From ae23c8d939709d7de024d1dfa358aa9ed1a5b69e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 7 Oct 2025 19:54:20 +0000 Subject: [PATCH] build(deps): bump github.com/spiffe/go-spiffe/v2 from 2.5.0 to 2.6.0 Bumps [github.com/spiffe/go-spiffe/v2](https://github.com/spiffe/go-spiffe) from 2.5.0 to 2.6.0. - [Release notes](https://github.com/spiffe/go-spiffe/releases) - [Changelog](https://github.com/spiffe/go-spiffe/blob/main/CHANGELOG.md) - [Commits](https://github.com/spiffe/go-spiffe/compare/v2.5.0...v2.6.0) --- updated-dependencies: - dependency-name: github.com/spiffe/go-spiffe/v2 dependency-version: 2.6.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 5 +- go.sum | 10 +- .../go-jose/go-jose/v4/CHANGELOG.md | 101 ---- .../github.com/go-jose/go-jose/v4/README.md | 76 +-- .../github.com/go-jose/go-jose/v4/crypter.go | 4 + vendor/github.com/go-jose/go-jose/v4/jwk.go | 59 +- .../github.com/go-jose/go-jose/v4/shared.go | 1 - .../go-spiffe/v2/bundle/jwtbundle/bundle.go | 20 +- .../go-spiffe/v2/bundle/jwtbundle/set.go | 3 +- .../v2/bundle/spiffebundle/bundle.go | 28 +- .../go-spiffe/v2/bundle/spiffebundle/set.go | 7 +- .../go-spiffe/v2/bundle/x509bundle/bundle.go | 18 +- .../go-spiffe/v2/bundle/x509bundle/set.go | 3 +- .../v2/proto/spiffe/workload/workload.pb.go | 525 +++++------------- .../proto/spiffe/workload/workload_grpc.pb.go | 192 +++---- .../v2/spiffetls/tlsconfig/config.go | 1 + .../spiffe/go-spiffe/v2/svid/jwtsvid/svid.go | 38 +- .../spiffe/go-spiffe/v2/svid/x509svid/svid.go | 51 +- .../go-spiffe/v2/svid/x509svid/verify.go | 31 +- .../go-spiffe/v2/workloadapi/bundlesource.go | 17 +- .../go-spiffe/v2/workloadapi/jwtsource.go | 11 +- .../go-spiffe/v2/workloadapi/watcher.go | 4 +- .../go-spiffe/v2/workloadapi/x509source.go | 13 +- vendor/github.com/zeebo/errs/.gitignore | 1 - vendor/github.com/zeebo/errs/AUTHORS | 5 - vendor/github.com/zeebo/errs/LICENSE | 21 - vendor/github.com/zeebo/errs/README.md | 235 -------- vendor/github.com/zeebo/errs/errs.go | 298 ---------- vendor/github.com/zeebo/errs/group.go | 85 --- vendor/github.com/zeebo/errs/is_go1.20.go | 8 - vendor/github.com/zeebo/errs/is_go_other.go | 17 - vendor/modules.txt | 9 +- 32 files changed, 456 insertions(+), 1441 deletions(-) delete mode 100644 vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md delete mode 100644 vendor/github.com/zeebo/errs/.gitignore delete mode 100644 vendor/github.com/zeebo/errs/AUTHORS delete mode 100644 vendor/github.com/zeebo/errs/LICENSE delete mode 100644 vendor/github.com/zeebo/errs/README.md delete mode 100644 vendor/github.com/zeebo/errs/errs.go delete mode 100644 vendor/github.com/zeebo/errs/group.go delete mode 100644 vendor/github.com/zeebo/errs/is_go1.20.go delete mode 100644 vendor/github.com/zeebo/errs/is_go_other.go diff --git a/go.mod b/go.mod index 7bf6a6050fe..517ebc0faca 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,7 @@ require ( github.com/opencontainers/image-spec v1.1.1 // indirect github.com/pkg/errors v0.9.1 github.com/sigstore/sigstore v1.9.5 - github.com/spiffe/go-spiffe/v2 v2.5.0 + github.com/spiffe/go-spiffe/v2 v2.6.0 github.com/spiffe/spire-api-sdk v1.12.4 github.com/tektoncd/plumbing v0.0.0-20220817140952-3da8ce01aeeb go.opencensus.io v0.24.0 @@ -81,7 +81,7 @@ require ( github.com/felixge/httpsnoop v1.0.4 // indirect github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-fed/httpsig v1.1.0 // indirect - github.com/go-jose/go-jose/v4 v4.1.1 // indirect + github.com/go-jose/go-jose/v4 v4.1.2 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/golang-jwt/jwt/v5 v5.2.2 // indirect github.com/google/gnostic-models v0.6.9 // indirect @@ -112,7 +112,6 @@ require ( github.com/stoewer/go-strcase v1.3.0 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/x448/float16 v0.8.4 // indirect - github.com/zeebo/errs v1.4.0 // indirect go.opentelemetry.io/auto/sdk v1.1.0 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect diff --git a/go.sum b/go.sum index 6c298107efb..4136b64c522 100644 --- a/go.sum +++ b/go.sum @@ -462,8 +462,8 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2 github.com/go-ini/ini v1.25.4/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY= github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= -github.com/go-jose/go-jose/v4 v4.1.1 h1:JYhSgy4mXXzAdF3nUx3ygx347LRXJRrpgyU3adRmkAI= -github.com/go-jose/go-jose/v4 v4.1.1/go.mod h1:BdsZGqgdO3b6tTc6LSE56wcDbMMLuPsw5d4ZD5f94kA= +github.com/go-jose/go-jose/v4 v4.1.2 h1:TK/7NqRQZfgAh+Td8AlsrvtPoUyiHh0LqVvokh+1vHI= +github.com/go-jose/go-jose/v4 v4.1.2/go.mod h1:22cg9HWM1pOlnRiY+9cQYJ9XHmya1bYW8OeDM6Ku6Oo= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= @@ -1035,8 +1035,8 @@ github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= -github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8WS0hE= -github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g= +github.com/spiffe/go-spiffe/v2 v2.6.0 h1:l+DolpxNWYgruGQVV0xsfeya3CsC7m8iBzDnMpsbLuo= +github.com/spiffe/go-spiffe/v2 v2.6.0/go.mod h1:gm2SeUoMZEtpnzPNs2Csc0D/gX33k1xIx7lEzqblHEs= github.com/spiffe/spire-api-sdk v1.12.4 h1:RFMW7aPylHrJOPWY+w+YjElKCRUJPOUAMEyn7w4wLTU= github.com/spiffe/spire-api-sdk v1.12.4/go.mod h1:4uuhFlN6KBWjACRP3xXwrOTNnvaLp1zJs8Lribtr4fI= github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI= @@ -1111,8 +1111,6 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs= github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA= github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg= -github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM= -github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= diff --git a/vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md b/vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md deleted file mode 100644 index 66a8a0f89a6..00000000000 --- a/vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md +++ /dev/null @@ -1,101 +0,0 @@ -## Changed - - - Defined a custom error, ErrUnexpectedSignatureAlgorithm, returned when a JWS - header contains an unsupported signature algorithm. - -# v4.0.4 - -## Fixed - - - Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a - breaking change. See #136 / #137. - -# v4.0.3 - -## Changed - - - Allow unmarshalling JSONWebKeySets with unsupported key types (#130) - - Document that OpaqueKeyEncrypter can't be implemented (for now) (#129) - - Dependency updates - -# v4.0.2 - -## Changed - - - Improved documentation of Verify() to note that JSONWebKeySet is a supported - argument type (#104) - - Defined exported error values for missing x5c header and unsupported elliptic - curves error cases (#117) - -# v4.0.1 - -## Fixed - - - An attacker could send a JWE containing compressed data that used large - amounts of memory and CPU when decompressed by `Decrypt` or `DecryptMulti`. - Those functions now return an error if the decompressed data would exceed - 250kB or 10x the compressed size (whichever is larger). Thanks to - Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj) - for reporting. - -# v4.0.0 - -This release makes some breaking changes in order to more thoroughly -address the vulnerabilities discussed in [Three New Attacks Against JSON Web -Tokens][1], "Sign/encrypt confusion", "Billion hash attack", and "Polyglot -token". - -## Changed - - - Limit JWT encryption types (exclude password or public key types) (#78) - - Enforce minimum length for HMAC keys (#85) - - jwt: match any audience in a list, rather than requiring all audiences (#81) - - jwt: accept only Compact Serialization (#75) - - jws: Add expected algorithms for signatures (#74) - - Require specifying expected algorithms for ParseEncrypted, - ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned, - jwt.ParseSignedAndEncrypted (#69, #74) - - Usually there is a small, known set of appropriate algorithms for a program - to use and it's a mistake to allow unexpected algorithms. For instance the - "billion hash attack" relies in part on programs accepting the PBES2 - encryption algorithm and doing the necessary work even if they weren't - specifically configured to allow PBES2. - - Revert "Strip padding off base64 strings" (#82) - - The specs require base64url encoding without padding. - - Minimum supported Go version is now 1.21 - -## Added - - - ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON. - - These allow parsing a specific serialization, as opposed to ParseSigned and - ParseEncrypted, which try to automatically detect which serialization was - provided. It's common to require a specific serialization for a specific - protocol - for instance JWT requires Compact serialization. - -[1]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf - -# v3.0.2 - -## Fixed - - - DecryptMulti: handle decompression error (#19) - -## Changed - - - jwe/CompactSerialize: improve performance (#67) - - Increase the default number of PBKDF2 iterations to 600k (#48) - - Return the proper algorithm for ECDSA keys (#45) - -## Added - - - Add Thumbprint support for opaque signers (#38) - -# v3.0.1 - -## Fixed - - - Security issue: an attacker specifying a large "p2c" value can cause - JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large - amounts of CPU, causing a DoS. Thanks to Matt Schwager (@mschwager) for the - disclosure and to Tom Tervoort for originally publishing the category of attack. - https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf diff --git a/vendor/github.com/go-jose/go-jose/v4/README.md b/vendor/github.com/go-jose/go-jose/v4/README.md index 02b5749546b..ca5f1d790b8 100644 --- a/vendor/github.com/go-jose/go-jose/v4/README.md +++ b/vendor/github.com/go-jose/go-jose/v4/README.md @@ -3,7 +3,6 @@ [![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4) [![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4/jwt.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4/jwt) [![license](https://img.shields.io/badge/license-apache_2.0-blue.svg?style=flat)](https://raw.githubusercontent.com/go-jose/go-jose/master/LICENSE) -[![test](https://img.shields.io/github/checks-status/go-jose/go-jose/v4)](https://github.com/go-jose/go-jose/actions) Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. This includes support for JSON Web Encryption, @@ -29,17 +28,20 @@ libraries in other languages. ### Versions -[Version 4](https://github.com/go-jose/go-jose) -([branch](https://github.com/go-jose/go-jose/tree/main), -[doc](https://pkg.go.dev/github.com/go-jose/go-jose/v4), [releases](https://github.com/go-jose/go-jose/releases)) is the current stable version: +The forthcoming Version 5 will be released with several breaking API changes, +and will require Golang's `encoding/json/v2`, which is currently requires +Go 1.25 built with GOEXPERIMENT=jsonv2. + +Version 4 is the current stable version: import "github.com/go-jose/go-jose/v4" -The old [square/go-jose](https://github.com/square/go-jose) repo contains the prior v1 and v2 versions, which -are still useable but not actively developed anymore. +It supports at least the current and previous Golang release. Currently it +requires Golang 1.23. + +Version 3 is only receiving critical security updates. Migration to Version 4 is recommended. -Version 3, in this repo, is still receiving security fixes but not functionality -updates. +Versions 1 and 2 are obsolete, but can be found in the old repository, [square/go-jose](https://github.com/square/go-jose). ### Supported algorithms @@ -47,36 +49,36 @@ See below for a table of supported algorithms. Algorithm identifiers match the names in the [JSON Web Algorithms](https://dx.doi.org/10.17487/RFC7518) standard where possible. The Godoc reference has a list of constants. - Key encryption | Algorithm identifier(s) - :------------------------- | :------------------------------ - RSA-PKCS#1v1.5 | RSA1_5 - RSA-OAEP | RSA-OAEP, RSA-OAEP-256 - AES key wrap | A128KW, A192KW, A256KW - AES-GCM key wrap | A128GCMKW, A192GCMKW, A256GCMKW - ECDH-ES + AES key wrap | ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW - ECDH-ES (direct) | ECDH-ES1 - Direct encryption | dir1 +| Key encryption | Algorithm identifier(s) | +|:-----------------------|:-----------------------------------------------| +| RSA-PKCS#1v1.5 | RSA1_5 | +| RSA-OAEP | RSA-OAEP, RSA-OAEP-256 | +| AES key wrap | A128KW, A192KW, A256KW | +| AES-GCM key wrap | A128GCMKW, A192GCMKW, A256GCMKW | +| ECDH-ES + AES key wrap | ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW | +| ECDH-ES (direct) | ECDH-ES1 | +| Direct encryption | dir1 | 1. Not supported in multi-recipient mode - Signing / MAC | Algorithm identifier(s) - :------------------------- | :------------------------------ - RSASSA-PKCS#1v1.5 | RS256, RS384, RS512 - RSASSA-PSS | PS256, PS384, PS512 - HMAC | HS256, HS384, HS512 - ECDSA | ES256, ES384, ES512 - Ed25519 | EdDSA2 +| Signing / MAC | Algorithm identifier(s) | +|:------------------|:------------------------| +| RSASSA-PKCS#1v1.5 | RS256, RS384, RS512 | +| RSASSA-PSS | PS256, PS384, PS512 | +| HMAC | HS256, HS384, HS512 | +| ECDSA | ES256, ES384, ES512 | +| Ed25519 | EdDSA2 | 2. Only available in version 2 of the package - Content encryption | Algorithm identifier(s) - :------------------------- | :------------------------------ - AES-CBC+HMAC | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 - AES-GCM | A128GCM, A192GCM, A256GCM +| Content encryption | Algorithm identifier(s) | +|:-------------------|:--------------------------------------------| +| AES-CBC+HMAC | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 | +| AES-GCM | A128GCM, A192GCM, A256GCM | - Compression | Algorithm identifiers(s) - :------------------------- | ------------------------------- - DEFLATE (RFC 1951) | DEF +| Compression | Algorithm identifiers(s) | +|:-------------------|--------------------------| +| DEFLATE (RFC 1951) | DEF | ### Supported key types @@ -85,12 +87,12 @@ library, and can be passed to corresponding functions such as `NewEncrypter` or `NewSigner`. Each of these keys can also be wrapped in a JWK if desired, which allows attaching a key id. - Algorithm(s) | Corresponding types - :------------------------- | ------------------------------- - RSA | *[rsa.PublicKey](https://pkg.go.dev/crypto/rsa/#PublicKey), *[rsa.PrivateKey](https://pkg.go.dev/crypto/rsa/#PrivateKey) - ECDH, ECDSA | *[ecdsa.PublicKey](https://pkg.go.dev/crypto/ecdsa/#PublicKey), *[ecdsa.PrivateKey](https://pkg.go.dev/crypto/ecdsa/#PrivateKey) - EdDSA1 | [ed25519.PublicKey](https://pkg.go.dev/crypto/ed25519#PublicKey), [ed25519.PrivateKey](https://pkg.go.dev/crypto/ed25519#PrivateKey) - AES, HMAC | []byte +| Algorithm(s) | Corresponding types | +|:------------------|--------------------------------------------------------------------------------------------------------------------------------------| +| RSA | *[rsa.PublicKey](https://pkg.go.dev/crypto/rsa/#PublicKey), *[rsa.PrivateKey](https://pkg.go.dev/crypto/rsa/#PrivateKey) | +| ECDH, ECDSA | *[ecdsa.PublicKey](https://pkg.go.dev/crypto/ecdsa/#PublicKey), *[ecdsa.PrivateKey](https://pkg.go.dev/crypto/ecdsa/#PrivateKey) | +| EdDSA1 | [ed25519.PublicKey](https://pkg.go.dev/crypto/ed25519#PublicKey), [ed25519.PrivateKey](https://pkg.go.dev/crypto/ed25519#PrivateKey) | +| AES, HMAC | []byte | 1. Only available in version 2 or later of the package diff --git a/vendor/github.com/go-jose/go-jose/v4/crypter.go b/vendor/github.com/go-jose/go-jose/v4/crypter.go index d81b03b4474..ab02a28e26b 100644 --- a/vendor/github.com/go-jose/go-jose/v4/crypter.go +++ b/vendor/github.com/go-jose/go-jose/v4/crypter.go @@ -286,6 +286,10 @@ func