fix: passing correct httpClient, do not use DefaultClients (#3319)

most of our deployments use custom certificates, using DefaultClient
makes it virtually impossible to make share URL feature work.

this PR fixes this behavior in the implementation.

Bonus: re-use transports inside console, will add more changes to
take custom transport inputs in subsequent PR.

.github/workflows/cross-compile.yaml

@@ -1,166 +0,0 @@
-# @format
-
-name: Cross Compile
-
-on:
-  pull_request:
-    branches:
-      - master
-    paths:
-      - go.sum
-
-# This ensures that previous jobs for the PR are canceled when the PR is
-# updated.
-concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref }}
-  cancel-in-progress: true
-
-jobs:
-  cross-compile-1:
-    name: Cross compile
-    needs:
-      - lint-job
-      - ui-assets
-      - reuse-golang-dependencies
-      - semgrep-static-code-analysis
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        go-version: [ 1.21.x ]
-        os: [ ubuntu-latest ]
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-
-      - name: Set up Go ${{ matrix.go-version }} on ${{ matrix.os }}
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ matrix.go-version }}
-          cache: true
-        id: go
-
-      - name: Build on ${{ matrix.os }}
-        env:
-          GO111MODULE: on
-          GOOS: linux
-        run: |
-          make crosscompile arg1="'linux/ppc64le linux/mips64'"
-
-  cross-compile-2:
-    name: Cross compile 2
-    needs:
-      - lint-job
-      - ui-assets
-      - reuse-golang-dependencies
-      - semgrep-static-code-analysis
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        go-version: [ 1.21.x ]
-        os: [ ubuntu-latest ]
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-      - name: Set up Go ${{ matrix.go-version }} on ${{ matrix.os }}
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ matrix.go-version }}
-          cache: true
-        id: go
-
-      - name: Build on ${{ matrix.os }}
-        env:
-          GO111MODULE: on
-          GOOS: linux
-        run: |
-          make crosscompile arg1="'linux/arm64 linux/s390x'"
-
-  cross-compile-3:
-    name: Cross compile 3
-    needs:
-      - lint-job
-      - ui-assets
-      - reuse-golang-dependencies
-      - semgrep-static-code-analysis
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        go-version: [ 1.21.x ]
-        os: [ ubuntu-latest ]
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-
-      - name: Set up Go ${{ matrix.go-version }} on ${{ matrix.os }}
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ matrix.go-version }}
-          cache: true
-        id: go
-
-      - name: Build on ${{ matrix.os }}
-        env:
-          GO111MODULE: on
-          GOOS: linux
-        run: |
-          make crosscompile arg1="'darwin/amd64 freebsd/amd64'"
-
-  cross-compile-4:
-    name: Cross compile 4
-    needs:
-      - lint-job
-      - ui-assets
-      - reuse-golang-dependencies
-      - semgrep-static-code-analysis
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        go-version: [ 1.21.x ]
-        os: [ ubuntu-latest ]
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-
-      - name: Set up Go ${{ matrix.go-version }} on ${{ matrix.os }}
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ matrix.go-version }}
-          cache: true
-        id: go
-
-      - name: Build on ${{ matrix.os }}
-        env:
-          GO111MODULE: on
-          GOOS: linux
-        run: |
-          make crosscompile arg1="'windows/amd64 linux/arm'"
-
-  cross-compile-5:
-    name: Cross compile 5
-    needs:
-      - lint-job
-      - ui-assets
-      - reuse-golang-dependencies
-      - semgrep-static-code-analysis
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        go-version: [ 1.21.x ]
-        os: [ ubuntu-latest ]
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-
-      - name: Set up Go ${{ matrix.go-version }} on ${{ matrix.os }}
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ matrix.go-version }}
-          cache: true
-        id: go
-
-      - name: Build on ${{ matrix.os }}
-        env:
-          GO111MODULE: on
-          GOOS: linux
-        run: |
-          make crosscompile arg1="'linux/386 netbsd/amd64'"

.github/workflows/jobs.yaml

@@ -105,28 +105,6 @@ jobs:
         continue-on-error: false
         run: |
           ./check-deadcode.sh
-  reuse-golang-dependencies:
-    name: reuse golang dependencies
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        go-version: [ 1.21.x ]
-        os: [ ubuntu-latest ]
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-      - name: Set up Go ${{ matrix.go-version }} on ${{ matrix.os }}
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ matrix.go-version }}
-          cache: true
-        id: go
-      - name: Build on ${{ matrix.os }}
-        env:
-          GO111MODULE: on
-          GOOS: linux
-        run: |
-          go mod download
 
   latest-minio:
     name: Build latest MinIO
@@ -140,18 +118,10 @@ jobs:
         uses: actions/checkout@v3
         with:
           repository: minio/minio
-      - uses: actions/cache@v3
-        id: minio-latest-cache
-        name: MinIO Latest Cache
-        with:
-          path: |
-            ./minio
-          key: ${{ runner.os }}-minio-latest-${{ hashFiles('./go.sum') }}
       - name: Set up Go ${{ matrix.go-version }} on ${{ matrix.os }}
         uses: actions/setup-go@v3
         with:
           go-version: ${{ matrix.go-version }}
-          cache: true
         id: go-minio
       - name: Build on ${{ matrix.os }}
         if: steps.minio-latest-cache.outputs.cache-hit != 'true'
@@ -163,7 +133,6 @@ jobs:
     needs:
       - lint-job
       - ui-assets
-      - reuse-golang-dependencies
       - semgrep-static-code-analysis
     runs-on: ${{ matrix.os }}
     strategy:
@@ -703,7 +672,6 @@ jobs:
     needs:
       - lint-job
       - ui-assets
-      - reuse-golang-dependencies
       - semgrep-static-code-analysis
     runs-on: ${{ matrix.os }}
     strategy:
@@ -740,7 +708,6 @@ jobs:
     needs:
       - lint-job
       - ui-assets
-      - reuse-golang-dependencies
       - semgrep-static-code-analysis
     runs-on: ${{ matrix.os }}
     strategy:
@@ -777,7 +744,6 @@ jobs:
     needs:
       - lint-job
       - ui-assets
-      - reuse-golang-dependencies
       - semgrep-static-code-analysis
       - latest-minio
     runs-on: ubuntu-latest
@@ -816,27 +782,23 @@ jobs:
           VERSION=`git rev-parse HEAD`;
           echo $VERSION;
           echo "Create MinIO image";
-          if [ ! -f ../minio ]; then
-              echo "minio binary not found!, so compiling..."
           make docker VERSION=$VERSION;
-          else
+
-              echo "Using binary from cache"
-              cp ../minio .
-          fi
           docker build -q --no-cache -t minio/minio:$VERSION . -f Dockerfile
           echo "Jumping back to console repository to run the integration test"
           cd $GITHUB_WORKSPACE;
           echo "We are going to use the built image on test-integration";
-          VERSION="minio/minio:$VERSION";
+          MINIO_VERSION="minio/minio:$VERSION";
-          echo $VERSION;
+          echo $MINIO_VERSION;
 
           echo "Create bucket for replication with versioning"
           echo "Download mc for Ubuntu"
           wget -q https://dl.min.io/client/mc/release/linux-amd64/mc
           echo "Change the permissions to execute mc command"
           chmod +x mc
+
           echo "Create the folder to put the all.out file"
-          make test-integration MINIO_VERSION=$VERSION;
+          make test-integration MINIO_VERSION=$MINIO_VERSION;
 
       - uses: actions/cache@v3
         id: coverage-cache
@@ -850,7 +812,6 @@ jobs:
     needs:
       - lint-job
       - ui-assets
-      - reuse-golang-dependencies
       - semgrep-static-code-analysis
     runs-on: ubuntu-latest
     steps:
@@ -866,7 +827,6 @@ jobs:
     needs:
       - lint-job
       - ui-assets
-      - reuse-golang-dependencies
       - semgrep-static-code-analysis
       - latest-minio
     runs-on: [ ubuntu-latest ]
@@ -907,20 +867,17 @@ jobs:
           VERSION=`git rev-parse HEAD`;
           echo $VERSION;
           echo "Create MinIO image";
-          if [ ! -f ../minio ]; then
-              echo "minio binary not found!, so compiling..."
           make docker VERSION=$VERSION;
-          else
+
-              echo "Using binary from cache"
-              cp ../minio .
-          fi
           docker build -q --no-cache -t minio/minio:$VERSION . -f Dockerfile
           echo "Jumping back to console repository to run the integration test"
           cd $GITHUB_WORKSPACE;
+
           echo "We are going to use the built image on test-integration";
-          VERSION="minio/minio:$VERSION";
+          MINIO_VERSION="minio/minio:$VERSION";
-          echo $VERSION;
+          echo $MINIO_VERSION;
-          make test-replication MINIO_VERSION=$VERSION;
+
+          make test-replication MINIO_VERSION=$MINIO_VERSION;
       - uses: actions/cache@v3
         id: coverage-cache-replication
         name: Coverage Cache Replication
@@ -941,7 +898,6 @@ jobs:
     needs:
       - lint-job
       - ui-assets
-      - reuse-golang-dependencies
       - semgrep-static-code-analysis
       - latest-minio
     runs-on: ubuntu-latest
@@ -981,26 +937,23 @@ jobs:
           echo "replace github.com/minio/console => ../" >> go.mod
 
           echo "updates to go.mod needed; to update it: go mod tidy"
-          go mod tidy -compat=1.19
+          go mod tidy -compat=1.21
 
           echo "Get git version to build MinIO Image";
           VERSION=`git rev-parse HEAD`;
           echo $VERSION;
           echo "Create MinIO image";
-          if [ ! -f ../minio ]; then
-              echo "minio binary not found!, so compiling..."
           make docker VERSION=$VERSION;
-          else
+
-              echo "Using binary from cache"
-              cp ../minio .
-          fi
           docker build -q --no-cache -t minio/minio:$VERSION . -f Dockerfile
           echo "Jumping back to console repository to run the integration test"
           cd $GITHUB_WORKSPACE;
+
           echo "We are going to use the built image on test-integration";
-          VERSION="minio/minio:$VERSION";
+          MINIO_VERSION="minio/minio:$VERSION";
-          echo $VERSION;
+          echo $MINIO_VERSION;
-          make test-sso-integration MINIO_VERSION=$VERSION;
+
+          make test-sso-integration MINIO_VERSION=$MINIO_VERSION;
       - uses: actions/cache@v3
         id: coverage-cache-sso
         name: Coverage Cache SSO
@@ -1089,7 +1042,7 @@ jobs:
           echo "download golang x tools"
           go mod download golang.org/x/tools
           echo "go mod tidy compat mode"
-          go mod tidy -compat=1.19
+          go mod tidy -compat=1.21
           echo "go build gocoverage.go"
           go build gocovmerge.go
           echo "put together the outs for final coverage resolution"
@@ -1201,7 +1154,6 @@ jobs:
     needs:
       - lint-job
       - ui-assets-istanbul-coverage
-      - reuse-golang-dependencies
       - semgrep-static-code-analysis
     runs-on: ${{ matrix.os }}
     strategy:
@@ -1238,6 +1190,150 @@ jobs:
         run: |
           make console
 
