diff --git a/go.mod b/go.mod
index 0e065be1a..64ad7f223 100644
--- a/go.mod
+++ b/go.mod
@@ -3,9 +3,9 @@ module github.com/ceph/ceph-csi
go 1.22.0
require (
- github.com/IBM/keyprotect-go-client v0.12.2
- github.com/aws/aws-sdk-go v1.53.14
- github.com/aws/aws-sdk-go-v2/service/sts v1.28.1
+ github.com/IBM/keyprotect-go-client v0.14.1
+ github.com/aws/aws-sdk-go v1.54.6
+ github.com/aws/aws-sdk-go-v2/service/sts v1.29.1
github.com/ceph/ceph-csi/api v0.0.0-00010101000000-000000000000
github.com/ceph/go-ceph v0.28.0
github.com/container-storage-interface/spec v1.9.0
@@ -16,14 +16,14 @@ require (
github.com/google/uuid v1.6.0
github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
- github.com/hashicorp/vault/api v1.12.0
- github.com/kubernetes-csi/csi-lib-utils v0.17.0
+ github.com/hashicorp/vault/api v1.14.0
+ github.com/kubernetes-csi/csi-lib-utils v0.18.1
github.com/kubernetes-csi/external-snapshotter/client/v7 v7.0.0
github.com/libopenstorage/secrets v0.0.0-20231011182615-5f4b25ceede1
- github.com/onsi/ginkgo/v2 v2.17.1
- github.com/onsi/gomega v1.32.0
+ github.com/onsi/ginkgo/v2 v2.19.0
+ github.com/onsi/gomega v1.33.1
github.com/pkg/xattr v0.4.9
- github.com/prometheus/client_golang v1.18.0
+ github.com/prometheus/client_golang v1.19.1
github.com/stretchr/testify v1.9.0
golang.org/x/crypto v0.24.0
golang.org/x/net v0.26.0
@@ -46,7 +46,7 @@ require (
)
require (
- github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0
+ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0
)
@@ -60,12 +60,12 @@ require (
github.com/ansel1/merry/v2 v2.0.1 // indirect
github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
- github.com/aws/aws-sdk-go-v2 v1.25.2 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2 // indirect
- github.com/aws/smithy-go v1.20.1 // indirect
+ github.com/aws/aws-sdk-go-v2 v1.30.0 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 // indirect
+ github.com/aws/smithy-go v1.20.2 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect
github.com/cenkalti/backoff/v3 v3.2.2 // indirect
@@ -82,13 +82,13 @@ require (
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/gemalto/flume v0.13.0 // indirect
github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 // indirect
- github.com/go-jose/go-jose/v3 v3.0.3 // indirect
+ github.com/go-jose/go-jose/v4 v4.0.1 // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/jsonpointer v0.19.6 // indirect
github.com/go-openapi/jsonreference v0.20.2 // indirect
github.com/go-openapi/swag v0.22.3 // indirect
- github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+ github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
@@ -96,7 +96,7 @@ require (
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
- github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
+ github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect
github.com/gorilla/websocket v1.5.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -119,7 +119,6 @@ require (
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
- github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
@@ -136,7 +135,7 @@ require (
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/prometheus/client_model v0.5.0 // indirect
- github.com/prometheus/common v0.45.0 // indirect
+ github.com/prometheus/common v0.48.0 // indirect
github.com/prometheus/procfs v0.12.0 // indirect
github.com/ryanuber/go-glob v1.0.0 // indirect
github.com/sirupsen/logrus v1.9.0 // indirect
diff --git a/go.sum b/go.sum
index c3ad05fa3..0ba3f6952 100644
--- a/go.sum
+++ b/go.sum
@@ -761,8 +761,8 @@ git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3p
github.com/Azure/azure-sdk-for-go v62.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 h1:U2rTu3Ef+7w9FHKIAXM6ZyqF3UOWJZ12zIm8zECAFfg=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH5sE0o6eCJuNDTmH09nDpbc=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 h1:jBQA3cKT4L2rWMpgE7Yt3Hwh2aUj8KXjIGLxjHeYNNo=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0/go.mod h1:4OG6tQ9EOP/MT0NMjDlRzWoVFxfu9rN9B2X+tlSVktg=
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0 h1:h4Zxgmi9oyZL2l8jeg1iRTqPloHktywWcu0nlJmo1tA=
@@ -786,8 +786,8 @@ github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
github.com/IBM/keyprotect-go-client v0.5.1/go.mod h1:5TwDM/4FRJq1ZOlwQL1xFahLWQ3TveR88VmL1u3njyI=
-github.com/IBM/keyprotect-go-client v0.12.2 h1:Cjxcqin9Pl0xz3MnxdiVd4v/eIa79xL3hQpSbwOr/DQ=
-github.com/IBM/keyprotect-go-client v0.12.2/go.mod h1:yr8h2noNgU8vcbs+vhqoXp3Lmv73PI0zAc6VMgFvWwM=
+github.com/IBM/keyprotect-go-client v0.14.1 h1:FSBJ3l6GKCuB3CoQPvVy94lOzYTKpjov8WdSDt5Ercs=
+github.com/IBM/keyprotect-go-client v0.14.1/go.mod h1:cAt714Vnwnd03mmkBHHSJlDNRVthdRmJB6RePd4/B8Q=
github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg=
github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
@@ -834,22 +834,22 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkY
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA=
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
github.com/aws/aws-sdk-go v1.44.164/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
-github.com/aws/aws-sdk-go v1.53.14 h1:SzhkC2Pzag0iRW8WBb80RzKdGXDydJR9LAMs2GyKJ2M=
-github.com/aws/aws-sdk-go v1.53.14/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
-github.com/aws/aws-sdk-go-v2 v1.25.2 h1:/uiG1avJRgLGiQM9X3qJM8+Qa6KRGK5rRPuXE0HUM+w=
-github.com/aws/aws-sdk-go-v2 v1.25.2/go.mod h1:Evoc5AsmtveRt1komDwIsjHFyrP5tDuF1D1U+6z6pNo=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2 h1:bNo4LagzUKbjdxE0tIcR9pMzLR2U/Tgie1Hq1HQ3iH8=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2/go.mod h1:wRQv0nN6v9wDXuWThpovGQjqF1HFdcgWjporw14lS8k=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2 h1:EtOU5jsPdIQNP+6Q2C5e3d65NKT1PeCiQk+9OdzO12Q=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2/go.mod h1:tyF5sKccmDz0Bv4NrstEr+/9YkSPJHrcO7UsUKf7pWM=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 h1:EyBZibRTVAs6ECHZOw5/wlylS9OcTzwyjeQMudmREjE=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1/go.mod h1:JKpmtYhhPs7D97NL/ltqz7yCkERFW5dOlHyVl66ZYF8=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2 h1:5ffmXjPtwRExp1zc7gENLgCPyHFbhEPwVTkTiH9niSk=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2/go.mod h1:Ru7vg1iQ7cR4i7SZ/JTLYN9kaXtbL69UdgG0OQWQxW0=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.1 h1:3I2cBEYgKhrWlwyZgfpSO2BpaMY1LHPqXYk/QGlu2ew=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.1/go.mod h1:uQ7YYKZt3adCRrdCBREm1CD3efFLOUNH77MrUCvx5oA=
-github.com/aws/smithy-go v1.20.1 h1:4SZlSlMr36UEqC7XOyRVb27XMeZubNcBNN+9IgEPIQw=
-github.com/aws/smithy-go v1.20.1/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
+github.com/aws/aws-sdk-go v1.54.6 h1:HEYUib3yTt8E6vxjMWM3yAq5b+qjj/6aKA62mkgux9g=
+github.com/aws/aws-sdk-go v1.54.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
+github.com/aws/aws-sdk-go-v2 v1.30.0 h1:6qAwtzlfcTtcL8NHtbDQAqgM5s6NDipQTkPxyH/6kAA=
+github.com/aws/aws-sdk-go-v2 v1.30.0/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 h1:SJ04WXGTwnHlWIODtC5kJzKbeuHt+OUNOgKg7nfnUGw=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12/go.mod h1:FkpvXhA92gb3GE9LD6Og0pHHycTxW7xGpnEh5E7Opwo=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 h1:hb5KgeYfObi5MHkSSZMEudnIvX30iB+E21evI4r6BnQ=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12/go.mod h1:CroKe/eWJdyfy9Vx4rljP5wTUjNJfb+fPz1uMYUhEGM=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 h1:zSDPny/pVnkqABXYRicYuPf9z2bTqfH13HT3v6UheIk=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14/go.mod h1:3TTcI5JSzda1nw/pkVC9dhgLre0SNBFj2lYS4GctXKI=
+github.com/aws/aws-sdk-go-v2/service/sts v1.29.1 h1:myX5CxqXE0QMZNja6FA1/FSE3Vu1rVmeUmpJMMzeZg0=
+github.com/aws/aws-sdk-go-v2/service/sts v1.29.1/go.mod h1:N2mQiucsO0VwK9CYuS4/c2n6Smeh1v47Rz3dWCPFLdE=
+github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
+github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
@@ -1000,8 +1000,8 @@ github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
-github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
-github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
+github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=
+github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
@@ -1043,8 +1043,9 @@ github.com/go-pdf/fpdf v0.5.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhO
github.com/go-pdf/fpdf v0.6.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M=
github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM=
github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
@@ -1165,8 +1166,9 @@ github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLe
github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg=
+github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
github.com/google/s2a-go v0.1.0/go.mod h1:OJpEgntRZo8ugHpF9hkoLJbS5dSI20XZeXJ9JVywLlM=
github.com/google/s2a-go v0.1.3/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
@@ -1268,8 +1270,8 @@ github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0m
github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
github.com/hashicorp/vault/api v1.10.0/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8=
-github.com/hashicorp/vault/api v1.12.0 h1:meCpJSesvzQyao8FCOgk2fGdoADAnbDu2WPJN1lDLJ4=
-github.com/hashicorp/vault/api v1.12.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck=
+github.com/hashicorp/vault/api v1.14.0 h1:Ah3CFLixD5jmjusOgm8grfN9M0d+Y8fVR2SW0K6pJLU=
+github.com/hashicorp/vault/api v1.14.0/go.mod h1:pV9YLxBGSz+cItFDd8Ii4G17waWOQ32zVjMWHe/cOqk=
github.com/hashicorp/vault/api/auth/approle v0.5.0 h1:a1TK6VGwYqSAfkmX4y4dJ4WBxMU5dStIZqScW4EPXR8=
github.com/hashicorp/vault/api/auth/approle v0.5.0/go.mod h1:CHOQIA1AZACfjTzHggmyfiOZ+xCSKNRFqe48FTCzH0k=
github.com/hashicorp/vault/api/auth/kubernetes v0.5.0 h1:CXO0fD7M3iCGovP/UApeHhPcH4paDFKcu7AjEXi94rI=
@@ -1333,8 +1335,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kubernetes-csi/csi-lib-utils v0.17.0 h1:xEpJ3WYgMyyYF6fvcKHh4cDRtknuTkBS9rG8bYoLTCU=
-github.com/kubernetes-csi/csi-lib-utils v0.17.0/go.mod h1:2Ba5/aQgUjbpqyC2uCcFwMF3rnPVs5jhZXm8jAzcT9Q=
+github.com/kubernetes-csi/csi-lib-utils v0.18.1 h1:vpg1kbQ6lFVCz7mY71zcqVE7W0GAQXXBoFfHvbW3gdw=
+github.com/kubernetes-csi/csi-lib-utils v0.18.1/go.mod h1:PIcn27zmbY0KBue4JDdZVfDF56tjcS3jKroZPi+pMoY=
github.com/kubernetes-csi/external-snapshotter/client/v4 v4.0.0/go.mod h1:YBCo4DoEeDndqvAn6eeu0vWM7QdXmHEeI9cFWplmBys=
github.com/kubernetes-csi/external-snapshotter/client/v7 v7.0.0 h1:j3YK74myEQRxR/srciTpOrm221SAvz6J5OVWbyfeXFo=
github.com/kubernetes-csi/external-snapshotter/client/v7 v7.0.0/go.mod h1:FlyYFe32mPxKEPaRXKNxfX576d1AoCzstYDoOOnyMA4=
@@ -1375,8 +1377,6 @@ github.com/mattn/go-sqlite3 v1.14.14/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4
github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
-github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=
-github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
@@ -1442,8 +1442,8 @@ github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7
github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
github.com/onsi/ginkgo/v2 v2.13.2/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM=
github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM=
-github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8=
-github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
+github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA=
+github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To=
github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
@@ -1465,8 +1465,8 @@ github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3ev
github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
github.com/onsi/gomega v1.31.0/go.mod h1:DW9aCi7U6Yi40wNVAvT6kzFnEVEI5n3DloYBiKiT6zk=
-github.com/onsi/gomega v1.32.0 h1:JRYU78fJ1LPxlckP6Txi/EYqJvjtMrDC04/MM5XRHPk=
-github.com/onsi/gomega v1.32.0/go.mod h1:a4x4gW6Pz2yK1MAmvluYme5lvYTn61afQ2ETw/8n4Lg=
+github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
+github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
@@ -1522,8 +1522,8 @@ github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrb
github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y=
github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk=
github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc=
-github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk=
-github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA=
+github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
+github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -1542,8 +1542,8 @@ github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+
github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA=
github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc=
github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
-github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM=
-github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY=
+github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE=
+github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc=
github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
index 6d4b6feb8..a8c2feb6d 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
@@ -1,5 +1,29 @@
# Release History
+## 1.7.0 (2024-06-20)
+
+### Features Added
+* `AzurePipelinesCredential` authenticates an Azure Pipelines service connection with
+ workload identity federation
+
+### Breaking Changes
+> These changes affect only code written against a beta version such as v1.7.0-beta.1
+* Removed the persistent token caching API. It will return in v1.8.0-beta.1
+
+## 1.7.0-beta.1 (2024-06-10)
+
+### Features Added
+* Restored `AzurePipelinesCredential` and persistent token caching API
+
+## Breaking Changes
+> These changes affect only code written against a beta version such as v1.6.0-beta.4
+* Values which `NewAzurePipelinesCredential` read from environment variables in
+ prior versions are now parameters
+* Renamed `AzurePipelinesServiceConnectionCredentialOptions` to `AzurePipelinesCredentialOptions`
+
+### Bugs Fixed
+* Managed identity bug fixes
+
## 1.6.0 (2024-06-10)
### Features Added
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/README.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/README.md
index b5acff0e6..7e201ea2f 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/README.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/README.md
@@ -140,6 +140,7 @@ client := armresources.NewResourceGroupsClient("subscription ID", chain, nil)
|Credential|Usage
|-|-
+|[AzurePipelinesCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#AzurePipelinesCredential)|Authenticate an Azure Pipelines [service connection](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml)
|[ClientAssertionCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientAssertionCredential)|Authenticate a service principal with a signed client assertion
|[ClientCertificateCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientCertificateCredential)|Authenticate a service principal with a certificate
|[ClientSecretCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientSecretCredential)|Authenticate a service principal with a secret
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TOKEN_CACHING.MD b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TOKEN_CACHING.MD
index f9cc48943..fbaa29220 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TOKEN_CACHING.MD
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TOKEN_CACHING.MD
@@ -57,6 +57,7 @@ The following table indicates the state of in-memory and persistent caching in e
|--------------------------------|---------------------------------------------------------------------|--------------------------|
| `AzureCLICredential` | Not Supported | Not Supported |
| `AzureDeveloperCLICredential` | Not Supported | Not Supported |
+| `AzurePipelinesCredential` | Supported | Supported |
| `ClientAssertionCredential` | Supported | Supported |
| `ClientCertificateCredential` | Supported | Supported |
| `ClientSecretCredential` | Supported | Supported |
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
index 3564e685e..54016a070 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
@@ -10,6 +10,7 @@ This troubleshooting guide covers failure investigation techniques, common error
- [Enable and configure logging](#enable-and-configure-logging)
- [Troubleshoot AzureCLICredential authentication issues](#troubleshoot-azureclicredential-authentication-issues)
- [Troubleshoot AzureDeveloperCLICredential authentication issues](#troubleshoot-azuredeveloperclicredential-authentication-issues)
+- [Troubleshoot AzurePipelinesCredential authentication issues](#troubleshoot-azurepipelinescredential-authentication-issues)
- [Troubleshoot ClientCertificateCredential authentication issues](#troubleshoot-clientcertificatecredential-authentication-issues)
- [Troubleshoot ClientSecretCredential authentication issues](#troubleshoot-clientsecretcredential-authentication-issues)
- [Troubleshoot DefaultAzureCredential authentication issues](#troubleshoot-defaultazurecredential-authentication-issues)
@@ -226,6 +227,15 @@ azd auth token --output json --scope https://management.core.windows.net/.defaul
|---|---|---|
|no client ID/tenant ID/token file specified|Incomplete configuration|In most cases these values are provided via environment variables set by Azure Workload Identity.
