Kenneth Jenkins
bbf0f60e2d
autocert: exclude non-https routes ( #5733 )
...
Exclude non-https routes from the domains eligible for autocert.
2025-07-22 09:28:33 -07:00
Caleb Doxsey
254b86c479
core: test improvements ( #5734 )
...
## Summary
Refactor the storage tests so they're mostly in `storagetest` and used
for both providers.
Use `SO_REUSEPORT` on listeners to try and make tests more reliable.
## Related issues
<!-- For example...
- #159
-->
## User Explanation
<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->
## Checklist
- [ ] reference any related issues
- [ ] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
2025-07-22 07:03:50 -06:00
Denis Mishin
f6ddb8878d
mcp: if upstream oauth does not return a refresh token, keep previous ( #5738 )
...
## Summary
Upstream OAuth2 providers may not return the refresh token at every
access token renewal request,
this PR ensures we do not accidentally overwrite the refresh token at
hand with an empty string.
## Related issues
Fix
https://linear.app/pomerium/issue/ENG-2619/mcp-upstream-oauth2-google-drive-did-not-return-refresh-token
## User Explanation
<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->
## Checklist
- [x] reference any related issues
- [ ] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [ ] ready for review
2025-07-21 21:10:32 -04:00
Caleb Doxsey
d5178f24a3
config: support multiple running services in addition to all-in-one mode ( #5656 )
...
## Summary
Currently you can either run a single service or all-in-one mode. This
PR adds support for running any 2 or 3 services together. For example
`services: authorize,proxy`.
I think I updated the conditions to make sense, but there's some risk
here as there may have been some assumptions in places I'm overlooking.
## Related issues
-
[ENG-2485](https://linear.app/pomerium/issue/ENG-2485/core-support-running-multiple-but-not-all-services )
## Checklist
- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
2025-07-21 14:28:31 -06:00
Denis Mishin
4de63aa746
mcp: add server.path convenience option ( #5726 )
...
## Summary
Adds `mcp.server.path` optional convenience option, that would be taken
into account in the `.mcp/routes` call, and would return the `url` with
defined path.
Useful when host does not mount http endpoint at root, and i.e. has
additional handlers such as `/readyz`.
## Related issues
<!-- For example...
- #159
-->
## User Explanation
<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->
## Checklist
- [ ] reference any related issues
- [ ] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [ ] ready for review
2025-07-17 11:18:55 -04:00
Caleb Doxsey
622519e901
databroker: update identity manager to use route credentials ( #5728 )
...
## Summary
Currently when we refresh sessions we always use the global IdP
credentials. This PR updates the identity manager to use route settings
when defined.
To do this a new `idp_id` field is added to the session stored in the
databroker.
## Related issues
-
[ENG-2595](https://linear.app/pomerium/issue/ENG-2595/refresh-using-custom-idp-uses-wrong-credentials )
- https://github.com/pomerium/pomerium/issues/4759
## Checklist
- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
2025-07-15 18:04:36 -06:00
Joe Kralicky
33abea3ea6
ssh: improve 'whoami' format ( #5714 )
...
Old:
```
User ID: xxx
Session ID: xxx
Expires at: 2025-07-10 08:39:40.64992461 +0000 UTC
Claims:
aud: [xxx]
email: [foo@bar.com ]
email_verified: [true]
exp: [1.75212238e+09]
family_name: [bar]
given_name: [foo]
iat: [1.75208638e+09]
iss: [https://example.com ]
name: [Foo Bar]
nickname: [foobar]
picture: [https://example.com ]
sub: [xxx]
updated_at: [2025-07-09T18:12:15.226Z]
```
New:
```
User ID: xxx
Session ID: xxx
Expires at: 2025-07-10 11:23:27.641004885 +0000 UTC (in 13h59m57s)
Claims:
aud: "xxx"
email: "foo@bar.com"
email_verified: true
exp: 2025-07-10 07:23:27 +0000 UTC (in 9h59m56s)
family_name: "bar"
given_name: "foo"
iat: 2025-07-09 21:23:27 +0000 UTC (4s ago)
iss: "https://example.com "
name: "Foo Bar"
nickname: "foobar"
picture: "https://example.com "
sub: "xxx"
updated_at: "2025-07-09T18:12:15.226Z"
```
2025-07-10 15:57:07 -04:00
Denis Mishin
8a89c975d9
mcp: delete upstream oauth2 token ( #5707 )
...
## Summary
Adds `POST /.pomerium/mcp/routes/disconnect` that allows an MCP client
application to request upstream OAuth2 tokens to be purged, so that a
user may get a new ones with possibly different scopes.
## Related issues
Fix
https://linear.app/pomerium/issue/ENG-2545/mcp-user-should-be-able-to-purge-their-upstream-oauth2-token
## User Explanation
<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->
## Checklist
- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
2025-07-08 12:46:45 -04:00
Denis Mishin
f5c5326c72
mcp: respond with jsonrpc error when MCP request is denied ( #5694 )
...
## Summary
Individual MCP method calls may be denied (i.e. via `mcp_tool`
criterion) and Pomerium has to respond with MCP protocol error, which is
JSON-RPC error message, rather then with HTTP level error which seems to
break some MCP clients.
## Related issues
Fix
https://linear.app/pomerium/issue/ENG-2521/pomerium-does-not-return-an-mcp-error-when-a-tool-call-is-unauthorized
## User Explanation
<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->
## Checklist
- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
2025-07-08 09:07:26 -06:00
Joe Kralicky
559545f686
ssh: add runtime flag for jump host mode ( #5699 )
...