+  cross-compile-1:
+    name: Cross compile
+    needs:
+      - lint-job
+      - ui-assets
+      - semgrep-static-code-analysis
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        go-version: [ 1.21.x ]
+        os: [ ubuntu-latest ]
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+
+      - name: Set up Go ${{ matrix.go-version }} on ${{ matrix.os }}
+        uses: actions/setup-go@v3
+        with:
+          go-version: ${{ matrix.go-version }}
+          cache: true
+        id: go
+
+      - name: Build on ${{ matrix.os }}
+        env:
+          GO111MODULE: on
+          GOOS: linux
+        run: |
+          make crosscompile arg1="'linux/ppc64le linux/mips64'"
+
+  cross-compile-2:
+    name: Cross compile 2
+    needs:
+      - lint-job
+      - ui-assets
+      - semgrep-static-code-analysis
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        go-version: [ 1.21.x ]
+        os: [ ubuntu-latest ]
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+      - name: Set up Go ${{ matrix.go-version }} on ${{ matrix.os }}
+        uses: actions/setup-go@v3
+        with:
+          go-version: ${{ matrix.go-version }}
+          cache: true
+        id: go
+
+      - name: Build on ${{ matrix.os }}
+        env:
+          GO111MODULE: on
+          GOOS: linux
+        run: |
+          make crosscompile arg1="'linux/arm64 linux/s390x'"
+
+  cross-compile-3:
+    name: Cross compile 3
+    needs:
+      - lint-job
+      - ui-assets
+      - semgrep-static-code-analysis
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        go-version: [ 1.21.x ]
+        os: [ ubuntu-latest ]
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+
+      - name: Set up Go ${{ matrix.go-version }} on ${{ matrix.os }}
+        uses: actions/setup-go@v3
+        with:
+          go-version: ${{ matrix.go-version }}
+          cache: true
+        id: go
+
+      - name: Build on ${{ matrix.os }}
+        env:
+          GO111MODULE: on
+          GOOS: linux
+        run: |
+          make crosscompile arg1="'darwin/amd64 freebsd/amd64'"
+
+  cross-compile-4:
+    name: Cross compile 4
+    needs:
+      - lint-job
+      - ui-assets
+      - semgrep-static-code-analysis
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        go-version: [ 1.21.x ]
+        os: [ ubuntu-latest ]
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+
+      - name: Set up Go ${{ matrix.go-version }} on ${{ matrix.os }}
+        uses: actions/setup-go@v3
+        with:
+          go-version: ${{ matrix.go-version }}
+          cache: true
+        id: go
+
+      - name: Build on ${{ matrix.os }}
+        env:
+          GO111MODULE: on
+          GOOS: linux
+        run: |
+          make crosscompile arg1="'windows/amd64 linux/arm'"
+
+  cross-compile-5:
+    name: Cross compile 5
+    needs:
+      - lint-job
+      - ui-assets
+      - semgrep-static-code-analysis
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        go-version: [ 1.21.x ]
+        os: [ ubuntu-latest ]
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+
+      - name: Set up Go ${{ matrix.go-version }} on ${{ matrix.os }}
+        uses: actions/setup-go@v3
+        with:
+          go-version: ${{ matrix.go-version }}
+          cache: true
+        id: go
+
+      - name: Build on ${{ matrix.os }}
+        env:
+          GO111MODULE: on
+          GOOS: linux
+        run: |
+          make crosscompile arg1="'linux/386 netbsd/amd64'"
+          
   playwright:
     needs:
       - compile-binary-istanbul-coverage

api/admin_info.go

@@ -994,8 +994,6 @@ func unmarshalPrometheus(ctx context.Context, httpClnt *http.Client, endpoint st
 }
 
 func testPrometheusURL(ctx context.Context, url string) bool {
-	clientIP := utils.ClientIPFromContext(ctx)
-	httpClnt := GetConsoleHTTPClient(url, clientIP)
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url+"/-/healthy", nil)
 	if err != nil {
 		ErrorWithContext(ctx, fmt.Errorf("error Building Request: (%v)", err))
@@ -1003,11 +1001,13 @@ func testPrometheusURL(ctx context.Context, url string) bool {
 	}
 
 	prometheusBearer := getPrometheusAuthToken()
-
 	if prometheusBearer != "" {
 		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", prometheusBearer))
 	}
 
+	clientIP := utils.ClientIPFromContext(ctx)
+	httpClnt := GetConsoleHTTPClient(clientIP)
+
 	response, err := httpClnt.Do(req)
 	if err != nil {
 		ErrorWithContext(ctx, fmt.Errorf("default Prometheus URL not reachable, trying root testing: (%v)", err))
@@ -1050,7 +1050,7 @@ func getWidgetDetails(ctx context.Context, prometheusURL string, selector string
 		return nil, ErrorWithContext(ctx, errors.New("prometheus URL is unreachable"))
 	}
 	clientIP := utils.ClientIPFromContext(ctx)
-	httpClnt := GetConsoleHTTPClient(prometheusURL, clientIP)
+	httpClnt := GetConsoleHTTPClient(clientIP)
 
 	labelResultsCh := make(chan LabelResults)
 

api/admin_releases.go

@@ -97,7 +97,7 @@ func getReleases(endpoint, repo, currentRelease, search, filter, clientIP string
 	req.URL.RawQuery = q.Encode()
 	req.Header.Set("Content-Type", "application/json")
 
-	client := GetConsoleHTTPClient("", clientIP)
+	client := GetConsoleHTTPClient(clientIP)
 	client.Timeout = time.Second * 5
 
 	resp, err := client.Do(req)

api/admin_subnet.go

@@ -96,7 +96,7 @@ func SubnetRegisterWithAPIKey(ctx context.Context, minioClient MinioAdmin, apiKe
 		return false, err
 	}
 	clientIP := utils.ClientIPFromContext(ctx)
-	registerResult, err := subnet.Register(GetConsoleHTTPClient("", clientIP), serverInfo, apiKey, "", "")
+	registerResult, err := subnet.Register(GetConsoleHTTPClient(clientIP), serverInfo, apiKey, "", "")
 	if err != nil {
 		return false, err
 	}
@@ -199,7 +199,6 @@ func SubnetLoginWithMFA(client xhttp.ClientI, username, mfaToken, otp string) (*
 // GetSubnetHTTPClient will return a client with proxy if configured, otherwise will return the default console http client
 func GetSubnetHTTPClient(ctx context.Context, minioClient MinioAdmin) (*xhttp.Client, error) {
 	clientIP := utils.ClientIPFromContext(ctx)
-	subnetHTTPClient := GetConsoleHTTPClient("", clientIP)
 	subnetKey, err := GetSubnetKeyFromMinIOConfig(ctx, minioClient)
 	if err != nil {
 		return nil, err
@@ -209,18 +208,24 @@ func GetSubnetHTTPClient(ctx context.Context, minioClient MinioAdmin) (*xhttp.Cl
 	if subnetKey.Proxy != "" {
 		proxy = subnetKey.Proxy
 	}
+
+	tr := GlobalTransport.Clone()
 	if proxy != "" {
-		subnetProxyURL, err := url.Parse(proxy)
+		u, err := url.Parse(proxy)
 		if err != nil {
 			return nil, err
 		}
-		subnetHTTPClient.Transport.(*ConsoleTransport).Transport.Proxy = http.ProxyURL(subnetProxyURL)
+		tr.Proxy = http.ProxyURL(u)
 	}
 
-	clientI := &xhttp.Client{
+	return &xhttp.Client{
-		Client: subnetHTTPClient,
+		Client: &http.Client{
-	}
+			Transport: &ConsoleTransport{
-	return clientI, nil
+				Transport: tr,
+				ClientIP:  clientIP,
+			},
+		},
+	}, nil
 }
 
 func GetSubnetLoginWithMFAResponse(session *models.Principal, params subnetApi.SubnetLoginMFAParams) (*models.SubnetLoginResponse, *CodedAPIError) {
@@ -322,7 +327,7 @@ func GetSubnetInfoResponse(session *models.Principal, params subnetApi.SubnetInf
 	defer cancel()
 	clientIP := utils.ClientIPFromContext(ctx)
 	client := &xhttp.Client{
-		Client: GetConsoleHTTPClient("", clientIP),
+		Client: GetConsoleHTTPClient(clientIP),
 	}
 	// license gets seeded to us by MinIO
 	seededLicense := os.Getenv(EnvSubnetLicense)

api/client-admin.go

@@ -24,6 +24,7 @@ import (
 	"net"
 	"net/http"
 	"net/url"
+	"regexp"
 	"strings"
 	"time"
 
