From ca6687d42810456d239622b87e7a6cd6d405efea Mon Sep 17 00:00:00 2001 From: Pinny Date: Tue, 27 Feb 2024 14:03:11 +0000 Subject: [PATCH 1/4] Bump dependencies --- Dockerfile | 2 +- go.mod | 20 +++++++++++--------- go.sum | 32 ++++++++++++++++---------------- hack/Dockerfile_fips | 2 +- 4 files changed, 29 insertions(+), 27 deletions(-) diff --git a/Dockerfile b/Dockerfile index 38cb1618d..88a8daff6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ # SPDX-License-Identifier: Apache-2.0 ARG BUILD_IMAGE=golang:1.22.0@sha256:7b297d9abee021bab9046e492506b3c2da8a3722cbf301653186545ecc1e00bb -ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:6a3500b086c2856fbc189f5d11351bdbcf7c4dc5673c2b6070aac9d607da90d7 +ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:49af06135e8bbe8ddc46c1d28b0bd00961aae9c9ed090bbc0237f58e1462dd4b # Prepare to cross-compile by always running the build stage in the build platform, not the target platform. FROM --platform=$BUILDPLATFORM $BUILD_IMAGE as build-env diff --git a/go.mod b/go.mod index ff6334845..6bb829ad7 100644 --- a/go.mod +++ b/go.mod @@ -1,7 +1,9 @@ module go.pinniped.dev // k8s.io/api@v0.29.0 requires go@1.21 -go 1.21 +go 1.21.3 + +toolchain go1.22.0 // This version taken from https://github.com/kubernetes/apiserver/blob/v0.29.0/go.mod#L14 to avoid compile failures. replace github.com/google/cel-go => github.com/google/cel-go v0.17.7 
@@ -24,14 +26,14 @@ replace go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp => go.op require ( github.com/MakeNowJust/heredoc/v2 v2.0.1 - github.com/chromedp/cdproto v0.0.0-20240214232516-ad4608604e9e + github.com/chromedp/cdproto v0.0.0-20240226204813-532e667d868f github.com/chromedp/chromedp v0.9.5 github.com/coreos/go-oidc/v3 v3.9.0 github.com/coreos/go-semver v0.3.1 github.com/creack/pty v1.1.21 github.com/davecgh/go-spew v1.1.1 github.com/felixge/httpsnoop v1.0.4 - github.com/go-jose/go-jose/v3 v3.0.1 + github.com/go-jose/go-jose/v3 v3.0.2 github.com/go-ldap/ldap/v3 v3.4.6 github.com/go-logr/logr v1.4.1 github.com/go-logr/stdr v1.2.2 @@ -53,9 +55,9 @@ require ( github.com/spf13/cobra v1.8.0 github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.8.4 - github.com/tdewolff/minify/v2 v2.20.17 + github.com/tdewolff/minify/v2 v2.20.18 go.uber.org/zap v1.27.0 - golang.org/x/crypto v0.19.0 + golang.org/x/crypto v0.20.0 golang.org/x/net v0.21.0 golang.org/x/oauth2 v0.17.0 golang.org/x/sync v0.6.0 @@ -67,10 +69,10 @@ require ( k8s.io/apiserver v0.29.2 k8s.io/client-go v0.29.2 k8s.io/component-base v0.29.2 - k8s.io/gengo v0.0.0-20240129211411-f967bbeff4b4 + k8s.io/gengo v0.0.0-20240226174109-00c4be8627da k8s.io/klog/v2 v2.120.1 k8s.io/kube-aggregator v0.29.2 - k8s.io/kube-openapi v0.0.0-20240221221325-2ac9dc51f3f1 + k8s.io/kube-openapi v0.0.0-20240227032403-f107216b40e2 k8s.io/utils v0.0.0-20240102154912-e7106e64919e sigs.k8s.io/yaml v1.4.0 ) 
@@ -173,10 +175,10 @@ require ( go.opentelemetry.io/proto/otlp v1.0.0 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc // indirect - golang.org/x/mod v0.14.0 // indirect + golang.org/x/mod v0.15.0 // indirect golang.org/x/sys v0.17.0 // indirect golang.org/x/time v0.3.0 // indirect - golang.org/x/tools v0.16.1 // indirect + golang.org/x/tools v0.18.0 // indirect google.golang.org/appengine v1.6.8 // indirect google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect diff --git a/go.sum b/go.sum index a4e3b0064..b883909f0 100644 --- a/go.sum +++ b/go.sum @@ -70,8 +70,8 @@ github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chromedp/cdproto v0.0.0-20240202021202-6d0b6a386732/go.mod h1:GKljq0VrfU4D5yc+2qA6OVr8pmO/MBbPEWqWQ/oqGEs= -github.com/chromedp/cdproto v0.0.0-20240214232516-ad4608604e9e h1:kXEolCWQZzuEFcuaTzfqXToX+e29OcvK87BcBiBBJ1c= -github.com/chromedp/cdproto v0.0.0-20240214232516-ad4608604e9e/go.mod h1:GKljq0VrfU4D5yc+2qA6OVr8pmO/MBbPEWqWQ/oqGEs= +github.com/chromedp/cdproto v0.0.0-20240226204813-532e667d868f h1:jODunjTDQHm0Srs2IsfcS3hOmNLUN7Spag3NJZQra2g= +github.com/chromedp/cdproto v0.0.0-20240226204813-532e667d868f/go.mod h1:GKljq0VrfU4D5yc+2qA6OVr8pmO/MBbPEWqWQ/oqGEs= github.com/chromedp/chromedp v0.9.5 h1:viASzruPJOiThk7c5bueOUY91jGLJVximoEMGoH93rg= github.com/chromedp/chromedp v0.9.5/go.mod h1:D4I2qONslauw/C7INoCir1BJkSwBYMyZgx8X276z3+Y= github.com/chromedp/sysutil v1.0.0 h1:+ZxhTpfpZlmchB58ih/LBHX52ky7w2VhQVKQMucy3Ic= 
@@ -149,8 +149,8 @@ github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkPro
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA=
-github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
+github.com/go-jose/go-jose/v3 v3.0.2 h1:2Edjn8Nrb44UvTdp84KU0bBPs1cO7noRCybtS3eJEUQ=
+github.com/go-jose/go-jose/v3 v3.0.2/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
 github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A=
 github.com/go-ldap/ldap/v3 v3.4.6/go.mod h1:IGMQANNtxpsOzj7uUAMjpGBaOVTC4DYyIy8VsTdxmtc=
@@ -552,8 +552,8 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8=
 github.com/subosito/gotenv v1.4.2/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
-github.com/tdewolff/minify/v2 v2.20.17 h1:zGqEDhspr3XjSrQI/56vw9IdAhLAaKTLXWnDBsxNVt8=
-github.com/tdewolff/minify/v2 v2.20.17/go.mod h1:ulkFoeAVWMLEyjuDz1ZIWOA31g5aWOawCFRp9R/MudM=
+github.com/tdewolff/minify/v2 v2.20.18 h1:y+s6OzlZwFqApgNXWNtaMuEMEPbHT72zrCyb9Az35Xo=
+github.com/tdewolff/minify/v2 v2.20.18/go.mod h1:ulkFoeAVWMLEyjuDz1ZIWOA31g5aWOawCFRp9R/MudM=
 github.com/tdewolff/parse/v2 v2.7.12 h1:tgavkHc2ZDEQVKy1oWxwIyh5bP4F5fEh/JmBwPP/3LQ=
 github.com/tdewolff/parse/v2 v2.7.12/go.mod h1:3FbJWZp3XT9OWVN3Hmfp0p/a08v4h8J9W1aghka0soA=
 github.com/tdewolff/test v1.0.11-0.20231101010635-f1265d231d52/go.mod h1:6DAvZliBAAnD7rhVgwaM7DE5/d9NMOAJ09SqYqeK4QE=
@@ -656,7 +656,6 @@ golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a/go.mod h1:WFFai1msRO1wXaE
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
@@ -666,8 +665,9 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.20.0 h1:jmAMJJZXr5KiCw05dfYK9QnqaqKLYXijU23lsEdcQqg=
+golang.org/x/crypto v0.20.0/go.mod h1:Xwo95rrVNIoSMx9wa1JroENMToLWn3RNVrTBpLHgZPQ=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -707,8 +707,8 @@ golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.15.0 h1:SernR4v+D55NyBH2QiEQrlBAnj1ECL6AGrA5+dPaMY8=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -925,8 +925,8 @@ golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4=
-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.18.0 h1:k8NLag8AGHnn+PHbl7g43CtqZAwG60vZkLqgyZgIHgQ=
+golang.org/x/tools v0.18.0/go.mod h1:GL7B4CwcLLeo59yx/9UWWuNOW1n3VZ4f5axWfML7Lcg=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1078,8 +1078,8 @@ k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg=
 k8s.io/client-go v0.29.2/go.mod h1:knlvFZE58VpqbQpJNbCbctTVXcd35mMyAAwBdpt4jrA=
 k8s.io/component-base v0.29.2 h1:lpiLyuvPA9yV1aQwGLENYyK7n/8t6l3nn3zAtFTJYe8=
 k8s.io/component-base v0.29.2/go.mod h1:BfB3SLrefbZXiBfbM+2H1dlat21Uewg/5qtKOl8degM=
-k8s.io/gengo v0.0.0-20240129211411-f967bbeff4b4 h1:izq7u3SJBdOAuA5YYe1/PIp9jczrih/jGlKRRt0G7bQ=
-k8s.io/gengo v0.0.0-20240129211411-f967bbeff4b4/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
+k8s.io/gengo v0.0.0-20240226174109-00c4be8627da h1:uH7pylUCo++9PSvrUA34sbk4Y6PHw/bgEFa80pejI+I=
+k8s.io/gengo v0.0.0-20240226174109-00c4be8627da/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
 k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
@@ -1087,8 +1087,8 @@ k8s.io/kms v0.29.2 h1:MDsbp98gSlEQs7K7dqLKNNTwKFQRYYvO4UOlBOjNy6Y= k8s.io/kms v0.29.2/go.mod h1:s/9RC4sYRZ/6Tn6yhNjbfJuZdb8LzlXhdlBnKizeFDo= k8s.io/kube-aggregator v0.29.2 h1:z9qJn5wlGmGaX6EfM7OEhr6fq6SBjDKR6tPRZ/qgxeY= k8s.io/kube-aggregator v0.29.2/go.mod h1:QEuwzmMJJsg0eg1Gv+u4cWcYeJG2+8vN8/nTXBzopUo= -k8s.io/kube-openapi v0.0.0-20240221221325-2ac9dc51f3f1 h1:rtdnaWfP40MTKv7izH81gkWpZB45pZrwIxyZdPSn1mI= -k8s.io/kube-openapi v0.0.0-20240221221325-2ac9dc51f3f1/go.mod h1:Pa1PvrP7ACSkuX6I7KYomY6cmMA0Tx86waBhDUgoKPw= +k8s.io/kube-openapi v0.0.0-20240227032403-f107216b40e2 h1:02WBxjyRwX4rJdl3XlWVjFbXT/kAKCsipoM8hQY3Dwo= +k8s.io/kube-openapi v0.0.0-20240227032403-f107216b40e2/go.mod h1:B7Huvd1LKZtTYmY+nC6rnmN8lyGYT9lifBcPD5epL6k= k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ= k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= diff --git a/hack/Dockerfile_fips b/hack/Dockerfile_fips index a7f7964fa..b998cf505 100644 --- a/hack/Dockerfile_fips +++ b/hack/Dockerfile_fips @@ -17,7 +17,7 @@ # and https://kupczynski.info/posts/fips-golang/ for details. ARG BUILD_IMAGE=golang:1.22.0@sha256:7b297d9abee021bab9046e492506b3c2da8a3722cbf301653186545ecc1e00bb -ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:6a3500b086c2856fbc189f5d11351bdbcf7c4dc5673c2b6070aac9d607da90d7 +ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:49af06135e8bbe8ddc46c1d28b0bd00961aae9c9ed090bbc0237f58e1462dd4b # This is not currently using --platform to prepare to cross-compile because we use gcc below to build # platform-specific GCO code. This makes multi-arch builds slow due to target platform emulation. From d88883328a8af1bd482c3b76c82055826e270609 Mon Sep 17 00:00:00 2001 
From: Ryan Richard Date: Tue, 27 Feb 2024 12:02:59 -0800 Subject: [PATCH 2/4] Update codeql workflow actions to latest versions and add setup-go See deprecation of v2 message in README.md at https://github.com/github/codeql-action Added setup-go because codeql code scanning stopped working and gave this error message: The go.mod file requires version v1.21.3 of Go, but version v1.20.14 is installed. Consider adding an actions/setup-go step to your workflow. --- .github/workflows/codeql-analysis.yml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 96ac73e75..9b9b0b762 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -29,11 +29,13 @@ jobs: language: [ 'go', 'javascript' ] steps: + # Checkout our repository. + # See https://github.com/actions/checkout for documentation. - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
@@ -43,10 +45,16 @@ jobs: # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality + # Install Go. + # See https://github.com/actions/setup-go?tab=readme-ov-file#getting-go-version-from-the-gomod-file. + - uses: actions/setup-go@v5 + with: + go-version-file: 'go.mod' + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@v3 # â„šī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -59,6 +67,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 with: category: "/language:${{matrix.language}}" From 50b54580de0c5f8324dcd59136d3e19be05bf6d4 Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Tue, 27 Feb 2024 14:29:15 -0800 Subject: [PATCH 3/4] Fix races in login_test.go units tests --- pkg/oidcclient/login.go | 4 ++++ pkg/oidcclient/login_test.go | 42 +++++++++++++++++++++++++++++------- 2 files changed, 38 insertions(+), 8 deletions(-) diff --git a/pkg/oidcclient/login.go b/pkg/oidcclient/login.go index d9ed0d097..a828f12e3 100644 --- a/pkg/oidcclient/login.go +++ b/pkg/oidcclient/login.go 
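Review bot: The added `- uses: actions/setup-go@v5` step in .github/workflows/codeql-analysis.yml references the action by a mutable tag, as do the bumped `actions/checkout@v4` and `github/codeql-action/*@v3` lines in the neighbouring hunks, so whoever can move those tags decides what code runs in this workflow. The Dockerfiles in the same patch series pin their images by `@sha256:` digest; the equivalent here would be `uses: actions/setup-go@<full-commit-sha-of-the-v5-release> # v5`, with the SHA taken from the action's own release page. The new step is also the only one in the visible hunks without a `name:`; adding `name: Set up Go` would keep the job log consistent with the other steps.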
@@ -669,6 +669,9 @@ func (h *handlerState) webBrowserBasedAuth(authorizeOptions *[]oauth2.AuthCodeOp } } +// promptForWebLogin prints a login URL to the screen, if needed. It will also print the "paste yor authorization code" +// prompt to the screen and wait for user input, if needed. It can be cancelled by the context provided. +// It returns a function which should be invoked by the caller to perform some cleanup. func (h *handlerState) promptForWebLogin(ctx context.Context, authorizeURL string, printAuthorizeURL bool) func() { if printAuthorizeURL { _, _ = fmt.Fprintf(h.out, "Log in by visiting this link:\n\n %s\n\n", authorizeURL) @@ -714,6 +717,7 @@ func (h *handlerState) promptForWebLogin(ctx context.Context, authorizeURL strin } // promptForValue interactively prompts the user for a plaintext value and reads their input. +// If the context is canceled, it will return an error immediately. // This can be replaced by a mock implementation for unit tests. func promptForValue(ctx context.Context, promptLabel string, out io.Writer) (string, error) { if !term.IsTerminal(stdin()) { diff --git a/pkg/oidcclient/login_test.go b/pkg/oidcclient/login_test.go index 1ad388351..bf7d499c0 100644 --- a/pkg/oidcclient/login_test.go +++ b/pkg/oidcclient/login_test.go 
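Review bot: The new doc comment on promptForWebLogin contains a typo (`paste yor authorization code`) and describes the returned function only as performing "some cleanup". The login_test.go change in this same commit relies on that function waiting for the prompt goroutine to finish once the context is cancelled, so the contract is worth stating, e.g. `// The returned function blocks until the prompt goroutine has exited; cancel ctx before calling it.` — assuming that matches the function body, which continues outside this hunk. The two comments added in login.go also mix the spellings `cancelled` and `canceled`; choosing one would match whichever the rest of the file uses.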
@@ -1159,6 +1159,23 @@ func TestLogin(t *testing.T) { //nolint:gocyclo h.stdinIsTTY = func() bool { return true } h.stderrIsTTY = func() bool { return true } + // Because response_mode=form_post, the Login function is going to prompt the user + // to paste their authcode. This test needs to handle that prompt. + h.promptForValue = func(ctx context.Context, promptLabel string, _ io.Writer) (string, error) { + assert.Equal(t, " Optionally, paste your authorization code: ", promptLabel) + // This test does not want to simulate the user entering their authcode at the prompt, + // nor does it want to simulate a prompt error, so this function should hang as if + // we are waiting for user input. Otherwise, promptForWebLogin would be racing to + // write the result of this function to the callback chan (versus this test trying + // to write its own callbackResult to the same chan). + // The context passed into this function should be cancelled by the caller when it + // has received the authcode callback because the caller is no longer interested in + // waiting for the prompt anymore at that point, so this function can finish when + // the context is cancelled. + <-ctx.Done() + return "", errors.New("this error should be ignored by the caller because the context is already cancelled") + } + cache := &mockSessionCache{t: t, getReturnsToken: nil} cacheKey := SessionCacheKey{ Issuer: formPostSuccessServer.URL, @@ -2467,6 +2484,8 @@ func withOutWriter(t *testing.T, out io.Writer) Option { func TestHandlePasteCallback(t *testing.T) { const testRedirectURI = "http://127.0.0.1:12324/callback" const testAuthURL = "https://test-authorize-url/" + const cancelledAuthcodePromptOutput = "[...]\n" + const newlineAfterEveryAuthcodePromptOutput = "\n" expectedAuthURLOutput := func(expectedAuthURL string) string { return fmt.Sprintf("Log in by visiting this link:\n\n %s\n\n", expectedAuthURL) 
@@ -2522,7 +2541,7 @@ func TestHandlePasteCallback(t *testing.T) { }, authorizeURL: testAuthURL, printAuthorizeURL: true, - wantStderr: expectedAuthURLOutput(testAuthURL), + wantStderr: expectedAuthURLOutput(testAuthURL) + cancelledAuthcodePromptOutput + newlineAfterEveryAuthcodePromptOutput, wantCallback: &callbackResult{ err: fmt.Errorf("failed to prompt for manual authorization code: some prompt error"), }, @@ -2549,7 +2568,7 @@ func TestHandlePasteCallback(t *testing.T) { }, authorizeURL: testAuthURL, printAuthorizeURL: true, - wantStderr: expectedAuthURLOutput(testAuthURL), + wantStderr: expectedAuthURLOutput(testAuthURL) + newlineAfterEveryAuthcodePromptOutput, wantCallback: &callbackResult{ err: fmt.Errorf("some exchange error"), }, @@ -2576,7 +2595,7 @@ func TestHandlePasteCallback(t *testing.T) { }, authorizeURL: testAuthURL, printAuthorizeURL: true, - wantStderr: expectedAuthURLOutput(testAuthURL), + wantStderr: expectedAuthURLOutput(testAuthURL) + newlineAfterEveryAuthcodePromptOutput, wantCallback: &callbackResult{ token: &oidctypes.Token{IDToken: &oidctypes.IDToken{Token: "test-id-token"}}, }, @@ -2602,8 +2621,8 @@ func TestHandlePasteCallback(t *testing.T) { } }, authorizeURL: testAuthURL, - printAuthorizeURL: false, // do not want to print auth URL - wantStderr: "", // auth URL was not printed to stdout + printAuthorizeURL: false, // do not want to print auth URL + wantStderr: newlineAfterEveryAuthcodePromptOutput, // auth URL was not printed to stdout wantCallback: &callbackResult{ token: &oidctypes.Token{IDToken: &oidctypes.IDToken{Token: "test-id-token"}}, }, @@ -2628,9 +2647,7 @@ func TestHandlePasteCallback(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), time.Minute) defer cancel() - h.promptForWebLogin(ctx, tt.authorizeURL, tt.printAuthorizeURL) - - require.Equal(t, tt.wantStderr, buf.String()) + cleanupPrompt := h.promptForWebLogin(ctx, tt.authorizeURL, tt.printAuthorizeURL) if tt.wantCallback != nil { select { 
@@ -2640,6 +2657,15 @@ func TestHandlePasteCallback(t *testing.T) { require.Equal(t, *tt.wantCallback, result) } } + + // Reading buf before the goroutine inside of promptForWebLogin finishes is a data race, + // because that goroutine will also try to write to buf. + // Avoid this by shutting down its goroutine by cancelling its context, + // and clean it up with its cleanup function (which waits for it to be done). + // Then it should always be safe to read buf. + cancel() + cleanupPrompt() + require.Equal(t, tt.wantStderr, buf.String()) }) } } From 28251f8b92a9694d65dc52beb7978fc76b26b4fa Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Tue, 27 Feb 2024 14:54:26 -0800 Subject: [PATCH 4/4] Update some comments in go.mod --- go.mod | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index 6bb829ad7..154cb0b10 100644 --- a/go.mod +++ b/go.mod @@ -1,16 +1,15 @@ module go.pinniped.dev -// k8s.io/api@v0.29.0 requires go@1.21 go 1.21.3 toolchain go1.22.0 -// This version taken from https://github.com/kubernetes/apiserver/blob/v0.29.0/go.mod#L14 to avoid compile failures. +// This version taken from https://github.com/kubernetes/apiserver/blob/v0.29.2/go.mod#L14 to avoid compile failures. replace github.com/google/cel-go => github.com/google/cel-go v0.17.7 // Fostite depends on ory/x which depends on opentelemetry. kubernetes/apiserver also depends on opentelemetry. // Where they clash and cause "go mod tidy" to fail, use replace directives to make it work. -// Copied from https://github.com/kubernetes/apiserver/blob/v0.29.0/go.mod#L28-L33. +// Copied from https://github.com/kubernetes/apiserver/blob/v0.29.2/go.mod#L28-L33. replace ( go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc => go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp => go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0 
@@ -20,7 +19,7 @@ replace ( go.opentelemetry.io/otel/trace => go.opentelemetry.io/otel/trace v1.19.0 ) -// https://github.com/kubernetes/apiserver/blob/v0.29.0/go.mod does not include this one, but it is also needed +// https://github.com/kubernetes/apiserver/blob/v0.29.2/go.mod does not include this one, but it is also needed // to resolve the clashes with ory/x, so use the same version that kubernetes/apiserver chooses for opentelemetry. replace go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp => go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0