- If your application runs on Azure Kubernetes Servide (AKS) or a cluster that has deployed the Azure Workload Identity admission webhook, check pod labels and service account configuration. See the [AKS documentation](https://learn.microsoft.com/azure/aks/workload-identity-deploy-cluster#disable-workload-identity) and [Azure Workload Identity troubleshooting guide](https://azure.github.io/azure-workload-identity/docs/troubleshooting.html) for more details.
- If your application isn't running on AKS or your cluster hasn't deployed the Workload Identity admission webhook, set these values in `WorkloadIdentityCredentialOptions`
+
+## Troubleshoot AzurePipelinesCredential authentication issues
+
+| Error Message |Description| Mitigation |
+|---|---|---|
+| AADSTS900023: Specified tenant identifier 'some tenant ID' is neither a valid DNS name, nor a valid external domain.|The `tenantID` argument to `NewAzurePipelinesCredential` is incorrect| Verify the tenant ID. It must identify the tenant of the user-assigned managed identity or service principal configured for the service connection.|
+| No service connection found with identifier |The `serviceConnectionID` argument to `NewAzurePipelinesCredential` is incorrect| Verify the service connection ID. This parameter refers to the `resourceId` of the Azure Service Connection. It can also be found in the query string of the service connection's configuration in Azure DevOps. [Azure Pipelines documentation](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml) has more information about service connections.|
+|302 (Found) response from OIDC endpoint|The `systemAccessToken` argument to `NewAzurePipelinesCredential` is incorrect|Check pipeline configuration. This value comes from the predefined variable `System.AccessToken` [as described in Azure Pipelines documentation](https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken).|
+
## Get additional help
Additional information on ways to reach out for support can be found in [SUPPORT.md](https://github.com/Azure/azure-sdk-for-go/blob/main/SUPPORT.md).
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_pipelines_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_pipelines_credential.go
index 2655543ae..80c1806bb 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_pipelines_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_pipelines_credential.go
@@ -19,21 +19,20 @@ import (
const (
credNameAzurePipelines = "AzurePipelinesCredential"
oidcAPIVersion = "7.1"
- systemAccessToken = "SYSTEM_ACCESSTOKEN"
systemOIDCRequestURI = "SYSTEM_OIDCREQUESTURI"
)
-// azurePipelinesCredential authenticates with workload identity federation in an Azure Pipeline. See
+// AzurePipelinesCredential authenticates with workload identity federation in an Azure Pipeline. See
// [Azure Pipelines documentation] for more information.
//
// [Azure Pipelines documentation]: https://learn.microsoft.com/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#create-an-azure-resource-manager-service-connection-that-uses-workload-identity-federation
-type azurePipelinesCredential struct {
+type AzurePipelinesCredential struct {
connectionID, oidcURI, systemAccessToken string
cred *ClientAssertionCredential
}
-// azurePipelinesCredentialOptions contains optional parameters for AzurePipelinesCredential.
-type azurePipelinesCredentialOptions struct {
+// AzurePipelinesCredentialOptions contains optional parameters for AzurePipelinesCredential.
+type AzurePipelinesCredentialOptions struct {
azcore.ClientOptions
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
@@ -48,28 +47,39 @@ type azurePipelinesCredentialOptions struct {
DisableInstanceDiscovery bool
}
-// newAzurePipelinesCredential is the constructor for AzurePipelinesCredential. In addition to its required arguments,
-// it reads a security token for the running build, which is required to authenticate the service connection, from the
-// environment variable SYSTEM_ACCESSTOKEN. See the [Azure Pipelines documentation] for an example showing how to set
-// this variable in build job YAML.
+// NewAzurePipelinesCredential is the constructor for AzurePipelinesCredential.
+//
+// - tenantID: tenant ID of the service principal federated with the service connection
+// - clientID: client ID of that service principal
+// - serviceConnectionID: ID of the service connection to authenticate
+// - systemAccessToken: security token for the running build. See [Azure Pipelines documentation] for
+// an example showing how to get this value.
//
// [Azure Pipelines documentation]: https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken
-func newAzurePipelinesCredential(tenantID, clientID, serviceConnectionID string, options *azurePipelinesCredentialOptions) (*azurePipelinesCredential, error) {
- if options == nil {
- options = &azurePipelinesCredentialOptions{}
+func NewAzurePipelinesCredential(tenantID, clientID, serviceConnectionID, systemAccessToken string, options *AzurePipelinesCredentialOptions) (*AzurePipelinesCredential, error) {
+ if !validTenantID(tenantID) {
+ return nil, errInvalidTenantID
+ }
+ if clientID == "" {
+ return nil, errors.New("no client ID specified")
+ }
+ if serviceConnectionID == "" {
+ return nil, errors.New("no service connection ID specified")
+ }
+ if systemAccessToken == "" {
+ return nil, errors.New("no system access token specified")
}
u := os.Getenv(systemOIDCRequestURI)
if u == "" {
return nil, fmt.Errorf("no value for environment variable %s. This should be set by Azure Pipelines", systemOIDCRequestURI)
}
- sat := os.Getenv(systemAccessToken)
- if sat == "" {
- return nil, errors.New("no value for environment variable " + systemAccessToken)
- }
- a := azurePipelinesCredential{
+ a := AzurePipelinesCredential{
connectionID: serviceConnectionID,
oidcURI: u,
- systemAccessToken: sat,
+ systemAccessToken: systemAccessToken,
+ }
+ if options == nil {
+ options = &AzurePipelinesCredentialOptions{}
}
caco := ClientAssertionCredentialOptions{
AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
@@ -86,7 +96,7 @@ func newAzurePipelinesCredential(tenantID, clientID, serviceConnectionID string,
}
// GetToken requests an access token from Microsoft Entra ID. Azure SDK clients call this method automatically.
-func (a *azurePipelinesCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
+func (a *AzurePipelinesCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
var err error
ctx, endSpan := runtime.StartSpan(ctx, credNameAzurePipelines+"."+traceOpGetToken, a.cred.client.azClient.Tracer(), nil)
defer func() { endSpan(err) }()
@@ -94,7 +104,7 @@ func (a *azurePipelinesCredential) GetToken(ctx context.Context, opts policy.Tok
return tk, err
}
-func (a *azurePipelinesCredential) getAssertion(ctx context.Context) (string, error) {
+func (a *AzurePipelinesCredential) getAssertion(ctx context.Context) (string, error) {
url := a.oidcURI + "?api-version=" + oidcAPIVersion + "&serviceConnectionId=" + a.connectionID
url, err := runtime.EncodeQueryParams(url)
if err != nil {
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
index 698650bbb..35fa01d13 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
@@ -83,6 +83,8 @@ func (e *AuthenticationFailedError) Error() string {
anchor = "azure-cli"
case credNameAzureDeveloperCLI:
anchor = "azd"
+ case credNameAzurePipelines:
+ anchor = "apc"
case credNameCert:
anchor = "client-cert"
case credNameSecret:
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
index 459ef64c6..4305b5d3d 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
@@ -14,5 +14,5 @@ const (
module = "github.com/Azure/azure-sdk-for-go/sdk/" + component
// Version is the semantic version (see http://semver.org) of this module.
- version = "v1.6.0"
+ version = "v1.7.0"
)
diff --git a/vendor/github.com/IBM/keyprotect-go-client/.travis.yml b/vendor/github.com/IBM/keyprotect-go-client/.travis.yml
index 617e89bf1..cd1e42aa3 100644
--- a/vendor/github.com/IBM/keyprotect-go-client/.travis.yml
+++ b/vendor/github.com/IBM/keyprotect-go-client/.travis.yml
@@ -1,6 +1,6 @@
language: go
-dist: bionic
+dist: jammy
go:
- 1.17.x
@@ -13,7 +13,6 @@ env:
before_install:
- sudo apt-get update
- - pyenv global 3.8
before_script:
- GO111MODULE=off go get -u github.com/haya14busa/goverage
@@ -27,6 +26,9 @@ script:
- $GOPATH/bin/goverage -v -race -coverprofile=cover.out $(go list ./... | grep -v '/vendor|/scripts')
- go tool cover -func=cover.out
- go tool cover -html=cover.out -o=cover.html
+ # these steps are to make sure that node will properly install for semantic release.
+ - nvm install node
+ - npm install -g npm
# To enable semantic-release, uncomment these sections.
before_deploy:
diff --git a/vendor/github.com/IBM/keyprotect-go-client/CONTRIBUTING.md b/vendor/github.com/IBM/keyprotect-go-client/CONTRIBUTING.md
index 3f9ac45dc..26698bbd7 100644
--- a/vendor/github.com/IBM/keyprotect-go-client/CONTRIBUTING.md
+++ b/vendor/github.com/IBM/keyprotect-go-client/CONTRIBUTING.md
@@ -11,6 +11,10 @@ please open a [Github Issue](https://github.com/IBM/keyprotect-go-client/issues)
For your pull request to be merged, it must meet the criteria of a "correct patch", and also
be fully reviewed and approved by two Maintainer level contributors.
+The PR should be named with the proper prefix to satisfy the semantic release.
+- `fix(build):` for patch version bump (0.0.x)
+- `feat(build):` for minor version bump (0.x.0)
+- `perf(build):` for major version bump (x.0.0)
A correct patch is defined as the following:
diff --git a/vendor/github.com/IBM/keyprotect-go-client/instances.go b/vendor/github.com/IBM/keyprotect-go-client/instances.go
index 598de0909..f83fcf233 100644
--- a/vendor/github.com/IBM/keyprotect-go-client/instances.go
+++ b/vendor/github.com/IBM/keyprotect-go-client/instances.go
@@ -61,14 +61,14 @@ type PolicyData struct {
// Attributes contains the details of an instance policy
type Attributes struct {
- AllowedNetwork *string `json:"allowed_network,omitempty"`
- AllowedIP IPAddresses `json:"allowed_ip,omitempty"`
- CreateRootKey *bool `json:"create_root_key,omitempty"`
- CreateStandardKey *bool `json:"create_standard_key,omitempty"`
- ImportRootKey *bool `json:"import_root_key,omitempty"`
- ImportStandardKey *bool `json:"import_standard_key,omitempty"`
- EnforceToken *bool `json:"enforce_token,omitempty"`
- IntervalMonth *int `json:"interval_month,omitempty"`
+ AllowedNetwork *string `json:"allowed_network,omitempty"`
+ AllowedIP *IPAddresses `json:"allowed_ip,omitempty"`
+ CreateRootKey *bool `json:"create_root_key,omitempty"`
+ CreateStandardKey *bool `json:"create_standard_key,omitempty"`
+ ImportRootKey *bool `json:"import_root_key,omitempty"`
+ ImportStandardKey *bool `json:"import_standard_key,omitempty"`
+ EnforceToken *bool `json:"enforce_token,omitempty"`
+ IntervalMonth *int `json:"interval_month,omitempty"`
}
// IPAddresses ...
@@ -313,7 +313,8 @@ func (c *Client) SetAllowedIPInstancePolicy(ctx context.Context, enable bool, al
// The IP address validation is performed by the key protect service.
if enable && len(allowedIPs) != 0 {
policy.PolicyData.Attributes = &Attributes{}
- policy.PolicyData.Attributes.AllowedIP = allowedIPs
+ ips := IPAddresses(allowedIPs)
+ policy.PolicyData.Attributes.AllowedIP = &ips
} else if enable && len(allowedIPs) == 0 {
return fmt.Errorf("Please provide at least 1 IP subnet specified with CIDR notation")
} else if !enable && len(allowedIPs) != 0 {
@@ -445,17 +446,21 @@ type AllowedNetworkPolicyData struct {
// AllowedIPPolicyData defines the attribute input for the Allowed IP instance policy
type AllowedIPPolicyData struct {
Enabled bool
- IPAddresses IPAddresses
+ IPAddresses *IPAddresses
}
// KeyAccessInstancePolicyData defines the attribute input for the Key Create Import Access instance policy
type KeyCreateImportAccessInstancePolicy struct {
- Enabled bool
- CreateRootKey bool
- CreateStandardKey bool
- ImportRootKey bool
- ImportStandardKey bool
- EnforceToken bool
+ Enabled bool
+ Attributes *KeyCreateImportAccessInstancePolicyAttributes
+}
+
+type KeyCreateImportAccessInstancePolicyAttributes struct {
+ CreateRootKey *bool
+ CreateStandardKey *bool
+ ImportRootKey *bool
+ ImportStandardKey *bool
+ EnforceToken *bool
}
type RotationPolicyData struct {
@@ -492,6 +497,7 @@ func (c *Client) SetInstancePolicies(ctx context.Context, policies MultiplePolic
PolicyType: AllowedNetwork,
PolicyData: PolicyData{
Enabled: &(policies.AllowedNetwork.Enabled),
+ // due to legacy reasons, the allowed_network policy requires attribute to always be specified
Attributes: &Attributes{
AllowedNetwork: &(policies.AllowedNetwork.Network),
},
@@ -527,16 +533,19 @@ func (c *Client) SetInstancePolicies(ctx context.Context, policies MultiplePolic
policy := InstancePolicy{
PolicyType: KeyCreateImportAccess,
PolicyData: PolicyData{
- Enabled: &(policies.KeyCreateImportAccess.Enabled),
- Attributes: &Attributes{},
+ Enabled: &(policies.KeyCreateImportAccess.Enabled),
},
}
- policy.PolicyData.Attributes.CreateRootKey = &policies.KeyCreateImportAccess.CreateRootKey
- policy.PolicyData.Attributes.CreateStandardKey = &policies.KeyCreateImportAccess.CreateStandardKey
- policy.PolicyData.Attributes.ImportRootKey = &policies.KeyCreateImportAccess.ImportRootKey
- policy.PolicyData.Attributes.ImportStandardKey = &policies.KeyCreateImportAccess.ImportStandardKey
- policy.PolicyData.Attributes.EnforceToken = &policies.KeyCreateImportAccess.EnforceToken
+ if attr := policies.KeyCreateImportAccess.Attributes; attr != nil {
+ policy.PolicyData.Attributes = &Attributes{
+ CreateRootKey: attr.CreateRootKey,
+ CreateStandardKey: attr.CreateStandardKey,
+ ImportRootKey: attr.ImportRootKey,
+ ImportStandardKey: attr.ImportStandardKey,
+ EnforceToken: attr.EnforceToken,
+ }
+ }
resPolicies = append(resPolicies, policy)
}
diff --git a/vendor/github.com/IBM/keyprotect-go-client/key_rings.go b/vendor/github.com/IBM/keyprotect-go-client/key_rings.go
index a88961c9a..3e5f3ecb0 100644
--- a/vendor/github.com/IBM/keyprotect-go-client/key_rings.go
+++ b/vendor/github.com/IBM/keyprotect-go-client/key_rings.go
@@ -9,7 +9,7 @@ import (
)
const (
- path = "key_rings"
+ keyRingPath = "key_rings"
)
type KeyRing struct {
@@ -28,7 +28,7 @@ type KeyRings struct {
// https://cloud.ibm.com/docs/key-protect?topic=key-protect-managing-key-rings#create-key-ring-api
func (c *Client) CreateKeyRing(ctx context.Context, id string) error {
- req, err := c.newRequest("POST", fmt.Sprintf(path+"/%s", id), nil)
+ req, err := c.newRequest("POST", fmt.Sprintf(keyRingPath+"/%s", id), nil)
if err != nil {
return err
}
@@ -46,7 +46,7 @@ func (c *Client) CreateKeyRing(ctx context.Context, id string) error {
// https://cloud.ibm.com/docs/key-protect?topic=key-protect-managing-key-rings#list-key-ring-api
func (c *Client) GetKeyRings(ctx context.Context) (*KeyRings, error) {
rings := KeyRings{}
- req, err := c.newRequest("GET", path, nil)
+ req, err := c.newRequest("GET", keyRingPath, nil)
if err != nil {
return nil, err
}
@@ -73,7 +73,7 @@ func WithForce(force bool) DeleteKeyRingQueryOption {
// For information please refer to the link below:
// https://cloud.ibm.com/docs/key-protect?topic=key-protect-managing-key-rings#delete-key-ring-api
func (c *Client) DeleteKeyRing(ctx context.Context, id string, opts ...DeleteKeyRingQueryOption) error {
- req, err := c.newRequest("DELETE", fmt.Sprintf(path+"/%s", id), nil)
+ req, err := c.newRequest("DELETE", fmt.Sprintf(keyRingPath+"/%s", id), nil)
for _, opt := range opts {
opt(req)
}
diff --git a/vendor/github.com/IBM/keyprotect-go-client/kmip_mgmt_adapters.go b/vendor/github.com/IBM/keyprotect-go-client/kmip_mgmt_adapters.go
new file mode 100644
index 000000000..4a85a868a
--- /dev/null
+++ b/vendor/github.com/IBM/keyprotect-go-client/kmip_mgmt_adapters.go
@@ -0,0 +1,164 @@
+package kp
+
+import (
+ "context"
+ "fmt"
+ "time"
+)
+
+const (
+ kmipAdapterPath = "kmip_adapters"
+ kmipAdapterType = "application/vnd.ibm.kms.kmip_adapter+json"
+)
+
+type KMIPAdapter struct {
+ ID string `json:"id,omitempty"`
+ Profile string `json:"profile,omitempty"`
+ ProfileData map[string]string `json:"profile_data,omitempty"`
+ Name string `json:"name,omitempty"`
+ Description string `json:"description"`
+ CreatedBy string `json:"created_by,omitempty"`
+ CreatedAt *time.Time `json:"created_at,omitempty"`
+ UpdatedBy string `json:"updated_by,omitempty"`
+ UpdatedAt *time.Time `json:"updated_at,omitempty"`
+}
+
+type KMIPAdapters struct {
+ Metadata CollectionMetadata `json:"metadata"`
+ Adapters []KMIPAdapter `json:"resources"`
+}
+
+const (
+ KMIP_Profile_Native = "native_1.0"
+)
+
+// CreateKMIPAdapter method creates a KMIP Adapter with the specified profile.