Adds a new runtime flag `ssh_allow_direct_tcpip` (default false) which
enables the "jump-host mode". This is disabled by default since we are
missing related config options/policy criteria.
2025-07-07 12:29:05 -04:00
Denis Mishin
624622f236
authorize: add request body logging ( #5696 )
...
## Summary
Adds an option to log request body for protocols that perform request
inspection, such as MCP.
## Related issues
Fix
https://linear.app/pomerium/issue/ENG-2544/authorize-request-body-logging
## User Explanation
<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->
## Checklist
- [ ] reference any related issues
- [ ] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [ ] ready for review
2025-07-07 12:12:29 -04:00
Kenneth Jenkins
9678e6a231
ssh: implement authorization policy evaluation ( #5665 )
...
Implement the pkg/ssh.AuthInterface. Add logic for converting from the
ssh stream state to an evaluator request, and for interpreting the
results of policy evaluation. Refactor some of the existing authorize
logic to make it easier to reuse.
2025-07-01 12:04:00 -07:00
Joe Kralicky
9437cec21d
testenv: do not attempt to shutdown pomerium if it fails to start ( #5679 )
...
## Summary
This should fix some test flakes. If (*Pomerium).Start() fails, we
should not attempt to call (*Pomerium).Shutdown().
## Related issues
<!-- For example...
- #159
-->
## User Explanation
<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->
## Checklist
- [ ] reference any related issues
- [ ] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [ ] ready for review
2025-07-01 13:58:29 -04:00
Kenneth Jenkins
6a65c52a6c
refactor testenv mock IdP to also work standalone ( #5678 )
...
Refactor the testenv mock IdP implementation to split off the core
functionality from the testenv environment setup. Add a Start() method
to run the mock IdP as an httptest server, tied to a test lifecycle.
This allows the mock IdP to be used also in tests that do not start a
full Pomerium instance.
2025-06-27 14:04:58 -07:00
Kenneth Jenkins
717a7bdf5a
testenv: add support for SSH routes/upstreams ( #5676 )
...
Add the new types scenarios.SSH for configuring Pomerium with the global
SSH config options, and upstreams.SSHUpstream for configuring an
individual SSH upstream/route.
Add barebones device auth flow support to the testenv mock IdP, for use
with the SSH auth flow.
---------
Co-authored-by: Joe Kralicky <joekralicky@gmail.com>
2025-06-26 10:49:52 -07:00
Denis Mishin
9363457849
mcp: add mcp method and tool logging to authorize ( #5668 )
...
## Summary
Adds support for extending authorization log with Model Context Protocol
details.
i.e.
```json
{
"level": "info",
"server-name": "all",
"service": "authorize",
"mcp-method": "tools/call",
"mcp-tool": "describe_table",
"mcp-tool-parameters": { "table_name": "Categories" },
"allow": true,
"allow-why-true": ["email-ok", "mcp-tool-ok"],
"deny": false,
"deny-why-false": [],
"time": "2025-06-24T17:40:41-04:00",
"message": "authorize check"
}
```
## Related issues
Fixes
https://linear.app/pomerium/issue/ENG-2393/mcp-authorize-each-incoming-request-to-an-mcp-route
## User Explanation
<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->
## Checklist
- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
2025-06-24 20:58:51 -04:00
Denis Mishin
db6449ecca
mcp: split mcp into server and client for better option grouping ( #5666 )
2025-06-24 10:21:32 -07:00
dependabot[bot]
b0c2e2dede
chore(deps): bump the go group with 24 updates ( #5638 )
...
Bumps the go group with 24 updates:
| Package | From | To |
| --- | --- | --- |
| [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go ) | `1.53.0` | `1.55.0` |
| [github.com/VictoriaMetrics/fastcache](https://github.com/VictoriaMetrics/fastcache ) | `1.12.2` | `1.12.4` |
| [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2 ) | `1.79.3` | `1.80.0` |
| [github.com/docker/docker](https://github.com/docker/docker ) | `28.1.1+incompatible` | `28.2.2+incompatible` |
| [github.com/exaring/otelpgx](https://github.com/exaring/otelpgx ) | `0.9.1` | `0.9.3` |
| [github.com/google/go-jsonnet](https://github.com/google/go-jsonnet ) | `0.20.0` | `0.21.0` |
| [github.com/jackc/pgx/v5](https://github.com/jackc/pgx ) | `5.7.4` | `5.7.5` |
| [github.com/miekg/dns](https://github.com/miekg/dns ) | `1.1.65` | `1.1.66` |
| [github.com/minio/minio-go/v7](https://github.com/minio/minio-go ) | `7.0.91` | `7.0.92` |
| [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa ) | `1.4.2` | `1.5.0` |
| [github.com/pires/go-proxyproto](https://github.com/pires/go-proxyproto ) | `0.8.0` | `0.8.1` |
| [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go ) | `0.51.0` | `0.52.0` |
| [go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc](https://github.com/open-telemetry/opentelemetry-go-contrib ) | `0.60.0` | `0.61.0` |
| [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib ) | `0.60.0` | `0.61.0` |
| [go.opentelemetry.io/contrib/propagators/autoprop](https://github.com/open-telemetry/opentelemetry-go-contrib ) | `0.60.0` | `0.61.0` |
| [go.opentelemetry.io/otel/bridge/opencensus](https://github.com/open-telemetry/opentelemetry-go ) | `1.35.0` | `1.36.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc](https://github.com/open-telemetry/opentelemetry-go ) | `1.35.0` | `1.36.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace](https://github.com/open-telemetry/opentelemetry-go ) | `1.35.0` | `1.36.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go ) | `1.35.0` | `1.36.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://github.com/open-telemetry/opentelemetry-go ) | `1.35.0` | `1.36.0` |
| [go.opentelemetry.io/proto/otlp](https://github.com/open-telemetry/opentelemetry-proto-go ) | `1.6.0` | `1.7.0` |
| [google.golang.org/api](https://github.com/googleapis/google-api-go-client ) | `0.230.0` | `0.235.0` |
| [google.golang.org/genproto/googleapis/rpc](https://github.com/googleapis/go-genproto ) | `0.0.0-20250428153025-10db94c68c34` | `0.0.0-20250528174236-200df99c418a` |
| [google.golang.org/grpc](https://github.com/grpc/grpc-go ) | `1.72.0` | `1.72.2` |
Updates `cloud.google.com/go/storage` from 1.53.0 to 1.55.0
- [Release notes](https://github.com/googleapis/google-cloud-go/releases )
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md )
- [Commits](googleapis/google-cloud-go@spanner/v1.53.0...spanner/v1.55.0)
Updates `github.com/VictoriaMetrics/fastcache` from 1.12.2 to 1.12.4
- [Release notes](https://github.com/VictoriaMetrics/fastcache/releases )