makeJWERecipient(alg KeyAlgorithm, encryptionKey interface{}) (recipientKey return newSymmetricRecipient(alg, encryptionKey) case string: return newSymmetricRecipient(alg, []byte(encryptionKey)) + case JSONWebKey: + recipient, err := makeJWERecipient(alg, encryptionKey.Key) + recipient.keyID = encryptionKey.KeyID + return recipient, err case *JSONWebKey: recipient, err := makeJWERecipient(alg, encryptionKey.Key) recipient.keyID = encryptionKey.KeyID diff --git a/vendor/github.com/go-jose/go-jose/v4/jwk.go b/vendor/github.com/go-jose/go-jose/v4/jwk.go index 9700f8906c4..164d6a16197 100644 --- a/vendor/github.com/go-jose/go-jose/v4/jwk.go +++ b/vendor/github.com/go-jose/go-jose/v4/jwk.go @@ -175,6 +175,8 @@ func (k JSONWebKey) MarshalJSON() ([]byte, error) { } // UnmarshalJSON reads a key from its JSON representation. +// +// Returns ErrUnsupportedKeyType for unrecognized or unsupported "kty" header values. func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) { var raw rawJSONWebKey err = json.Unmarshal(data, &raw) @@ -228,7 +230,7 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) { } key, err = raw.symmetricKey() case "OKP": - if raw.Crv == "Ed25519" && raw.X != nil { + if raw.Crv == "Ed25519" { if raw.D != nil { key, err = raw.edPrivateKey() if err == nil { @@ -238,17 +240,27 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) { key, err = raw.edPublicKey() keyPub = key } - } else { - return fmt.Errorf("go-jose/go-jose: unknown curve '%s'", raw.Crv) } - default: - return fmt.Errorf("go-jose/go-jose: unknown json web key type '%s'", raw.Kty) + case "": + // kty MUST be present + err = fmt.Errorf("go-jose/go-jose: missing json web key type") } if err != nil { return } + if key == nil { + // RFC 7517: + // 5. JWK Set Format + // ... + // Implementations SHOULD ignore JWKs within a JWK Set that use "kty" + // (key type) values that are not understood by them, that are missing + // required members, or for which values are out of the supported + // ranges. + return ErrUnsupportedKeyType + } + if certPub != nil && keyPub != nil { if !reflect.DeepEqual(certPub, keyPub) { return errors.New("go-jose/go-jose: invalid JWK, public keys in key and x5c fields do not match") @@ -581,10 +593,10 @@ func fromEcPublicKey(pub *ecdsa.PublicKey) (*rawJSONWebKey, error) { func (key rawJSONWebKey) edPrivateKey() (ed25519.PrivateKey, error) { var missing []string - switch { - case key.D == nil: + if key.D == nil { missing = append(missing, "D") - case key.X == nil: + } + if key.X == nil { missing = append(missing, "X") } @@ -611,19 +623,21 @@ func (key rawJSONWebKey) edPublicKey() (ed25519.PublicKey, error) { func (key rawJSONWebKey) rsaPrivateKey() (*rsa.PrivateKey, error) { var missing []string - switch { - case key.N == nil: + if key.N == nil { missing = append(missing, "N") - case key.E == nil: + } + if key.E == nil { missing = append(missing, "E") - case key.D == nil: + } + if key.D == nil { missing = append(missing, "D") - case key.P == nil: + } + if key.P == nil { missing = append(missing, "P") - case key.Q == nil: + } + if key.Q == nil { missing = append(missing, "Q") } - if len(missing) > 0 { return nil, fmt.Errorf("go-jose/go-jose: invalid RSA private key, missing %s value(s)", strings.Join(missing, ", ")) } @@ -698,8 +712,19 @@ func (key rawJSONWebKey) ecPrivateKey() (*ecdsa.PrivateKey, error) { return nil, fmt.Errorf("go-jose/go-jose: unsupported elliptic curve '%s'", key.Crv) } - if key.X == nil || key.Y == nil || key.D == nil { - return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, missing x/y/d values") + var missing []string + if key.X == nil { + missing = append(missing, "X") + } + if key.Y == nil { + missing = append(missing, "Y") + } + if key.D == nil { + missing = append(missing, "D") + } + + if len(missing) > 0 { + return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, missing %s value(s)", strings.Join(missing, ", ")) } // The length of this octet string MUST be the full size of a coordinate for diff --git a/vendor/github.com/go-jose/go-jose/v4/shared.go b/vendor/github.com/go-jose/go-jose/v4/shared.go index 1ec33961265..56a81b258d0 100644 --- a/vendor/github.com/go-jose/go-jose/v4/shared.go +++ b/vendor/github.com/go-jose/go-jose/v4/shared.go @@ -22,7 +22,6 @@ import ( "encoding/base64" "errors" "fmt" - "github.com/go-jose/go-jose/v4/json" ) diff --git a/vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/bundle.go b/vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/bundle.go index ebd3cacd47b..78cdaddfcad 100644 --- a/vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/bundle.go +++ b/vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/bundle.go @@ -4,6 +4,7 @@ import ( "crypto" "encoding/json" "errors" + "fmt" "io" "os" "sync" @@ -11,11 +12,8 @@ import ( "github.com/go-jose/go-jose/v4" "github.com/spiffe/go-spiffe/v2/internal/jwtutil" "github.com/spiffe/go-spiffe/v2/spiffeid" - "github.com/zeebo/errs" ) -var jwtbundleErr = errs.Class("jwtbundle") - // Bundle is a collection of trusted JWT authorities for a trust domain. type Bundle struct { trustDomain spiffeid.TrustDomain @@ -44,7 +42,7 @@ func FromJWTAuthorities(trustDomain spiffeid.TrustDomain, jwtAuthorities map[str func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error) { bundleBytes, err := os.ReadFile(path) if err != nil { - return nil, jwtbundleErr.New("unable to read JWT bundle: %w", err) + return nil, wrapJwtbundleErr(fmt.Errorf("unable to read JWT bundle: %w", err)) } return Parse(trustDomain, bundleBytes) @@ -54,7 +52,7 @@ func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error) { func Read(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error) { b, err := io.ReadAll(r) if err != nil { - return nil, jwtbundleErr.New("unable to read: %v", err) + return nil, wrapJwtbundleErr(fmt.Errorf("unable to read: %v", err)) } return Parse(trustDomain, b) @@ -64,13 +62,13 @@ func Read(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error) { func Parse(trustDomain spiffeid.TrustDomain, bundleBytes []byte) (*Bundle, error) { jwks := new(jose.JSONWebKeySet) if err := json.Unmarshal(bundleBytes, jwks); err != nil { - return nil, jwtbundleErr.New("unable to parse JWKS: %v", err) + return nil, wrapJwtbundleErr(fmt.Errorf("unable to parse JWKS: %v", err)) } bundle := New(trustDomain) for i, key := range jwks.Keys { if err := bundle.AddJWTAuthority(key.KeyID, key.Key); err != nil { - return nil, jwtbundleErr.New("error adding authority %d of JWKS: %v", i, errors.Unwrap(err)) + return nil, wrapJwtbundleErr(fmt.Errorf("error adding authority %d of JWKS: %v", i, errors.Unwrap(err))) } } @@ -116,7 +114,7 @@ func (b *Bundle) HasJWTAuthority(keyID string) bool { // under the given key ID, it is replaced. A key ID must be specified. func (b *Bundle) AddJWTAuthority(keyID string, jwtAuthority crypto.PublicKey) error { if keyID == "" { - return jwtbundleErr.New("keyID cannot be empty") + return wrapJwtbundleErr(errors.New("keyID cannot be empty")) } b.mtx.Lock() @@ -193,8 +191,12 @@ func (b *Bundle) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (* defer b.mtx.RUnlock() if b.trustDomain != trustDomain { - return nil, jwtbundleErr.New("no JWT bundle for trust domain %q", trustDomain) + return nil, wrapJwtbundleErr(fmt.Errorf("no JWT bundle for trust domain %q", trustDomain)) } return b, nil } + +func wrapJwtbundleErr(err error) error { + return fmt.Errorf("jwtbundle: %w", err) +} diff --git a/vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/set.go b/vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/set.go index 048dd0d8a8a..ec0836ec77e 100644 --- a/vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/set.go +++ b/vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/set.go @@ -1,6 +1,7 @@ package jwtbundle import ( + "fmt" "sort" "sync" @@ -98,7 +99,7 @@ func (s *Set) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bun bundle, ok := s.bundles[trustDomain] if !ok { - return nil, jwtbundleErr.New("no JWT bundle for trust domain %q", trustDomain) + return nil, wrapJwtbundleErr(fmt.Errorf("no JWT bundle for trust domain %q", trustDomain)) } return bundle, nil diff --git a/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/bundle.go b/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/bundle.go index 13b103e24cc..712ec636bdd 100644 --- a/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/bundle.go +++ b/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/bundle.go @@ -5,6 +5,7 @@ import ( "crypto/x509" "encoding/json" "errors" + "fmt" "io" "os" "sync" @@ -16,7 +17,6 @@ import ( "github.com/spiffe/go-spiffe/v2/internal/jwtutil" "github.com/spiffe/go-spiffe/v2/internal/x509util" "github.com/spiffe/go-spiffe/v2/spiffeid" - "github.com/zeebo/errs" ) const ( @@ -24,8 +24,6 @@ const ( jwtSVIDUse = "jwt-svid" ) -var spiffebundleErr = errs.Class("spiffebundle") - type bundleDoc struct { jose.JSONWebKeySet SequenceNumber *uint64 `json:"spiffe_sequence,omitempty"` @@ -59,7 +57,7 @@ func New(trustDomain spiffeid.TrustDomain) *Bundle { func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error) { bundleBytes, err := os.ReadFile(path) if err != nil { - return nil, spiffebundleErr.New("unable to read SPIFFE bundle: %w", err) + return nil, wrapSpiffebundleErr(fmt.Errorf("unable to read SPIFFE bundle: %w", err)) } return Parse(trustDomain, bundleBytes) @@ -70,7 +68,7 @@ func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error) { func Read(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error) { b, err := io.ReadAll(r) if err != nil { - return nil, spiffebundleErr.New("unable to read: %v", err) + return nil, wrapSpiffebundleErr(fmt.Errorf("unable to read: %v", err)) } return Parse(trustDomain, b) @@ -81,7 +79,7 @@ func Read(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error) { func Parse(trustDomain spiffeid.TrustDomain, bundleBytes []byte) (*Bundle, error) { jwks := &bundleDoc{} if err := json.Unmarshal(bundleBytes, jwks); err != nil { - return nil, spiffebundleErr.New("unable to parse JWKS: %v", err) + return nil, wrapSpiffebundleErr(fmt.Errorf("unable to parse JWKS: %v", err)) } bundle := New(trustDomain) @@ -95,19 +93,19 @@ func Parse(trustDomain spiffeid.TrustDomain, bundleBytes []byte) (*Bundle, error if jwks.Keys == nil { // The parameter keys MUST be present. // https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#413-keys - return nil, spiffebundleErr.New("no authorities found") + return nil, wrapSpiffebundleErr(errors.New("no authorities found")) } for i, key := range jwks.Keys { switch key.Use { // Two SVID types are supported: x509-svid and jwt-svid. case x509SVIDUse: if len(key.Certificates) != 1 { - return nil, spiffebundleErr.New("expected a single certificate in %s entry %d; got %d", x509SVIDUse, i, len(key.Certificates)) + return nil, wrapSpiffebundleErr(fmt.Errorf("expected a single certificate in %s entry %d; got %d", x509SVIDUse, i, len(key.Certificates))) } bundle.AddX509Authority(key.Certificates[0]) case jwtSVIDUse: if err := bundle.AddJWTAuthority(key.KeyID, key.Key); err != nil { - return nil, spiffebundleErr.New("error adding authority %d of JWKS: %v", i, errors.Unwrap(err)) + return nil, wrapSpiffebundleErr(fmt.Errorf("error adding authority %d of JWKS: %v", i, errors.Unwrap(err))) } } } @@ -239,7 +237,7 @@ func (b *Bundle) HasJWTAuthority(keyID string) bool { // under the given key ID, it is replaced. A key ID must be specified. func (b *Bundle) AddJWTAuthority(keyID string, jwtAuthority crypto.PublicKey) error { if keyID == "" { - return spiffebundleErr.New("keyID cannot be empty") + return wrapSpiffebundleErr(errors.New("keyID cannot be empty")) } b.mtx.Lock() @@ -405,7 +403,7 @@ func (b *Bundle) GetBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bun defer b.mtx.RUnlock() if b.trustDomain != trustDomain { - return nil, spiffebundleErr.New("no SPIFFE bundle for trust domain %q", trustDomain) + return nil, wrapSpiffebundleErr(fmt.Errorf("no SPIFFE bundle for trust domain %q", trustDomain)) } return b, nil @@ -419,7 +417,7 @@ func (b *Bundle) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) ( defer b.mtx.RUnlock() if b.trustDomain != trustDomain { - return nil, spiffebundleErr.New("no X.509 bundle for trust domain %q", trustDomain) + return nil, wrapSpiffebundleErr(fmt.Errorf("no X.509 bundle for trust domain %q", trustDomain)) } return b.X509Bundle(), nil @@ -433,7 +431,7 @@ func (b *Bundle) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (* defer b.mtx.RUnlock() if b.trustDomain != trustDomain { - return nil, spiffebundleErr.New("no JWT bundle for trust domain %q", trustDomain) + return nil, wrapSpiffebundleErr(fmt.Errorf("no JWT bundle for trust domain %q", trustDomain)) } return b.JWTBundle(), nil @@ -483,3 +481,7 @@ func copySequenceNumber(sequenceNumber *uint64) *uint64 { copied := *sequenceNumber return &copied } + +func wrapSpiffebundleErr(err error) error { + return fmt.Errorf("spiffebundle: %w", err) +} diff --git a/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/set.go b/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/set.go index 2738135c04a..e0d5d4568bf 100644 --- a/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/set.go +++ b/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/set.go @@ -1,6 +1,7 @@ package spiffebundle import ( + "fmt" "sort" "sync" @@ -100,7 +101,7 @@ func (s *Set) GetBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle bundle, ok := s.bundles[trustDomain] if !ok { - return nil, spiffebundleErr.New("no SPIFFE bundle for trust domain %q", trustDomain) + return nil, wrapSpiffebundleErr(fmt.Errorf("no SPIFFE bundle for trust domain %q", trustDomain)) } return bundle, nil @@ -114,7 +115,7 @@ func (s *Set) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*x5 bundle, ok := s.bundles[trustDomain] if !ok { - return nil, spiffebundleErr.New("no X.509 bundle for trust domain %q", trustDomain) + return nil, wrapSpiffebundleErr(fmt.Errorf("no X.509 bundle for trust domain %q", trustDomain)) } return bundle.X509Bundle(), nil @@ -128,7 +129,7 @@ func (s *Set) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*jwt bundle, ok := s.bundles[trustDomain] if !ok { - return nil, spiffebundleErr.New("no JWT bundle for trust domain %q", trustDomain) + return nil, wrapSpiffebundleErr(fmt.Errorf("no JWT bundle for trust domain %q", trustDomain)) } return bundle.JWTBundle(), nil diff --git a/vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/bundle.go b/vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/bundle.go index a70bb62fd70..4cc816d24fb 100644 --- a/vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/bundle.go +++ b/vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/bundle.go @@ -2,6 +2,7 @@ package x509bundle import ( "crypto/x509" + "fmt" "io" "os" "sync" @@ -9,11 +10,8 @@ import ( "github.com/spiffe/go-spiffe/v2/internal/pemutil" "github.com/spiffe/go-spiffe/v2/internal/x509util" "github.com/spiffe/go-spiffe/v2/spiffeid" - "github.com/zeebo/errs" ) -var x509bundleErr = errs.Class("x509bundle") - // Bundle is a collection of trusted X.509 authorities for a trust domain. type Bundle struct { trustDomain spiffeid.TrustDomain @@ -42,7 +40,7 @@ func FromX509Authorities(trustDomain spiffeid.TrustDomain, authorities []*x509.C func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error) { fileBytes, err := os.ReadFile(path) if err != nil { - return nil, x509bundleErr.New("unable to load X.509 bundle file: %w", err) + return nil, wrapX509bundleErr(fmt.Errorf("unable to load X.509 bundle file: %w", err)) } return