+func (c *Client) CreateKMIPAdapter(ctx context.Context, profileOpt CreateKMIPAdapterProfile, options ...CreateKMIPAdapterOption) (*KMIPAdapter, error) {
+ newAdapter := &KMIPAdapter{}
+ profileOpt(newAdapter)
+ for _, opt := range options {
+ opt(newAdapter)
+ }
+ req, err := c.newRequest("POST", kmipAdapterPath, wrapKMIPAdapter(*newAdapter))
+ if err != nil {
+ return nil, err
+ }
+
+ create_resp := &KMIPAdapters{}
+ _, err = c.do(ctx, req, create_resp)
+ if err != nil {
+ return nil, err
+ }
+ return unwrapKMIPAdapterResp(create_resp), nil
+}
+
+// Functions to be passed into the CreateKMIPAdapter() method to specify specific fields.
+type CreateKMIPAdapterOption func(*KMIPAdapter)
+type CreateKMIPAdapterProfile func(*KMIPAdapter)
+
+func WithKMIPAdapterName(name string) CreateKMIPAdapterOption {
+ return func(adapter *KMIPAdapter) {
+ adapter.Name = name
+ }
+}
+
+func WithKMIPAdapterDescription(description string) CreateKMIPAdapterOption {
+ return func(adapter *KMIPAdapter) {
+ adapter.Description = description
+ }
+}
+
+func WithNativeProfile(crkID string) CreateKMIPAdapterProfile {
+ return func(adapter *KMIPAdapter) {
+ adapter.Profile = KMIP_Profile_Native
+
+ adapter.ProfileData = map[string]string{
+ "crk_id": crkID,
+ }
+ }
+}
+
+type ListKmipAdaptersOptions struct {
+ Limit *uint32
+ Offset *uint32
+ TotalCount *bool
+ CrkID *string
+}
+
+// GetKMIPAdapters method lists KMIP Adapters associated with a specific KP instance.
+func (c *Client) GetKMIPAdapters(ctx context.Context, listOpts *ListKmipAdaptersOptions) (*KMIPAdapters, error) {
+ adapters := KMIPAdapters{}
+ req, err := c.newRequest("GET", kmipAdapterPath, nil)
+ if err != nil {
+ return nil, err
+ }
+
+ if listOpts != nil {
+ values := req.URL.Query()
+ if listOpts.Limit != nil {
+ values.Set("limit", fmt.Sprint(*listOpts.Limit))
+ }
+ if listOpts.Offset != nil {
+ values.Set("offset", fmt.Sprint(*listOpts.Offset))
+ }
+ if listOpts.TotalCount != nil {
+ values.Set("totalCount", fmt.Sprint(*listOpts.TotalCount))
+ }
+ if listOpts.CrkID != nil {
+ values.Set("crk_id", *listOpts.CrkID)
+ }
+ req.URL.RawQuery = values.Encode()
+ }
+
+ _, err = c.do(ctx, req, &adapters)
+ if err != nil {
+ return nil, err
+ }
+
+ return &adapters, nil
+}
+
+// GetKMIPAdapter method retrieves a single KMIP Adapter by name or ID.
+func (c *Client) GetKMIPAdapter(ctx context.Context, nameOrID string) (*KMIPAdapter, error) {
+ adapters := KMIPAdapters{}
+ req, err := c.newRequest("GET", fmt.Sprintf("%s/%s", kmipAdapterPath, nameOrID), nil)
+ if err != nil {
+ return nil, err
+ }
+
+ _, err = c.do(ctx, req, &adapters)
+ if err != nil {
+ return nil, err
+ }
+
+ return unwrapKMIPAdapterResp(&adapters), nil
+}
+
+// DeletesKMIPAdapter method deletes a single KMIP Adapter by name or ID.
+func (c *Client) DeleteKMIPAdapter(ctx context.Context, nameOrID string) error {
+ req, err := c.newRequest("DELETE", fmt.Sprintf("%s/%s", kmipAdapterPath, nameOrID), nil)
+ if err != nil {
+ return err
+ }
+
+ _, err = c.do(ctx, req, nil)
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
+
+func wrapKMIPAdapter(adapter KMIPAdapter) KMIPAdapters {
+ return KMIPAdapters{
+ Metadata: CollectionMetadata{
+ CollectionType: kmipAdapterType,
+ CollectionTotal: 1,
+ },
+ Adapters: []KMIPAdapter{adapter},
+ }
+}
+
+func unwrapKMIPAdapterResp(resp *KMIPAdapters) *KMIPAdapter {
+ return &resp.Adapters[0]
+}
diff --git a/vendor/github.com/IBM/keyprotect-go-client/kmip_mgmt_certs.go b/vendor/github.com/IBM/keyprotect-go-client/kmip_mgmt_certs.go
new file mode 100644
index 000000000..06cf9afc9
--- /dev/null
+++ b/vendor/github.com/IBM/keyprotect-go-client/kmip_mgmt_certs.go
@@ -0,0 +1,136 @@
+package kp
+
+import (
+ "context"
+ "fmt"
+ "time"
+)
+
+const (
+ kmipClientCertSubPath = "certificates"
+ kmipClientCertType = "application/vnd.ibm.kms.kmip_client_certificate+json"
+)
+
+type KMIPClientCertificate struct {
+ ID string `json:"id,omitempty"`
+ Name string `json:"name,omitempty"`
+ Certificate string `json:"certificate,omitempty"`
+ CreatedBy string `json:"created_by,omitempty"`
+ CreatedAt *time.Time `json:"created_at,omitempty"`
+}
+
+type KMIPClientCertificates struct {
+ Metadata CollectionMetadata `json:"metadata"`
+ Certificates []KMIPClientCertificate `json:"resources"`
+}
+
+// CreateKMIPClientCertificate registers/creates a KMIP PEM format certificate
+// for use with a specific KMIP adapter.
+// cert_payload is the string representation of
+// the certificate to be associated with the KMIP Adapter in PEM format.
+// It should explicitly have the BEGIN CERTIFICATE and END CERTIFICATE tags.
+// Regex: ^\s*-----BEGIN CERTIFICATE-----[A-Za-z0-9+\/\=\r\n]+-----END CERTIFICATE-----\s*$
+func (c *Client) CreateKMIPClientCertificate(ctx context.Context, adapter_nameOrID, cert_payload string, opts ...CreateKMIPClientCertOption) (*KMIPClientCertificate, error) {
+ newCert := &KMIPClientCertificate{
+ Certificate: cert_payload,
+ }
+ for _, opt := range opts {
+ opt(newCert)
+ }
+ req, err := c.newRequest("POST", fmt.Sprintf("%s/%s/%s", kmipAdapterPath, adapter_nameOrID, kmipClientCertSubPath), wrapKMIPClientCert(*newCert))
+ if err != nil {
+ return nil, err
+ }
+ certResp := &KMIPClientCertificates{}
+ _, err = c.do(ctx, req, certResp)
+ if err != nil {
+ return nil, err
+ }
+
+ return unwrapKMIPClientCert(certResp), nil
+}
+
+type CreateKMIPClientCertOption func(*KMIPClientCertificate)
+
+func WithKMIPClientCertName(name string) CreateKMIPClientCertOption {
+ return func(cert *KMIPClientCertificate) {
+ cert.Name = name
+ }
+}
+
+// GetKMIPClientCertificates lists all certificates associated with a KMIP adapter
+func (c *Client) GetKMIPClientCertificates(ctx context.Context, adapter_nameOrID string, listOpts *ListOptions) (*KMIPClientCertificates, error) {
+ certs := KMIPClientCertificates{}
+ req, err := c.newRequest("GET", fmt.Sprintf("%s/%s/%s", kmipAdapterPath, adapter_nameOrID, kmipClientCertSubPath), nil)
+ if err != nil {
+ return nil, err
+ }
+
+ if listOpts != nil {
+ values := req.URL.Query()
+ if listOpts.Limit != nil {
+ values.Set("limit", fmt.Sprint(*listOpts.Limit))
+ }
+ if listOpts.Offset != nil {
+ values.Set("offset", fmt.Sprint(*listOpts.Offset))
+ }
+ if listOpts.TotalCount != nil {
+ values.Set("totalCount", fmt.Sprint(*listOpts.TotalCount))
+ }
+ req.URL.RawQuery = values.Encode()
+ }
+
+ _, err = c.do(ctx, req, &certs)
+ if err != nil {
+ return nil, err
+ }
+
+ return &certs, nil
+}
+
+// GetKMIPClientCertificate gets a single certificate associated with a KMIP adapter
+func (c *Client) GetKMIPClientCertificate(ctx context.Context, adapter_nameOrID, cert_nameOrID string) (*KMIPClientCertificate, error) {
+ certs := &KMIPClientCertificates{}
+ req, err := c.newRequest("GET", fmt.Sprintf("%s/%s/%s/%s",
+ kmipAdapterPath, adapter_nameOrID, kmipClientCertSubPath, cert_nameOrID), nil)
+ if err != nil {
+ return nil, err
+ }
+
+ _, err = c.do(ctx, req, certs)
+ if err != nil {
+ return nil, err
+ }
+
+ return unwrapKMIPClientCert(certs), nil
+}
+
+// DeleteKMIPClientCertificate deletes a single certificate
+func (c *Client) DeleteKMIPClientCertificate(ctx context.Context, adapter_nameOrID, cert_nameOrID string) error {
+ req, err := c.newRequest("DELETE", fmt.Sprintf("%s/%s/%s/%s",
+ kmipAdapterPath, adapter_nameOrID, kmipClientCertSubPath, cert_nameOrID), nil)
+ if err != nil {
+ return err
+ }
+
+ _, err = c.do(ctx, req, nil)
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
+
+func wrapKMIPClientCert(cert KMIPClientCertificate) KMIPClientCertificates {
+ return KMIPClientCertificates{
+ Metadata: CollectionMetadata{
+ CollectionType: kmipClientCertType,
+ CollectionTotal: 1,
+ },
+ Certificates: []KMIPClientCertificate{cert},
+ }
+}
+
+func unwrapKMIPClientCert(certs *KMIPClientCertificates) *KMIPClientCertificate {
+ return &certs.Certificates[0]
+}
diff --git a/vendor/github.com/IBM/keyprotect-go-client/kmip_mgmt_objects.go b/vendor/github.com/IBM/keyprotect-go-client/kmip_mgmt_objects.go
new file mode 100644
index 000000000..11c5cdfe5
--- /dev/null
+++ b/vendor/github.com/IBM/keyprotect-go-client/kmip_mgmt_objects.go
@@ -0,0 +1,122 @@
+package kp
+
+import (
+ "context"
+ "fmt"
+ "strconv"
+ "strings"
+ "time"
+)
+
+const (
+ kmipObjectSubPath = "kmip_objects"
+ kmipObjectType = "application/vnd.ibm.kms.kmip_object+json"
+)
+
+type KMIPObject struct {
+ ID string `json:"id,omitempty"`
+ KMIPObjectType int `json:"kmip_object_type,omitempty"`
+ ObjectState int `json:"state,omitempty"`
+ CreatedByCertID string `json:"created_by_kmip_client_cert_id,omitempty"`
+ CreatedBy string `json:"created_by,omitempty"`
+ CreatedAt *time.Time `json:"created_at,omitempty"`
+ UpdatedByCertID string `json:"updated_by_kmip_client_cert_id,omitempty"`
+ UpdatedBy string `json:"updated_by,omitempty"`
+ UpdatedAt *time.Time `json:"updated_at,omitempty"`
+ DestroyedByCertID string `json:"destroyed_by_kmip_client_cert_id,omitempty"`
+ DestroyedBy string `json:"destroyed_by,omitempty"`
+ DestroyedAt *time.Time `json:"destroyed_at,omitempty"`
+}
+
+type KMIPObjects struct {
+ Metadata CollectionMetadata `json:"metadata"`
+ Objects []KMIPObject `json:"resources"`
+}
+
+type ListKmipObjectsOptions struct {
+ Limit *uint32
+ Offset *uint32
+ TotalCount *bool
+ ObjectStateFilter *[]int32
+}
+
+func (c *Client) GetKMIPObjects(ctx context.Context, adapter_id string, listOpts *ListKmipObjectsOptions) (*KMIPObjects, error) {
+ objects := KMIPObjects{}
+ req, err := c.newRequest("GET", fmt.Sprintf("%s/%s/%s", kmipAdapterPath, adapter_id, kmipObjectSubPath), nil)
+ if err != nil {
+ return nil, err
+ }
+
+ if listOpts != nil {
+ values := req.URL.Query()
+ if listOpts.Limit != nil {
+ values.Set("limit", fmt.Sprint(*listOpts.Limit))
+ }
+ if listOpts.Offset != nil {
+ values.Set("offset", fmt.Sprint(*listOpts.Offset))
+ }
+ if listOpts.TotalCount != nil {
+ values.Set("totalCount", fmt.Sprint(*listOpts.TotalCount))
+ }
+ if listOpts.ObjectStateFilter != nil {
+ var stateStrs []string
+ for _, i := range *listOpts.ObjectStateFilter {
+ stateStrs = append(stateStrs, strconv.FormatInt(int64(i), 10))
+ }
+ values.Set("state", strings.Join(stateStrs, ","))
+ }
+ req.URL.RawQuery = values.Encode()
+ }
+
+ _, err = c.do(ctx, req, &objects)
+ if err != nil {
+ return nil, err
+ }
+
+ return &objects, nil
+}
+
+func (c *Client) GetKMIPObject(ctx context.Context, adapter_id, object_id string) (*KMIPObject, error) {
+ objects := &KMIPObjects{}
+ req, err := c.newRequest("GET", fmt.Sprintf("%s/%s/%s/%s",
+ kmipAdapterPath, adapter_id, kmipObjectSubPath, object_id), nil)
+ if err != nil {
+ return nil, err
+ }
+
+ _, err = c.do(ctx, req, objects)
+ if err != nil {
+ return nil, err
+ }
+
+ return unwrapKMIPObject(objects), nil
+}
+
+func (c *Client) DeleteKMIPObject(ctx context.Context, adapter_id, object_id string) error {
+ req, err := c.newRequest("DELETE", fmt.Sprintf("%s/%s/%s/%s",
+ kmipAdapterPath, adapter_id, kmipObjectSubPath, object_id), nil)
+ if err != nil {
+ return err
+ }
+
+ _, err = c.do(ctx, req, nil)
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
+
+func wrapKMIPObject(object KMIPObject) KMIPObjects {
+ return KMIPObjects{
+ Metadata: CollectionMetadata{
+ CollectionType: kmipObjectType,
+ CollectionTotal: 1,
+ },
+ Objects: []KMIPObject{object},
+ }
+}
+
+func unwrapKMIPObject(objects *KMIPObjects) *KMIPObject {
+ return &objects.Objects[0]
+}
diff --git a/vendor/github.com/IBM/keyprotect-go-client/kp.go b/vendor/github.com/IBM/keyprotect-go-client/kp.go
index 976324f62..bae2e62ca 100644
--- a/vendor/github.com/IBM/keyprotect-go-client/kp.go
+++ b/vendor/github.com/IBM/keyprotect-go-client/kp.go
@@ -23,7 +23,6 @@ import (
"errors"
"fmt"
"io"
- "io/ioutil"
"net/http"
"net/url"
"strings"
@@ -276,7 +275,7 @@ func (c *Client) do(ctx context.Context, req *http.Request, res interface{}) (*h
}
defer response.Body.Close()
- resBody, err := ioutil.ReadAll(response.Body)
+ resBody, err := io.ReadAll(response.Body)
redact := []string{c.Config.APIKey, req.Header.Get("authorization")}
c.Dump(req, response, []byte{}, resBody, c.Logger, redact)
if err != nil {
@@ -515,3 +514,17 @@ func redact(s string, redactStrings []string) string {
func noredact(s string, redactStrings []string) string {
return s
}
+
+// Collection Metadata is generic and can be shared between multiple resource types
+type CollectionMetadata struct {
+ CollectionType string `json:"collectionType"`
+ CollectionTotal int `json:"collectionTotal"`
+ TotalCount int `json:"totalCount,omitempty"`
+}
+
+// ListsOptions struct to add the query parameters for list functions. Extensible.
