diff --git a/go.mod b/go.mod
index 3072a0ef0..fd36ff277 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,6 @@ go 1.23.2
 require (
 	github.com/aws/aws-sdk-go v1.55.5
 	github.com/aws/aws-sdk-go-v2 v1.32.2 // indirect
-	github.com/cenkalti/backoff/v3 v3.2.2
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/go-cmp v0.6.0
@@ -58,6 +57,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.15.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0
 	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8
+	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/docker/docker v27.3.1+incompatible
 	github.com/docker/docker-credential-helpers v0.8.2
 	github.com/docker/go-connections v0.5.0
@@ -67,7 +67,7 @@ require (
 	github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.10
 	github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.9
 	github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.10
-	github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.9
+	github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.10
 	github.com/spf13/viper v1.19.0
 	knative.dev/hack/schema v0.0.0-20240607132042-09143140a254
 	knative.dev/pkg v0.0.0-20230612155445-74c4be5e935e
@@ -191,7 +191,7 @@ require (
 	github.com/googleapis/gax-go/v2 v2.13.0 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 // indirect
-	github.com/hashicorp/vault/api v1.14.0 // indirect
+	github.com/hashicorp/vault/api v1.15.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/in-toto/in-toto-golang v0.9.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
diff --git a/go.sum b/go.sum
index b7d139806..beea88b2b 100644
--- a/go.sum
+++ b/go.sum
@@ -226,8 +226,6 @@ github.com/buildkite/roko v1.2.0/go.mod h1:23R9e6nHxgedznkwwfmqZ6+0VJZJZ2Sg/uVcp
 github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA=
 github.com/bytecodealliance/wasmtime-go/v3 v3.0.2/go.mod h1:RnUjnIXxEJcL6BgCvNyzCCRzZcxCgsZCi+RNlvYor5Q=
-github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M=
-github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -537,8 +535,8 @@ github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iP
 github.com/hashicorp/golang-lru v1.0.2/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM=
 github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
-github.com/hashicorp/vault/api v1.14.0 h1:Ah3CFLixD5jmjusOgm8grfN9M0d+Y8fVR2SW0K6pJLU=
-github.com/hashicorp/vault/api v1.14.0/go.mod h1:pV9YLxBGSz+cItFDd8Ii4G17waWOQ32zVjMWHe/cOqk=
+github.com/hashicorp/vault/api v1.15.0 h1:O24FYQCWwhwKnF7CuSqP30S51rTV7vz1iACXE/pj5DA=
+github.com/hashicorp/vault/api v1.15.0/go.mod h1:+5YTO09JGn0u+b6ySD/LLVf8WkJCPLAL2Vkmrn2+CM8=
 github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef h1:A9HsByNhogrvm9cWb28sjiS3i7tcKCkflWFEkHfuAgM=
 github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
@@ -770,8 +768,8 @@ github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.9 h1:eXFm3cte0hvxxYsvG
 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.9/go.mod h1:RYy9GKnFKKwqbg3Uc6rUyhQdichSVkFlfxnY6f7cAWc=
 github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.10 h1:Xre51HdjIIaVo5ox5zyL+6h0tkrx7Ke9Neh7fLmmZK0=
 github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.10/go.mod h1:VNfdklQDbyGJog8S7apdxiEfmYmCkKyxrsCL9xprkTY=
-github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.9 h1:E+bvFTS6uM//iSAeneNj5pubzntQmio/yAKFzmRzzD0=
-github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.9/go.mod h1:0RKVuZXIZAFhT0frfx+GzyrtlesiRK3ceF55nIgkZI4=
+github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.10 h1:HjfjL3x3dP2kaGqQHVog974cTcKfzFaGjfZyLQ9KXrg=
+github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.10/go.mod h1:jaeEjkTW1p3gUyPjz9lTcT4TydCs208FoyAwIs6bIT4=
 github.com/sigstore/timestamp-authority v1.2.2 h1:X4qyutnCQqJ0apMewFyx+3t7Tws00JQ/JonBiu3QvLE=
 github.com/sigstore/timestamp-authority v1.2.2/go.mod h1:nEah4Eq4wpliDjlY342rXclGSO7Kb9hoRrl9tqLW13A=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
diff --git a/third_party/VENDOR-LICENSE/github.com/cenkalti/backoff/v3/LICENSE b/third_party/VENDOR-LICENSE/github.com/cenkalti/backoff/v3/LICENSE
deleted file mode 100644
index 89b817996..000000000
--- a/third_party/VENDOR-LICENSE/github.com/cenkalti/backoff/v3/LICENSE
+++ /dev/null
@@ -1,20 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2014 Cenk Altı
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of
-this software and associated documentation files (the "Software"), to deal in
-the Software without restriction, including without limitation the rights to
-use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-the Software, and to permit persons to whom the Software is furnished to do so,
-subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/client.go b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/client.go
index 52c991b1e..0090321ca 100644
--- a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/client.go
+++ b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/client.go
@@ -10,6 +10,7 @@ import (
 	"crypto/tls"
 	"encoding/base64"
 	"encoding/hex"
+	"encoding/json"
 	"fmt"
 	"net"
 	"net/http"
@@ -41,6 +42,7 @@ const (
 	EnvVaultClientCert = "VAULT_CLIENT_CERT"
 	EnvVaultClientKey = "VAULT_CLIENT_KEY"
 	EnvVaultClientTimeout = "VAULT_CLIENT_TIMEOUT"
+	EnvVaultHeaders = "VAULT_HEADERS"
 	EnvVaultSRVLookup = "VAULT_SRV_LOOKUP"
 	EnvVaultSkipVerify = "VAULT_SKIP_VERIFY"
 	EnvVaultNamespace = "VAULT_NAMESPACE"
@@ -665,6 +667,30 @@ func NewClient(c *Config) (*Client, error) {
 		client.setNamespace(namespace)
 	}
 