- [Commits](VictoriaMetrics/fastcache@v1.12.2...v1.12.4)
Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.79.3 to 1.80.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases )
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json )
- [Commits](aws/aws-sdk-go-v2@service/s3/v1.79.3...service/s3/v1.80.0)
Updates `github.com/docker/docker` from 28.1.1+incompatible to 28.2.2+incompatible
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](moby/moby@v28.1.1...v28.2.2)
Updates `github.com/exaring/otelpgx` from 0.9.1 to 0.9.3
- [Release notes](https://github.com/exaring/otelpgx/releases )
- [Commits](exaring/otelpgx@v0.9.1...v0.9.3)
Updates `github.com/google/go-jsonnet` from 0.20.0 to 0.21.0
- [Release notes](https://github.com/google/go-jsonnet/releases )
- [Changelog](https://github.com/google/go-jsonnet/blob/master/.goreleaser.yml )
- [Commits](google/go-jsonnet@v0.20.0...v0.21.0)
Updates `github.com/jackc/pgx/v5` from 5.7.4 to 5.7.5
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md )
- [Commits](jackc/pgx@v5.7.4...v5.7.5)
Updates `github.com/miekg/dns` from 1.1.65 to 1.1.66
- [Changelog](https://github.com/miekg/dns/blob/master/Makefile.release )
- [Commits](miekg/dns@v1.1.65...v1.1.66)
Updates `github.com/minio/minio-go/v7` from 7.0.91 to 7.0.92
- [Release notes](https://github.com/minio/minio-go/releases )
- [Commits](minio/minio-go@v7.0.91...v7.0.92)
Updates `github.com/open-policy-agent/opa` from 1.4.2 to 1.5.0
- [Release notes](https://github.com/open-policy-agent/opa/releases )
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md )
- [Commits](open-policy-agent/opa@v1.4.2...v1.5.0)
Updates `github.com/pires/go-proxyproto` from 0.8.0 to 0.8.1
- [Release notes](https://github.com/pires/go-proxyproto/releases )
- [Commits](pires/go-proxyproto@v0.8.0...v0.8.1)
Updates `github.com/quic-go/quic-go` from 0.51.0 to 0.52.0
- [Release notes](https://github.com/quic-go/quic-go/releases )
- [Commits](quic-go/quic-go@v0.51.0...v0.52.0)
Updates `go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc` from 0.60.0 to 0.61.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md )
- [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.60.0...zpages/v0.61.0)
Updates `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` from 0.60.0 to 0.61.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md )
- [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.60.0...zpages/v0.61.0)
Updates `go.opentelemetry.io/contrib/propagators/autoprop` from 0.60.0 to 0.61.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md )
- [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.60.0...zpages/v0.61.0)
Updates `go.opentelemetry.io/otel/bridge/opencensus` from 1.35.0 to 1.36.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0)
Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc` from 1.35.0 to 1.36.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0)
Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace` from 1.35.0 to 1.36.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0)
Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc` from 1.35.0 to 1.36.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0)
Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` from 1.35.0 to 1.36.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0)
Updates `go.opentelemetry.io/proto/otlp` from 1.6.0 to 1.7.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-proto-go/releases )
- [Commits](open-telemetry/opentelemetry-proto-go@v1.6.0...v1.7.0)
Updates `google.golang.org/api` from 0.230.0 to 0.235.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases )
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md )
- [Commits](googleapis/google-api-go-client@v0.230.0...v0.235.0)
Updates `google.golang.org/genproto/googleapis/rpc` from 0.0.0-20250428153025-10db94c68c34 to 0.0.0-20250528174236-200df99c418a
- [Commits](https://github.com/googleapis/go-genproto/commits )
Updates `google.golang.org/grpc` from 1.72.0 to 1.72.2
- [Release notes](https://github.com/grpc/grpc-go/releases )
- [Commits](grpc/grpc-go@v1.72.0...v1.72.2)
---
updated-dependencies:
- dependency-name: cloud.google.com/go/storage
dependency-version: 1.55.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/VictoriaMetrics/fastcache
dependency-version: 1.12.4
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
dependency-version: 1.80.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/docker/docker
dependency-version: 28.2.2+incompatible
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/exaring/otelpgx
dependency-version: 0.9.3
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/google/go-jsonnet
dependency-version: 0.21.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/jackc/pgx/v5
dependency-version: 5.7.5
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/miekg/dns
dependency-version: 1.1.66
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/minio/minio-go/v7
dependency-version: 7.0.92
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/open-policy-agent/opa
dependency-version: 1.5.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/pires/go-proxyproto
dependency-version: 0.8.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/quic-go/quic-go
dependency-version: 0.52.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
dependency-version: 0.61.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
dependency-version: 0.61.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/contrib/propagators/autoprop
dependency-version: 0.61.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/bridge/opencensus
dependency-version: 1.36.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc
dependency-version: 1.36.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace
dependency-version: 1.36.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
dependency-version: 1.36.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
dependency-version: 1.36.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/proto/otlp
dependency-version: 1.7.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: google.golang.org/api
dependency-version: 0.235.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: google.golang.org/genproto/googleapis/rpc
dependency-version: 0.0.0-20250528174236-200df99c418a
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: google.golang.org/grpc
dependency-version: 1.72.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-06-17 09:36:50 -07:00
Denis Mishin
3cf420afc9
telemetry: backport component ( #5655 )
...