+type ListOptions struct {
+ Limit *uint32
+ Offset *uint32
+ TotalCount *bool
+}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/accountid_endpoint_mode.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/accountid_endpoint_mode.go
new file mode 100644
index 000000000..6504a2186
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/accountid_endpoint_mode.go
@@ -0,0 +1,18 @@
+package aws
+
+// AccountIDEndpointMode controls how a resolved AWS account ID is handled for endpoint routing.
+type AccountIDEndpointMode string
+
+const (
+ // AccountIDEndpointModeUnset indicates the AWS account ID will not be used for endpoint routing
+ AccountIDEndpointModeUnset AccountIDEndpointMode = ""
+
+ // AccountIDEndpointModePreferred indicates the AWS account ID will be used for endpoint routing if present
+ AccountIDEndpointModePreferred = "preferred"
+
+ // AccountIDEndpointModeRequired indicates an error will be returned if the AWS account ID is not resolved from identity
+ AccountIDEndpointModeRequired = "required"
+
+ // AccountIDEndpointModeDisabled indicates the AWS account ID will be ignored during endpoint routing
+ AccountIDEndpointModeDisabled = "disabled"
+)
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/config.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/config.go
index 2264200c1..16000d792 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/config.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/config.go
@@ -162,6 +162,9 @@ type Config struct {
// This variable is sourced from environment variable AWS_REQUEST_MIN_COMPRESSION_SIZE_BYTES or
// the shared config profile attribute request_min_compression_size_bytes
RequestMinCompressSizeBytes int64
+
+ // Controls how a resolved AWS account ID is handled for endpoint routing.
+ AccountIDEndpointMode AccountIDEndpointMode
}
// NewConfig returns a new Config pointer that can be chained with builder
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/credentials.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/credentials.go
index 714d4ad85..98ba77056 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/credentials.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/credentials.go
@@ -90,6 +90,9 @@ type Credentials struct {
// The time the credentials will expire at. Should be ignored if CanExpire
// is false.
Expires time.Time
+
+ // The ID of the account for the credentials.
+ AccountID string
}
// Expired returns if the credentials have expired.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/endpoints.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/endpoints.go
index aa10a9b40..99edbf3ee 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/endpoints.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/endpoints.go
@@ -70,6 +70,10 @@ func GetUseFIPSEndpoint(options ...interface{}) (value FIPSEndpointState, found
// The SDK will automatically resolve these endpoints per API client using an
// internal endpoint resolvers. If you'd like to provide custom endpoint
// resolving behavior you can implement the EndpointResolver interface.
+//
+// Deprecated: This structure was used with the global [EndpointResolver]
+// interface, which has been deprecated in favor of service-specific endpoint
+// resolution. See the deprecation docs on that interface for more information.
type Endpoint struct {
// The base URL endpoint the SDK API clients will use to make API calls to.
// The SDK will suffix URI path and query elements to this endpoint.
@@ -124,6 +128,8 @@ type Endpoint struct {
}
// EndpointSource is the endpoint source type.
+//
+// Deprecated: The global [Endpoint] structure is deprecated.
type EndpointSource int
const (
@@ -161,19 +167,25 @@ func (e *EndpointNotFoundError) Unwrap() error {
// API clients will fallback to attempting to resolve the endpoint using its
// internal default endpoint resolver.
//
-// Deprecated: See EndpointResolverWithOptions
+// Deprecated: The global endpoint resolution interface is deprecated. The API
+// for endpoint resolution is now unique to each service and is set via the
+// EndpointResolverV2 field on service client options. Setting a value for
+// EndpointResolver on aws.Config or service client options will prevent you
+// from using any endpoint-related service features released after the
+// introduction of EndpointResolverV2. You may also encounter broken or
+// unexpected behavior when using the old global interface with services that
+// use many endpoint-related customizations such as S3.
type EndpointResolver interface {
ResolveEndpoint(service, region string) (Endpoint, error)
}
// EndpointResolverFunc wraps a function to satisfy the EndpointResolver interface.
//
-// Deprecated: See EndpointResolverWithOptionsFunc
+// Deprecated: The global endpoint resolution interface is deprecated. See
+// deprecation docs on [EndpointResolver].
type EndpointResolverFunc func(service, region string) (Endpoint, error)
// ResolveEndpoint calls the wrapped function and returns the results.
-//
-// Deprecated: See EndpointResolverWithOptions.ResolveEndpoint
func (e EndpointResolverFunc) ResolveEndpoint(service, region string) (Endpoint, error) {
return e(service, region)
}
@@ -184,11 +196,17 @@ func (e EndpointResolverFunc) ResolveEndpoint(service, region string) (Endpoint,
// available. If the EndpointResolverWithOptions returns an EndpointNotFoundError error,
// API clients will fallback to attempting to resolve the endpoint using its
// internal default endpoint resolver.
+//
+// Deprecated: The global endpoint resolution interface is deprecated. See
+// deprecation docs on [EndpointResolver].
type EndpointResolverWithOptions interface {
ResolveEndpoint(service, region string, options ...interface{}) (Endpoint, error)
}
// EndpointResolverWithOptionsFunc wraps a function to satisfy the EndpointResolverWithOptions interface.
+//
+// Deprecated: The global endpoint resolution interface is deprecated. See
+// deprecation docs on [EndpointResolver].
type EndpointResolverWithOptionsFunc func(service, region string, options ...interface{}) (Endpoint, error)
// ResolveEndpoint calls the wrapped function and returns the results.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
index 12a331499..51a396ba7 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
@@ -3,4 +3,4 @@
package aws
// goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.25.2"
+const goModuleVersion = "1.30.0"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics/metrics.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics/metrics.go
index b0133f4c8..19d6107c4 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics/metrics.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics/metrics.go
@@ -112,6 +112,8 @@ type MetricData struct {
ResolveEndpointStartTime time.Time
ResolveEndpointEndTime time.Time
EndpointResolutionDuration time.Duration
+ GetIdentityStartTime time.Time
+ GetIdentityEndTime time.Time
InThroughput float64
OutThroughput float64
RetryCount int
@@ -122,6 +124,7 @@ type MetricData struct {
OperationName string
PartitionID string
Region string
+ UserAgent string
RequestContentLength int64
Stream StreamMetrics
Attempts []AttemptMetrics
@@ -144,8 +147,6 @@ type AttemptMetrics struct {
ConnRequestedTime time.Time
ConnObtainedTime time.Time
ConcurrencyAcquireDuration time.Duration
- CredentialFetchStartTime time.Time
- CredentialFetchEndTime time.Time
SignStartTime time.Time
SignEndTime time.Time
SigningDuration time.Duration
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go
index db7cda42d..ff0bc921f 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go
@@ -5,6 +5,7 @@ import (
"fmt"
"os"
"runtime"
+ "sort"
"strings"
"github.com/aws/aws-sdk-go-v2/aws"
@@ -30,6 +31,7 @@ const (
FrameworkMetadata
AdditionalMetadata
ApplicationIdentifier
+ FeatureMetadata2
)
func (k SDKAgentKeyType) string() string {
@@ -50,6 +52,8 @@ func (k SDKAgentKeyType) string() string {
return "lib"
case ApplicationIdentifier:
return "app"
+ case FeatureMetadata2:
+ return "m"
case AdditionalMetadata:
fallthrough
default:
@@ -64,9 +68,29 @@ var validChars = map[rune]bool{
'-': true, '.': true, '^': true, '_': true, '`': true, '|': true, '~': true,
}
+// UserAgentFeature enumerates tracked SDK features.
+type UserAgentFeature string
+
+// Enumerates UserAgentFeature.
+const (
+ UserAgentFeatureResourceModel UserAgentFeature = "A" // n/a (we don't generate separate resource types)
+ UserAgentFeatureWaiter = "B"
+ UserAgentFeaturePaginator = "C"
+ UserAgentFeatureRetryModeLegacy = "D" // n/a (equivalent to standard)
+ UserAgentFeatureRetryModeStandard = "E"
+ UserAgentFeatureRetryModeAdaptive = "F"
+ UserAgentFeatureS3Transfer = "G"
+ UserAgentFeatureS3CryptoV1N = "H" // n/a (crypto client is external)
+ UserAgentFeatureS3CryptoV2 = "I" // n/a
+ UserAgentFeatureS3ExpressBucket = "J"
+ UserAgentFeatureS3AccessGrants = "K" // not yet implemented
+ UserAgentFeatureGZIPRequestCompression = "L"
+)
+
// RequestUserAgent is a build middleware that set the User-Agent for the request.
type RequestUserAgent struct {
sdkAgent, userAgent *smithyhttp.UserAgentBuilder
+ features map[UserAgentFeature]struct{}
}
// NewRequestUserAgent returns a new requestUserAgent which will set the User-Agent and X-Amz-User-Agent for the
@@ -87,6 +111,7 @@ func NewRequestUserAgent() *RequestUserAgent {
r := &RequestUserAgent{
sdkAgent: sdkAgent,
userAgent: userAgent,
+ features: map[UserAgentFeature]struct{}{},
}
addSDKMetadata(r)
@@ -191,6 +216,12 @@ func (u *RequestUserAgent) AddUserAgentKeyValue(key, value string) {
u.userAgent.AddKeyValue(strings.Map(rules, key), strings.Map(rules, value))
}
+// AddUserAgentFeature adds the feature ID to the tracking list to be emitted
+// in the final User-Agent string.
+func (u *RequestUserAgent) AddUserAgentFeature(feature UserAgentFeature) {
+ u.features[feature] = struct{}{}
+}
+
// AddSDKAgentKey adds the component identified by name to the User-Agent string.
func (u *RequestUserAgent) AddSDKAgentKey(keyType SDKAgentKeyType, key string) {
// TODO: should target sdkAgent
@@ -227,6 +258,9 @@ func (u *RequestUserAgent) HandleBuild(ctx context.Context, in middleware.BuildI
func (u *RequestUserAgent) addHTTPUserAgent(request *smithyhttp.Request) {
const userAgent = "User-Agent"
updateHTTPHeader(request, userAgent, u.userAgent.Build())
+ if len(u.features) > 0 {
+ updateHTTPHeader(request, userAgent, buildFeatureMetrics(u.features))
+ }
}
func (u *RequestUserAgent) addHTTPSDKAgent(request *smithyhttp.Request) {
@@ -259,3 +293,13 @@ func rules(r rune) rune {
return '-'
}
}
+
+func buildFeatureMetrics(features map[UserAgentFeature]struct{}) string {
+ fs := make([]string, 0, len(features))
+ for f := range features {
+ fs = append(fs, string(f))
+ }
+
+ sort.Strings(fs)
+ return fmt.Sprintf("%s/%s", FeatureMetadata2.string(), strings.Join(fs, ","))
+}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/ratelimit/none.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/ratelimit/none.go
new file mode 100644
index 000000000..8c7836410
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/ratelimit/none.go
@@ -0,0 +1,20 @@
+package ratelimit
+
+import "context"
+
+// None implements a no-op rate limiter which effectively disables client-side
+// rate limiting (also known as "retry quotas").
+//
+// GetToken does nothing and always returns a nil error. The returned
+// token-release function does nothing, and always returns a nil error.
+//
+// AddTokens does nothing and always returns a nil error.
+var None = &none{}
+
+type none struct{}
+
+func (*none) GetToken(ctx context.Context, cost uint) (func() error, error) {
+ return func() error { return nil }, nil
+}
+
+func (*none) AddTokens(v uint) error { return nil }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/middleware.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/middleware.go
index dc703d482..b645fbdf1 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/middleware.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/middleware.go
@@ -2,12 +2,15 @@ package retry
import (
"context"
+ "errors"
"fmt"
- "github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics"
"strconv"
"strings"
"time"
+ "github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics"
+ internalcontext "github.com/aws/aws-sdk-go-v2/internal/context"
+
"github.com/aws/aws-sdk-go-v2/aws"
awsmiddle "github.com/aws/aws-sdk-go-v2/aws/middleware"
"github.com/aws/aws-sdk-go-v2/internal/sdk"
@@ -39,6 +42,10 @@ type Attempt struct {
requestCloner RequestCloner
}
+// define the threshold at which we will consider certain kind of errors to be probably
+// caused by clock skew
+const skewThreshold = 4 * time.Minute
+
// NewAttemptMiddleware returns a new Attempt retry middleware.
func NewAttemptMiddleware(retryer aws.Retryer, requestCloner RequestCloner, optFns ...func(*Attempt)) *Attempt {
m := &Attempt{
@@ -86,6 +93,9 @@ func (r *Attempt) HandleFinalize(ctx context.Context, in smithymiddle.FinalizeIn
AttemptClockSkew: attemptClockSkew,
})
+ // Setting clock skew to be used on other context (like signing)
+ ctx = internalcontext.SetAttemptSkewContext(ctx, attemptClockSkew)
+
var attemptResult AttemptResult
out, attemptResult, releaseRetryToken, err = r.handleAttempt(attemptCtx, attemptInput, releaseRetryToken, next)
attemptClockSkew, _ = awsmiddle.GetAttemptSkew(attemptResult.ResponseMetadata)
@@ -185,6 +195,8 @@ func (r *Attempt) handleAttempt(
return out, attemptResult, nopRelease, err
}
+ err = wrapAsClockSkew(ctx, err)
+
//------------------------------
// Is Retryable and Should Retry
//------------------------------
@@ -247,6 +259,37 @@ func (r *Attempt) handleAttempt(
return out, attemptResult, releaseRetryToken, err
}
+// errors that, if detected when we know there's a clock skew,
+// can be retried and have a high chance of success
+var possibleSkewCodes = map[string]struct{}{
+ "InvalidSignatureException": {},
+ "SignatureDoesNotMatch": {},
+ "AuthFailure": {},
+}
+
+var definiteSkewCodes = map[string]struct{}{
+ "RequestExpired": {},
+ "RequestInTheFuture": {},
+ "RequestTimeTooSkewed": {},
+}
+
+// wrapAsClockSkew checks if this error could be related to a clock skew
+// error and if so, wrap the error.
+func wrapAsClockSkew(ctx context.Context, err error) error {
+ var v interface{ ErrorCode() string }
+ if !errors.As(err, &v) {
+ return err
+ }
+ if _, ok := definiteSkewCodes[v.ErrorCode()]; ok {
+ return &retryableClockSkewError{Err: err}
+ }
+ _, isPossibleSkewCode := possibleSkewCodes[v.ErrorCode()]
+ if skew := internalcontext.GetAttemptSkewContext(ctx); skew > skewThreshold && isPossibleSkewCode {
+ return &retryableClockSkewError{Err: err}
+ }
+ return err
+}
+
// MetricsHeader attaches SDK request metric header for retries to the transport
type MetricsHeader struct{}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go
index 987affdde..acd8d1cc3 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go
@@ -2,6 +2,7 @@ package retry
import (
"errors"
+ "fmt"
"net"
"net/url"
"strings"
@@ -199,3 +200,23 @@ func (r RetryableErrorCode) IsErrorRetryable(err error) aws.Ternary {
return aws.TrueTernary
}
+
+// retryableClockSkewError marks errors that can be caused by clock skew
+// (difference between server time and client time).
+// This is returned when there's certain confidence that adjusting the client time
+// could allow a retry to succeed
+type retryableClockSkewError struct{ Err error }
+
+func (e *retryableClockSkewError) Error() string {
+ return fmt.Sprintf("Probable clock skew error: %v", e.Err)
+}
+
+// Unwrap returns the wrapped error.
+func (e *retryableClockSkewError) Unwrap() error {
+ return e.Err
+}
+
+// RetryableError allows the retryer to retry this request
+func (e *retryableClockSkewError) RetryableError() bool {
+ return true
+}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/standard.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/standard.go
index 25abffc81..d5ea93222 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/standard.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/standard.go
@@ -123,6 +123,17 @@ type StandardOptions struct {
// Provides the rate limiting strategy for rate limiting attempt retries
// across all attempts the retryer is being used with.