@@ -213,11 +214,11 @@ func (ac AdminClient) listPolicies(ctx context.Context) (map[string]*iampolicy.P
 
 // implements madmin.ListCannedPolicies()
 func (ac AdminClient) getPolicy(ctx context.Context, name string) (*iampolicy.Policy, error) {
-	praw, err := ac.Client.InfoCannedPolicy(ctx, name)
+	info, err := ac.Client.InfoCannedPolicyV2(ctx, name)
 	if err != nil {
 		return nil, err
 	}
-	return iampolicy.ParseConfig(bytes.NewReader(praw))
+	return iampolicy.ParseConfig(bytes.NewReader(info.Policy))
 }
 
 // implements madmin.RemoveCannedPolicy()
@@ -236,6 +237,7 @@ func (ac AdminClient) addPolicy(ctx context.Context, name string, policy *iampol
 
 // implements madmin.SetPolicy()
 func (ac AdminClient) setPolicy(ctx context.Context, policyName, entityName string, isGroup bool) error {
+	// nolint:staticcheck // ignore SA1019
 	return ac.Client.SetPolicy(ctx, policyName, entityName, isGroup)
 }
 
@@ -468,7 +470,7 @@ func newAdminFromClaims(claims *models.Principal, clientIP string) (*madmin.Admi
 		return nil, err
 	}
 	adminClient.SetAppInfo(globalAppName, pkg.Version)
-	adminClient.SetCustomTransport(GetConsoleHTTPClient(getMinIOServer(), clientIP).Transport)
+	adminClient.SetCustomTransport(PrepareSTSClientTransport(clientIP))
 	return adminClient, nil
 }
 
@@ -487,8 +489,8 @@ func newAdminFromCreds(accessKey, secretKey, endpoint string, tlsEnabled bool) (
 
 // isLocalAddress returns true if the url contains an IPv4/IPv6 hostname
 // that points to the local machine - FQDN are not supported
-func isLocalIPEndpoint(addr string) bool {
+func isLocalIPEndpoint(endpoint string) bool {
-	u, err := url.Parse(addr)
+	u, err := url.Parse(endpoint)
 	if err != nil {
 		return false
 	}
@@ -501,6 +503,9 @@ func isLocalIPAddress(ipAddr string) bool {
 	if ipAddr == "" {
 		return false
 	}
+	if ipAddr == "localhost" {
+		return true
+	}
 	ip := net.ParseIP(ipAddr)
 	return ip != nil && ip.IsLoopback()
 }
@@ -508,43 +513,75 @@ func isLocalIPAddress(ipAddr string) bool {
 // GetConsoleHTTPClient caches different http clients depending on the target endpoint while taking
 // in consideration CA certs stored in ${HOME}/.console/certs/CAs and ${HOME}/.minio/certs/CAs
 // If the target endpoint points to a loopback device, skip the TLS verification.
-func GetConsoleHTTPClient(address string, clientIP string) *http.Client {
+func GetConsoleHTTPClient(clientIP string) *http.Client {
-	u, err := url.Parse(address)
+	return PrepareConsoleHTTPClient(clientIP)
-	if err == nil {
-		address = u.Hostname()
 }
 
-	client := PrepareConsoleHTTPClient(isLocalIPAddress(address), clientIP)
+var (
+	// De-facto standard header keys.
+	xForwardedFor = http.CanonicalHeaderKey("X-Forwarded-For")
+	xRealIP       = http.CanonicalHeaderKey("X-Real-IP")
+)
 
-	return client
+var (
+	// RFC7239 defines a new "Forwarded: " header designed to replace the
+	// existing use of X-Forwarded-* headers.
+	// e.g. Forwarded: for=192.0.2.60;proto=https;by=203.0.113.43
+	forwarded = http.CanonicalHeaderKey("Forwarded")
+	// Allows for a sub-match of the first value after 'for=' to the next
+	// comma, semi-colon or space. The match is case-insensitive.
+	forRegex = regexp.MustCompile(`(?i)(?:for=)([^(;|,| )]+)(.*)`)
+)
+
+// getSourceIPFromHeaders retrieves the IP from the X-Forwarded-For, X-Real-IP
+// and RFC7239 Forwarded headers (in that order)
+func getSourceIPFromHeaders(r *http.Request) string {
+	var addr string
+
+	if fwd := r.Header.Get(xForwardedFor); fwd != "" {
+		// Only grab the first (client) address. Note that '192.168.0.1,
+		// 10.1.1.1' is a valid key for X-Forwarded-For where addresses after
+		// the first may represent forwarding proxies earlier in the chain.
+		s := strings.Index(fwd, ", ")
+		if s == -1 {
+			s = len(fwd)
+		}
+		addr = fwd[:s]
+	} else if fwd := r.Header.Get(xRealIP); fwd != "" {
+		// X-Real-IP should only contain one IP address (the client making the
+		// request).
+		addr = fwd
+	} else if fwd := r.Header.Get(forwarded); fwd != "" {
+		// match should contain at least two elements if the protocol was
+		// specified in the Forwarded header. The first element will always be
+		// the 'for=' capture, which we ignore. In the case of multiple IP
+		// addresses (for=8.8.8.8, 8.8.4.4, 172.16.1.20 is valid) we only
+		// extract the first, which should be the client IP.
+		if match := forRegex.FindStringSubmatch(fwd); len(match) > 1 {
+			// IPv6 addresses in Forwarded headers are quoted-strings. We strip
+			// these quotes.
+			addr = strings.Trim(match[1], `"`)
+		}
 	}
 
+	return addr
+}
+
+// getClientIP retrieves the IP from the request headers
+// and falls back to r.RemoteAddr when necessary.
+// however returns without bracketing.
 func getClientIP(r *http.Request) string {
-	// Try to get the IP address from the X-Real-IP header
+	addr := getSourceIPFromHeaders(r)
-	// If the X-Real-IP header is not present, then it will return an empty string
+	if addr == "" {
-	xRealIP := r.Header.Get("X-Real-IP")
+		addr = r.RemoteAddr
-	if xRealIP != "" {
-		return xRealIP
 	}
 
-	// Try to get the IP address from the X-Forwarded-For header
+	// Default to remote address if headers not set.
-	// If the X-Forwarded-For header is not present, then it will return an empty string
+	raddr, _, _ := net.SplitHostPort(addr)
-	xForwardedFor := r.Header.Get("X-Forwarded-For")
+	if raddr == "" {
-	if xForwardedFor != "" {
+		return addr
-		// X-Forwarded-For can contain multiple addresses, we return the first one
-		split := strings.Split(xForwardedFor, ",")
-		if len(split) > 0 {
-			return strings.TrimSpace(split[0])
 	}
-	}
+	return raddr
-
-	// If neither header is present (or they were empty), then fall back to the connection's remote address
-	ip, _, err := net.SplitHostPort(r.RemoteAddr)
-	if err != nil {
-		// In case there's an error, return an empty string
-		return ""
-	}
-	return ip
 }
 
 func (ac AdminClient) speedtest(ctx context.Context, opts madmin.SpeedtestOpts) (chan madmin.SpeedTestResult, error) {

api/client.go

@@ -341,7 +341,7 @@ func stsCredentials(minioURL, accessKey, secretKey, location, clientIP string) (
 		DurationSeconds: int(xjwt.GetConsoleSTSDuration().Seconds()),
 	}
 	stsAssumeRole := &credentials.STSAssumeRole{
-		Client:      GetConsoleHTTPClient(minioURL, clientIP),
+		Client:      GetConsoleHTTPClient(clientIP),
 		STSEndpoint: minioURL,
 		Options:     opts,
 	}
@@ -357,7 +357,7 @@ func NewConsoleCredentials(accessKey, secretKey, location, clientIP string) (*cr
 	// LDAP authentication for Console
 	case ldap.GetLDAPEnabled():
 		{
-			creds, err := auth.GetCredentialsFromLDAP(GetConsoleHTTPClient(minioURL, clientIP), minioURL, accessKey, secretKey)
+			creds, err := auth.GetCredentialsFromLDAP(GetConsoleHTTPClient(clientIP), minioURL, accessKey, secretKey)
 			if err != nil {
 				return nil, err
 			}
@@ -414,7 +414,7 @@ func newMinioClient(claims *models.Principal, clientIP string) (*minio.Client, e
 	minioClient, err := minio.New(endpoint, &minio.Options{
 		Creds:     creds,
 		Secure:    secure,
-		Transport: GetConsoleHTTPClient(getMinIOServer(), clientIP).Transport,
+		Transport: GetConsoleHTTPClient(clientIP).Transport,
 	})
 	if err != nil {
 		return nil, err
@@ -426,10 +426,9 @@ func newMinioClient(claims *models.Principal, clientIP string) (*minio.Client, e
 
 // computeObjectURLWithoutEncode returns a MinIO url containing the object filename without encoding
 func computeObjectURLWithoutEncode(bucketName, prefix string) (string, error) {
-	endpoint := getMinIOServer()
+	u, err := xnet.ParseHTTPURL(getMinIOServer())
-	u, err := xnet.ParseHTTPURL(endpoint)
 	if err != nil {
-		return "", fmt.Errorf("the provided endpoint is invalid")
+		return "", fmt.Errorf("the provided endpoint: '%s' is invalid", getMinIOServer())
 	}
 	var p string
 	if strings.TrimSpace(bucketName) != "" {
@@ -438,7 +437,7 @@ func computeObjectURLWithoutEncode(bucketName, prefix string) (string, error) {
 	if strings.TrimSpace(prefix) != "" {
 		p = pathJoinFinalSlash(p, prefix)
 	}
-	return fmt.Sprintf("%s://%s/%s", u.Scheme, u.Host, p), nil
+	return u.String() + "/" + p, nil
 }
 