## Summary
Backport `telemetry.Component` that provides centralized tracing,
logging and metrics for operations.
## Related issues
<!-- For example...
- #159
-->
## User Explanation
<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->
## Checklist
- [ ] reference any related issues
- [ ] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [ ] ready for review
---------
Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
2025-06-16 13:10:51 -04:00
Denis Mishin
777b3b12d2
mcp: client registration/token fixes ( #5649 )
...
## Summary
Fixes to MCP code registration and token requests.
1. ease some requirements on fields that are RECOMMENDED
2. fill in defaults
3. store both request and response in the client registration
4. check client secret in the /token request
## Related issues
- Fixes
https://linear.app/pomerium/issue/ENG-2462/mcp-ignore-unknown-grant-types-in-the-client-registration
- Fixes
https://linear.app/pomerium/issue/ENG-2461/mcp-support-client-secret-in-dynamic-client-registration
## User Explanation
<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->
## Checklist
- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [ ] ready for review
2025-06-11 11:28:24 -04:00
Caleb Doxsey
9631d9ff1c
cryptutil: add a function to normalize PEM files so that leaf certificates appear first ( #5642 )
...
## Summary
Go requires that the first certificate in a bundle be the one associated
with a private key:
> LoadX509KeyPair reads and parses a public/private key pair from a pair
of files. The files must contain PEM encoded data. The certificate file
may contain intermediate certificates following the leaf certificate to
form a certificate chain. On successful return, Certificate.Leaf will be
populated.
I don't think Go is unusual in this regard, but to make the code more
tolerant, add a new `NormalizePEM` function which will take raw PEM data
and rewrite it so that leaf certificates appear first. This will be used
in zero and the enterprise console.
## Related issues
-
[ENG-2433](https://linear.app/pomerium/issue/ENG-2423/enterprise-console-updatekeypair-check-is-too-restrictive )
## Checklist
- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
2025-06-06 12:37:02 -06:00
Denis Mishin
6e765abe2e
mcp: ignore unknown fields in the client registration request ( #5643 )
...
## Summary
Some clients may send RFC7591 Client Registration Request with extra
fields that are not part of the spec, and we used too restrictive
decoder for that. This PR ignores the unknown fields.
## Related issues
<!-- For example...
- #159
-->
## User Explanation
<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->
## Checklist
- [ ] reference any related issues
- [ ] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [ ] ready for review
2025-06-04 18:27:04 -04:00
Denis Mishin
b944e68232
mcp: implement connect ( #5640 )
...
## Summary
adds implementation of `/.pomerium/mcp/connect` method, that takes a
`redirect_url` parameter and would ensure the user goes thru required
redirects so that its session is hydrated with the upstream Oauth token
for the MCP server.
the `redirect_url` parameter host must match one of the _client_ mcp
routes (currently identified by the presence of `mcp:
pass_upstream_access_token: true` in the route.
## Related issues
Fix
https://linear.app/pomerium/issue/ENG-2321/mcp-support-handling-external-oauth-servers
## User Explanation
<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->
## Checklist
- [x] reference any related issues
- [x] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
2025-06-02 17:19:34 -04:00
Caleb Doxsey
6918bf83cb
databroker: add a wait field to sync request ( #5630 )
...
## Summary
Add a new `wait` field to the sync request for the databroker. The
current behavior is to always wait for changes in a never-ending stream
of records, but there are cases where it would be useful to stream the
changes and stop when there are no changes remaining. The storage
backends already support this.
The `wait` field is optional and the default will be to wait, preserving
the existing behavior.
## Related issues
-
[ENG-2401](https://linear.app/pomerium/issue/ENG-2401/enterprise-console-improve-performance-of-directory-sync-using-cached )
## Checklist
- [x] reference any related issues
- [ ] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
2025-05-29 12:50:14 -06:00
Caleb Doxsey
13554ec78d
core: more metrics ( #5629 )
...
## Summary
Add some more metrics:
- Authenticate token verification
- Authorization log duration
- Authorization evaluator and header evaluator
- IDP token session creator
HTTP and gRPC endpoints are already instrumented via middleware, which
covers authenticate, proxy and databroker endpoints. Postgres is also
already instrumented using `otelpgx`.
