From 93f21d7cd271f3734d1ace48862721dcd99dd9c3 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 24 Oct 2022 14:46:53 -0600
Subject: [PATCH 01/25] chore(deps): bump distroless/base from `9681f07` to `856944e` (#3702)
Bumps distroless/base from `9681f07` to `856944e`. --- updated-dependencies: - dependency-name: distroless/base dependency-type: direct:production ...
Signed-off-by: dependabot[bot]
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index d15dd538e..9be832bf2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -35,7 +35,7 @@ RUN apt-get update && apt-get install -y ca-certificates
 # Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
 RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates
-FROM gcr.io/distroless/base:debug@sha256:9681f07e699fa65958ef9b902399d618cb6a4638868d468cf730a2bafd8f3dcc
+FROM gcr.io/distroless/base:debug@sha256:856944e81ffb36babf549e52933e1c09379372135a9b73a97f275fa2973de13a
 ENV AUTOCERT_DIR /data/autocert
 WORKDIR /pomerium
 COPY --from=build /go/src/github.com/pomerium/pomerium/bin/* /bin/
From 0dbe41098234f27e08216ec496bbc08f0dddc559 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Oct 2022 14:47:16 -0600 Subject: [PATCH 02/25] chore(deps): bump actions/download-artifact from 3.0.0 to 3.0.1 (#3700) Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3.0.0 to 3.0.1. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/fb598a63ae348fa914e94cd0ff38f362e927b741...9782bd6a9848b53b110e712e20e42d89988822b7) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 77f39ff7f..aab54839d 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -252,7 +252,7 @@ jobs: - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 - name: retrieve binary - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 + uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 with: name: pomerium ${{ github.run_id }} ${{ matrix.platform }} path: bin/ From ec1ce7927e3b0688c42c990d429eb2a27d404985 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Oct 2022 14:47:30 -0600 Subject: [PATCH 03/25] chore(deps): bump google.golang.org/api from 0.99.0 to 0.100.0 (#3693) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.99.0 to 0.100.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.99.0...v0.100.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 10 +++++----- go.sum | 20 ++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/go.mod b/go.mod index a34d1b808..47f1600af 100644 --- a/go.mod +++ b/go.mod @@ -65,11 +65,11 @@ require ( go.uber.org/zap v1.23.0 golang.org/x/crypto v0.0.0-20221010152910-d6f0a8c073c2 golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e - golang.org/x/net v0.0.0-20221012135044-0b7e1fb9d458 - golang.org/x/oauth2 v0.0.0-20221006150949-b44042a4b9c1 + golang.org/x/net v0.0.0-20221014081412-f15817d10f9b + golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0 - google.golang.org/api v0.99.0 - google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e + google.golang.org/api v0.100.0 + google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a google.golang.org/grpc v1.50.1 google.golang.org/protobuf v1.28.1 gopkg.in/auth0.v5 v5.21.1 
@@ -160,7 +160,7 @@ require ( github.com/google/go-tpm v0.3.2 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect github.com/googleapis/enterprise-certificate-proxy v0.2.0 // indirect - github.com/googleapis/gax-go/v2 v2.5.1 // indirect + github.com/googleapis/gax-go/v2 v2.6.0 // indirect github.com/gordonklaus/ineffassign v0.0.0-20210914165742-4cc7213b9bc8 // indirect github.com/gorilla/securecookie v1.1.1 // indirect github.com/gostaticanalysis/analysisutil v0.7.1 // indirect diff --git a/go.sum b/go.sum index 6f744fed5..e197a7ae4 100644 --- a/go.sum +++ b/go.sum @@ -481,8 +481,8 @@ github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0 github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM= github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM= github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c= -github.com/googleapis/gax-go/v2 v2.5.1 h1:kBRZU0PSuI7PspsSb/ChWoVResUcwNVIdpB049pKTiw= -github.com/googleapis/gax-go/v2 v2.5.1/go.mod h1:h6B0KMMFNtI2ddbGJn3T3ZbwkeT6yqEF02fYlzkUCyo= +github.com/googleapis/gax-go/v2 v2.6.0 h1:SXk3ABtQYDT/OH8jAyvEOQ58mgawq5C4o/4/89qN2ZU= +github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMdcIDwU/6+DDoY= github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= github.com/gordonklaus/ineffassign v0.0.0-20210914165742-4cc7213b9bc8 h1:PVRE9d4AQKmbelZ7emNig1+NT27DUmKZn5qXxfio54U= 
@@ -1196,8 +1196,8 @@ golang.org/x/net v0.0.0-20220630215102-69896b714898/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.0.0-20220907135653-1e95f45603a7/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= -golang.org/x/net v0.0.0-20221012135044-0b7e1fb9d458 h1:MgJ6t2zo8v0tbmLCueaCbF1RM+TtB0rs3Lv8DGtOIpY= -golang.org/x/net v0.0.0-20221012135044-0b7e1fb9d458/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.0.0-20221014081412-f15817d10f9b h1:tvrvnPFcdzp294diPnrdZZZ8XUt2Tyj7svb7X52iDuU= +golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -1219,8 +1219,8 @@ golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= -golang.org/x/oauth2 v0.0.0-20221006150949-b44042a4b9c1 h1:3VPzK7eqH25j7GYw5w6g/GzNRc0/fYtrxz27z1gD4W0= -golang.org/x/oauth2 v0.0.0-20221006150949-b44042a4b9c1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 h1:nt+Q6cXKz4MosCSpnbMtqiQ8Oz0pxTef2B4Vca2lvfk= +golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -1500,8 +1500,8 @@ google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69 google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw= google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg= google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o= -google.golang.org/api v0.99.0 h1:tsBtOIklCE2OFxhmcYSVqGwSAN/Y897srxmcvAQnwK8= -google.golang.org/api v0.99.0/go.mod h1:1YOf74vkVndF7pG6hIHuINsM7eWwpVTAfNMNiL91A08= +google.golang.org/api v0.100.0 h1:LGUYIrbW9pzYQQ8NWXlaIVkgnfubVBZbMFb9P8TK374= +google.golang.org/api v0.100.0/go.mod h1:ZE3Z2+ZOr87Rx7dqFsdRQkRBk36kDtp/h+QpHbB7a70= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -1591,8 +1591,8 @@ google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= -google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e h1:halCgTFuLWDRD61piiNSxPsARANGD3Xl16hPrLgLiIg= -google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e/go.mod h1:3526vdqwhZAwq4wsRUaVG555sVgsNmIjRtO7t/JH29U= +google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a h1:GH6UPn3ixhWcKDhpnEC55S75cerLPdpp3hrhfKYjZgw= +google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= From aaf3546246d1394318b2dd310a6323a9427af088 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Oct 2022 14:47:47 -0600 Subject: [PATCH 04/25] chore(deps): bump github.com/docker/docker from 20.10.19+incompatible to 20.10.20+incompatible (#3694) chore(deps): bump github.com/docker/docker Bumps [github.com/docker/docker](https://github.com/docker/docker) from 20.10.19+incompatible to 20.10.20+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Changelog](https://github.com/moby/moby/blob/master/CHANGELOG.md) - [Commits](https://github.com/docker/docker/compare/v20.10.19...v20.10.20) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 47f1600af..e610e7a40 100644 --- a/go.mod +++ b/go.mod @@ -14,7 +14,7 @@ require ( github.com/cespare/xxhash/v2 v2.1.2 github.com/client9/misspell v0.3.4 github.com/coreos/go-oidc/v3 v3.4.0 - github.com/docker/docker v20.10.19+incompatible + github.com/docker/docker v20.10.20+incompatible github.com/envoyproxy/go-control-plane v0.10.3-0.20220819153403-8a9be01c9575 github.com/envoyproxy/protoc-gen-validate v0.6.13 github.com/fsnotify/fsnotify v1.5.4 diff --git a/go.sum b/go.sum index e197a7ae4..86d9f815f 100644 --- a/go.sum +++ b/go.sum @@ -238,8 +238,8 @@ github.com/docker/cli v20.10.17+incompatible h1:eO2KS7ZFeov5UJeaDmIs1NFEDRf32Paq github.com/docker/cli v20.10.17+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68= github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v20.10.19+incompatible h1:lzEmjivyNHFHMNAFLXORMBXyGIhw/UP4DvJwvyKYq64= -github.com/docker/docker v20.10.19+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v20.10.20+incompatible h1:kH9tx6XO+359d+iAkumyKDc5Q1kOwPuAUaeri48nD6E= +github.com/docker/docker v20.10.20+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw= From d84df2cca7df6a8bc2e7d16e3acb580babea13a9 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Oct 2022 14:48:04 -0600 Subject: [PATCH 05/25] chore(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#3695) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.0 to 1.8.1. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](https://github.com/stretchr/testify/compare/v1.8.0...v1.8.1) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 6 ++++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index e610e7a40..8c3826e6c 100644 --- a/go.mod +++ b/go.mod @@ -55,7 +55,7 @@ require ( github.com/rs/zerolog v1.28.0 github.com/shirou/gopsutil/v3 v3.22.9 github.com/spf13/viper v1.13.0 - github.com/stretchr/testify v1.8.0 + github.com/stretchr/testify v1.8.1 github.com/tniswong/go.rfcx v0.0.0-20181019234604-07783c52761f github.com/tomnomnom/linkheader v0.0.0-20180905144013-02ca5825eb80 github.com/vektah/gqlparser v1.3.1 @@ -256,7 +256,7 @@ require ( github.com/spf13/pflag v1.0.5 // indirect github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect github.com/stbenjam/no-sprintf-host-port v0.1.1 // indirect - github.com/stretchr/objx v0.4.0 // indirect + github.com/stretchr/objx v0.5.0 // indirect github.com/subosito/gotenv v1.4.1 // indirect github.com/tchap/go-patricia/v2 v2.3.1 // indirect github.com/tdakkota/asciicheck v0.1.1 // indirect diff --git a/go.sum b/go.sum index 86d9f815f..65372c20e 100644 --- a/go.sum +++ b/go.sum 
@@ -946,8 +946,9 @@ github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= -github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.1.4/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= @@ -956,8 +957,9 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stvp/go-udp-testing v0.0.0-20201019212854-469649b16807/go.mod h1:7jxmlfBCDBXRzr0eAQJ48XC1hBu1np4CS5+cHEYfwpc= github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs= github.com/subosito/gotenv v1.4.1/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0= 
From 935507fd544c7cccf53ebaa8871767ddb90cfb16 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Oct 2022 14:48:24 -0600 Subject: [PATCH 06/25] chore(deps): bump stefanzweifel/git-auto-commit-action from 4.15.1 to 4.15.2 (#3699) chore(deps): bump stefanzweifel/git-auto-commit-action Bumps [stefanzweifel/git-auto-commit-action](https://github.com/stefanzweifel/git-auto-commit-action) from 4.15.1 to 4.15.2. - [Release notes](https://github.com/stefanzweifel/git-auto-commit-action/releases) - [Changelog](https://github.com/stefanzweifel/git-auto-commit-action/blob/master/CHANGELOG.md) - [Commits](https://github.com/stefanzweifel/git-auto-commit-action/compare/fd157da78fa13d9383e5580d1fd1184d89554b51...2fde6fc18d3b24c2561ba4b73a8e015e863cef85) --- updated-dependencies: - dependency-name: stefanzweifel/git-auto-commit-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/docker-main.yaml | 2 +- .github/workflows/release.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-main.yaml b/.github/workflows/docker-main.yaml index e65d48d35..0fb8672c7 100644 --- a/.github/workflows/docker-main.yaml +++ b/.github/workflows/docker-main.yaml @@ -90,7 +90,7 @@ jobs: projects/pomerium-master-postgres/pomerium/values.yaml - name: Commit changes - uses: stefanzweifel/git-auto-commit-action@fd157da78fa13d9383e5580d1fd1184d89554b51 + uses: stefanzweifel/git-auto-commit-action@2fde6fc18d3b24c2561ba4b73a8e015e863cef85 with: commit_message: | Bump test environment pomerium/pomerium diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index fd6710b1d..a89743fe3 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -127,7 +127,7 @@ jobs: cmd: yq eval '.pomerium.image.tag = "${{ needs.goreleaser.outputs.tag }}"' -i projects/pomerium-demo/pomerium-demo/values.yaml - name: Commit changes - uses: stefanzweifel/git-auto-commit-action@fd157da78fa13d9383e5580d1fd1184d89554b51 + uses: stefanzweifel/git-auto-commit-action@2fde6fc18d3b24c2561ba4b73a8e015e863cef85 with: commit_message: | Bump test environment pomerium/pomerium From 31c1677a357198e0dc743ed268f4253961062273 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Oct 2022 14:48:45 -0600 Subject: [PATCH 07/25] chore(deps): bump actions/upload-artifact from 3.1.0 to 3.1.1 (#3698) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.0 to 3.1.1. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/3cea5372237819ed00197afe530f5a7ea3e805c8...83fd05a356d7e2593de66fc9913b3002723633cb) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index aab54839d..c6ac55afd 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -192,7 +192,7 @@ jobs: make build - name: save binary - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb with: path: bin/pomerium* name: pomerium ${{ github.run_id }} ${{ matrix.platform }} From c504589a3b2893227c2cdc59a38ebf0f17ff65bd Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Oct 2022 14:49:32 -0600 Subject: [PATCH 08/25] chore(deps): bump github.com/prometheus/client_model from 0.2.0 to 0.3.0 (#3696) Bumps [github.com/prometheus/client_model](https://github.com/prometheus/client_model) from 0.2.0 to 0.3.0. - [Release notes](https://github.com/prometheus/client_model/releases) - [Commits](https://github.com/prometheus/client_model/compare/v0.2.0...v0.3.0) --- updated-dependencies: - dependency-name: github.com/prometheus/client_model dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index 8c3826e6c..c5e33731f 100644 --- a/go.mod +++ b/go.mod @@ -48,7 +48,7 @@ require ( github.com/pomerium/csrf v1.7.0 github.com/pomerium/webauthn v0.0.0-20211014213840-422c7ce1077f github.com/prometheus/client_golang v1.13.0 - github.com/prometheus/client_model v0.2.0 + github.com/prometheus/client_model v0.3.0 github.com/prometheus/common v0.37.0 github.com/prometheus/procfs v0.8.0 github.com/rs/cors v1.8.2 diff --git a/go.sum b/go.sum index 65372c20e..16293b677 100644 --- a/go.sum +++ b/go.sum 
@@ -814,8 +814,9 @@ github.com/prometheus/client_golang v1.13.0/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M= github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4= +github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w= github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= From 9482dba0499c2593d3c292e4c11edf7400c806dc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Oct 2022 14:49:58 -0600 Subject: [PATCH 09/25] chore(deps): bump github.com/golangci/golangci-lint from 1.50.0 to 1.50.1 (#3697) chore(deps): bump github.com/golangci/golangci-lint Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.50.0 to 1.50.1. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](https://github.com/golangci/golangci-lint/compare/v1.50.0...v1.50.1) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 28 ++++++++++++++-------------- go.sum | 53 ++++++++++++++++++++++++++++------------------------- 2 files changed, 42 insertions(+), 39 deletions(-) diff --git a/go.mod b/go.mod index c5e33731f..fc42a6956 100644 --- a/go.mod +++ b/go.mod @@ -23,7 +23,7 @@ require ( github.com/go-redis/redis/v8 v8.11.5 github.com/golang/mock v1.6.0 github.com/golang/protobuf v1.5.2 - github.com/golangci/golangci-lint v1.50.0 + github.com/golangci/golangci-lint v1.50.1 github.com/google/btree v1.1.2 github.com/google/go-cmp v0.5.9 github.com/google/go-jsonnet v0.18.0 @@ -63,9 +63,9 @@ require ( github.com/yuin/gopher-lua v0.0.0-20200816102855-ee81675732da go.opencensus.io v0.23.0 go.uber.org/zap v1.23.0 - golang.org/x/crypto v0.0.0-20221010152910-d6f0a8c073c2 + golang.org/x/crypto v0.1.0 golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e - golang.org/x/net v0.0.0-20221014081412-f15817d10f9b + golang.org/x/net v0.1.0 golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0 google.golang.org/api v0.100.0 @@ -85,7 +85,7 @@ require ( github.com/Antonboom/errname v0.1.7 // indirect github.com/Antonboom/nilnil v0.1.1 // indirect github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect - github.com/BurntSushi/toml v1.2.0 // indirect + github.com/BurntSushi/toml v1.2.1 // indirect github.com/DataDog/datadog-go v3.5.0+incompatible // indirect github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 // indirect github.com/GaijinEntertainment/go-exhaustruct/v2 v2.3.0 // indirect 
@@ -114,7 +114,7 @@ require ( github.com/cncf/xds/go v0.0.0-20220314180256-7f1daf1720fc // indirect github.com/containerd/continuity v0.3.0 // indirect github.com/curioswitch/go-reassign v0.2.0 // indirect - github.com/daixiang0/gci v0.8.0 // indirect + github.com/daixiang0/gci v0.8.1 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/denis-tingaikin/go-header v0.4.3 // indirect github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect @@ -173,7 +173,7 @@ require ( github.com/hexops/gotextdiff v1.0.3 // indirect github.com/iancoleman/strcase v0.2.0 // indirect github.com/imdario/mergo v0.3.12 // indirect - github.com/inconshreveable/mousetrap v1.0.0 // indirect + github.com/inconshreveable/mousetrap v1.0.1 // indirect github.com/jackc/chunkreader/v2 v2.0.1 // indirect github.com/jackc/pgio v1.0.0 // indirect github.com/jackc/pgpassfile v1.0.0 // indirect @@ -186,7 +186,7 @@ require ( github.com/julz/importas v0.1.0 // indirect github.com/kisielk/errcheck v1.6.2 // indirect github.com/kisielk/gotool v1.0.0 // indirect - github.com/kkHAIKE/contextcheck v1.1.2 // indirect + github.com/kkHAIKE/contextcheck v1.1.3 // indirect github.com/klauspost/compress v1.15.11 // indirect github.com/klauspost/cpuid/v2 v2.1.1 // indirect github.com/kulti/thelper v0.6.3 // indirect @@ -251,7 +251,7 @@ require ( github.com/sourcegraph/go-diff v0.6.1 // indirect github.com/spf13/afero v1.9.2 // indirect github.com/spf13/cast v1.5.0 // indirect - github.com/spf13/cobra v1.5.0 // indirect + github.com/spf13/cobra v1.6.0 // indirect github.com/spf13/jwalterweatherman v1.1.0 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect 
@@ -266,8 +266,8 @@ require ( github.com/tinylib/msgp v1.1.2 // indirect github.com/tklauser/go-sysconf v0.3.10 // indirect github.com/tklauser/numcpus v0.4.0 // indirect - github.com/tomarrell/wrapcheck/v2 v2.6.2 // indirect - github.com/tommy-muehle/go-mnd/v2 v2.5.0 // indirect + github.com/tomarrell/wrapcheck/v2 v2.7.0 // indirect + github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect github.com/uber/jaeger-client-go v2.25.0+incompatible // indirect github.com/ultraware/funlen v0.0.3 // indirect github.com/ultraware/whitespace v0.0.5 // indirect @@ -286,10 +286,10 @@ require ( go.uber.org/multierr v1.6.0 // indirect golang.org/x/exp/typeparams v0.0.0-20220827204233-334a2380cb91 // indirect golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect - golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect - golang.org/x/sys v0.0.0-20221010170243-090e33056c14 // indirect - golang.org/x/text v0.3.8 // indirect - golang.org/x/tools v0.1.12 // indirect + golang.org/x/mod v0.6.0 // indirect + golang.org/x/sys v0.1.0 // indirect + golang.org/x/text v0.4.0 // indirect + golang.org/x/tools v0.2.0 // indirect google.golang.org/appengine v1.6.7 // indirect gopkg.in/DataDog/dd-trace-go.v1 v1.22.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect diff --git a/go.sum b/go.sum index 16293b677..5960ce441 100644 --- a/go.sum +++ b/go.sum 
@@ -77,8 +77,8 @@ github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/BurntSushi/toml v1.2.0 h1:Rt8g24XnyGTyglgET/PRUNlrUeu9F5L+7FilkXfZgs0= -github.com/BurntSushi/toml v1.2.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak= +github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/CAFxX/httpcompression v0.0.8 h1:UBWojERnpCS6X7whJkGGZeCC3ruZBRwkwkcnfGfb0ko= github.com/CAFxX/httpcompression v0.0.8/go.mod h1:bVd1taHK1vYb5SWe9lwNDCqrfj2ka+C1Zx7JHzxuHnU= 
@@ -219,8 +219,8 @@ github.com/cristalhq/acmd v0.8.1/go.mod h1:LG5oa43pE/BbxtfMoImHCQN++0Su7dzipdgBj github.com/curioswitch/go-reassign v0.2.0 h1:G9UZyOcpk/d7Gd6mqYgd8XYWFMw/znxwGDUstnC9DIo= github.com/curioswitch/go-reassign v0.2.0/go.mod h1:x6OpXuWvgfQaMGks2BZybTngWjT84hqJfKoO8Tt/Roc= github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= -github.com/daixiang0/gci v0.8.0 h1:DzWYUm4+bc+taVUtuq1tsIMb/QFMMYgDIiykSoO98ZU= -github.com/daixiang0/gci v0.8.0/go.mod h1:EpVfrztufwVgQRXjnX4zuNinEpLj5OmMjtu/+MB0V0c= +github.com/daixiang0/gci v0.8.1 h1:T4xpSC+hmsi4CSyuYfIJdMZAr9o7xZmHpQVygMghGZ4= +github.com/daixiang0/gci v0.8.1/go.mod h1:EpVfrztufwVgQRXjnX4zuNinEpLj5OmMjtu/+MB0V0c= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -402,8 +402,8 @@ github.com/golangci/go-misc v0.0.0-20220329215616-d24fe342adfe h1:6RGUuS7EGotKx6 github.com/golangci/go-misc v0.0.0-20220329215616-d24fe342adfe/go.mod h1:gjqyPShc/m8pEMpk0a3SeagVb0kaqvhscv+i9jI5ZhQ= github.com/golangci/gofmt v0.0.0-20220901101216-f2edd75033f2 h1:amWTbTGqOZ71ruzrdA+Nx5WA3tV1N0goTspwmKCQvBY= github.com/golangci/gofmt v0.0.0-20220901101216-f2edd75033f2/go.mod h1:9wOXstvyDRshQ9LggQuzBCGysxs3b6Uo/1MvYCR2NMs= -github.com/golangci/golangci-lint v1.50.0 h1:+Xmyt8rKLauNLp2gzcxKMN8VNGqGc5Avc2ZLTwIOpEA= -github.com/golangci/golangci-lint v1.50.0/go.mod h1:UqtDvK24R9OizqRF06foPX8opRMzQB0HQK90uI2JgKc= +github.com/golangci/golangci-lint v1.50.1 h1:C829clMcZXEORakZlwpk7M4iDw2XiwxxKaG504SZ9zY= +github.com/golangci/golangci-lint v1.50.1/go.mod h1:AQjHBopYS//oB8xs0y0M/dtxdKHkdhl0RvmjUct0/4w= github.com/golangci/lint-1 v0.0.0-20191013205115-297bf364a8e0 h1:MfyDlzVjl1hoaPzPD4Gpb/QgoRfSBR0jdhwGyAWwMSA= github.com/golangci/lint-1 v0.0.0-20191013205115-297bf364a8e0/go.mod h1:66R6K6P6VWk9I95jvqGxkqJxVWGFy9XlDwLwVz1RCFg= github.com/golangci/maligned v0.0.0-20180506175553-b1d89398deca h1:kNY3/svz5T29MYHubXix4aDDuE3RWHkPvopM/EDv/MA= 
@@ -541,8 +541,9 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1: github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU= github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= -github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc= +github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jackc/chunkreader v1.0.0/go.mod h1:RT6O25fNZIuasFJRyZ4R/Y2BbhasbmZXF9QQ7T3kePo= github.com/jackc/chunkreader/v2 v2.0.0/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk= github.com/jackc/chunkreader/v2 v2.0.1 h1:i+RDz65UE+mmpjTfyz0MoVTnzeYxroil2G82ki7MGG8= 
@@ -618,8 +619,8 @@ github.com/kisielk/errcheck v1.6.2 h1:uGQ9xI8/pgc9iOoCe7kWQgRE6SBTrCGmTSf0LrEtY7 github.com/kisielk/errcheck v1.6.2/go.mod h1:nXw/i/MfnvRHqXa7XXmQMUB0oNFGuBrNI8d8NLy0LPw= github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/kkHAIKE/contextcheck v1.1.2 h1:BYUSG/GhMhqVz//yjl8IkBDlMEws+9DtCmkz18QO1gg= -github.com/kkHAIKE/contextcheck v1.1.2/go.mod h1:PG/cwd6c0705/LM0KTr1acO2gORUxkSVWyLJOFW5qoo= +github.com/kkHAIKE/contextcheck v1.1.3 h1:l4pNvrb8JSwRd51ojtcOxOeHJzHek+MtOyXbaR0uvmw= +github.com/kkHAIKE/contextcheck v1.1.3/go.mod h1:PG/cwd6c0705/LM0KTr1acO2gORUxkSVWyLJOFW5qoo= github.com/klauspost/compress v1.14.1/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= github.com/klauspost/compress v1.15.11 h1:Lcadnb3RKGin4FYM/orgq0qde+nc15E5Cbqg4B9Sx9c= github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM= @@ -927,8 +928,8 @@ github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w= github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU= github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= -github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU= -github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM= +github.com/spf13/cobra v1.6.0 h1:42a0n6jwCot1pUmomAp4T7DeMD+20LFv4Q54pxLf2LI= +github.com/spf13/cobra v1.6.0/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk= github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= 
@@ -988,10 +989,10 @@ github.com/tklauser/numcpus v0.4.0/go.mod h1:1+UI3pD8NW14VMwdgJNJ1ESk2UnwhAnz5hM github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tniswong/go.rfcx v0.0.0-20181019234604-07783c52761f h1:C43EMGXFtvYf/zunHR6ivZV7Z6ytg73t0GXwYyicXMQ= github.com/tniswong/go.rfcx v0.0.0-20181019234604-07783c52761f/go.mod h1:N+sR0vLSCTtI6o06PMWsjMB4TVqqDttKNq4iC9wvxVY= -github.com/tomarrell/wrapcheck/v2 v2.6.2 h1:3dI6YNcrJTQ/CJQ6M/DUkc0gnqYSIk6o0rChn9E/D0M= -github.com/tomarrell/wrapcheck/v2 v2.6.2/go.mod h1:ao7l5p0aOlUNJKI0qVwB4Yjlqutd0IvAB9Rdwyilxvg= -github.com/tommy-muehle/go-mnd/v2 v2.5.0 h1:iAj0a8e6+dXSL7Liq0aXPox36FiN1dBbjA6lt9fl65s= -github.com/tommy-muehle/go-mnd/v2 v2.5.0/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr8TnZn9lwVDlgzw= +github.com/tomarrell/wrapcheck/v2 v2.7.0 h1:J/F8DbSKJC83bAvC6FoZaRjZiZ/iKoueSdrEkmGeacA= +github.com/tomarrell/wrapcheck/v2 v2.7.0/go.mod h1:ao7l5p0aOlUNJKI0qVwB4Yjlqutd0IvAB9Rdwyilxvg= +github.com/tommy-muehle/go-mnd/v2 v2.5.1 h1:NowYhSdyE/1zwK9QCLeRb6USWdoif80Ie+v+yU8u1Zw= +github.com/tommy-muehle/go-mnd/v2 v2.5.1/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr8TnZn9lwVDlgzw= github.com/tomnomnom/linkheader v0.0.0-20180905144013-02ca5825eb80 h1:nrZ3ySNYwJbSpD6ce9duiP+QkD3JuLCcWkdaehUS/3Y= github.com/tomnomnom/linkheader v0.0.0-20180905144013-02ca5825eb80/go.mod h1:iFyPdL66DjUD96XmzVL3ZntbzcflLnznH0fr99w5VqE= github.com/uber/jaeger-client-go v2.25.0+incompatible h1:IxcNZ7WRY1Y3G4poYlx24szfsn/3LvK9QHCq9oQw8+U= 
@@ -1093,8 +1094,8 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20221010152910-d6f0a8c073c2 h1:x8vtB3zMecnlqZIwJNUUpwYKYSqCz5jXbiyv0ZJJZeI= -golang.org/x/crypto v0.0.0-20221010152910-d6f0a8c073c2/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU= +golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -1139,8 +1140,9 @@ golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I= +golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -1199,8 +1201,8 @@ golang.org/x/net v0.0.0-20220630215102-69896b714898/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.0.0-20220907135653-1e95f45603a7/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= -golang.org/x/net v0.0.0-20221014081412-f15817d10f9b h1:tvrvnPFcdzp294diPnrdZZZ8XUt2Tyj7svb7X52iDuU= -golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0= +golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -1339,8 +1341,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908150016-7ac13a9a928d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20221010170243-090e33056c14 h1:k5II8e6QD8mITdi+okbbmR/cIyEbeXLBhy5Ha4nevyc= -golang.org/x/sys v0.0.0-20221010170243-090e33056c14/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 
@@ -1353,8 +1355,8 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY= -golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= +golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -1451,8 +1453,9 @@ golang.org/x/tools v0.1.9-0.20211228192929-ee1ca4ffc4da/go.mod h1:nABZi5QlRsZVlz golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU= golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E= golang.org/x/tools v0.1.11/go.mod h1:SgwaegtQh8clINPpECJMqnxLv9I09HLqnW3RMqW0CA4= -golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.2.0 h1:G6AHpWxTMGY1KyEYoAQ5WTtIekUUvDNjan3ugu60JvE= +golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA= golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
From 63b210e51d467222d38a01cb8102d46e0cee7f3e Mon Sep 17 00:00:00 2001 From: Caleb Doxsey Date: Tue, 25 Oct 2022 08:00:21 -0600 Subject: [PATCH 10/25] httputil: remove error details (#3703) --- authenticate/handlers_test.go | 2 +- internal/httputil/errors.go | 11 ++++++--- internal/httputil/errors_test.go | 2 +- internal/httputil/handlers_test.go | 4 +-- internal/middleware/middleware_test.go | 2 +- proxy/forward_auth_test.go | 6 ++--- proxy/handlers_test.go | 4 +-- ui/src/components/ErrorPage.tsx | 34 ++++++++++++-------------- ui/src/types/index.ts | 1 - 9 files changed, 33 insertions(+), 33 deletions(-) diff --git a/authenticate/handlers_test.go b/authenticate/handlers_test.go index e2903eaf2..d8aa493df 100644 --- a/authenticate/handlers_test.go +++ b/authenticate/handlers_test.go @@ -294,7 +294,7 @@ func TestAuthenticate_SignOut(t *testing.T) { identity.MockProvider{LogOutResponse: (*uriParseHelper("https://microsoft.com"))}, &mstore.Store{Encrypted: true, Session: &sessions.State{}}, http.StatusOK, - "{\"Status\":200,\"Error\":\"OK: user logged out\"}\n", + "{\"Status\":200}\n", }, } for _, tt := range tests { diff --git a/internal/httputil/errors.go b/internal/httputil/errors.go index 6ad70099b..980664c24 100644 --- a/internal/httputil/errors.go +++ b/internal/httputil/errors.go @@ -5,6 +5,7 @@ import ( "net/http" "net/url" + "github.com/pomerium/pomerium/internal/log" "github.com/pomerium/pomerium/internal/telemetry/requestid" "github.com/pomerium/pomerium/pkg/contextutil" "github.com/pomerium/pomerium/ui" @@ -52,7 +53,6 @@ func (e *HTTPError) ErrorResponse(ctx context.Context, w http.ResponseWriter, r } response := struct { Status int - Error string StatusText string `json:"-"` RequestID string `json:",omitempty"` CanDebug bool `json:"-"` 
@@ -61,7 +61,6 @@ func (e *HTTPError) ErrorResponse(ctx context.Context, w http.ResponseWriter, r }{ Status: e.Status, StatusText: StatusText(e.Status), - Error: e.Error(), RequestID: reqID, CanDebug: e.Status/100 == 4 && (e.DebugURL != nil || reqID != ""), DebugURL: e.DebugURL, @@ -70,6 +69,13 @@ func (e *HTTPError) ErrorResponse(ctx context.Context, w http.ResponseWriter, r // indicate to clients that the error originates from Pomerium, not the app w.Header().Set(HeaderPomeriumResponse, "true") + log.Error(ctx). + Err(e.Err). + Int("status", e.Status). + Str("status-text", StatusText(e.Status)). + Str("request-id", reqID). + Msg("httputil: error") + if r.Header.Get("Accept") == "application/json" { RenderJSON(w, e.Status, response) return @@ -77,7 +83,6 @@ func (e *HTTPError) ErrorResponse(ctx context.Context, w http.ResponseWriter, r m := map[string]any{ "canDebug": response.CanDebug, - "error": response.Error, "requestId": response.RequestID, "status": response.Status, "statusText": response.StatusText, diff --git a/internal/httputil/errors_test.go b/internal/httputil/errors_test.go index 020f8d192..41018bf40 100644 --- a/internal/httputil/errors_test.go +++ b/internal/httputil/errors_test.go @@ -19,7 +19,7 @@ func TestHTTPError_ErrorResponse(t *testing.T) { wantStatus int wantBody string }{ - {"404 json", http.StatusNotFound, errors.New("route not known"), "application/json", http.StatusNotFound, "{\"Status\":404,\"Error\":\"Not Found: route not known\"}\n"}, + {"404 json", http.StatusNotFound, errors.New("route not known"), "application/json", http.StatusNotFound, "{\"Status\":404}\n"}, {"404 html", http.StatusNotFound, errors.New("route not known"), "", http.StatusNotFound, ""}, } for _, tt := range tests { diff --git a/internal/httputil/handlers_test.go b/internal/httputil/handlers_test.go index 2786bae9c..3ccd8b973 100644 --- a/internal/httputil/handlers_test.go +++ b/internal/httputil/handlers_test.go 
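Review bot: The added `log.Error(ctx)…Msg("httputil: error")` call in `ErrorResponse` runs for every status, so routine 4xx responses are written at error level; the tests touched by this commit exercise 400 and 404 paths that an unauthenticated client can trigger at will. That makes the error log easy to flood and dilutes any alerting keyed on it. Picking the level from the status class, reusing the `e.Status/100 == 4` test already used for `CanDebug`, would keep 5xx at error and client mistakes lower, e.g. `evt := log.Error(ctx)` followed by `if e.Status/100 == 4 { evt = log.Info(ctx) }`, assuming the log package exposes an info-level helper next to `log.Error`. `e.Err` can carry request-supplied text (the removed test strings echo the submitted URI), so it is worth confirming that the log sink escapes it. The body of `ErrorResponse` starts and ends outside this hunk.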
@@ -75,8 +75,8 @@ func TestHandlerFunc_ServeHTTP(t *testing.T) { f HandlerFunc wantBody string }{ - {"good http error", func(w http.ResponseWriter, r *http.Request) error { return NewError(404, errors.New("404")) }, "{\"Status\":404,\"Error\":\"Not Found: 404\"}\n"}, - {"good std error", func(w http.ResponseWriter, r *http.Request) error { return errors.New("404") }, "{\"Status\":500,\"Error\":\"Internal Server Error: 404\"}\n"}, + {"good http error", func(w http.ResponseWriter, r *http.Request) error { return NewError(404, errors.New("404")) }, "{\"Status\":404}\n"}, + {"good std error", func(w http.ResponseWriter, r *http.Request) error { return errors.New("404") }, "{\"Status\":500}\n"}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/internal/middleware/middleware_test.go b/internal/middleware/middleware_test.go index 26d80125b..86ef88f16 100644 --- a/internal/middleware/middleware_test.go +++ b/internal/middleware/middleware_test.go @@ -55,7 +55,7 @@ func TestValidateSignature(t *testing.T) { wantBody string }{ {"good", []byte("secret"), []byte("secret"), http.StatusOK, http.StatusText(http.StatusOK)}, - {"secret mistmatch", []byte("secret"), []byte("hunter42"), http.StatusBadRequest, "{\"Status\":400,\"Error\":\"Bad Request: internal/urlutil: hmac failed\"}\n"}, + {"secret mistmatch", []byte("secret"), []byte("hunter42"), http.StatusBadRequest, "{\"Status\":400}\n"}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/proxy/forward_auth_test.go b/proxy/forward_auth_test.go index a732a9856..e17571977 100644 --- a/proxy/forward_auth_test.go +++ b/proxy/forward_auth_test.go 
@@ -63,9 +63,9 @@ func TestProxy_ForwardAuth(t *testing.T) { wantBody string }{ {"good verify only, no redirect", opts, nil, http.MethodGet, nil, nil, "https://some.domain.example/verify", "https://some.domain.example", &mock.Encoder{}, &mstore.Store{Session: &sessions.State{}}, allowClient, http.StatusOK, ""}, - {"bad empty domain uri", opts, nil, http.MethodGet, nil, map[string]string{"uri": ""}, "https://some.domain.example/", "", &mock.Encoder{}, &mstore.Store{Session: &sessions.State{}}, allowClient, http.StatusBadRequest, "{\"Status\":400,\"Error\":\"Bad Request: https: url does contain a valid hostname\"}\n"}, - {"bad naked domain uri", opts, nil, http.MethodGet, nil, nil, "https://some.domain.example/", "a.naked.domain", &mock.Encoder{}, &mstore.Store{Session: &sessions.State{}}, allowClient, http.StatusBadRequest, "{\"Status\":400,\"Error\":\"Bad Request: a.naked.domain url does contain a valid scheme\"}\n"}, - {"bad empty verification uri", opts, nil, http.MethodGet, nil, nil, "https://some.domain.example/", " ", &mock.Encoder{}, &mstore.Store{Session: &sessions.State{}}, allowClient, http.StatusBadRequest, "{\"Status\":400,\"Error\":\"Bad Request: %20 url does contain a valid scheme\"}\n"}, + {"bad empty domain uri", opts, nil, http.MethodGet, nil, map[string]string{"uri": ""}, "https://some.domain.example/", "", &mock.Encoder{}, &mstore.Store{Session: &sessions.State{}}, allowClient, http.StatusBadRequest, "{\"Status\":400}\n"}, + {"bad naked domain uri", opts, nil, http.MethodGet, nil, nil, "https://some.domain.example/", "a.naked.domain", &mock.Encoder{}, &mstore.Store{Session: &sessions.State{}}, allowClient, http.StatusBadRequest, "{\"Status\":400}\n"}, + {"bad empty verification uri", opts, nil, http.MethodGet, nil, nil, "https://some.domain.example/", " ", &mock.Encoder{}, &mstore.Store{Session: &sessions.State{}}, allowClient, http.StatusBadRequest, "{\"Status\":400}\n"}, // traefik {"good traefik callback", opts, nil, http.MethodGet, 
map[string]string{httputil.HeaderForwardedURI: "https://some.domain.example?" + urlutil.QuerySessionEncrypted + "=" + goodEncryptionString}, nil, "https://some.domain.example/", "https://some.domain.example", &mock.Encoder{}, &mstore.Store{Session: &sessions.State{}}, allowClient, http.StatusFound, ""}, {"bad traefik callback bad session", opts, nil, http.MethodGet, map[string]string{httputil.HeaderForwardedURI: "https://some.domain.example?" + urlutil.QuerySessionEncrypted + "=" + goodEncryptionString + "garbage"}, nil, "https://some.domain.example/", "https://some.domain.example", &mock.Encoder{}, &mstore.Store{Session: &sessions.State{}}, allowClient, http.StatusBadRequest, ""}, diff --git a/proxy/handlers_test.go b/proxy/handlers_test.go index f842e7615..3e6b1e517 100644 --- a/proxy/handlers_test.go +++ b/proxy/handlers_test.go @@ -331,14 +331,14 @@ func TestProxy_ProgrammaticLogin(t *testing.T) { opts, http.MethodGet, "https", "corp.example.example", "/.pomerium/api/v1/login", nil, map[string]string{urlutil.QueryRedirectURI: "localhost"}, http.StatusBadRequest, - "{\"Status\":400,\"Error\":\"Bad Request: localhost url does contain a valid scheme\"}\n", + "{\"Status\":400}\n", }, { "bad redirect_uri not whitelisted", opts, http.MethodGet, "https", "corp.example.example", "/.pomerium/api/v1/login", nil, map[string]string{urlutil.QueryRedirectURI: "https://example.com"}, http.StatusBadRequest, - "{\"Status\":400,\"Error\":\"Bad Request: invalid redirect uri\"}\n", + "{\"Status\":400}\n", }, { "bad http method", diff --git a/ui/src/components/ErrorPage.tsx b/ui/src/components/ErrorPage.tsx index 77fe07a89..6e4b33200 100644 --- a/ui/src/components/ErrorPage.tsx +++ b/ui/src/components/ErrorPage.tsx 
@@ -1,30 +1,31 @@ -import {ErrorPageData, PolicyEvaluationTrace} from "../types"; -import SectionFooter from "./SectionFooter"; +import { ListItemProps, TableCell } from "@mui/material"; import Alert from "@mui/material/Alert"; import AlertTitle from "@mui/material/AlertTitle"; import Box from "@mui/material/Box"; import Container from "@mui/material/Container"; import Paper from "@mui/material/Paper"; import Stack from "@mui/material/Stack"; -import Typography from "@mui/material/Typography"; -import React, { FC } from "react"; -import Markdown from "markdown-to-jsx"; -import {ListItemProps, TableCell} from "@mui/material"; -import {CheckCircle, MinusCircle, XCircle} from "react-feather"; import Table from "@mui/material/Table"; -import TableRow from "@mui/material/TableRow"; import TableHead from "@mui/material/TableHead"; +import TableRow from "@mui/material/TableRow"; +import Typography from "@mui/material/Typography"; +import Markdown from "markdown-to-jsx"; +import React, { FC } from "react"; +import { CheckCircle, MinusCircle, XCircle } from "react-feather"; + +import { ErrorPageData, PolicyEvaluationTrace } from "../types"; +import SectionFooter from "./SectionFooter"; type PolicyEvaluationTraceDetailsProps = { trace: PolicyEvaluationTrace; } & ListItemProps; const PolicyEvaluationTraceDetails: FC = ({ - trace, - ...props + trace, + ...props }) => { return ( - + {trace.deny ? ( ) : trace.allow ? ( @@ -34,9 +35,7 @@ const PolicyEvaluationTraceDetails: FC = ({ )} - - {trace.explanation || trace.id} - + {trace.explanation || trace.id} @@ -63,14 +62,11 @@ export const ErrorPage: FC = ({ data }) => { {data?.status || 500}{" "} {data?.statusText || "Internal Server Error"} - {data?.error || "Internal Server Error"} {!!data?.errorMessageFirstParagraph && ( - - - {data.errorMessageFirstParagraph} - + + {data.errorMessageFirstParagraph} )} {traces?.length > 0 && ( diff --git a/ui/src/types/index.ts b/ui/src/types/index.ts index 55c1ee6e0..1d5df7a46 100644 
--- a/ui/src/types/index.ts +++ b/ui/src/types/index.ts @@ -92,7 +92,6 @@ export type ErrorPageData = BasePageData & { canDebug?: boolean; debugUrl?: string; - error?: string; requestId?: string; status?: number; statusText?: string; From b68dc1ff4f4196e69fae6c35f91f51a3f9126bc7 Mon Sep 17 00:00:00 2001 From: Caleb Doxsey Date: Tue, 25 Oct 2022 08:01:33 -0600 Subject: [PATCH 11/25] controlplane: move jwks.json endpoint to control plane (#3691) --- authenticate/handlers.go | 14 -------- authenticate/handlers_test.go | 21 ----------- internal/controlplane/http.go | 34 +++++++----------- internal/controlplane/server.go | 3 ++ internal/controlplane/server_test.go | 52 +++++++++++++++++++++------- internal/httputil/handlers.go | 45 ++++++++++++++++++++++++ 6 files changed, 99 insertions(+), 70 deletions(-) diff --git a/authenticate/handlers.go b/authenticate/handlers.go index 6e9420826..4085033bf 100644 --- a/authenticate/handlers.go +++ b/authenticate/handlers.go @@ -74,7 +74,6 @@ func (a *Authenticate) Mount(r *mux.Router) { r.Path("/oauth2/callback").Handler(httputil.HandlerFunc(a.OAuthCallback)).Methods(http.MethodGet) a.mountDashboard(r) - a.mountWellKnown(r) } func (a *Authenticate) mountDashboard(r *mux.Router) { 
@@ -112,19 +111,6 @@ func (a *Authenticate) mountDashboard(r *mux.Router) { cr.Path("/").Handler(a.requireValidSignature(a.Callback)).Methods(http.MethodGet) } -func (a *Authenticate) mountWellKnown(r *mux.Router) { - r.Path("/.well-known/pomerium/jwks.json").Handler(cors.AllowAll().Handler(httputil.HandlerFunc(a.jwks))).Methods(http.MethodGet) -} - -// jwks returns the signing key(s) the client can use to validate signatures -// from the authorization server. -// -// https://tools.ietf.org/html/rfc8414 -func (a *Authenticate) jwks(w http.ResponseWriter, r *http.Request) error { - httputil.RenderJSON(w, http.StatusOK, a.state.Load().jwk) - return nil -} - // RetrieveSession is the middleware used retrieve session by the sessionLoaders func (a *Authenticate) RetrieveSession(next http.Handler) http.Handler { return sessions.RetrieveSession(a.state.Load().sessionLoaders...)(next) diff --git a/authenticate/handlers_test.go b/authenticate/handlers_test.go index d8aa493df..6bec7f561 100644 --- a/authenticate/handlers_test.go +++ b/authenticate/handlers_test.go 
@@ -595,27 +595,6 @@ func TestAuthenticate_SessionValidatorMiddleware(t *testing.T) { } } -func TestJwksEndpoint(t *testing.T) { - o := newTestOptions(t) - o.SigningKey = "LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUpCMFZkbko1VjEvbVlpYUlIWHhnd2Q0Yzd5YWRTeXMxb3Y0bzA1b0F3ekdvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFVUc1eENQMEpUVDFINklvbDhqS3VUSVBWTE0wNENnVzlQbEV5cE5SbVdsb29LRVhSOUhUMwpPYnp6aktZaWN6YjArMUt3VjJmTVRFMTh1dy82MXJVQ0JBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=" - auth, err := New(&config.Config{Options: o}) - if err != nil { - t.Fatal(err) - return - } - h := auth.Handler() - if h == nil { - t.Error("handler cannot be nil") - } - req := httptest.NewRequest("GET", "/.well-known/pomerium/jwks.json", nil) - req.Header.Set("Accept", "application/json") - rr := httptest.NewRecorder() - h.ServeHTTP(rr, req) - body := rr.Body.String() - expected := "{\"keys\":[{\"use\":\"sig\",\"kty\":\"EC\",\"kid\":\"5b419ade1895fec2d2def6cd33b1b9a018df60db231dc5ecb85cbed6d942813c\",\"crv\":\"P-256\",\"alg\":\"ES256\",\"x\":\"UG5xCP0JTT1H6Iol8jKuTIPVLM04CgW9PlEypNRmWlo\",\"y\":\"KChF0fR09zm884ymInM29PtSsFdnzExNfLsP-ta1AgQ\"}]}\n" - assert.Equal(t, expected, body) -} - func TestAuthenticate_userInfo(t *testing.T) { t.Parallel() diff --git a/internal/controlplane/http.go b/internal/controlplane/http.go index 468974a60..162254b47 100644 --- a/internal/controlplane/http.go +++ b/internal/controlplane/http.go @@ -2,15 +2,14 @@ package controlplane import ( + "fmt" "net/http" - "net/url" "time" "github.com/CAFxX/httpcompression" "github.com/gorilla/handlers" "github.com/gorilla/mux" - "github.com/pomerium/csrf" "github.com/pomerium/pomerium/config" "github.com/pomerium/pomerium/internal/httputil" "github.com/pomerium/pomerium/internal/log" 
@@ -47,32 +46,23 @@ func (srv *Server) addHTTPMiddleware(root *mux.Router, cfg *config.Config) { root.Use(telemetry.HTTPStatsHandler(func() string { return srv.currentConfig.Load().Options.InstallationID }, srv.name)) - root.HandleFunc("/healthz", httputil.HealthCheck) - root.HandleFunc("/ping", httputil.HealthCheck) - root.Handle("/.well-known/pomerium", httputil.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error { - return wellKnownPomerium(w, r, cfg) - })) - root.Handle("/.well-known/pomerium/", httputil.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error { - return wellKnownPomerium(w, r, cfg) - })) } -func wellKnownPomerium(w http.ResponseWriter, r *http.Request, cfg *config.Config) error { +func (srv *Server) mountCommonEndpoints(root *mux.Router, cfg *config.Config) error { authenticateURL, err := cfg.Options.GetAuthenticateURL() if err != nil { - return err + return fmt.Errorf("invalid authenticate URL: %w", err) } - wellKnownURLs := struct { - OAuth2Callback string `json:"authentication_callback_endpoint"` // RFC6749 - JSONWebKeySetURL string `json:"jwks_uri"` // RFC7517 - FrontchannelLogoutURI string `json:"frontchannel_logout_uri"` // https://openid.net/specs/openid-connect-frontchannel-1_0.html - }{ - authenticateURL.ResolveReference(&url.URL{Path: "/oauth2/callback"}).String(), - authenticateURL.ResolveReference(&url.URL{Path: "/.well-known/pomerium/jwks.json"}).String(), - authenticateURL.ResolveReference(&url.URL{Path: "/.pomerium/sign_out"}).String(), + rawSigningKey, err := cfg.Options.GetSigningKey() + if err != nil { + return fmt.Errorf("invalid signing key: %w", err) } - w.Header().Set("X-CSRF-Token", csrf.Token(r)) - httputil.RenderJSON(w, http.StatusOK, wellKnownURLs) + + root.HandleFunc("/healthz", httputil.HealthCheck) + root.HandleFunc("/ping", httputil.HealthCheck) + root.Handle("/.well-known/pomerium", httputil.WellKnownPomeriumHandler(authenticateURL)) + root.Handle("/.well-known/pomerium/", 
httputil.WellKnownPomeriumHandler(authenticateURL)) + root.Path("/.well-known/pomerium/jwks.json").Methods(http.MethodGet).Handler(httputil.JWKSHandler(rawSigningKey)) return nil } diff --git a/internal/controlplane/server.go b/internal/controlplane/server.go index 057c9571e..98153e03b 100644 --- a/internal/controlplane/server.go +++ b/internal/controlplane/server.go @@ -285,6 +285,9 @@ func (srv *Server) EnableProxy(svc Service) error { func (srv *Server) updateRouter(cfg *config.Config) error { httpRouter := mux.NewRouter() srv.addHTTPMiddleware(httpRouter, cfg) + if err := srv.mountCommonEndpoints(httpRouter, cfg); err != nil { + return err + } if srv.authenticateSvc != nil { authenticateURL, err := cfg.Options.GetInternalAuthenticateURL() if err != nil { diff --git a/internal/controlplane/server_test.go b/internal/controlplane/server_test.go index 5cd5fe5e2..981002af3 100644 --- a/internal/controlplane/server_test.go +++ b/internal/controlplane/server_test.go @@ -15,7 +15,7 @@ import ( "github.com/pomerium/pomerium/pkg/netutil" ) -func TestServerWellKnown(t *testing.T) { +func TestServerHTTP(t *testing.T) { ports, err := netutil.AllocatePorts(5) require.NoError(t, err) 
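Review bot: The `jwks.json` route registered in `mountCommonEndpoints` is no longer wrapped in `cors.AllowAll()`, which the removed `mountWellKnown` in authenticate/handlers.go applied. Browser clients on other origins that fetch the key set to verify JWTs would lose the CORS response headers, unless CORS is added elsewhere on the control-plane router, which is not visible in this diff. The document holds only public keys, so an allow-all policy scoped to this one route is low risk: `root.Path("/.well-known/pomerium/jwks.json").Methods(http.MethodGet).Handler(cors.AllowAll().Handler(httputil.JWKSHandler(rawSigningKey)))`, with the `cors` import carried over. The `jwks` subtest in server_test.go could then also assert the header so the behaviour stays pinned.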
@@ -33,23 +33,49 @@ func TestServerWellKnown(t *testing.T) { Options: config.NewDefaultOptions(), } cfg.Options.AuthenticateURLString = "https://authenticate.localhost.pomerium.io" + cfg.Options.SigningKey = "LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUpCMFZkbko1VjEvbVlpYUlIWHhnd2Q0Yzd5YWRTeXMxb3Y0bzA1b0F3ekdvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFVUc1eENQMEpUVDFINklvbDhqS3VUSVBWTE0wNENnVzlQbEV5cE5SbVdsb29LRVhSOUhUMwpPYnp6aktZaWN6YjArMUt3VjJmTVRFMTh1dy82MXJVQ0JBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=" + src := config.NewStaticSource(cfg) srv, err := NewServer(cfg, config.NewMetricsManager(ctx, src), events.New()) require.NoError(t, err) go srv.Run(ctx) - res, err := http.Get(fmt.Sprintf("http://localhost:%s/.well-known/pomerium", src.GetConfig().HTTPPort)) - require.NoError(t, err) - defer res.Body.Close() + t.Run("well-known", func(t *testing.T) { + res, err := http.Get(fmt.Sprintf("http://localhost:%s/.well-known/pomerium", src.GetConfig().HTTPPort)) + require.NoError(t, err) + defer res.Body.Close() - var actual map[string]any - err = json.NewDecoder(res.Body).Decode(&actual) - require.NoError(t, err) + var actual map[string]any + err = json.NewDecoder(res.Body).Decode(&actual) + require.NoError(t, err) - expect := map[string]any{ - "authentication_callback_endpoint": "https://authenticate.localhost.pomerium.io/oauth2/callback", - "frontchannel_logout_uri": "https://authenticate.localhost.pomerium.io/.pomerium/sign_out", - "jwks_uri": "https://authenticate.localhost.pomerium.io/.well-known/pomerium/jwks.json", - } - assert.Equal(t, expect, actual) + expect := map[string]any{ + "authentication_callback_endpoint": "https://authenticate.localhost.pomerium.io/oauth2/callback", + "frontchannel_logout_uri": "https://authenticate.localhost.pomerium.io/.pomerium/sign_out", + "jwks_uri": "https://authenticate.localhost.pomerium.io/.well-known/pomerium/jwks.json", + } + assert.Equal(t, expect, actual) + }) + t.Run("jwks", func(t *testing.T) { + res, err := 
http.Get(fmt.Sprintf("http://localhost:%s/.well-known/pomerium/jwks.json", src.GetConfig().HTTPPort)) + require.NoError(t, err) + defer res.Body.Close() + + var actual map[string]any + err = json.NewDecoder(res.Body).Decode(&actual) + require.NoError(t, err) + + expect := map[string]any{ + "keys": []any{map[string]any{ + "alg": "ES256", + "crv": "P-256", + "kid": "5b419ade1895fec2d2def6cd33b1b9a018df60db231dc5ecb85cbed6d942813c", + "kty": "EC", + "use": "sig", + "x": "UG5xCP0JTT1H6Iol8jKuTIPVLM04CgW9PlEypNRmWlo", + "y": "KChF0fR09zm884ymInM29PtSsFdnzExNfLsP-ta1AgQ", + }}, + } + assert.Equal(t, expect, actual) + }) } diff --git a/internal/httputil/handlers.go b/internal/httputil/handlers.go index 50d1fabb8..a4eef0c74 100644 --- a/internal/httputil/handlers.go +++ b/internal/httputil/handlers.go @@ -2,10 +2,17 @@ package httputil import ( "bytes" + "encoding/base64" "encoding/json" "errors" "fmt" "net/http" + "net/url" + + "github.com/go-jose/go-jose/v3" + + "github.com/pomerium/csrf" + "github.com/pomerium/pomerium/pkg/cryptutil" ) // HealthCheck is a simple healthcheck handler that responds to GET and HEAD 
@@ -64,3 +71,41 @@ func (f HandlerFunc) ServeHTTP(w http.ResponseWriter, r *http.Request) { e.ErrorResponse(r.Context(), w, r) } } + +// JWKSHandler returns the /.well-known/pomerium/jwks.json handler. +func JWKSHandler(rawSigningKey string) http.Handler { + return HandlerFunc(func(w http.ResponseWriter, r *http.Request) error { + var jwks jose.JSONWebKeySet + if rawSigningKey != "" { + decodedCert, err := base64.StdEncoding.DecodeString(rawSigningKey) + if err != nil { + return NewError(http.StatusInternalServerError, errors.New("bad signing key")) + } + jwk, err := cryptutil.PublicJWKFromBytes(decodedCert) + if err != nil { + return NewError(http.StatusInternalServerError, errors.New("bad signing key")) + } + jwks.Keys = append(jwks.Keys, *jwk) + } + RenderJSON(w, http.StatusOK, jwks) + return nil + }) +} + +// WellKnownPomeriumHandler returns the /.well-known/pomerium handler. +func WellKnownPomeriumHandler(authenticateURL *url.URL) http.Handler { + return HandlerFunc(func(w http.ResponseWriter, r *http.Request) error { + wellKnownURLs := struct { + OAuth2Callback string `json:"authentication_callback_endpoint"` // RFC6749 + JSONWebKeySetURL string `json:"jwks_uri"` // RFC7517 + FrontchannelLogoutURI string `json:"frontchannel_logout_uri"` // https://openid.net/specs/openid-connect-frontchannel-1_0.html + }{ + authenticateURL.ResolveReference(&url.URL{Path: "/oauth2/callback"}).String(), + authenticateURL.ResolveReference(&url.URL{Path: "/.well-known/pomerium/jwks.json"}).String(), + authenticateURL.ResolveReference(&url.URL{Path: "/.pomerium/sign_out"}).String(), + } + w.Header().Set("X-CSRF-Token", csrf.Token(r)) + RenderJSON(w, http.StatusOK, wellKnownURLs) + return nil + }) +} From 3f7a482815325bcb1bffe0c3b6dca6075f96e27f Mon Sep 17 00:00:00 2001 
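Review bot: JWKSHandler base64-decodes and parses the signing key inside the request closure, so the same work is repeated on every request to an unauthenticated endpoint. A malformed key also only shows up as a 500 at request time. Parsing once when the handler is built and serving the cached key set keeps the response identical while removing the per-request parse. The local `decodedCert` holds key material rather than a certificate, so `decodedKey` would read more accurately. Both error paths drop the underlying error; the generic "bad signing key" response is right for clients, but the cause should be logged somewhere an operator can see it.

```go
func JWKSHandler(rawSigningKey string) http.Handler {
	// Parse the configured key once; the closure only serves the result.
	var jwks jose.JSONWebKeySet
	var keyErr error
	if rawSigningKey != "" {
		decodedKey, err := base64.StdEncoding.DecodeString(rawSigningKey)
		if err == nil {
			jwk, jwkErr := cryptutil.PublicJWKFromBytes(decodedKey)
			if jwkErr == nil {
				jwks.Keys = append(jwks.Keys, *jwk)
			}
			err = jwkErr
		}
		if err != nil {
			keyErr = NewError(http.StatusInternalServerError, errors.New("bad signing key"))
		}
	}
	return HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
		if keyErr != nil {
			return keyErr
		}
		RenderJSON(w, http.StatusOK, jwks)
		return nil
	})
}
```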
From: Caleb Doxsey Date: Tue, 25 Oct 2022 12:37:46 -0600 Subject: [PATCH 12/25] envoyconfig: fix databroker health checks (#3706) --- config/envoyconfig/clusters.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/config/envoyconfig/clusters.go b/config/envoyconfig/clusters.go index 4357d9ed6..f5eaeaa30 100644 --- a/config/envoyconfig/clusters.go +++ b/config/envoyconfig/clusters.go @@ -67,7 +67,7 @@ func (b *Builder) BuildClusters(ctx context.Context, cfg *config.Config) ([]*env } if len(authorizeURLs) > 1 { authorizeCluster.HealthChecks = grpcHealthChecks("pomerium-authorize") - authorizeCluster.OutlierDetection = grpcAuthorizeOutlierDetection() + authorizeCluster.OutlierDetection = grpcOutlierDetection() } databrokerCluster, err := b.buildInternalCluster(ctx, cfg.Options, "pomerium-databroker", databrokerURLs, upstreamProtocolHTTP2) @@ -75,8 +75,8 @@ func (b *Builder) BuildClusters(ctx context.Context, cfg *config.Config) ([]*env return nil, err } if len(databrokerURLs) > 1 { - authorizeCluster.HealthChecks = grpcHealthChecks("pomerium-databroker") - authorizeCluster.OutlierDetection = grpcAuthorizeOutlierDetection() + databrokerCluster.HealthChecks = grpcHealthChecks("pomerium-databroker") + databrokerCluster.OutlierDetection = grpcOutlierDetection() } envoyAdminCluster, err := b.buildEnvoyAdminCluster(ctx, cfg) @@ -406,8 +406,8 @@ func (b *Builder) buildCluster( return cluster.Validate() } -// grpcAuthorizeOutlierDetection defines slightly more aggressive malfunction detection for authorize endpoints -func grpcAuthorizeOutlierDetection() *envoy_config_cluster_v3.OutlierDetection { +// grpcOutlierDetection defines slightly more aggressive malfunction detection for grpc endpoints +func grpcOutlierDetection() *envoy_config_cluster_v3.OutlierDetection { return &envoy_config_cluster_v3.OutlierDetection{ Consecutive_5Xx: wrapperspb.UInt32(5), Interval: durationpb.New(time.Second * 10), 
From 30bdae3d9e3d81722efdfac92daa667ec24876e7 Mon Sep 17 00:00:00 2001 From: Caleb Doxsey Date: Tue, 25 Oct 2022 16:20:32 -0600 Subject: [PATCH 13/25] sessions: check idp id to detect provider changes to force session invalidation (#3707) * sessions: check idp id to detect provider changes to force session invalidation * remove dead code * fix test --- authenticate/handlers.go | 4 +- authenticate/state.go | 4 +- authorize/check_response_test.go | 5 -- authorize/grpc.go | 3 +- authorize/grpc_test.go | 5 -- authorize/session.go | 63 --------------- authorize/session_test.go | 76 ------------------ authorize/state.go | 14 ++-- config/identity.go | 22 +++++- config/session.go | 83 ++++++++++++++++++++ config/session_test.go | 128 +++++++++++++++++++++++++++++++ internal/sessions/middleware.go | 24 +----- internal/sessions/store.go | 19 +++++ proxy/state.go | 8 -- 14 files changed, 265 insertions(+), 193 deletions(-) delete mode 100644 authorize/session.go delete mode 100644 authorize/session_test.go create mode 100644 config/session.go create mode 100644 config/session_test.go diff --git a/authenticate/handlers.go b/authenticate/handlers.go index 4085033bf..6a23ca72b 100644 --- a/authenticate/handlers.go +++ b/authenticate/handlers.go @@ -111,9 +111,9 @@ func (a *Authenticate) mountDashboard(r *mux.Router) { cr.Path("/").Handler(a.requireValidSignature(a.Callback)).Methods(http.MethodGet) } -// RetrieveSession is the middleware used retrieve session by the sessionLoaders +// RetrieveSession is the middleware used retrieve session by the sessionLoader func (a *Authenticate) RetrieveSession(next http.Handler) http.Handler { - return sessions.RetrieveSession(a.state.Load().sessionLoaders...)(next) + return sessions.RetrieveSession(a.state.Load().sessionLoader)(next) } // VerifySession is the middleware used to enforce a valid authentication diff --git a/authenticate/state.go b/authenticate/state.go index 0b6b7924a..dcbccfc0f 100644 --- a/authenticate/state.go 
+++ b/authenticate/state.go @@ -42,7 +42,7 @@ type authenticateState struct { sessionStore sessions.SessionStore // sessionLoaders are a collection of session loaders to attempt to pull // a user's session state from - sessionLoaders []sessions.SessionLoader + sessionLoader sessions.SessionLoader jwk *jose.JSONWebKeySet @@ -120,7 +120,7 @@ func newAuthenticateStateFromConfig(cfg *config.Config) (*authenticateState, err } state.sessionStore = cookieStore - state.sessionLoaders = []sessions.SessionLoader{cookieStore} + state.sessionLoader = cookieStore state.jwk = new(jose.JSONWebKeySet) signingKey, err := cfg.Options.GetSigningKey() if err != nil { diff --git a/authorize/check_response_test.go b/authorize/check_response_test.go index 1dbf50c9b..438a6a25b 100644 --- a/authorize/check_response_test.go +++ b/authorize/check_response_test.go @@ -19,7 +19,6 @@ import ( "github.com/pomerium/pomerium/authorize/internal/store" "github.com/pomerium/pomerium/config" "github.com/pomerium/pomerium/internal/atomicutil" - "github.com/pomerium/pomerium/internal/encoding/jws" "github.com/pomerium/pomerium/internal/testutil" "github.com/pomerium/pomerium/pkg/policy/criteria" ) @@ -68,8 +67,6 @@ func TestAuthorize_okResponse(t *testing.T) { JWTClaimsHeaders: config.NewJWTClaimHeaders("email"), } a := &Authorize{currentOptions: config.NewAtomicOptions(), state: atomicutil.NewValue(new(authorizeState))} - encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}) - a.state.Load().encoder = encoder a.currentOptions.Store(opt) a.store = store.New() pe, err := newPolicyEvaluator(opt, a.store) 
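Review bot: The comment above the renamed field in authenticateState still reads "sessionLoaders are a collection of session loaders", but the field is now a single `sessionLoader sessions.SessionLoader`. It should become something like `// sessionLoader loads a user's raw session from a request`. The same stale wording survives in internal/sessions/middleware.go, where the comment on RetrieveSession still says it "takes a slice of session loaders" although the signature now takes one `SessionLoader`. The RetrieveSession comment in authenticate/handlers.go is also missing a word ("used retrieve session").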
@@ -124,8 +121,6 @@ func TestAuthorize_okResponse(t *testing.T) { func TestAuthorize_deniedResponse(t *testing.T) { a := &Authorize{currentOptions: config.NewAtomicOptions(), state: atomicutil.NewValue(new(authorizeState))} - encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}) - a.state.Load().encoder = encoder a.currentOptions.Store(&config.Options{ Policies: []config.Policy{{ Source: &config.StringURL{URL: &url.URL{Host: "example.com"}}, diff --git a/authorize/grpc.go b/authorize/grpc.go index 4816fe0d2..03664157d 100644 --- a/authorize/grpc.go +++ b/authorize/grpc.go @@ -55,8 +55,7 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRe } } - rawJWT, _ := loadRawSession(hreq, a.currentOptions.Load(), state.encoder) - sessionState, _ := loadSession(state.encoder, rawJWT) + sessionState, _ := state.sessionStore.LoadSessionState(hreq) var s sessionOrServiceAccount var u *user.User diff --git a/authorize/grpc_test.go b/authorize/grpc_test.go index 28a8cdbbb..5fa8910fb 100644 --- a/authorize/grpc_test.go +++ b/authorize/grpc_test.go @@ -16,7 +16,6 @@ import ( "github.com/pomerium/pomerium/authorize/evaluator" "github.com/pomerium/pomerium/config" "github.com/pomerium/pomerium/internal/atomicutil" - "github.com/pomerium/pomerium/internal/encoding/jws" "github.com/pomerium/pomerium/internal/httputil" "github.com/pomerium/pomerium/internal/sessions" "github.com/pomerium/pomerium/pkg/grpc/databroker" @@ -48,8 +47,6 @@ yE+vPxsiUkvQHdO2fojCkY8jg70jxM+gu59tPDNbw3Uh/2Ij310FgTHsnGQMyA== func Test_getEvaluatorRequest(t *testing.T) { a := &Authorize{currentOptions: config.NewAtomicOptions(), state: atomicutil.NewValue(new(authorizeState))} - encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}) - a.state.Load().encoder = encoder a.currentOptions.Store(&config.Options{ Policies: []config.Policy{{ Source: &config.StringURL{URL: &url.URL{Host: "example.com"}}, 
@@ -262,8 +259,6 @@ func Test_handleForwardAuth(t *testing.T) { func Test_getEvaluatorRequestWithPortInHostHeader(t *testing.T) { a := &Authorize{currentOptions: config.NewAtomicOptions(), state: atomicutil.NewValue(new(authorizeState))} - encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}) - a.state.Load().encoder = encoder a.currentOptions.Store(&config.Options{ Policies: []config.Policy{{ Source: &config.StringURL{URL: &url.URL{Host: "example.com"}}, diff --git a/authorize/session.go b/authorize/session.go deleted file mode 100644 index c40b7add6..000000000 --- a/authorize/session.go +++ /dev/null 
@@ -1,63 +0,0 @@ -package authorize - -import ( - "errors" - "net/http" - - "github.com/pomerium/pomerium/config" - "github.com/pomerium/pomerium/internal/encoding" - "github.com/pomerium/pomerium/internal/sessions" - "github.com/pomerium/pomerium/internal/sessions/cookie" - "github.com/pomerium/pomerium/internal/sessions/header" - "github.com/pomerium/pomerium/internal/sessions/queryparam" - "github.com/pomerium/pomerium/internal/urlutil" -) - -func loadRawSession(req *http.Request, options *config.Options, encoder encoding.MarshalUnmarshaler) ([]byte, error) { - var loaders []sessions.SessionLoader - cookieStore, err := getCookieStore(options, encoder) - if err != nil { - return nil, err - } - loaders = append(loaders, - cookieStore, - header.NewStore(encoder), - queryparam.NewStore(encoder, urlutil.QuerySession), - ) - - for _, loader := range loaders { - sess, err := loader.LoadSession(req) - if err != nil && !errors.Is(err, sessions.ErrNoSessionFound) { - return nil, err - } else if err == nil { - return []byte(sess), nil - } - } - - return nil, sessions.ErrNoSessionFound -} - -func loadSession(encoder encoding.MarshalUnmarshaler, rawJWT []byte) (*sessions.State, error) { - var s sessions.State - err := encoder.Unmarshal(rawJWT, &s) - if err != nil { - return nil, err - } - return &s, nil -} - -func getCookieStore(options *config.Options, encoder encoding.MarshalUnmarshaler) (sessions.SessionStore, error) { - cookieStore, err := cookie.NewStore(func() cookie.Options { - return cookie.Options{ - Name: options.CookieName, - Domain: options.CookieDomain, - Secure: options.CookieSecure, - HTTPOnly: options.CookieHTTPOnly, - Expire: options.CookieExpire, - } - }, encoder) - if err != nil { - return nil, err - } - return cookieStore, nil -} diff --git a/authorize/session_test.go b/authorize/session_test.go deleted file mode 100644 index 53b509e80..000000000 --- a/authorize/session_test.go +++ /dev/null 
@@ -1,76 +0,0 @@ -package authorize - -import ( - "net/url" - "testing" - - envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" - "github.com/stretchr/testify/assert" - - "github.com/pomerium/pomerium/config" - "github.com/pomerium/pomerium/internal/encoding/jws" - "github.com/pomerium/pomerium/internal/sessions" -) - -func TestLoadSession(t *testing.T) { - opts := config.NewDefaultOptions() - encoder, err := jws.NewHS256Signer(nil) - if !assert.NoError(t, err) { - return - } - state := &sessions.State{ID: "xyz"} - rawjwt, err := encoder.Marshal(state) - if !assert.NoError(t, err) { - return - } - - load := func(t *testing.T, hattrs *envoy_service_auth_v3.AttributeContext_HttpRequest) (*sessions.State, error) { - req := getHTTPRequestFromCheckRequest(&envoy_service_auth_v3.CheckRequest{ - Attributes: &envoy_service_auth_v3.AttributeContext{ - Request: &envoy_service_auth_v3.AttributeContext_Request{ - Http: hattrs, - }, - }, - }) - raw, err := loadRawSession(req, opts, encoder) - if err != nil { - return nil, err - } - var state sessions.State - err = encoder.Unmarshal(raw, &state) - if err != nil { - return nil, err - } - return &state, nil - } - - t.Run("header", func(t *testing.T) { - hattrs := &envoy_service_auth_v3.AttributeContext_HttpRequest{ - Id: "req-1", - Method: "GET", - Headers: map[string]string{ - "Authorization": "Pomerium " + string(rawjwt), - }, - Path: "/hello/world", - Host: "example.com", - Scheme: "https", - } - sess, err := load(t, hattrs) - assert.NoError(t, err) - assert.NotNil(t, sess) - }) - t.Run("query param", func(t *testing.T) { - hattrs := &envoy_service_auth_v3.AttributeContext_HttpRequest{ - Id: "req-1", - Method: "GET", - Path: "/hello/world?" + url.Values{ - "pomerium_session": []string{string(rawjwt)}, - }.Encode(), - Host: "example.com", - Scheme: "https", - } - sess, err := load(t, hattrs) - assert.NoError(t, err) - assert.NotNil(t, sess) - }) -} 
diff --git a/authorize/state.go b/authorize/state.go index 6440c4a10..4bf58a040 100644 --- a/authorize/state.go +++ b/authorize/state.go @@ -9,8 +9,6 @@ import ( "github.com/pomerium/pomerium/authorize/evaluator" "github.com/pomerium/pomerium/authorize/internal/store" "github.com/pomerium/pomerium/config" - "github.com/pomerium/pomerium/internal/encoding" - "github.com/pomerium/pomerium/internal/encoding/jws" "github.com/pomerium/pomerium/pkg/grpc" "github.com/pomerium/pomerium/pkg/grpc/databroker" "github.com/pomerium/pomerium/pkg/protoutil" @@ -21,10 +19,10 @@ var outboundGRPCConnection = new(grpc.CachedOutboundGRPClientConn) type authorizeState struct { sharedKey []byte evaluator *evaluator.Evaluator - encoder encoding.MarshalUnmarshaler dataBrokerClientConnection *googlegrpc.ClientConn dataBrokerClient databroker.DataBrokerServiceClient auditEncryptor *protoutil.Encryptor + sessionStore *config.SessionStore } func newAuthorizeStateFromConfig(cfg *config.Config, store *store.Store) (*authorizeState, error) { @@ -46,11 +44,6 @@ func newAuthorizeStateFromConfig(cfg *config.Config, store *store.Store) (*autho return nil, err } - state.encoder, err = jws.NewHS256Signer(state.sharedKey) - if err != nil { - return nil, err - } - sharedKey, err := cfg.Options.GetSharedKey() if err != nil { return nil, err @@ -76,5 +69,10 @@ func newAuthorizeStateFromConfig(cfg *config.Config, store *store.Store) (*autho state.auditEncryptor = protoutil.NewEncryptor(auditKey) } + state.sessionStore, err = config.NewSessionStore(cfg.Options) + if err != nil { + return nil, fmt.Errorf("authorize: invalid session store: %w", err) + } + return state, nil } diff --git a/config/identity.go b/config/identity.go index 7fc1a1cbd..5843c3147 100644 --- a/config/identity.go +++ b/config/identity.go 
@@ -1,14 +1,16 @@ package config import ( + "github.com/pomerium/pomerium/internal/urlutil" "github.com/pomerium/pomerium/pkg/grpc/identity" ) // GetIdentityProviderForID returns the identity provider associated with the given IDP id. // If none is found the default provider is returned. func (o *Options) GetIdentityProviderForID(idpID string) (*identity.Provider, error) { - for _, policy := range o.GetAllPolicies() { - idp, err := o.GetIdentityProviderForPolicy(&policy) //nolint + for _, p := range o.GetAllPolicies() { + p := p + idp, err := o.GetIdentityProviderForPolicy(&p) if err != nil { return nil, err } @@ -48,3 +50,19 @@ func (o *Options) GetIdentityProviderForPolicy(policy *Policy) (*identity.Provid idp.Id = idp.Hash() return idp, nil } + +// GetIdentityProviderForRequestURL gets the identity provider associated with the given request URL. +func (o *Options) GetIdentityProviderForRequestURL(requestURL string) (*identity.Provider, error) { + u, err := urlutil.ParseAndValidateURL(requestURL) + if err != nil { + return nil, err + } + + for _, p := range o.GetAllPolicies() { + p := p + if p.Matches(*u) { + return o.GetIdentityProviderForPolicy(&p) + } + } + return o.GetIdentityProviderForPolicy(nil) +} diff --git a/config/session.go b/config/session.go new file mode 100644 index 000000000..6f3b36ccb --- /dev/null +++ b/config/session.go 
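Review bot: The doc comment on GetIdentityProviderForRequestURL does not mention that a URL matching no policy falls through to `o.GetIdentityProviderForPolicy(nil)`, nor that the first matching policy in `GetAllPolicies()` order decides the provider. Since the result is what a session's provider id is compared against, both belong in the comment, e.g. `// The first policy matching the URL decides the provider; if none matches, the default provider is returned.` The function also takes the URL as a string and re-parses it, while its caller in config/session.go already holds a `*url.URL` from `urlutil.GetAbsoluteURL(r)`.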
@@ -0,0 +1,83 @@ +package config + +import ( + "fmt" + "net/http" + + "github.com/pomerium/pomerium/internal/encoding" + "github.com/pomerium/pomerium/internal/encoding/jws" + "github.com/pomerium/pomerium/internal/sessions" + "github.com/pomerium/pomerium/internal/sessions/cookie" + "github.com/pomerium/pomerium/internal/sessions/header" + "github.com/pomerium/pomerium/internal/sessions/queryparam" + "github.com/pomerium/pomerium/internal/urlutil" +) + +// A SessionStore saves and loads sessions based on the options. +type SessionStore struct { + options *Options + encoder encoding.MarshalUnmarshaler + loader sessions.SessionLoader +} + +// NewSessionStore creates a new SessionStore from the Options. +func NewSessionStore(options *Options) (*SessionStore, error) { + store := &SessionStore{ + options: options, + } + + sharedKey, err := options.GetSharedKey() + if err != nil { + return nil, fmt.Errorf("config/sessions: shared_key is required: %w", err) + } + + store.encoder, err = jws.NewHS256Signer(sharedKey) + if err != nil { + return nil, fmt.Errorf("config/sessions: invalid session encoder: %w", err) + } + + cookieStore, err := cookie.NewStore(func() cookie.Options { + return cookie.Options{ + Name: options.CookieName, + Domain: options.CookieDomain, + Secure: options.CookieSecure, + HTTPOnly: options.CookieHTTPOnly, + Expire: options.CookieExpire, + } + }, store.encoder) + if err != nil { + return nil, err + } + headerStore := header.NewStore(store.encoder) + queryParamStore := queryparam.NewStore(store.encoder, urlutil.QuerySession) + store.loader = sessions.MultiSessionLoader(cookieStore, headerStore, queryParamStore) + + return store, nil +} + +// LoadSessionState loads the session state from a request. 
+func (store *SessionStore) LoadSessionState(r *http.Request) (*sessions.State, error) { + rawJWT, err := store.loader.LoadSession(r) + if err != nil { + return nil, err + } + + var state sessions.State + err = store.encoder.Unmarshal([]byte(rawJWT), &state) + if err != nil { + return nil, err + } + + // confirm that the identity provider id matches the state + idp, err := store.options.GetIdentityProviderForRequestURL(urlutil.GetAbsoluteURL(r).String()) + if err != nil { + return nil, err + } + + if idp.GetId() != state.IdentityProviderID { + return nil, fmt.Errorf("unexpected session state identity provider id: %s != %s", + idp.GetId(), state.IdentityProviderID) + } + + return &state, nil +} diff --git a/config/session_test.go b/config/session_test.go new file mode 100644 index 000000000..6a1471b26 --- /dev/null +++ b/config/session_test.go @@ -0,0 +1,128 @@ +package config + +import ( + "encoding/base64" + "net/http" + "net/url" + "testing" + + "github.com/google/go-cmp/cmp" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/pomerium/pomerium/internal/encoding/jws" + "github.com/pomerium/pomerium/internal/httputil" + "github.com/pomerium/pomerium/internal/sessions" + "github.com/pomerium/pomerium/internal/urlutil" + "github.com/pomerium/pomerium/pkg/cryptutil" +) + +func TestSessionStore_LoadSessionState(t *testing.T) { + t.Parallel() + + sharedKey := cryptutil.NewKey() + options := NewDefaultOptions() + options.SharedKey = base64.StdEncoding.EncodeToString(sharedKey) + options.Provider = "oidc" + options.ProviderURL = "https://oidc.example.com" + options.ClientID = "client_id" + options.ClientSecret = "client_secret" + options.Policies = append(options.Policies, + Policy{ + From: "https://p1.example.com", + To: mustParseWeightedURLs(t, "https://p1"), + IDPClientID: "client_id_1", + IDPClientSecret: "client_secret_1", + }, + Policy{ + 
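Review bot: LoadSessionState's comment says only that it "loads the session state from a request", but the function also rejects a correctly signed state whose `IdentityProviderID` differs from the provider resolved for the request URL. Callers need to know that a non-nil error can mean a rejected session rather than an absent one. I would extend the comment to `// LoadSessionState loads the session state from a request. It returns sessions.ErrNoSessionFound when no loader finds a session, and an error when the state's identity provider id does not match the provider for the request URL.` In NewSessionStore the `cookie.NewStore` error is returned bare while the two errors before it are wrapped with a `config/sessions:` prefix; wrapping it the same way would keep the messages consistent.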
From: "https://p2.example.com", + To: mustParseWeightedURLs(t, "https://p2"), + IDPClientID: "client_id_2", + IDPClientSecret: "client_secret_2", + }) + require.NoError(t, options.Validate()) + + store, err := NewSessionStore(options) + require.NoError(t, err) + + idp1, err := options.GetIdentityProviderForPolicy(nil) + require.NoError(t, err) + require.NotNil(t, idp1) + + idp2, err := options.GetIdentityProviderForPolicy(&options.Policies[0]) + require.NoError(t, err) + require.NotNil(t, idp2) + + idp3, err := options.GetIdentityProviderForPolicy(&options.Policies[1]) + require.NoError(t, err) + require.NotNil(t, idp3) + + makeJWS := func(t *testing.T, state *sessions.State) string { + e, err := jws.NewHS256Signer(sharedKey) + require.NoError(t, err) + + rawJWS, err := e.Marshal(state) + require.NoError(t, err) + + return string(rawJWS) + } + + t.Run("mssing", func(t *testing.T) { + r, err := http.NewRequest(http.MethodGet, "https://p1.example.com", nil) + require.NoError(t, err) + s, err := store.LoadSessionState(r) + assert.ErrorIs(t, err, sessions.ErrNoSessionFound) + assert.Nil(t, s) + }) + t.Run("query", func(t *testing.T) { + rawJWS := makeJWS(t, &sessions.State{ + Issuer: "authenticate.example.com", + ID: "example", + IdentityProviderID: idp2.GetId(), + }) + + r, err := http.NewRequest(http.MethodGet, "https://p1.example.com?"+url.Values{ + urlutil.QuerySession: {rawJWS}, + }.Encode(), nil) + require.NoError(t, err) + s, err := store.LoadSessionState(r) + assert.NoError(t, err) + assert.Empty(t, cmp.Diff(&sessions.State{ + Issuer: "authenticate.example.com", + ID: "example", + IdentityProviderID: idp2.GetId(), + }, s)) + }) + t.Run("header", func(t *testing.T) { + rawJWS := makeJWS(t, &sessions.State{ + Issuer: "authenticate.example.com", + ID: "example", + IdentityProviderID: idp3.GetId(), + }) + + r, err := http.NewRequest(http.MethodGet, "https://p2.example.com", nil) + require.NoError(t, err) + r.Header.Set(httputil.HeaderPomeriumAuthorization, rawJWS) 
+ s, err := store.LoadSessionState(r) + assert.NoError(t, err) + assert.Empty(t, cmp.Diff(&sessions.State{ + Issuer: "authenticate.example.com", + ID: "example", + IdentityProviderID: idp3.GetId(), + }, s)) + }) + t.Run("wrong idp", func(t *testing.T) { + rawJWS := makeJWS(t, &sessions.State{ + Issuer: "authenticate.example.com", + ID: "example", + IdentityProviderID: idp1.GetId(), + }) + + r, err := http.NewRequest(http.MethodGet, "https://p2.example.com", nil) + require.NoError(t, err) + r.Header.Set(httputil.HeaderPomeriumAuthorization, rawJWS) + s, err := store.LoadSessionState(r) + assert.Error(t, err) + assert.Nil(t, s) + }) +} diff --git a/internal/sessions/middleware.go b/internal/sessions/middleware.go index af17d3c42..45d5047e6 100644 --- a/internal/sessions/middleware.go +++ b/internal/sessions/middleware.go @@ -2,7 +2,6 @@ package sessions import ( "context" - "errors" "net/http" ) @@ -14,17 +13,17 @@ var ( // RetrieveSession takes a slice of session loaders and tries to find a valid // session in the order they were supplied and is added to the request's context -func RetrieveSession(s ...SessionLoader) func(http.Handler) http.Handler { +func RetrieveSession(s SessionLoader) func(http.Handler) http.Handler { return func(next http.Handler) http.Handler { - return retrieve(s...)(next) + return retrieve(s)(next) } } -func retrieve(s ...SessionLoader) func(http.Handler) http.Handler { +func retrieve(s SessionLoader) func(http.Handler) http.Handler { return func(next http.Handler) http.Handler { hfn := func(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - jwt, err := retrieveFromRequest(r, s...) + jwt, err := s.LoadSession(r) ctx = NewContext(ctx, jwt, err) next.ServeHTTP(w, r.WithContext(ctx)) } 
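Review bot: The "wrong idp" subtest in TestSessionStore_LoadSessionState checks only `assert.Error(t, err)`, so it passes on any failure (a decode error, a bad request URL), not specifically on the provider mismatch this commit introduces. Pinning the cause with `assert.ErrorContains(t, err, "unexpected session state identity provider id")` would make the test guard the actual check. The first subtest name is misspelled: `t.Run("mssing", ...)` should be `"missing"`. The store is built with cookie, header and query-param loaders, but only the header and query paths are exercised here.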
@@ -32,21 +31,6 @@ func retrieve(s ...SessionLoader) func(http.Handler) http.Handler { } } -// retrieveFromRequest extracts sessions state from the request by calling -// token find functions in the order they where provided. -func retrieveFromRequest(r *http.Request, sessions ...SessionLoader) (string, error) { - for _, s := range sessions { - jwt, err := s.LoadSession(r) - if err != nil && !errors.Is(err, ErrNoSessionFound) { - return "", err - } else if err == nil { - return jwt, nil - } - } - - return "", ErrNoSessionFound -} - // NewContext sets context values for the user session state and error. func NewContext(ctx context.Context, jwt string, err error) context.Context { ctx = context.WithValue(ctx, SessionCtxKey, jwt) diff --git a/internal/sessions/store.go b/internal/sessions/store.go index 7f838763a..bc88207ac 100644 --- a/internal/sessions/store.go +++ b/internal/sessions/store.go @@ -3,6 +3,7 @@ package sessions import ( + "errors" "net/http" ) @@ -17,3 +18,21 @@ type SessionStore interface { type SessionLoader interface { LoadSession(*http.Request) (string, error) } + +type multiSessionLoader []SessionLoader + +func (l multiSessionLoader) LoadSession(r *http.Request) (string, error) { + for _, ll := range l { + s, err := ll.LoadSession(r) + if errors.Is(err, ErrNoSessionFound) { + continue + } + return s, err + } + return "", ErrNoSessionFound +} + +// MultiSessionLoader returns a session loader that returns the first session available. +func MultiSessionLoader(loaders ...SessionLoader) SessionLoader { + return multiSessionLoader(loaders) +} diff --git a/proxy/state.go b/proxy/state.go index f8bc827fd..b4ed3cdfd 100644 --- a/proxy/state.go +++ b/proxy/state.go 
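Review bot: multiSessionLoader and its LoadSession method in internal/sessions/store.go have no comments, and the loop's contract is not obvious from the MultiSessionLoader one-liner. Only `ErrNoSessionFound` moves on to the next loader; any other error from an earlier loader is returned immediately and later loaders are never consulted. That matches the removed retrieveFromRequest, but it means loader order is significant, which should be stated. Suggested comment on the type: `// multiSessionLoader tries each loader in order; a loader error other than ErrNoSessionFound stops the search and is returned.`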
@@ -9,8 +9,6 @@ import ( "github.com/pomerium/pomerium/internal/encoding/jws" "github.com/pomerium/pomerium/internal/sessions" "github.com/pomerium/pomerium/internal/sessions/cookie" - "github.com/pomerium/pomerium/internal/sessions/header" - "github.com/pomerium/pomerium/internal/sessions/queryparam" "github.com/pomerium/pomerium/pkg/cryptutil" ) @@ -26,7 +24,6 @@ type proxyState struct { encoder encoding.MarshalUnmarshaler cookieSecret []byte sessionStore sessions.SessionStore - sessionLoaders []sessions.SessionLoader jwtClaimHeaders config.JWTClaimHeaders programmaticRedirectDomainWhitelist []string @@ -84,11 +81,6 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) { if err != nil { return nil, err } - state.sessionLoaders = []sessions.SessionLoader{ - state.sessionStore, - header.NewStore(state.encoder), - queryparam.NewStore(state.encoder, "pomerium_session"), - } state.programmaticRedirectDomainWhitelist = cfg.Options.ProgrammaticRedirectDomainWhitelist return state, nil From 1b596115e9616146285762639facb6dc889510a3 Mon Sep 17 00:00:00 2001 From: Caleb Doxsey Date: Wed, 26 Oct 2022 07:40:13 -0600 Subject: [PATCH 14/25] postgres: increase record batch size (#3708) --- pkg/storage/postgres/stream.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/storage/postgres/stream.go b/pkg/storage/postgres/stream.go index 3dc265f67..e5c9fbf75 100644 --- a/pkg/storage/postgres/stream.go +++ b/pkg/storage/postgres/stream.go @@ -11,7 +11,7 @@ import ( "github.com/pomerium/pomerium/pkg/storage" ) -const recordBatchSize = 64 +const recordBatchSize = 4 * 1024 type recordStream struct { backend *Backend From 6a9d6e45e11a5a31ca41b0d56ac16fab712edf6a Mon Sep 17 00:00:00 2001 
From: Caleb Doxsey Date: Thu, 27 Oct 2022 08:32:06 -0600 Subject: [PATCH 15/25] config: allow blank identity providers when loading sessions for service account support (#3709) --- config/session.go | 16 +++++++++------- config/session_test.go | 16 ++++++++++++++++ 2 files changed, 25 insertions(+), 7 deletions(-) diff --git a/config/session.go b/config/session.go index 6f3b36ccb..f9a494005 100644 --- a/config/session.go +++ b/config/session.go @@ -69,14 +69,16 @@ func (store *SessionStore) LoadSessionState(r *http.Request) (*sessions.State, e } // confirm that the identity provider id matches the state - idp, err := store.options.GetIdentityProviderForRequestURL(urlutil.GetAbsoluteURL(r).String()) - if err != nil { - return nil, err - } + if state.IdentityProviderID != "" { + idp, err := store.options.GetIdentityProviderForRequestURL(urlutil.GetAbsoluteURL(r).String()) + if err != nil { + return nil, err + } - if idp.GetId() != state.IdentityProviderID { - return nil, fmt.Errorf("unexpected session state identity provider id: %s != %s", - idp.GetId(), state.IdentityProviderID) + if idp.GetId() != state.IdentityProviderID { + return nil, fmt.Errorf("unexpected session state identity provider id: %s != %s", + idp.GetId(), state.IdentityProviderID) + } } return &state, nil diff --git a/config/session_test.go b/config/session_test.go index 6a1471b26..058850b86 100644 --- a/config/session_test.go +++ b/config/session_test.go 
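Review bot: The new `if state.IdentityProviderID != ""` guard in LoadSessionState means any validly signed state with an empty provider id skips the mismatch check altogether, and nothing at the guard says why. The commit title gives the reason (service accounts), but the code does not, and the effect is wider than that. If a state issued before this field was populated carries an empty id (cannot be confirmed from this hunk), it would keep loading after a provider change. A comment such as `// service account sessions carry no identity provider id, so the check only applies when one is set` documents the intent. If the session state can identify a service account, narrowing the exemption to that case would keep the invalidation guarantee for user sessions.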
@@ -125,4 +125,20 @@ func TestSessionStore_LoadSessionState(t *testing.T) { assert.Error(t, err) assert.Nil(t, s) }) + t.Run("blank idp", func(t *testing.T) { + rawJWS := makeJWS(t, &sessions.State{ + Issuer: "authenticate.example.com", + ID: "example", + }) + + r, err := http.NewRequest(http.MethodGet, "https://p2.example.com", nil) + require.NoError(t, err) + r.Header.Set(httputil.HeaderPomeriumAuthorization, rawJWS) + s, err := store.LoadSessionState(r) + assert.NoError(t, err) + assert.Empty(t, cmp.Diff(&sessions.State{ + Issuer: "authenticate.example.com", + ID: "example", + }, s)) + }) } From 3f9dfbef76517e4c01250586045fe1cbd49069ee Mon Sep 17 00:00:00 2001 From: Caleb Doxsey Date: Fri, 28 Oct 2022 08:41:12 -0600 Subject: [PATCH 16/25] device: add generic methods for working with user+session devices (#3710) --- authenticate/handlers/webauthn/helpers.go | 32 --------------- authenticate/handlers/webauthn/webauthn.go | 8 ++-- pkg/grpc/session/session.go | 8 ++++ pkg/grpc/user/user.go | 16 ++++++++ pkg/slices/slices.go | 47 ++++++++++++++++++++++ 5 files changed, 75 insertions(+), 36 deletions(-) delete mode 100644 authenticate/handlers/webauthn/helpers.go create mode 100644 pkg/slices/slices.go diff --git a/authenticate/handlers/webauthn/helpers.go b/authenticate/handlers/webauthn/helpers.go deleted file mode 100644 index 319e8952f..000000000 --- a/authenticate/handlers/webauthn/helpers.go +++ /dev/null 
@@ -1,32 +0,0 @@ -package webauthn - -import "github.com/pomerium/pomerium/pkg/grpc/session" - -func containsString(elements []string, value string) bool { - for _, element := range elements { - if element == value { - return true - } - } - return false -} - -func removeString(elements []string, value string) []string { - dup := make([]string, 0, len(elements)) - for _, element := range elements { - if element != value { - dup = append(dup, element) - } - } - return dup -} - -func removeSessionDeviceCredential(elements []*session.Session_DeviceCredential, id string) []*session.Session_DeviceCredential { - dup := make([]*session.Session_DeviceCredential, 0, len(elements)) - for _, element := range elements { - if element.GetId() != id { - dup = append(dup, element) - } - } - return dup -} diff --git a/authenticate/handlers/webauthn/webauthn.go b/authenticate/handlers/webauthn/webauthn.go index d29b69ddc..84e792cf2 100644 --- a/authenticate/handlers/webauthn/webauthn.go +++ b/authenticate/handlers/webauthn/webauthn.go @@ -324,7 +324,7 @@ func (h *Handler) handleRegister(w http.ResponseWriter, r *http.Request, state * } // save the user - u.DeviceCredentialIds = append(u.DeviceCredentialIds, deviceCredential.GetId()) + u.AddDeviceCredentialID(deviceCredential.GetId()) _, err = databroker.Put(ctx, state.Client, u) if err != nil { return err @@ -356,7 +356,7 @@ func (h *Handler) handleUnregister(w http.ResponseWriter, r *http.Request, state } // ensure we only allow removing a device credential the user owns - if !containsString(u.GetDeviceCredentialIds(), deviceCredentialID) { + if !u.HasDeviceCredentialID(deviceCredentialID) { return errInvalidDeviceCredential } 
@@ -373,14 +373,14 @@ func (h *Handler) handleUnregister(w http.ResponseWriter, r *http.Request, state } // remove the credential from the user - u.DeviceCredentialIds = removeString(u.DeviceCredentialIds, deviceCredentialID) + u.RemoveDeviceCredentialID(deviceCredentialID) _, err = databroker.Put(ctx, state.Client, u) if err != nil { return err } // remove the credential from the session - state.Session.DeviceCredentials = removeSessionDeviceCredential(state.Session.DeviceCredentials, deviceCredentialID) + state.Session.RemoveDeviceCredentialID(deviceCredentialID) return h.saveSessionAndRedirect(w, r, state, urlutil.GetAbsoluteURL(r).ResolveReference(&url.URL{ Path: "/.pomerium", }).String()) diff --git a/pkg/grpc/session/session.go b/pkg/grpc/session/session.go index 009278d22..8dcb68e1c 100644 --- a/pkg/grpc/session/session.go +++ b/pkg/grpc/session/session.go @@ -12,6 +12,7 @@ import ( "github.com/pomerium/pomerium/internal/identity" "github.com/pomerium/pomerium/pkg/grpc/databroker" "github.com/pomerium/pomerium/pkg/protoutil" + "github.com/pomerium/pomerium/pkg/slices" ) // Delete deletes a session from the databroker. @@ -78,3 +79,10 @@ func (x *Session) SetRawIDToken(rawIDToken string) { } x.IdToken.Raw = rawIDToken } + +// RemoveDeviceCredentialID removes a device credential id. +func (x *Session) RemoveDeviceCredentialID(deviceCredentialID string) { + x.DeviceCredentials = slices.Filter(x.DeviceCredentials, func(el *Session_DeviceCredential) bool { + return el.GetId() != deviceCredentialID + }) +} diff --git a/pkg/grpc/user/user.go b/pkg/grpc/user/user.go index e10969175..b3fb600fe 100644 --- a/pkg/grpc/user/user.go +++ b/pkg/grpc/user/user.go @@ -8,6 +8,7 @@ import ( "github.com/pomerium/pomerium/internal/identity" "github.com/pomerium/pomerium/pkg/grpc/databroker" + "github.com/pomerium/pomerium/pkg/slices" ) // Get gets a user from the databroker. 
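Review bot: The doc comment on `Session.RemoveDeviceCredentialID` in pkg/grpc/session/session.go says it "removes a device credential id", but the method filters `x.DeviceCredentials` and drops every entry whose `GetId()` equals the argument. I would word it as `// RemoveDeviceCredentialID removes all device credentials with the given id from the session.` The method assigns to a field of `x`, so unlike the generated getters it presumably cannot be called on a nil `*Session`; a short note in the comment would make that explicit for callers.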
@@ -47,3 +48,18 @@ func (x *User) GetClaim(claim string) []interface{} { } return vs } + +// AddDeviceCredentialID adds a device credential id to the list of device credential ids. +func (x *User) AddDeviceCredentialID(deviceCredentialID string) { + x.DeviceCredentialIds = slices.Unique(append(x.DeviceCredentialIds, deviceCredentialID)) +} + +// HasDeviceCredentialID returns true if the user has the device credential id. +func (x *User) HasDeviceCredentialID(deviceCredentialID string) bool { + return slices.Contains(x.DeviceCredentialIds, deviceCredentialID) +} + +// RemoveDeviceCredentialID removes the device credential id from the list of device credential ids. +func (x *User) RemoveDeviceCredentialID(deviceCredentialID string) { + x.DeviceCredentialIds = slices.Remove(x.DeviceCredentialIds, deviceCredentialID) +} diff --git a/pkg/slices/slices.go b/pkg/slices/slices.go new file mode 100644 index 000000000..3a3317505 --- /dev/null +++ b/pkg/slices/slices.go @@ -0,0 +1,47 @@ +// Package slices contains functions for working with slices. +package slices + +// Contains returns true if e is in s. +func Contains[S ~[]E, E comparable](s S, e E) bool { + for _, el := range s { + if el == e { + return true + } + } + return false +} + +// Filter returns a new slice containing only those elements for which f(element) is true. +func Filter[S ~[]E, E any](s S, f func(E) bool) S { + var ns S + for _, el := range s { + if f(el) { + ns = append(ns, el) + } + } + return ns +} + +// Remove removes e from s. +func Remove[S ~[]E, E comparable](s S, e E) S { + var ns S + for _, el := range s { + if el != e { + ns = append(ns, el) + } + } + return ns +} + +// Unique returns the unique elements of s. +func Unique[S ~[]E, E comparable](s S) S { + var ns S + h := map[E]struct{}{} + for _, el := range s { + if _, ok := h[el]; !ok { + h[el] = struct{}{} + ns = append(ns, el) + } + } + return ns +} From d8f4355f66e90c66e8a339c41d4baf713a07fdfc Mon Sep 17 00:00:00 2001 
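Review bot: `AddDeviceCredentialID` in pkg/grpc/user/user.go appends and then runs `slices.Unique` over the whole list, which builds a map and a new slice on every call and also silently collapses any duplicates that were already stored. A membership check states the intent more directly: `if !x.HasDeviceCredentialID(deviceCredentialID) { x.DeviceCredentialIds = append(x.DeviceCredentialIds, deviceCredentialID) }`. If collapsing existing duplicates is intended, the doc comment should say so.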
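Review bot: pkg/slices/slices.go is added without a test file (the diffstat lists only the five source files), even though `Contains` now backs the ownership check in `handleUnregister` and `Remove`/`Filter` decide which device credentials stay bound to a user and a session. A small table test covering empty input, no match and repeated matches would pin that behaviour. `Filter`, `Remove` and `Unique` also start from `var ns S`, so they return nil when nothing is kept, where the deleted `removeString` returned an empty non-nil slice. The doc comments should state this, for example `// Remove returns a new slice without any element equal to e (nil if none remain).`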
From: Denis Mishin Date: Fri, 28 Oct 2022 14:59:43 -0400 Subject: [PATCH 17/25] fix unused key warnings in routes (#3711) --- config/options.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/config/options.go b/config/options.go index 5a128f45e..916f287a1 100644 --- a/config/options.go +++ b/config/options.go @@ -11,6 +11,7 @@ import ( "os" "path/filepath" "reflect" + "regexp" "strings" "time" @@ -403,10 +404,15 @@ func optionsFromViper(configFile string) (*Options, error) { return o, nil } +var ( + // policy's embedded protobuf structs are decoded by separate hook and are unknown to mapstructure + routesEmbeddedFieldsRe = regexp.MustCompile(`(routes|policy)\[\.*`) +) + func checkUnusedConfigFields(configFile string, unused []string) { keys := make([]string, 0, len(unused)) for _, k := range unused { - if !strings.HasPrefix(k, "policy[") { // policy's embedded protobuf structs are decoded by separate hook and are unknown to mapstructure + if !routesEmbeddedFieldsRe.MatchString(k) { keys = append(keys, k) } } From 4cb2e9e005e570ccfbd3fd60f0f95f74e10054fd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Oct 2022 12:26:39 -0400 Subject: [PATCH 18/25] chore(deps): bump mikefarah/yq from 4.28.2 to 4.29.2 (#3717) Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.28.2 to 4.29.2. - [Release notes](https://github.com/mikefarah/yq/releases) - [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt) - [Commits](https://github.com/mikefarah/yq/compare/1f0881fb5faf371694bfa108753cda0b824f5037...5e490527de24715db37869037083f7f391dde5a6) --- updated-dependencies: - dependency-name: mikefarah/yq dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] 
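Review bot: `routesEmbeddedFieldsRe` in config/options.go is not anchored, so `MatchString` suppresses the unused-key warning for any key that contains `routes[` or `policy[` anywhere, whereas the replaced `strings.HasPrefix(k, "policy[")` matched only at the start of the key. The trailing `\.*` matches zero or more literal dots and has no effect on the result. Changing the pattern to `^(routes|policy)\[` keeps the intended suppression and still reports unknown keys elsewhere in the config, which is how a mistyped setting gets noticed. `checkUnusedConfigFields` continues past the end of the hunk.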
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/docker-main.yaml | 2 +- .github/workflows/release.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-main.yaml b/.github/workflows/docker-main.yaml index 0fb8672c7..4b1c3c786 100644 --- a/.github/workflows/docker-main.yaml +++ b/.github/workflows/docker-main.yaml @@ -83,7 +83,7 @@ jobs: token: ${{ secrets.APPARITOR_GITHUB_TOKEN }} - name: Bump psql environment - uses: mikefarah/yq@1f0881fb5faf371694bfa108753cda0b824f5037 + uses: mikefarah/yq@5e490527de24715db37869037083f7f391dde5a6 with: cmd: yq eval '.pomerium.image.tag = "${{ needs.publish.outputs.sha-tag }}"' -i diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a89743fe3..8a19713ce 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -122,7 +122,7 @@ jobs: token: ${{ secrets.APPARITOR_GITHUB_TOKEN }} - name: Bump test environment - uses: mikefarah/yq@1f0881fb5faf371694bfa108753cda0b824f5037 + uses: mikefarah/yq@5e490527de24715db37869037083f7f391dde5a6 with: cmd: yq eval '.pomerium.image.tag = "${{ needs.goreleaser.outputs.tag }}"' -i projects/pomerium-demo/pomerium-demo/values.yaml From f4f1e2948452662e8281cda722bcbe1836fd6e0d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Nov 2022 11:20:03 -0400 Subject: [PATCH 19/25] chore(deps): bump debian from `1b1d158` to `9583740` (#3719) Bumps debian from `1b1d158` to `9583740`. --- updated-dependencies: - dependency-name: debian dependency-type: direct:production ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 9be832bf2..07655f0d4 100644 
--- a/Dockerfile +++ b/Dockerfile @@ -30,7 +30,7 @@ RUN make build-go NAME=pomerium RUN touch /config.yaml # build our own root trust store from current stable -FROM debian:stable@sha256:1b1d158efc589b1eb8858acdc95bd0ff4c5344958f834b7326662da8482b3e7d as casource +FROM debian:stable@sha256:9583740c100697a7dd186b80198a66ad24927e03437414559f90e0ed2639346e as casource RUN apt-get update && apt-get install -y ca-certificates # Remove expired root (https://github.com/pomerium/pomerium/issues/2653) RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates From 8a05c6e4f1513d3bb21b6c516d4491b3b8c66b6a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Nov 2022 07:37:32 -0600 Subject: [PATCH 20/25] chore(deps): bump github.com/docker/docker from 20.10.20+incompatible to 20.10.21+incompatible (#3712) chore(deps): bump github.com/docker/docker Bumps [github.com/docker/docker](https://github.com/docker/docker) from 20.10.20+incompatible to 20.10.21+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Changelog](https://github.com/moby/moby/blob/master/CHANGELOG.md) - [Commits](https://github.com/docker/docker/compare/v20.10.20...v20.10.21) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index fc42a6956..099473b7e 100644 --- a/go.mod +++ b/go.mod 
@@ -14,7 +14,7 @@ require ( github.com/cespare/xxhash/v2 v2.1.2 github.com/client9/misspell v0.3.4 github.com/coreos/go-oidc/v3 v3.4.0 - github.com/docker/docker v20.10.20+incompatible + github.com/docker/docker v20.10.21+incompatible github.com/envoyproxy/go-control-plane v0.10.3-0.20220819153403-8a9be01c9575 github.com/envoyproxy/protoc-gen-validate v0.6.13 github.com/fsnotify/fsnotify v1.5.4 diff --git a/go.sum b/go.sum index 5960ce441..9b4223d09 100644 --- a/go.sum +++ b/go.sum @@ -238,8 +238,8 @@ github.com/docker/cli v20.10.17+incompatible h1:eO2KS7ZFeov5UJeaDmIs1NFEDRf32Paq github.com/docker/cli v20.10.17+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68= github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v20.10.20+incompatible h1:kH9tx6XO+359d+iAkumyKDc5Q1kOwPuAUaeri48nD6E= -github.com/docker/docker v20.10.20+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v20.10.21+incompatible h1:UTLdBmHk3bEY+w8qeO5KttOhy6OmXWsl/FEet9Uswog= +github.com/docker/docker v20.10.21+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw= From 42b4a197e34be088c06ec4c2d507736b6af06cb9 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Nov 2022 07:37:58 -0600 Subject: [PATCH 21/25] chore(deps): bump github.com/fsnotify/fsnotify from 1.5.4 to 1.6.0 (#3713) Bumps [github.com/fsnotify/fsnotify](https://github.com/fsnotify/fsnotify) from 1.5.4 to 1.6.0. - [Release notes](https://github.com/fsnotify/fsnotify/releases) - [Changelog](https://github.com/fsnotify/fsnotify/blob/main/CHANGELOG.md) - [Commits](https://github.com/fsnotify/fsnotify/compare/v1.5.4...v1.6.0) --- updated-dependencies: - dependency-name: github.com/fsnotify/fsnotify dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index 099473b7e..328c5e9ee 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,7 @@ require ( github.com/docker/docker v20.10.21+incompatible github.com/envoyproxy/go-control-plane v0.10.3-0.20220819153403-8a9be01c9575 github.com/envoyproxy/protoc-gen-validate v0.6.13 - github.com/fsnotify/fsnotify v1.5.4 + github.com/fsnotify/fsnotify v1.6.0 github.com/go-chi/chi/v5 v5.0.7 github.com/go-jose/go-jose/v3 v3.0.0 github.com/go-redis/redis/v8 v8.11.5 diff --git a/go.sum b/go.sum index 9b4223d09..a2cb834e6 100644 --- a/go.sum +++ b/go.sum 
@@ -284,8 +284,9 @@ github.com/foxcpp/go-mockdns v0.0.0-20210729171921-fb145fc6f897 h1:E52jfcE64UG42 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI= github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= +github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= +github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= github.com/fxamacker/cbor/v2 v2.3.0 h1:aM45YGMctNakddNNAezPxDUpv38j44Abh+hifNuqXik= github.com/fxamacker/cbor/v2 v2.3.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= github.com/fzipp/gocyclo v0.6.0 h1:lsblElZG7d3ALtGMx9fmxeTKZaLLpU8mET09yN4BBLo= @@ -1341,6 +1342,7 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908150016-7ac13a9a928d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= From 372a7477c005c904add88b1f1473cc15a8013dad Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Nov 2022 07:38:47 -0600 Subject: [PATCH 22/25] chore(deps): bump github.com/google/go-jsonnet from 0.18.0 to 0.19.1 (#3715) Bumps [github.com/google/go-jsonnet](https://github.com/google/go-jsonnet) from 0.18.0 to 0.19.1. - [Release notes](https://github.com/google/go-jsonnet/releases) - [Changelog](https://github.com/google/go-jsonnet/blob/master/.goreleaser.yml) - [Commits](https://github.com/google/go-jsonnet/compare/v0.18.0...v0.19.1) --- updated-dependencies: - dependency-name: github.com/google/go-jsonnet dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index 328c5e9ee..d933ccdb9 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/golangci/golangci-lint v1.50.1 github.com/google/btree v1.1.2 github.com/google/go-cmp v0.5.9 - github.com/google/go-jsonnet v0.18.0 + github.com/google/go-jsonnet v0.19.1 github.com/google/uuid v1.3.0 github.com/gorilla/handlers v1.5.1 github.com/gorilla/mux v1.8.0 diff --git a/go.sum b/go.sum index a2cb834e6..b762ae1b3 100644 --- a/go.sum +++ b/go.sum 
@@ -269,7 +269,7 @@ github.com/esimonov/ifshort v1.0.4 h1:6SID4yGWfRae/M7hkVDVVyppy8q/v9OuxNdmjLQStB github.com/esimonov/ifshort v1.0.4/go.mod h1:Pe8zjlRrJ80+q2CxHLfEOfTwxCZ4O+MuhcHcfgNWTk0= github.com/ettle/strcase v0.1.1 h1:htFueZyVeE1XNnMEfbqp5r67qAN/4r6ya1ysq8Q+Zcw= github.com/ettle/strcase v0.1.1/go.mod h1:hzDLsPC7/lwKyBOywSHEP89nt2pDgdy+No1NBA9o9VY= -github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM= +github.com/fatih/color v1.12.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM= github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= github.com/fatih/structtag v1.2.0 h1:/OdNE99OxoI/PqaW/SuSK9uxxT3f/tcSZgon/ssNSx4= @@ -438,8 +438,8 @@ github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-jsonnet v0.18.0 h1:/6pTy6g+Jh1a1I2UMoAODkqELFiVIdOxbNwv0DDzoOg= -github.com/google/go-jsonnet v0.18.0/go.mod h1:C3fTzyVJDslXdiTqw/bTFk7vSGyCtH3MGRbDfvEwGd0= +github.com/google/go-jsonnet v0.19.1 h1:MORxkrG0elylUqh36R4AcSPX0oZQa9hvI3lroN+kDhs= +github.com/google/go-jsonnet v0.19.1/go.mod h1:5JVT33JVCoehdTj5Z2KJq1eIdt3Nb8PCmZ+W5D8U350= github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2YgV/PHITkO7p6wxEEj/v5nlsVWIwumwH2NI= github.com/google/go-tpm v0.3.0/go.mod h1:iVLWvrPp/bHeEkxTFi9WG6K9w0iy2yIszHwZGHPbzAw= github.com/google/go-tpm v0.3.2 h1:3iQQ2dlEf+1no7CLlfLPYzxhQy7j2G/emBqU5okydaw= From e3ab2dd81ad04a00d2d4c6cdaa85d5f07ee67f94 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Nov 2022 07:39:13 -0600 Subject: [PATCH 23/25] chore(deps): bump golang from `403f389` to `b448089` (#3718) Bumps golang from `403f389` to `b448089`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Dockerfile | 2 +- Dockerfile.debug | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 07655f0d4..f6d886de2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,7 +13,7 @@ RUN make yarn COPY ./ui/ ./ui/ RUN make build-ui -FROM golang:1.19.2-buster@sha256:403f38941d7643bc91fad0227ebee6ddd80159b79fc339f6702271a2679a5f11 as build +FROM golang:1.19.2-buster@sha256:b4480899915b13370161a7e574174212b21baccade35b4df86358d76f83da7f9 as build WORKDIR /go/src/github.com/pomerium/pomerium RUN apt-get update \ diff --git a/Dockerfile.debug b/Dockerfile.debug index 666baf5f6..c0cfcfc35 100644 --- a/Dockerfile.debug +++ b/Dockerfile.debug @@ -13,7 +13,7 @@ RUN make yarn COPY ./ui/ ./ui/ RUN make build-ui -FROM golang:1.19.2-buster@sha256:403f38941d7643bc91fad0227ebee6ddd80159b79fc339f6702271a2679a5f11 as build +FROM golang:1.19.2-buster@sha256:b4480899915b13370161a7e574174212b21baccade35b4df86358d76f83da7f9 as build WORKDIR /go/src/github.com/pomerium/pomerium RUN apt-get update \ From 7b6880cfd0678da17a9286ecd3dc10a23b310fe1 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Nov 2022 07:39:30 -0600 Subject: [PATCH 24/25] chore(deps): bump stefanzweifel/git-auto-commit-action from 4.15.2 to 4.15.3 (#3716) chore(deps): bump stefanzweifel/git-auto-commit-action Bumps [stefanzweifel/git-auto-commit-action](https://github.com/stefanzweifel/git-auto-commit-action) from 4.15.2 to 4.15.3. - [Release notes](https://github.com/stefanzweifel/git-auto-commit-action/releases) - [Changelog](https://github.com/stefanzweifel/git-auto-commit-action/blob/master/CHANGELOG.md) - [Commits](https://github.com/stefanzweifel/git-auto-commit-action/compare/2fde6fc18d3b24c2561ba4b73a8e015e863cef85...0049e3fa4059ca715255fbbcb7dea4516f02ce0a) --- updated-dependencies: - dependency-name: stefanzweifel/git-auto-commit-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/docker-main.yaml | 2 +- .github/workflows/release.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-main.yaml b/.github/workflows/docker-main.yaml index 4b1c3c786..9ee3fb831 100644 --- a/.github/workflows/docker-main.yaml +++ b/.github/workflows/docker-main.yaml @@ -90,7 +90,7 @@ jobs: projects/pomerium-master-postgres/pomerium/values.yaml - name: Commit changes - uses: stefanzweifel/git-auto-commit-action@2fde6fc18d3b24c2561ba4b73a8e015e863cef85 + uses: stefanzweifel/git-auto-commit-action@0049e3fa4059ca715255fbbcb7dea4516f02ce0a with: commit_message: | Bump test environment pomerium/pomerium diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 8a19713ce..f52b31837 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -127,7 +127,7 @@ jobs: cmd: yq eval '.pomerium.image.tag = "${{ needs.goreleaser.outputs.tag }}"' -i projects/pomerium-demo/pomerium-demo/values.yaml - name: Commit changes - uses: stefanzweifel/git-auto-commit-action@2fde6fc18d3b24c2561ba4b73a8e015e863cef85 + uses: stefanzweifel/git-auto-commit-action@0049e3fa4059ca715255fbbcb7dea4516f02ce0a with: commit_message: | Bump test environment pomerium/pomerium From bb5c80bae9334d7c63e7503a7eecc37924dddd2a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Nov 2022 07:39:50 -0600 Subject: [PATCH 25/25] chore(deps): bump google.golang.org/api from 0.100.0 to 0.101.0 (#3714) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.100.0 to 0.101.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.100.0...v0.101.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index d933ccdb9..fa45f159c 100644 --- a/go.mod +++ b/go.mod 
@@ -67,9 +67,9 @@ require ( golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e golang.org/x/net v0.1.0 golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 - golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0 - google.golang.org/api v0.100.0 - google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a + golang.org/x/sync v0.1.0 + google.golang.org/api v0.101.0 + google.golang.org/genproto v0.0.0-20221018160656-63c7b68cfc55 google.golang.org/grpc v1.50.1 google.golang.org/protobuf v1.28.1 gopkg.in/auth0.v5 v5.21.1 diff --git a/go.sum b/go.sum index b762ae1b3..1215f6ac1 100644 --- a/go.sum +++ b/go.sum @@ -1240,8 +1240,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0 h1:cu5kTvlzcw1Q5S9f5ip1/cpiB4nXvw1XYzFPGgzLUOY= -golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -1508,8 +1508,8 @@ google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69 google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw= google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg= google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o= -google.golang.org/api v0.100.0 h1:LGUYIrbW9pzYQQ8NWXlaIVkgnfubVBZbMFb9P8TK374= -google.golang.org/api v0.100.0/go.mod h1:ZE3Z2+ZOr87Rx7dqFsdRQkRBk36kDtp/h+QpHbB7a70= +google.golang.org/api v0.101.0 h1:lJPPeEBIRxGpGLwnBTam1NPEM8Z2BmmXEd3z812pjwM= +google.golang.org/api v0.101.0/go.mod h1:CjxAAWWt3A3VrUE2IGDY2bgK5qhoG/OkyWVlYcP05MY= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -1599,8 +1599,8 @@ google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= -google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a h1:GH6UPn3ixhWcKDhpnEC55S75cerLPdpp3hrhfKYjZgw= -google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= +google.golang.org/genproto v0.0.0-20221018160656-63c7b68cfc55 h1:U1u4KB2kx6KR/aJDjQ97hZ15wQs8ZPvDcGcRynBhkvg= +google.golang.org/genproto v0.0.0-20221018160656-63c7b68cfc55/go.mod h1:45EK0dUbEZ2NHjCeAd2LXmyjAgGUGrpGROgjhC3ADck= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=