 // newS3BucketClient creates a new mc S3Client to talk to the server based on a bucket
@@ -479,22 +478,18 @@ func pathJoinFinalSlash(elem ...string) string {
 func newS3Config(endpoint, accessKey, secretKey, sessionToken string, clientIP string) *mc.Config {
 	// We have a valid alias and hostConfig. We populate the/
 	// consoleCredentials from the match found in the config file.
-	s3Config := new(mc.Config)
+	return &mc.Config{
-
+		HostURL:      endpoint,
-	s3Config.AppName = globalAppName
+		AccessKey:    accessKey,
-	s3Config.AppVersion = pkg.Version
+		SecretKey:    secretKey,
-	s3Config.Debug = false
+		SessionToken: sessionToken,
-
+		Signature:    "S3v4",
-	s3Config.HostURL = endpoint
+		AppName:      globalAppName,
-	s3Config.AccessKey = accessKey
+		AppVersion:   pkg.Version,
-	s3Config.SecretKey = secretKey
+		Insecure:     isLocalIPEndpoint(endpoint),
-	s3Config.SessionToken = sessionToken
+		Transport: &ConsoleTransport{
-	s3Config.Signature = "S3v4"
+			ClientIP:  clientIP,
-
+			Transport: GlobalTransport,
-	insecure := isLocalIPEndpoint(endpoint)
+		},
-
+	}
-	s3Config.Insecure = insecure
-	s3Config.Transport = PrepareSTSClientTransport(insecure, clientIP).Transport
-
-	return s3Config
 }

api/client_test.go

@@ -1,5 +1,5 @@
 // This file is part of MinIO Console Server
-// Copyright (c) 2021 MinIO, Inc.
+// Copyright (c) 2024 MinIO, Inc.
 //
 // This program is free software: you can redistribute it and/or modify
 // it under the terms of the GNU Affero General Public License as published by
@@ -80,11 +80,12 @@ func Test_computeObjectURLWithoutEncode(t *testing.T) {
 			got, err := computeObjectURLWithoutEncode(tt.args.bucketName, tt.args.prefix)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("computeObjectURLWithoutEncode() errors = %v, wantErr %v", err, tt.wantErr)
-				return
 			}
+			if err == nil {
 				if got != tt.want {
 					t.Errorf("computeObjectURLWithoutEncode() got = %v, want %v", got, tt.want)
 				}
+			}
 		})
 	}
 }

api/config.go

@@ -17,10 +17,13 @@
 package api
 
 import (
+	"crypto/tls"
 	"crypto/x509"
 	"net"
+	"net/http"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/minio/console/pkg/auth/idp/oauth2"
 	xcerts "github.com/minio/pkg/v2/certs"
@@ -54,6 +57,31 @@ var (
 	GlobalPublicCerts []*x509.Certificate
 	// GlobalTLSCertsManager custom TLS Manager for SNI support
 	GlobalTLSCertsManager *xcerts.Manager
+	// GlobalTransport is common transport used for all HTTP calls, this is set via
+	// MinIO server to be the correct transport, however we still define some defaults
+	// here just in case.
+	GlobalTransport = &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		DialContext: (&net.Dialer{
+			Timeout:   10 * time.Second,
+			KeepAlive: 15 * time.Second,
+		}).DialContext,
+		MaxIdleConns:          1024,
+		MaxIdleConnsPerHost:   1024,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 10 * time.Second,
+		DisableCompression:    true, // Set to avoid auto-decompression
+		TLSClientConfig: &tls.Config{
+			// Can't use SSLv3 because of POODLE and BEAST
+			// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
+			// Can't use TLSv1.1 because of RC4 cipher usage
+			MinVersion: tls.VersionTLS12,
+			// Console runs in the same pod/node as MinIO this is acceptable.
+			InsecureSkipVerify: true,
+			RootCAs:            GlobalRootCAs,
+		},
+	}
 )
 
 // MinIOConfig represents application configuration passed in from the MinIO

api/license.go

@@ -55,7 +55,7 @@ func getLicenseInfo(client http.Client, license string) (*licverifier.LicenseInf
 }
 
 func fetchLicensePlan() {
-	client := GetConsoleHTTPClient("", "127.0.0.1")
+	client := GetConsoleHTTPClient("127.0.0.1")
 	licenseInfo, err := getLicenseInfo(*client, os.Getenv(EnvSubnetLicense))
 	if err != nil {
 		return

api/public_objects.go

@@ -57,7 +57,9 @@ func getDownloadPublicObjectResponse(params public.DownloadSharedObjectParams) (
 	if err != nil {
 		return nil, ErrorWithContext(ctx, err)
 	}
-	resp, err := http.DefaultClient.Do(req)
+
+	clnt := PrepareConsoleHTTPClient(getClientIP(params.HTTPRequest))
+	resp, err := clnt.Do(req)
 	if err != nil {
 		return nil, ErrorWithContext(ctx, err)
 	}

api/service_accounts_handlers.go

@@ -153,14 +153,15 @@ func getCreateServiceAccountResponse(session *models.Principal, params saApi.Cre
 	// defining the client to be used
 	userAdminClient := AdminClient{Client: userAdmin}
 
-	var parsedExpiry time.Time
+	var expiry *time.Time
 	if params.Body.Expiry != "" {
-		parsedExpiry, err = time.Parse(time.RFC3339, params.Body.Expiry)
+		parsedExpiry, err := time.Parse(time.RFC3339, params.Body.Expiry)
 		if err != nil {
 			return nil, ErrorWithContext(ctx, err)
 		}
+		expiry = &parsedExpiry
 	}
-	saCreds, err := createServiceAccount(ctx, userAdminClient, params.Body.Policy, params.Body.Name, params.Body.Description, &parsedExpiry, params.Body.Comment)
+	saCreds, err := createServiceAccount(ctx, userAdminClient, params.Body.Policy, params.Body.Name, params.Body.Description, expiry, params.Body.Comment)
 	if err != nil {
 		return nil, ErrorWithContext(ctx, err)
 	}
@@ -203,14 +204,15 @@ func getCreateAUserServiceAccountResponse(session *models.Principal, params user
 		return nil, ErrorWithContext(ctx, err)
 	}
 
-	var parsedExpiry time.Time
+	var expiry *time.Time
 	if params.Body.Expiry != "" {
-		parsedExpiry, err = time.Parse(time.RFC3339, params.Body.Expiry)
+		parsedExpiry, err := time.Parse(time.RFC3339, params.Body.Expiry)
 		if err != nil {
 			return nil, ErrorWithContext(ctx, err)
 		}
+		expiry = &parsedExpiry
 	}
-	saCreds, err := createAUserServiceAccount(ctx, userAdminClient, params.Body.Policy, name, params.Body.Name, params.Body.Description, &parsedExpiry, params.Body.Comment)
+	saCreds, err := createAUserServiceAccount(ctx, userAdminClient, params.Body.Policy, name, params.Body.Name, params.Body.Description, expiry, params.Body.Comment)
 	if err != nil {
 		return nil, ErrorWithContext(ctx, err)
 	}
@@ -248,14 +250,15 @@ func getCreateAUserServiceAccountCredsResponse(session *models.Principal, params
 		}
 	}
 
-	var parsedExpiry time.Time
+	var expiry *time.Time
 	if serviceAccount.Expiry != "" {
-		parsedExpiry, err = time.Parse(time.RFC3339, serviceAccount.Expiry)
+		parsedExpiry, err := time.Parse(time.RFC3339, serviceAccount.Expiry)
 		if err != nil {
 			return nil, ErrorWithContext(ctx, err)
 		}
+		expiry = &parsedExpiry
 	}
-	saCreds, err := createAUserServiceAccountCreds(ctx, userAdminClient, serviceAccount.Policy, user, serviceAccount.AccessKey, serviceAccount.SecretKey, serviceAccount.Name, serviceAccount.Description, &parsedExpiry, serviceAccount.Comment)
+	saCreds, err := createAUserServiceAccountCreds(ctx, userAdminClient, serviceAccount.Policy, user, serviceAccount.AccessKey, serviceAccount.SecretKey, serviceAccount.Name, serviceAccount.Description, expiry, serviceAccount.Comment)
 	if err != nil {
 		return nil, ErrorWithContext(ctx, err)
 	}
@@ -289,15 +292,16 @@ func getCreateServiceAccountCredsResponse(session *models.Principal, params saAp
 		}
 	}
 
-	var parsedExpiry time.Time
+	var expiry *time.Time
 	if params.Body.Expiry != "" {
-		parsedExpiry, err = time.Parse(time.RFC3339, params.Body.Expiry)
+		parsedExpiry, err := time.Parse(time.RFC3339, params.Body.Expiry)
 		if err != nil {
 			return nil, ErrorWithContext(ctx, err)
 		}
+		expiry = &parsedExpiry
 	}
 
-	saCreds, err := createServiceAccountCreds(ctx, userAdminClient, serviceAccount.Policy, serviceAccount.AccessKey, serviceAccount.SecretKey, params.Body.Name, params.Body.Description, &parsedExpiry, params.Body.Comment)
+	saCreds, err := createServiceAccountCreds(ctx, userAdminClient, serviceAccount.Policy, serviceAccount.AccessKey, serviceAccount.SecretKey, params.Body.Name, params.Body.Description, expiry, params.Body.Comment)
 	if err != nil {
 		return nil, ErrorWithContext(ctx, err)
 	}
@@ -313,6 +317,25 @@ func getUserServiceAccounts(ctx context.Context, userClient MinioAdmin, user str
 	saList := models.ServiceAccounts{}
 
 	for _, acc := range listServAccs.Accounts {
+		if acc.AccountStatus != "" {
+			// Newer releases of MinIO would support enhanced listServiceAccounts()
+			// we can avoid infoServiceAccount() at that point, this scales well
+			// for 100's of service accounts.
+			expiry := ""
+			if acc.Expiration != nil {
+				expiry = acc.Expiration.Format(time.RFC3339)
+			}
+
+			saList = append(saList, &models.ServiceAccountsItems0{
+				AccountStatus: acc.AccountStatus,
+				Description:   acc.Description,
+				Expiration:    expiry,
+				Name:          acc.Name,
+				AccessKey:     acc.AccessKey,
+			})
+			continue
+		}
+
 		aInfo, err := userClient.infoServiceAccount(ctx, acc.AccessKey)
 		if err != nil {
 			continue
@@ -439,14 +462,14 @@ func getServiceAccountInfo(session *models.Principal, params saApi.GetServiceAcc
 }
 