Parse(trustDomain, fileBytes) @@ -53,7 +51,7 @@ func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error) { func Read(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error) { b, err := io.ReadAll(r) if err != nil { - return nil, x509bundleErr.New("unable to read X.509 bundle: %v", err) + return nil, wrapX509bundleErr(fmt.Errorf("unable to read X.509 bundle: %v", err)) } return Parse(trustDomain, b) @@ -69,7 +67,7 @@ func Parse(trustDomain spiffeid.TrustDomain, b []byte) (*Bundle, error) { certs, err := pemutil.ParseCertificates(b) if err != nil { - return nil, x509bundleErr.New("cannot parse certificate: %v", err) + return nil, wrapX509bundleErr(fmt.Errorf("cannot parse certificate: %v", err)) } for _, cert := range certs { bundle.AddX509Authority(cert) @@ -87,7 +85,7 @@ func ParseRaw(trustDomain spiffeid.TrustDomain, b []byte) (*Bundle, error) { certs, err := x509.ParseCertificates(b) if err != nil { - return nil, x509bundleErr.New("cannot parse certificate: %v", err) + return nil, wrapX509bundleErr(fmt.Errorf("cannot parse certificate: %v", err)) } for _, cert := range certs { bundle.AddX509Authority(cert) @@ -195,8 +193,12 @@ func (b *Bundle) Clone() *Bundle { // returned if the trust domain does not match that of the bundle. func (b *Bundle) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error) { if b.trustDomain != trustDomain { - return nil, x509bundleErr.New("no X.509 bundle found for trust domain: %q", trustDomain) + return nil, wrapX509bundleErr(fmt.Errorf("no X.509 bundle found for trust domain: %q", trustDomain)) } return b, nil } + +func wrapX509bundleErr(err error) error { + return fmt.Errorf("x509bundle: %w", err) +} diff --git a/vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/set.go b/vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/set.go index 522e2492656..9a90d40e637 100644 --- a/vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/set.go +++ b/vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/set.go @@ -1,6 +1,7 @@ package x509bundle import ( + "fmt" "sort" "sync" @@ -98,7 +99,7 @@ func (s *Set) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bu bundle, ok := s.bundles[trustDomain] if !ok { - return nil, x509bundleErr.New("no X.509 bundle for trust domain %q", trustDomain) + return nil, wrapX509bundleErr(fmt.Errorf("no X.509 bundle for trust domain %q", trustDomain)) } return bundle, nil diff --git a/vendor/github.com/spiffe/go-spiffe/v2/proto/spiffe/workload/workload.pb.go b/vendor/github.com/spiffe/go-spiffe/v2/proto/spiffe/workload/workload.pb.go index d5fd87acfe1..46f42511945 100644 --- a/vendor/github.com/spiffe/go-spiffe/v2/proto/spiffe/workload/workload.pb.go +++ b/vendor/github.com/spiffe/go-spiffe/v2/proto/spiffe/workload/workload.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.28.1 -// protoc v3.14.0 +// protoc-gen-go v1.36.6 +// protoc v6.30.2 // source: workload.proto package workload @@ -12,6 +12,7 @@ import ( structpb "google.golang.org/protobuf/types/known/structpb" reflect "reflect" sync "sync" + unsafe "unsafe" ) const ( @@ -24,18 +25,16 @@ const ( // The X509SVIDRequest message conveys parameters for requesting an X.509-SVID. // There are currently no request parameters. type X509SVIDRequest struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache + state protoimpl.MessageState `protogen:"open.v1"` unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *X509SVIDRequest) Reset() { *x = X509SVIDRequest{} - if protoimpl.UnsafeEnabled { - mi := &file_workload_proto_msgTypes[0] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } + mi := &file_workload_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) } func (x *X509SVIDRequest) String() string { @@ -46,7 +45,7 @@ func (*X509SVIDRequest) ProtoMessage() {} func (x *X509SVIDRequest) ProtoReflect() protoreflect.Message { mi := &file_workload_proto_msgTypes[0] - if protoimpl.UnsafeEnabled && x != nil { + if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -65,10 +64,7 @@ func (*X509SVIDRequest) Descriptor() ([]byte, []int) { // including a set of global CRLs and a list of bundles the workload may use // for federating with foreign trust domains. type X509SVIDResponse struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - + state protoimpl.MessageState `protogen:"open.v1"` // Required. A list of X509SVID messages, each of which includes a single // X.509-SVID, its private key, and the bundle for the trust domain. Svids []*X509SVID `protobuf:"bytes,1,rep,name=svids,proto3" json:"svids,omitempty"` @@ -77,16 +73,16 @@ type X509SVIDResponse struct { // Optional. CA certificate bundles belonging to foreign trust domains that // the workload should trust, keyed by the SPIFFE ID of the foreign trust // domain. Bundles are ASN.1 DER encoded. - FederatedBundles map[string][]byte `protobuf:"bytes,3,rep,name=federated_bundles,json=federatedBundles,proto3" json:"federated_bundles,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` + FederatedBundles map[string][]byte `protobuf:"bytes,3,rep,name=federated_bundles,json=federatedBundles,proto3" json:"federated_bundles,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *X509SVIDResponse) Reset() { *x = X509SVIDResponse{} - if protoimpl.UnsafeEnabled { - mi := &file_workload_proto_msgTypes[1] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } + mi := &file_workload_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) } func (x *X509SVIDResponse) String() string { @@ -97,7 +93,7 @@ func (*X509SVIDResponse) ProtoMessage() {} func (x *X509SVIDResponse) ProtoReflect() protoreflect.Message { mi := &file_workload_proto_msgTypes[1] - if protoimpl.UnsafeEnabled && x != nil { + if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -136,10 +132,7 @@ func (x *X509SVIDResponse) GetFederatedBundles() map[string][]byte { // The X509SVID message carries a single SVID and all associated information, // including the X.509 bundle for the trust domain. type X509SVID struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - + state protoimpl.MessageState `protogen:"open.v1"` // Required. The SPIFFE ID of the SVID in this entry SpiffeId string `protobuf:"bytes,1,opt,name=spiffe_id,json=spiffeId,proto3" json:"spiffe_id,omitempty"` // Required. ASN.1 DER encoded certificate chain. MAY include @@ -153,16 +146,16 @@ type X509SVID struct { // identity should be used by a workload when more than one SVID is returned. // For example, `internal` and `external` to indicate an SVID for internal or // external use, respectively. - Hint string `protobuf:"bytes,5,opt,name=hint,proto3" json:"hint,omitempty"` + Hint string `protobuf:"bytes,5,opt,name=hint,proto3" json:"hint,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *X509SVID) Reset() { *x = X509SVID{} - if protoimpl.UnsafeEnabled { - mi := &file_workload_proto_msgTypes[2] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } + mi := &file_workload_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) } func (x *X509SVID) String() string { @@ -173,7 +166,7 @@ func (*X509SVID) ProtoMessage() {} func (x *X509SVID) ProtoReflect() protoreflect.Message { mi := &file_workload_proto_msgTypes[2] - if protoimpl.UnsafeEnabled && x != nil { + if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -226,18 +219,16 @@ func (x *X509SVID) GetHint() string { // The X509BundlesRequest message conveys parameters for requesting X.509 // bundles. There are currently no such parameters. type X509BundlesRequest struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache + state protoimpl.MessageState `protogen:"open.v1"` unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *X509BundlesRequest) Reset() { *x = X509BundlesRequest{} - if protoimpl.UnsafeEnabled { - mi := &file_workload_proto_msgTypes[3] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } + mi := &file_workload_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) } func (x *X509BundlesRequest) String() string { @@ -248,7 +239,7 @@ func (*X509BundlesRequest) ProtoMessage() {} func (x *X509BundlesRequest) ProtoReflect() protoreflect.Message { mi := &file_workload_proto_msgTypes[3] - if protoimpl.UnsafeEnabled && x != nil { + if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -266,25 +257,22 @@ func (*X509BundlesRequest) Descriptor() ([]byte, []int) { // The X509BundlesResponse message carries a set of global CRLs and a map of // trust bundles the workload should trust. type X509BundlesResponse struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - + state protoimpl.MessageState `protogen:"open.v1"` // Optional. ASN.1 DER encoded certificate revocation lists. Crl [][]byte `protobuf:"bytes,1,rep,name=crl,proto3" json:"crl,omitempty"` // Required. CA certificate bundles belonging to trust domains that the // workload should trust, keyed by the SPIFFE ID of the trust domain. // Bundles are ASN.1 DER encoded. - Bundles map[string][]byte `protobuf:"bytes,2,rep,name=bundles,proto3" json:"bundles,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` + Bundles map[string][]byte `protobuf:"bytes,2,rep,name=bundles,proto3" json:"bundles,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *X509BundlesResponse) Reset() { *x = X509BundlesResponse{} - if protoimpl.UnsafeEnabled { - mi := &file_workload_proto_msgTypes[4] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } + mi := &file_workload_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) } func (x *X509BundlesResponse) String() string { @@ -295,7 +283,7 @@ func (*X509BundlesResponse) ProtoMessage() {} func (x *X509BundlesResponse) ProtoReflect() protoreflect.Message { mi := &file_workload_proto_msgTypes[4] - if protoimpl.UnsafeEnabled && x != nil { + if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -325,24 +313,21 @@ func (x *X509BundlesResponse) GetBundles() map[string][]byte { } type JWTSVIDRequest struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - + state protoimpl.MessageState `protogen:"open.v1"` // Required. The audience(s) the workload intends to authenticate against. Audience []string `protobuf:"bytes,1,rep,name=audience,proto3" json:"audience,omitempty"` // Optional. The requested SPIFFE ID for the JWT-SVID. If unset, all // JWT-SVIDs to which the workload is entitled are requested. - SpiffeId string `protobuf:"bytes,2,opt,name=spiffe_id,json=spiffeId,proto3" json:"spiffe_id,omitempty"` + SpiffeId string `protobuf:"bytes,2,opt,name=spiffe_id,json=spiffeId,proto3" json:"spiffe_id,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *JWTSVIDRequest) Reset() { *x = JWTSVIDRequest{} - if protoimpl.UnsafeEnabled { - mi := &file_workload_proto_msgTypes[5] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } + mi := &file_workload_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) } func (x *JWTSVIDRequest) String() string { @@ -353,7 +338,7 @@ func (*JWTSVIDRequest) ProtoMessage() {} func (x *JWTSVIDRequest) ProtoReflect() protoreflect.Message { mi := &file_workload_proto_msgTypes[5] - if protoimpl.UnsafeEnabled && x != nil { + if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -384,21 +369,18 @@ func (x *JWTSVIDRequest) GetSpiffeId() string { // The JWTSVIDResponse message conveys JWT-SVIDs. type JWTSVIDResponse struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - + state protoimpl.MessageState `protogen:"open.v1"` // Required. The list of returned JWT-SVIDs. - Svids []*JWTSVID `protobuf:"bytes,1,rep,name=svids,proto3" json:"svids,omitempty"` + Svids []*JWTSVID `protobuf:"bytes,1,rep,name=svids,proto3" json:"svids,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *JWTSVIDResponse) Reset() { *x = JWTSVIDResponse{} - if protoimpl.UnsafeEnabled { - mi := &file_workload_proto_msgTypes[6] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } + mi := &file_workload_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) } func (x *JWTSVIDResponse) String() string { @@ -409,7 +391,7 @@ func (*JWTSVIDResponse) ProtoMessage() {} func (x *JWTSVIDResponse) ProtoReflect() protoreflect.Message { mi := &file_workload_proto_msgTypes[6] - if protoimpl.UnsafeEnabled && x != nil { + if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -433,10 +415,7 @@ func (x *JWTSVIDResponse) GetSvids() []*JWTSVID { // The JWTSVID message carries the JWT-SVID token and associated metadata. type JWTSVID struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - + state protoimpl.MessageState `protogen:"open.v1"` // Required. The SPIFFE ID of the JWT-SVID. SpiffeId string `protobuf:"bytes,1,opt,name=spiffe_id,json=spiffeId,proto3" json:"spiffe_id,omitempty"` // Required. Encoded JWT using JWS Compact Serialization. @@ -445,16 +424,16 @@ type JWTSVID struct { // identity should be used by a workload when more than one SVID is returned. // For example, `internal` and `external` to indicate an SVID for internal or // external use, respectively. - Hint string `protobuf:"bytes,3,opt,name=hint,proto3" json:"hint,omitempty"` + Hint string `protobuf:"bytes,3,opt,name=hint,proto3" json:"hint,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *JWTSVID) Reset() { *x = JWTSVID{} - if protoimpl.UnsafeEnabled { - mi := &file_workload_proto_msgTypes[7] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } + mi := &file_workload_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) } func (x *JWTSVID) String() string { @@ -465,7 +444,7 @@ func (*JWTSVID) ProtoMessage() {} func (x *JWTSVID) ProtoReflect() protoreflect.Message { mi := &file_workload_proto_msgTypes[7] - if protoimpl.UnsafeEnabled && x != nil { + if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -504,18 +483,16 @@ func (x *JWTSVID) GetHint() string { // The JWTBundlesRequest message conveys parameters for requesting JWT bundles. // There are currently no such parameters. type JWTBundlesRequest struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache + state protoimpl.MessageState `protogen:"open.v1"` unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *JWTBundlesRequest) Reset() { *x = JWTBundlesRequest{} - if protoimpl.UnsafeEnabled { - mi := &file_workload_proto_msgTypes[8] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } + mi := &file_workload_proto_msgTypes[8] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) } func (x *JWTBundlesRequest) String() string { @@ -526,7 +503,7 @@ func (*JWTBundlesRequest) ProtoMessage() {} func (x *JWTBundlesRequest) ProtoReflect() protoreflect.Message { mi := &file_workload_proto_msgTypes[8] - if protoimpl.UnsafeEnabled && x != nil { + if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -543,22 +520,19 @@ func (*JWTBundlesRequest) Descriptor() ([]byte, []int) { // The JWTBundlesReponse conveys JWT bundles. type JWTBundlesResponse struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - + state protoimpl.MessageState `protogen:"open.v1"` // Required. JWK encoded JWT bundles, keyed by the SPIFFE ID of the trust // domain. - Bundles map[string][]byte `protobuf:"bytes,1,rep,name=bundles,proto3" json:"bundles,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` + Bundles map[string][]byte `protobuf:"bytes,1,rep,name=bundles,proto3" json:"bundles,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *JWTBundlesResponse) Reset() { *x = JWTBundlesResponse{} - if protoimpl.UnsafeEnabled { - mi := &file_workload_proto_msgTypes[9] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } + mi := &file_workload_proto_msgTypes[9] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) } func (x *JWTBundlesResponse) String() string { @@ -569,7 +543,7 @@ func (*JWTBundlesResponse) ProtoMessage() {} func (x *JWTBundlesResponse) ProtoReflect() protoreflect.Message { mi := &file_workload_proto_msgTypes[9] - if protoimpl.UnsafeEnabled && x != nil { + if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -594,26 +568,23 @@ func (x *JWTBundlesResponse) GetBundles() map[string][]byte { // The ValidateJWTSVIDRequest message conveys request parameters for // JWT-SVID validation. type ValidateJWTSVIDRequest struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - + state protoimpl.MessageState `protogen:"open.v1"` // Required. The audience of the validating party. The JWT-SVID must // contain an audience claim which contains this value in order to // succesfully validate. Audience string `protobuf:"bytes,1,opt,name=audience,proto3" json:"audience,omitempty"` // Required. The JWT-SVID to validate, encoded using JWS Compact // Serialization. - Svid string `protobuf:"bytes,2,opt,name=svid,proto3" json:"svid,omitempty"` + Svid string `protobuf:"bytes,2,opt,name=svid,proto3" json:"svid,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *ValidateJWTSVIDRequest) Reset() { *x = ValidateJWTSVIDRequest{} - if protoimpl.UnsafeEnabled { - mi := &file_workload_proto_msgTypes[10] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } + mi := &file_workload_proto_msgTypes[10] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) } func (x *ValidateJWTSVIDRequest) String() string { @@ -624,7 +595,7 @@ func (*ValidateJWTSVIDRequest) ProtoMessage() {} func (x *ValidateJWTSVIDRequest) ProtoReflect() protoreflect.Message { mi := &file_workload_proto_msgTypes[10] - if protoimpl.UnsafeEnabled && x != nil { + if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -655,24 +626,21 @@ func (x *ValidateJWTSVIDRequest) GetSvid() string { // The ValidateJWTSVIDReponse message conveys the JWT-SVID validation results. type ValidateJWTSVIDResponse struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - + state protoimpl.MessageState `protogen:"open.v1"` // Required. The SPIFFE ID of the validated JWT-SVID. SpiffeId string `protobuf:"bytes,1,opt,name=spiffe_id,json=spiffeId,proto3" json:"spiffe_id,omitempty"` // Optional. Arbitrary claims contained within the payload of the validated // JWT-SVID. - Claims *structpb.Struct `protobuf:"bytes,2,opt,name=claims,proto3" json:"claims,omitempty"` + Claims *structpb.Struct `protobuf:"bytes,2,opt,name=claims,proto3" json:"claims,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *ValidateJWTSVIDResponse) Reset() { *x = ValidateJWTSVIDResponse{} - if protoimpl.UnsafeEnabled { - mi := &file_workload_proto_msgTypes[11] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } + mi := &file_workload_proto_msgTypes[11] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) } func (x *ValidateJWTSVIDResponse) String() string { @@ -683,7 +651,7 @@ func (*ValidateJWTSVIDResponse) ProtoMessage() {} func (x *ValidateJWTSVIDResponse) ProtoReflect() protoreflect.Message { mi := &file_workload_proto_msgTypes[11] - if protoimpl.UnsafeEnabled && x != nil { + if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) @@ -714,122 +682,72 @@ func (x *ValidateJWTSVIDResponse) GetClaims() *structpb.Struct { var File_workload_proto protoreflect.FileDescriptor -var file_workload_proto_rawDesc = []byte{ - 0x0a, 0x0e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x1a, 0x1c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, - 0x66, 0x2f, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x11, - 0x0a, 0x0f, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x22, 0xe0, 0x01, 0x0a, 0x10, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1f, 0x0a, 0x05, 0x73, 0x76, 0x69, 0x64, 0x73, 0x18, - 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x09, 0x2e, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, - 0x52, 0x05, 0x73, 0x76, 0x69, 0x64, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x63, 0x72, 0x6c, 0x18, 0x02, - 0x20, 0x03, 0x28, 0x0c, 0x52, 0x03, 0x63, 0x72, 0x6c, 0x12, 0x54, 0x0a, 0x11, 0x66, 0x65, 0x64, - 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x18, 0x03, - 0x20, 0x03, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, 0x52, - 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x46, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x65, - 0x64, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x10, 0x66, - 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x1a, - 0x43, 0x0a, 0x15, 0x46, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x42, 0x75, 0x6e, 0x64, - 0x6c, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, - 0x3a, 0x02, 0x38, 0x01, 0x22, 0x94, 0x01, 0x0a, 0x08, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, - 0x44, 0x12, 0x1b, 0x0a, 0x09, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x49, 0x64, 0x12, 0x1b, - 0x0a, 0x09, 0x78, 0x35, 0x30, 0x39, 0x5f, 0x73, 0x76, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x0c, 0x52, 0x08, 0x78, 0x35, 0x30, 0x39, 0x53, 0x76, 0x69, 0x64, 0x12, 0x22, 0x0a, 0x0d, 0x78, - 0x35, 0x30, 0x39, 0x5f, 0x73, 0x76, 0x69, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x0c, 0x52, 0x0b, 0x78, 0x35, 0x30, 0x39, 0x53, 0x76, 0x69, 0x64, 0x4b, 0x65, 0x79, 0x12, - 0x16, 0x0a, 0x06, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, - 0x06, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x68, 0x69, 0x6e, 0x74, 0x18, - 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x68, 0x69, 0x6e, 0x74, 0x22, 0x14, 0x0a, 0x12, 0x58, - 0x35, 0x30, 0x39, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x22, 0xa0, 0x01, 0x0a, 0x13, 0x58, 0x35, 0x30, 0x39, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, - 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x63, 0x72, 0x6c, - 0x18, 0x01, 0x20, 0x03, 0x28, 0x0c, 0x52, 0x03, 0x63, 0x72, 0x6c, 0x12, 0x3b, 0x0a, 0x07, 0x62, - 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x58, - 0x35, 0x30, 0x39, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x2e, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, - 0x07, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x1a, 0x3a, 0x0a, 0x0c, 0x42, 0x75, 0x6e, 0x64, - 0x6c, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, - 0x3a, 0x02, 0x38, 0x01, 0x22, 0x49, 0x0a, 0x0e, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, - 0x63, 0x65, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, - 0x63, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x5f, 0x69, 0x64, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x49, 0x64, 0x22, - 0x31, 0x0a, 0x0f, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x05, 0x73, 0x76, 0x69, 0x64, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, - 0x0b, 0x32, 0x08, 0x2e, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x52, 0x05, 0x73, 0x76, 0x69, - 0x64, 0x73, 0x22, 0x4e, 0x0a, 0x07, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x12, 0x1b, 0x0a, - 0x09, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x08, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x49, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x76, - 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x73, 0x76, 0x69, 0x64, 0x12, 0x12, - 0x0a, 0x04, 0x68, 0x69, 0x6e, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x68, 0x69, - 0x6e, 0x74, 0x22, 0x13, 0x0a, 0x11, 0x4a, 0x57, 0x54, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x8c, 0x01, 0x0a, 0x12, 0x4a, 0x57, 0x54, 0x42, - 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3a, - 0x0a, 0x07, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, - 0x20, 0x2e, 0x4a, 0x57, 0x54, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, - 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, - 0x79, 0x52, 0x07, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x1a, 0x3a, 0x0a, 0x0c, 0x42, 0x75, - 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, - 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, - 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c, - 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x48, 0x0a, 0x16, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, - 0x74, 0x65, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, - 0x73, 0x76, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x73, 0x76, 0x69, 0x64, - 0x22, 0x67, 0x0a, 0x17, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x4a, 0x57, 0x54, 0x53, - 0x56, 0x49, 0x44, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x73, - 0x70, 0x69, 0x66, 0x66, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, - 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x49, 0x64, 0x12, 0x2f, 0x0a, 0x06, 0x63, 0x6c, 0x61, 0x69, - 0x6d, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, - 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x75, 0x63, - 0x74, 0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x32, 0xc3, 0x02, 0x0a, 0x11, 0x53, 0x70, - 0x69, 0x66, 0x66, 0x65, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x50, 0x49, 0x12, - 0x36, 0x0a, 0x0d, 0x46, 0x65, 0x74, 0x63, 0x68, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, - 0x12, 0x10, 0x2e, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x11, 0x2e, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, 0x52, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x30, 0x01, 0x12, 0x3f, 0x0a, 0x10, 0x46, 0x65, 0x74, 0x63, 0x68, - 0x58, 0x35, 0x30, 0x39, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x12, 0x13, 0x2e, 0x58, 0x35, - 0x30, 0x39, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x1a, 0x14, 0x2e, 0x58, 0x35, 0x30, 0x39, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x30, 0x01, 0x12, 0x31, 0x0a, 0x0c, 0x46, 0x65, 0x74, 0x63, - 0x68, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x12, 0x0f, 0x2e, 0x4a, 0x57, 0x54, 0x53, 0x56, - 0x49, 0x44, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x4a, 0x57, 0x54, 0x53, - 0x56, 0x49, 0x44, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3c, 0x0a, 0x0f, 0x46, - 0x65, 0x74, 0x63, 0x68, 0x4a, 0x57, 0x54, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x12, 0x12, - 0x2e, 0x4a, 0x57, 0x54, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x13, 0x2e, 0x4a, 0x57, 0x54, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x52, - 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x30, 0x01, 0x12, 0x44, 0x0a, 0x0f, 0x56, 0x61, 0x6c, - 0x69, 0x64, 0x61, 0x74, 0x65, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x12, 0x17, 0x2e, 0x56, - 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x18, 0x2e, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, - 0x4a, 0x57, 0x54, 0x53, 0x56, 0x49, 0x44, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, - 0x3f, 0x5a, 0x3d, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x70, - 0x69, 0x66, 0x66, 0x65, 0x2f, 0x67, 0x6f, 0x2d, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x2f, 0x76, - 0x32, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x2f, 0x77, - 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x3b, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, - 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -} +const file_workload_proto_rawDesc = "" + + "\n" + + "\x0eworkload.proto\x1a\x1cgoogle/protobuf/struct.proto\"\x11\n" + + "\x0fX509SVIDRequest\"\xe0\x01\n" + + "\x10X509SVIDResponse\x12\x1f\n" + + "\x05svids\x18\x01 \x03(\v2\t.X509SVIDR\x05svids\x12\x10\n" + + "\x03crl\x18\x02 \x03(\fR\x03crl\x12T\n" + + "\x11federated_bundles\x18\x03 \x03(\v2'.X509SVIDResponse.FederatedBundlesEntryR\x10federatedBundles\x1aC\n" + + "\x15FederatedBundlesEntry\x12\x10\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + + "\x05value\x18\x02 \x01(\fR\x05value:\x028\x01\"\x94\x01\n" + + "\bX509SVID\x12\x1b\n" + + "\tspiffe_id\x18\x01 \x01(\tR\bspiffeId\x12\x1b\n" + + "\tx509_svid\x18\x02 \x01(\fR\bx509Svid\x12\"\n" + + "\rx509_svid_key\x18\x03 \x01(\fR\vx509SvidKey\x12\x16\n" + + "\x06bundle\x18\x04 \x01(\fR\x06bundle\x12\x12\n" + + "\x04hint\x18\x05 \x01(\tR\x04hint\"\x14\n" + + "\x12X509BundlesRequest\"\xa0\x01\n" + + "\x13X509BundlesResponse\x12\x10\n" + + "\x03crl\x18\x01 \x03(\fR\x03crl\x12;\n" + + "\abundles\x18\x02 \x03(\v2!.X509BundlesResponse.BundlesEntryR\abundles\x1a:\n" + + "\fBundlesEntry\x12\x10\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + + "\x05value\x18\x02 \x01(\fR\x05value:\x028\x01\"I\n" + + "\x0eJWTSVIDRequest\x12\x1a\n" + + "\baudience\x18\x01 \x03(\tR\baudience\x12\x1b\n" + + "\tspiffe_id\x18\x02 \x01(\tR\bspiffeId\"1\n" + + "\x0fJWTSVIDResponse\x12\x1e\n" + + "\x05svids\x18\x01 \x03(\v2\b.JWTSVIDR\x05svids\"N\n" + + "\aJWTSVID\x12\x1b\n" + + "\tspiffe_id\x18\x01 \x01(\tR\bspiffeId\x12\x12\n" + + "\x04svid\x18\x02 \x01(\tR\x04svid\x12\x12\n" + + "\x04hint\x18\x03 \x01(\tR\x04hint\"\x13\n" + + "\x11JWTBundlesRequest\"\x8c\x01\n" + + "\x12JWTBundlesResponse\x12:\n" + + "\abundles\x18\x01 \x03(\v2 .JWTBundlesResponse.BundlesEntryR\abundles\x1a:\n" + + "\fBundlesEntry\x12\x10\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + + "\x05value\x18\x02 \x01(\fR\x05value:\x028\x01\"H\n" + + "\x16ValidateJWTSVIDRequest\x12\x1a\n" + + "\baudience\x18\x01 \x01(\tR\baudience\x12\x12\n" + + "\x04svid\x18\x02 \x01(\tR\x04svid\"g\n" + + "\x17ValidateJWTSVIDResponse\x12\x1b\n" + + "\tspiffe_id\x18\x01 \x01(\tR\bspiffeId\x12/\n" + + "\x06claims\x18\x02 \x01(\v2\x17.google.protobuf.StructR\x06claims2\xc3\x02\n" + + "\x11SpiffeWorkloadAPI\x126\n" + + "\rFetchX509SVID\x12\x10.X509SVIDRequest\x1a\x11.X509SVIDResponse0\x01\x12?