## Related issues
-
[ENG-2407](https://linear.app/pomerium/issue/ENG-2407/add-additional-metrics-and-tracing-spans-to-pomerium )
## Checklist
- [x] reference any related issues
- [ ] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
2025-05-29 09:34:41 -06:00
Caleb Doxsey
180884cc21
add metrics for cache ( #5627 )
...
## Summary
Add metrics for the global cache. Configure `otel` to export metrics to
prometheus.
## Related issues
-
[ENG-2407](https://linear.app/pomerium/issue/ENG-2407/add-additional-metrics-and-tracing-spans-to-pomerium )
## Checklist
- [x] reference any related issues
- [ ] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
2025-05-28 09:49:30 -06:00
Caleb Doxsey
7a6d7c5a3c
config: use stable route ids for authorize matching and order xds responses ( #5618 )
...
## Summary
Update the `RouteID` to use the `policy.ID` if it is set. This makes it
so that updated routes use a stable identifier between updates so if the
envoy control plane is updated before the authorize service's internal
definitions (or vice-versa) the authorize service will still be able to
match the route.
The current behavior results in a 404 if envoy passes the old route id.
The new behavior will result in inconsistency, but it should be quickly
remedied. To help with debugging 4 new fields were added to the
authorize check log. The `route-id` and `route-checksum` as the
authorize sees it and the `envoy-route-id` and `envoy-route-checksum` as
envoy sees it.
I also updated the way we send updates to envoy to try and model their
recommended approach:
> In general, to avoid traffic drop, sequencing of updates should follow
a make before break model, wherein:
>
> - CDS updates (if any) must always be pushed first.
> - EDS updates (if any) must arrive after CDS updates for the
respective clusters.
> - LDS updates must arrive after corresponding CDS/EDS updates.
> - RDS updates related to the newly added listeners must arrive after
CDS/EDS/LDS updates.
> - VHDS updates (if any) related to the newly added RouteConfigurations
must arrive after RDS updates.
> - Stale CDS clusters and related EDS endpoints (ones no longer being
referenced) can then be removed.
This should help avoid 404s when configuration is being updated.
## Related issues
-
[ENG-2386](https://linear.app/pomerium/issue/ENG-2386/large-number-of-routes-leads-to-404s-and-slowness )
## Checklist
- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
2025-05-19 10:52:15 -06:00
dependabot[bot]
c1c540f876
chore(deps): bump the go group across 1 directory with 31 updates ( #5608 )
...
* chore(deps): bump the go group across 1 directory with 31 updates
---
updated-dependencies:
- dependency-name: buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go
dependency-version: 1.36.6-20250425153114-8976f5be98c1.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: cloud.google.com/go/storage
dependency-version: 1.53.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2/config
dependency-version: 1.29.14
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
dependency-version: 1.79.3
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/caddyserver/certmagic
dependency-version: 0.23.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/cloudflare/circl
dependency-version: 1.6.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/coreos/go-oidc/v3
dependency-version: 3.14.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/docker/docker
dependency-version: 28.1.1+incompatible
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/exaring/otelpgx
dependency-version: 0.9.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/fsnotify/fsnotify
dependency-version: 1.9.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/gaissmai/bart
dependency-version: 0.20.4
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/grpc-ecosystem/go-grpc-middleware/v2
dependency-version: 2.3.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/mholt/acmez/v3
dependency-version: 3.1.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/miekg/dns
dependency-version: 1.1.65
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/minio/minio-go/v7
dependency-version: 7.0.91
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/open-policy-agent/opa
dependency-version: 1.4.2
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/pires/go-proxyproto
dependency-version: 0.8.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/prometheus/client_golang
dependency-version: 1.22.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/prometheus/client_model
dependency-version: 0.6.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/prometheus/procfs
dependency-version: 0.16.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/quic-go/quic-go
dependency-version: 0.51.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/testcontainers/testcontainers-go
dependency-version: 0.37.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/proto/otlp
dependency-version: 1.6.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.uber.org/mock
dependency-version: 0.5.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: golang.org/x/crypto
dependency-version: 0.37.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: golang.org/x/net
dependency-version: 0.39.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: golang.org/x/oauth2
dependency-version: 0.29.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: golang.org/x/sync
dependency-version: 0.13.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: golang.org/x/sys
dependency-version: 0.32.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: google.golang.org/api
dependency-version: 0.230.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: google.golang.org/genproto/googleapis/rpc
dependency-version: 0.0.0-20250428153025-10db94c68c34
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
...
* hold back go-proxyproto, update protovalidate-go
The go-proxyproto module appears to have an incorrect go directive, so
hold off on this version update for now.
The bufbuild/protovalidate/protocolbuffers/go module requires a newer
version of the bufbuild/protovalidate-go module. This also introduces a
small formatting change to the validation error message in one of our
unit tests.
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
2025-05-07 10:04:03 -07:00
Denis Mishin
1a19ccabd8
mcp: add global runtime flag ( #5604 )
...
## Summary
Adds global runtime flag to enable/disable MCP support. (off by
default).