 // setServiceAccountPolicy sets policy for a service account
-func updateServiceAccountDetails(ctx context.Context, userClient MinioAdmin, accessKey string, policy string, expiry time.Time, name string, description string, status string, secretKey string) error {
+func updateServiceAccountDetails(ctx context.Context, userClient MinioAdmin, accessKey string, policy string, expiry *time.Time, name string, description string, status string, secretKey string) error {
 	req := madmin.UpdateServiceAccountReq{
 		NewPolicy:      json.RawMessage(policy),
 		NewSecretKey:   secretKey,
 		NewStatus:      status,
 		NewName:        name,
 		NewDescription: description,
-		NewExpiration:  &expiry,
+		NewExpiration:  expiry,
 	}
 
 	err := userClient.updateServiceAccount(ctx, accessKey, req)
@@ -471,14 +494,15 @@ func updateSetServiceAccountResponse(session *models.Principal, params saApi.Upd
 	// defining the client to be used
 	userAdminClient := AdminClient{Client: userAdmin}
 
-	var parsedExpiry time.Time
+	var expiry *time.Time
 	if params.Body.Expiry != "" {
-		parsedExpiry, err = time.Parse(time.RFC3339, params.Body.Expiry)
+		parsedExpiry, err := time.Parse(time.RFC3339, params.Body.Expiry)
 		if err != nil {
 			return ErrorWithContext(ctx, err)
 		}
+		expiry = &parsedExpiry
 	}
-	err = updateServiceAccountDetails(ctx, userAdminClient, accessKey, policy, parsedExpiry, params.Body.Name, params.Body.Description, params.Body.Status, params.Body.SecretKey)
+	err = updateServiceAccountDetails(ctx, userAdminClient, accessKey, policy, expiry, params.Body.Name, params.Body.Description, params.Body.Status, params.Body.SecretKey)
 	if err != nil {
 		return ErrorWithContext(ctx, err)
 	}

api/tls.go

@@ -17,65 +17,35 @@
 package api
 
 import (
-	"crypto/tls"
-	"net"
 	"net/http"
-	"time"
 )
 
 type ConsoleTransport struct {
-	Transport *http.Transport
+	Transport http.RoundTripper
 	ClientIP  string
 }
 
 func (t *ConsoleTransport) RoundTrip(req *http.Request) (*http.Response, error) {
-	req.Header.Add("X-Forwarded-For", t.ClientIP)
+	if t.ClientIP != "" {
-	resp, err := t.Transport.RoundTrip(req)
+		// Do not set an empty x-forwarded-for
-	return resp, err
+		req.Header.Add(xForwardedFor, t.ClientIP)
+	}
+	return t.Transport.RoundTrip(req)
 }
 
 // PrepareSTSClientTransport :
-func PrepareSTSClientTransport(insecure bool, remoteAddress string) *ConsoleTransport {
+func PrepareSTSClientTransport(clientIP string) *ConsoleTransport {
-	// This takes github.com/minio/madmin-go/v3/transport.go as an example
+	return &ConsoleTransport{
-	//
+		Transport: GlobalTransport,
-	// DefaultTransport - this default transport is similar to
+		ClientIP:  clientIP,
-	// http.DefaultTransport but with additional param  DisableCompression
-	// is set to true to avoid decompressing content with 'gzip' encoding.
-	DefaultTransport := &http.Transport{
-		Proxy: http.ProxyFromEnvironment,
-		DialContext: (&net.Dialer{
-			Timeout:   10 * time.Second,
-			KeepAlive: 15 * time.Second,
-		}).DialContext,
-		MaxIdleConns:          1024,
-		MaxIdleConnsPerHost:   1024,
-		IdleConnTimeout:       90 * time.Second,
-		TLSHandshakeTimeout:   10 * time.Second,
-		ExpectContinueTimeout: 10 * time.Second,
-		DisableCompression:    true,
-		TLSClientConfig: &tls.Config{
-			// Can't use SSLv3 because of POODLE and BEAST
-			// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
-			// Can't use TLSv1.1 because of RC4 cipher usage
-			MinVersion:         tls.VersionTLS12,
-			InsecureSkipVerify: insecure,
-			RootCAs:            GlobalRootCAs,
-		},
 	}
-	t := &ConsoleTransport{
-		Transport: DefaultTransport,
-		ClientIP:  remoteAddress,
-	}
-	return t
 }
 
 // PrepareConsoleHTTPClient returns an http.Client with custom configurations need it by *credentials.STSAssumeRole
 // custom configurations include the use of CA certificates
-func PrepareConsoleHTTPClient(insecure bool, clientIP string) *http.Client {
+func PrepareConsoleHTTPClient(clientIP string) *http.Client {
-	transport := PrepareSTSClientTransport(insecure, clientIP)
 	// Return http client with default configuration
-	c := &http.Client{
+	return &http.Client{
-		Transport: transport,
+		Transport: PrepareSTSClientTransport(clientIP),
 	}
-	return c
 }

api/user_log_search.go

@@ -98,7 +98,7 @@ func getLogSearchResponse(session *models.Principal, params logApi.LogSearchPara
 }
 
 func logSearch(endpoint string, clientIP string) (*models.LogSearchResponse, error) {
-	httpClnt := GetConsoleHTTPClient(endpoint, clientIP)
+	httpClnt := GetConsoleHTTPClient(clientIP)
 	resp, err := httpClnt.Get(endpoint)
 	if err != nil {
 		return nil, fmt.Errorf("the Log Search API cannot be reached. Please review the URL and try again %v", err)

api/user_login.go

@@ -191,8 +191,7 @@ func getLoginDetailsResponse(params authApi.LoginDetailParams, openIDProviders o
 	for name, provider := range openIDProviders {
 		// initialize new oauth2 client
 
-		oauth2Client, err := provider.GetOauth2Provider(name, nil, r, GetConsoleHTTPClient("", getClientIP(params.HTTPRequest)),
+		oauth2Client, err := provider.GetOauth2Provider(name, nil, r, GetConsoleHTTPClient(getClientIP(params.HTTPRequest)))
-			GetConsoleHTTPClient(getMinIOServer(), getClientIP(params.HTTPRequest)))
 		if err != nil {
 			continue
 		}
@@ -281,8 +280,8 @@ func getLoginOauth2AuthResponse(params authApi.LoginOauth2AuthParams, openIDProv
 		}
 
 		// Initialize new identity provider with new oauth2Client per IDPName
-		oauth2Client, err := providerCfg.GetOauth2Provider(IDPName, nil, r, GetConsoleHTTPClient("", getClientIP(params.HTTPRequest)),
+		oauth2Client, err := providerCfg.GetOauth2Provider(IDPName, nil, r,
-			GetConsoleHTTPClient(getMinIOServer(), getClientIP(params.HTTPRequest)))
+			GetConsoleHTTPClient(getClientIP(params.HTTPRequest)))
 		if err != nil {
 			return nil, ErrorWithContext(ctx, err)
 		}

api/user_logout.go

@@ -18,7 +18,6 @@ package api
 
 import (
 	"context"
-	"crypto/tls"
 	"encoding/base64"
 	"encoding/json"
 	"net/http"
@@ -103,11 +102,7 @@ func logoutFromIDPProvider(r *http.Request, state string) error {
 		params.Add("client_secret", providerCfg.ClientSecret)
 		params.Add("refresh_token", refreshToken.Value)
 		client := &http.Client{
-			Transport: &http.Transport{
+			Transport: GlobalTransport,
-				TLSClientConfig: &tls.Config{
-					RootCAs: GlobalRootCAs,
-				},
-			},
 		}
 		_, err := client.PostForm(providerCfg.EndSessionEndpoint, params)
 		if err != nil {

cmd/console/app_commands.go

@@ -19,6 +19,7 @@ package main
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"strconv"
 	"time"
 
@@ -42,8 +43,8 @@ func StartServer(ctx *cli.Context) error {
 
 	xctx := context.Background()
 