+	if envHeaders := os.Getenv(EnvVaultHeaders); envHeaders != "" {
+		var result map[string]any
+		err := json.Unmarshal([]byte(envHeaders), &result)
+		if err != nil {
+			return nil, fmt.Errorf("could not unmarshal environment-supplied headers")
+		}
+		var forbiddenHeaders []string
+		for key, value := range result {
+			if strings.HasPrefix(key, "X-Vault-") {
+				forbiddenHeaders = append(forbiddenHeaders, key)
+				continue
+			}
+
+			value, ok := value.(string)
+			if !ok {
+				return nil, fmt.Errorf("environment-supplied headers include non-string values")
+			}
+			client.AddHeader(key, value)
+		}
+		if len(forbiddenHeaders) > 0 {
+			return nil, fmt.Errorf("failed to setup Headers[%s]: Header starting by 'X-Vault-' are for internal usage only", strings.Join(forbiddenHeaders, ", "))
+		}
+	}
+
 	return client, nil
 }
 
@@ -705,7 +731,7 @@ func (c *Client) SetAddress(addr string) error {
 
 	parsedAddr, err := c.config.ParseAddress(addr)
 	if err != nil {
-		return errwrap.Wrapf("failed to set address: {{err}}", err)
+		return fmt.Errorf("failed to set address: %w", err)
 	}
 
 	c.addr = parsedAddr
diff --git a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/lifetime_watcher.go b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/lifetime_watcher.go
index 4bc1390b9..bdb8fb64b 100644
--- a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/lifetime_watcher.go
+++ b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/lifetime_watcher.go
@@ -10,7 +10,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/cenkalti/backoff/v3"
+	"github.com/cenkalti/backoff/v4"
 )
 
 var (
diff --git a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/request.go b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/request.go
index a2d912c64..c0c8dea73 100644
--- a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/request.go
+++ b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/request.go
@@ -7,7 +7,6 @@ import (
 	"bytes"
 	"encoding/json"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 
@@ -77,13 +76,13 @@ func (r *Request) ToHTTP() (*http.Request, error) {
 		// No body
 
 	case r.BodyBytes != nil:
-		req.Request.Body = ioutil.NopCloser(bytes.NewReader(r.BodyBytes))
+		req.Request.Body = io.NopCloser(bytes.NewReader(r.BodyBytes))
 
 	default:
 		if c, ok := r.Body.(io.ReadCloser); ok {
 			req.Request.Body = c
 		} else {
-			req.Request.Body = ioutil.NopCloser(r.Body)
+			req.Request.Body = io.NopCloser(r.Body)
 		}
 	}
 
diff --git a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/response.go b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/response.go
index 2842c1255..23246bf71 100644
--- a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/response.go
+++ b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/response.go
@@ -8,7 +8,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 )
 
@@ -44,7 +43,7 @@ func (r *Response) Error() error {
 	}
 
 	r.Body.Close()
-	r.Body = ioutil.NopCloser(bodyBuf)
+	r.Body = io.NopCloser(bodyBuf)
 	ns := r.Header.Get(NamespaceHeaderName)
 
 	// Build up the error object
diff --git a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/secret.go b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/secret.go
index d37bf3cf0..7df9f66a4 100644
--- a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/secret.go
+++ b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/secret.go
@@ -159,6 +159,10 @@ TOKEN_DONE:
 		goto DONE
 	}
 
+	if s.Data["identity_policies"] == nil {
+		goto DONE
+	}
+
 	sList, ok := s.Data["identity_policies"].([]string)
 	if ok {
 		identityPolicies = sList
diff --git a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sudo_paths.go b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sudo_paths.go
index 24beb4bb1..d458cbde0 100644
--- a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sudo_paths.go
+++ b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sudo_paths.go
@@ -28,6 +28,7 @@ var sudoPaths = map[string]*regexp.Regexp{
 	"/sys/config/ui/headers": regexp.MustCompile(`^/sys/config/ui/headers/?$`),
 	"/sys/config/ui/headers/{header}": regexp.MustCompile(`^/sys/config/ui/headers/.+$`),
 	"/sys/internal/inspect/router/{tag}": regexp.MustCompile(`^/sys/internal/inspect/router/.+$`),
+	"/sys/internal/counters/activity/export": regexp.MustCompile(`^/sys/internal/counters/activity/export$`),
 	"/sys/leases": regexp.MustCompile(`^/sys/leases$`),
 	// This entry is a bit wrong... sys/leases/lookup does NOT require sudo. But sys/leases/lookup/ with a trailing
 	// slash DOES require sudo. But the part of the Vault CLI that uses this logic doesn't pass operation-appropriate
diff --git a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_raft.go b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_raft.go
index 699f6e9fd..f0e896271 100644
--- a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_raft.go
+++ b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_raft.go
@@ -264,7 +264,7 @@ func (c *Sys) RaftSnapshotWithContext(ctx context.Context, snapWriter io.Writer)
 			continue
 		}
 		var b []byte
-		b, err = ioutil.ReadAll(t)
+		b, err = io.ReadAll(t)
 		if err != nil || len(b) == 0 {
 			return
 		}