diff --git a/Dockerfile b/Dockerfile index 99cdfb19e..25d4ca71a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ # Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 -ARG BUILD_IMAGE=golang:1.23.6@sha256:927112936d6b496ed95f55f362cc09da6e3e624ef868814c56d55bd7323e0959 +ARG BUILD_IMAGE=golang:1.24.0@sha256:2b1cbf278ce05a2a310a3d695ebb176420117a8cfcfcc4e5e68a1bef5f6354da ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:6ec5aa99dc335666e79dc64e4a6c8b89c33a543a1967f20d360922a80dd21f02 # Prepare to cross-compile by always running the build stage in the build platform, not the target platform. diff --git a/generated/1.30/apis/go.mod b/generated/1.30/apis/go.mod index 0a2d9c7f6..f3c2dacae 100644 --- a/generated/1.30/apis/go.mod +++ b/generated/1.30/apis/go.mod @@ -3,7 +3,7 @@ module go.pinniped.dev/generated/1.30/apis go 1.22.0 -toolchain go1.23.6 +toolchain go1.24.0 require ( k8s.io/api v0.30.9 diff --git a/generated/1.30/client/go.mod b/generated/1.30/client/go.mod index ba4822b3d..b7ffe3d15 100644 --- a/generated/1.30/client/go.mod +++ b/generated/1.30/client/go.mod @@ -3,7 +3,7 @@ module go.pinniped.dev/generated/1.30/client go 1.22.0 -toolchain go1.23.6 +toolchain go1.24.0 replace go.pinniped.dev/generated/1.30/apis => ../apis diff --git a/generated/1.31/apis/go.mod b/generated/1.31/apis/go.mod index 29f5f1af4..0723d75b1 100644 --- a/generated/1.31/apis/go.mod +++ b/generated/1.31/apis/go.mod @@ -3,7 +3,7 @@ module go.pinniped.dev/generated/1.31/apis go 1.22.0 -toolchain go1.23.6 +toolchain go1.24.0 require ( k8s.io/api v0.31.5 diff --git a/generated/1.31/client/go.mod b/generated/1.31/client/go.mod index a2ece04b5..ce5c1d3ff 100644 --- a/generated/1.31/client/go.mod +++ b/generated/1.31/client/go.mod @@ -3,7 +3,7 @@ module go.pinniped.dev/generated/1.31/client go 1.22.0 -toolchain go1.23.6 +toolchain go1.24.0 replace go.pinniped.dev/generated/1.31/apis => ../apis 
diff --git a/go.mod b/go.mod index 1581fc855..2072281db 100644 --- a/go.mod +++ b/go.mod @@ -2,7 +2,7 @@ module go.pinniped.dev go 1.23.0 -toolchain go1.23.6 +toolchain go1.24.0 // When using v0.31.5, need to use this version of structured-merge-diff. // See https://github.com/kubernetes/apimachinery/blob/v0.31.5/go.mod#L30 @@ -39,7 +39,7 @@ require ( github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c github.com/pkg/errors v0.9.1 github.com/sclevine/spec v1.4.0 - github.com/spf13/cobra v1.8.1 + github.com/spf13/cobra v1.9.1 github.com/spf13/pflag v1.0.6 github.com/stretchr/testify v1.10.0 github.com/tdewolff/minify/v2 v2.21.3 @@ -78,7 +78,7 @@ require ( github.com/chromedp/sysutil v1.1.0 // indirect github.com/coreos/go-oidc v2.2.1+incompatible // indirect github.com/coreos/go-systemd/v22 v22.5.0 // indirect - github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect + github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect github.com/cristalhq/jwt/v4 v4.0.2 // indirect github.com/dgraph-io/ristretto v1.0.0 // indirect github.com/dustin/go-humanize v1.0.1 // indirect diff --git a/go.sum b/go.sum index 2b49846d5..10338d607 100644 --- a/go.sum +++ b/go.sum 
@@ -90,8 +90,8 @@ github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= -github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4= -github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0= +github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s= github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE= @@ -528,8 +528,8 @@ github.com/spf13/afero v1.9.5/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/ github.com/spf13/cast v1.5.1 h1:R+kOtfhWQE6TVQzY+4D7wJLBgkdVasCEFxSUBYBYIlA= github.com/spf13/cast v1.5.1/go.mod h1:b9PdjNptOpzXr7Rq1q9gJML/2cdGQAo69NKzQ10KN48= github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= -github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= -github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= +github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo= +github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0= github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk= github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= 
diff --git a/hack/Dockerfile_fips b/hack/Dockerfile_fips index 3fbecdcac..81309df53 100644 --- a/hack/Dockerfile_fips +++ b/hack/Dockerfile_fips @@ -16,7 +16,7 @@ # See https://go.googlesource.com/go/+/dev.boringcrypto/README.boringcrypto.md # and https://kupczynski.info/posts/fips-golang/ for details. -ARG BUILD_IMAGE=golang:1.23.6@sha256:927112936d6b496ed95f55f362cc09da6e3e624ef868814c56d55bd7323e0959 +ARG BUILD_IMAGE=golang:1.24.0@sha256:2b1cbf278ce05a2a310a3d695ebb176420117a8cfcfcc4e5e68a1bef5f6354da ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:6ec5aa99dc335666e79dc64e4a6c8b89c33a543a1967f20d360922a80dd21f02 # This is not currently using --platform to prepare to cross-compile because we use gcc below to build diff --git a/hack/lib/lint-version.txt b/hack/lib/lint-version.txt index 1180c5942..65d11a24b 100644 --- a/hack/lib/lint-version.txt +++ b/hack/lib/lint-version.txt @@ -1 +1 @@ -1.63.4 +1.64.5 diff --git a/hack/update-go-mod/go.mod b/hack/update-go-mod/go.mod index 091e79b72..18197c220 100644 --- a/hack/update-go-mod/go.mod +++ b/hack/update-go-mod/go.mod @@ -2,6 +2,6 @@ module go.pinniped.dev/update-go-mod go 1.22.0 -toolchain go1.23.6 +toolchain go1.24.0 require golang.org/x/mod v0.22.0 diff --git a/internal/concierge/impersonator/impersonator.go b/internal/concierge/impersonator/impersonator.go index bdd37212d..29c0210bd 100644 --- a/internal/concierge/impersonator/impersonator.go +++ b/internal/concierge/impersonator/impersonator.go @@ -1,4 +1,4 @@ -// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package impersonator @@ -650,7 +650,6 @@ func getTransportForUser(ctx context.Context, userInfo user.Info, delegate, dele } func canImpersonateFully(userInfo user.Info) bool { - //nolint:gosimple // this structure is on purpose because we plan to expand this function if len(userInfo.GetUID()) == 0 { return true } 
diff --git a/internal/crypto/ptls/default_profile_max_tls_version_for_fips_13.go b/internal/crypto/ptls/default_profile_max_tls_version_for_fips_13.go deleted file mode 100644 index b1c5a4b7e..000000000 --- a/internal/crypto/ptls/default_profile_max_tls_version_for_fips_13.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2024 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -//go:build fips_enable_tls13_max_for_default_profile - -package ptls - -import "crypto/tls" - -const DefaultProfileMaxTLSVersionForFIPS = tls.VersionTLS13 diff --git a/internal/crypto/ptls/default_profile_max_tls_version_for_fips_default_value.go b/internal/crypto/ptls/default_profile_max_tls_version_for_fips_default_value.go deleted file mode 100644 index 0490ffa5a..000000000 --- a/internal/crypto/ptls/default_profile_max_tls_version_for_fips_default_value.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2024 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -//go:build !fips_enable_tls13_max_for_default_profile - -package ptls - -import "crypto/tls" - -const DefaultProfileMaxTLSVersionForFIPS = tls.VersionTLS12 diff --git a/internal/crypto/ptls/profiles_fips_strict.go b/internal/crypto/ptls/profiles_fips_strict.go index b26fbd273..97fbc126d 100644 --- a/internal/crypto/ptls/profiles_fips_strict.go +++ b/internal/crypto/ptls/profiles_fips_strict.go @@ -1,4 +1,4 @@ -// Copyright 2022-2024 the Pinniped contributors. All Rights Reserved. +// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 // This file overrides profiles.go when Pinniped is built in FIPS-only mode. 
@@ -37,11 +37,9 @@ var ( // insecureCipherSuiteIDs is a list of additional ciphers that should be allowed for both clients // and servers when using TLS 1.2. // - // FIPS allows the use of these specific ciphers that golang considers insecure. - insecureCipherSuiteIDs = []uint16{ - tls.TLS_RSA_WITH_AES_128_GCM_SHA256, - tls.TLS_RSA_WITH_AES_256_GCM_SHA384, - } + // Previous versions of FIPS allowed the use of some specific ciphers that golang considers insecure. + // Go 1.24 does not anymore, so now this list is empty. + insecureCipherSuiteIDs []uint16 // additionalSecureCipherSuiteIDsOnlyForLDAPClients are additional ciphers to use only for LDAP clients // when using TLS 1.2. These can be used when the Pinniped Supervisor is making calls to an LDAP server @@ -62,8 +60,7 @@ func init() { // this init runs before we have parsed our config to determine our log level // thus we must use a log statement that will always print instead of conditionally print plog.Always("this server was compiled to use boring crypto in FIPS-only mode", - "go version", runtime.Version(), - "DefaultProfileMaxTLSVersionForFIPS", tls.VersionName(DefaultProfileMaxTLSVersionForFIPS)) + "go version", runtime.Version()) } // Default: see comment in profiles.go. @@ -72,8 +69,8 @@ func init() { // and insecureCipherSuiteIDs values defined above. func Default(rootCAs *x509.CertPool) *tls.Config { config := buildTLSConfig(rootCAs, allHardcodedAllowedCipherSuites(), getUserConfiguredAllowedCipherSuitesForTLSOneDotTwo()) - // Until goboring supports TLS 1.3, make the max version 1.2 by default. Allow it to be overridden by a build tag. - config.MaxVersion = DefaultProfileMaxTLSVersionForFIPS + // Note: starting in Go 1.24, boringcrypto supports TLS 1.3, so we allow it here. + config.MaxVersion = tls.VersionTLS13 return config } 
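Review bot: Raising `config.MaxVersion` to `tls.VersionTLS13` in Default means the allow list built from allHardcodedAllowedCipherSuites() and getUserConfiguredAllowedCipherSuitesForTLSOneDotTwo() no longer bounds every handshake, because Go's tls.Config.CipherSuites only applies to TLS 1.2 and TLS 1.3 suites are not configurable; a comment on that line should say so, e.g. `// CipherSuites only constrains TLS 1.2 handshakes; TLS 1.3 suites are fixed by Go (under boringcrypto, by the FIPS module) and cannot be narrowed here.` The rewritten insecureCipherSuiteIDs comment attributes the change to "previous versions of FIPS", but what changed is Go's boringcrypto TLS stack, and the dropped entries were the RSA-key-exchange suites; suggest `// Before Go 1.24, boringcrypto allowed the TLS_RSA_* (RSA key exchange) suites that Go otherwise considers insecure. Go 1.24 no longer does, so this list is empty.` Since the init log dropped the max TLS version, consider keeping an operator-visible signal such as `"max TLS version", tls.VersionName(tls.VersionTLS13)` so a FIPS build's posture can still be confirmed from the startup log. The two helper functions are defined outside this hunk, so whether they already filter to TLS 1.2-only suites is inferred from their names.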
@@ -86,15 +83,18 @@ func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config { // Secure: see comment in profiles.go. // This chooses different cipher suites and/or TLS versions compared to non-FIPS mode. -// Until goboring supports TLS 1.3, make the Secure profile the same as the Default profile in FIPS mode. -// Until then, this is not any different from the Default profile in FIPS mode. +// Note: starting in Go 1.24, boringcrypto supports TLS 1.3, so we allow it here. +// However, until it is safe to assume that a FIPS-compiled k8s server supports TLS 1.3, continue to +// make the Secure profile the same as the Default profile in FIPS mode, to allow both TLS 1.2 and 1.3. func Secure(rootCAs *x509.CertPool) *tls.Config { return Default(rootCAs) } // SecureServing: see comment in profiles.go. // This chooses different cipher suites and/or TLS versions compared to non-FIPS mode. -// Until goboring supports TLS 1.3, make SecureServing use the same as the defaultServing profile in FIPS mode. +// Note: starting in Go 1.24, boringcrypto supports TLS 1.3, so we allow it here. +// However, until it is safe to assume that a FIPS-compiled k8s server supports TLS 1.3, continue to +// make SecureServing use the same as the defaultServing profile in FIPS mode, to allow both TLS 1.2 and 1.3. func SecureServing(opts *options.SecureServingOptionsWithLoopback) { defaultServing(opts) } diff --git a/test/integration/limited_ciphers_fips_test.go b/test/integration/limited_ciphers_fips_test.go index 7eeb6993b..f8fd3c261 100644 --- a/test/integration/limited_ciphers_fips_test.go +++ b/test/integration/limited_ciphers_fips_test.go @@ -1,4 +1,4 @@ -// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// Copyright 2024-2025 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 //go:build fips_strict 
@@ -21,12 +21,11 @@ func TestLimitedCiphersFIPS_Disruptive(t *testing.T) { "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_RSA_WITH_AES_256_GCM_SHA384", // this is an insecure cipher but allowed for FIPS }, // Expected server configuration for the Supervisor's OIDC endpoints. &tls.Config{ MinVersion: tls.VersionTLS12, // Supervisor OIDC always allows TLS 1.2 clients to connect - MaxVersion: tls.VersionTLS12, // boringcrypto does not use TLS 1.3 yet + MaxVersion: tls.VersionTLS13, CipherSuites: []uint16{ // Supervisor OIDC endpoints configured with EC certs use only EC ciphers. tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, @@ -35,13 +34,12 @@ func TestLimitedCiphersFIPS_Disruptive(t *testing.T) { }, // Expected server configuration for the Supervisor and Concierge aggregated API endpoints. &tls.Config{ - MinVersion: tls.VersionTLS12, // boringcrypto does not use TLS 1.3 yet - MaxVersion: tls.VersionTLS12, // boringcrypto does not use TLS 1.3 yet + MinVersion: tls.VersionTLS12, // always allow TLS 1.2 in fips mode + MaxVersion: tls.VersionTLS13, CipherSuites: []uint16{ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - tls.TLS_RSA_WITH_AES_256_GCM_SHA384, }, }, ) diff --git a/test/integration/ptls_fips_test.go b/test/integration/ptls_fips_test.go index fcea5fb6c..8609aa97d 100644 --- a/test/integration/ptls_fips_test.go +++ b/test/integration/ptls_fips_test.go @@ -1,4 +1,4 @@ -// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 //go:build fips_strict 
@@ -65,8 +65,6 @@ var expectedFIPSCipherSuites = []uint16{ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - tls.TLS_RSA_WITH_AES_128_GCM_SHA256, - tls.TLS_RSA_WITH_AES_256_GCM_SHA384, } func TestDefault_Parallel(t *testing.T) { @@ -77,7 +75,7 @@ func TestDefault_Parallel(t *testing.T) { actual := ptls.Default(aCertPool) expected := &tls.Config{ MinVersion: tls.VersionTLS12, - MaxVersion: tls.VersionTLS12, // goboring does not currently support TLS 1.3, so prevent its use + MaxVersion: tls.VersionTLS13, CipherSuites: expectedFIPSCipherSuites, NextProtos: []string{"h2", "http/1.1"}, RootCAs: aCertPool, @@ -94,7 +92,7 @@ func TestDefaultLDAP_Parallel(t *testing.T) { actual := ptls.DefaultLDAP(aCertPool) expected := &tls.Config{ MinVersion: tls.VersionTLS12, - MaxVersion: tls.VersionTLS12, // goboring does not currently support TLS 1.3, so prevent its use + MaxVersion: tls.VersionTLS13, CipherSuites: expectedFIPSCipherSuites, NextProtos: []string{"h2", "http/1.1"}, RootCAs: aCertPool, @@ -110,10 +108,8 @@ func TestSecure_Parallel(t *testing.T) { actual := ptls.Secure(aCertPool) expected := &tls.Config{ - // goboring does not currently support TLS 1.3, so where we would normally require it by making it the - // min version for the secure profile, we cannot do that in FIPS mode - MinVersion: tls.VersionTLS12, - MaxVersion: tls.VersionTLS12, // goboring does not currently support TLS 1.3, so prevent its use + MinVersion: tls.VersionTLS12, // allow TLS 1.2 in FIPS mode + MaxVersion: tls.VersionTLS13, CipherSuites: expectedFIPSCipherSuites, NextProtos: []string{"h2", "http/1.1"}, RootCAs: aCertPool, 
@@ -135,10 +131,8 @@ func TestSecureServing_Parallel(t *testing.T) { require.Equal(t, options.SecureServingOptionsWithLoopback{ SecureServingOptions: &options.SecureServingOptions{ - CipherSuites: expectedFIPSCipherSuiteNames, - // goboring does not currently support TLS 1.3, so where we would normally require it by making it the - // min version for secure serving for aggregated API servers, we cannot do that in FIPS mode - MinTLSVersion: "VersionTLS12", + CipherSuites: expectedFIPSCipherSuiteNames, + MinTLSVersion: "VersionTLS12", // allow TLS 1.2 in FIPS mode }, }, *opts) }