-	transport := api.PrepareSTSClientTransport(false, api.LocalAddress)
+	transport := api.PrepareSTSClientTransport(api.LocalAddress).Transport.(*http.Transport)
-	if err := logger.InitializeLogger(xctx, transport.Transport); err != nil {
+	if err := logger.InitializeLogger(xctx, transport); err != nil {
 		fmt.Println("error InitializeLogger", err)
 		logger.CriticalIf(xctx, err)
 	}

go.mod

@@ -17,13 +17,13 @@ require (
 	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/google/uuid v1.6.0
 	github.com/jessevdk/go-flags v1.5.0
-	github.com/klauspost/compress v1.17.7
+	github.com/klauspost/compress v1.17.8
 	github.com/minio/cli v1.24.2
 	github.com/minio/highwayhash v1.0.2
 	github.com/minio/kes v0.23.0
-	github.com/minio/madmin-go/v3 v3.0.50
+	github.com/minio/madmin-go/v3 v3.0.51
-	github.com/minio/mc v0.0.0-20240330152952-9f8147bf0e03
+	github.com/minio/mc v0.0.0-20240430174448-dcb911bed9d5
-	github.com/minio/minio-go/v7 v7.0.69
+	github.com/minio/minio-go/v7 v7.0.70
 	github.com/minio/selfupdate v0.6.0
 	github.com/minio/websocket v1.6.0
 	github.com/mitchellh/go-homedir v1.1.0
@@ -32,8 +32,8 @@ require (
 	github.com/stretchr/testify v1.9.0
 	github.com/tidwall/gjson v1.17.1
 	github.com/unrolled/secure v1.14.0
-	golang.org/x/crypto v0.21.0
+	golang.org/x/crypto v0.22.0
-	golang.org/x/net v0.23.0
+	golang.org/x/net v0.24.0
 	golang.org/x/oauth2 v0.18.0
 	// Added to include security fix for
 	// https://github.com/golang/go/issues/56152
@@ -43,7 +43,7 @@ require (
 
 require (
 	github.com/mattn/go-ieproxy v0.0.11
-	github.com/minio/pkg/v2 v2.0.13
+	github.com/minio/pkg/v2 v2.0.17
 )
 