+ //
+ // A RateLimiter operates as a token bucket with a set capacity, where
+ // attempt failures events consume tokens. A retry attempt that attempts to
+ // consume more tokens than what's available results in operation failure.
+ // The default implementation is parameterized as follows:
+ // - a capacity of 500 (DefaultRetryRateTokens)
+ // - a retry caused by a timeout costs 10 tokens (DefaultRetryCost)
+ // - a retry caused by other errors costs 5 tokens (DefaultRetryTimeoutCost)
+ // - an operation that succeeds on the 1st attempt adds 1 token (DefaultNoRetryIncrement)
+ //
+ // You can disable rate limiting by setting this field to ratelimit.None.
RateLimiter RateLimiter
// The cost to deduct from the RateLimiter's token bucket per retry.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go
index ca738f234..71b1a3521 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go
@@ -38,7 +38,6 @@ var RequiredSignedHeaders = Rules{
"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm": struct{}{},
"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key": struct{}{},
"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-Md5": struct{}{},
- "X-Amz-Expected-Bucket-Owner": struct{}{},
"X-Amz-Grant-Full-control": struct{}{},
"X-Amz-Grant-Read": struct{}{},
"X-Amz-Grant-Read-Acp": struct{}{},
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/middleware.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/middleware.go
index febeb0482..a9db6433d 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/middleware.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/middleware.go
@@ -11,7 +11,6 @@ import (
"github.com/aws/aws-sdk-go-v2/aws"
awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
- "github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics"
v4Internal "github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4"
internalauth "github.com/aws/aws-sdk-go-v2/internal/auth"
"github.com/aws/aws-sdk-go-v2/internal/sdk"
@@ -301,22 +300,7 @@ func (s *SignHTTPRequestMiddleware) HandleFinalize(ctx context.Context, in middl
return out, metadata, &SigningError{Err: fmt.Errorf("computed payload hash missing from context")}
}
- mctx := metrics.Context(ctx)
-
- if mctx != nil {
- if attempt, err := mctx.Data().LatestAttempt(); err == nil {
- attempt.CredentialFetchStartTime = sdk.NowTime()
- }
- }
-
credentials, err := s.credentialsProvider.Retrieve(ctx)
-
- if mctx != nil {
- if attempt, err := mctx.Data().LatestAttempt(); err == nil {
- attempt.CredentialFetchEndTime = sdk.NowTime()
- }
- }
-
if err != nil {
return out, metadata, &SigningError{Err: fmt.Errorf("failed to retrieve credentials: %w", err)}
}
@@ -337,20 +321,7 @@ func (s *SignHTTPRequestMiddleware) HandleFinalize(ctx context.Context, in middl
})
}
- if mctx != nil {
- if attempt, err := mctx.Data().LatestAttempt(); err == nil {
- attempt.SignStartTime = sdk.NowTime()
- }
- }
-
err = s.signer.SignHTTP(ctx, credentials, req.Request, payloadHash, signingName, signingRegion, sdk.NowTime(), signerOptions...)
-
- if mctx != nil {
- if attempt, err := mctx.Data().LatestAttempt(); err == nil {
- attempt.SignEndTime = sdk.NowTime()
- }
- }
-
if err != nil {
return out, metadata, &SigningError{Err: fmt.Errorf("failed to sign http request, %w", err)}
}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/v4.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/v4.go
index bb61904e1..dcd896a9b 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/v4.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/v4.go
@@ -1,48 +1,41 @@
-// Package v4 implements signing for AWS V4 signer
+// Package v4 implements the AWS signature version 4 algorithm (commonly known
+// as SigV4).
//
-// Provides request signing for request that need to be signed with
-// AWS V4 Signatures.
+// For more information about SigV4, see [Signing AWS API requests] in the IAM
+// user guide.
//
-// # Standalone Signer
+// While this implementation CAN work in an external context, it is developed
+// primarily for SDK use and you may encounter fringe behaviors around header
+// canonicalization.
//
-// Generally using the signer outside of the SDK should not require any additional
+// # Pre-escaping a request URI
//
-// The signer does this by taking advantage of the URL.EscapedPath method. If your request URI requires
+// AWS v4 signature validation requires that the canonical string's URI path
+// component must be the escaped form of the HTTP request's path.
//
-// additional escaping you many need to use the URL.Opaque to define what the raw URI should be sent
-// to the service as.
+// The Go HTTP client will perform escaping automatically on the HTTP request.
+// This may cause signature validation errors because the request differs from
+// the URI path or query from which the signature was generated.
//
-// The signer will first check the URL.Opaque field, and use its value if set.
-// The signer does require the URL.Opaque field to be set in the form of:
+// Because of this, we recommend that you explicitly escape the request when
+// using this signer outside of the SDK to prevent possible signature mismatch.
+// This can be done by setting URL.Opaque on the request. The signer will
+// prefer that value, falling back to the return of URL.EscapedPath if unset.
+//
+// When setting URL.Opaque you must do so in the form of:
//
// "///"
//
// // e.g.
// "//example.com/some/path"
//
-// The leading "//" and hostname are required or the URL.Opaque escaping will
-// not work correctly.
+// The leading "//" and hostname are required or the escaping will not work
+// correctly.
//
-// If URL.Opaque is not set the signer will fallback to the URL.EscapedPath()
-// method and using the returned value.
+// The TestStandaloneSign unit test provides a complete example of using the
+// signer outside of the SDK and pre-escaping the URI path.
//
-// AWS v4 signature validation requires that the canonical string's URI path
-// element must be the URI escaped form of the HTTP request's path.
-// http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
-//
-// The Go HTTP client will perform escaping automatically on the request. Some
-// of these escaping may cause signature validation errors because the HTTP
-// request differs from the URI path or query that the signature was generated.
-// https://golang.org/pkg/net/url/#URL.EscapedPath
-//
-// Because of this, it is recommended that when using the signer outside of the
-// SDK that explicitly escaping the request prior to being signed is preferable,
-// and will help prevent signature validation errors. This can be done by setting
-// the URL.Opaque or URL.RawPath. The SDK will use URL.Opaque first and then
-// call URL.EscapedPath() if Opaque is not set.
-//
-// Test `TestStandaloneSign` provides a complete example of using the signer
-// outside of the SDK and pre-escaping the URI path.
+// [Signing AWS API requests]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
package v4
import (
@@ -402,6 +395,12 @@ func buildQuery(r v4Internal.Rule, header http.Header) (url.Values, http.Header)
query := url.Values{}
unsignedHeaders := http.Header{}
for k, h := range header {
+ // literally just this header has this constraint for some stupid reason,
+ // see #2508
+ if k == "X-Amz-Expected-Bucket-Owner" {
+ k = "x-amz-expected-bucket-owner"
+ }
+
if r.IsValid(k) {
query[k] = h
} else {
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/v4signer_adapter.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/v4signer_adapter.go
index 0c5a2d40c..24db8e144 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/v4signer_adapter.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/v4signer_adapter.go
@@ -5,6 +5,7 @@ import (
"fmt"
v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
+ internalcontext "github.com/aws/aws-sdk-go-v2/internal/context"
"github.com/aws/aws-sdk-go-v2/internal/sdk"
"github.com/aws/smithy-go"
"github.com/aws/smithy-go/auth"
@@ -39,7 +40,10 @@ func (v *V4SignerAdapter) SignRequest(ctx context.Context, r *smithyhttp.Request
}
hash := v4.GetPayloadHash(ctx)
- err := v.Signer.SignHTTP(ctx, ca.Credentials, r.Request, hash, name, region, sdk.NowTime(), func(o *v4.SignerOptions) {
+ signingTime := sdk.NowTime()
+ skew := internalcontext.GetAttemptSkewContext(ctx)
+ signingTime = signingTime.Add(skew)
+ err := v.Signer.SignHTTP(ctx, ca.Credentials, r.Request, hash, name, region, signingTime, func(o *v4.SignerOptions) {
o.DisableURIPathEscaping, _ = smithyhttp.GetDisableDoubleEncoding(&props)
o.Logger = v.Logger
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
index b62d57cb5..2d5e63007 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
@@ -1,3 +1,43 @@
+# v1.3.12 (2024-06-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.11 (2024-06-18)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.10 (2024-06-17)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.9 (2024-06-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.8 (2024-06-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.7 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.6 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.5 (2024-03-29)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.4 (2024-03-18)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.3 (2024-03-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
# v1.3.2 (2024-02-23)
* **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
index a99e10d8a..1c96ca6de 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
@@ -3,4 +3,4 @@
package configsources
// goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.3.2"
+const goModuleVersion = "1.3.12"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/context/context.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/context/context.go
new file mode 100644
index 000000000..f0c283d39
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/context/context.go
@@ -0,0 +1,52 @@
+package context
+
+import (
+ "context"
+ "time"
+
+ "github.com/aws/smithy-go/middleware"
+)
+
+type s3BackendKey struct{}
+type checksumInputAlgorithmKey struct{}
+type clockSkew struct{}
+
+const (
+ // S3BackendS3Express identifies the S3Express backend
+ S3BackendS3Express = "S3Express"
+)
+
+// SetS3Backend stores the resolved endpoint backend within the request
+// context, which is required for a variety of custom S3 behaviors.
+func SetS3Backend(ctx context.Context, typ string) context.Context {
+ return middleware.WithStackValue(ctx, s3BackendKey{}, typ)
+}
+
+// GetS3Backend retrieves the stored endpoint backend within the context.
+func GetS3Backend(ctx context.Context) string {
+ v, _ := middleware.GetStackValue(ctx, s3BackendKey{}).(string)
+ return v
+}
+
+// SetChecksumInputAlgorithm sets the request checksum algorithm on the
+// context.
+func SetChecksumInputAlgorithm(ctx context.Context, value string) context.Context {
+ return middleware.WithStackValue(ctx, checksumInputAlgorithmKey{}, value)
+}
+
+// GetChecksumInputAlgorithm returns the checksum algorithm from the context.
+func GetChecksumInputAlgorithm(ctx context.Context) string {
+ v, _ := middleware.GetStackValue(ctx, checksumInputAlgorithmKey{}).(string)
+ return v
+}
+
+// SetAttemptSkewContext sets the clock skew value on the context
+func SetAttemptSkewContext(ctx context.Context, v time.Duration) context.Context {
+ return middleware.WithStackValue(ctx, clockSkew{}, v)
+}
+
+// GetAttemptSkewContext gets the clock skew value from the context
+func GetAttemptSkewContext(ctx context.Context) time.Duration {
+ x, _ := middleware.GetStackValue(ctx, clockSkew{}).(time.Duration)
+ return x
+}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partition.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partition.go
index ba6032758..91414afe8 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partition.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partition.go
@@ -12,11 +12,12 @@ type Partition struct {
// PartitionConfig provides the endpoint metadata for an AWS region or partition.
type PartitionConfig struct {
- Name string `json:"name"`
- DnsSuffix string `json:"dnsSuffix"`
- DualStackDnsSuffix string `json:"dualStackDnsSuffix"`
- SupportsFIPS bool `json:"supportsFIPS"`
- SupportsDualStack bool `json:"supportsDualStack"`
+ Name string `json:"name"`
+ DnsSuffix string `json:"dnsSuffix"`
+ DualStackDnsSuffix string `json:"dualStackDnsSuffix"`
+ SupportsFIPS bool `json:"supportsFIPS"`
+ SupportsDualStack bool `json:"supportsDualStack"`
+ ImplicitGlobalRegion string `json:"implicitGlobalRegion"`
}
type RegionOverrides struct {
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.go
index 849beffd7..5f0779997 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.go
@@ -13,11 +13,12 @@ var partitions = []Partition{
ID: "aws",
RegionRegex: "^(us|eu|ap|sa|ca|me|af|il)\\-\\w+\\-\\d+$",
DefaultConfig: PartitionConfig{
- Name: "aws",
- DnsSuffix: "amazonaws.com",
- DualStackDnsSuffix: "api.aws",
- SupportsFIPS: true,
- SupportsDualStack: true,
+ Name: "aws",
+ DnsSuffix: "amazonaws.com",
+ DualStackDnsSuffix: "api.aws",
+ SupportsFIPS: true,
+ SupportsDualStack: true,
+ ImplicitGlobalRegion: "us-east-1",
},
Regions: map[string]RegionOverrides{
"af-south-1": {
@@ -111,6 +112,13 @@ var partitions = []Partition{
SupportsFIPS: nil,
SupportsDualStack: nil,
},
+ "ca-west-1": {
+ Name: nil,
+ DnsSuffix: nil,
+ DualStackDnsSuffix: nil,
+ SupportsFIPS: nil,
+ SupportsDualStack: nil,
+ },
"eu-central-1": {
Name: nil,
DnsSuffix: nil,
@@ -229,11 +237,12 @@ var partitions = []Partition{
ID: "aws-cn",
RegionRegex: "^cn\\-\\w+\\-\\d+$",
DefaultConfig: PartitionConfig{
- Name: "aws-cn",
- DnsSuffix: "amazonaws.com.cn",
- DualStackDnsSuffix: "api.amazonwebservices.com.cn",
- SupportsFIPS: true,
- SupportsDualStack: true,
+ Name: "aws-cn",
+ DnsSuffix: "amazonaws.com.cn",
+ DualStackDnsSuffix: "api.amazonwebservices.com.cn",
+ SupportsFIPS: true,
+ SupportsDualStack: true,
+ ImplicitGlobalRegion: "cn-northwest-1",
},
Regions: map[string]RegionOverrides{
"aws-cn-global": {
@@ -263,11 +272,12 @@ var partitions = []Partition{
ID: "aws-us-gov",
RegionRegex: "^us\\-gov\\-\\w+\\-\\d+$",
DefaultConfig: PartitionConfig{
- Name: "aws-us-gov",
- DnsSuffix: "amazonaws.com",
- DualStackDnsSuffix: "api.aws",
- SupportsFIPS: true,
- SupportsDualStack: true,
+ Name: "aws-us-gov",
+ DnsSuffix: "amazonaws.com",
+ DualStackDnsSuffix: "api.aws",
+ SupportsFIPS: true,
+ SupportsDualStack: true,
+ ImplicitGlobalRegion: "us-gov-west-1",
},
Regions: map[string]RegionOverrides{
"aws-us-gov-global": {
@@ -297,11 +307,12 @@ var partitions = []Partition{
ID: "aws-iso",
RegionRegex: "^us\\-iso\\-\\w+\\-\\d+$",
DefaultConfig: PartitionConfig{
- Name: "aws-iso",
- DnsSuffix: "c2s.ic.gov",
- DualStackDnsSuffix: "c2s.ic.gov",
- SupportsFIPS: true,
- SupportsDualStack: false,
+ Name: "aws-iso",
+ DnsSuffix: "c2s.ic.gov",
+ DualStackDnsSuffix: "c2s.ic.gov",
+ SupportsFIPS: true,
+ SupportsDualStack: false,
+ ImplicitGlobalRegion: "us-iso-east-1",
},
Regions: map[string]RegionOverrides{
"aws-iso-global": {
@@ -331,11 +342,12 @@ var partitions = []Partition{
ID: "aws-iso-b",
RegionRegex: "^us\\-isob\\-\\w+\\-\\d+$",
DefaultConfig: PartitionConfig{
- Name: "aws-iso-b",
- DnsSuffix: "sc2s.sgov.gov",
- DualStackDnsSuffix: "sc2s.sgov.gov",
- SupportsFIPS: true,
- SupportsDualStack: false,
+ Name: "aws-iso-b",
+ DnsSuffix: "sc2s.sgov.gov",
+ DualStackDnsSuffix: "sc2s.sgov.gov",
+ SupportsFIPS: true,
+ SupportsDualStack: false,
+ ImplicitGlobalRegion: "us-isob-east-1",
},
Regions: map[string]RegionOverrides{
"aws-iso-b-global": {
@@ -358,23 +370,33 @@ var partitions = []Partition{
ID: "aws-iso-e",
RegionRegex: "^eu\\-isoe\\-\\w+\\-\\d+$",
DefaultConfig: PartitionConfig{
- Name: "aws-iso-e",
- DnsSuffix: "cloud.adc-e.uk",
- DualStackDnsSuffix: "cloud.adc-e.uk",
- SupportsFIPS: true,
- SupportsDualStack: false,
+ Name: "aws-iso-e",
+ DnsSuffix: "cloud.adc-e.uk",
+ DualStackDnsSuffix: "cloud.adc-e.uk",
+ SupportsFIPS: true,
+ SupportsDualStack: false,
+ ImplicitGlobalRegion: "eu-isoe-west-1",
+ },
+ Regions: map[string]RegionOverrides{
+ "eu-isoe-west-1": {
+ Name: nil,
+ DnsSuffix: nil,
+ DualStackDnsSuffix: nil,
+ SupportsFIPS: nil,
+ SupportsDualStack: nil,
+ },
},
- Regions: map[string]RegionOverrides{},
},
{
ID: "aws-iso-f",
RegionRegex: "^us\\-isof\\-\\w+\\-\\d+$",
DefaultConfig: PartitionConfig{
- Name: "aws-iso-f",
- DnsSuffix: "csp.hci.ic.gov",
- DualStackDnsSuffix: "csp.hci.ic.gov",
- SupportsFIPS: true,
- SupportsDualStack: false,
+ Name: "aws-iso-f",
+ DnsSuffix: "csp.hci.ic.gov",
+ DualStackDnsSuffix: "csp.hci.ic.gov",
+ SupportsFIPS: true,
+ SupportsDualStack: false,
+ ImplicitGlobalRegion: "us-isof-south-1",
},
Regions: map[string]RegionOverrides{},
},
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json
index f376f6908..7a28569c3 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json
@@ -198,7 +198,11 @@
"supportsFIPS" : true
},
"regionRegex" : "^eu\\-isoe\\-\\w+\\-\\d+$",
- "regions" : { }
+ "regions" : {
+ "eu-isoe-west-1" : {
+ "description" : "EU ISOE West"
+ }
+ }
}, {
"id" : "aws-iso-f",
"outputs" : {
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
index b95cd39f4..c0db4db58 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
@@ -1,3 +1,44 @@
+# v2.6.12 (2024-06-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.11 (2024-06-18)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.10 (2024-06-17)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.9 (2024-06-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.8 (2024-06-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.7 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.6 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.5 (2024-03-29)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.4 (2024-03-18)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.3 (2024-03-07)
+
+* **Bug Fix**: Remove dependency on go-cmp.