\n" + + "\x10FetchX509Bundles\x12\x13.X509BundlesRequest\x1a\x14.X509BundlesResponse0\x01\x121\n" + + "\fFetchJWTSVID\x12\x0f.JWTSVIDRequest\x1a\x10.JWTSVIDResponse\x12<\n" + + "\x0fFetchJWTBundles\x12\x12.JWTBundlesRequest\x1a\x13.JWTBundlesResponse0\x01\x12D\n" + + "\x0fValidateJWTSVID\x12\x17.ValidateJWTSVIDRequest\x1a\x18.ValidateJWTSVIDResponseB?Z=github.com/spiffe/go-spiffe/v2/proto/spiffe/workload;workloadb\x06proto3" var ( file_workload_proto_rawDescOnce sync.Once - file_workload_proto_rawDescData = file_workload_proto_rawDesc + file_workload_proto_rawDescData []byte ) func file_workload_proto_rawDescGZIP() []byte { file_workload_proto_rawDescOnce.Do(func() { - file_workload_proto_rawDescData = protoimpl.X.CompressGZIP(file_workload_proto_rawDescData) + file_workload_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_workload_proto_rawDesc), len(file_workload_proto_rawDesc))) }) return file_workload_proto_rawDescData } var file_workload_proto_msgTypes = make([]protoimpl.MessageInfo, 15) -var file_workload_proto_goTypes = []interface{}{ +var file_workload_proto_goTypes = []any{ (*X509SVIDRequest)(nil), // 0: X509SVIDRequest (*X509SVIDResponse)(nil), // 1: X509SVIDResponse (*X509SVID)(nil), // 2: X509SVID @@ -876,157 +794,11 @@ func file_workload_proto_init() { if File_workload_proto != nil { return } - if !protoimpl.UnsafeEnabled { - file_workload_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*X509SVIDRequest); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_workload_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*X509SVIDResponse); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_workload_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*X509SVID); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_workload_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*X509BundlesRequest); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_workload_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*X509BundlesResponse); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_workload_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*JWTSVIDRequest); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_workload_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*JWTSVIDResponse); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_workload_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*JWTSVID); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_workload_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*JWTBundlesRequest); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_workload_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*JWTBundlesResponse); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_workload_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ValidateJWTSVIDRequest); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_workload_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ValidateJWTSVIDResponse); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - } type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_workload_proto_rawDesc, + RawDescriptor: unsafe.Slice(unsafe.StringData(file_workload_proto_rawDesc), len(file_workload_proto_rawDesc)), NumEnums: 0, NumMessages: 15, NumExtensions: 0, @@ -1037,7 +809,6 @@ func file_workload_proto_init() { MessageInfos: file_workload_proto_msgTypes, }.Build() File_workload_proto = out.File - file_workload_proto_rawDesc = nil file_workload_proto_goTypes = nil file_workload_proto_depIdxs = nil } diff --git a/vendor/github.com/spiffe/go-spiffe/v2/proto/spiffe/workload/workload_grpc.pb.go b/vendor/github.com/spiffe/go-spiffe/v2/proto/spiffe/workload/workload_grpc.pb.go index 4dcb38736c7..0203d5f7a40 100644 --- a/vendor/github.com/spiffe/go-spiffe/v2/proto/spiffe/workload/workload_grpc.pb.go +++ b/vendor/github.com/spiffe/go-spiffe/v2/proto/spiffe/workload/workload_grpc.pb.go @@ -1,4 +1,8 @@ // Code generated by protoc-gen-go-grpc. DO NOT EDIT. +// versions: +// - protoc-gen-go-grpc v1.5.1 +// - protoc v6.30.2 +// source: workload.proto package workload @@ -11,7 +15,16 @@ import ( // This is a compile-time assertion to ensure that this generated file // is compatible with the grpc package it is being compiled against. -const _ = grpc.SupportPackageIsVersion7 +// Requires gRPC-Go v1.64.0 or later. +const _ = grpc.SupportPackageIsVersion9 + +const ( + SpiffeWorkloadAPI_FetchX509SVID_FullMethodName = "/SpiffeWorkloadAPI/FetchX509SVID" + SpiffeWorkloadAPI_FetchX509Bundles_FullMethodName = "/SpiffeWorkloadAPI/FetchX509Bundles" + SpiffeWorkloadAPI_FetchJWTSVID_FullMethodName = "/SpiffeWorkloadAPI/FetchJWTSVID" + SpiffeWorkloadAPI_FetchJWTBundles_FullMethodName = "/SpiffeWorkloadAPI/FetchJWTBundles" + SpiffeWorkloadAPI_ValidateJWTSVID_FullMethodName = "/SpiffeWorkloadAPI/ValidateJWTSVID" +) // SpiffeWorkloadAPIClient is the client API for SpiffeWorkloadAPI service. // @@ -21,12 +34,12 @@ type SpiffeWorkloadAPIClient interface { // as well as related information like trust bundles and CRLs. As this // information changes, subsequent messages will be streamed from the // server. - FetchX509SVID(ctx context.Context, in *X509SVIDRequest, opts ...grpc.CallOption) (SpiffeWorkloadAPI_FetchX509SVIDClient, error) + FetchX509SVID(ctx context.Context, in *X509SVIDRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[X509SVIDResponse], error) // Fetch trust bundles and CRLs. Useful for clients that only need to // validate SVIDs without obtaining an SVID for themself. As this // information changes, subsequent messages will be streamed from the // server. - FetchX509Bundles(ctx context.Context, in *X509BundlesRequest, opts ...grpc.CallOption) (SpiffeWorkloadAPI_FetchX509BundlesClient, error) + FetchX509Bundles(ctx context.Context, in *X509BundlesRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[X509BundlesResponse], error) // Fetch JWT-SVIDs for all SPIFFE identities the workload is entitled to, // for the requested audience. If an optional SPIFFE ID is requested, only // the JWT-SVID for that SPIFFE ID is returned. @@ -34,7 +47,7 @@ type SpiffeWorkloadAPIClient interface { // Fetches the JWT bundles, formatted as JWKS documents, keyed by the // SPIFFE ID of the trust domain. As this information changes, subsequent // messages will be streamed from the server. - FetchJWTBundles(ctx context.Context, in *JWTBundlesRequest, opts ...grpc.CallOption) (SpiffeWorkloadAPI_FetchJWTBundlesClient, error) + FetchJWTBundles(ctx context.Context, in *JWTBundlesRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[JWTBundlesResponse], error) // Validates a JWT-SVID against the requested audience. Returns the SPIFFE // ID of the JWT-SVID and JWT claims. ValidateJWTSVID(ctx context.Context, in *ValidateJWTSVIDRequest, opts ...grpc.CallOption) (*ValidateJWTSVIDResponse, error) @@ -48,12 +61,13 @@ func NewSpiffeWorkloadAPIClient(cc grpc.ClientConnInterface) SpiffeWorkloadAPICl return &spiffeWorkloadAPIClient{cc} } -func (c *spiffeWorkloadAPIClient) FetchX509SVID(ctx context.Context, in *X509SVIDRequest, opts ...grpc.CallOption) (SpiffeWorkloadAPI_FetchX509SVIDClient, error) { - stream, err := c.cc.NewStream(ctx, &_SpiffeWorkloadAPI_serviceDesc.Streams[0], "/SpiffeWorkloadAPI/FetchX509SVID", opts...) +func (c *spiffeWorkloadAPIClient) FetchX509SVID(ctx context.Context, in *X509SVIDRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[X509SVIDResponse], error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + stream, err := c.cc.NewStream(ctx, &SpiffeWorkloadAPI_ServiceDesc.Streams[0], SpiffeWorkloadAPI_FetchX509SVID_FullMethodName, cOpts...) if err != nil { return nil, err } - x := &spiffeWorkloadAPIFetchX509SVIDClient{stream} + x := &grpc.GenericClientStream[X509SVIDRequest, X509SVIDResponse]{ClientStream: stream} if err := x.ClientStream.SendMsg(in); err != nil { return nil, err } @@ -63,29 +77,16 @@ func (c *spiffeWorkloadAPIClient) FetchX509SVID(ctx context.Context, in *X509SVI return x, nil } -type SpiffeWorkloadAPI_FetchX509SVIDClient interface { - Recv() (*X509SVIDResponse, error) - grpc.ClientStream -} - -type spiffeWorkloadAPIFetchX509SVIDClient struct { - grpc.ClientStream -} - -func (x *spiffeWorkloadAPIFetchX509SVIDClient) Recv() (*X509SVIDResponse, error) { - m := new(X509SVIDResponse) - if err := x.ClientStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} +// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name. +type SpiffeWorkloadAPI_FetchX509SVIDClient = grpc.ServerStreamingClient[X509SVIDResponse] -func (c *spiffeWorkloadAPIClient) FetchX509Bundles(ctx context.Context, in *X509BundlesRequest, opts ...grpc.CallOption) (SpiffeWorkloadAPI_FetchX509BundlesClient, error) { - stream, err := c.cc.NewStream(ctx, &_SpiffeWorkloadAPI_serviceDesc.Streams[1], "/SpiffeWorkloadAPI/FetchX509Bundles", opts...) +func (c *spiffeWorkloadAPIClient) FetchX509Bundles(ctx context.Context, in *X509BundlesRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[X509BundlesResponse], error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + stream, err := c.cc.NewStream(ctx, &SpiffeWorkloadAPI_ServiceDesc.Streams[1], SpiffeWorkloadAPI_FetchX509Bundles_FullMethodName, cOpts...) if err != nil { return nil, err } - x := &spiffeWorkloadAPIFetchX509BundlesClient{stream} + x := &grpc.GenericClientStream[X509BundlesRequest, X509BundlesResponse]{ClientStream: stream} if err := x.ClientStream.SendMsg(in); err != nil { return nil, err } @@ -95,38 +96,26 @@ func (c *spiffeWorkloadAPIClient) FetchX509Bundles(ctx context.Context, in *X509 return x, nil } -type SpiffeWorkloadAPI_FetchX509BundlesClient interface { - Recv() (*X509BundlesResponse, error) - grpc.ClientStream -} - -type spiffeWorkloadAPIFetchX509BundlesClient struct { - grpc.ClientStream -} - -func (x *spiffeWorkloadAPIFetchX509BundlesClient) Recv() (*X509BundlesResponse, error) { - m := new(X509BundlesResponse) - if err := x.ClientStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} +// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name. +type SpiffeWorkloadAPI_FetchX509BundlesClient = grpc.ServerStreamingClient[X509BundlesResponse] func (c *spiffeWorkloadAPIClient) FetchJWTSVID(ctx context.Context, in *JWTSVIDRequest, opts ...grpc.CallOption) (*JWTSVIDResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) out := new(JWTSVIDResponse) - err := c.cc.Invoke(ctx, "/SpiffeWorkloadAPI/FetchJWTSVID", in, out, opts...) + err := c.cc.Invoke(ctx, SpiffeWorkloadAPI_FetchJWTSVID_FullMethodName, in, out, cOpts...) if err != nil { return nil, err } return out, nil } -func (c *spiffeWorkloadAPIClient) FetchJWTBundles(ctx context.Context, in *JWTBundlesRequest, opts ...grpc.CallOption) (SpiffeWorkloadAPI_FetchJWTBundlesClient, error) { - stream, err := c.cc.NewStream(ctx, &_SpiffeWorkloadAPI_serviceDesc.Streams[2], "/SpiffeWorkloadAPI/FetchJWTBundles", opts...) +func (c *spiffeWorkloadAPIClient) FetchJWTBundles(ctx context.Context, in *JWTBundlesRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[JWTBundlesResponse], error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + stream, err := c.cc.NewStream(ctx, &SpiffeWorkloadAPI_ServiceDesc.Streams[2], SpiffeWorkloadAPI_FetchJWTBundles_FullMethodName, cOpts...) if err != nil { return nil, err } - x := &spiffeWorkloadAPIFetchJWTBundlesClient{stream} + x := &grpc.GenericClientStream[JWTBundlesRequest, JWTBundlesResponse]{ClientStream: stream} if err := x.ClientStream.SendMsg(in); err != nil { return nil, err } @@ -136,26 +125,13 @@ func (c *spiffeWorkloadAPIClient) FetchJWTBundles(ctx context.Context, in *JWTBu return x, nil } -type SpiffeWorkloadAPI_FetchJWTBundlesClient interface { - Recv() (*JWTBundlesResponse, error) - grpc.ClientStream -} - -type spiffeWorkloadAPIFetchJWTBundlesClient struct { - grpc.ClientStream -} - -func (x *spiffeWorkloadAPIFetchJWTBundlesClient) Recv() (*JWTBundlesResponse, error) { - m := new(JWTBundlesResponse) - if err := x.ClientStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} +// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name. +type SpiffeWorkloadAPI_FetchJWTBundlesClient = grpc.ServerStreamingClient[JWTBundlesResponse] func (c *spiffeWorkloadAPIClient) ValidateJWTSVID(ctx context.Context, in *ValidateJWTSVIDRequest, opts ...grpc.CallOption) (*ValidateJWTSVIDResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) out := new(ValidateJWTSVIDResponse) - err := c.cc.Invoke(ctx, "/SpiffeWorkloadAPI/ValidateJWTSVID", in, out, opts...) + err := c.cc.Invoke(ctx, SpiffeWorkloadAPI_ValidateJWTSVID_FullMethodName, in, out, cOpts...) if err != nil { return nil, err } @@ -164,18 +140,18 @@ func (c *spiffeWorkloadAPIClient) ValidateJWTSVID(ctx context.Context, in *Valid // SpiffeWorkloadAPIServer is the server API for SpiffeWorkloadAPI service. // All implementations must embed UnimplementedSpiffeWorkloadAPIServer -// for forward compatibility +// for forward compatibility. type SpiffeWorkloadAPIServer interface { // Fetch X.509-SVIDs for all SPIFFE identities the workload is entitled to, // as well as related information like trust bundles and CRLs. As this // information changes, subsequent messages will be streamed from the // server. - FetchX509SVID(*X509SVIDRequest, SpiffeWorkloadAPI_FetchX509SVIDServer) error + FetchX509SVID(*X509SVIDRequest, grpc.ServerStreamingServer[X509SVIDResponse]) error // Fetch trust bundles and CRLs. Useful for clients that only need to // validate SVIDs without obtaining an SVID for themself. As this // information changes, subsequent messages will be streamed from the // server. - FetchX509Bundles(*X509BundlesRequest, SpiffeWorkloadAPI_FetchX509BundlesServer) error + FetchX509Bundles(*X509BundlesRequest, grpc.ServerStreamingServer[X509BundlesResponse]) error // Fetch JWT-SVIDs for all SPIFFE identities the workload is entitled to, // for the requested audience. If an optional SPIFFE ID is requested, only // the JWT-SVID for that SPIFFE ID is returned. @@ -183,33 +159,37 @@ type SpiffeWorkloadAPIServer interface { // Fetches the JWT bundles, formatted as JWKS documents, keyed by the // SPIFFE ID of the trust domain. As this information changes, subsequent // messages will be streamed from the server. - FetchJWTBundles(*JWTBundlesRequest, SpiffeWorkloadAPI_FetchJWTBundlesServer) error + FetchJWTBundles(*JWTBundlesRequest, grpc.ServerStreamingServer[JWTBundlesResponse]) error // Validates a JWT-SVID against the requested audience. Returns the SPIFFE // ID of the JWT-SVID and JWT claims. ValidateJWTSVID(context.Context, *ValidateJWTSVIDRequest) (*ValidateJWTSVIDResponse, error) mustEmbedUnimplementedSpiffeWorkloadAPIServer() } -// UnimplementedSpiffeWorkloadAPIServer must be embedded to have forward compatible implementations. -type UnimplementedSpiffeWorkloadAPIServer struct { -} +// UnimplementedSpiffeWorkloadAPIServer must be embedded to have +// forward compatible implementations. +// +// NOTE: this should be embedded by value instead of pointer to avoid a nil +// pointer dereference when methods are called. +type UnimplementedSpiffeWorkloadAPIServer struct{} -func (UnimplementedSpiffeWorkloadAPIServer) FetchX509SVID(*X509SVIDRequest, SpiffeWorkloadAPI_FetchX509SVIDServer) error { +func (UnimplementedSpiffeWorkloadAPIServer) FetchX509SVID(*X509SVIDRequest, grpc.ServerStreamingServer[X509SVIDResponse]) error { return status.Errorf(codes.Unimplemented, "method FetchX509SVID not implemented") } -func (UnimplementedSpiffeWorkloadAPIServer) FetchX509Bundles(*X509BundlesRequest, SpiffeWorkloadAPI_FetchX509BundlesServer) error { +func (UnimplementedSpiffeWorkloadAPIServer) FetchX509Bundles(*X509BundlesRequest, grpc.ServerStreamingServer[X509BundlesResponse]) error { return status.Errorf(codes.Unimplemented, "method FetchX509Bundles not implemented") } func (UnimplementedSpiffeWorkloadAPIServer) FetchJWTSVID(context.Context, *JWTSVIDRequest) (*JWTSVIDResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method FetchJWTSVID not implemented") } -func (UnimplementedSpiffeWorkloadAPIServer) FetchJWTBundles(*JWTBundlesRequest, SpiffeWorkloadAPI_FetchJWTBundlesServer) error { +func (UnimplementedSpiffeWorkloadAPIServer) FetchJWTBundles(*JWTBundlesRequest, grpc.ServerStreamingServer[JWTBundlesResponse]) error { return status.Errorf(codes.Unimplemented, "method FetchJWTBundles not implemented") } func (UnimplementedSpiffeWorkloadAPIServer) ValidateJWTSVID(context.Context, *ValidateJWTSVIDRequest) (*ValidateJWTSVIDResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method ValidateJWTSVID not implemented") } func (UnimplementedSpiffeWorkloadAPIServer) mustEmbedUnimplementedSpiffeWorkloadAPIServer() {} +func (UnimplementedSpiffeWorkloadAPIServer) testEmbeddedByValue() {} // UnsafeSpiffeWorkloadAPIServer may be embedded to opt out of forward compatibility for this service. // Use of this interface is not recommended, as added methods to SpiffeWorkloadAPIServer will @@ -219,7 +199,14 @@ type UnsafeSpiffeWorkloadAPIServer interface { } func RegisterSpiffeWorkloadAPIServer(s grpc.ServiceRegistrar, srv SpiffeWorkloadAPIServer) { - s.RegisterService(&_SpiffeWorkloadAPI_serviceDesc, srv) + // If the following call pancis, it indicates UnimplementedSpiffeWorkloadAPIServer was + // embedded by pointer and is nil. This will cause panics if an + // unimplemented method is ever invoked, so we test this at initialization + // time to prevent it from happening at runtime later due to I/O. + if t, ok := srv.(interface{ testEmbeddedByValue() }); ok { + t.testEmbeddedByValue() + } + s.RegisterService(&SpiffeWorkloadAPI_ServiceDesc, srv) } func _SpiffeWorkloadAPI_FetchX509SVID_Handler(srv interface{}, stream grpc.ServerStream) error { @@ -227,42 +214,22 @@ func _SpiffeWorkloadAPI_FetchX509SVID_Handler(srv interface{}, stream grpc.Serve if err := stream.RecvMsg(m); err != nil { return err } - return srv.(SpiffeWorkloadAPIServer).FetchX509SVID(m, &spiffeWorkloadAPIFetchX509SVIDServer{stream}) + return srv.