```yaml
runtime_flags:
mcp: true
```
## Related issues
Fix:
https://linear.app/pomerium/issue/ENG-2367/place-mcp-support-behind-a-runtime-flag
## User Explanation
<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->
## Checklist
- [x] reference any related issues
- [ ] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [ ] ready for review
2025-05-02 16:33:42 -04:00
Denis Mishin
6caf65a117
mcp: add list-routes client helper ( #5596 )
2025-05-01 15:02:28 -04:00
Caleb Doxsey
2d097ec2f8
add additional authorization check logs ( #5598 )
2025-05-01 10:57:28 -06:00
Denis Mishin
9d66f762e1
mcp: handle and pass upstream oauth2 tokens ( #5595 )
2025-05-01 12:42:31 -04:00
Denis Mishin
561b6040b5
mcp: redirect to upstream oauth2 for authentication ( #5594 )
2025-05-01 12:16:44 -04:00
Denis Mishin
5b024a8ada
mcp: pass access token to the upstream ( #5593 )
2025-04-29 12:13:18 -04:00
Denis Mishin
daaf5b8e30
mcp: authorize: load session from the access token ( #5591 )
2025-04-28 16:32:06 -04:00
Denis Mishin
0602f5e00d
mcp: token: handle authorization_code (pt2) ( #5589 )
2025-04-28 14:37:19 -04:00
Denis Mishin
7b9c392531
mcp: token: handle authorization_code request (pt1) ( #5587 )
2025-04-28 14:09:22 -04:00
Denis Mishin
4dd5357fe3
mcp: extend code usage ( #5588 )
2025-04-25 14:47:11 -04:00
Denis Mishin
9e4947c62f
mcp: authorize request (pt2) ( #5586 )
2025-04-24 12:11:19 -07:00
Denis Mishin
63ccf6ab93
mcp: authorize request (pt1) ( #5585 )
2025-04-24 14:59:12 -04:00
Denis Mishin
b566661353
mcp: client registration: store to the databroker ( #5584 )
2025-04-24 14:54:31 -04:00
Denis Mishin
9f4b03f916
mcp: add rfc7591 types ( #5583 )
2025-04-24 14:46:08 -04:00
Denis Mishin
db221cb826
mcp: storage scaffolding ( #5581 )
2025-04-23 13:39:27 -04:00
Denis Mishin
f1a9401ddc
mcp: scaffolding of /.pomerium/mcp routes ( #5580 )
2025-04-23 12:36:31 -04:00
Denis Mishin
cb0e8aaf06
mcp: add oauth metadata endpoint ( #5579 )
2025-04-23 12:24:00 -04:00
Caleb Doxsey
8738066ce4
storage: add sync querier ( #5570 )
...
* storage: add fallback querier
* storage: add sync querier
* storage: add typed querier
* use synced querier
2025-04-23 10:15:48 -06:00
Kenneth Jenkins
e1d84a1dde
logging: standardize on hyphens in attribute names ( #5577 )
2025-04-22 10:57:19 -07:00
Caleb Doxsey
e78cfc0687
cleanup logs ( #5571 )
2025-04-14 08:20:10 -06:00
Caleb Doxsey
a1eb75a8fe
add support for pomerium.request.headers for set_request_headers ( #5563 )
...
* add support for pomerium.request.headers for set_request_headers
* add peg grammar
2025-04-07 10:32:03 -06:00
dependabot[bot]
5f95dd32db
chore(deps): bump the go group with 39 updates ( #5559 )
...
* chore(deps): bump the go group with 39 updates
Bumps the go group with 39 updates:
| Package | From | To |
| --- | --- | --- |
| [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go ) | `1.50.0` | `1.51.0` |
| [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2 ) | `1.29.8` | `1.29.12` |
| [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2 ) | `1.78.0` | `1.79.0` |
| [github.com/bits-and-blooms/bitset](https://github.com/bits-and-blooms/bitset ) | `1.21.0` | `1.22.0` |
| [github.com/caddyserver/certmagic](https://github.com/caddyserver/certmagic ) | `0.21.7` | `0.22.2` |
| [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc ) | `3.12.0` | `3.13.0` |
| [github.com/docker/docker](https://github.com/docker/docker ) | `28.0.1+incompatible` | `28.0.4+incompatible` |
| [github.com/grpc-ecosystem/go-grpc-middleware/v2](https://github.com/grpc-ecosystem/go-grpc-middleware ) | `2.3.0` | `2.3.1` |
| [github.com/jackc/pgx/v5](https://github.com/jackc/pgx ) | `5.7.2` | `5.7.4` |
| [github.com/mholt/acmez/v3](https://github.com/mholt/acmez ) | `3.0.1` | `3.1.1` |
| [github.com/minio/minio-go/v7](https://github.com/minio/minio-go ) | `7.0.87` | `7.0.89` |
| [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa ) | `1.2.0` | `1.3.0` |
| [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang ) | `1.21.0` | `1.21.1` |
| [github.com/prometheus/common](https://github.com/prometheus/common ) | `0.62.0` | `0.63.0` |
| [github.com/prometheus/procfs](https://github.com/prometheus/procfs ) | `0.15.1` | `0.16.0` |
| [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go ) | `0.50.0` | `0.50.1` |
| [github.com/rs/zerolog](https://github.com/rs/zerolog ) | `1.33.0` | `1.34.0` |
| [github.com/spf13/viper](https://github.com/spf13/viper ) | `1.19.0` | `1.20.1` |
| [github.com/testcontainers/testcontainers-go](https://github.com/testcontainers/testcontainers-go ) | `0.35.0` | `0.36.0` |
| [go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc](https://github.com/open-telemetry/opentelemetry-go-contrib ) | `0.59.0` | `0.60.0` |
| [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib ) | `0.59.0` | `0.60.0` |
| [go.opentelemetry.io/contrib/propagators/autoprop](https://github.com/open-telemetry/opentelemetry-go-contrib ) | `0.59.0` | `0.60.0` |
| [go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go ) | `1.34.0` | `1.35.0` |
| [go.opentelemetry.io/otel/bridge/opencensus](https://github.com/open-telemetry/opentelemetry-go ) | `1.34.0` | `1.35.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc](https://github.com/open-telemetry/opentelemetry-go ) | `1.34.0` | `1.35.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace](https://github.com/open-telemetry/opentelemetry-go ) | `1.34.0` | `1.35.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go ) | `1.34.0` | `1.35.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://github.com/open-telemetry/opentelemetry-go ) | `1.34.0` | `1.35.0` |
| [go.opentelemetry.io/otel/metric](https://github.com/open-telemetry/opentelemetry-go ) | `1.34.0` | `1.35.0` |
| [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go ) | `1.34.0` | `1.35.0` |