+* **Dependency Update**: Updated to the latest SDK module versions
+
# v2.6.2 (2024-02-23)
* **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
index 833b91157..7be8b1ae8 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
@@ -3,4 +3,4 @@
package endpoints
// goModuleVersion is the tagged release for this module
-const goModuleVersion = "2.6.2"
+const goModuleVersion = "2.6.12"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/middleware/middleware.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/middleware/middleware.go
new file mode 100644
index 000000000..8e24a3f0a
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/middleware/middleware.go
@@ -0,0 +1,42 @@
+package middleware
+
+import (
+ "context"
+ "sync/atomic"
+ "time"
+
+ internalcontext "github.com/aws/aws-sdk-go-v2/internal/context"
+ "github.com/aws/smithy-go/middleware"
+)
+
+// AddTimeOffsetMiddleware sets a value representing clock skew on the request context.
+// This can be read by other operations (such as signing) to correct the date value they send
+// on the request
+type AddTimeOffsetMiddleware struct {
+ Offset *atomic.Int64
+}
+
+// ID the identifier for AddTimeOffsetMiddleware
+func (m *AddTimeOffsetMiddleware) ID() string { return "AddTimeOffsetMiddleware" }
+
+// HandleBuild sets a value for attemptSkew on the request context if one is set on the client.
+func (m AddTimeOffsetMiddleware) HandleBuild(ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler) (
+ out middleware.BuildOutput, metadata middleware.Metadata, err error,
+) {
+ if m.Offset != nil {
+ offset := time.Duration(m.Offset.Load())
+ ctx = internalcontext.SetAttemptSkewContext(ctx, offset)
+ }
+ return next.HandleBuild(ctx, in)
+}
+
+// HandleDeserialize gets the clock skew context from the context, and if set, sets it on the pointer
+// held by AddTimeOffsetMiddleware
+func (m *AddTimeOffsetMiddleware) HandleDeserialize(ctx context.Context, in middleware.DeserializeInput, next middleware.DeserializeHandler) (
+ out middleware.DeserializeOutput, metadata middleware.Metadata, err error,
+) {
+ if v := internalcontext.GetAttemptSkewContext(ctx); v != 0 {
+ m.Offset.Store(v.Nanoseconds())
+ }
+ return next.HandleDeserialize(ctx, in)
+}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md
index cac6f926e..9cf6cf22b 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v1.11.2 (2024-03-29)
+
+* No change notes available for this release.
+
# v1.11.1 (2024-02-21)
* No change notes available for this release.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go
index c5ae0f873..6339b5419 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go
@@ -3,4 +3,4 @@
package acceptencoding
// goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.11.1"
+const goModuleVersion = "1.11.2"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
index 38b0de284..b29f09399 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
@@ -1,3 +1,52 @@
+# v1.11.14 (2024-06-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.13 (2024-06-18)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.12 (2024-06-17)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.11 (2024-06-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.10 (2024-06-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.9 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.8 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.7 (2024-03-29)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.6 (2024-03-18)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.5 (2024-03-07)
+
+* **Bug Fix**: Remove dependency on go-cmp.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.4 (2024-03-05)
+
+* **Bug Fix**: Restore typo'd API `AddAsIsInternalPresigingMiddleware` as an alias for backwards compatibility.
+
+# v1.11.3 (2024-03-04)
+
+* **Bug Fix**: Correct a typo in internal AddAsIsPresigningMiddleware API.
+
# v1.11.2 (2024-02-23)
* **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/context.go b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/context.go
index cc919701a..5d5286f92 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/context.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/context.go
@@ -27,13 +27,21 @@ func GetIsPresigning(ctx context.Context) bool {
type isPresigningKey struct{}
-// AddAsIsPresigingMiddleware adds a middleware to the head of the stack that
+// AddAsIsPresigningMiddleware adds a middleware to the head of the stack that
// will update the stack's context to be flagged as being invoked for the
// purpose of presigning.
-func AddAsIsPresigingMiddleware(stack *middleware.Stack) error {
+func AddAsIsPresigningMiddleware(stack *middleware.Stack) error {
return stack.Initialize.Add(asIsPresigningMiddleware{}, middleware.Before)
}
+// AddAsIsPresigingMiddleware is an alias for backwards compatibility.
+//
+// Deprecated: This API was released with a typo. Use
+// [AddAsIsPresigningMiddleware] instead.
+func AddAsIsPresigingMiddleware(stack *middleware.Stack) error {
+ return AddAsIsPresigningMiddleware(stack)
+}
+
type asIsPresigningMiddleware struct{}
func (asIsPresigningMiddleware) ID() string { return "AsIsPresigningMiddleware" }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
index 0af263c5e..f31114ec2 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
@@ -3,4 +3,4 @@
package presignedurl
// goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.11.2"
+const goModuleVersion = "1.11.14"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
index 0f4845a52..8c9717a56 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
@@ -1,3 +1,63 @@
+# v1.29.1 (2024-06-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.29.0 (2024-06-18)
+
+* **Feature**: Track usage of various AWS SDK features in user-agent string.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.13 (2024-06-17)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.12 (2024-06-07)
+
+* **Bug Fix**: Add clock skew correction on all service clients
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.11 (2024-06-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.10 (2024-05-23)
+
+* No change notes available for this release.
+
+# v1.28.9 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.8 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.7 (2024-05-08)
+
+* **Bug Fix**: GoDoc improvement
+
+# v1.28.6 (2024-03-29)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.5 (2024-03-18)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.4 (2024-03-07)
+
+* **Bug Fix**: Remove dependency on go-cmp.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.3 (2024-03-05)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.2 (2024-03-04)
+
+* **Bug Fix**: Update internal/presigned-url dependency for corrected API name.
+* **Dependency Update**: Updated to the latest SDK module versions
+
# v1.28.1 (2024-02-23)
* **Bug Fix**: Move all common, SDK-side middleware stack ops into the service client module to prevent cross-module compatibility issues in the future.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_client.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_client.go
index 8b38a505c..acd2b8e7a 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_client.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_client.go
@@ -15,15 +15,18 @@ import (
internalauth "github.com/aws/aws-sdk-go-v2/internal/auth"
internalauthsmithy "github.com/aws/aws-sdk-go-v2/internal/auth/smithy"
internalConfig "github.com/aws/aws-sdk-go-v2/internal/configsources"
+ internalmiddleware "github.com/aws/aws-sdk-go-v2/internal/middleware"
acceptencodingcust "github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding"
presignedurlcust "github.com/aws/aws-sdk-go-v2/service/internal/presigned-url"
smithy "github.com/aws/smithy-go"
+ smithyauth "github.com/aws/smithy-go/auth"
smithydocument "github.com/aws/smithy-go/document"
"github.com/aws/smithy-go/logging"
"github.com/aws/smithy-go/middleware"
smithyhttp "github.com/aws/smithy-go/transport/http"
"net"
"net/http"
+ "sync/atomic"
"time"
)
@@ -34,6 +37,9 @@ const ServiceAPIVersion = "2011-06-15"
// Service.
type Client struct {
options Options
+
+ // Difference between the time reported by the server and the client
+ timeOffset *atomic.Int64
}
// New returns an initialized Client based on the functional options. Provide
@@ -72,6 +78,8 @@ func New(options Options, optFns ...func(*Options)) *Client {
options: options,
}
+ initializeTimeOffsetResolver(client)
+
return client
}
@@ -233,15 +241,16 @@ func setResolvedDefaultsMode(o *Options) {
// NewFromConfig returns a new client from the provided config.
func NewFromConfig(cfg aws.Config, optFns ...func(*Options)) *Client {
opts := Options{
- Region: cfg.Region,
- DefaultsMode: cfg.DefaultsMode,
- RuntimeEnvironment: cfg.RuntimeEnvironment,
- HTTPClient: cfg.HTTPClient,
- Credentials: cfg.Credentials,
- APIOptions: cfg.APIOptions,
- Logger: cfg.Logger,
- ClientLogMode: cfg.ClientLogMode,
- AppID: cfg.AppID,
+ Region: cfg.Region,
+ DefaultsMode: cfg.DefaultsMode,
+ RuntimeEnvironment: cfg.RuntimeEnvironment,
+ HTTPClient: cfg.HTTPClient,
+ Credentials: cfg.Credentials,
+ APIOptions: cfg.APIOptions,
+ Logger: cfg.Logger,
+ ClientLogMode: cfg.ClientLogMode,
+ AppID: cfg.AppID,
+ AccountIDEndpointMode: cfg.AccountIDEndpointMode,
}
resolveAWSRetryerProvider(cfg, &opts)
resolveAWSRetryMaxAttempts(cfg, &opts)
@@ -445,6 +454,30 @@ func addContentSHA256Header(stack *middleware.Stack) error {
return stack.Finalize.Insert(&v4.ContentSHA256Header{}, (*v4.ComputePayloadSHA256)(nil).ID(), middleware.After)
}
+func addIsWaiterUserAgent(o *Options) {
+ o.APIOptions = append(o.APIOptions, func(stack *middleware.Stack) error {
+ ua, err := getOrAddRequestUserAgent(stack)
+ if err != nil {
+ return err
+ }
+
+ ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureWaiter)
+ return nil
+ })
+}
+
+func addIsPaginatorUserAgent(o *Options) {
+ o.APIOptions = append(o.APIOptions, func(stack *middleware.Stack) error {
+ ua, err := getOrAddRequestUserAgent(stack)
+ if err != nil {
+ return err
+ }
+
+ ua.AddUserAgentFeature(awsmiddleware.UserAgentFeaturePaginator)
+ return nil
+ })
+}
+
func addRetry(stack *middleware.Stack, o Options) error {
attempt := retry.NewAttemptMiddleware(o.Retryer, smithyhttp.RequestCloner, func(m *retry.Attempt) {
m.LogAttempts = o.ClientLogMode.IsRetries()
@@ -488,6 +521,63 @@ func resolveUseFIPSEndpoint(cfg aws.Config, o *Options) error {
return nil
}
+func resolveAccountID(identity smithyauth.Identity, mode aws.AccountIDEndpointMode) *string {
+ if mode == aws.AccountIDEndpointModeDisabled {
+ return nil
+ }
+
+ if ca, ok := identity.(*internalauthsmithy.CredentialsAdapter); ok && ca.Credentials.AccountID != "" {
+ return aws.String(ca.Credentials.AccountID)
+ }
+
+ return nil
+}
+
+func addTimeOffsetBuild(stack *middleware.Stack, c *Client) error {
+ mw := internalmiddleware.AddTimeOffsetMiddleware{Offset: c.timeOffset}
+ if err := stack.Build.Add(&mw, middleware.After); err != nil {
+ return err
+ }
+ return stack.Deserialize.Insert(&mw, "RecordResponseTiming", middleware.Before)
+}
+func initializeTimeOffsetResolver(c *Client) {
+ c.timeOffset = new(atomic.Int64)
+}
+
+func checkAccountID(identity smithyauth.Identity, mode aws.AccountIDEndpointMode) error {
+ switch mode {
+ case aws.AccountIDEndpointModeUnset:
+ case aws.AccountIDEndpointModePreferred:
+ case aws.AccountIDEndpointModeDisabled:
+ case aws.AccountIDEndpointModeRequired:
+ if ca, ok := identity.(*internalauthsmithy.CredentialsAdapter); !ok {
+ return fmt.Errorf("accountID is required but not set")
+ } else if ca.Credentials.AccountID == "" {
+ return fmt.Errorf("accountID is required but not set")
+ }
+ // default check in case invalid mode is configured through request config
+ default:
+ return fmt.Errorf("invalid accountID endpoint mode %s, must be preferred/required/disabled", mode)
+ }
+
+ return nil
+}
+
+func addUserAgentRetryMode(stack *middleware.Stack, options Options) error {
+ ua, err := getOrAddRequestUserAgent(stack)
+ if err != nil {
+ return err
+ }
+
+ switch options.Retryer.(type) {
+ case *retry.Standard:
+ ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureRetryModeStandard)
+ case *retry.AdaptiveMode:
+ ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureRetryModeAdaptive)
+ }
+ return nil
+}
+
func addRecursionDetection(stack *middleware.Stack) error {
return stack.Build.Add(&awsmiddleware.RecursionDetection{}, middleware.After)
}
@@ -643,7 +733,7 @@ func (c presignConverter) convertToPresignMiddleware(stack *middleware.Stack, op
if err != nil {
return err
}
- err = presignedurlcust.AddAsIsPresigingMiddleware(stack)
+ err = presignedurlcust.AddAsIsPresigningMiddleware(stack)
if err != nil {
return err
}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go
index e0e2c9c2e..e74fc8ba9 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go
@@ -16,69 +16,99 @@ import (
// Amazon Web Services resources. These temporary credentials consist of an access
// key ID, a secret access key, and a security token. Typically, you use AssumeRole
// within your account or for cross-account access. For a comparison of AssumeRole
-// with other API operations that produce temporary credentials, see Requesting
-// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
-// in the IAM User Guide. Permissions The temporary security credentials created by
-// AssumeRole can be used to make API calls to any Amazon Web Services service
-// with the following exception: You cannot call the Amazon Web Services STS
-// GetFederationToken or GetSessionToken API operations. (Optional) You can pass
-// inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// to this operation. You can pass a single JSON policy document to use as an
-// inline session policy. You can also specify up to 10 managed policy Amazon
-// Resource Names (ARNs) to use as managed session policies. The plaintext that you
-// use for both inline and managed session policies can't exceed 2,048 characters.
-// Passing policies to this operation returns new temporary credentials. The
-// resulting session's permissions are the intersection of the role's
-// identity-based policy and the session policies. You can use the role's temporary
-// credentials in subsequent Amazon Web Services API calls to access resources in
-// the account that owns the role. You cannot use session policies to grant more
-// permissions than those allowed by the identity-based policy of the role that is
-// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// in the IAM User Guide. When you create a role, you create two policies: a role
-// trust policy that specifies who can assume the role, and a permissions policy
-// that specifies what can be done with the role. You specify the trusted principal
-// that is allowed to assume the role in the role trust policy. To assume a role
-// from a different account, your Amazon Web Services account must be trusted by
-// the role. The trust relationship is defined in the role's trust policy when the
-// role is created. That trust policy states which accounts are allowed to delegate
-// that access to users in the account. A user who wants to access a role in a
-// different account must also have permissions that are delegated from the account
-// administrator. The administrator must attach a policy that allows the user to
-// call AssumeRole for the ARN of the role in the other account. To allow a user
-// to assume a role in the same account, you can do either of the following:
+// with other API operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the
+// IAM User Guide.
+//
+// # Permissions
+//
+// The temporary security credentials created by AssumeRole can be used to make
+// API calls to any Amazon Web Services service with the following exception: You
+// cannot call the Amazon Web Services STS GetFederationToken or GetSessionToken
+// API operations.