(SpiffeWorkloadAPIServer).FetchX509SVID(m, &grpc.GenericServerStream[X509SVIDRequest, X509SVIDResponse]{ServerStream: stream}) } -type SpiffeWorkloadAPI_FetchX509SVIDServer interface { - Send(*X509SVIDResponse) error - grpc.ServerStream -} - -type spiffeWorkloadAPIFetchX509SVIDServer struct { - grpc.ServerStream -} - -func (x *spiffeWorkloadAPIFetchX509SVIDServer) Send(m *X509SVIDResponse) error { - return x.ServerStream.SendMsg(m) -} +// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name. +type SpiffeWorkloadAPI_FetchX509SVIDServer = grpc.ServerStreamingServer[X509SVIDResponse] func _SpiffeWorkloadAPI_FetchX509Bundles_Handler(srv interface{}, stream grpc.ServerStream) error { m := new(X509BundlesRequest) if err := stream.RecvMsg(m); err != nil { return err } - return srv.(SpiffeWorkloadAPIServer).FetchX509Bundles(m, &spiffeWorkloadAPIFetchX509BundlesServer{stream}) + return srv.(SpiffeWorkloadAPIServer).FetchX509Bundles(m, &grpc.GenericServerStream[X509BundlesRequest, X509BundlesResponse]{ServerStream: stream}) } -type SpiffeWorkloadAPI_FetchX509BundlesServer interface { - Send(*X509BundlesResponse) error - grpc.ServerStream -} - -type spiffeWorkloadAPIFetchX509BundlesServer struct { - grpc.ServerStream -} - -func (x *spiffeWorkloadAPIFetchX509BundlesServer) Send(m *X509BundlesResponse) error { - return x.ServerStream.SendMsg(m) -} +// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name. +type SpiffeWorkloadAPI_FetchX509BundlesServer = grpc.ServerStreamingServer[X509BundlesResponse] func _SpiffeWorkloadAPI_FetchJWTSVID_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(JWTSVIDRequest) @@ -274,7 +241,7 @@ func _SpiffeWorkloadAPI_FetchJWTSVID_Handler(srv interface{}, ctx context.Contex } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: "/SpiffeWorkloadAPI/FetchJWTSVID", + FullMethod: SpiffeWorkloadAPI_FetchJWTSVID_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { return srv.(SpiffeWorkloadAPIServer).FetchJWTSVID(ctx, req.(*JWTSVIDRequest)) @@ -287,21 +254,11 @@ func _SpiffeWorkloadAPI_FetchJWTBundles_Handler(srv interface{}, stream grpc.Ser if err := stream.RecvMsg(m); err != nil { return err } - return srv.(SpiffeWorkloadAPIServer).FetchJWTBundles(m, &spiffeWorkloadAPIFetchJWTBundlesServer{stream}) + return srv.(SpiffeWorkloadAPIServer).FetchJWTBundles(m, &grpc.GenericServerStream[JWTBundlesRequest, JWTBundlesResponse]{ServerStream: stream}) } -type SpiffeWorkloadAPI_FetchJWTBundlesServer interface { - Send(*JWTBundlesResponse) error - grpc.ServerStream -} - -type spiffeWorkloadAPIFetchJWTBundlesServer struct { - grpc.ServerStream -} - -func (x *spiffeWorkloadAPIFetchJWTBundlesServer) Send(m *JWTBundlesResponse) error { - return x.ServerStream.SendMsg(m) -} +// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name. +type SpiffeWorkloadAPI_FetchJWTBundlesServer = grpc.ServerStreamingServer[JWTBundlesResponse] func _SpiffeWorkloadAPI_ValidateJWTSVID_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(ValidateJWTSVIDRequest) @@ -313,7 +270,7 @@ func _SpiffeWorkloadAPI_ValidateJWTSVID_Handler(srv interface{}, ctx context.Con } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: "/SpiffeWorkloadAPI/ValidateJWTSVID", + FullMethod: SpiffeWorkloadAPI_ValidateJWTSVID_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { return srv.(SpiffeWorkloadAPIServer).ValidateJWTSVID(ctx, req.(*ValidateJWTSVIDRequest)) @@ -321,7 +278,10 @@ func _SpiffeWorkloadAPI_ValidateJWTSVID_Handler(srv interface{}, ctx context.Con return interceptor(ctx, in, info, handler) } -var _SpiffeWorkloadAPI_serviceDesc = grpc.ServiceDesc{ +// SpiffeWorkloadAPI_ServiceDesc is the grpc.ServiceDesc for SpiffeWorkloadAPI service. +// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var SpiffeWorkloadAPI_ServiceDesc = grpc.ServiceDesc{ ServiceName: "SpiffeWorkloadAPI", HandlerType: (*SpiffeWorkloadAPIServer)(nil), Methods: []grpc.MethodDesc{ diff --git a/vendor/github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig/config.go b/vendor/github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig/config.go index 0ef3969a023..0331fc198d4 100644 --- a/vendor/github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig/config.go +++ b/vendor/github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig/config.go @@ -221,6 +221,7 @@ func getTLSCertificate(svid x509svid.Source, trace Trace) (*tls.Certificate, err cert := &tls.Certificate{ Certificate: make([][]byte, 0, len(s.Certificates)), PrivateKey: s.PrivateKey, + Leaf: s.Certificates[0], } for _, svidCert := range s.Certificates { diff --git a/vendor/github.com/spiffe/go-spiffe/v2/svid/jwtsvid/svid.go b/vendor/github.com/spiffe/go-spiffe/v2/svid/jwtsvid/svid.go index d46f80035db..15aabc532c5 100644 --- a/vendor/github.com/spiffe/go-spiffe/v2/svid/jwtsvid/svid.go +++ b/vendor/github.com/spiffe/go-spiffe/v2/svid/jwtsvid/svid.go @@ -1,13 +1,14 @@ package jwtsvid import ( + "errors" + "fmt" "time" "github.com/go-jose/go-jose/v4" "github.com/go-jose/go-jose/v4/jwt" "github.com/spiffe/go-spiffe/v2/bundle/jwtbundle" "github.com/spiffe/go-spiffe/v2/spiffeid" - "github.com/zeebo/errs" ) var ( @@ -22,8 +23,6 @@ var ( jose.PS384, jose.PS512, } - - jwtsvidErr = errs.Class("jwtsvid") ) // tokenValidator validates the token and returns the claims @@ -54,25 +53,25 @@ func ParseAndValidate(token string, bundles jwtbundle.Source, audience []string) // Obtain the key ID from the header keyID := tok.Headers[0].KeyID if keyID == "" { - return nil, jwtsvidErr.New("token header missing key id") + return nil, wrapJwtsvidErr(errors.New("token header missing key id")) } // Get JWT Bundle bundle, err := bundles.GetJWTBundleForTrustDomain(trustDomain) if err != nil { - return nil, jwtsvidErr.New("no bundle found for trust domain %q", trustDomain) + return nil, wrapJwtsvidErr(fmt.Errorf("no bundle found for trust domain %q", trustDomain)) } // Find JWT authority using the key ID from the token header authority, ok := bundle.FindJWTAuthority(keyID) if !ok { - return nil, jwtsvidErr.New("no JWT authority %q found for trust domain %q", keyID, trustDomain) + return nil, wrapJwtsvidErr(fmt.Errorf("no JWT authority %q found for trust domain %q", keyID, trustDomain)) } // Obtain and verify the token claims using the obtained JWT authority claimsMap := make(map[string]interface{}) if err := tok.Claims(authority, &claimsMap); err != nil { - return nil, jwtsvidErr.New("unable to get claims from token: %v", err) + return nil, wrapJwtsvidErr(fmt.Errorf("unable to get claims from token: %v", err)) } return claimsMap, nil @@ -86,7 +85,7 @@ func ParseInsecure(token string, audience []string) (*SVID, error) { // Obtain the token claims insecurely, i.e. without signature verification claimsMap := make(map[string]interface{}) if err := tok.UnsafeClaimsWithoutVerification(&claimsMap); err != nil { - return nil, jwtsvidErr.New("unable to get claims from token: %v", err) + return nil, wrapJwtsvidErr(fmt.Errorf("unable to get claims from token: %v", err)) } return claimsMap, nil @@ -103,26 +102,31 @@ func parse(token string, audience []string, getClaims tokenValidator) (*SVID, er // Parse serialized token tok, err := jwt.ParseSigned(token, allowedSignatureAlgorithms) if err != nil { - return nil, jwtsvidErr.New("unable to parse JWT token") + return nil, wrapJwtsvidErr(errors.New("unable to parse JWT token")) + } + + // forbid tokens which have the `typ` header, which is not either "JOSE" or "JWT" + if typ, present := tok.Headers[0].ExtraHeaders[jose.HeaderType]; present && typ != "JOSE" && typ != "JWT" { + return nil, wrapJwtsvidErr(errors.New("token header type not equal to either JWT or JOSE")) } // Parse out the unverified claims. We need to look up the key by the trust // domain of the SPIFFE ID. var claims jwt.Claims if err := tok.UnsafeClaimsWithoutVerification(&claims); err != nil { - return nil, jwtsvidErr.New("unable to get claims from token: %v", err) + return nil, wrapJwtsvidErr(fmt.Errorf("unable to get claims from token: %v", err)) } switch { case claims.Subject == "": - return nil, jwtsvidErr.New("token missing subject claim") + return nil, wrapJwtsvidErr(errors.New("token missing subject claim")) case claims.Expiry == nil: - return nil, jwtsvidErr.New("token missing exp claim") + return nil, wrapJwtsvidErr(errors.New("token missing exp claim")) } spiffeID, err := spiffeid.FromString(claims.Subject) if err != nil { - return nil, jwtsvidErr.New("token has an invalid subject claim: %v", err) + return nil, wrapJwtsvidErr(fmt.Errorf("token has an invalid subject claim: %v", err)) } // Create generic map of claims @@ -139,9 +143,9 @@ func parse(token string, audience []string, getClaims tokenValidator) (*SVID, er // Convert expected validation errors for pretty errors switch err { case jwt.ErrExpired: - err = jwtsvidErr.New("token has expired") + err = wrapJwtsvidErr(errors.New("token has expired")) case jwt.ErrInvalidAudience: - err = jwtsvidErr.New("expected audience in %q (audience=%q)", audience, claims.Audience) + err = wrapJwtsvidErr(fmt.Errorf("expected audience in %q (audience=%q)", audience, claims.Audience)) } return nil, err } @@ -154,3 +158,7 @@ func parse(token string, audience []string, getClaims tokenValidator) (*SVID, er token: token, }, nil } + +func wrapJwtsvidErr(err error) error { + return fmt.Errorf("jwtsvid: %w", err) +} diff --git a/vendor/github.com/spiffe/go-spiffe/v2/svid/x509svid/svid.go b/vendor/github.com/spiffe/go-spiffe/v2/svid/x509svid/svid.go index 7302f3a5739..c2e234d77ae 100644 --- a/vendor/github.com/spiffe/go-spiffe/v2/svid/x509svid/svid.go +++ b/vendor/github.com/spiffe/go-spiffe/v2/svid/x509svid/svid.go @@ -7,12 +7,13 @@ import ( "crypto/ed25519" "crypto/rsa" "crypto/x509" + "errors" + "fmt" "os" "github.com/spiffe/go-spiffe/v2/internal/pemutil" "github.com/spiffe/go-spiffe/v2/internal/x509util" "github.com/spiffe/go-spiffe/v2/spiffeid" - "github.com/zeebo/errs" ) // SVID represents a SPIFFE X509-SVID. @@ -39,12 +40,12 @@ type SVID struct { func Load(certFile, keyFile string) (*SVID, error) { certBytes, err := os.ReadFile(certFile) if err != nil { - return nil, x509svidErr.New("cannot read certificate file: %w", err) + return nil, wrapX509svidErr(fmt.Errorf("cannot read certificate file: %w", err)) } keyBytes, err := os.ReadFile(keyFile) if err != nil { - return nil, x509svidErr.New("cannot read key file: %w", err) + return nil, wrapX509svidErr(fmt.Errorf("cannot read key file: %w", err)) } return Parse(certBytes, keyBytes) @@ -56,12 +57,12 @@ func Load(certFile, keyFile string) (*SVID, error) { func Parse(certBytes, keyBytes []byte) (*SVID, error) { certs, err := pemutil.ParseCertificates(certBytes) if err != nil { - return nil, x509svidErr.New("cannot parse PEM encoded certificate: %v", err) + return nil, wrapX509svidErr(fmt.Errorf("cannot parse PEM encoded certificate: %v", err)) } privateKey, err := pemutil.ParsePrivateKey(keyBytes) if err != nil { - return nil, x509svidErr.New("cannot parse PEM encoded private key: %v", err) + return nil, wrapX509svidErr(fmt.Errorf("cannot parse PEM encoded private key: %v", err)) } return newSVID(certs, privateKey) @@ -74,12 +75,12 @@ func Parse(certBytes, keyBytes []byte) (*SVID, error) { func ParseRaw(certBytes, keyBytes []byte) (*SVID, error) { certificates, err := x509.ParseCertificates(certBytes) if err != nil { - return nil, x509svidErr.New("cannot parse DER encoded certificate: %v", err) + return nil, wrapX509svidErr(fmt.Errorf("cannot parse DER encoded certificate: %v", err)) } privateKey, err := x509.ParsePKCS8PrivateKey(keyBytes) if err != nil { - return nil, x509svidErr.New("cannot parse DER encoded private key: %v", err) + return nil, wrapX509svidErr(fmt.Errorf("cannot parse DER encoded private key: %v", err)) } return newSVID(certificates, privateKey) @@ -89,12 +90,12 @@ func ParseRaw(certBytes, keyBytes []byte) (*SVID, error) { // and private key. func (s *SVID) Marshal() ([]byte, []byte, error) { if len(s.Certificates) == 0 { - return nil, nil, x509svidErr.New("no certificates to marshal") + return nil, nil, wrapX509svidErr(errors.New("no certificates to marshal")) } certBytes := pemutil.EncodeCertificates(s.Certificates) keyBytes, err := pemutil.EncodePKCS8PrivateKey(s.PrivateKey) if err != nil { - return nil, nil, x509svidErr.New("cannot encode private key: %v", err) + return nil, nil, wrapX509svidErr(fmt.Errorf("cannot encode private key: %v", err)) } return certBytes, keyBytes, nil @@ -106,11 +107,11 @@ func (s *SVID) Marshal() ([]byte, []byte, error) { func (s *SVID) MarshalRaw() ([]byte, []byte, error) { key, err := x509.MarshalPKCS8PrivateKey(s.PrivateKey) if err != nil { - return nil, nil, x509svidErr.New("cannot marshal private key: %v", err) + return nil, nil, wrapX509svidErr(fmt.Errorf("cannot marshal private key: %v", err)) } if len(s.Certificates) == 0 { - return nil, nil, x509svidErr.New("no certificates to marshal") + return nil, nil, wrapX509svidErr(errors.New("no certificates to marshal")) } certs := x509util.ConcatRawCertsFromCerts(s.Certificates) @@ -125,12 +126,12 @@ func (s *SVID) GetX509SVID() (*SVID, error) { func newSVID(certificates []*x509.Certificate, privateKey crypto.PrivateKey) (*SVID, error) { spiffeID, err := validateCertificates(certificates) if err != nil { - return nil, x509svidErr.New("certificate validation failed: %v", err) + return nil, wrapX509svidErr(fmt.Errorf("certificate validation failed: %v", err)) } signer, err := validatePrivateKey(privateKey, certificates[0]) if err != nil { - return nil, x509svidErr.New("private key validation failed: %v", err) + return nil, wrapX509svidErr(fmt.Errorf("private key validation failed: %v", err)) } return &SVID{ @@ -144,7 +145,7 @@ func newSVID(certificates []*x509.Certificate, privateKey crypto.PrivateKey) (*S // to the spiffe standard and returns the spiffe id of the leaf certificate func validateCertificates(certificates []*x509.Certificate) (*spiffeid.ID, error) { if len(certificates) == 0 { - return nil, errs.New("no certificates found") + return nil, errors.New("no certificates found") } leafID, err := validateLeafCertificate(certificates[0]) @@ -163,10 +164,10 @@ func validateCertificates(certificates []*x509.Certificate) (*spiffeid.ID, error func validateLeafCertificate(leaf *x509.Certificate) (*spiffeid.ID, error) { leafID, err := IDFromCert(leaf) if err != nil { - return nil, errs.New("cannot get leaf certificate SPIFFE ID: %v", err) + return nil, fmt.Errorf("cannot get leaf certificate SPIFFE ID: %v", err) } if leaf.IsCA { - return nil, errs.New("leaf certificate must not have CA flag set to true") + return nil, errors.New("leaf certificate must not have CA flag set to true") } err = validateKeyUsage(leaf) @@ -180,10 +181,10 @@ func validateLeafCertificate(leaf *x509.Certificate) (*spiffeid.ID, error) { func validateSigningCertificates(signingCerts []*x509.Certificate) error { for _, cert := range signingCerts { if !cert.IsCA { - return errs.New("signing certificate must have CA flag set to true") + return errors.New("signing certificate must have CA flag set to true") } if cert.KeyUsage&x509.KeyUsageCertSign == 0 { - return errs.New("signing certificate must have 'keyCertSign' set as key usage") + return errors.New("signing certificate must have 'keyCertSign' set as key usage") } } @@ -193,18 +194,18 @@ func validateSigningCertificates(signingCerts []*x509.Certificate) error { func validateKeyUsage(leaf *x509.Certificate) error { switch { case leaf.KeyUsage&x509.KeyUsageDigitalSignature == 0: - return errs.New("leaf certificate must have 'digitalSignature' set as key usage") + return errors.New("leaf certificate must have 'digitalSignature' set as key usage") case leaf.KeyUsage&x509.KeyUsageCertSign > 0: - return errs.New("leaf certificate must not have 'keyCertSign' set as key usage") + return errors.New("leaf certificate must not have 'keyCertSign' set as key usage") case leaf.KeyUsage&x509.KeyUsageCRLSign > 0: - return errs.New("leaf certificate must not have 'cRLSign' set as key usage") + return errors.New("leaf certificate must not have 'cRLSign' set as key usage") } return nil } func validatePrivateKey(privateKey crypto.PrivateKey, leaf *x509.Certificate) (crypto.Signer, error) { if privateKey == nil { - return nil, errs.New("no private key found") + return nil, errors.New("no private key found") } matched, err := keyMatches(privateKey, leaf.PublicKey) @@ -212,12 +213,12 @@ func validatePrivateKey(privateKey crypto.PrivateKey, leaf *x509.Certificate) (c return nil, err } if !matched { - return nil, errs.New("leaf certificate does not match private key") + return nil, errors.New("leaf certificate does not match private key") } signer, ok := privateKey.