 require (
@@ -54,7 +54,7 @@ require (
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/charmbracelet/bubbles v0.18.0 // indirect
 	github.com/charmbracelet/bubbletea v0.25.0 // indirect
 	github.com/charmbracelet/lipgloss v0.10.0 // indirect
@@ -63,11 +63,9 @@ require (
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/fatih/structs v1.1.0 // indirect
-	github.com/gdamore/encoding v1.0.0 // indirect
-	github.com/gdamore/tcell/v2 v2.7.4 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
@@ -79,9 +77,8 @@ require (
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/jedib0t/go-pretty/v6 v6.5.4 // indirect
+	github.com/jedib0t/go-pretty/v6 v6.5.8 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
-	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/juju/ratelimit v1.0.2 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.7 // indirect
 	github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
@@ -91,7 +88,7 @@ require (
 	github.com/lestrrat-go/jwx v1.2.29 // indirect
 	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
-	github.com/lufia/plan9stats v0.0.0-20240226150601-1dcf7310316a // indirect
+	github.com/lufia/plan9stats v0.0.0-20240408141607-282e7b5d6b74 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
@@ -102,16 +99,12 @@ require (
 	github.com/minio/filepath v1.0.0 // indirect
 	github.com/minio/kes-go v0.2.1 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
-	github.com/minio/sha256-simd v1.0.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/montanaflynn/stats v0.7.1 // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/reflow v0.3.0 // indirect
 	github.com/muesli/termenv v0.15.2 // indirect
-	github.com/navidys/tvxwidgets v0.6.0 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/philhofer/fwd v1.1.2 // indirect
@@ -121,36 +114,35 @@ require (
 	github.com/posener/complete v1.2.3 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
 	github.com/prometheus/client_golang v1.19.0 // indirect
-	github.com/prometheus/client_model v0.6.0 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.50.0 // indirect
+	github.com/prometheus/common v0.52.3 // indirect
 	github.com/prometheus/procfs v0.13.0 // indirect
 	github.com/prometheus/prom2json v1.3.3 // indirect
-	github.com/rivo/tview v0.0.0-20240307173318-e804876934a1 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rjeczalik/notify v0.9.3 // indirect
 	github.com/safchain/ethtool v0.3.0 // indirect
-	github.com/shirou/gopsutil/v3 v3.24.2 // indirect
+	github.com/shirou/gopsutil/v3 v3.24.3 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tinylib/msgp v1.1.9 // indirect
 	github.com/tklauser/go-sysconf v0.3.13 // indirect
 	github.com/tklauser/numcpus v0.7.0 // indirect
-	github.com/vbauerster/mpb/v8 v8.7.2 // indirect
+	github.com/vbauerster/mpb/v8 v8.7.3 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
-	go.etcd.io/etcd/api/v3 v3.5.12 // indirect
+	go.etcd.io/etcd/api/v3 v3.5.13 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.5.12 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.5.13 // indirect
-	go.etcd.io/etcd/client/v3 v3.5.12 // indirect
+	go.etcd.io/etcd/client/v3 v3.5.13 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/sync v0.6.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/sys v0.19.0 // indirect
-	golang.org/x/term v0.18.0 // indirect
+	golang.org/x/term v0.19.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240415180920-8c6c420018be // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240311173647-c811ad7063a7 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240415180920-8c6c420018be // indirect
-	google.golang.org/grpc v1.62.1 // indirect
+	google.golang.org/grpc v1.63.2 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -16,8 +16,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
-github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
-github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/charmbracelet/bubbles v0.18.0 h1:PYv1A036luoBGroX6VWjQIE9Syf2Wby2oOl/39KLfy0=
 github.com/charmbracelet/bubbles v0.18.0/go.mod h1:08qhZhtIwzgrtBjAcJnij1t1H0ZRjwHyGsy6AL11PSw=
 github.com/charmbracelet/bubbletea v0.25.0 h1:bAfwk7jRz7FKFl9RzlIULPkStffg5k6pNt5dywy4TcM=
@@ -38,8 +38,9 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/decred/dcrd/crypto/blake256 v1.0.1/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPcCXqlm2ArzUIkw9czNJo=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 h1:rpfIENRNNilwHwZeG5+P150SMrnNEcHYvcCuK6dPZSg=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
@@ -49,12 +50,6 @@ github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
 github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
-github.com/gdamore/encoding v1.0.0 h1:+7OoQ1Bc6eTm5niUzBa0Ctsh6JbMW6Ra+YNuAtDBdko=
-github.com/gdamore/encoding v1.0.0/go.mod h1:alR0ol34c49FCSBLjhosxzcPHQbf2trDkoo5dl+VrEg=
-github.com/gdamore/tcell/v2 v2.7.4 h1:sg6/UnTM9jGpZU+oFYAsDahfchWAFW8Xx2yFinNSAYU=
-github.com/gdamore/tcell/v2 v2.7.4/go.mod h1:dSXtXTSK0VsW1biw65DZLZ2NKr7j0qP/0J7ONmsraWg=
-github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
-github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
 github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
@@ -78,8 +73,6 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58=
 github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
 github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
@@ -97,9 +90,6 @@ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20211214055906-6f57359322fd h1:1FjCyPC+syAzJ5/2S8fqdZK1R22vvA0J7JZKcuOIQ7Y=
-github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -112,20 +102,18 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/jedib0t/go-pretty/v6 v6.5.4 h1:gOGo0613MoqUcf0xCj+h/V3sHDaZasfv152G6/5l91s=
+github.com/jedib0t/go-pretty/v6 v6.5.8 h1:8BCzJdSvUbaDuRba4YVh+SKMGcAAKdkcF3SVFbrHAtQ=
-github.com/jedib0t/go-pretty/v6 v6.5.4/go.mod h1:5LQIxa52oJ/DlDSLv0HEkWOFMDGoWkJb9ss5KqPpJBg=
+github.com/jedib0t/go-pretty/v6 v6.5.8/go.mod h1:zbn98qrYlh95FIhwwsbIip0LYpwSG8SUOScs+v9/t0E=
 github.com/jessevdk/go-flags v1.5.0 h1:1jKYvbxEjfUl0fmqTCOfonvskHHXMjBySTLW4y9LFvc=
 github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
-github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
-github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/juju/ratelimit v1.0.2 h1:sRxmtRiajbvrcLQT7S+JbqU0ntsb9W2yhSdNN8tWfaI=
 github.com/juju/ratelimit v1.0.2/go.mod h1:qapgC/Gy+xNh9UxzV13HGGl/6UXNN+ct+vwSgWNm/qk=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.7 h1:ehO88t2UGzQK66LMdE8tibEd1ErmzZjNEqWkjLAKQQg=
+github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU=
-github.com/klauspost/compress v1.17.7/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
+github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
 github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.2.7 h1:ZWSB3igEs+d0qvnxR/ZBzXVmxkgt8DdzP6m9pfuVLDM=
 github.com/klauspost/cpuid/v2 v2.2.7/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
@@ -149,8 +137,8 @@ github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmt
 github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
 github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
-github.com/lufia/plan9stats v0.0.0-20240226150601-1dcf7310316a h1:3Bm7EwfUQUvhNeKIkUct/gl9eod1TcXuj8stxvi/GoI=
+github.com/lufia/plan9stats v0.0.0-20240408141607-282e7b5d6b74 h1:1KuuSOy4ZNgW0KA2oYIngXVFhQcXxhLqCVK7cBcldkk=
-github.com/lufia/plan9stats v0.0.0-20240226150601-1dcf7310316a/go.mod h1:ilwx/Dta8jXAgpFYFvSWEMwxmbWXyiUHkd5FwyKhb5k=
+github.com/lufia/plan9stats v0.0.0-20240408141607-282e7b5d6b74/go.mod h1:ilwx/Dta8jXAgpFYFvSWEMwxmbWXyiUHkd5FwyKhb5k=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
@@ -184,33 +172,26 @@ github.com/minio/kes v0.23.0 h1:T0zHtyDoI3JdKrVvzdM4xwVryYYyh5pKwNUVBoqxsNs=
 github.com/minio/kes v0.23.0/go.mod h1:vvXVGcgu9mYLkbVWlEvFFl6bYR196RQlOU2Q+rHApl8=
 github.com/minio/kes-go v0.2.1 h1:KnqS+p6xoSFJZbQhmJaz/PbxeA6nQyRqT/ywrn5lU2o=
 github.com/minio/kes-go v0.2.1/go.mod h1:76xf7l41Wrh+IifisABXK2S8uZWYgWV1IGBKC3GdOJk=
-github.com/minio/madmin-go/v3 v3.0.50 h1:+RQMetVFvPQmAOEDN/xmLhwk9+xOzu3rqwnlZEskgvg=
+github.com/minio/madmin-go/v3 v3.0.51 h1:brGOvDP8KvoHb/bdzCHUPFCbTtrN8o507uPHZpyuinM=
-github.com/minio/madmin-go/v3 v3.0.50/go.mod h1:ZDF7kf5fhmxLhbGTqyq5efs4ao0v4eWf7nOuef/ljJs=
+github.com/minio/madmin-go/v3 v3.0.51/go.mod h1:IFAwr0XMrdsLovxAdCcuq/eoL4nRuMVQQv0iubJANQw=
-github.com/minio/mc v0.0.0-20240330152952-9f8147bf0e03 h1:xF1hntqvs/CVEHGBETSrIMTW3iSU3k2j/YCFXGDWoBs=
+github.com/minio/mc v0.0.0-20240430174448-dcb911bed9d5 h1:VDXLzvY0Jxk4lzIntGXZuw0VH7S1JgQBmjWGkz7xphU=
-github.com/minio/mc v0.0.0-20240330152952-9f8147bf0e03/go.mod h1:RMCe706GTL9EOO6pxzFXd9Vp+3w2L1uctPiycmLDr9U=
+github.com/minio/mc v0.0.0-20240430174448-dcb911bed9d5/go.mod h1:aOiBeSNmpfJn1yyz+EujrTM+XmUwkXiM69zSXg12VDM=
 github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
 github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
-github.com/minio/minio-go/v7 v7.0.69 h1:l8AnsQFyY1xiwa/DaQskY4NXSLA2yrGsW5iD9nRPVS0=
+github.com/minio/minio-go/v7 v7.0.70 h1:1u9NtMgfK1U42kUxcsl5v0yj6TEOPR497OAQxpJnn2g=
-github.com/minio/minio-go/v7 v7.0.69/go.mod h1:XAvOPJQ5Xlzk5o3o/ArO2NMbhSGkimC+bpW/ngRKDmQ=
+github.com/minio/minio-go/v7 v7.0.70/go.mod h1:4yBA8v80xGA30cfM3fz0DKYMXunWl/AV/6tWEs9ryzo=
 github.com/minio/mux v1.9.0 h1:dWafQFyEfGhJvK6AwLOt83bIG5bxKxKJnKMCi0XAaoA=
 github.com/minio/mux v1.9.0/go.mod h1:1pAare17ZRL5GpmNL+9YmqHoWnLmMZF9C/ioUCfy0BQ=
-github.com/minio/pkg/v2 v2.0.13 h1:Tm4koPzm+gVVCU5YLPtzXzfwkCR5sd/asXCu/RABSeA=
+github.com/minio/pkg/v2 v2.0.17 h1:ndmGlitUj/eCVRPmfsAw3KlbtVNxqk0lQIvDXlcTHiQ=
-github.com/minio/pkg/v2 v2.0.13/go.mod h1:zbVATXCinLCo+L/4vsPyqgiA4OYPXCJb+/E4KfE396A=
+github.com/minio/pkg/v2 v2.0.17/go.mod h1:V+OP/fKRD/qhJMQpdXXrCXcLYjGMpHKEE26zslthm5k=
 github.com/minio/selfupdate v0.6.0 h1:i76PgT0K5xO9+hjzKcacQtO7+MjJ4JKA8Ak8XQ9DDwU=
 github.com/minio/selfupdate v0.6.0/go.mod h1:bO02GTIPCMQFTEvE5h4DjYB58bCoZ35XLeBf0buTDdM=
-github.com/minio/sha256-simd v1.0.1 h1:6kaan5IFmwTNynnKKpDHe6FWHohJOHhCPchzK49dzMM=
-github.com/minio/sha256-simd v1.0.1/go.mod h1:Pz6AKMiUdngCLpeTL/RJY1M9rUuPMYujV5xJjtbRSN8=
 github.com/minio/websocket v1.6.0 h1:CPvnQvNvlVaQmvw5gtJNyYQhg4+xRmrPNhBbv8BdpAE=
 github.com/minio/websocket v1.6.0/go.mod h1:COH1CePZfHT9Ec1O7vZjTlX5uEPpyYnrifPNbu665DM=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
-github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/montanaflynn/stats v0.7.1 h1:etflOAAHORrCC44V+aR6Ftzort912ZU+YLiSTuV8eaE=
 github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI=
@@ -221,16 +202,10 @@ github.com/muesli/reflow v0.3.0 h1:IFsN6K9NfGtjeggFP+68I4chLZV2yIKsXJFNZ+eWh6s=
 github.com/muesli/reflow v0.3.0/go.mod h1:pbwTDkVPibjO2kyvBQRBxTWEEGDGq0FlB1BIKtnHY/8=
 github.com/muesli/termenv v0.15.2 h1:GohcuySI0QmI3wN8Ok9PtKGkgkFIk7y6Vpb5PvrY+Wo=
 github.com/muesli/termenv v0.15.2/go.mod h1:Epx+iuz8sNs7mNKhxzH4fWXGNpZwUaJKRS1noLXviQ8=
-github.com/navidys/tvxwidgets v0.6.0 h1:ARIXGfx4aURHMhq+LW5vIoCCDx1X/PdTF8AcUq+nWZ0=
-github.com/navidys/tvxwidgets v0.6.0/go.mod h1:wd6aS2OzjZczFbg8GCaVuwkFcY1eixlT/y7Lc/YIwlg=
 github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
-github.com/onsi/ginkgo/v2 v2.16.0 h1:7q1w9frJDzninhXxjZd+Y/x54XNjG/UlRLIYPZafsPM=
-github.com/onsi/ginkgo/v2 v2.16.0/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
-github.com/onsi/gomega v1.31.1 h1:KYppCUK+bUgAZwHOu7EXVBKyQA6ILvOESHkn/tgoqvo=
-github.com/onsi/gomega v1.31.1/go.mod h1:y40C95dwAD1Nz36SsEnxvfFe8FFfNxzI5eJ0EYGyAy0=
 github.com/philhofer/fwd v1.1.2 h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw=
 github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2tUTP0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -247,19 +222,16 @@ github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU=
 github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k=
-github.com/prometheus/client_model v0.6.0 h1:k1v3CzpSRUTrKMppY35TLwPvxHqBu0bYgxZzqGIgaos=
+github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.0/go.mod h1:NTQHnmxFpouOD0DpvP4XujX3CdOAGQPoaGhyTchlyt8=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.50.0 h1:YSZE6aa9+luNa2da6/Tik0q0A5AbR+U003TItK57CPQ=
+github.com/prometheus/common v0.52.3 h1:5f8uj6ZwHSscOGNdIQg6OiZv/ybiK2CO2q2drVZAQSA=
-github.com/prometheus/common v0.50.0/go.mod h1:wHFBCEVWVmHMUpg7pYcOm2QUR/ocQdYSJVQJKnHc3xQ=
+github.com/prometheus/common v0.52.3/go.mod h1:BrxBKv3FWBIGXw89Mg1AeBq7FSyRzXWI3l3e7W3RN5U=
 github.com/prometheus/procfs v0.13.0 h1:GqzLlQyfsPbaEHaQkO7tbDlriv/4o5Hudv6OXHGKX7o=
 github.com/prometheus/procfs v0.13.0/go.mod h1:cd4PFCR54QLnGKPaKGA6l+cfuNXtht43ZKY6tow0Y1g=
 github.com/prometheus/prom2json v1.3.3 h1:IYfSMiZ7sSOfliBoo89PcufjWO4eAR0gznGcETyaUgo=
 github.com/prometheus/prom2json v1.3.3/go.mod h1:Pv4yIPktEkK7btWsrUTWDDDrnpUrAELaOCj+oFwlgmc=
-github.com/rivo/tview v0.0.0-20240307173318-e804876934a1 h1:bWLHTRekAy497pE7+nXSuzXwwFHI0XauRzz6roUvY+s=
-github.com/rivo/tview v0.0.0-20240307173318-e804876934a1/go.mod h1:02iFIz7K/A9jGCvrizLPvoqr4cEIx7q54RH5Qudkrss=
 github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
-github.com/rivo/uniseg v0.4.3/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rjeczalik/notify v0.9.3 h1:6rJAzHTGKXGj76sbRgDiDcYj/HniypXmSJo1SWakZeY=
@@ -272,8 +244,8 @@ github.com/safchain/ethtool v0.3.0 h1:gimQJpsI6sc1yIqP/y8GYgiXn/NjgvpM0RNoWLVVmP
 github.com/safchain/ethtool v0.3.0/go.mod h1:SA9BwrgyAqNo7M+uaL6IYbxpm5wk3L7Mm6ocLW+CJUs=
 github.com/secure-io/sio-go v0.3.1 h1:dNvY9awjabXTYGsTF1PiCySl9Ltofk9GA3VdWlo7rRc=
 github.com/secure-io/sio-go v0.3.1/go.mod h1:+xbkjDzPjwh4Axd07pRKSNriS9SCiYksWnZqdnfpQxs=
-github.com/shirou/gopsutil/v3 v3.24.2 h1:kcR0erMbLg5/3LcInpw0X/rrPSqq4CDPyI6A6ZRC18Y=
+github.com/shirou/gopsutil/v3 v3.24.3 h1:eoUGJSmdfLzJ3mxIhmOAhgKEKgQkeOwKpz1NbhVnuPE=
-github.com/shirou/gopsutil/v3 v3.24.2/go.mod h1:tSg/594BcA+8UdQU2XcW803GWYgdtauFFPgJCJKZlVk=
+github.com/shirou/gopsutil/v3 v3.24.3/go.mod h1:JpND7O217xa72ewWz9zN2eIIkPWsDN/3pl0H8Qt0uwg=
 github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
 github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
 github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
@@ -282,7 +254,6 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
-github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -307,19 +278,19 @@ github.com/tklauser/numcpus v0.7.0 h1:yjuerZP127QG9m5Zh/mSO4wqurYil27tHrqwRoRjpr
 github.com/tklauser/numcpus v0.7.0/go.mod h1:bb6dMVcj8A42tSE7i32fsIUCbQNllK5iDguyOZRUzAY=
 github.com/unrolled/secure v1.14.0 h1:u9vJTU/pR4Bny0ntLUMxdfLtmIRGvQf2sEFuA0TG9AE=
 github.com/unrolled/secure v1.14.0/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
-github.com/vbauerster/mpb/v8 v8.7.2 h1:SMJtxhNho1MV3OuFgS1DAzhANN1Ejc5Ct+0iSaIkB14=
+github.com/vbauerster/mpb/v8 v8.7.3 h1:n/mKPBav4FFWp5fH4U0lPpXfiOmCEgl5Yx/NM3tKJA0=
-github.com/vbauerster/mpb/v8 v8.7.2/go.mod h1:ZFnrjzspgDHoxYLGvxIruiNk73GNTPG4YHgVNpR10VY=
+github.com/vbauerster/mpb/v8 v8.7.3/go.mod h1:9nFlNpDGVoTmQ4QvNjSLtwLmAFjwmq0XaAF26toHGNM=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-go.etcd.io/etcd/api/v3 v3.5.12 h1:W4sw5ZoU2Juc9gBWuLk5U6fHfNVyY1WC5g9uiXZio/c=
+go.etcd.io/etcd/api/v3 v3.5.13 h1:8WXU2/NBge6AUF1K1gOexB6e07NgsN1hXK0rSTtgSp4=
-go.etcd.io/etcd/api/v3 v3.5.12/go.mod h1:Ot+o0SWSyT6uHhA56al1oCED0JImsRiU9Dc26+C2a+4=
+go.etcd.io/etcd/api/v3 v3.5.13/go.mod h1:gBqlqkcMMZMVTMm4NDZloEVJzxQOQIls8splbqBDa0c=
-go.etcd.io/etcd/client/pkg/v3 v3.5.12 h1:EYDL6pWwyOsylrQyLp2w+HkQ46ATiOvoEdMarindU2A=
+go.etcd.io/etcd/client/pkg/v3 v3.5.13 h1:RVZSAnWWWiI5IrYAXjQorajncORbS0zI48LQlE2kQWg=
-go.etcd.io/etcd/client/pkg/v3 v3.5.12/go.mod h1:seTzl2d9APP8R5Y2hFL3NVlD6qC/dOT+3kvrqPyTas4=
+go.etcd.io/etcd/client/pkg/v3 v3.5.13/go.mod h1:XxHT4u1qU12E2+po+UVPrEeL94Um6zL58ppuJWXSAB8=
-go.etcd.io/etcd/client/v3 v3.5.12 h1:v5lCPXn1pf1Uu3M4laUE2hp/geOTc5uPcYYsNe1lDxg=
+go.etcd.io/etcd/client/v3 v3.5.13 h1:o0fHTNJLeO0MyVbc7I3fsCf6nrOqn5d+diSarKnB2js=
-go.etcd.io/etcd/client/v3 v3.5.12/go.mod h1:tSbBCakoWmmddL+BKVAJHa9km+O/E+bumDe9mSbPiqw=
+go.etcd.io/etcd/client/v3 v3.5.13/go.mod h1:cqiAeY8b5DEEcpxvgWKsbLIWNM/8Wy2xJSDMtioMcoI=
 go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80=
 go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
@@ -336,8 +307,9 @@ golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211209193657-4570a0811e8b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
+golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -352,8 +324,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
-golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
-golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
 golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI=
 golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -362,8 +334,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180926160741-c2ed4eda69e7/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190130150945-aca44879d564/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -389,16 +361,18 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
+golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
+golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q=
+golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -414,20 +388,18 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
-golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
 google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
-google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7 h1:oqta3O3AnlWbmIE3bFnWbu4bRxZjfbWCp0cKSuZh01E=
+google.golang.org/genproto/googleapis/api v0.0.0-20240415180920-8c6c420018be h1:Zz7rLWqp0ApfsR/l7+zSHhY3PMiH2xqgxlfYfAfNpoU=
-google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7/go.mod h1:VQW3tUculP/D4B+xVCo+VgSq8As6wA9ZjHl//pmk+6s=
+google.golang.org/genproto/googleapis/api v0.0.0-20240415180920-8c6c420018be/go.mod h1:dvdCTIoAGbkWbcIKBniID56/7XHTt6WfxXNMxuziJ+w=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240311173647-c811ad7063a7 h1:8EeVk1VKMD+GD/neyEHGmz7pFblqPjHoi+PGQIlLx2s=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240415180920-8c6c420018be h1:LG9vZxsWGOmUKieR8wPAUR3u3MpnYFQZROPIMaXh7/A=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240311173647-c811ad7063a7/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240415180920-8c6c420018be/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
-google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk=
+google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM=
-google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE=
+google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=