+//
+// (Optional) You can pass inline or managed [session policies] to this operation. You can pass a
+// single JSON policy document to use as an inline session policy. You can also
+// specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed
+// session policies. The plaintext that you use for both inline and managed session
+// policies can't exceed 2,048 characters. Passing policies to this operation
+// returns new temporary credentials. The resulting session's permissions are the
+// intersection of the role's identity-based policy and the session policies. You
+// can use the role's temporary credentials in subsequent Amazon Web Services API
+// calls to access resources in the account that owns the role. You cannot use
+// session policies to grant more permissions than those allowed by the
+// identity-based policy of the role that is being assumed. For more information,
+// see [Session Policies]in the IAM User Guide.
+//
+// When you create a role, you create two policies: a role trust policy that
+// specifies who can assume the role, and a permissions policy that specifies what
+// can be done with the role. You specify the trusted principal that is allowed to
+// assume the role in the role trust policy.
+//
+// To assume a role from a different account, your Amazon Web Services account
+// must be trusted by the role. The trust relationship is defined in the role's
+// trust policy when the role is created. That trust policy states which accounts
+// are allowed to delegate that access to users in the account.
+//
+// A user who wants to access a role in a different account must also have
+// permissions that are delegated from the account administrator. The administrator
+// must attach a policy that allows the user to call AssumeRole for the ARN of the
+// role in the other account.
+//
+// To allow a user to assume a role in the same account, you can do either of the
+// following:
+//
// - Attach a policy to the user that allows the user to call AssumeRole (as long
// as the role's trust policy trusts the account).
+//
// - Add the user as a principal directly in the role's trust policy.
//
// You can do either because the role’s trust policy acts as an IAM resource-based
// policy. When a resource-based policy grants access to a principal in the same
// account, no additional identity-based policy is required. For more information
-// about trust policies and resource-based policies, see IAM Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
-// in the IAM User Guide. Tags (Optional) You can pass tag key-value pairs to your
-// session. These tags are called session tags. For more information about session
-// tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-// in the IAM User Guide. An administrator must grant you the permissions necessary
-// to pass session tags. The administrator can also create granular permissions to
-// allow you to pass only specific session tags. For more information, see
-// Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
-// in the IAM User Guide. You can set the session tags as transitive. Transitive
-// tags persist during role chaining. For more information, see Chaining Roles
-// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
-// in the IAM User Guide. Using MFA with AssumeRole (Optional) You can include
-// multi-factor authentication (MFA) information when you call AssumeRole . This is
-// useful for cross-account scenarios to ensure that the user that assumes the role
-// has been authenticated with an Amazon Web Services MFA device. In that scenario,
-// the trust policy of the role being assumed includes a condition that tests for
-// MFA authentication. If the caller does not include valid MFA information, the
-// request to assume the role is denied. The condition in a trust policy that tests
-// for MFA authentication might look like the following example. "Condition":
-// {"Bool": {"aws:MultiFactorAuthPresent": true}} For more information, see
-// Configuring MFA-Protected API Access (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html)
-// in the IAM User Guide guide. To use MFA with AssumeRole , you pass values for
-// the SerialNumber and TokenCode parameters. The SerialNumber value identifies
-// the user's hardware or virtual MFA device. The TokenCode is the time-based
-// one-time password (TOTP) that the MFA device produces.
+// about trust policies and resource-based policies, see [IAM Policies]in the IAM User Guide.
+//
+// # Tags
+//
+// (Optional) You can pass tag key-value pairs to your session. These tags are
+// called session tags. For more information about session tags, see [Passing Session Tags in STS]in the IAM
+// User Guide.
+//
+// An administrator must grant you the permissions necessary to pass session tags.
+// The administrator can also create granular permissions to allow you to pass only
+// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
+//
+// You can set the session tags as transitive. Transitive tags persist during role
+// chaining. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
+//
+// # Using MFA with AssumeRole
+//
+// (Optional) You can include multi-factor authentication (MFA) information when
+// you call AssumeRole . This is useful for cross-account scenarios to ensure that
+// the user that assumes the role has been authenticated with an Amazon Web
+// Services MFA device. In that scenario, the trust policy of the role being
+// assumed includes a condition that tests for MFA authentication. If the caller
+// does not include valid MFA information, the request to assume the role is
+// denied. The condition in a trust policy that tests for MFA authentication might
+// look like the following example.
+//
+// "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
+//
+// For more information, see [Configuring MFA-Protected API Access] in the IAM User Guide guide.
+//
+// To use MFA with AssumeRole , you pass values for the SerialNumber and TokenCode
+// parameters. The SerialNumber value identifies the user's hardware or virtual
+// MFA device. The TokenCode is the time-based one-time password (TOTP) that the
+// MFA device produces.
+//
+// [Configuring MFA-Protected API Access]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
+// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
+// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+// [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [IAM Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
+// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
func (c *Client) AssumeRole(ctx context.Context, params *AssumeRoleInput, optFns ...func(*Options)) (*AssumeRoleOutput, error) {
if params == nil {
params = &AssumeRoleInput{}
@@ -101,17 +131,19 @@ type AssumeRoleInput struct {
// This member is required.
RoleArn *string
- // An identifier for the assumed role session. Use the role session name to
- // uniquely identify a session when the same role is assumed by different
- // principals or for different reasons. In cross-account scenarios, the role
- // session name is visible to, and can be logged by the account that owns the role.
- // The role session name is also used in the ARN of the assumed role principal.
- // This means that subsequent cross-account API requests that use the temporary
- // security credentials will expose the role session name to the external account
- // in their CloudTrail logs. The regex used to validate this parameter is a string
- // of characters consisting of upper- and lower-case alphanumeric characters with
- // no spaces. You can also include underscores or any of the following characters:
- // =,.@-
+ // An identifier for the assumed role session.
+ //
+ // Use the role session name to uniquely identify a session when the same role is
+ // assumed by different principals or for different reasons. In cross-account
+ // scenarios, the role session name is visible to, and can be logged by the account
+ // that owns the role. The role session name is also used in the ARN of the assumed
+ // role principal. This means that subsequent cross-account API requests that use
+ // the temporary security credentials will expose the role session name to the
+ // external account in their CloudTrail logs.
+ //
+ // The regex used to validate this parameter is a string of characters consisting
+ // of upper- and lower-case alphanumeric characters with no spaces. You can also
+ // include underscores or any of the following characters: =,.@-
//
// This member is required.
RoleSessionName *string
@@ -122,23 +154,27 @@ type AssumeRoleInput struct {
// hours. If you specify a value higher than this setting or the administrator
// setting (whichever is lower), the operation fails. For example, if you specify a
// session duration of 12 hours, but your administrator set the maximum session
- // duration to 6 hours, your operation fails. Role chaining limits your Amazon Web
- // Services CLI or Amazon Web Services API role session to a maximum of one hour.
- // When you use the AssumeRole API operation to assume a role, you can specify the
- // duration of your role session with the DurationSeconds parameter. You can
- // specify a parameter value of up to 43200 seconds (12 hours), depending on the
- // maximum session duration setting for your role. However, if you assume a role
- // using role chaining and provide a DurationSeconds parameter value greater than
- // one hour, the operation fails. To learn how to view the maximum value for your
- // role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
- // in the IAM User Guide. By default, the value is set to 3600 seconds. The
- // DurationSeconds parameter is separate from the duration of a console session
- // that you might request using the returned credentials. The request to the
- // federation endpoint for a console sign-in token takes a SessionDuration
+ // duration to 6 hours, your operation fails.
+ //
+ // Role chaining limits your Amazon Web Services CLI or Amazon Web Services API
+ // role session to a maximum of one hour. When you use the AssumeRole API
+ // operation to assume a role, you can specify the duration of your role session
+ // with the DurationSeconds parameter. You can specify a parameter value of up to
+ // 43200 seconds (12 hours), depending on the maximum session duration setting for
+ // your role. However, if you assume a role using role chaining and provide a
+ // DurationSeconds parameter value greater than one hour, the operation fails. To
+ // learn how to view the maximum value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
+ //
+ // By default, the value is set to 3600 seconds.
+ //
+ // The DurationSeconds parameter is separate from the duration of a console
+ // session that you might request using the returned credentials. The request to
+ // the federation endpoint for a console sign-in token takes a SessionDuration
// parameter that specifies the maximum length of the console session. For more
- // information, see Creating a URL that Enables Federated Users to Access the
- // Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
- // in the IAM User Guide.
+ // information, see [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]in the IAM User Guide.
+ //
+ // [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+ // [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
DurationSeconds *int32
// A unique identifier that might be required when you assume a role in another
@@ -149,63 +185,79 @@ type AssumeRoleInput struct {
// the administrator of the trusting account might send an external ID to the
// administrator of the trusted account. That way, only someone with the ID can
// assume the role, rather than everyone in the account. For more information about
- // the external ID, see How to Use an External ID When Granting Access to Your
- // Amazon Web Services Resources to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)
- // in the IAM User Guide. The regex used to validate this parameter is a string of
- // characters consisting of upper- and lower-case alphanumeric characters with no
- // spaces. You can also include underscores or any of the following characters:
- // =,.@:/-
+ // the external ID, see [How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party]in the IAM User Guide.
+ //
+ // The regex used to validate this parameter is a string of characters consisting
+ // of upper- and lower-case alphanumeric characters with no spaces. You can also
+ // include underscores or any of the following characters: =,.@:/-
+ //
+ // [How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
ExternalId *string
// An IAM policy in JSON format that you want to use as an inline session policy.
+ //
// This parameter is optional. Passing policies to this operation returns new
// temporary credentials. The resulting session's permissions are the intersection
// of the role's identity-based policy and the session policies. You can use the
// role's temporary credentials in subsequent Amazon Web Services API calls to
// access resources in the account that owns the role. You cannot use session
// policies to grant more permissions than those allowed by the identity-based
- // policy of the role that is being assumed. For more information, see Session
- // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
- // in the IAM User Guide. The plaintext that you use for both inline and managed
- // session policies can't exceed 2,048 characters. The JSON policy characters can
- // be any ASCII character from the space character to the end of the valid
- // character list (\u0020 through \u00FF). It can also include the tab (\u0009),
- // linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web
- // Services conversion compresses the passed inline session policy, managed policy
- // ARNs, and session tags into a packed binary format that has a separate limit.
- // Your request can fail for this limit even if your plaintext meets the other
- // requirements. The PackedPolicySize response element indicates by percentage how
- // close the policies and tags for your request are to the upper size limit.
+ // policy of the role that is being assumed. For more information, see [Session Policies]in the IAM
+ // User Guide.
+ //
+ // The plaintext that you use for both inline and managed session policies can't
+ // exceed 2,048 characters. The JSON policy characters can be any ASCII character
+ // from the space character to the end of the valid character list (\u0020 through
+ // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
+ // return (\u000D) characters.
+ //
+ // An Amazon Web Services conversion compresses the passed inline session policy,
+ // managed policy ARNs, and session tags into a packed binary format that has a
+ // separate limit. Your request can fail for this limit even if your plaintext
+ // meets the other requirements. The PackedPolicySize response element indicates
+ // by percentage how close the policies and tags for your request are to the upper
+ // size limit.
+ //
+ // [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
Policy *string
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
// use as managed session policies. The policies must exist in the same account as
- // the role. This parameter is optional. You can provide up to 10 managed policy
- // ARNs. However, the plaintext that you use for both inline and managed session
- // policies can't exceed 2,048 characters. For more information about ARNs, see
- // Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
- // in the Amazon Web Services General Reference. An Amazon Web Services conversion
- // compresses the passed inline session policy, managed policy ARNs, and session
- // tags into a packed binary format that has a separate limit. Your request can
- // fail for this limit even if your plaintext meets the other requirements. The
- // PackedPolicySize response element indicates by percentage how close the policies
- // and tags for your request are to the upper size limit. Passing policies to this
- // operation returns new temporary credentials. The resulting session's permissions
- // are the intersection of the role's identity-based policy and the session
- // policies. You can use the role's temporary credentials in subsequent Amazon Web
- // Services API calls to access resources in the account that owns the role. You
- // cannot use session policies to grant more permissions than those allowed by the
- // identity-based policy of the role that is being assumed. For more information,
- // see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
- // in the IAM User Guide.
+ // the role.
+ //
+ // This parameter is optional. You can provide up to 10 managed policy ARNs.
+ // However, the plaintext that you use for both inline and managed session policies
+ // can't exceed 2,048 characters. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the
+ // Amazon Web Services General Reference.
+ //
+ // An Amazon Web Services conversion compresses the passed inline session policy,
+ // managed policy ARNs, and session tags into a packed binary format that has a
+ // separate limit. Your request can fail for this limit even if your plaintext
+ // meets the other requirements. The PackedPolicySize response element indicates
+ // by percentage how close the policies and tags for your request are to the upper
+ // size limit.
+ //
+ // Passing policies to this operation returns new temporary credentials. The
+ // resulting session's permissions are the intersection of the role's
+ // identity-based policy and the session policies. You can use the role's temporary
+ // credentials in subsequent Amazon Web Services API calls to access resources in
+ // the account that owns the role. You cannot use session policies to grant more
+ // permissions than those allowed by the identity-based policy of the role that is
+ // being assumed. For more information, see [Session Policies]in the IAM User Guide.
+ //
+ // [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+ // [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
PolicyArns []types.PolicyDescriptorType
// A list of previously acquired trusted context assertions in the format of a
// JSON array. The trusted context assertion is signed and encrypted by Amazon Web
- // Services STS. The following is an example of a ProvidedContext value that
- // includes a single trusted context assertion and the ARN of the context provider
- // from which the trusted context assertion was generated.
- // [{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]
+ // Services STS.
+ //
+ // The following is an example of a ProvidedContext value that includes a single
+ // trusted context assertion and the ARN of the context provider from which the
+ // trusted context assertion was generated.
+ //
+ // [{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]
ProvidedContexts []types.ProvidedContext
// The identification number of the MFA device that is associated with the user
@@ -213,79 +265,97 @@ type AssumeRoleInput struct {
// the role being assumed includes a condition that requires MFA authentication.
// The value is either the serial number for a hardware device (such as
// GAHT12345678 ) or an Amazon Resource Name (ARN) for a virtual device (such as
- // arn:aws:iam::123456789012:mfa/user ). The regex used to validate this parameter
- // is a string of characters consisting of upper- and lower-case alphanumeric
- // characters with no spaces. You can also include underscores or any of the
- // following characters: =,.@-
+ // arn:aws:iam::123456789012:mfa/user ).
+ //
+ // The regex used to validate this parameter is a string of characters consisting
+ // of upper- and lower-case alphanumeric characters with no spaces. You can also
+ // include underscores or any of the following characters: =,.@-
SerialNumber *string
// The source identity specified by the principal that is calling the AssumeRole
- // operation. You can require users to specify a source identity when they assume a
- // role. You do this by using the sts:SourceIdentity condition key in a role trust
- // policy. You can use source identity information in CloudTrail logs to determine
- // who took actions with a role. You can use the aws:SourceIdentity condition key
- // to further control access to Amazon Web Services resources based on the value of
- // source identity. For more information about using source identity, see Monitor
- // and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
- // in the IAM User Guide. The regex used to validate this parameter is a string of
- // characters consisting of upper- and lower-case alphanumeric characters with no
- // spaces. You can also include underscores or any of the following characters:
- // =,.@-. You cannot use a value that begins with the text aws: . This prefix is
- // reserved for Amazon Web Services internal use.
+ // operation.
+ //
+ // You can require users to specify a source identity when they assume a role. You
+ // do this by using the sts:SourceIdentity condition key in a role trust policy.
+ // You can use source identity information in CloudTrail logs to determine who took
+ // actions with a role. You can use the aws:SourceIdentity condition key to
+ // further control access to Amazon Web Services resources based on the value of
+ // source identity. For more information about using source identity, see [Monitor and control actions taken with assumed roles]in the
+ // IAM User Guide.
+ //
+ // The regex used to validate this parameter is a string of characters consisting
+ // of upper- and lower-case alphanumeric characters with no spaces. You can also
+ // include underscores or any of the following characters: =,.@-. You cannot use a
+ // value that begins with the text aws: . This prefix is reserved for Amazon Web
+ // Services internal use.