(crypto.Signer) if !ok { - return nil, errs.New("expected crypto.Signer; got %T", privateKey) + return nil, fmt.Errorf("expected crypto.Signer; got %T", privateKey) } return signer, nil @@ -235,7 +236,7 @@ func keyMatches(privateKey crypto.PrivateKey, publicKey crypto.PublicKey) (bool, ed25519PublicKey, ok := publicKey.(ed25519.PublicKey) return ok && bytes.Equal(privateKey.Public().(ed25519.PublicKey), ed25519PublicKey), nil default: - return false, errs.New("unsupported private key type %T", privateKey) + return false, fmt.Errorf("unsupported private key type %T", privateKey) } } diff --git a/vendor/github.com/spiffe/go-spiffe/v2/svid/x509svid/verify.go b/vendor/github.com/spiffe/go-spiffe/v2/svid/x509svid/verify.go index 681d2844a13..178450166a2 100644 --- a/vendor/github.com/spiffe/go-spiffe/v2/svid/x509svid/verify.go +++ b/vendor/github.com/spiffe/go-spiffe/v2/svid/x509svid/verify.go @@ -2,16 +2,15 @@ package x509svid import ( "crypto/x509" + "errors" + "fmt" "time" "github.com/spiffe/go-spiffe/v2/bundle/x509bundle" "github.com/spiffe/go-spiffe/v2/internal/x509util" "github.com/spiffe/go-spiffe/v2/spiffeid" - "github.com/zeebo/errs" ) -var x509svidErr = errs.Class("x509svid") - // VerifyOption is an option used when verifying X509-SVIDs. type VerifyOption interface { apply(config *verifyConfig) @@ -36,29 +35,29 @@ func Verify(certs []*x509.Certificate, bundleSource x509bundle.Source, opts ...V switch { case len(certs) == 0: - return spiffeid.ID{}, nil, x509svidErr.New("empty certificates chain") + return spiffeid.ID{}, nil, wrapX509svidErr(errors.New("empty certificates chain")) case bundleSource == nil: - return spiffeid.ID{}, nil, x509svidErr.New("bundleSource is required") + return spiffeid.ID{}, nil, wrapX509svidErr(errors.New("bundleSource is required")) } leaf := certs[0] id, err := IDFromCert(leaf) if err != nil { - return spiffeid.ID{}, nil, x509svidErr.New("could not get leaf SPIFFE ID: %w", err) + return spiffeid.ID{}, nil, wrapX509svidErr(fmt.Errorf("could not get leaf SPIFFE ID: %w", err)) } switch { case leaf.IsCA: - return id, nil, x509svidErr.New("leaf certificate with CA flag set to true") + return id, nil, wrapX509svidErr(errors.New("leaf certificate with CA flag set to true")) case leaf.KeyUsage&x509.KeyUsageCertSign > 0: - return id, nil, x509svidErr.New("leaf certificate with KeyCertSign key usage") + return id, nil, wrapX509svidErr(errors.New("leaf certificate with KeyCertSign key usage")) case leaf.KeyUsage&x509.KeyUsageCRLSign > 0: - return id, nil, x509svidErr.New("leaf certificate with KeyCrlSign key usage") + return id, nil, wrapX509svidErr(errors.New("leaf certificate with KeyCrlSign key usage")) } bundle, err := bundleSource.GetX509BundleForTrustDomain(id.TrustDomain()) if err != nil { - return id, nil, x509svidErr.New("could not get X509 bundle: %w", err) + return id, nil, wrapX509svidErr(fmt.Errorf("could not get X509 bundle: %w", err)) } verifiedChains, err := leaf.Verify(x509.VerifyOptions{ @@ -68,7 +67,7 @@ func Verify(certs []*x509.Certificate, bundleSource x509bundle.Source, opts ...V CurrentTime: config.now, }) if err != nil { - return id, nil, x509svidErr.New("could not verify leaf certificate: %w", err) + return id, nil, wrapX509svidErr(fmt.Errorf("could not verify leaf certificate: %w", err)) } return id, verifiedChains, nil @@ -82,7 +81,7 @@ func ParseAndVerify(rawCerts [][]byte, bundleSource x509bundle.Source, opts ...V for _, rawCert := range rawCerts { cert, err := x509.ParseCertificate(rawCert) if err != nil { - return spiffeid.ID{}, nil, x509svidErr.New("unable to parse certificate: %w", err) + return spiffeid.ID{}, nil, wrapX509svidErr(fmt.Errorf("unable to parse certificate: %w", err)) } certs = append(certs, cert) } @@ -95,9 +94,9 @@ func ParseAndVerify(rawCerts [][]byte, bundleSource x509bundle.Source, opts ...V func IDFromCert(cert *x509.Certificate) (spiffeid.ID, error) { switch { case len(cert.URIs) == 0: - return spiffeid.ID{}, errs.New("certificate contains no URI SAN") + return spiffeid.ID{}, errors.New("certificate contains no URI SAN") case len(cert.URIs) > 1: - return spiffeid.ID{}, errs.New("certificate contains more than one URI SAN") + return spiffeid.ID{}, errors.New("certificate contains more than one URI SAN") } return spiffeid.FromURI(cert.URIs[0]) } @@ -111,3 +110,7 @@ type verifyOption func(config *verifyConfig) func (fn verifyOption) apply(config *verifyConfig) { fn(config) } + +func wrapX509svidErr(err error) error { + return fmt.Errorf("x509svid: %w", err) +} diff --git a/vendor/github.com/spiffe/go-spiffe/v2/workloadapi/bundlesource.go b/vendor/github.com/spiffe/go-spiffe/v2/workloadapi/bundlesource.go index 2a253efc7d9..81c7de5cb2e 100644 --- a/vendor/github.com/spiffe/go-spiffe/v2/workloadapi/bundlesource.go +++ b/vendor/github.com/spiffe/go-spiffe/v2/workloadapi/bundlesource.go @@ -4,17 +4,16 @@ import ( "context" "crypto" "crypto/x509" + "errors" + "fmt" "sync" "github.com/spiffe/go-spiffe/v2/bundle/jwtbundle" "github.com/spiffe/go-spiffe/v2/bundle/spiffebundle" "github.com/spiffe/go-spiffe/v2/bundle/x509bundle" "github.com/spiffe/go-spiffe/v2/spiffeid" - "github.com/zeebo/errs" ) -var bundlesourceErr = errs.Class("bundlesource") - // BundleSource is a source of SPIFFE bundles maintained via the Workload API. type BundleSource struct { watcher *watcher @@ -73,7 +72,7 @@ func (s *BundleSource) GetBundleForTrustDomain(trustDomain spiffeid.TrustDomain) x509Authorities, hasX509Authorities := s.x509Authorities[trustDomain] jwtAuthorities, hasJWTAuthorities := s.jwtAuthorities[trustDomain] if !hasX509Authorities && !hasJWTAuthorities { - return nil, bundlesourceErr.New("no SPIFFE bundle for trust domain %q", trustDomain) + return nil, wrapBundlesourceErr(fmt.Errorf("no SPIFFE bundle for trust domain %q", trustDomain)) } bundle := spiffebundle.New(trustDomain) if hasX509Authorities { @@ -96,7 +95,7 @@ func (s *BundleSource) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDom x509Authorities, hasX509Authorities := s.x509Authorities[trustDomain] if !hasX509Authorities { - return nil, bundlesourceErr.New("no X.509 bundle for trust domain %q", trustDomain) + return nil, wrapBundlesourceErr(fmt.Errorf("no X.509 bundle for trust domain %q", trustDomain)) } return x509bundle.FromX509Authorities(trustDomain, x509Authorities), nil } @@ -112,7 +111,7 @@ func (s *BundleSource) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDoma jwtAuthorities, hasJWTAuthorities := s.jwtAuthorities[trustDomain] if !hasJWTAuthorities { - return nil, bundlesourceErr.New("no JWT bundle for trust domain %q", trustDomain) + return nil, wrapBundlesourceErr(fmt.Errorf("no JWT bundle for trust domain %q", trustDomain)) } return jwtbundle.FromJWTAuthorities(trustDomain, jwtAuthorities), nil } @@ -182,7 +181,11 @@ func (s *BundleSource) checkClosed() error { s.closeMtx.RLock() defer s.closeMtx.RUnlock() if s.closed { - return bundlesourceErr.New("source is closed") + return wrapBundlesourceErr(errors.New("source is closed")) } return nil } + +func wrapBundlesourceErr(err error) error { + return fmt.Errorf("bundlesource: %w", err) +} diff --git a/vendor/github.com/spiffe/go-spiffe/v2/workloadapi/jwtsource.go b/vendor/github.com/spiffe/go-spiffe/v2/workloadapi/jwtsource.go index 11223539030..247f5cc6fb7 100644 --- a/vendor/github.com/spiffe/go-spiffe/v2/workloadapi/jwtsource.go +++ b/vendor/github.com/spiffe/go-spiffe/v2/workloadapi/jwtsource.go @@ -2,16 +2,15 @@ package workloadapi import ( "context" + "errors" + "fmt" "sync" "github.com/spiffe/go-spiffe/v2/bundle/jwtbundle" "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/spiffe/go-spiffe/v2/svid/jwtsvid" - "github.com/zeebo/errs" ) -var jwtsourceErr = errs.Class("jwtsource") - // JWTSource is a source of JWT-SVID and JWT bundles maintained via the // Workload API. type JWTSource struct { @@ -121,7 +120,11 @@ func (s *JWTSource) checkClosed() error { s.closeMtx.RLock() defer s.closeMtx.RUnlock() if s.closed { - return jwtsourceErr.New("source is closed") + return wrapJwtsourceErr(errors.New("source is closed")) } return nil } + +func wrapJwtsourceErr(err error) error { + return fmt.Errorf("jwtsource: %w", err) +} diff --git a/vendor/github.com/spiffe/go-spiffe/v2/workloadapi/watcher.go b/vendor/github.com/spiffe/go-spiffe/v2/workloadapi/watcher.go index a105a60d762..f72e03b2d4f 100644 --- a/vendor/github.com/spiffe/go-spiffe/v2/workloadapi/watcher.go +++ b/vendor/github.com/spiffe/go-spiffe/v2/workloadapi/watcher.go @@ -2,11 +2,11 @@ package workloadapi import ( "context" + "errors" "sync" "github.com/spiffe/go-spiffe/v2/bundle/jwtbundle" "github.com/spiffe/go-spiffe/v2/svid/jwtsvid" - "github.com/zeebo/errs" ) type sourceClient interface { @@ -58,7 +58,7 @@ func newWatcher(ctx context.Context, config watcherConfig, x509ContextFn func(*X // If this function fails, we need to clean up the source. defer func() { if err != nil { - err = errs.Combine(err, w.Close()) + err = errors.Join(err, w.Close()) } }() diff --git a/vendor/github.com/spiffe/go-spiffe/v2/workloadapi/x509source.go b/vendor/github.com/spiffe/go-spiffe/v2/workloadapi/x509source.go index 28287f68ed6..2a942a96ed5 100644 --- a/vendor/github.com/spiffe/go-spiffe/v2/workloadapi/x509source.go +++ b/vendor/github.com/spiffe/go-spiffe/v2/workloadapi/x509source.go @@ -2,16 +2,15 @@ package workloadapi import ( "context" + "errors" + "fmt" "sync" "github.com/spiffe/go-spiffe/v2/bundle/x509bundle" "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/spiffe/go-spiffe/v2/svid/x509svid" - "github.com/zeebo/errs" ) -var x509sourceErr = errs.Class("x509source") - // X509Source is a source of X509-SVIDs and X.509 bundles maintained via the // Workload API. type X509Source struct { @@ -74,7 +73,7 @@ func (s *X509Source) GetX509SVID() (*x509svid.SVID, error) { // This is a defensive check and should be unreachable since the source // waits for the initial Workload API update before returning from // New(). - return nil, x509sourceErr.New("missing X509-SVID") + return nil, wrapX509sourceErr(errors.New("missing X509-SVID")) } return svid, nil } @@ -118,7 +117,11 @@ func (s *X509Source) checkClosed() error { s.closeMtx.RLock() defer s.closeMtx.RUnlock() if s.closed { - return x509sourceErr.New("source is closed") + return wrapX509sourceErr(errors.New("source is closed")) } return nil } + +func wrapX509sourceErr(err error) error { + return fmt.Errorf("x509source: %w", err) +} diff --git a/vendor/github.com/zeebo/errs/.gitignore b/vendor/github.com/zeebo/errs/.gitignore deleted file mode 100644 index 722d5e71d93..00000000000 --- a/vendor/github.com/zeebo/errs/.gitignore +++ /dev/null @@ -1 +0,0 @@ -.vscode diff --git a/vendor/github.com/zeebo/errs/AUTHORS b/vendor/github.com/zeebo/errs/AUTHORS deleted file mode 100644 index 6246e7403d5..00000000000 --- a/vendor/github.com/zeebo/errs/AUTHORS +++ /dev/null @@ -1,5 +0,0 @@ -Egon Elbre -Jeff Wendling -JT Olio -Kaloyan Raev -paul cannon diff --git a/vendor/github.com/zeebo/errs/LICENSE b/vendor/github.com/zeebo/errs/LICENSE deleted file mode 100644 index 3ba91930ed2..00000000000 --- a/vendor/github.com/zeebo/errs/LICENSE +++ /dev/null @@ -1,21 +0,0 @@ -MIT License - -Copyright (c) 2017 The Authors - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. diff --git a/vendor/github.com/zeebo/errs/README.md b/vendor/github.com/zeebo/errs/README.md deleted file mode 100644 index 0f72bf7b012..00000000000 --- a/vendor/github.com/zeebo/errs/README.md +++ /dev/null @@ -1,235 +0,0 @@ -# errs - -[![GoDoc](https://godoc.org/github.com/zeebo/errs?status.svg)](https://godoc.org/github.com/zeebo/errs) -[![Sourcegraph](https://sourcegraph.com/github.com/zeebo/errs/-/badge.svg)](https://sourcegraph.com/github.com/zeebo/errs?badge) -[![Go Report Card](https://goreportcard.com/badge/github.com/zeebo/errs)](https://goreportcard.com/report/github.com/zeebo/errs) - -errs is a package for making errors friendly and easy. - -### Creating Errors - -The easiest way to use it, is to use the package level [New][New] function. -It's much like `fmt.Errorf`, but better. For example: - -```go -func checkThing() error { - return errs.New("what's up with %q?", "zeebo") -} -``` - -Why is it better? Errors come with a stack trace that is only printed -when a `"+"` character is used in the format string. This should retain the -benefits of being able to diagnose where and why errors happen, without all of -the noise of printing a stack trace in every situation. For example: - -```go -func doSomeRealWork() { - err := checkThing() - if err != nil { - fmt.Printf("%+v\n", err) // contains stack trace if it's a errs error. - fmt.Printf("%v\n", err) // does not contain a stack trace - return - } -} -``` - -### Error Classes - -You can create a [Class][Class] of errors and check if any error was created by -that class. The class name is prefixed to all of the errors it creates. For example: - -```go -var Unauthorized = errs.Class("unauthorized") - -func checkUser(username, password string) error { - if username != "zeebo" { - return Unauthorized.New("who is %q?", username) - } - if password != "hunter2" { - return Unauthorized.New("that's not a good password, jerkmo!") - } - return nil -} - -func handleRequest() { - if err := checkUser("zeebo", "hunter3"); Unauthorized.Has(err) { - fmt.Println(err) - } - - // output: - // unauthorized: that's not a good password, jerkmo! -} -``` - -Classes can also [Wrap][ClassWrap] other errors, and errors may be wrapped -multiple times. For example: - -```go -var ( - Error = errs.Class("mypackage") - Unauthorized = errs.Class("unauthorized") -) - -func deep3() error { - return fmt.Errorf("ouch") -} - -func deep2() error { - return Unauthorized.Wrap(deep3()) -} - -func deep1() error { - return Error.Wrap(deep2()) -} - -func deep() { - fmt.Println(deep1()) - - // output: - // mypackage: unauthorized: ouch -} -``` - -In the above example, both `Error.Has(deep1())` and `Unauthorized.Has(deep1())` -would return `true`, and the stack trace would only be recorded once at the -`deep2` call. - -In addition, when an error has been wrapped, wrapping it again with the same class will -not do anything. For example: - -```go -func doubleWrap() { - fmt.Println(Error.Wrap(Error.New("foo"))) - - // output: - // mypackage: foo -} -``` - -This is to make it an easier decision if you should wrap or not (you should). - -### Utilities - -[Classes][Classes] is