| [go.opentelemetry.io/otel/sdk/metric](https://github.com/open-telemetry/opentelemetry-go ) | `1.34.0` | `1.35.0` |
| [go.opentelemetry.io/otel/trace](https://github.com/open-telemetry/opentelemetry-go ) | `1.34.0` | `1.35.0` |
| [golang.org/x/net](https://github.com/golang/net ) | `0.37.0` | `0.38.0` |
| [golang.org/x/oauth2](https://github.com/golang/oauth2 ) | `0.27.0` | `0.28.0` |
| [golang.org/x/time](https://github.com/golang/time ) | `0.10.0` | `0.11.0` |
| [google.golang.org/api](https://github.com/googleapis/google-api-go-client ) | `0.223.0` | `0.224.0` |
| [google.golang.org/genproto/googleapis/rpc](https://github.com/googleapis/go-genproto ) | `0.0.0-20250219182151-9fdb1cabc7b2` | `0.0.0-20250303144028-a0af3efb3deb` |
| [google.golang.org/grpc](https://github.com/grpc/grpc-go ) | `1.71.0` | `1.71.1` |
| google.golang.org/protobuf | `1.36.5` | `1.36.6` |
Updates `cloud.google.com/go/storage` from 1.50.0 to 1.51.0
- [Release notes](https://github.com/googleapis/google-cloud-go/releases )
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md )
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.50.0...spanner/v1.51.0 )
Updates `github.com/aws/aws-sdk-go-v2/config` from 1.29.8 to 1.29.12
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases )
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json )
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.29.8...config/v1.29.12 )
Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.78.0 to 1.79.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases )
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json )
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.78.0...service/s3/v1.79.0 )
Updates `github.com/bits-and-blooms/bitset` from 1.21.0 to 1.22.0
- [Release notes](https://github.com/bits-and-blooms/bitset/releases )
- [Commits](https://github.com/bits-and-blooms/bitset/compare/v1.21.0...v1.22.0 )
Updates `github.com/caddyserver/certmagic` from 0.21.7 to 0.22.2
- [Release notes](https://github.com/caddyserver/certmagic/releases )
- [Commits](https://github.com/caddyserver/certmagic/compare/v0.21.7...v0.22.2 )
Updates `github.com/coreos/go-oidc/v3` from 3.12.0 to 3.13.0
- [Release notes](https://github.com/coreos/go-oidc/releases )
- [Commits](https://github.com/coreos/go-oidc/compare/v3.12.0...v3.13.0 )
Updates `github.com/docker/docker` from 28.0.1+incompatible to 28.0.4+incompatible
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v28.0.1...v28.0.4 )
Updates `github.com/grpc-ecosystem/go-grpc-middleware/v2` from 2.3.0 to 2.3.1
- [Release notes](https://github.com/grpc-ecosystem/go-grpc-middleware/releases )
- [Commits](https://github.com/grpc-ecosystem/go-grpc-middleware/compare/v2.3.0...v2.3.1 )
Updates `github.com/jackc/pgx/v5` from 5.7.2 to 5.7.4
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md )
- [Commits](https://github.com/jackc/pgx/compare/v5.7.2...v5.7.4 )
Updates `github.com/mholt/acmez/v3` from 3.0.1 to 3.1.1
- [Release notes](https://github.com/mholt/acmez/releases )
- [Commits](https://github.com/mholt/acmez/compare/v3.0.1...v3.1.1 )
Updates `github.com/minio/minio-go/v7` from 7.0.87 to 7.0.89
- [Release notes](https://github.com/minio/minio-go/releases )
- [Commits](https://github.com/minio/minio-go/compare/v7.0.87...v7.0.89 )
Updates `github.com/open-policy-agent/opa` from 1.2.0 to 1.3.0
- [Release notes](https://github.com/open-policy-agent/opa/releases )
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-policy-agent/opa/compare/v1.2.0...v1.3.0 )
Updates `github.com/prometheus/client_golang` from 1.21.0 to 1.21.1
- [Release notes](https://github.com/prometheus/client_golang/releases )
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md )
- [Commits](https://github.com/prometheus/client_golang/compare/v1.21.0...v1.21.1 )
Updates `github.com/prometheus/common` from 0.62.0 to 0.63.0
- [Release notes](https://github.com/prometheus/common/releases )
- [Changelog](https://github.com/prometheus/common/blob/main/RELEASE.md )
- [Commits](https://github.com/prometheus/common/compare/v0.62.0...v0.63.0 )
Updates `github.com/prometheus/procfs` from 0.15.1 to 0.16.0
- [Release notes](https://github.com/prometheus/procfs/releases )
- [Commits](https://github.com/prometheus/procfs/compare/v0.15.1...v0.16.0 )
Updates `github.com/quic-go/quic-go` from 0.50.0 to 0.50.1
- [Release notes](https://github.com/quic-go/quic-go/releases )
- [Changelog](https://github.com/quic-go/quic-go/blob/master/Changelog.md )
- [Commits](https://github.com/quic-go/quic-go/compare/v0.50.0...v0.50.1 )
Updates `github.com/rs/zerolog` from 1.33.0 to 1.34.0
- [Commits](https://github.com/rs/zerolog/compare/v1.33.0...v1.34.0 )
Updates `github.com/spf13/viper` from 1.19.0 to 1.20.1
- [Release notes](https://github.com/spf13/viper/releases )
- [Commits](https://github.com/spf13/viper/compare/v1.19.0...v1.20.1 )
Updates `github.com/testcontainers/testcontainers-go` from 0.35.0 to 0.36.0
- [Release notes](https://github.com/testcontainers/testcontainers-go/releases )
- [Commits](https://github.com/testcontainers/testcontainers-go/compare/v0.35.0...v0.36.0 )
Updates `go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc` from 0.59.0 to 0.60.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.59.0...zpages/v0.60.0 )
Updates `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` from 0.59.0 to 0.60.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.59.0...zpages/v0.60.0 )
Updates `go.opentelemetry.io/contrib/propagators/autoprop` from 0.59.0 to 0.60.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.59.0...zpages/v0.60.0 )
Updates `go.opentelemetry.io/otel` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.34.0...v1.35.0 )
Updates `go.opentelemetry.io/otel/bridge/opencensus` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.34.0...v1.35.0 )
Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.34.0...v1.35.0 )
Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.34.0...v1.35.0 )
Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.34.0...v1.35.0 )
Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.34.0...v1.35.0 )
Updates `go.opentelemetry.io/otel/metric` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.34.0...v1.35.0 )
Updates `go.opentelemetry.io/otel/sdk` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.34.0...v1.35.0 )
Updates `go.opentelemetry.io/otel/sdk/metric` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.34.0...v1.35.0 )
Updates `go.opentelemetry.io/otel/trace` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.34.0...v1.35.0 )
Updates `golang.org/x/net` from 0.37.0 to 0.38.0
- [Commits](https://github.com/golang/net/compare/v0.37.0...v0.38.0 )
Updates `golang.org/x/oauth2` from 0.27.0 to 0.28.0
- [Commits](https://github.com/golang/oauth2/compare/v0.27.0...v0.28.0 )
Updates `golang.org/x/time` from 0.10.0 to 0.11.0
- [Commits](https://github.com/golang/time/compare/v0.10.0...v0.11.0 )
Updates `google.golang.org/api` from 0.223.0 to 0.224.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases )
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md )
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.223.0...v0.224.0 )
Updates `google.golang.org/genproto/googleapis/rpc` from 0.0.0-20250219182151-9fdb1cabc7b2 to 0.0.0-20250303144028-a0af3efb3deb
- [Commits](https://github.com/googleapis/go-genproto/commits )
Updates `google.golang.org/grpc` from 1.71.0 to 1.71.1
- [Release notes](https://github.com/grpc/grpc-go/releases )
- [Commits](https://github.com/grpc/grpc-go/compare/v1.71.0...v1.71.1 )
Updates `google.golang.org/protobuf` from 1.36.5 to 1.36.6
---
updated-dependencies:
- dependency-name: cloud.google.com/go/storage
dependency-version: 1.51.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2/config
dependency-version: 1.29.12
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
dependency-version: 1.79.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/bits-and-blooms/bitset
dependency-version: 1.22.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/caddyserver/certmagic
dependency-version: 0.22.2
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/coreos/go-oidc/v3
dependency-version: 3.13.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/docker/docker
dependency-version: 28.0.4+incompatible
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/grpc-ecosystem/go-grpc-middleware/v2
dependency-version: 2.3.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/jackc/pgx/v5
dependency-version: 5.7.4
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/mholt/acmez/v3
dependency-version: 3.1.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/minio/minio-go/v7
dependency-version: 7.0.89
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/open-policy-agent/opa
dependency-version: 1.3.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/prometheus/client_golang
dependency-version: 1.21.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/prometheus/common
dependency-version: 0.63.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/prometheus/procfs
dependency-version: 0.16.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/quic-go/quic-go
dependency-version: 0.50.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/rs/zerolog
dependency-version: 1.34.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/spf13/viper
dependency-version: 1.20.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/testcontainers/testcontainers-go
dependency-version: 0.36.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
dependency-version: 0.60.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
dependency-version: 0.60.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/contrib/propagators/autoprop
dependency-version: 0.60.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel
dependency-version: 1.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/bridge/opencensus
dependency-version: 1.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc
dependency-version: 1.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace
dependency-version: 1.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
dependency-version: 1.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
dependency-version: 1.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/metric
dependency-version: 1.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/sdk
dependency-version: 1.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/sdk/metric
dependency-version: 1.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/trace
dependency-version: 1.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: golang.org/x/net
dependency-version: 0.38.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: golang.org/x/oauth2
dependency-version: 0.28.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: golang.org/x/time
dependency-version: 0.11.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: google.golang.org/api
dependency-version: 0.224.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: google.golang.org/genproto/googleapis/rpc
dependency-version: 0.0.0-20250303144028-a0af3efb3deb
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: google.golang.org/grpc
dependency-version: 1.71.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: google.golang.org/protobuf
dependency-version: 1.36.6
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
...
Signed-off-by: dependabot[bot] <support@github.com>
* fix build errors
* update OPA formatting in policy generator test
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
2025-04-04 16:26:51 -07:00
