org/grpc v1.62.2/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -1218,8 +1239,8 @@ k8s.io/client-go v0.28.8 h1:TE59Tjd87WKvS2FPBTfIKLFX0nQJ4SSHsnDo5IHjgOw= k8s.io/client-go v0.28.8/go.mod h1:uDVQ/rPzWpWIy40c6lZ4mUwaEvRWGnpoqSO4FM65P3o= k8s.io/component-base v0.27.7 h1:kngM58HR9W9Nqpv7e4rpdRyWnKl/ABpUhLAZ+HoliMs= k8s.io/component-base v0.27.7/go.mod h1:YGjlCVL1oeKvG3HSciyPHFh+LCjIEqsxz4BDR3cfHRs= -k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= -k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= +k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-aggregator v0.27.2 h1:jfHoPip+qN/fn3OcrYs8/xMuVYvkJHKo0H0DYciqdns= k8s.io/kube-aggregator v0.27.2/go.mod h1:mwrTt4ESjQ7A6847biwohgZWn8P/KzSFHegEScbSGY4= k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= @@ -1242,5 +1263,5 @@ sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77Vzej sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= -software.sslmate.com/src/go-pkcs12 v0.2.0 h1:nlFkj7bTysH6VkC4fGphtjXRbezREPgrHuJG20hBGPE= -software.sslmate.com/src/go-pkcs12 v0.2.0/go.mod h1:23rNcYsMabIc1otwLpTkCCPwUq6kQsTyowttG/as0kQ= +software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k= +software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI= diff --git a/httpserver/handlers.go b/httpserver/handlers.go index 57c999bad..46267bf91 100644 --- a/httpserver/handlers.go +++ b/httpserver/handlers.go 
@@ -83,11 +83,6 @@ func (server *Server) verify(ctx context.Context, w http.ResponseWriter, r *http results = append(results, returnItem) mu.Unlock() }() - if err := server.validateComponents(verifyComponents); err != nil { - logger.GetLogger(ctx, server.LogOption).Error(err) - returnItem.Error = err.Error() - return - } requestKey, err := pkgUtils.ParseRequestKey(key) if err != nil { returnItem.Error = err.Error() @@ -100,6 +95,12 @@ func (server *Server) verify(ctx context.Context, w http.ResponseWriter, r *http } ctx = ctxUtils.SetContextWithNamespace(ctx, requestKey.Namespace) + if err := server.validateComponents(ctx, verifyComponents); err != nil { + logger.GetLogger(ctx, server.LogOption).Error(err) + returnItem.Error = err.Error() + return + } + if subjectReference.Digest.String() == "" { logger.GetLogger(ctx, server.LogOption).Warn("Digest should be used instead of tagged reference. The resolved digest may not point to the same signed artifact, since tags are mutable.") } @@ -129,7 +130,7 @@ func (server *Server) verify(ctx context.Context, w http.ResponseWriter, r *http verifyParameters := executor.VerifyParameters{ Subject: resolvedSubjectReference, } - if result, err = server.GetExecutor().VerifySubject(ctx, verifyParameters); err != nil { + if result, err = server.GetExecutor(ctx).VerifySubject(ctx, verifyParameters); err != nil { returnItem.Error = errors.ErrorCodeExecutorFailure.WithError(err).WithComponentType(errors.Executor).Error() return } 
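Review bot: `server.GetExecutor(ctx)` is resolved once for the `VerifySubject` call in the third hunk, again for `PolicyEnforcer.GetPolicyType` in the next hunk, and several more times inside `validateComponents` (which evaluates it four times); if that lookup builds or selects an executor from the namespace now carried in ctx, a reconcile landing between those calls means the configuration that passed validation is not the one that verified the subject or that labels the result. Resolve it once right after `SetContextWithNamespace`, `ex := server.GetExecutor(ctx)`, and use `ex` for the rest of the goroutine, letting `validateComponents` take the executor (or the same ctx-derived value) rather than re-resolving; the mutate hunks on the following line have the same pattern. The enclosing verify goroutine starts and ends outside these hunks.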
@@ -145,7 +146,7 @@ func (server *Server) verify(ctx context.Context, w http.ResponseWriter, r *http logger.GetLogger(ctx, server.LogOption).Infof("verify result for subject %s: %s", resolvedSubjectReference, string(res)) } } - returnItem.Value = fromVerifyResult(result, server.GetExecutor().PolicyEnforcer.GetPolicyType(ctx)) + returnItem.Value = fromVerifyResult(result, server.GetExecutor(ctx).PolicyEnforcer.GetPolicyType(ctx)) logger.GetLogger(ctx, server.LogOption).Debugf("verification: execution time for image %s: %dms", resolvedSubjectReference, time.Since(routineStartTime).Milliseconds()) }(utils.SanitizeString(key), ctx) } @@ -192,11 +193,6 @@ func (server *Server) mutate(ctx context.Context, w http.ResponseWriter, r *http results = append(results, returnItem) mu.Unlock() }() - if err := server.validateComponents(mutateComponents); err != nil { - logger.GetLogger(ctx, server.LogOption).Error(err) - returnItem.Error = err.Error() - return - } requestKey, err := pkgUtils.ParseRequestKey(image) if err != nil { returnItem.Error = err.Error() @@ -209,11 +205,18 @@ func (server *Server) mutate(ctx context.Context, w http.ResponseWriter, r *http returnItem.Error = err.Error() return } + ctx = ctxUtils.SetContextWithNamespace(ctx, requestKey.Namespace) + if err := server.validateComponents(ctx, mutateComponents); err != nil { + logger.GetLogger(ctx, server.LogOption).Error(err) + returnItem.Error = err.Error() + return + } + if parsedReference.Digest == "" { var selectedStore referrerstore.ReferrerStore - for _, store := range server.GetExecutor().ReferrerStores { + for _, store := range server.GetExecutor(ctx).ReferrerStores { if store.Name() == server.MutationStoreName { selectedStore = store break 
@@ -243,20 +246,20 @@ func (server *Server) mutate(ctx context.Context, w http.ResponseWriter, r *http return sendResponse(&results, "", w, http.StatusOK, true) } -func (server *Server) validateComponents(handlerComponents string) error { +func (server *Server) validateComponents(ctx context.Context, handlerComponents string) error { if handlerComponents == mutateComponents { - if len(server.GetExecutor().ReferrerStores) == 0 { + if len(server.GetExecutor(ctx).ReferrerStores) == 0 { return errors.ErrorCodeConfigInvalid.WithComponentType(errors.ReferrerStore).WithDetail("referrer store config should have at least one store") } } if handlerComponents == verifyComponents { - if len(server.GetExecutor().ReferrerStores) == 0 { + if len(server.GetExecutor(ctx).ReferrerStores) == 0 { return errors.ErrorCodeConfigInvalid.WithComponentType(errors.ReferrerStore).WithDetail("referrer store config should have at least one store") } - if server.GetExecutor().PolicyEnforcer == nil { + if server.GetExecutor(ctx).PolicyEnforcer == nil { return errors.ErrorCodeConfigInvalid.WithComponentType(errors.PolicyProvider).WithDetail("policy provider config must be specified") } - if len(server.GetExecutor().Verifiers) == 0 { + if len(server.GetExecutor(ctx).Verifiers) == 0 { return errors.ErrorCodeConfigInvalid.WithComponentType(errors.Verifier).WithDetail("verifiers config should have at least one verifier") } } diff --git a/httpserver/server.go b/httpserver/server.go index c52daf19d..bca7db43a 100644 --- a/httpserver/server.go +++ b/httpserver/server.go 
@@ -178,13 +178,13 @@ func (server *Server) registerHandlers() error { if err != nil { return err } - server.register(http.MethodPost, verifyPath, processTimeout(server.verify, server.GetExecutor().GetVerifyRequestTimeout(), false)) + server.register(http.MethodPost, verifyPath, processTimeout(server.verify, server.GetExecutor(server.Context).GetVerifyRequestTimeout(), false)) mutatePath, err := url.JoinPath(ServerRootURL, "mutate") if err != nil { return err } - server.register(http.MethodPost, mutatePath, processTimeout(server.mutate, server.GetExecutor().GetMutationRequestTimeout(), true)) + server.register(http.MethodPost, mutatePath, processTimeout(server.mutate, server.GetExecutor(server.Context).GetMutationRequestTimeout(), true)) return nil } diff --git a/httpserver/server_test.go b/httpserver/server_test.go index 9a4587287..cb04b73d2 100644 --- a/httpserver/server_test.go +++ b/httpserver/server_test.go @@ -46,7 +46,7 @@ import ( const testArtifactType string = "test-type1" const testImageNameTagged string = "localhost:5000/net-monitor:v1" -func testGetExecutor() *core.Executor { +func testGetExecutor(context.Context) *core.Executor { return &core.Executor{ Verifiers: []verifier.ReferenceVerifier{}, ReferrerStores: []referrerstore.ReferrerStore{}, @@ -138,7 +138,7 @@ func TestServer_Timeout_Failed(t *testing.T) { Verifiers: []verifier.ReferenceVerifier{ver}, } - getExecutor := func() *core.Executor { + getExecutor := func(context.Context) *core.Executor { return ex } @@ -151,7 +151,7 @@ func TestServer_Timeout_Failed(t *testing.T) { handler := contextHandler{ context: server.Context, - handler: processTimeout(server.verify, server.GetExecutor().GetVerifyRequestTimeout(), false), + handler: processTimeout(server.verify, server.GetExecutor(nil).GetVerifyRequestTimeout(), false), } handler.ServeHTTP(responseRecorder, request) 
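Review bot: The verify and mutate timeouts are read once here from `server.GetExecutor(server.Context)`, i.e. from an executor resolved with the server's base context rather than a request context; if the ctx argument selects a namespaced executor, per-namespace timeout settings never reach `processTimeout`, and a later configuration change does not refresh the value either. If that is intended, a comment on the first `server.register` line would save the next reader the question: `// Timeouts are fixed at registration from the executor for the server context; request-scoped executors do not change them.` `registerHandlers` begins outside the hunk.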
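Review bot: `server.GetExecutor(nil)` in the `@@ -151,7` test hunk passes a nil context; Go code never passes a nil ctx by convention, and if `GetExecutor` ever reads the namespace from it (the production call sites now pass a namespaced ctx) these tests will panic rather than exercise that path. Use `server.GetExecutor(context.TODO())`, or `server.Context`, which the surrounding `contextHandler` literal already supplies, here and in the matching test hunks on the following lines (TestServer_MultipleSubjects_Success through TestServer_Verify_VerifierConfigInvalid_Failure).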
@@ -209,7 +209,7 @@ func TestServer_MultipleSubjects_Success(t *testing.T) { }, } - getExecutor := func() *core.Executor { + getExecutor := func(context.Context) *core.Executor { return ex } @@ -222,7 +222,7 @@ func TestServer_MultipleSubjects_Success(t *testing.T) { handler := contextHandler{ context: server.Context, - handler: processTimeout(server.verify, server.GetExecutor().GetVerifyRequestTimeout(), false), + handler: processTimeout(server.verify, server.GetExecutor(nil).GetVerifyRequestTimeout(), false), } handler.ServeHTTP(responseRecorder, request) @@ -280,7 +280,7 @@ func TestServer_Mutation_Success(t *testing.T) { Verifiers: []verifier.ReferenceVerifier{ver}, } - getExecutor := func() *core.Executor { + getExecutor := func(context.Context) *core.Executor { return ex } @@ -294,7 +294,7 @@ func TestServer_Mutation_Success(t *testing.T) { handler := contextHandler{ context: server.Context, - handler: processTimeout(server.mutate, server.GetExecutor().GetMutationRequestTimeout(), true), + handler: processTimeout(server.mutate, server.GetExecutor(nil).GetMutationRequestTimeout(), true), } handler.ServeHTTP(responseRecorder, request) @@ -356,7 +356,7 @@ func TestServer_Mutation_ReferrerStoreConfigInvalid_Failure(t *testing.T) { Verifiers: []verifier.ReferenceVerifier{ver}, } - getExecutor := func() *core.Executor { + getExecutor := func(context.Context) *core.Executor { return ex } @@ -370,7 +370,7 @@ func TestServer_Mutation_ReferrerStoreConfigInvalid_Failure(t *testing.T) { handler := contextHandler{ context: server.Context, - handler: processTimeout(server.mutate, server.GetExecutor().GetMutationRequestTimeout(), true), + handler: processTimeout(server.mutate, server.GetExecutor(nil).GetMutationRequestTimeout(), true), } handler.ServeHTTP(responseRecorder, request) 
@@ -439,7 +439,7 @@ func TestServer_MultipleRequestsForSameSubject_Success(t *testing.T) { }, } - getExecutor := func() *core.Executor { + getExecutor := func(context.Context) *core.Executor { return ex } @@ -452,7 +452,7 @@ func TestServer_MultipleRequestsForSameSubject_Success(t *testing.T) { handler := contextHandler{ context: server.Context, - handler: processTimeout(server.verify, server.GetExecutor().GetVerifyRequestTimeout(), false), + handler: processTimeout(server.verify, server.GetExecutor(nil).GetVerifyRequestTimeout(), false), } handler.ServeHTTP(responseRecorder, request) @@ -491,7 +491,7 @@ func TestServer_Verify_ParseReference_Failure(t *testing.T) { }, } - getExecutor := func() *core.Executor { + getExecutor := func(context.Context) *core.Executor { return ex } @@ -504,7 +504,7 @@ func TestServer_Verify_ParseReference_Failure(t *testing.T) { handler := contextHandler{ context: server.Context, - handler: processTimeout(server.verify, server.GetExecutor().GetVerifyRequestTimeout(), false), + handler: processTimeout(server.verify, server.GetExecutor(nil).GetVerifyRequestTimeout(), false), } handler.ServeHTTP(responseRecorder, request) @@ -564,7 +564,7 @@ func TestServer_Verify_PolicyEnforcerConfigInvalid_Failure(t *testing.T) { Verifiers: []verifier.ReferenceVerifier{ver}, } - getExecutor := func() *core.Executor { + getExecutor := func(context.Context) *core.Executor { return ex } @@ -578,7 +578,7 @@ func TestServer_Verify_PolicyEnforcerConfigInvalid_Failure(t *testing.T) { handler := contextHandler{ context: server.Context, - handler: processTimeout(server.verify, server.GetExecutor().GetVerifyRequestTimeout(), false), + handler: processTimeout(server.verify, server.GetExecutor(nil).GetVerifyRequestTimeout(), false), } handler.ServeHTTP(responseRecorder, request) 
@@ -633,7 +633,7 @@ func TestServer_Verify_VerifierConfigInvalid_Failure(t *testing.T) { Verifiers: []verifier.ReferenceVerifier{}, } - getExecutor := func() *core.Executor { + getExecutor := func(context.Context) *core.Executor { return ex } @@ -647,7 +647,7 @@ func TestServer_Verify_VerifierConfigInvalid_Failure(t *testing.T) { handler := contextHandler{ context: server.Context, - handler: processTimeout(server.verify, server.GetExecutor().GetVerifyRequestTimeout(), false), + handler: processTimeout(server.verify, server.GetExecutor(nil).GetVerifyRequestTimeout(), false), } handler.ServeHTTP(responseRecorder, request) diff --git a/internal/logger/logger.go b/internal/logger/logger.go index 15a5a78d7..83b76c1fe 100644 --- a/internal/logger/logger.go +++ b/internal/logger/logger.go @@ -66,6 +66,8 @@ const ( Cache componentType = "cache" // CertProvider is the component type for certificate provider. CertProvider componentType = "certificateProvider" + // KeyManagementProvider is the component type for key management provider. + KeyManagementProvider componentType = "keyManagementProvider" // AuthProvider is the component type for auth provider. AuthProvider componentType = "authProvider" // PolicyProvider is the component type for policy provider. diff --git a/pkg/controllers/keymanagementprovider_controller.go b/pkg/controllers/keymanagementprovider_controller.go index 6d2c6f15e..787ca1fb4 100644 --- a/pkg/controllers/keymanagementprovider_controller.go +++ b/pkg/controllers/keymanagementprovider_controller.go @@ -20,6 +20,7 @@ import ( "context" "encoding/json" "fmt" + "maps" _ "github.com/deislabs/ratify/pkg/keymanagementprovider/azurekeyvault" // register azure key vault key management provider _ "github.com/deislabs/ratify/pkg/keymanagementprovider/inline" // register inline key management provider 
@@ -32,7 +33,6 @@ import ( configv1beta1 "github.com/deislabs/ratify/api/v1beta1" c "github.com/deislabs/ratify/config" - re "github.com/deislabs/ratify/errors" "github.com/deislabs/ratify/pkg/keymanagementprovider" "github.com/deislabs/ratify/pkg/keymanagementprovider/config" "github.com/deislabs/ratify/pkg/keymanagementprovider/factory" @@ -80,9 +80,8 @@ func (r *KeyManagementProviderReconciler) Reconcile(ctx context.Context, req ctr } // if certificate store is configured, return error. Only one of certificate store and key management provider can be configured if len(certificateStoreList.Items) > 0 { - err := re.ErrorCodeKeyManagementConflict.WithComponentType(re.KeyManagementProvider).WithPluginName(resource).WithDetail("certificate store already exists") - // Note: for backwards compatibility in upgrade scenarios, Ratify will only log an error. - logger.Error(err) + // Note: for backwards compatibility in upgrade scenarios, Ratify will only log a warning statement. + logger.Warn("Certificate Store already exists. Key management provider and certificate store should not be configured together. Please migrate to key management provider and delete certificate store.") } provider, err := specToKeyManagementProvider(keyManagementProvider.Spec) 
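Review bot: The new warning in the `Reconcile` hunk drops the resource name that the replaced error carried through `WithPluginName(resource)`, so an operator running several KeyManagementProvider objects cannot tell from the log line which one hit the conflict. `logger.Warnf("Certificate Store already exists; key management provider %s and certificate store should not be configured together. Please migrate to key management provider and delete certificate store.", resource)` keeps that context, and `logger.Infof` is already used the same way later in this function. The function body continues outside the hunk.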
@@ -91,17 +90,28 @@ func (r *KeyManagementProviderReconciler) Reconcile(ctx context.Context, req ctr return ctrl.Result{}, err } + // fetch certificates and store in map certificates, certAttributes, err := provider.GetCertificates(ctx) if err != nil { writeKMProviderStatus(ctx, r, &keyManagementProvider, logger, isFetchSuccessful, err.Error(), lastFetchedTime, nil) return ctrl.Result{}, fmt.Errorf("Error fetching certificates in KMProvider %v with %v provider, error: %w", resource, keyManagementProvider.Spec.Type, err) } + + // fetch keys and store in map + keys, keyAttributes, err := provider.GetKeys(ctx) + if err != nil { + writeKMProviderStatus(ctx, r, &keyManagementProvider, logger, isFetchSuccessful, err.Error(), lastFetchedTime, nil) + return ctrl.Result{}, fmt.Errorf("Error fetching keys in KMProvider %v with %v provider, error: %w", resource, keyManagementProvider.Spec.Type, err) + } keymanagementprovider.SetCertificatesInMap(resource, certificates) + keymanagementprovider.SetKeysInMap(resource, keys) + // merge certificates and keys status into one + maps.Copy(keyAttributes, certAttributes) isFetchSuccessful = true emptyErrorString := "" - writeKMProviderStatus(ctx, r, &keyManagementProvider, logger, isFetchSuccessful, emptyErrorString, lastFetchedTime, certAttributes) + writeKMProviderStatus(ctx, r, &keyManagementProvider, logger, isFetchSuccessful, emptyErrorString, lastFetchedTime, keyAttributes) - logger.Infof("%v certificates fetched for key management provider %v", len(certificates), resource) + logger.Infof("%v certificate(s) & %v key(s) fetched for key management provider %v", len(certificates), len(keys), resource) // returning empty result and no error to indicate we’ve successfully reconciled this object return ctrl.Result{}, nil diff --git a/pkg/controllers/keymanagementprovider_controller_test.go b/pkg/controllers/keymanagementprovider_controller_test.go index cb746f416..8a0c6104d 100644 
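Review bot: `maps.Copy(keyAttributes, certAttributes)` writes into the map the provider returned from `GetKeys`; if a provider returns a nil map when it has no keys while `certAttributes` is non-empty, the write into a nil map panics inside the reconciler, and a provider that keeps a reference to its returned map also sees it mutated. Merging into a fresh map avoids both: `status := keymanagementprovider.KeyManagementProviderStatus{}` followed by `maps.Copy(status, keyAttributes)` and `maps.Copy(status, certAttributes)` (keys first, certificates second, preserving the current precedence on duplicate keys), then pass `status` to `writeKMProviderStatus`; this assumes the attribute maps are that type, as the test file on the next line suggests, so confirm. `Reconcile` begins outside the hunk.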
--- a/pkg/controllers/keymanagementprovider_controller_test.go +++ b/pkg/controllers/keymanagementprovider_controller_test.go @@ -71,7 +71,7 @@ func TestKMProviderUpdateErrorStatus(t *testing.T) { func TestKMProviderUpdateSuccessStatus(t *testing.T) { kmProviderStatus := keymanagementprovider.KeyManagementProviderStatus{} properties := map[string]string{} - properties["CertName"] = "wabbit" + properties["Name"] = "wabbit" properties["Version"] = "ABC" kmProviderStatus["Certificates"] = properties diff --git a/pkg/controllers/policy_controller.go b/pkg/controllers/policy_controller.go index 5f29a55e1..dfc2eebf9 100644 --- a/pkg/controllers/policy_controller.go +++ b/pkg/controllers/policy_controller.go @@ -38,17 +38,6 @@ type PolicyReconciler struct { Scheme *runtime.Scheme } -type policy struct { - // The name of the policy. - Name string - // The policy enforcer making a decision. - Enforcer policyprovider.PolicyProvider -} - -// ActivePolicy is the active policy generated from CRD. There would be exactly -// one active policy at any given time. -var ActivePolicy policy - //+kubebuilder:rbac:groups=config.ratify.deislabs.io,resources=policies,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=config.ratify.deislabs.io,resources=policies/status,verbs=get;update;patch //+kubebuilder:rbac:groups=config.ratify.deislabs.io,resources=policies/finalizers,verbs=update 
@@ -66,9 +55,10 @@ func (r *PolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr policyLogger.Infof("Reconciling Policy %s", resource) if err := r.Get(ctx, req.NamespacedName, &policy); err != nil { - if apierrors.IsNotFound(err) && resource == ActivePolicy.Name { + if apierrors.IsNotFound(err) { policyLogger.Infof("delete event detected, removing policy %s", resource) - ActivePolicy.deletePolicy(resource) + // TODO: pass the actual namespace once multi-tenancy is supported. + ActivePolicies.DeletePolicy(constants.EmptyNamespace, resource) } else { policyLogger.Error("failed to get Policy: ", err) } @@ -105,8 +95,8 @@ func policyAddOrReplace(spec configv1beta1.PolicySpec) error { return fmt.Errorf("failed to create policy enforcer: %w", err) } - ActivePolicy.Name = spec.Type - ActivePolicy.Enforcer = policyEnforcer + // TODO: pass the actual namespace once multi-tenancy is supported. + ActivePolicies.AddPolicy(constants.EmptyNamespace, constants.RatifyPolicy, policyEnforcer) return nil } @@ -141,18 +131,6 @@ func rawToPolicyConfig(raw []byte, policyName string) (config.PoliciesConfig, er }, nil } -func (p *policy) deletePolicy(resource string) { - if p.Name == resource { - p.Name = "" - p.Enforcer = nil - } -} - -// IsEmpty returns true if there is no policy set up. -func (p *policy) IsEmpty() bool { - return p.Name == "" && p.Enforcer == nil -} - func writePolicyStatus(ctx context.Context, r client.StatusClient, policy *configv1beta1.Policy, logger *logrus.Entry, isSuccess bool, errString string) { if isSuccess { updatePolicySuccessStatus(policy) diff --git a/pkg/controllers/policy_controller_test.go b/pkg/controllers/policy_controller_test.go index d3b041719..6e81a5764 100644 --- a/pkg/controllers/policy_controller_test.go +++ b/pkg/controllers/policy_controller_test.go 
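Review bot: The delete path in the first hunk calls `ActivePolicies.DeletePolicy(constants.EmptyNamespace, resource)` with the CR name, while `policyAddOrReplace` in the second hunk registers the enforcer under the fixed name `constants.RatifyPolicy`; unless `DeletePolicy` ignores its name argument, deleting a Policy object will not clear the enforcer that was added for it, and the old `resource == ActivePolicy.Name` guard that used to catch a mismatched delete is gone. Using the same key on both sides, `ActivePolicies.DeletePolicy(constants.EmptyNamespace, constants.RatifyPolicy)`, or deriving both from the resource, keeps add and delete symmetric; the semantics of `ActivePolicies` are not visible here, so check them against `policies.NewActivePolicies` before choosing. Both enclosing functions begin outside their hunks.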
@@ -63,67 +63,6 @@ func (c mockStatusClient) Status() client.SubResourceWriter {
 return writer
 }
-func TestDeletePolicy(t *testing.T) {
- testCases := []struct {
- name string
- policyName string
- expectPolicyName string
- }{
- {
- name: "Delete same name",
- policyName: policyName1,
- expectPolicyName: "",
- },
- {
- name: "Delete different name",
- policyName: policyName2,
- expectPolicyName: policyName1,
- },
- }
-
- for _, tc := range testCases {
- t.Run(tc.name, func(t *testing.T) {
- policy := &policy{
- Name: policyName1,
- }
- policy.deletePolicy(tc.policyName)
- if policy.Name != tc.expectPolicyName {
- t.Fatalf("Expected policy name to be %s, got %s", tc.expectPolicyName, policy.Name)
- }
- })
- }
-}
-
-func TestIsEmpty(t *testing.T) {
- testCases := []struct {
- name string
- policy *policy
- expect bool
- }{
- {
- name: "Empty policy",
- policy: &policy{},
- expect: true,
- },
- {
- name: "Non-empty policy",
- policy: &policy{
- Name: policyName1,
- },
- expect: false,
- },
- }
-
- for _, tc := range testCases {
- t.Run(tc.name, func(t *testing.T) {
- isEmpty := tc.policy.IsEmpty()
- if isEmpty != tc.expect {
- t.Fatalf("Expected to be %t, got %t", tc.expect, isEmpty)
- }
- })
- }
-}
-
 func TestRawToPolicyConfig(t *testing.T) {
 testCases := []struct {
 name string
diff --git a/pkg/controllers/resource_map.go b/pkg/controllers/resource_map.go
new file mode 100644
index 000000000..5352a1462
--- /dev/null
+++ b/pkg/controllers/resource_map.go
@@ -0,0 +1,31 @@
+/*
+Copyright The Ratify Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllers
+
+import (
+ "github.com/deislabs/ratify/pkg/customresources/policies"
+ rs "github.com/deislabs/ratify/pkg/customresources/referrerstores"
+ "github.com/deislabs/ratify/pkg/customresources/verifiers"
+)
+
+var (
+ VerifierMap = verifiers.NewActiveVerifiers()
+
+ // ActivePolicy is the active policy generated from CRD. There would be exactly
+ // one active policy belonging to a namespace at any given time.
+ ActivePolicies = policies.NewActivePolicies()
+
+ // a map to track active stores
+ StoreMap = rs.NewActiveStores()
+)
diff --git a/pkg/controllers/store_controller.go b/pkg/controllers/store_controller.go
index b4421a6ef..5371e7c4c 100644
--- a/pkg/controllers/store_controller.go
+++ b/pkg/controllers/store_controller.go
@@ -27,7 +27,7 @@ import (
 configv1beta1 "github.com/deislabs/ratify/api/v1beta1"
 "github.com/deislabs/ratify/config"
- "github.com/deislabs/ratify/pkg/referrerstore"
+ "github.com/deislabs/ratify/internal/constants"
 rc "github.com/deislabs/ratify/pkg/referrerstore/config"
 sf "github.com/deislabs/ratify/pkg/referrerstore/factory"
 "github.com/deislabs/ratify/pkg/referrerstore/types"
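Review bot: The exported VerifierMap in resource_map.go has no doc comment while its two siblings do, and the comment above ActivePolicies still refers to the removed `ActivePolicy` variable. Suggest `// VerifierMap tracks the active verifiers created from Verifier resources.` on VerifierMap and rewording the second to `// ActivePolicies holds the active policy generated from the Policy CRD; there is exactly one active policy per scope at any given time.`. Since all three are process-wide singletons that the controllers mutate and that tests reassign, a one-line note that they are only safe to reassign before the manager starts would also help the next reader.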
@@ -40,11 +40,6 @@ type StoreReconciler struct {
 Scheme *runtime.Scheme
 }
-var (
- // a map to track active stores
- StoreMap = map[string]referrerstore.ReferrerStore{}
-)
-
 //+kubebuilder:rbac:groups=config.ratify.deislabs.io,resources=stores,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=config.ratify.deislabs.io,resources=stores/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=config.ratify.deislabs.io,resources=stores/finalizers,verbs=update
@@ -64,7 +59,8 @@ func (r *StoreReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl
 if err := r.Get(ctx, req.NamespacedName, &store); err != nil {
 if apierrors.IsNotFound(err) {
 storeLogger.Infof("deletion detected, removing store %v", req.Name)
- storeRemove(resource)
+ // TODO: pass the actual namespace once multi-tenancy is supported.
+ StoreMap.DeleteStore(constants.EmptyNamespace, resource)
 } else {
 storeLogger.Error(err, "unable to fetch store")
 }
@@ -115,17 +111,13 @@ func storeAddOrReplace(spec configv1beta1.StoreSpec, fullname string) error {
 return fmt.Errorf("store factory failed to create store from store config, err: %w", err)
 }
- StoreMap[fullname] = storeReference
+ // TODO: pass the actual namespace once multi-tenancy is supported.
+ StoreMap.AddStore(constants.EmptyNamespace, fullname, storeReference)
 logrus.Infof("store '%v' added to store map", storeReference.Name())
 return nil
 }
-// Remove store from map
-func storeRemove(resourceName string) {
- delete(StoreMap, resourceName)
-}
-
 // Returns a store reference from spec
 func specToStoreConfig(storeSpec configv1beta1.StoreSpec) (rc.StorePluginConfig, error) {
 storeConfig := rc.StorePluginConfig{}
diff --git a/pkg/controllers/store_controller_test.go b/pkg/controllers/store_controller_test.go
index 8838b9c6d..1897d5711 100644
--- a/pkg/controllers/store_controller_test.go
+++ b/pkg/controllers/store_controller_test.go
@@ -22,7 +22,8 @@ import (
 "testing"
 configv1beta1 "github.com/deislabs/ratify/api/v1beta1"
- "github.com/deislabs/ratify/pkg/referrerstore"
+ "github.com/deislabs/ratify/internal/constants"
+ rs "github.com/deislabs/ratify/pkg/customresources/referrerstores"
 "github.com/deislabs/ratify/pkg/utils"
 "github.com/sirupsen/logrus"
 "k8s.io/apimachinery/pkg/runtime"
@@ -47,15 +48,15 @@ func TestStoreAdd_EmptyParameter(t *testing.T) {
 if err := storeAddOrReplace(testStoreSpec, "oras"); err != nil {
 t.Fatalf("storeAddOrReplace() expected no error, actual %v", err)
 }
- if len(StoreMap) != 1 {
- t.Fatalf("Store map expected size 1, actual %v", len(StoreMap))
+ if StoreMap.GetStoreCount() != 1 {
+ t.Fatalf("Store map expected size 1, actual %v", StoreMap.GetStoreCount())
 }
 }
 func TestStoreAdd_WithParameters(t *testing.T) {
 resetStoreMap()
- if len(StoreMap) != 0 {
- t.Fatalf("Store map expected size 0, actual %v", len(StoreMap))
+ if StoreMap.GetStoreCount() != 0 {
+ t.Fatalf("Store map expected size 0, actual %v", StoreMap.GetStoreCount())
 }
 dirPath, err := utils.CreatePlugin(sampleName)
 if err != nil {
@@ -68,8 +69,8 @@ func TestStoreAdd_WithParameters(t *testing.T) {
 if err := storeAddOrReplace(testStoreSpec, "testObject"); err != nil {
 t.Fatalf("storeAddOrReplace() expected no error, actual %v", err)
 }
- if len(StoreMap) != 1 {
- t.Fatalf("Store map expected size 1, actual %v", len(StoreMap))
+ if StoreMap.GetStoreCount() != 1 {
+ t.Fatalf("Store map expected size 1, actual %v", StoreMap.GetStoreCount())
 }
 }
@@ -137,8 +138,8 @@ func TestStore_UpdateAndDelete(t *testing.T) {
 if err := storeAddOrReplace(testStoreSpec, sampleName); err != nil {
 t.Fatalf("storeAddOrReplace() expected no error, actual %v", err)
 }
- if len(StoreMap) != 1 {
- t.Fatalf("Store map expected size 1, actual %v", len(StoreMap))
+ if StoreMap.GetStoreCount() != 1 {
+ t.Fatalf("Store map expected size 1, actual %v", StoreMap.GetStoreCount())
 }
 // modify the Store
@@ -152,19 +153,19 @@ func TestStore_UpdateAndDelete(t *testing.T) {
 }
 // validate no Store has been added
- if len(StoreMap) != 1 {
- t.Fatalf("Store map should be 1 after replacement, actual %v", len(StoreMap))
+ if StoreMap.GetStoreCount() != 1 {
+ t.Fatalf("Store map should be 1 after replacement, actual %v", StoreMap.GetStoreCount())
 }
- storeRemove(sampleName)
+ StoreMap.DeleteStore(constants.EmptyNamespace, sampleName)
- if len(StoreMap) != 0 {
- t.Fatalf("Store map should be 0 after deletion, actual %v", len(StoreMap))
+ if StoreMap.GetStoreCount() != 0 {
+ t.Fatalf("Store map should be 0 after deletion, actual %v", StoreMap.GetStoreCount())
 }
 }
 func resetStoreMap() {
- StoreMap = map[string]referrerstore.ReferrerStore{}
+ StoreMap = rs.NewActiveStores()
 }
 func getOrasStoreSpec(pluginName, pluginPath string) configv1beta1.StoreSpec {
diff --git a/pkg/controllers/verifier_controller.go b/pkg/controllers/verifier_controller.go
index 31cb83a5b..1cd8bb726 100644
--- a/pkg/controllers/verifier_controller.go
+++ b/pkg/controllers/verifier_controller.go
@@ -24,8 +24,8 @@ import (
 configv1beta1 "github.com/deislabs/ratify/api/v1beta1"
 "github.com/deislabs/ratify/config"
 re "github.com/deislabs/ratify/errors"
+ "github.com/deislabs/ratify/internal/constants"
 "github.com/deislabs/ratify/pkg/utils"
- vr "github.com/deislabs/ratify/pkg/verifier"
 vc "github.com/deislabs/ratify/pkg/verifier/config"
 vf "github.com/deislabs/ratify/pkg/verifier/factory"
 "github.com/deislabs/ratify/pkg/verifier/types"
@@ -43,11 +43,6 @@ type VerifierReconciler struct {
 Scheme *runtime.Scheme
 }
-var (
- // a map to track of active verifiers
- VerifierMap = map[string]vr.ReferenceVerifier{}
-)
-
 //+kubebuilder:rbac:groups=config.ratify.deislabs.io,resources=verifiers,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=config.ratify.deislabs.io,resources=verifiers/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=config.ratify.deislabs.io,resources=verifiers/finalizers,verbs=update
@@ -72,7 +67,8 @@ func (r *VerifierReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 if err := r.Get(ctx, req.NamespacedName, &verifier); err != nil {
 if apierrors.IsNotFound(err) {
 verifierLogger.Infof("delete event detected, removing verifier %v", resource)
- verifierRemove(resource)
+ // TODO: pass the actual namespace once multi-tenancy is supported.
+ VerifierMap.DeleteVerifier(constants.EmptyNamespace, resource)
 } else {
 verifierLogger.Error(err, "unable to fetch verifier")
 }
@@ -122,17 +118,13 @@ func verifierAddOrReplace(spec configv1beta1.VerifierSpec, objectName string, na
 logrus.Error(err, "unable to create verifier from verifier config")
 return err
 }
- VerifierMap[objectName] = referenceVerifier
+ // TODO: pass the actual namespace once multi-tenancy is supported.
+ VerifierMap.AddVerifier(constants.EmptyNamespace, objectName, referenceVerifier)
 logrus.Infof("verifier '%v' added to verifier map", referenceVerifier.Name())
 return nil
 }
-// remove verifier from map
-func verifierRemove(objectName string) {
- delete(VerifierMap, objectName)
-}
-
 // returns a verifier reference from spec
 func specToVerifierConfig(verifierSpec configv1beta1.VerifierSpec, verifierName string) (vc.VerifierConfig, error) {
 verifierConfig := vc.VerifierConfig{}
diff --git a/pkg/controllers/verifier_controller_test.go b/pkg/controllers/verifier_controller_test.go
index 6ecad4020..48ceea6ec 100644
--- a/pkg/controllers/verifier_controller_test.go
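Review bot: In the verifierAddOrReplace hunk the call `VerifierMap.AddVerifier(constants.EmptyNamespace, objectName, referenceVerifier)` hard-codes the scope even though the function's signature (truncated in the hunk header to `objectName string, na…`) already takes a third parameter that the tests pass as `constants.EmptyNamespace`; if that parameter is the namespace, the TODO on the line above could be resolved here by forwarding it. Doing so only makes sense together with the Reconcile delete path earlier in this file, which also passes `constants.EmptyNamespace` — adding under the real namespace while deleting under the empty one would leave orphaned verifier entries. If the hard-coding is deliberate until GetVerifiers honours scope, the TODO should say so explicitly. The body of verifierAddOrReplace starts outside the hunk.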
+++ b/pkg/controllers/verifier_controller_test.go
@@ -23,8 +23,8 @@ import (
 configv1beta1 "github.com/deislabs/ratify/api/v1beta1"
 "github.com/deislabs/ratify/internal/constants"
+ "github.com/deislabs/ratify/pkg/customresources/verifiers"
 "github.com/deislabs/ratify/pkg/utils"
- vr "github.com/deislabs/ratify/pkg/verifier"
 "github.com/sirupsen/logrus"
 "k8s.io/apimachinery/pkg/runtime"
 "sigs.k8s.io/controller-runtime/pkg/client"
@@ -34,7 +34,7 @@ const licenseChecker = "licensechecker"
 func TestMain(m *testing.M) {
 // make sure to reset verifierMap before each test run
- VerifierMap = map[string]vr.ReferenceVerifier{}
+ VerifierMap = verifiers.NewActiveVerifiers()
 code := m.Run()
 os.Exit(code)
 }
@@ -56,15 +56,15 @@ func TestVerifierAdd_EmptyParameter(t *testing.T) {
 if err := verifierAddOrReplace(testVerifierSpec, sampleName, constants.EmptyNamespace); err != nil {
 t.Fatalf("verifierAddOrReplace() expected no error, actual %v", err)
 }
- if len(VerifierMap) != 1 {
- t.Fatalf("Verifier map expected size 1, actual %v", len(VerifierMap))
+ if VerifierMap.GetVerifierCount() != 1 {
+ t.Fatalf("Verifier map expected size 1, actual %v", VerifierMap.GetVerifierCount())
 }
 }
 func TestVerifierAdd_WithParameters(t *testing.T) {
 resetVerifierMap()
- if len(VerifierMap) != 0 {
- t.Fatalf("Verifier map expected size 0, actual %v", len(VerifierMap))
+ if VerifierMap.GetVerifierCount() != 0 {
+ t.Fatalf("Verifier map expected size 0, actual %v", VerifierMap.GetVerifierCount())
 }
 dirPath, err := utils.CreatePlugin(licenseChecker)
@@ -78,8 +78,8 @@ func TestVerifierAdd_WithParameters(t *testing.T) {
 if err := verifierAddOrReplace(testVerifierSpec, "testObject", constants.EmptyNamespace); err != nil {
 t.Fatalf("verifierAddOrReplace() expected no error, actual %v", err)
 }
- if len(VerifierMap) != 1 {
- t.Fatalf("Verifier map expected size 1, actual %v", len(VerifierMap))
+ if VerifierMap.GetVerifierCount() != 1 {
+ t.Fatalf("Verifier map expected size 1, actual %v", VerifierMap.GetVerifierCount())
 }
 }
@@ -109,8 +109,8 @@ func TestVerifier_UpdateAndDelete(t *testing.T) {
 if err := verifierAddOrReplace(testVerifierSpec, licenseChecker, constants.EmptyNamespace); err != nil {
 t.Fatalf("verifierAddOrReplace() expected no error, actual %v", err)
 }
- if len(VerifierMap) != 1 {
- t.Fatalf("Verifier map expected size 1, actual %v", len(VerifierMap))
+ if VerifierMap.GetVerifierCount() != 1 {
+ t.Fatalf("Verifier map expected size 1, actual %v", VerifierMap.GetVerifierCount())
 }
 // modify the verifier
@@ -121,14 +121,14 @@ func TestVerifier_UpdateAndDelete(t *testing.T) {
 }
 // validate no verifier has been added
- if len(VerifierMap) != 1 {
- t.Fatalf("Verifier map should be 1 after replacement, actual %v", len(VerifierMap))
+ if VerifierMap.GetVerifierCount() != 1 {
+ t.Fatalf("Verifier map should be 1 after replacement, actual %v", VerifierMap.GetVerifierCount())
 }
- verifierRemove(licenseChecker)
+ VerifierMap.DeleteVerifier(constants.EmptyNamespace, licenseChecker)
- if len(VerifierMap) != 0 {
- t.Fatalf("Verifier map should be 0 after deletion, actual %v", len(VerifierMap))
+ if VerifierMap.GetVerifierCount() != 0 {
+ t.Fatalf("Verifier map should be 0 after deletion, actual %v", VerifierMap.GetVerifierCount())
 }
 }
@@ -206,7 +206,7 @@ func TestGetCertStoreNamespace(t *testing.T) {
 }
 func resetVerifierMap() {
- VerifierMap = map[string]vr.ReferenceVerifier{}
+ VerifierMap = verifiers.NewActiveVerifiers()
 }
 func getLicenseCheckerFromParam(parametersString, pluginPath string) configv1beta1.VerifierSpec {
diff --git a/pkg/customresources/policies/api.go b/pkg/customresources/policies/api.go
new file mode 100644
index 000000000..1973c8cc4
--- /dev/null
+++ b/pkg/customresources/policies/api.go
@@ -0,0 +1,33 @@
+/*
+Copyright The Ratify Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policies
+
+import "github.com/deislabs/ratify/pkg/policyprovider"
+
+// PolicyManager is an interface that defines the methods for managing policies across different scopes.
+type PolicyManager interface {
+ // GetPolicy returns the policy for the given scope.
+ GetPolicy(scope string) policyprovider.PolicyProvider
+
+ // AddPolicy adds the given policy under the given scope.
+ AddPolicy(scope, policyName string, policy policyprovider.PolicyProvider)
+
+ // DeletePolicy deletes the policy from the given scope.
+ DeletePolicy(scope, policyName string)
+
+ // IsEmpty returns true if there are no policies.
+ IsEmpty() bool
+}
diff --git a/pkg/customresources/policies/policies.go b/pkg/customresources/policies/policies.go
new file mode 100644
index 000000000..d562d659c
--- /dev/null
+++ b/pkg/customresources/policies/policies.go
@@ -0,0 +1,77 @@
+/*
+Copyright The Ratify Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policies
+
+import (
+ "github.com/deislabs/ratify/internal/constants"
+ "github.com/deislabs/ratify/pkg/policyprovider"
+)
+
+// PolicyWrapper wraps policy provider with its policy name.
+type PolicyWrapper struct {
+ Name string
+ Policy policyprovider.PolicyProvider
+}
+
+// ActivePolicies implements PolicyManager interface.
+type ActivePolicies struct {
+ // TODO: Implement concurrent safety using sync.Map
+ // ScopedPolicies is a mapping from scope to a policy.
+ // Note: Scope is utilized for organizing and isolating verifiers. In a Kubernetes (K8s) environment, the scope can be either a namespace or an empty string ("") for cluster-wide verifiers.
+ ScopedPolicies map[string]PolicyWrapper
+}
+
+func NewActivePolicies() PolicyManager {
+ return &ActivePolicies{
+ ScopedPolicies: make(map[string]PolicyWrapper),
+ }
+}
+
+// GetPolicy fulfills the PolicyManager interface.
+// It returns the policy for the given scope. If no policy is found for the given scope, it returns cluster-wide policy.
+// TODO: Current implementation always fetches the cluster-wide policy. Will implement the logic to fetch the policy for the given scope.
+func (p *ActivePolicies) GetPolicy(_ string) policyprovider.PolicyProvider {
+ policy, ok := p.ScopedPolicies[constants.EmptyNamespace]
+ if ok {
+ return policy.Policy
+ }
+ return nil
+}
+
+// AddPolicy fulfills the PolicyManager interface.
+// It adds the given policy under the given scope.
+func (p *ActivePolicies) AddPolicy(scope, policyName string, policy policyprovider.PolicyProvider) {
+ p.ScopedPolicies[scope] = PolicyWrapper{
+ Name: policyName,
+ Policy: policy,
+ }
+}
+
+// DeletePolicy fulfills the PolicyManager interface.
+// It deletes the policy from the given scope.
+func (p *ActivePolicies) DeletePolicy(scope, policyName string) {
+ if policy, ok := p.ScopedPolicies[scope]; ok {
+ if policy.Name == policyName {
+ delete(p.ScopedPolicies, scope)
+ }
+ }
+}
+
+// IsEmpty fulfills the PolicyManager interface.
+// IsEmpty returns true if there are no policies.
+func (p *ActivePolicies) IsEmpty() bool {
+ return len(p.ScopedPolicies) == 0
+}
diff --git a/pkg/customresources/policies/policies_test.go b/pkg/customresources/policies/policies_test.go
new file mode 100644
index 000000000..69cd407a1
--- /dev/null
+++ b/pkg/customresources/policies/policies_test.go
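Review bot: ScopedPolicies is a plain map that GetPolicy reads and AddPolicy/DeletePolicy write with no synchronization, and the same holds for ScopedStores in stores.go and ScopedVerifiers in verifiers.go; these are the singletons in resource_map.go that the controllers' Reconcile paths mutate and that the verification path presumably reads, and a concurrent read and write on a Go map is a fatal runtime error that takes the whole process down, which for an admission-path component is an availability risk worth closing before merge rather than leaving as a TODO. The struct comment proposes sync.Map, but a `sync.RWMutex` field guarding each method fits better: the nested maps in stores.go and verifiers.go cannot be made safe with a single sync.Map, and the critical sections are tiny. I would also unexport the map field so callers cannot bypass the lock, and return `*ActivePolicies` from NewActivePolicies instead of the interface (the file would need to import `sync`). The field comment also says "verifiers" where it means policies. The fence shows the guarded form of this type's methods.
```go
type ActivePolicies struct {
	mu sync.RWMutex
	// … unchanged: field comments and ScopedPolicies …
}

func (p *ActivePolicies) GetPolicy(_ string) policyprovider.PolicyProvider {
	p.mu.RLock()
	defer p.mu.RUnlock()
	if policy, ok := p.ScopedPolicies[constants.EmptyNamespace]; ok {
		return policy.Policy
	}
	return nil
}

func (p *ActivePolicies) AddPolicy(scope, policyName string, policy policyprovider.PolicyProvider) {
	p.mu.Lock()
	defer p.mu.Unlock()
	p.ScopedPolicies[scope] = PolicyWrapper{Name: policyName, Policy: policy}
}

func (p *ActivePolicies) DeletePolicy(scope, policyName string) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if policy, ok := p.ScopedPolicies[scope]; ok && policy.Name == policyName {
		delete(p.ScopedPolicies, scope)
	}
}

func (p *ActivePolicies) IsEmpty() bool {
	p.mu.RLock()
	defer p.mu.RUnlock()
	return len(p.ScopedPolicies) == 0
}
```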
@@ -0,0 +1,95 @@
+/*
+Copyright The Ratify Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policies
+
+import (
+ "context"
+ "testing"
+
+ "github.com/deislabs/ratify/internal/constants"
+ "github.com/deislabs/ratify/pkg/common"
+ "github.com/deislabs/ratify/pkg/executor/types"
+ "github.com/deislabs/ratify/pkg/ocispecs"
+)
+
+type mockPolicy struct{}
+
+func (p mockPolicy) VerifyNeeded(_ context.Context, _ common.Reference, _ ocispecs.ReferenceDescriptor) bool {
+ return true
+}
+
+func (p mockPolicy) ContinueVerifyOnFailure(_ context.Context, _ common.Reference, _ ocispecs.ReferenceDescriptor, _ types.VerifyResult) bool {
+ return true
+}
+
+func (p mockPolicy) ErrorToVerifyResult(_ context.Context, _ string, _ error) types.VerifyResult {
+ return types.VerifyResult{}
+}
+
+func (p mockPolicy) OverallVerifyResult(_ context.Context, _ []interface{}) bool {
+ return true
+}
+
+func (p mockPolicy) GetPolicyType(_ context.Context) string {
+ return ""
+}
+
+const (
+ namespace1 = constants.EmptyNamespace
+ namespace2 = "namespace2"
+ name1 = "name1"
+ name2 = "name2"
+)
+
+var (
+ policy1 = mockPolicy{}
+ policy2 = mockPolicy{}
+)
+
+func TestPoliciesOperations(t *testing.T) {
+ policies := NewActivePolicies()
+
+ if !policies.IsEmpty() {
+ t.Errorf("Expected policies to be empty")
+ }
+
+ policies.AddPolicy(namespace1, name1, policy1)
+ policies.AddPolicy(namespace2, name1, policy2)
+
+ if policies.IsEmpty() {
+ t.Errorf("Expected policies to not be empty")
+ }
+
+ if policies.GetPolicy(namespace1) != policy1 {
+ t.Errorf("Expected policy1 to be returned")
+ }
+
+ if policies.GetPolicy(namespace2) != policy2 {
+ t.Errorf("Expected policy2 to be returned")
+ }
+
+ policies.DeletePolicy(namespace2, name1)
+
+ if policies.GetPolicy(namespace2) != policy1 {
+ t.Errorf("Expected policy1 to be returned")
+ }
+
+ policies.DeletePolicy(namespace1, name1)
+
+ if policies.GetPolicy(namespace1) != nil {
+ t.Errorf("Expected no policy to be returned")
+ }
+}
diff --git a/pkg/customresources/referrerstores/api.go b/pkg/customresources/referrerstores/api.go
new file mode 100644
index 000000000..6b435c7e9
--- /dev/null
+++ b/pkg/customresources/referrerstores/api.go
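Review bot: policy1 and policy2 are both the zero-size value `mockPolicy{}`, so they compare equal as interface values and the `GetPolicy(...) != policy1` / `!= policy2` assertions in TestPoliciesOperations cannot tell which policy was returned — they would pass even if AddPolicy wrote to the wrong scope. Give the mock an identity, e.g. `type mockPolicy struct{ name string }` with `policy1 = mockPolicy{name: name1}` and `policy2 = mockPolicy{name: name2}` (which also uses the currently unused name2). Note that the expectation `policies.GetPolicy(namespace2) != policy1` after deleting namespace2's entry encodes the current scope-ignoring stub in GetPolicy and will have to change when scoped lookup is implemented; a comment saying so would save the next person a puzzled minute.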
@@ -0,0 +1,38 @@
+/*
+Copyright The Ratify Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package referrerstores
+
+import (
+ "github.com/deislabs/ratify/pkg/referrerstore"
+)
+
+// ReferrerStoreManager is an interface that defines the methods for managing referrer stores across different scopes.
+type ReferrerStoreManager interface {
+ // Stores returns the list of referrer stores for the given scope.
+ GetStores(scope string) []referrerstore.ReferrerStore
+
+ // AddStore adds the given store under the given scope.
+ AddStore(scope, storeName string, store referrerstore.ReferrerStore)
+
+ // DeleteStore deletes the policy from the given scope.
+ DeleteStore(scope, storeName string)
+
+ // IsEmpty returns true if there are no stores.
+ IsEmpty() bool
+
+ // GetStoreCount returns the number of stores in all scopes.
+ GetStoreCount() int
+}
diff --git a/pkg/customresources/referrerstores/stores.go b/pkg/customresources/referrerstores/stores.go
new file mode 100644
index 000000000..f60f83b0e
--- /dev/null
+++ b/pkg/customresources/referrerstores/stores.go
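Review bot: Two doc comments in the ReferrerStoreManager interface do not match the methods they describe: the comment on GetStores reads `// Stores returns ...` and the one on DeleteStore says it "deletes the policy", a copy-paste from the policies package. Suggest `// GetStores returns the list of referrer stores for the given scope.` and `// DeleteStore deletes the store with the given name from the given scope.`. Since the current implementation of GetStores ignores its scope argument, the interface comment should also say that the scope is presently advisory, so callers do not rely on isolation the type does not yet provide.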
@@ -0,0 +1,89 @@
+/*
+Copyright The Ratify Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package referrerstores
+
+import (
+ "github.com/deislabs/ratify/pkg/referrerstore"
+)
+
+// ActiveStores implements the ReferrerStoreManager interface.
+type ActiveStores struct {
+ // TODO: Implement concurrent safety using sync.Map
+ // The structure of the map is as follows:
+ // The first level maps from scope to stores
+ // The second level maps from store name to store
+ // Example:
+ // {
+ // "namespace1": {
+ // "store1": store1,
+ // "store2": store2
+ // }
+ // }
+ // Note: Scope is utilized for organizing and isolating stores. In a Kubernetes (K8s) environment, the scope can be either a namespace or an empty string ("") for cluster-wide stores.
+ ScopedStores map[string]map[string]referrerstore.ReferrerStore
+}
+
+func NewActiveStores() ReferrerStoreManager {
+ return &ActiveStores{
+ ScopedStores: make(map[string]map[string]referrerstore.ReferrerStore),
+ }
+}
+
+// GetStores fulfills the ReferrerStoreManager interface.
+// It returns all the stores in the ActiveStores for the given scope. If no stores are found for the given scope, it returns cluster-wide stores.
+// TODO: Current implementation fetches stores for all namespaces including cluster-wide ones. Will support actual namespace based stores in future.
+func (s *ActiveStores) GetStores(_ string) []referrerstore.ReferrerStore {
+ stores := []referrerstore.ReferrerStore{}
+ for _, scopedStores := range s.ScopedStores {
+ for _, store := range scopedStores {
+ stores = append(stores, store)
+ }
+ }
+ return stores
+}
+
+// AddStore fulfills the ReferrerStoreManager interface.
+// It adds the given store under the given scope.
+func (s *ActiveStores) AddStore(scope, storeName string, store referrerstore.ReferrerStore) {
+ if _, ok := s.ScopedStores[scope]; !ok {
+ s.ScopedStores[scope] = make(map[string]referrerstore.ReferrerStore)
+ }
+ s.ScopedStores[scope][storeName] = store
+}
+
+// DeleteStore fulfills the ReferrerStoreManager interface.
+// It deletes the store with the given name under the given scope.
+func (s *ActiveStores) DeleteStore(scope, storeName string) {
+ if stores, ok := s.ScopedStores[scope]; ok {
+ delete(stores, storeName)
+ }
+}
+
+// IsEmpty fulfills the ReferrerStoreManager interface.
+// It returns true if there are no stores in the ActiveStores.
+func (s *ActiveStores) IsEmpty() bool {
+ return s.GetStoreCount() == 0
+}
+
+// GetStore fulfills the ReferrerStoreManager interface.
+// GetStoreCount returns the total number of stores in the ActiveStores.
+func (s *ActiveStores) GetStoreCount() int {
+ count := 0
+ for _, stores := range s.ScopedStores {
+ count += len(stores)
+ }
+ return count
+}
diff --git a/pkg/customresources/referrerstores/stores_test.go b/pkg/customresources/referrerstores/stores_test.go
new file mode 100644
index 000000000..46a375801
--- /dev/null
+++ b/pkg/customresources/referrerstores/stores_test.go
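Review bot: The doc comment on GetStoreCount starts with the wrong name (`// GetStore fulfills ...`), which go vet's doc checks and godoc will both trip over; it should read `// GetStoreCount fulfills the ReferrerStoreManager interface.`. NewActiveStores is exported but has no doc comment; `// NewActiveStores returns an empty ReferrerStoreManager.` would do. Minor: DeleteStore leaves an empty inner map behind once the last store in a scope is removed, which is harmless for GetStoreCount but means ScopedStores grows by one entry per scope ever seen; deleting the scope key when `len(stores) == 0` keeps the structure tidy.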
@@ -0,0 +1,104 @@
+/*
+Copyright The Ratify Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package referrerstores
+
+import (
+ "context"
+ "testing"
+
+ "github.com/deislabs/ratify/internal/constants"
+ "github.com/deislabs/ratify/pkg/common"
+ "github.com/deislabs/ratify/pkg/ocispecs"
+ rs "github.com/deislabs/ratify/pkg/referrerstore"
+ "github.com/deislabs/ratify/pkg/referrerstore/config"
+ "github.com/opencontainers/go-digest"
+)
+
+type mockStore struct {
+ name string
+}
+
+func (s mockStore) Name() string {
+ return s.name
+}
+
+func (s mockStore) ListReferrers(_ context.Context, _ common.Reference, _ []string, _ string, _ *ocispecs.SubjectDescriptor) (rs.ListReferrersResult, error) {
+ return rs.ListReferrersResult{}, nil
+}
+
+func (s mockStore) GetBlobContent(_ context.Context, _ common.Reference, _ digest.Digest) ([]byte, error) {
+ return nil, nil
+}
+
+func (s mockStore) GetReferenceManifest(_ context.Context, _ common.Reference, _ ocispecs.ReferenceDescriptor) (ocispecs.ReferenceManifest, error) {
+ return ocispecs.ReferenceManifest{}, nil
+}
+
+func (s mockStore) GetConfig() *config.StoreConfig {
+ return nil
+}
+
+func (s mockStore) GetSubjectDescriptor(_ context.Context, _ common.Reference) (*ocispecs.SubjectDescriptor, error) {
+ return nil, nil
+}
+
+const (
+ namespace1 = constants.EmptyNamespace
+ namespace2 = "namespace2"
+ name1 = "name1"
+ name2 = "name2"
+)
+
+var (
+ store1 = mockStore{name: name1}
+ store2 = mockStore{name: name2}
+)
+
+func TestStoresOperations(t *testing.T) {
+ stores := NewActiveStores()
+ stores.AddStore(namespace1, store1.Name(), store1)
+ stores.AddStore(namespace1, store2.Name(), store2)
+ stores.AddStore(namespace2, store1.Name(), store1)
+ stores.AddStore(namespace2, store2.Name(), store2)
+
+ if stores.GetStoreCount() != 4 {
+ t.Fatalf("Expected 4 namespaces, got %d", stores.GetStoreCount())
+ }
+
+ stores.DeleteStore(namespace2, store1.Name())
+ if len(stores.GetStores(namespace2)) != 3 {
+ t.Fatalf("Expected 3 store in namespace %s, got %d", namespace2, len(stores.GetStores(namespace2)))
+ }
+
+ stores.DeleteStore(namespace2, store2.Name())
+ if len(stores.GetStores(namespace2)) != 2 {
+ t.Fatalf("Expected 2 stores in namespace %s, got %d", namespace2, len(stores.GetStores(namespace2)))
+ }
+
+ stores.DeleteStore(namespace1, store1.Name())
+ if len(stores.GetStores(namespace1)) != 1 {
+ t.Fatalf("Expected 1 store in namespace %s, got %d", namespace1, len(stores.GetStores(namespace1)))
+ }
+
+ stores.DeleteStore(namespace1, store2.Name())
+ if len(stores.GetStores(namespace1)) != 0 {
+ t.Fatalf("Expected 0 stores in namespace %s, got %d", namespace1, len(stores.GetStores(namespace1)))
+ }
+
+ if !stores.IsEmpty() {
+ t.Fatalf("Expected stores to be empty")
+ }
+}
diff --git a/pkg/customresources/verifiers/api.go b/pkg/customresources/verifiers/api.go
new file mode 100644
index 000000000..7d35e7be5
--- /dev/null
+++ b/pkg/customresources/verifiers/api.go
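Review bot: The assertions in TestStoresOperations that read "in namespace %s" are actually counting stores across all scopes, because GetStores ignores its scope argument and returns every store it holds; the expected values 3, 2, 1, 0 only work out for that reason, and the test will silently need rewriting when scoped lookup lands. Either count with `stores.GetStoreCount()` and word the messages accordingly, or add a comment that the per-scope counts are deliberately global for now. The first failure message also says `Expected 4 namespaces` where it means stores: `t.Fatalf("Expected 4 stores, got %d", stores.GetStoreCount())`.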
@@ -0,0 +1,38 @@
+/*
+Copyright The Ratify Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package verifiers
+
+import (
+ vr "github.com/deislabs/ratify/pkg/verifier"
+)
+
+// VerifierManager is an interface that defines the methods for managing verifiers across different scopes.
+type VerifierManager interface {
+ // GetVerifiers returns verifiers under the given scope.
+ GetVerifiers(scope string) []vr.ReferenceVerifier
+
+ // AddVerifier adds a verifier to the given scope.
+ AddVerifier(scope, verifierName string, verifier vr.ReferenceVerifier)
+
+ // DeleteVerifier deletes a verifier from the given scope.
+ DeleteVerifier(scope, verifierName string)
+
+ // IsEmpty returns true if verifiers are empty.
+ IsEmpty() bool
+
+ // GetVerifierCount returns the number of verifiers in all scopes.
+ GetVerifierCount() int
+}
diff --git a/pkg/customresources/verifiers/verifiers.go b/pkg/customresources/verifiers/verifiers.go
new file mode 100644
index 000000000..2e96c85ca
--- /dev/null
+++ b/pkg/customresources/verifiers/verifiers.go
@@ -0,0 +1,81 @@
+/*
+Copyright The Ratify Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package verifiers
+
+import (
+ vr "github.com/deislabs/ratify/pkg/verifier"
+)
+
+// ActiveVerifiers implements VerifierManger interface.
+type ActiveVerifiers struct {
+ // TODO: Implement concurrent safety using sync.Map
+ // The structure of the map is as follows:
+ // The first level maps from scope to verifiers
+ // The second level maps from verifier name to verifier
+ // Example:
+ // {
+ // "namespace1": {
+ // "verifier1": verifier1,
+ // "verifier2": verifier2
+ // }
+ // }
+ // Note: Scope is utilized for organizing and isolating verifiers. In a Kubernetes (K8s) environment, the scope can be either a namespace or an empty string ("") for cluster-wide verifiers.
+ ScopedVerifiers map[string]map[string]vr.ReferenceVerifier
+}
+
+func NewActiveVerifiers() VerifierManager {
+ return &ActiveVerifiers{
+ ScopedVerifiers: make(map[string]map[string]vr.ReferenceVerifier),
+ }
+}
+
+// GetVerifiers implements the VerifierManager interface.
+// It returns a list of verifiers for the given scope. If no verifiers are found for the given scope, it returns cluster-wide verifiers.
+// TODO: Current implementation fetches verifiers for all namespaces including cluster-wide ones. Will support actual namespace based verifiers in future.
+func (v *ActiveVerifiers) GetVerifiers(_ string) []vr.ReferenceVerifier {
+ verifiers := []vr.ReferenceVerifier{}
+ for _, scopedVerifiers := range v.ScopedVerifiers {
+ for _, verifier := range scopedVerifiers {
+ verifiers = append(verifiers, verifier)
+ }
+ }
+ return verifiers
+}
+
+func (v *ActiveVerifiers) AddVerifier(scope, verifierName string, verifier vr.ReferenceVerifier) {
+ if _, ok := v.ScopedVerifiers[scope]; !ok {
+ v.ScopedVerifiers[scope] = make(map[string]vr.ReferenceVerifier)
+ }
+ v.ScopedVerifiers[scope][verifierName] = verifier
+}
+
+func (v *ActiveVerifiers) DeleteVerifier(scope, verifierName string) {
+ if verifiers, ok := v.ScopedVerifiers[scope]; ok {
+ delete(verifiers, verifierName)
+ }
+}
+
+func (v *ActiveVerifiers) IsEmpty() bool {
+ return v.GetVerifierCount() == 0
+}
+
+func (v *ActiveVerifiers) GetVerifierCount() int {
+ count := 0
+ for _, verifiers := range v.ScopedVerifiers {
+ count += len(verifiers)
+ }
+ return count
+}
diff --git a/pkg/customresources/verifiers/verifiers_test.go b/pkg/customresources/verifiers/verifiers_test.go
new file mode 100644
index 000000000..652a9cfcf
--- /dev/null
+++ b/pkg/customresources/verifiers/verifiers_test.go
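Review bot: Nothing guards `ScopedVerifiers`: `AddVerifier` and `DeleteVerifier` write the nested maps while `GetVerifiers` and `GetVerifierCount` range over them, so if the CRD reconciler updates verifiers while a verification request reads them, the runtime aborts the process with a fatal concurrent map access rather than returning an error. The TODO on the struct proposes `sync.Map`, but a single `sync.RWMutex` (with `sync` imported) taken in the two mutators and read-locked in the two readers is the simpler fit for a two-level map, as sketched below. Separately, the type comment misspells the interface (`VerifierManger`), and `NewActiveVerifiers`, `AddVerifier`, `DeleteVerifier`, `IsEmpty` and `GetVerifierCount` are exported without doc comments; `// NewActiveVerifiers returns an empty VerifierManager backed by a scope-keyed map.` would do for the constructor. Note also that `GetVerifiers` ignores its scope argument and returns verifiers from every scope in map-iteration order, which is random per run, so callers should not depend on ordering or on namespace isolation until the TODO is resolved.
```go
type ActiveVerifiers struct {
	mu sync.RWMutex // guards ScopedVerifiers
	// … unchanged: map layout comment …
	ScopedVerifiers map[string]map[string]vr.ReferenceVerifier
}

func (v *ActiveVerifiers) GetVerifiers(_ string) []vr.ReferenceVerifier {
	v.mu.RLock()
	defer v.mu.RUnlock()
	// … unchanged: flatten every scope into one slice …
}

func (v *ActiveVerifiers) AddVerifier(scope, verifierName string, verifier vr.ReferenceVerifier) {
	v.mu.Lock()
	defer v.mu.Unlock()
	// … unchanged: create the scope map on demand, then store …
}
// DeleteVerifier takes mu.Lock and GetVerifierCount takes mu.RLock in the same way.
```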
@@ -0,0 +1,105 @@
+/*
+Copyright The Ratify Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package verifiers
+
+import (
+ "context"
+ "testing"
+
+ "github.com/deislabs/ratify/internal/constants"
+ "github.com/deislabs/ratify/pkg/common"
+ "github.com/deislabs/ratify/pkg/ocispecs"
+ "github.com/deislabs/ratify/pkg/referrerstore"
+ "github.com/deislabs/ratify/pkg/verifier"
+)
+
+type mockVerifier struct {
+ name string
+}
+
+func (v mockVerifier) Name() string {
+ return v.name
+}
+
+func (v mockVerifier) Type() string {
+ return "mockType"
+}
+
+func (v mockVerifier) CanVerify(_ context.Context, _ ocispecs.ReferenceDescriptor) bool {
+ return true
+}
+
+func (v mockVerifier) Verify(_ context.Context, _ common.Reference, _ ocispecs.ReferenceDescriptor, _ referrerstore.ReferrerStore) (verifier.VerifierResult, error) {
+ return verifier.VerifierResult{}, nil
+}
+
+func (v mockVerifier) GetNestedReferences() []string {
+ return nil
+}
+
+const (
+ namespace1 = constants.EmptyNamespace
+ namespace2 = "namespace2"
+ name1 = "name1"
+ name2 = "name2"
+)
+
+var (
+ verifier1 = mockVerifier{name: name1}
+ verifier2 = mockVerifier{name: name2}
+)
+
+func TestVerifiersOperations(t *testing.T) {
+ verifiers := NewActiveVerifiers()
+ verifiers.AddVerifier(namespace1, verifier1.Name(), verifier1)
+ verifiers.AddVerifier(namespace1, verifier2.Name(), verifier2)
+ verifiers.AddVerifier(namespace2, verifier1.Name(), verifier1)
+ verifiers.AddVerifier(namespace2, verifier2.Name(), verifier2)
+
+ if verifiers.IsEmpty() {
+ t.Error("Expected verifiers to not be empty")
+ }
+
+ if verifiers.GetVerifierCount() != 4 {
+ t.Errorf("Expected 4 verifiers, got %d", verifiers.GetVerifierCount())
+ }
+
+ if len(verifiers.GetVerifiers(namespace1)) != 4 {
+ t.Errorf("Expected 4 verifiers, got %d", len(verifiers.GetVerifiers(namespace1)))
+ }
+
+ if len(verifiers.GetVerifiers(namespace2)) != 4 {
+ t.Errorf("Expected 4 verifiers, got %d", len(verifiers.GetVerifiers(namespace2)))
+ }
+
+ verifiers.DeleteVerifier(namespace2, verifier1.Name())
+ verifiers.DeleteVerifier(namespace2, verifier2.Name())
+
+ if len(verifiers.GetVerifiers(namespace2)) != 2 {
+ t.Errorf("Expected 2 verifiers, got %d", len(verifiers.GetVerifiers(namespace2)))
+ }
+
+ verifiers.DeleteVerifier(namespace1, verifier1.Name())
+ verifiers.DeleteVerifier(namespace1, verifier2.Name())
+
+ if !verifiers.IsEmpty() {
+ t.Error("Expected verifiers to be empty")
+ }
+
+ if verifiers.GetVerifierCount() != 0 {
+ t.Errorf("Expected 0 verifiers, got %d", verifiers.GetVerifierCount())
+ }
+}
diff --git a/pkg/executor/core/executor.go b/pkg/executor/core/executor.go
index 74a071d26..08e89bece 100644
--- a/pkg/executor/core/executor.go
+++ b/pkg/executor/core/executor.go
@@ -60,6 +60,9 @@ type Executor struct {
 // TODO Logging within executor
 // VerifySubject verifies the subject and returns results.
 func (executor Executor) VerifySubject(ctx context.Context, verifyParameters e.VerifyParameters) (types.VerifyResult, error) {
+ if executor.PolicyEnforcer == nil {
+ return types.VerifyResult{}, errors.ErrorCodePolicyProviderNotFound.WithComponentType(errors.Executor)
+ }
 result, err := executor.verifySubjectInternal(ctx, verifyParameters)
 if err != nil {
 // get the result for the error based on the policy.
diff --git a/pkg/keymanagementprovider/azurekeyvault/provider.go b/pkg/keymanagementprovider/azurekeyvault/provider.go
index 3230ae0ff..ebde84a50 100644
--- a/pkg/keymanagementprovider/azurekeyvault/provider.go
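Review bot: TestVerifiersOperations never exercises the overwrite path: `AddVerifier` with an existing `(scope, name)` silently replaces the stored verifier and `DeleteVerifier` on an unknown scope or name is a no-op, so neither behaviour is pinned. One more step, e.g. `verifiers.AddVerifier(namespace1, verifier1.Name(), verifier2)` followed by `if verifiers.GetVerifierCount() != 4 { t.Errorf("Expected replacement, got %d verifiers", verifiers.GetVerifierCount()) }`, would record that replacement rather than duplication is intended. The assertions that `GetVerifiers(namespace1)` and `GetVerifiers(namespace2)` both return all 4 (and later 2) verifiers encode the scope-ignoring TODO in the implementation; a comment such as `// GetVerifiers currently returns verifiers from all scopes; see the TODO on ActiveVerifiers.GetVerifiers.` above them would stop a later reader from filing it as a bug or "fixing" the test.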
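Review bot: The new nil guard on `executor.PolicyEnforcer` fails closed, which is the right default for a policy gate, but the doc comment on `VerifySubject` does not mention the new error path; consider `// VerifySubject verifies the subject and returns results. It returns ErrorCodePolicyProviderNotFound when no PolicyEnforcer is configured.` The body of VerifySubject continues outside the hunk, so I cannot tell whether `verifySubjectInternal` has equivalent guards for its other dependencies.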
+++ b/pkg/keymanagementprovider/azurekeyvault/provider.go
@@ -19,12 +19,12 @@ package azurekeyvault
 // Source: https://github.com/Azure/secrets-store-csi-driver-provider-azure/tree/release-1.4/pkg/provider
 import (
 "context"
+ "crypto"
 "crypto/x509"
 "encoding/base64"
 "encoding/json"
 "encoding/pem"
 "fmt"
- "reflect"
 "strings"
 "time"
@@ -35,6 +35,7 @@ import (
 "github.com/deislabs/ratify/pkg/keymanagementprovider/config"
 "github.com/deislabs/ratify/pkg/keymanagementprovider/factory"
 "github.com/deislabs/ratify/pkg/metrics"
+ "github.com/go-jose/go-jose/v3"
 "golang.org/x/crypto/pkcs12"
 kv "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.1/keyvault"
@@ -48,16 +49,17 @@ const (
 )
 var logOpt = logger.Option{
- ComponentType: logger.CertProvider,
+ ComponentType: logger.KeyManagementProvider,
 }
 type AKVKeyManagementProviderConfig struct {
- Type string `json:"type"`
- VaultURI string `json:"vaultURI"`
- TenantID string `json:"tenantID"`
- ClientID string `json:"clientID"`
- CloudName string `json:"cloudName,omitempty"`
- Certificates []types.KeyVaultCertificate `json:"certificates,omitempty"`
+ Type string `json:"type"`
+ VaultURI string `json:"vaultURI"`
+ TenantID string `json:"tenantID"`
+ ClientID string `json:"clientID"`
+ CloudName string `json:"cloudName,omitempty"`
+ Certificates []types.KeyVaultValue `json:"certificates,omitempty"`
+ Keys []types.KeyVaultValue `json:"keys,omitempty"`
 }
 type akvKMProvider struct {
@@ -66,11 +68,17 @@ type akvKMProvider struct {
 tenantID string
 clientID string
 cloudName string
- certificates []types.KeyVaultCertificate
+ certificates []types.KeyVaultValue
+ keys []types.KeyVaultValue
 cloudEnv *azure.Environment
+ kvClient *kv.BaseClient
 }
 type akvKMProviderFactory struct{}
+// initKVClient is a function to initialize the keyvault client
+// used for mocking purposes
+var initKVClient = initializeKvClient
+
 // init calls to register the provider
 func init() {
 factory.Register(providerName, &akvKMProviderFactory{})
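Review bot: `var initKVClient = initializeKvClient` turns the Key Vault client constructor into mutable package state, and the tests in the later provider_test.go hunks (TestCreate's loop body and TestGetKeys) reassign it without ever restoring it, so any test that runs after them in the package silently gets the mock client, and with `t.Parallel()` the assignment would be a data race. Restore the seam in each test: `orig := initKVClient; initKVClient = mockInit; t.Cleanup(func() { initKVClient = orig })`; an alternative that avoids the global entirely is an unexported constructor field on `akvKMProviderFactory`, which the tests already instantiate as a struct. The `kvClient *kv.BaseClient` field added here is only populated by `Create`, so a provider built with a struct literal (as TestValidate does) carries a nil client — harmless for `validate()` but, as far as I can tell, a nil-pointer dereference for `GetCertificates`/`GetKeys`; a comment on the field saying it is set by Create and required by the fetch methods would make that explicit.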
@@ -86,16 +94,16 @@ func (f *akvKMProviderFactory) Create(_ string, keyManagementProviderConfig conf
 }
 if err := json.Unmarshal(keyManagementProviderConfigBytes, &conf); err != nil {
- return nil, re.ErrorCodeConfigInvalid.NewError(re.CertProvider, "", re.EmptyLink, err, "failed to parse AKV key management provider configuration", re.HideStackTrace)
+ return nil, re.ErrorCodeConfigInvalid.NewError(re.KeyManagementProvider, "", re.EmptyLink, err, "failed to parse AKV key management provider configuration", re.HideStackTrace)
 }
 azureCloudEnv, err := parseAzureEnvironment(conf.CloudName)
 if err != nil {
- return nil, re.ErrorCodeConfigInvalid.NewError(re.CertProvider, providerName, re.EmptyLink, nil, fmt.Sprintf("cloudName %s is not valid", conf.CloudName), re.HideStackTrace)
+ return nil, re.ErrorCodeConfigInvalid.NewError(re.KeyManagementProvider, providerName, re.EmptyLink, nil, fmt.Sprintf("cloudName %s is not valid", conf.CloudName), re.HideStackTrace)
 }
- if len(conf.Certificates) == 0 {
- return nil, re.ErrorCodeConfigInvalid.NewError(re.CertProvider, providerName, re.EmptyLink, nil, "no keyvault certificates configured", re.HideStackTrace)
+ if len(conf.Certificates) == 0 && len(conf.Keys) == 0 {
+ return nil, re.ErrorCodeConfigInvalid.NewError(re.KeyManagementProvider, providerName, re.EmptyLink, nil, "no keyvault certificates or keys configured", re.HideStackTrace)
 }
 provider := &akvKMProvider{
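Review bot: The rewritten `cloudName` error still passes `nil` as the wrapped error even though `parseAzureEnvironment` returned one on the line above, so the underlying reason never reaches the log; pass it through: `return nil, re.ErrorCodeConfigInvalid.NewError(re.KeyManagementProvider, providerName, re.EmptyLink, err, fmt.Sprintf("cloudName %s is not valid", conf.CloudName), re.HideStackTrace)`. The relaxed emptiness check `len(conf.Certificates) == 0 && len(conf.Keys) == 0` is correct for the new `Keys` field. Create's body continues outside this hunk.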
@@ -105,25 +113,27 @@ func (f *akvKMProviderFactory) Create(_ string, keyManagementProviderConfig conf
 clientID: strings.TrimSpace(conf.ClientID),
 cloudName: strings.TrimSpace(conf.CloudName),
 certificates: conf.Certificates,
+ keys: conf.Keys,
 cloudEnv: azureCloudEnv,
 }
 if err := provider.validate(); err != nil {
 return nil, err
 }
+ logger.GetLogger(context.Background(), logOpt).Debugf("vaultURI %s", provider.vaultURI)
+
+ kvClient, err := initKVClient(context.Background(), provider.cloudEnv.KeyVaultEndpoint, provider.tenantID, provider.clientID)
+ if err != nil {
+ return nil, re.ErrorCodePluginInitFailure.NewError(re.KeyManagementProvider, providerName, re.AKVLink, err, "failed to create keyvault client", re.HideStackTrace)
+ }
+ provider.kvClient = kvClient
+
 return provider, nil
 }
 // GetCertificates returns an array of certificates based on certificate properties defined in config
 // get certificate retrieve the entire cert chain using getSecret API call
 func (s *akvKMProvider) GetCertificates(ctx context.Context) (map[keymanagementprovider.KMPMapKey][]*x509.Certificate, keymanagementprovider.KeyManagementProviderStatus, error) {
- logger.GetLogger(ctx, logOpt).Debugf("vaultURI %s", s.vaultURI)
-
- kvClient, err := initializeKvClient(ctx, s.cloudEnv.KeyVaultEndpoint, s.tenantID, s.clientID)
- if err != nil {
- return nil, nil, re.ErrorCodePluginInitFailure.NewError(re.CertProvider, providerName, re.AKVLink, err, "failed to get keyvault client", re.HideStackTrace)
- }
-
 certsMap := map[keymanagementprovider.KMPMapKey][]*x509.Certificate{}
 certsStatus := []map[string]string{}
 for _, keyVaultCert := range s.certificates {
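Review bot: `Create` now does credential work — `initKVClient` obtains a workload-identity authorizer — under `context.Background()`, so token acquisition at provider-construction time has no deadline or cancellation; if the factory signature cannot carry a caller context, `ctx, cancel := context.WithTimeout(context.Background(), <init timeout>); defer cancel()` bounds it. Moving the client into the provider also changes credential lifetime: the `Authorizer` is created once per provider instead of once per `GetCertificates` call, so behaviour across token expiry now rests on the autorest authorizer refreshing tokens internally — I believe it does, but a comment on `kvClient` stating that assumption would help whoever debugs the first post-expiry failure. Minor: the debug line now logs `vaultURI` with a background context, so any request-scoped fields the previous `ctx`-based log carried are gone.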
@@ -132,14 +142,12 @@ func (s *akvKMProvider) GetCertificates(ctx context.Context) (map[keymanagementp
 // fetch the object from Key Vault
 // GetSecret is required so we can fetch the entire cert chain. See issue https://github.com/deislabs/ratify/issues/695 for details
 startTime := time.Now()
- secretBundle, err := kvClient.GetSecret(ctx, s.vaultURI, keyVaultCert.Name, keyVaultCert.Version)
-
+ secretBundle, err := s.kvClient.GetSecret(ctx, s.vaultURI, keyVaultCert.Name, keyVaultCert.Version)
 if err != nil {
 return nil, nil, fmt.Errorf("failed to get secret objectName:%s, objectVersion:%s, error: %w", keyVaultCert.Name, keyVaultCert.Version, err)
 }
 certResult, certProperty, err := getCertsFromSecretBundle(ctx, secretBundle, keyVaultCert.Name)
-
 if err != nil {
 return nil, nil, fmt.Errorf("failed to get certificates from secret bundle:%w", err)
 }
@@ -150,42 +158,51 @@ func (s *akvKMProvider) GetCertificates(ctx context.Context) (map[keymanagementp
 certsMap[certMapKey] = certResult
 }
- return certsMap, getCertStatusMap(certsStatus), nil
+ return certsMap, getStatusMap(certsStatus, types.CertificatesStatus), nil
 }
-// azure keyvault provider certificate status is a map from "certificates" key to an array of of certificate status
-func getCertStatusMap(certsStatus []map[string]string) keymanagementprovider.KeyManagementProviderStatus {
- status := keymanagementprovider.KeyManagementProviderStatus{}
- status[types.CertificatesStatus] = certsStatus
- return status
-}
+// GetKeys returns an array of keys based on key properties defined in config
+func (s *akvKMProvider) GetKeys(ctx context.Context) (map[keymanagementprovider.KMPMapKey]crypto.PublicKey, keymanagementprovider.KeyManagementProviderStatus, error) {
+ keysMap := map[keymanagementprovider.KMPMapKey]crypto.PublicKey{}
+ keysStatus := []map[string]string{}
-// return a certificate status object that consist of the cert name, version and last refreshed time
-func getCertStatusProperty(certificateName, version, lastRefreshed string) map[string]string {
- certProperty := map[string]string{}
- certProperty[types.CertificateName] = certificateName
- certProperty[types.CertificateVersion] = version
- certProperty[types.CertificateLastRefreshed] = lastRefreshed
- return certProperty
-}
+ for _, keyVaultKey := range s.keys {
+ logger.GetLogger(ctx, logOpt).Debugf("fetching key from key vault, keyName %v, keyvault %v", keyVaultKey.Name, s.vaultURI)
-// formatKeyVaultCertificate formats the fields in KeyVaultCertificate
-func formatKeyVaultCertificate(object *types.KeyVaultCertificate) {
- if object == nil {
- return
- }
- objectPtr := reflect.ValueOf(object)
- objectValue := objectPtr.Elem()
+ // fetch the key object from Key Vault
+ startTime := time.Now()
+ keyBundle, err := s.kvClient.GetKey(ctx, s.vaultURI, keyVaultKey.Name, keyVaultKey.Version)
+ if err != nil {
+ return nil, nil, fmt.Errorf("failed to get key objectName:%s, objectVersion:%s, error: %w", keyVaultKey.Name, keyVaultKey.Version, err)
+ }
- for i := 0; i < objectValue.NumField(); i++ {
- field := objectValue.Field(i)
- if field.Type() != reflect.TypeOf("") {
- continue
+ publicKey, err := getKeyFromKeyBundle(keyBundle)
+ if err != nil {
+ return nil, nil, fmt.Errorf("failed to get key from key bundle:%w", err)
 }
- str := field.Interface().(string)
- str = strings.TrimSpace(str)
- field.SetString(str)
+ keysMap[keymanagementprovider.KMPMapKey{Name: keyVaultKey.Name, Version: keyVaultKey.Version}] = publicKey
+ metrics.ReportAKVCertificateDuration(ctx, time.Since(startTime).Milliseconds(), keyVaultKey.Name)
+ properties := getStatusProperty(keyVaultKey.Name, keyVaultKey.Version, time.Now().Format(time.RFC3339))
+ keysStatus = append(keysStatus, properties)
 }
+
+ return keysMap, getStatusMap(keysStatus, types.KeysStatus), nil
+}
+
+// azure keyvault provider certificate/key status is a map from "certificates" key or "keys" key to an array of key management provider status
+func getStatusMap(statusMap []map[string]string, contentType string) keymanagementprovider.KeyManagementProviderStatus {
+ status := keymanagementprovider.KeyManagementProviderStatus{}
+ status[contentType] = statusMap
+ return status
+}
+
+// return a status object that consist of the cert/key name, version and last refreshed time
+func getStatusProperty(name, version, lastRefreshed string) map[string]string {
+ properties := map[string]string{}
+ properties[types.StatusName] = name
+ properties[types.StatusVersion] = version
+ properties[types.StatusLastRefreshed] = lastRefreshed
+ return properties
 }
 // parseAzureEnvironment returns azure environment by name
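Review bot: `GetKeys` reports its fetch latency through `metrics.ReportAKVCertificateDuration`, so key fetches are folded into the certificate metric and the two cannot be told apart on a dashboard or alert; a key-specific reporter, or a shared one with an object-type label, keeps them separate. The map key and the status entry both use `keyVaultKey.Version` straight from config, which is empty when the operator means "latest", so after a key rotation the status never records which key version actually verified signatures — an audit gap the certificate path avoids by resolving the real version with `getObjectVersion(*secretBundle.ID)`. The same works here from the bundle's key identifier, e.g. `version := getObjectVersion(*keyBundle.Key.Kid)` once `Key` and `Kid` are known non-nil, used in both `KMPMapKey{Name: keyVaultKey.Name, Version: version}` and `getStatusProperty(keyVaultKey.Name, version, …)`. Minor: `"failed to get key from key bundle:%w"` lacks a space after the colon.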
@@ -206,12 +223,12 @@ func initializeKvClient(ctx context.Context, keyVaultEndpoint, tenantID, clientI
 err := kvClient.AddToUserAgent("ratify")
 if err != nil {
- return nil, re.ErrorCodeConfigInvalid.NewError(re.CertProvider, providerName, re.AKVLink, err, "failed to add user agent to keyvault client", re.PrintStackTrace)
+ return nil, re.ErrorCodeConfigInvalid.NewError(re.KeyManagementProvider, providerName, re.AKVLink, err, "failed to add user agent to keyvault client", re.PrintStackTrace)
 }
 kvClient.Authorizer, err = getAuthorizerForWorkloadIdentity(ctx, tenantID, clientID, kvEndpoint)
 if err != nil {
- return nil, re.ErrorCodeAuthDenied.NewError(re.CertProvider, providerName, re.AKVLink, err, "failed to get authorizer for keyvault client", re.PrintStackTrace)
+ return nil, re.ErrorCodeAuthDenied.NewError(re.KeyManagementProvider, providerName, re.AKVLink, err, "failed to get authorizer for keyvault client", re.PrintStackTrace)
 }
 return &kvClient, nil
 }
@@ -220,7 +237,7 @@ func initializeKvClient(ctx context.Context, keyVaultEndpoint, tenantID, clientI
 // In a certificate chain scenario, all certificates from root to leaf will be returned
 func getCertsFromSecretBundle(ctx context.Context, secretBundle kv.SecretBundle, certName string) ([]*x509.Certificate, []map[string]string, error) {
 if secretBundle.ContentType == nil || secretBundle.Value == nil || secretBundle.ID == nil {
- return nil, nil, re.ErrorCodeCertInvalid.NewError(re.CertProvider, providerName, re.EmptyLink, nil, "found invalid secret bundle for certificate %s, contentType, value, and id must not be nil", re.HideStackTrace)
+ return nil, nil, re.ErrorCodeCertInvalid.NewError(re.KeyManagementProvider, providerName, re.EmptyLink, nil, "found invalid secret bundle for certificate %s, contentType, value, and id must not be nil", re.HideStackTrace)
 }
 version := getObjectVersion(*secretBundle.ID)
@@ -229,7 +246,7 @@ func getCertsFromSecretBundle(ctx context.Context, secretBundle kv.SecretBundle,
 // akv plugin supports both PKCS12 and PEM. https://github.com/Azure/notation-azure-kv/blob/558e7345ef8318783530de6a7a0a8420b9214ba8/Notation.Plugin.AzureKeyVault/KeyVault/KeyVaultClient.cs#L192
 if *secretBundle.ContentType != PKCS12ContentType && *secretBundle.ContentType != PEMContentType {
- return nil, nil, re.ErrorCodeCertInvalid.NewError(re.CertProvider, providerName, re.EmptyLink, nil, fmt.Sprintf("certificate %s version %s, unsupported secret content type %s, supported type are %s and %s", certName, version, *secretBundle.ContentType, PKCS12ContentType, PEMContentType), re.HideStackTrace)
+ return nil, nil, re.ErrorCodeCertInvalid.NewError(re.KeyManagementProvider, providerName, re.EmptyLink, nil, fmt.Sprintf("certificate %s version %s, unsupported secret content type %s, supported type are %s and %s", certName, version, *secretBundle.ContentType, PKCS12ContentType, PEMContentType), re.HideStackTrace)
 }
 results := []*x509.Certificate{}
@@ -241,12 +258,12 @@ func getCertsFromSecretBundle(ctx context.Context, secretBundle kv.SecretBundle,
 if *secretBundle.ContentType == PKCS12ContentType {
 p12, err := base64.StdEncoding.DecodeString(*secretBundle.Value)
 if err != nil {
- return nil, nil, re.ErrorCodeCertInvalid.NewError(re.CertProvider, providerName, re.EmptyLink, err, fmt.Sprintf("azure keyvault certificate provider: failed to decode PKCS12 Value. Certificate %s, version %s", certName, version), re.HideStackTrace)
+ return nil, nil, re.ErrorCodeCertInvalid.NewError(re.KeyManagementProvider, providerName, re.EmptyLink, err, fmt.Sprintf("azure keyvault key management provider: failed to decode PKCS12 Value. Certificate %s, version %s", certName, version), re.HideStackTrace)
 }
 blocks, err := pkcs12.ToPEM(p12, "")
 if err != nil {
- return nil, nil, re.ErrorCodeCertInvalid.NewError(re.CertProvider, providerName, re.EmptyLink, err, fmt.Sprintf("azure keyvault certificate provider: failed to convert PKCS12 Value to PEM. Certificate %s, version %s", certName, version), re.HideStackTrace)
+ return nil, nil, re.ErrorCodeCertInvalid.NewError(re.KeyManagementProvider, providerName, re.EmptyLink, err, fmt.Sprintf("azure keyvault key management provider: failed to convert PKCS12 Value to PEM. Certificate %s, version %s", certName, version), re.HideStackTrace)
 }
 var pemData []byte
@@ -261,32 +278,61 @@ func getCertsFromSecretBundle(ctx context.Context, secretBundle kv.SecretBundle,
 for block != nil {
 switch block.Type {
 case "PRIVATE KEY":
- logger.GetLogger(ctx, logOpt).Warnf("azure keyvault certificate provider: certificate %s, version %s private key skipped. Please see doc to learn how to create a new certificate in keyvault with non exportable keys. https://learn.microsoft.com/en-us/azure/key-vault/certificates/how-to-export-certificate?tabs=azure-cli#exportable-and-non-exportable-keys", certName, version)
+ logger.GetLogger(ctx, logOpt).Warnf("azure keyvault key management provider: certificate %s, version %s private key skipped. Please see doc to learn how to create a new certificate in keyvault with non exportable keys. https://learn.microsoft.com/en-us/azure/key-vault/certificates/how-to-export-certificate?tabs=azure-cli#exportable-and-non-exportable-keys", certName, version)
 case "CERTIFICATE":
 var pemData []byte
 pemData = append(pemData, pem.EncodeToMemory(block)...)
 decodedCerts, err := keymanagementprovider.DecodeCertificates(pemData)
 if err != nil {
- return nil, nil, re.ErrorCodeCertInvalid.NewError(re.CertProvider, providerName, re.EmptyLink, err, fmt.Sprintf("azure keyvault certificate provider: failed to decode Certificate %s, version %s", certName, version), re.HideStackTrace)
+ return nil, nil, re.ErrorCodeCertInvalid.NewError(re.KeyManagementProvider, providerName, re.EmptyLink, err, fmt.Sprintf("azure keyvault key management provider: failed to decode Certificate %s, version %s", certName, version), re.HideStackTrace)
 }
 for _, cert := range decodedCerts {
 results = append(results, cert)
- certProperty := getCertStatusProperty(certName, version, lastRefreshed)
+ certProperty := getStatusProperty(certName, version, lastRefreshed)
 certsStatus = append(certsStatus, certProperty)
 }
 default:
- logger.GetLogger(ctx, logOpt).Warnf("certificate '%s', version '%s': azure keyvault certificate provider detected unknown block type %s", certName, version, block.Type)
+ logger.GetLogger(ctx, logOpt).Warnf("certificate '%s', version '%s': azure keyvault key management provider detected unknown block type %s", certName, version, block.Type)
 }
 block, rest = pem.Decode(rest)
 if block == nil && len(rest) > 0 {
- return nil, nil, re.ErrorCodeCertInvalid.NewError(re.CertProvider, providerName, re.EmptyLink, nil, fmt.Sprintf("certificate '%s', version '%s': azure keyvault certificate provider error, block is nil and remaining block to parse > 0", certName, version), re.HideStackTrace)
+ return nil, nil, re.ErrorCodeCertInvalid.NewError(re.KeyManagementProvider, providerName, re.EmptyLink, nil, fmt.Sprintf("certificate '%s', version '%s': azure keyvault key management provider error, block is nil and remaining block to parse > 0", certName, version), re.HideStackTrace)
 }
 }
 logger.GetLogger(ctx, logOpt).Debugf("azurekeyvault certprovider getCertsFromSecretBundle: %v certificates parsed, Certificate '%s', version '%s'", len(results), certName, version)
 return results, certsStatus, nil
 }
+// Based on https://github.com/sigstore/sigstore/blob/8b208f7d608b80a7982b2a66358b8333b1eec542/pkg/signature/kms/azure/client.go#L258
+func getKeyFromKeyBundle(keyBundle kv.KeyBundle) (crypto.PublicKey, error) {
+ webKey := keyBundle.Key
+ if webKey == nil {
+ return nil, re.ErrorCodeKeyInvalid.NewError(re.KeyManagementProvider, providerName, re.EmptyLink, nil, "found invalid key bundle, key must not be nil", re.HideStackTrace)
+ }
+
+ keyType := webKey.Kty
+ switch keyType {
+ case kv.ECHSM:
+ webKey.Kty = kv.EC
+ case kv.RSAHSM:
+ webKey.Kty = kv.RSA
+ }
+
+ keyBytes, err := json.Marshal(webKey)
+ if err != nil {
+ return nil, re.ErrorCodeKeyInvalid.NewError(re.KeyManagementProvider, providerName, re.EmptyLink, err, "failed to marshal key", re.HideStackTrace)
+ }
+
+ key := jose.JSONWebKey{}
+ err = key.UnmarshalJSON(keyBytes)
+ if err != nil {
+ return nil, re.ErrorCodeKeyInvalid.NewError(re.KeyManagementProvider, providerName, re.EmptyLink, err, "failed to unmarshal key into JSON Web Key", re.HideStackTrace)
+ }
+
+ return key.Key, nil
+}
+
 // getObjectVersion parses the id to retrieve the version
 // of object fetched
 // example id format - https://kindkv.vault.azure.net/secrets/actual/1f304204f3624873aab40231241243eb
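Review bot: `getKeyFromKeyBundle` returns `key.Key` as `crypto.PublicKey` — an alias for `any` — without checking that go-jose actually produced a public key: a JWK carrying private parameters would come back as a private-key value and an `oct` key as `[]byte`, and either would be stored in `keysMap` only to fail later inside signature verification with a far less useful error. Reject anything that is not an accepted public key type at load time, e.g. `if !key.IsPublic() { return nil, re.ErrorCodeKeyInvalid.NewError(re.KeyManagementProvider, providerName, re.EmptyLink, nil, "key is not a public key", re.HideStackTrace) }` followed by a type switch on `*rsa.PublicKey` / `*ecdsa.PublicKey`; Key Vault should only hand back public material on GetKey, so this is defence in depth against a misconfigured key type. The `switch` also mutates `webKey.Kty` through the pointer held by the caller's `kv.KeyBundle`, a side effect TestGetKeyFromKeyBundle would not notice; copying `*webKey` into a local before editing avoids it, and `keyType := webKey.Kty` can then fold into `switch local.Kty`.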
@@ -297,25 +343,29 @@ func getObjectVersion(id string) string {
 return splitID[len(splitID)-1]
 }
-// validate checks vaultURI, tenantID, clientID are set and all certificates have a name
-// removes all whitespace from key vault certificate fields
+// validate checks vaultURI, tenantID, clientID are set and all certificates/keys have a name
 func (s *akvKMProvider) validate() error {
 if s.vaultURI == "" {
- return re.ErrorCodeConfigInvalid.NewError(re.CertProvider, providerName, re.EmptyLink, nil, "vaultURI is not set", re.HideStackTrace)
+ return re.ErrorCodeConfigInvalid.NewError(re.KeyManagementProvider, providerName, re.EmptyLink, nil, "vaultURI is not set", re.HideStackTrace)
 }
 if s.tenantID == "" {
- return re.ErrorCodeConfigInvalid.NewError(re.CertProvider, providerName, re.EmptyLink, nil, "tenantID is not set", re.HideStackTrace)
+ return re.ErrorCodeConfigInvalid.NewError(re.KeyManagementProvider, providerName, re.EmptyLink, nil, "tenantID is not set", re.HideStackTrace)
 }
 if s.clientID == "" {
- return re.ErrorCodeConfigInvalid.NewError(re.CertProvider, providerName, re.EmptyLink, nil, "clientID is not set", re.HideStackTrace)
+ return re.ErrorCodeConfigInvalid.NewError(re.KeyManagementProvider, providerName, re.EmptyLink, nil, "clientID is not set", re.HideStackTrace)
 }
 // all certificates must have a name
 for i := range s.certificates {
- // remove whitespace from all fields in key vault cert
- formatKeyVaultCertificate(&s.certificates[i])
 if s.certificates[i].Name == "" {
- return re.ErrorCodeConfigInvalid.NewError(re.CertProvider, providerName, re.EmptyLink, nil, fmt.Sprintf("certificate name is not set for certificate %d", i), re.HideStackTrace)
+ return re.ErrorCodeConfigInvalid.NewError(re.KeyManagementProvider, providerName, re.EmptyLink, nil, fmt.Sprintf("name is not set for the %d th certificate", i+1), re.HideStackTrace)
+ }
+ }
+
+ // all keys must have a name
+ for i := range s.keys {
+ if s.keys[i].Name == "" {
+ return re.ErrorCodeConfigInvalid.NewError(re.KeyManagementProvider, providerName, re.EmptyLink, nil, fmt.Sprintf("name is not set for the %d th key", i+1), re.HideStackTrace)
 }
 }
diff --git a/pkg/keymanagementprovider/azurekeyvault/provider_test.go b/pkg/keymanagementprovider/azurekeyvault/provider_test.go
index f850bf0b6..fc9730cad 100644
--- a/pkg/keymanagementprovider/azurekeyvault/provider_test.go
+++ b/pkg/keymanagementprovider/azurekeyvault/provider_test.go
@@ -19,7 +19,7 @@ package azurekeyvault
 // Source: https://github.com/Azure/secrets-store-csi-driver-provider-azure/tree/release-1.4/pkg/provider
 import (
 "context"
- "reflect"
+ "crypto"
 "strings"
 "testing"
 "time"
@@ -53,47 +53,6 @@ func TestParseAzureEnvironment(t *testing.T) {
 }
 }
-// TestFormatKeyVaultCertificate tests the formatKeyVaultCertificate function
-func TestFormatKeyVaultCertificate(t *testing.T) {
- cases := []struct {
- desc string
- keyVaultObject types.KeyVaultCertificate
- expectedKeyVaultObject types.KeyVaultCertificate
- }{
- {
- desc: "leading and trailing whitespace trimmed from all fields",
- keyVaultObject: types.KeyVaultCertificate{
- Name: "cert1 ",
- Version: "",
- },
- expectedKeyVaultObject: types.KeyVaultCertificate{
- Name: "cert1",
- Version: "",
- },
- },
- {
- desc: "no data loss for already sanitized object",
- keyVaultObject: types.KeyVaultCertificate{
- Name: "cert1",
- Version: "version1",
- },
- expectedKeyVaultObject: types.KeyVaultCertificate{
- Name: "cert1",
- Version: "version1",
- },
- },
- }
-
- for i, tc := range cases {
- t.Run(tc.desc, func(t *testing.T) {
- formatKeyVaultCertificate(&cases[i].keyVaultObject)
- if !reflect.DeepEqual(cases[i].keyVaultObject, tc.expectedKeyVaultObject) {
- t.Fatalf("expected: %+v, but got: %+v", tc.expectedKeyVaultObject, cases[i].keyVaultObject)
- }
- })
- }
-}
-
 func SkipTestInitializeKVClient(t *testing.T) {
 testEnvs := []azure.Environment{
 azure.PublicCloud,
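Review bot: With `formatKeyVaultCertificate` removed, `validate()` no longer trims whitespace from certificate or key names, so a name of `" "` passes the `== ""` check and reaches Key Vault as a request for a blank object — unless `types.KeyVaultValue` now trims during decoding in the types.go hunk that lies outside this view, which is worth confirming; otherwise `s.certificates[i].Name = strings.TrimSpace(s.certificates[i].Name)` before each check matches how `clientID`/`cloudName` are trimmed in `Create`. The new messages read `"name is not set for the %d th certificate"`, which renders as `1 th`; `fmt.Sprintf("name is not set for certificate at index %d", i)` avoids the ordinal, and the same applies to the key loop. The deleted TestFormatKeyVaultCertificate was the only coverage of trimming, so whichever layer now owns it should regain a test.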
@@ -164,7 +123,7 @@ func TestCreate(t *testing.T) {
 expectErr: true,
 },
 {
- name: "certificates array not set",
+ name: "certificates & keys array not set",
 config: config.KeyManagementProviderConfig{
 "vaultUri": "https://testkv.vault.azure.net/",
 "tenantID": "tid",
@@ -197,9 +156,26 @@ func TestCreate(t *testing.T) {
 },
 expectErr: true,
 },
+ {
+ name: "invalid key name",
+ config: config.KeyManagementProviderConfig{
+ "vaultUri": "https://testkv.vault.azure.net/",
+ "tenantID": "tid",
+ "clientID": "clientid",
+ "keys": []map[string]interface{}{
+ {
+ "name": "",
+ },
+ },
+ },
+ expectErr: true,
+ },
 }
 for _, tc := range testCases {
 t.Run(tc.name, func(t *testing.T) {
+ initKVClient = func(ctx context.Context, keyVaultEndpoint, tenantID, clientID string) (*kv.BaseClient, error) {
+ return &kv.BaseClient{}, nil
+ }
 _, err := factory.Create("v1", tc.config, "")
 if tc.expectErr != (err != nil) {
 t.Fatalf("error = %v, expectErr = %v", err, tc.expectErr)
@@ -234,8 +210,36 @@ func TestGetCertificates(t *testing.T) {
 assert.Nil(t, certStatus)
 }
-// TestGetCertStatusMap tests the getCertStatusMap function
-func TestGetCertStatusMap(t *testing.T) {
+// TestGetKeys tests the GetKeys function
+func TestGetKeys(t *testing.T) {
+ factory := &akvKMProviderFactory{}
+ config := config.KeyManagementProviderConfig{
+ "vaultUri": "https://testkv.vault.azure.net/",
+ "tenantID": "tid",
+ "clientID": "clientid",
+ "keys": []map[string]interface{}{
+ {
+ "name": "key1",
+ },
+ },
+ }
+
+ initKVClient = func(ctx context.Context, keyVaultEndpoint, tenantID, clientID string) (*kv.BaseClient, error) {
+ return &kv.BaseClient{}, nil
+ }
+ provider, err := factory.Create("v1", config, "")
+ if err != nil {
+ t.Fatalf("expected no err but got error = %v", err)
+ }
+
+ keys, keyStatus, err := provider.GetKeys(context.Background())
+ assert.NotNil(t, err)
+ assert.Nil(t, keys)
+ assert.Nil(t, keyStatus)
+}
+
+// TestGetStatusMap tests the getStatusMap function
+func TestGetStatusMap(t *testing.T) {
 certsStatus := []map[string]string{}
 certsStatus = append(certsStatus, map[string]string{
 "CertName": "Cert1",
@@ -246,7 +250,7 @@ func TestGetCertStatusMap(t *testing.T) {
 "CertVersion": "VersionEDF",
 })
- actual := getCertStatusMap(certsStatus)
+ actual := getStatusMap(certsStatus, types.CertificatesStatus)
 assert.NotNil(t, actual[types.CertificatesStatus])
 }
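Review bot: TestGetKeys passes only because `GetKeys` on an empty `kv.BaseClient{}` fails — as far as I can tell by attempting a real request against `https://testkv.vault.azure.net/` and hitting a DNS, network or authorization failure — so the assertion depends on the test host's network environment rather than on the code under test, and a sandboxed runner that intercepts egress could make it hang or pass for the wrong reason; the same pattern exists in `TestGetCertificates` just above. A deterministic version points the mock client at an `httptest.Server` (through the BaseClient's `BaseURI` and `Sender`) that returns a canned key bundle, which would also let the test cover the success path that currently has no coverage anywhere. The mock closure here and in TestCreate ignores all four parameters; naming them `_` makes that intent visible.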
@@ -258,16 +262,16 @@ func TestGetObjectVersion(t *testing.T) { assert.Equal(t, expectedVersion, actual) } -// TestGetCertStatus tests the getCertStatusProperty function -func TestGetCertStatusProperty(t *testing.T) { +// TestGetStatus tests the getStatusProperty function +func TestGetStatusProperty(t *testing.T) { timeNow := time.Now().String() certName := "certName" certVersion := "versionABC" - status := getCertStatusProperty(certName, certVersion, timeNow) - assert.Equal(t, certName, status[types.CertificateName]) - assert.Equal(t, timeNow, status[types.CertificateLastRefreshed]) - assert.Equal(t, certVersion, status[types.CertificateVersion]) + status := getStatusProperty(certName, certVersion, timeNow) + assert.Equal(t, certName, status[types.StatusName]) + assert.Equal(t, timeNow, status[types.StatusLastRefreshed]) + assert.Equal(t, certVersion, status[types.StatusVersion]) } // TestGetCertsFromSecretBundle tests the getCertsFromSecretBundle function 
@@ -335,3 +339,150 @@ func TestGetCertsFromSecretBundle(t *testing.T) {
 })
 }
 }
+
+func TestGetKeyFromKeyBundle(t *testing.T) {
+ cases := []struct {
+ desc string
+ keyBundle kv.KeyBundle
+ expectedErr bool
+ output crypto.PublicKey
+ }{
+ {
+ desc: "no key in key bundle",
+ keyBundle: kv.KeyBundle{
+ Key: nil,
+ },
+ expectedErr: true,
+ output: nil,
+ },
+ {
+ desc: "invalid key in key bundle",
+ keyBundle: kv.KeyBundle{
+ Key: &kv.JSONWebKey{},
+ },
+ expectedErr: true,
+ output: nil,
+ },
+ }
+ for _, tc := range cases {
+ t.Run(tc.desc, func(t *testing.T) {
+ key, err := getKeyFromKeyBundle(tc.keyBundle)
+ if tc.expectedErr {
+ assert.NotNil(t, err)
+ assert.Nil(t, key)
+ } else {
+ assert.Nil(t, err)
+ assert.NotNil(t, key)
+ }
+ if tc.output != nil {
+ assert.Equal(t, tc.output, key)
+ }
+ })
+ }
+}
+
+func TestValidate(t *testing.T) {
+ vaultURI := "https://test.vault.azure.net"
+ tenantID := "testTenantID"
+ clientID := "testClientID"
+ validTestCerts := []types.KeyVaultValue{
+ {
+ Name: "testCert",
+ Version: "testVersion",
+ },
+ }
+ validTestKeys := []types.KeyVaultValue{
+ {
+ Name: "testKey",
+ Version: "testVersion",
+ },
+ }
+
+ cases := []struct {
+ desc string
+ provider akvKMProvider
+ expectedErr bool
+ }{
+ {
+ desc: "Valid Provider",
+ expectedErr: false,
+ provider: akvKMProvider{
+ vaultURI: vaultURI,
+ tenantID: tenantID,
+ clientID: clientID,
+ certificates: validTestCerts,
+ keys: validTestKeys,
+ },
+ },
+ {
+ desc: "Missing Vault URI",
+ expectedErr: true,
+ provider: akvKMProvider{
+ tenantID: tenantID,
+ clientID: clientID,
+ certificates: validTestCerts,
+ keys: validTestKeys,
+ },
+ },
+ {
+ desc: "Missing Tenant ID",
+ expectedErr: true,
+ provider: akvKMProvider{
+ vaultURI: vaultURI,
+ clientID: clientID,
+ certificates: validTestCerts,
+ keys: validTestKeys,
+ },
+ },
+ {
+ desc: "Missing Client ID",
+ expectedErr: true,
+ provider: akvKMProvider{
+ vaultURI: vaultURI,
+ tenantID: tenantID,
+ certificates: validTestCerts,
keys: validTestKeys,
+ },
+ },
+ {
+ desc: "Missing Certificate Name",
+ expectedErr: true,
+ provider: akvKMProvider{
+ vaultURI: vaultURI,
+ tenantID: tenantID,
+ clientID: clientID,
+ keys: validTestKeys,
+ certificates: []types.KeyVaultValue{
+ {
+ Version: "testVersion",
+ },
+ },
+ },
+ },
+ {
+ desc: "Missing Key Name",
+ expectedErr: true,
+ provider: akvKMProvider{
+ vaultURI: vaultURI,
+ tenantID: tenantID,
+ clientID: clientID,
+ certificates: validTestCerts,
+ keys: []types.KeyVaultValue{
+ {
+ Version: "testVersion",
+ },
+ },
+ },
+ },
+ }
+ for _, tc := range cases {
+ t.Run(tc.desc, func(t *testing.T) {
+ err := tc.provider.validate()
+ if tc.expectedErr {
+ assert.NotNil(t, err)
+ } else {
+ assert.Nil(t, err)
+ }
+ })
+ }
+}
diff --git a/pkg/keymanagementprovider/azurekeyvault/types/types.go b/pkg/keymanagementprovider/azurekeyvault/types/types.go
index f6caa11ba..5cde59583 100644
--- a/pkg/keymanagementprovider/azurekeyvault/types/types.go
+++ b/pkg/keymanagementprovider/azurekeyvault/types/types.go
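Review bot: Both cases in TestGetKeyFromKeyBundle set `expectedErr: true`, so the `else` branch (`assert.Nil(t, err); assert.NotNil(t, key)`) and the `tc.output != nil` comparison are never executed, and the success path of getKeyFromKeyBundle — the reason the function exists — is untested. Add a case with a populated `kv.JSONWebKey` and a non-nil `output`; which fields must be set depends on getKeyFromKeyBundle, which is outside this hunk. TestValidate has no case where both `certificates` and `keys` are empty, so whether validate() accepts a provider that references nothing is left unspecified by the tests; one case either way would pin it.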
@@ -19,18 +19,20 @@ const (
 CertificateType = "CERTIFICATE"
 // key of the certificate status property
 CertificatesStatus = "Certificates"
+ // key of the key status property
+ KeysStatus = "Keys"
 // Static string for certificate name for the certificate status property
- CertificateName = "Name"
+ StatusName = "Name"
 // Certificate version string for the certificate status property
- CertificateVersion = "Version"
+ StatusVersion = "Version"
 // Last refreshed string for the certificate status property
- CertificateLastRefreshed = "LastRefreshed"
+ StatusLastRefreshed = "LastRefreshed"
 )
-// KeyVaultCertificate holds keyvault certificate related config
-type KeyVaultCertificate struct {
- // the name of the Azure Key Vault certificate
+// KeyVaultValue holds keyvault certificate/key related config
+type KeyVaultValue struct {
+ // the name of the Azure Key Vault certificate/key
 Name string `json:"name" yaml:"name"`
- // the version of the Azure Key Vault certificate
+ // the version of the Azure Key Vault certificate/key
 Version string `json:"version" yaml:"version"`
 }
diff --git a/pkg/keymanagementprovider/inline/provider.go b/pkg/keymanagementprovider/inline/provider.go
index 4a480d603..f14335658 100644
--- a/pkg/keymanagementprovider/inline/provider.go
+++ b/pkg/keymanagementprovider/inline/provider.go
@@ -17,8 +17,10 @@ package inline
 import (
 "context"
+ "crypto"
 "crypto/x509"
 "encoding/json"
+ "fmt"
 "github.com/deislabs/ratify/errors"
 "github.com/deislabs/ratify/pkg/keymanagementprovider"
@@ -32,6 +34,7 @@ const (
 providerName string = "inline"
 certificateContentType string = "certificate"
 certificatesMapKey string = "certs"
+ keyContentType string = "key"
 )
 //nolint:revive
@@ -43,6 +46,7 @@ type InlineKMProviderConfig struct {
 type inlineKMProvider struct {
 certs map[keymanagementprovider.KMPMapKey][]*x509.Certificate
+ keys map[keymanagementprovider.KMPMapKey]crypto.PublicKey
 contentType string
 }
 type inlineKMProviderFactory struct{}
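Review bot: The comments on the renamed StatusName, StatusVersion and StatusLastRefreshed constants still describe them as certificate-only ("Static string for certificate name for the certificate status property") even though the rename exists because the same keys now populate the key status map introduced with KeysStatus. Update them to match the new scope, e.g. `// Name string for the certificate/key status property`, `// Version string for the certificate/key status property` and `// Last refreshed string for the certificate/key status property`.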
@@ -70,26 +74,43 @@ func (f *inlineKMProviderFactory) Create(_ string, keyManagementProviderConfig c
 return nil, errors.ErrorCodeConfigInvalid.WithComponentType(errors.KeyManagementProvider).WithDetail("contentType parameter is not set")
 }
- // only support certificate content type for now
- if conf.ContentType != certificateContentType {
- return nil, errors.ErrorCodeConfigInvalid.WithComponentType(errors.KeyManagementProvider).WithDetail("contentType parameter is not set to 'certificate'")
- }
-
 if conf.Value == "" {
 return nil, errors.ErrorCodeConfigInvalid.WithComponentType(errors.KeyManagementProvider).WithDetail("value parameter is not set")
 }
- certs, err := keymanagementprovider.DecodeCertificates([]byte(conf.Value))
- if err != nil {
- return nil, errors.ErrorCodeCertInvalid.WithComponentType(errors.KeyManagementProvider)
- }
- certMap := map[keymanagementprovider.KMPMapKey][]*x509.Certificate{
- {}: certs,
+ var certMap map[keymanagementprovider.KMPMapKey][]*x509.Certificate
+ var keyMap map[keymanagementprovider.KMPMapKey]crypto.PublicKey
+
+ switch conf.ContentType {
+ case certificateContentType:
+ certs, err := keymanagementprovider.DecodeCertificates([]byte(conf.Value))
+ if err != nil {
+ return nil, errors.ErrorCodeCertInvalid.WithComponentType(errors.KeyManagementProvider)
+ }
+ certMap = map[keymanagementprovider.KMPMapKey][]*x509.Certificate{
+ {}: certs,
+ }
+ case keyContentType:
+ key, err := keymanagementprovider.DecodeKey([]byte(conf.Value))
+ if err != nil {
+ return nil, errors.ErrorCodeKeyInvalid.WithComponentType(errors.KeyManagementProvider)
+ }
+ keyMap = map[keymanagementprovider.KMPMapKey]crypto.PublicKey{
+ {}: key,
+ }
+ default:
+ return nil, errors.ErrorCodeConfigInvalid.WithComponentType(errors.KeyManagementProvider).WithDetail(fmt.Sprintf("content type %s is not supported", conf.ContentType))
 }
- return &inlineKMProvider{certs: certMap, contentType: conf.ContentType}, nil
+
+ return &inlineKMProvider{certs: certMap, keys:
keyMap, contentType: conf.ContentType}, nil
 }
 // GetCertificates returns previously fetched certificates
 func (s *inlineKMProvider) GetCertificates(_ context.Context) (map[keymanagementprovider.KMPMapKey][]*x509.Certificate, keymanagementprovider.KeyManagementProviderStatus, error) {
 return s.certs, nil, nil
 }
+
+// GetKeys returns previously fetched keys
+func (s *inlineKMProvider) GetKeys(_ context.Context) (map[keymanagementprovider.KMPMapKey]crypto.PublicKey, keymanagementprovider.KeyManagementProviderStatus, error) {
+ return s.keys, nil, nil
+}
diff --git a/pkg/keymanagementprovider/keymanagementprovider.go b/pkg/keymanagementprovider/keymanagementprovider.go
index 8478480ab..b0731f342 100644
--- a/pkg/keymanagementprovider/keymanagementprovider.go
+++ b/pkg/keymanagementprovider/keymanagementprovider.go
@@ -17,11 +17,13 @@ package keymanagementprovider
 import (
 "context"
+ "crypto"
 "crypto/x509"
 "encoding/pem"
 "sync"
 "github.com/deislabs/ratify/errors"
+ "github.com/sigstore/sigstore/pkg/cryptoutils"
 )
 // This is a map of properties for fetched certificates/keys
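Review bot: In the `case keyContentType` branch the error from DecodeKey is discarded and replaced by a bare `ErrorCodeKeyInvalid`, although DecodeKey (in the keymanagementprovider hunk of this same diff) already returns an ErrorCodeKeyInvalid that carries the parse failure via WithError; returning `err` unchanged, or `errors.ErrorCodeKeyInvalid.WithComponentType(errors.KeyManagementProvider).WithError(err)`, keeps the cause for an operator debugging a rejected inline key. The `default` branch formats a config-supplied value with `%s`; `fmt.Sprintf("content type %q is not supported", conf.ContentType)` makes an empty or whitespace-only value visible in the message. Create's signature and the config decoding above it are outside this hunk.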
@@ -40,11 +42,25 @@ type KMPMapKey struct {
 type KeyManagementProvider interface {
 // Returns an array of certificates and the provider specific cert attributes
 GetCertificates(ctx context.Context) (map[KMPMapKey][]*x509.Certificate, KeyManagementProviderStatus, error)
+ // Returns an array of keys and the provider specific key attributes
+ GetKeys(ctx context.Context) (map[KMPMapKey]crypto.PublicKey, KeyManagementProviderStatus, error)
 }
-// static concurreny-safe map to store certificates fetched from key management provider
+// static concurrency-safe map to store certificates fetched from key management provider
+// layout:
+//
+// map["/"] = map[KMPMapKey][]*x509.Certificate
+// where KMPMapKey is dimensioned by the name and version of the certificate.
+// Array of x509 Certificates for certificate chain scenarios
 var certificatesMap sync.Map
+// static concurrency-safe map to store keys fetched from key management provider
+// layout:
+//
+// map["/"] = map[KMPMapKey]PublicKey
+// where KMPMapKey is dimensioned by the name and version of the public key.
+var keyMap sync.Map
+
 // DecodeCertificates decodes PEM-encoded bytes into an x509.Certificate chain.
 func DecodeCertificates(value []byte) ([]*x509.Certificate, error) {
 var certs []*x509.Certificate
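Review bot: GetKeys is added to the exported KeyManagementProvider interface, so any implementation outside this diff stops satisfying it, and the interface comment does not say what a provider without key support should return; the inline provider returns a nil map when configured for certificates while GetKeysFromMap returns an empty map, so callers will see both unless the contract is stated. Suggested comment in place of the added line: `// GetKeys returns the fetched public keys keyed by name/version and the provider-specific key attributes; providers without keys return an empty map and no error.` The `// Returns an array of keys ...` wording also describes a map, as does the existing GetCertificates comment.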
@@ -70,6 +86,17 @@ func DecodeCertificates(value []byte) ([]*x509.Certificate, error) {
 return certs, nil
 }
+// DecodeKey takes in a PEM encoded byte array and returns a public key
+// PEM encoded byte array is expected to be a single public key. If multiple
+// are provided, the first one is returned
+func DecodeKey(value []byte) (crypto.PublicKey, error) {
+ pk, err := cryptoutils.UnmarshalPEMToPublicKey(value)
+ if err != nil {
+ return nil, errors.ErrorCodeKeyInvalid.WithComponentType(errors.KeyManagementProvider).WithDetail("error parsing public key").WithError(err)
+ }
+ return pk, nil
+}
+
 // SetCertificatesInMap sets the certificates in the map
 // it is concurrency-safe
 func SetCertificatesInMap(resource string, certs map[KMPMapKey][]*x509.Certificate) {
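Review bot: DecodeKey's comment says the first key is returned when several are provided, but the function delegates entirely to cryptoutils.UnmarshalPEMToPublicKey, and nothing here pins which PEM block types or key algorithms are accepted, which is what a caller choosing what to put in an inline `value` needs to know. State it from the sigstore behaviour relied on, e.g. `// DecodeKey parses the first PEM block in value via sigstore's cryptoutils.UnmarshalPEMToPublicKey; accepted block types and key algorithms are those supported by that function.` The returned crypto.PublicKey is untyped, so any algorithm or key-size restriction has to be enforced by the verifier that consumes it; a sentence saying DecodeKey performs no such check would stop readers assuming otherwise.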
@@ -93,9 +120,37 @@ func DeleteCertificatesFromMap(resource string) {
 // FlattenKMPMap flattens the map of certificates fetched for a single key management provider resource and returns a single array
 func FlattenKMPMap(certMap map[KMPMapKey][]*x509.Certificate) []*x509.Certificate {
- var certs []*x509.Certificate
- for _, v := range certMap {
- certs = append(certs, v...)
+ var items []*x509.Certificate
+ for _, val := range certMap {
+ items = append(items, val...)
+ }
+ return items
+}
+
+// FlattenKMPMapKeys flattens the map of keys fetched for a single key management provider resource and returns a single array
+func FlattenKMPMapKeys(keyMap map[KMPMapKey]crypto.PublicKey) []crypto.PublicKey {
+ items := []crypto.PublicKey{}
+ for _, val := range keyMap {
+ items = append(items, val)
 }
- return certs
+ return items
+}
+
+// SetKeysInMap sets the keys in the map
+func SetKeysInMap(resource string, keys map[KMPMapKey]crypto.PublicKey) {
+ keyMap.Store(resource, keys)
+}
+
+// GetKeysFromMap gets the keys from the map and returns an empty map of keys if not found
+func GetKeysFromMap(resource string) map[KMPMapKey]crypto.PublicKey {
+ keys, ok := keyMap.Load(resource)
+ if !ok {
+ return map[KMPMapKey]crypto.PublicKey{}
+ }
+ return keys.(map[KMPMapKey]crypto.PublicKey)
+}
+
+// DeleteKeysFromMap deletes the keys from the map
+func DeleteKeysFromMap(resource string) {
+ keyMap.Delete(resource)
 }
diff --git a/pkg/keymanagementprovider/keymanagementprovider_test.go b/pkg/keymanagementprovider/keymanagementprovider_test.go
index 97b300772..3607d2d98 100644
--- a/pkg/keymanagementprovider/keymanagementprovider_test.go
+++ b/pkg/keymanagementprovider/keymanagementprovider_test.go
@@ -16,6 +16,8 @@ limitations under the License.
 package keymanagementprovider
 import (
+ "crypto"
+ "crypto/rsa"
 "crypto/x509"
 "errors"
 "testing"
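Review bot: The parameter of FlattenKMPMapKeys is named `keyMap`, which shadows the package-level `var keyMap sync.Map` added earlier in this diff; it compiles, but the same identifier now means a sync.Map in SetKeysInMap/GetKeysFromMap and a plain map here, so rename the parameter, e.g. `func FlattenKMPMapKeys(keys map[KMPMapKey]crypto.PublicKey) []crypto.PublicKey {`. FlattenKMPMapKeys also starts from `[]crypto.PublicKey{}` while FlattenKMPMap keeps `var items`, so one returns an empty slice and the other nil for empty input; pick one convention. The rename of `certs`/`v` to `items`/`val` inside FlattenKMPMap changes no behaviour and could be dropped to keep the diff to the feature.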
@@ -172,3 +174,79 @@ func TestFlattenKMPMap(t *testing.T) {
 t.Fatalf("certificates should have been flattened")
 }
 }
+
+// TestSetKeysInMap checks if keys are set in the map
+func TestSetKeysInMap(t *testing.T) {
+ keyMap.Delete("test")
+ SetKeysInMap("test", map[KMPMapKey]crypto.PublicKey{{}: &rsa.PublicKey{}})
+ if _, ok := keyMap.Load("test"); !ok {
+ t.Fatalf("keysMap should have been set for key")
+ }
+}
+
+// TestGetKeysFromMap checks if keys are fetched from the map
+func TestGetKeysFromMap(t *testing.T) {
+ keyMap.Delete("test")
+ SetKeysInMap("test", map[KMPMapKey]crypto.PublicKey{{}: &rsa.PublicKey{}})
+ keys := GetKeysFromMap("test")
+ if len(keys) != 1 {
+ t.Fatalf("keys should have been fetched from the map")
+ }
+}
+
+// TestGetKeysFromMap_FailedToFetch checks if keys fail to fetch from map
+func TestGetKeysFromMap_FailedToFetch(t *testing.T) {
+ keyMap.Delete("test")
+ keys := GetKeysFromMap("test")
+ if len(keys) != 0 {
+ t.Fatalf("keys should not have been fetched from the map")
+ }
+}
+
+// TestDeleteKeysFromMap checks if key map entry is deleted from the map
+func TestDeleteKeysFromMap(t *testing.T) {
+ keyMap.Delete("test")
+ SetKeysInMap("test", map[KMPMapKey]crypto.PublicKey{{}: &rsa.PublicKey{}})
+ DeleteKeysFromMap("test")
+ if _, ok := keyMap.Load("test"); ok {
+ t.Fatalf("keysMap should have been deleted for key")
+ }
+}
+
+// TestFlattenKMPMapKeys checks if keys in map are flattened to a single array
+func TestFlattenKMPMapKeys(t *testing.T) {
+ keys := FlattenKMPMapKeys(map[KMPMapKey]crypto.PublicKey{{Name: "testkey1"}: &rsa.PublicKey{}, {Name: "testkey2"}: &rsa.PublicKey{}})
+ if len(keys) != 2 {
+ t.Fatalf("keys should have been flattened")
+ }
+}
+
+// TestDecodeKey checks if key is decoded from pem
+func TestDecodeKey(t *testing.T) {
+ validKey := `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEozC27QupU+1GvAL0tqR7bT3Vpyyf
+OSeWVmPjy6J5x8+6OIpmTs8PKQB1vTF0gErwa1gS/QaOElLaxDKy0GS9Jg==
+-----END PUBLIC KEY-----`
+ cases
:= []struct {
+ desc string
+ pemString string
+ expectedErr bool
+ }{
+ {
+ desc: "valid public key",
+ pemString: validKey,
+ expectedErr: false,
+ },
+ {
+ desc: "invalid public key",
+ pemString: "foo",
+ expectedErr: true,
+ },
+ }
+ for _, tc := range cases {
+ t.Run(tc.desc, func(t *testing.T) {
+ _, err := DecodeKey([]byte(tc.pemString))
+ assert.Equal(t, tc.expectedErr, err != nil)
+ })
+ }
+}
diff --git a/pkg/keymanagementprovider/mocks/types.go b/pkg/keymanagementprovider/mocks/types.go
index 6bbf2dc80..1a3b60ad4 100644
--- a/pkg/keymanagementprovider/mocks/types.go
+++ b/pkg/keymanagementprovider/mocks/types.go
@@ -17,6 +17,7 @@ package mocks
 import (
 "context"
+ "crypto"
 "crypto/x509"
 "github.com/deislabs/ratify/pkg/keymanagementprovider"
@@ -24,6 +25,7 @@ import (
 type TestKeyManagementProvider struct {
 certificates map[keymanagementprovider.KMPMapKey][]*x509.Certificate
+ keys map[keymanagementprovider.KMPMapKey]crypto.PublicKey
 status keymanagementprovider.KeyManagementProviderStatus
 err error
 }
@@ -31,3 +33,7 @@ type TestKeyManagementProvider struct {
 func (c *TestKeyManagementProvider) GetCertificates(_ context.Context) (map[keymanagementprovider.KMPMapKey][]*x509.Certificate, keymanagementprovider.KeyManagementProviderStatus, error) {
 return c.certificates, c.status, c.err
 }
+
+func (c *TestKeyManagementProvider) GetKeys(_ context.Context) (map[keymanagementprovider.KMPMapKey]crypto.PublicKey, keymanagementprovider.KeyManagementProviderStatus, error) {
+ return c.keys, c.status, c.err
+}
diff --git a/pkg/manager/manager.go b/pkg/manager/manager.go
index 36cd2cd09..2527f43ce 100644
--- a/pkg/manager/manager.go
+++ b/pkg/manager/manager.go
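Review bot: TestDecodeKey only asserts `err != nil`, so a decoder returning the wrong key type would pass; for the valid case keep the result and check it, e.g. `key, err := DecodeKey([]byte(tc.pemString))` followed by `_, ok := key.(*ecdsa.PublicKey)` — the embedded PEM looks like a P-256 public key judging by its prefix, which should be confirmed before hard-coding the type. Two negative cases are worth adding: empty input, and a PEM whose first block is a private key, so the test documents that DecodeKey yields a public key or an error and nothing else. TestDecodeKey uses `assert` while the sibling tests in this hunk use t.Fatalf; the import group changed in this diff does not show the assert package, so confirm it is imported elsewhere in the file.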
@@ -30,7 +30,6 @@ import (
 "github.com/deislabs/ratify/config"
 "github.com/deislabs/ratify/httpserver"
 "github.com/deislabs/ratify/pkg/featureflag"
- "github.com/deislabs/ratify/pkg/policyprovider"
 _ "github.com/deislabs/ratify/pkg/policyprovider/configpolicy" // register config policy provider
 _ "github.com/deislabs/ratify/pkg/policyprovider/regopolicy" // register rego policy provider
 _ "github.com/deislabs/ratify/pkg/referrerstore/oras" // register ORAS referrer store
@@ -49,10 +48,9 @@ import (
 configv1alpha1 "github.com/deislabs/ratify/api/v1alpha1"
 configv1beta1 "github.com/deislabs/ratify/api/v1beta1"
+ ctxUtils "github.com/deislabs/ratify/internal/context"
 "github.com/deislabs/ratify/pkg/controllers"
 ef "github.com/deislabs/ratify/pkg/executor/core"
- "github.com/deislabs/ratify/pkg/referrerstore"
- vr "github.com/deislabs/ratify/pkg/verifier"
 //+kubebuilder:scaffold:imports
 )
@@ -84,28 +82,12 @@ func StartServer(httpServerAddress, configFilePath, certDirectory, caCertFile st
 }
 // initialize server
- server, err := httpserver.NewServer(context.Background(), httpServerAddress, func() *ef.Executor {
- var activeVerifiers []vr.ReferenceVerifier
- var activeStores []referrerstore.ReferrerStore
- var activePolicyEnforcer policyprovider.PolicyProvider
+ server, err := httpserver.NewServer(context.Background(), httpServerAddress, func(ctx context.Context) *ef.Executor {
+ namespace := ctxUtils.GetNamespace(ctx)
- // check if there are active verifiers from crd controller
- if len(controllers.VerifierMap) > 0 {
- for _, value := range controllers.VerifierMap {
- activeVerifiers = append(activeVerifiers, value)
- }
- }
-
- // check if there are active stores from crd controller
- if len(controllers.StoreMap) > 0 {
- for _, value := range controllers.StoreMap {
- activeStores = append(activeStores, value)
- }
- }
-
- if !controllers.ActivePolicy.IsEmpty() {
- activePolicyEnforcer = controllers.ActivePolicy.Enforcer
- }
+ activeVerifiers := controllers.VerifierMap.GetVerifiers(namespace)
+ activePolicyEnforcer := controllers.ActivePolicies.GetPolicy(namespace)
+ activeStores := controllers.StoreMap.GetStores(namespace)
 // return executor with latest configuration
 executor := ef.Executor{
diff --git a/scripts/azure-ci-test.sh b/scripts/azure-ci-test.sh
index 15d4513b7..347be097d 100755
--- a/scripts/azure-ci-test.sh
+++ b/scripts/azure-ci-test.sh
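Review bot: The executor is now assembled from `namespace := ctxUtils.GetNamespace(ctx)`, and nothing in the hunk says what GetNamespace yields for a request carrying no namespace information, nor what GetVerifiers, GetPolicy and GetStores return for that value; since this selects the verifiers and policy that gate an admission decision, the fallback deserves a comment at that line, e.g. `// namespace is empty for requests without namespace information; the controller maps then return <cluster-wide / no> resources — see ctxUtils.GetNamespace`, filled in with the actual behaviour. The removed code handled the empty-map case explicitly before building the executor; if the new getters return nil for an unknown namespace, confirm the executor construction below (outside this hunk) treats that as "no verifiers/stores" rather than failing. StartServer starts and ends outside this hunk.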
@@ -64,11 +64,11 @@ deploy_ratify() {
 --set image.crdRepository=${REGISTRY}/test/localbuildcrd \
 --set image.tag=${TAG} \
 --set gatekeeper.version=${GATEKEEPER_VERSION} \
- --set akvCertConfig.enabled=true \
- --set akvCertConfig.vaultURI=${VAULT_URI} \
- --set akvCertConfig.certificates[0].name=${NOTATION_PEM_NAME} \
- --set akvCertConfig.certificates[1].name=${NOTATION_CHAIN_PEM_NAME} \
- --set akvCertConfig.tenantId=${TENANT_ID} \
+ --set azurekeyvault.enabled=true \
+ --set azurekeyvault.vaultURI=${VAULT_URI} \
+ --set azurekeyvault.certificates[0].name=${NOTATION_PEM_NAME} \
+ --set azurekeyvault.certificates[1].name=${NOTATION_CHAIN_PEM_NAME} \
+ --set azurekeyvault.tenantId=${TENANT_ID} \
 --set oras.authProviders.azureWorkloadIdentityEnabled=true \
 --set azureWorkloadIdentity.clientId=${IDENTITY_CLIENT_ID} \
 --set-file cosign.key=".staging/cosign/cosign.pub" \