a helper function to get a slice of classes that an error -has. The latest wrap is first in the slice. For example: - -```go -func getClasses() { - classes := errs.Classes(deep1()) - fmt.Println(classes[0] == &Error) - fmt.Println(classes[1] == &Unauthorized) - - // output: - // true - // true -} -``` - -Finally, a helper function, [Unwrap][Unwrap] is provided to get the -wrapped error in cases where you might want to inspect details. For -example: - -```go -var Error = errs.Class("mypackage") - -func getHandle() (*os.File, error) { - fh, err := os.Open("neat_things") - if err != nil { - return nil, Error.Wrap(err) - } - return fh, nil -} - -func checkForNeatThings() { - fh, err := getHandle() - if os.IsNotExist(errs.Unwrap(err)) { - panic("no neat things?!") - } - if err != nil { - panic("phew, at least there are neat things, even if i can't see them") - } - fh.Close() -} -``` - -It knows about both the `Unwrap() error` and `Unwrap() []error` methods that are -often used in the community, and will call them as many times as possible. - -### Defer - -The package also provides [WrapP][WrapP] versions of [Wrap][Wrap] that are useful -in defer contexts. For example: - -```go -func checkDefer() (err error) { - defer Error.WrapP(&err) - - fh, err := os.Open("secret_stash") - if err != nil { - return nil, err - } - return fh.Close() -} -``` - -### Groups - -[Groups][Group] allow one to collect a set of errors. For example: - -```go -func tonsOfErrors() error { - var group errs.Group - for _, work := range someWork { - group.Add(maybeErrors(work)) - } - return group.Err() -} -``` - -Some things to note: - -- The [Add][GroupAdd] method only adds to the group if the passed in error is non-nil. -- The [Err][GroupErr] method returns an error only if non-nil errors have been added, and - additionally returns just the error if only one error was added. Thus, we always - have that if you only call `group.Add(err)`, then `group.Err() == err`. - -The returned error will format itself similarly: - -```go -func groupFormat() { - var group errs.Group - group.Add(errs.New("first")) - group.Add(errs.New("second")) - err := group.Err() - - fmt.Printf("%v\n", err) - fmt.Println() - fmt.Printf("%+v\n", err) - - // output: - // first; second - // - // group: - // --- first - // ... stack trace - // --- second - // ... stack trace -} -``` - -### Contributing - -errs is released under an MIT License. If you want to contribute, be sure to -add yourself to the list in AUTHORS. - -[New]: https://godoc.org/github.com/zeebo/errs#New -[Wrap]: https://godoc.org/github.com/zeebo/errs#Wrap -[WrapP]: https://godoc.org/github.com/zeebo/errs#WrapP -[Class]: https://godoc.org/github.com/zeebo/errs#Class -[ClassNew]: https://godoc.org/github.com/zeebo/errs#Class.New -[ClassWrap]: https://godoc.org/github.com/zeebo/errs#Class.Wrap -[Unwrap]: https://godoc.org/github.com/zeebo/errs#Unwrap -[Classes]: https://godoc.org/github.com/zeebo/errs#Classes -[Group]: https://godoc.org/github.com/zeebo/errs#Group -[GroupAdd]: https://godoc.org/github.com/zeebo/errs#Group.Add -[GroupErr]: https://godoc.org/github.com/zeebo/errs#Group.Err diff --git a/vendor/github.com/zeebo/errs/errs.go b/vendor/github.com/zeebo/errs/errs.go deleted file mode 100644 index 9a42e3da87e..00000000000 --- a/vendor/github.com/zeebo/errs/errs.go +++ /dev/null @@ -1,298 +0,0 @@ -// Package errs provides a simple error package with stack traces. -package errs - -import ( - "fmt" - "io" - "runtime" -) - -// Namer is implemented by all errors returned in this package. It returns a -// name for the class of error it is, and a boolean indicating if the name is -// valid. -type Namer interface{ Name() (string, bool) } - -// Causer is implemented by all errors returned in this package. It returns -// the underlying cause of the error, or nil if there is no underlying cause. -// -// Deprecated: check for the 'Unwrap()' interface from the stdlib errors package -// instead. -type Causer interface{ Cause() error } - -// New returns an error not contained in any class. This is the same as calling -// fmt.Errorf(...) except it captures a stack trace on creation. -func New(format string, args ...interface{}) error { - return (*Class).create(nil, 3, fmt.Errorf(format, args...)) -} - -// Wrap returns an error not contained in any class. It just associates a stack -// trace with the error. Wrap returns nil if err is nil. -func Wrap(err error) error { - return (*Class).create(nil, 3, err) -} - -// WrapP stores into the error pointer if it contains a non-nil error an error not -// contained in any class. It just associates a stack trace with the error. WrapP -// does nothing if the pointer or pointed at error is nil. -func WrapP(err *error) { - if err != nil && *err != nil { - *err = (*Class).create(nil, 3, *err) - } -} - -// Often, we call Unwrap as much as possible. Since comparing arbitrary -// interfaces with equality isn't panic safe, we only loop up to 100 -// times to ensure that a poor implementation that causes a cycle does -// not run forever. -const maxUnwrap = 100 - -// Unwrap returns the final, most underlying error, if any, or just the error. -// -// Deprecated: Prefer errors.Is() and errors.As(). -func Unwrap(err error) error { - for i := 0; err != nil && i < maxUnwrap; i++ { - var nerr error - - switch e := err.(type) { - case Causer: - nerr = e.Cause() - - case interface{ Unwrap() error }: - nerr = e.Unwrap() - - case interface{ Ungroup() []error }: - // consider the first error to be the "main" error. - errs := e.Ungroup() - if len(errs) > 0 { - nerr = errs[0] - } - case interface{ Unwrap() []error }: - // consider the first error to be the "main" error. - errs := e.Unwrap() - if len(errs) > 0 { - nerr = errs[0] - } - } - - if nerr == nil { - return err - } - err = nerr - } - - return err -} - -// Classes returns all the classes that have wrapped the error. -func Classes(err error) (classes []*Class) { - IsFunc(err, func(err error) bool { - if e, ok := err.(*errorT); ok { - classes = append(classes, e.class) - } - return false - }) - return classes -} - -// IsFunc checks if any of the underlying errors matches the func -func IsFunc(err error, is func(err error) bool) bool { - for { - if is(err) { - return true - } - - switch u := err.(type) { - case interface{ Unwrap() error }: - err = u.Unwrap() - case Causer: - err = u.Cause() - - case interface{ Ungroup() []error }: - for _, err := range u.Ungroup() { - if IsFunc(err, is) { - return true - } - } - return false - case interface{ Unwrap() []error }: - for _, err := range u.Unwrap() { - if IsFunc(err, is) { - return true - } - } - return false - - default: - return false - } - } -} - -// -// error classes -// - -// Class represents a class of errors. You can construct errors, and check if -// errors are part of the class. -type Class string - -// Has returns true if the passed in error (or any error wrapped by it) has -// this class. -func (c *Class) Has(err error) bool { - return IsFunc(err, func(err error) bool { - errt, ok := err.(*errorT) - return ok && errt.class == c - }) -} - -// New constructs an error with the format string that will be contained by -// this class. This is the same as calling Wrap(fmt.Errorf(...)). -func (c *Class) New(format string, args ...interface{}) error { - return c.create(3, fmt.Errorf(format, args...)) -} - -// Wrap returns a new error based on the passed in error that is contained in -// this class. Wrap returns nil if err is nil. -func (c *Class) Wrap(err error) error { - return c.create(3, err) -} - -// WrapP stores into the error pointer if it contains a non-nil error an error contained -// in this class. WrapP does nothing if the pointer or pointed at error is nil. -func (c *Class) WrapP(err *error) { - if err != nil && *err != nil { - *err = c.create(3, *err) - } -} - -// Instance creates a class membership object which implements the error -// interface and allows errors.Is() to check whether given errors are -// (or contain) an instance of this class. -// -// This makes possible a construct like the following: -// -// if errors.Is(err, MyClass.Instance()) { -// fmt.Printf("err is an instance of MyClass") -// } -// -// ..without requiring the Class type to implement the error interface itself, -// as that would open the door to sundry misunderstandings and misusage. -func (c *Class) Instance() error { - return (*classMembershipChecker)(c) -} - -// create constructs the error, or just adds the class to the error, keeping -// track of the stack if it needs to construct it. -func (c *Class) create(depth int, err error) error { - if err == nil { - return nil - } - - var pcs []uintptr - if err, ok := err.(*errorT); ok { - if c == nil || err.class == c { - return err - } - pcs = err.pcs - } - - errt := &errorT{ - class: c, - err: err, - pcs: pcs, - } - - if errt.pcs == nil { - errt.pcs = make([]uintptr, 64) - n := runtime.Callers(depth, errt.pcs) - errt.pcs = errt.pcs[:n:n] - } - - return errt -} - -type classMembershipChecker Class - -func (cmc *classMembershipChecker) Error() string { - panic("classMembershipChecker used as concrete error! don't do that") -} - -// -// errors -// - -// errorT is the type of errors returned from this package. -type errorT struct { - class *Class - err error - pcs []uintptr -} - -var ( // ensure *errorT implements the helper interfaces. - _ Namer = (*errorT)(nil) - _ Causer = (*errorT)(nil) - _ error = (*errorT)(nil) -) - -// Stack returns the pcs for the stack trace associated with the error. -func (e *errorT) Stack() []uintptr { return e.pcs } - -// errorT implements the error interface. -func (e *errorT) Error() string { - return fmt.Sprintf("%v", e) -} - -// Format handles the formatting of the error. Using a "+" on the format string -// specifier will also write the stack trace. -func (e *errorT) Format(f fmt.State, c rune) { - sep := "" - if e.class != nil && *e.class != "" { - fmt.Fprintf(f, "%s", string(*e.class)) - sep = ": " - } - if text := e.err.Error(); len(text) > 0 { - fmt.Fprintf(f, "%s%v", sep, text) - } - if f.Flag(int('+')) { - summarizeStack(f, e.pcs) - } -} - -// Cause implements the interface wrapping errors were previously -// expected to implement to allow getting at underlying causes. -func (e *errorT) Cause() error { - return e.err -} - -// Unwrap returns the immediate underlying error. -func (e *errorT) Unwrap() error { - return e.err -} - -// Name returns the name for the error, which is the first wrapping class. -func (e *errorT) Name() (string, bool) { - if e.class == nil { - return "", false - } - return string(*e.class), true -} - -// Is determines whether an error is an instance of the given error class. -// -// Use with (*Class).Instance(). -func (e *errorT) Is(err error) bool { - cmc, ok := err.(*classMembershipChecker) - return ok && e.class == (*Class)(cmc) -} - -// summarizeStack writes stack line entries to the writer. -func summarizeStack(w io.Writer, pcs []uintptr) { - frames := runtime.CallersFrames(pcs) - for { - frame, more := frames.Next() - if !more { - return - } - fmt.Fprintf(w, "\n\t%s:%d", frame.Function, frame.Line) - } -} diff --git a/vendor/github.com/zeebo/errs/group.go b/vendor/github.com/zeebo/errs/group.go deleted file mode 100644 index 22b824aaf86..00000000000 --- a/vendor/github.com/zeebo/errs/group.go +++ /dev/null @@ -1,85 +0,0 @@ -package errs - -import ( - "fmt" - "io" -) - -// Group is a list of errors. -type Group []error - -// Combine combines multiple non-empty errors into a single error. -func Combine(errs ...error) error { - var group Group - group.Add(errs...) - return group.Err() -} - -// Add adds non-empty errors to the Group. -func (group *Group) Add(errs ...error) { - for _, err := range errs { - if err != nil { - *group = append(*group, err) - } - } -} - -// Err returns an error containing all of the non-nil errors. -// If there was only one error, it will return it. -// If there were none, it returns nil. -func (group Group) Err() error { - sanitized := group.sanitize() - if len(sanitized) == 0 { - return nil - } - if len(sanitized) == 1 { - return sanitized[0] - } - return combinedError(sanitized) -} - -// sanitize returns group that doesn't contain nil-s -func (group Group) sanitize() Group { - // sanity check for non-nil errors - for i, err := range group { - if err == nil { - sanitized := make(Group, 0, len(group)-1) - sanitized = append(sanitized, group[:i]...) - sanitized.Add(group[i+1:]...) - return sanitized - } - } - - return group -} - -// combinedError is a list of non-empty errors -type combinedError []error - -// Unwrap returns the first error. -func (group combinedError) Unwrap() []error { return group } - -// Error returns error string delimited by semicolons. -func (group combinedError) Error() string { return fmt.Sprintf("%v", group) } - -// Format handles the formatting of the error. Using a "+" on the format -// string specifier will cause the errors to be formatted with "+" and -// delimited by newlines. They are delimited by semicolons otherwise. -func (group combinedError) Format(f fmt.State, c rune) { - delim := "; " - if f.Flag(int('+')) { - io.WriteString(f, "group:\n--- ") - delim = "\n--- " - } - - for i, err := range group { - if i != 0 { - io.WriteString(f, delim) - } - if formatter, ok := err.(fmt.Formatter); ok { - formatter.Format(f, c) - } else { - fmt.Fprintf(f, "%v", err) - } - } -} diff --git a/vendor/github.com/zeebo/errs/is_go1.20.go b/vendor/github.com/zeebo/errs/is_go1.20.go deleted file mode 100644 index 6f8799aa482..00000000000 --- a/vendor/github.com/zeebo/errs/is_go1.20.go +++ /dev/null @@ -1,8 +0,0 @@ -//go:build go1.20 - -package errs - -import "errors" - -// Is checks if any of the underlying errors matches target -func Is(err, target error) bool { return errors.Is(err, target) } diff --git a/vendor/github.com/zeebo/errs/is_go_other.go b/vendor/github.com/zeebo/errs/is_go_other.go deleted file mode 100644 index 92f3b5b61f8..00000000000 --- a/vendor/github.com/zeebo/errs/is_go_other.go +++ /dev/null @@ -1,17 +0,0 @@ -//go:build !go1.20 -// +build !go1.20 - -package errs - -// Is checks if any of the underlying errors matches target -func Is(err, target error) bool { - return IsFunc(err, func(err error) bool { - if err == target { - return true - } - if x, ok := err.(interface{ Is(error) bool }); ok && x.Is(target) { - return true - } - return false - }) -} diff --git a/vendor/modules.txt b/vendor/modules.txt index f267b2899cb..dfe6bf12557 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -382,7 +382,7 @@ github.com/go-jose/go-jose/v3/cipher github.com/go-jose/go-jose/v3/cryptosigner github.com/go-jose/go-jose/v3/json github.com/go-jose/go-jose/v3/jwt -# github.com/go-jose/go-jose/v4 v4.1.1 +# github.com/go-jose/go-jose/v4 v4.1.2 ## explicit; go 1.23.0 github.com/go-jose/go-jose/v4 github.com/go-jose/go-jose/v4/cipher @@ -786,8 +786,8 @@ github.com/sirupsen/logrus # github.com/spf13/pflag v1.0.6 ## explicit; go 1.12 github.com/spf13/pflag -# github.com/spiffe/go-spiffe/v2 v2.5.0 -## explicit; go 1.22.11 +# github.com/spiffe/go-spiffe/v2 v2.6.0 +## explicit; go 1.24.0 github.com/spiffe/go-spiffe/v2/bundle/jwtbundle github.com/spiffe/go-spiffe/v2/bundle/spiffebundle github.com/spiffe/go-spiffe/v2/bundle/x509bundle @@ -828,9 +828,6 @@ github.com/vbatts/tar-split/archive/tar # github.com/x448/float16 v0.8.4 ## explicit; go 1.11 github.com/x448/float16 -# github.com/zeebo/errs v1.4.0 -## explicit; go 1.12 -github.com/zeebo/errs # go.opencensus.io v0.24.0 ## explicit; go 1.13 go.opencensus.io