pkg/auth/idp/oauth2/config.go

@@ -52,9 +52,9 @@ type ProviderConfig struct {
 //
 // We only support Authentication with the Authorization Code Flow - spec:
 // https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
-func (pc ProviderConfig) GetOauth2Provider(name string, scopes []string, r *http.Request, idpClient, stsClient *http.Client) (provider *Provider, err error) {
+func (pc ProviderConfig) GetOauth2Provider(name string, scopes []string, r *http.Request, clnt *http.Client) (provider *Provider, err error) {
 	var ddoc DiscoveryDoc
-	ddoc, err = parseDiscoveryDoc(r.Context(), pc.URL, idpClient)
+	ddoc, err = parseDiscoveryDoc(r.Context(), pc.URL, clnt)
 	if err != nil {
 		return nil, err
 	}
@@ -112,9 +112,7 @@ func (pc ProviderConfig) GetOauth2Provider(name string, scopes []string, r *http
 
 	client.IDPName = name
 	client.UserInfo = pc.Userinfo
-
+	client.client = clnt
-	client.provHTTPClient = idpClient
-	client.stsHTTPClient = stsClient
 
 	return client, nil
 }

pkg/auth/idp/oauth2/provider.go

@@ -112,8 +112,7 @@ type Provider struct {
 	UserInfo     bool
 	RefreshToken string
 	oauth2Config Configuration
-	provHTTPClient *http.Client
+	client       *http.Client
-	stsHTTPClient  *http.Client
 }
 
 // DefaultDerivedKey is the key used to compute the HMAC for signing the oauth state parameter
@@ -204,7 +203,7 @@ func NewOauth2ProviderClient(scopes []string, r *http.Request, httpClient *http.
 
 	client.IDPName = GetIDPClientID()
 	client.UserInfo = GetIDPUserInfo()
-	client.provHTTPClient = httpClient
+	client.client = httpClient
 
 	return client, nil
 }
@@ -212,12 +211,12 @@ func NewOauth2ProviderClient(scopes []string, r *http.Request, httpClient *http.
 var defaultScopes = []string{"openid", "profile", "email"}
 
 // NewOauth2ProviderClientByName returns a provider if present specified by the input name of the provider.
-func (ois OpenIDPCfg) NewOauth2ProviderClientByName(name string, scopes []string, r *http.Request, idpClient, stsClient *http.Client) (provider *Provider, err error) {
+func (ois OpenIDPCfg) NewOauth2ProviderClientByName(name string, scopes []string, r *http.Request, clnt *http.Client) (provider *Provider, err error) {
 	oi, ok := ois[name]
 	if !ok {
 		return nil, fmt.Errorf("%s IDP provider does not exist", name)
 	}
-	return oi.GetOauth2Provider(name, scopes, r, idpClient, stsClient)
+	return oi.GetOauth2Provider(name, scopes, r, clnt)
 }
 
 // NewOauth2ProviderClient instantiates a new oauth2 client using the
@@ -227,9 +226,9 @@ func (ois OpenIDPCfg) NewOauth2ProviderClientByName(name string, scopes []string
 //
 // We only support Authentication with the Authorization Code Flow - spec:
 // https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
-func (ois OpenIDPCfg) NewOauth2ProviderClient(scopes []string, r *http.Request, idpClient, stsClient *http.Client) (provider *Provider, providerCfg ProviderConfig, err error) {
+func (ois OpenIDPCfg) NewOauth2ProviderClient(scopes []string, r *http.Request, clnt *http.Client) (provider *Provider, providerCfg ProviderConfig, err error) {
 	for name, oi := range ois {
-		provider, err = oi.GetOauth2Provider(name, scopes, r, idpClient, stsClient)
+		provider, err = oi.GetOauth2Provider(name, scopes, r, clnt)
 		if err != nil {
 			// Upon error look for the next IDP.
 			continue
@@ -278,7 +277,7 @@ func (client *Provider) VerifyIdentity(ctx context.Context, code, state, roleARN
 		return nil, err
 	}
 	getWebTokenExpiry := func() (*credentials.WebIdentityToken, error) {
-		customCtx := context.WithValue(ctx, oauth2.HTTPClient, client.provHTTPClient)
+		customCtx := context.WithValue(ctx, oauth2.HTTPClient, client.client)
 		oauth2Token, err := client.oauth2Config.Exchange(customCtx, code)
 		if err != nil {
 			return nil, err
@@ -328,7 +327,7 @@ func (client *Provider) VerifyIdentity(ctx context.Context, code, state, roleARN
 	stsEndpoint := GetSTSEndpoint()
 
 	sts := credentials.New(&credentials.STSWebIdentity{
-		Client:              client.stsHTTPClient,
+		Client:              client.client,
 		STSEndpoint:         stsEndpoint,
 		GetWebIDTokenExpiry: getWebTokenExpiry,
 		RoleARN:             roleARN,
@@ -342,7 +341,7 @@ func (client *Provider) VerifyIdentityForOperator(ctx context.Context, code, sta
 	if err := validateOauth2State(state, keyFunc); err != nil {
 		return nil, err
 	}
-	customCtx := context.WithValue(ctx, oauth2.HTTPClient, client.provHTTPClient)
+	customCtx := context.WithValue(ctx, oauth2.HTTPClient, client.client)
 	oauth2Token, err := client.oauth2Config.Exchange(customCtx, code)
 	if err != nil {
 		return nil, err