+ //
+ // [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
SourceIdentity *string
// A list of session tags that you want to pass. Each session tag consists of a
- // key name and an associated value. For more information about session tags, see
- // Tagging Amazon Web Services STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
- // in the IAM User Guide. This parameter is optional. You can pass up to 50 session
- // tags. The plaintext session tag keys can’t exceed 128 characters, and the values
- // can’t exceed 256 characters. For these and additional limits, see IAM and STS
- // Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
- // in the IAM User Guide. An Amazon Web Services conversion compresses the passed
- // inline session policy, managed policy ARNs, and session tags into a packed
- // binary format that has a separate limit. Your request can fail for this limit
- // even if your plaintext meets the other requirements. The PackedPolicySize
- // response element indicates by percentage how close the policies and tags for
- // your request are to the upper size limit. You can pass a session tag with the
- // same key as a tag that is already attached to the role. When you do, session
- // tags override a role tag with the same key. Tag key–value pairs are not case
- // sensitive, but case is preserved. This means that you cannot have separate
- // Department and department tag keys. Assume that the role has the Department =
- // Marketing tag and you pass the department = engineering session tag. Department
- // and department are not saved as separate tags, and the session tag passed in
- // the request takes precedence over the role tag. Additionally, if you used
- // temporary credentials to perform this operation, the new session inherits any
- // transitive session tags from the calling session. If you pass a session tag with
- // the same key as an inherited tag, the operation fails. To view the inherited
- // tags for a session, see the CloudTrail logs. For more information, see Viewing
- // Session Tags in CloudTrail (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs)
+ // key name and an associated value. For more information about session tags, see [Tagging Amazon Web Services STS Sessions]
// in the IAM User Guide.
+ //
+ // This parameter is optional. You can pass up to 50 session tags. The plaintext
+ // session tag keys can’t exceed 128 characters, and the values can’t exceed 256
+ // characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
+ //
+ // An Amazon Web Services conversion compresses the passed inline session policy,
+ // managed policy ARNs, and session tags into a packed binary format that has a
+ // separate limit. Your request can fail for this limit even if your plaintext
+ // meets the other requirements. The PackedPolicySize response element indicates
+ // by percentage how close the policies and tags for your request are to the upper
+ // size limit.
+ //
+ // You can pass a session tag with the same key as a tag that is already attached
+ // to the role. When you do, session tags override a role tag with the same key.
+ //
+ // Tag key–value pairs are not case sensitive, but case is preserved. This means
+ // that you cannot have separate Department and department tag keys. Assume that
+ // the role has the Department = Marketing tag and you pass the department =
+ // engineering session tag. Department and department are not saved as separate
+ // tags, and the session tag passed in the request takes precedence over the role
+ // tag.
+ //
+ // Additionally, if you used temporary credentials to perform this operation, the
+ // new session inherits any transitive session tags from the calling session. If
+ // you pass a session tag with the same key as an inherited tag, the operation
+ // fails. To view the inherited tags for a session, see the CloudTrail logs. For
+ // more information, see [Viewing Session Tags in CloudTrail]in the IAM User Guide.
+ //
+ // [Tagging Amazon Web Services STS Sessions]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+ // [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+ // [Viewing Session Tags in CloudTrail]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs
Tags []types.Tag
// The value provided by the MFA device, if the trust policy of the role being
// assumed requires MFA. (In other words, if the policy includes a condition that
// tests for MFA). If the role being assumed requires MFA and if the TokenCode
// value is missing or expired, the AssumeRole call returns an "access denied"
- // error. The format for this parameter, as described by its regex pattern, is a
- // sequence of six numeric digits.
+ // error.
+ //
+ // The format for this parameter, as described by its regex pattern, is a sequence
+ // of six numeric digits.
TokenCode *string
// A list of keys for session tags that you want to set as transitive. If you set
// a tag key as transitive, the corresponding key and value passes to subsequent
- // sessions in a role chain. For more information, see Chaining Roles with Session
- // Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
- // in the IAM User Guide. This parameter is optional. When you set session tags as
- // transitive, the session policy and session tags packed binary limit is not
- // affected. If you choose not to specify a transitive tag key, then no tags are
- // passed from this session to any subsequent sessions.
+ // sessions in a role chain. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
+ //
+ // This parameter is optional. When you set session tags as transitive, the
+ // session policy and session tags packed binary limit is not affected.
+ //
+ // If you choose not to specify a transitive tag key, then no tags are passed from
+ // this session to any subsequent sessions.
+ //
+ // [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
TransitiveTagKeys []string
noSmithyDocumentSerde
}
-// Contains the response to a successful AssumeRole request, including temporary
-// Amazon Web Services credentials that can be used to make Amazon Web Services
-// requests.
+// Contains the response to a successful AssumeRole request, including temporary Amazon Web
+// Services credentials that can be used to make Amazon Web Services requests.
type AssumeRoleOutput struct {
// The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
@@ -296,9 +366,10 @@ type AssumeRoleOutput struct {
AssumedRoleUser *types.AssumedRoleUser
// The temporary security credentials, which include an access key ID, a secret
- // access key, and a security (or session) token. The size of the security token
- // that STS API operations return is not fixed. We strongly recommend that you make
- // no assumptions about the maximum size.
+ // access key, and a security (or session) token.
+ //
+ // The size of the security token that STS API operations return is not fixed. We
+ // strongly recommend that you make no assumptions about the maximum size.
Credentials *types.Credentials
// A percentage value that indicates the packed size of the session policies and
@@ -308,17 +379,21 @@ type AssumeRoleOutput struct {
PackedPolicySize *int32
// The source identity specified by the principal that is calling the AssumeRole
- // operation. You can require users to specify a source identity when they assume a
- // role. You do this by using the sts:SourceIdentity condition key in a role trust
- // policy. You can use source identity information in CloudTrail logs to determine
- // who took actions with a role. You can use the aws:SourceIdentity condition key
- // to further control access to Amazon Web Services resources based on the value of
- // source identity. For more information about using source identity, see Monitor
- // and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
- // in the IAM User Guide. The regex used to validate this parameter is a string of
- // characters consisting of upper- and lower-case alphanumeric characters with no
- // spaces. You can also include underscores or any of the following characters:
- // =,.@-
+ // operation.
+ //
+ // You can require users to specify a source identity when they assume a role. You
+ // do this by using the sts:SourceIdentity condition key in a role trust policy.
+ // You can use source identity information in CloudTrail logs to determine who took
+ // actions with a role. You can use the aws:SourceIdentity condition key to
+ // further control access to Amazon Web Services resources based on the value of
+ // source identity. For more information about using source identity, see [Monitor and control actions taken with assumed roles]in the
+ // IAM User Guide.
+ //
+ // The regex used to validate this parameter is a string of characters consisting
+ // of upper- and lower-case alphanumeric characters with no spaces. You can also
+ // include underscores or any of the following characters: =,.@-
+ //
+ // [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
SourceIdentity *string
// Metadata pertaining to the operation's result.
@@ -382,6 +457,12 @@ func (c *Client) addOperationAssumeRoleMiddlewares(stack *middleware.Stack, opti
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err
}
+ if err = addTimeOffsetBuild(stack, c); err != nil {
+ return err
+ }
+ if err = addUserAgentRetryMode(stack, options); err != nil {
+ return err
+ }
if err = addOpAssumeRoleValidationMiddleware(stack); err != nil {
return err
}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go
index 2a57b72ac..4c685abd5 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go
@@ -16,92 +16,132 @@ import (
// mechanism for tying an enterprise identity store or directory to role-based
// Amazon Web Services access without user-specific credentials or configuration.
// For a comparison of AssumeRoleWithSAML with the other API operations that
-// produce temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
-// in the IAM User Guide. The temporary security credentials returned by this
-// operation consist of an access key ID, a secret access key, and a security
-// token. Applications can use these temporary security credentials to sign calls
-// to Amazon Web Services services. Session Duration By default, the temporary
-// security credentials created by AssumeRoleWithSAML last for one hour. However,
-// you can use the optional DurationSeconds parameter to specify the duration of
-// your session. Your role session lasts for the duration that you specify, or
-// until the time specified in the SAML authentication response's
-// SessionNotOnOrAfter value, whichever is shorter. You can provide a
-// DurationSeconds value from 900 seconds (15 minutes) up to the maximum session
-// duration setting for the role. This setting can have a value from 1 hour to 12
-// hours. To learn how to view the maximum value for your role, see View the
-// Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
-// in the IAM User Guide. The maximum session duration limit applies when you use
-// the AssumeRole* API operations or the assume-role* CLI commands. However the
-// limit does not apply when you use those operations to create a console URL. For
-// more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
-// in the IAM User Guide. Role chaining (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining)
-// limits your CLI or Amazon Web Services API role session to a maximum of one
+// produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
+//
+// The temporary security credentials returned by this operation consist of an
+// access key ID, a secret access key, and a security token. Applications can use
+// these temporary security credentials to sign calls to Amazon Web Services
+// services.
+//
+// # Session Duration
+//
+// By default, the temporary security credentials created by AssumeRoleWithSAML
+// last for one hour. However, you can use the optional DurationSeconds parameter
+// to specify the duration of your session. Your role session lasts for the
+// duration that you specify, or until the time specified in the SAML
+// authentication response's SessionNotOnOrAfter value, whichever is shorter. You
+// can provide a DurationSeconds value from 900 seconds (15 minutes) up to the
+// maximum session duration setting for the role. This setting can have a value
+// from 1 hour to 12 hours. To learn how to view the maximum value for your role,
+// see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide. The maximum session duration limit applies when you
+// use the AssumeRole* API operations or the assume-role* CLI commands. However
+// the limit does not apply when you use those operations to create a console URL.
+// For more information, see [Using IAM Roles]in the IAM User Guide.
+//
+// [Role chaining]limits your CLI or Amazon Web Services API role session to a maximum of one
// hour. When you use the AssumeRole API operation to assume a role, you can
// specify the duration of your role session with the DurationSeconds parameter.
// You can specify a parameter value of up to 43200 seconds (12 hours), depending
// on the maximum session duration setting for your role. However, if you assume a
// role using role chaining and provide a DurationSeconds parameter value greater
-// than one hour, the operation fails. Permissions The temporary security
-// credentials created by AssumeRoleWithSAML can be used to make API calls to any
-// Amazon Web Services service with the following exception: you cannot call the
-// STS GetFederationToken or GetSessionToken API operations. (Optional) You can
-// pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// to this operation. You can pass a single JSON policy document to use as an
-// inline session policy. You can also specify up to 10 managed policy Amazon
-// Resource Names (ARNs) to use as managed session policies. The plaintext that you
-// use for both inline and managed session policies can't exceed 2,048 characters.
-// Passing policies to this operation returns new temporary credentials. The
-// resulting session's permissions are the intersection of the role's
-// identity-based policy and the session policies. You can use the role's temporary
-// credentials in subsequent Amazon Web Services API calls to access resources in
-// the account that owns the role. You cannot use session policies to grant more
-// permissions than those allowed by the identity-based policy of the role that is
-// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// in the IAM User Guide. Calling AssumeRoleWithSAML does not require the use of
-// Amazon Web Services security credentials. The identity of the caller is
-// validated by using keys in the metadata document that is uploaded for the SAML
-// provider entity for your identity provider. Calling AssumeRoleWithSAML can
-// result in an entry in your CloudTrail logs. The entry includes the value in the
-// NameID element of the SAML assertion. We recommend that you use a NameIDType
-// that is not associated with any personally identifiable information (PII). For
-// example, you could instead use the persistent identifier (
-// urn:oasis:names:tc:SAML:2.0:nameid-format:persistent ). Tags (Optional) You can
-// configure your IdP to pass attributes into your SAML assertion as session tags.
-// Each session tag consists of a key name and an associated value. For more
-// information about session tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-// in the IAM User Guide. You can pass up to 50 session tags. The plaintext session
-// tag keys can’t exceed 128 characters and the values can’t exceed 256 characters.
-// For these and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
-// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
-// inline session policy, managed policy ARNs, and session tags into a packed
-// binary format that has a separate limit. Your request can fail for this limit
-// even if your plaintext meets the other requirements. The PackedPolicySize
-// response element indicates by percentage how close the policies and tags for
-// your request are to the upper size limit. You can pass a session tag with the
-// same key as a tag that is attached to the role. When you do, session tags
-// override the role's tags with the same key. An administrator must grant you the
-// permissions necessary to pass session tags. The administrator can also create
-// granular permissions to allow you to pass only specific session tags. For more
-// information, see Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
-// in the IAM User Guide. You can set the session tags as transitive. Transitive
-// tags persist during role chaining. For more information, see Chaining Roles
-// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
-// in the IAM User Guide. SAML Configuration Before your application can call
-// AssumeRoleWithSAML , you must configure your SAML identity provider (IdP) to
-// issue the claims required by Amazon Web Services. Additionally, you must use
-// Identity and Access Management (IAM) to create a SAML provider entity in your
-// Amazon Web Services account that represents your identity provider. You must
-// also create an IAM role that specifies this SAML provider in its trust policy.
+// than one hour, the operation fails.
+//
+// # Permissions
+//
+// The temporary security credentials created by AssumeRoleWithSAML can be used to
+// make API calls to any Amazon Web Services service with the following exception:
+// you cannot call the STS GetFederationToken or GetSessionToken API operations.
+//
+// (Optional) You can pass inline or managed [session policies] to this operation. You can pass a
+// single JSON policy document to use as an inline session policy. You can also
+// specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed
+// session policies. The plaintext that you use for both inline and managed session
+// policies can't exceed 2,048 characters. Passing policies to this operation
+// returns new temporary credentials. The resulting session's permissions are the
+// intersection of the role's identity-based policy and the session policies. You
+// can use the role's temporary credentials in subsequent Amazon Web Services API
+// calls to access resources in the account that owns the role. You cannot use
+// session policies to grant more permissions than those allowed by the
+// identity-based policy of the role that is being assumed. For more information,
+// see [Session Policies]in the IAM User Guide.
+//
+// Calling AssumeRoleWithSAML does not require the use of Amazon Web Services
+// security credentials. The identity of the caller is validated by using keys in
+// the metadata document that is uploaded for the SAML provider entity for your
+// identity provider.
+//
+// Calling AssumeRoleWithSAML can result in an entry in your CloudTrail logs. The
+// entry includes the value in the NameID element of the SAML assertion. We
+// recommend that you use a NameIDType that is not associated with any personally
+// identifiable information (PII). For example, you could instead use the
+// persistent identifier ( urn:oasis:names:tc:SAML:2.0:nameid-format:persistent ).
+//
+// # Tags
+//
+// (Optional) You can configure your IdP to pass attributes into your SAML
+// assertion as session tags. Each session tag consists of a key name and an
+// associated value. For more information about session tags, see [Passing Session Tags in STS]in the IAM User
+// Guide.
+//
+// You can pass up to 50 session tags. The plaintext session tag keys can’t exceed
+// 128 characters and the values can’t exceed 256 characters. For these and
+// additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
+//
+// An Amazon Web Services conversion compresses the passed inline session policy,
+// managed policy ARNs, and session tags into a packed binary format that has a
+// separate limit. Your request can fail for this limit even if your plaintext
+// meets the other requirements. The PackedPolicySize response element indicates
+// by percentage how close the policies and tags for your request are to the upper
+// size limit.
+//
+// You can pass a session tag with the same key as a tag that is attached to the
+// role. When you do, session tags override the role's tags with the same key.
+//
+// An administrator must grant you the permissions necessary to pass session tags.
+// The administrator can also create granular permissions to allow you to pass only
+// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
+//
+// You can set the session tags as transitive. Transitive tags persist during role
+// chaining. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
+//
+// # SAML Configuration
+//
+// Before your application can call AssumeRoleWithSAML , you must configure your
+// SAML identity provider (IdP) to issue the claims required by Amazon Web
+// Services. Additionally, you must use Identity and Access Management (IAM) to
+// create a SAML provider entity in your Amazon Web Services account that
+// represents your identity provider. You must also create an IAM role that
+// specifies this SAML provider in its trust policy.
+//
// For more information, see the following resources:
-// - About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
-// in the IAM User Guide.
-// - Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
-// in the IAM User Guide.
-// - Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
-// in the IAM User Guide.
-// - Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
-// in the IAM User Guide.
+//
+// [About SAML 2.0-based Federation]
+// - in the IAM User Guide.
+//
+// [Creating SAML Identity Providers]
+// - in the IAM User Guide.
+//
+// [Configuring a Relying Party and Claims]
+// - in the IAM User Guide.
+//
+// [Creating a Role for SAML 2.0 Federation]
+// - in the IAM User Guide.
+//
+// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+// [Creating a Role for SAML 2.0 Federation]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
+// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+// [Creating SAML Identity Providers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
+// [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
+// [Configuring a Relying Party and Claims]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
+// [Role chaining]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining
+// [Using IAM Roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
+// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+// [About SAML 2.0-based Federation]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
+// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
func (c *Client) AssumeRoleWithSAML(ctx context.Context, params *AssumeRoleWithSAMLInput, optFns ...func(*Options)) (*AssumeRoleWithSAMLOutput, error) {
if params == nil {
params = &AssumeRoleWithSAMLInput{}
@@ -130,9 +170,11 @@ type AssumeRoleWithSAMLInput struct {
// This member is required.
RoleArn *string
- // The base64 encoded SAML authentication response provided by the IdP. For more
- // information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
- // in the IAM User Guide.
+ // The base64 encoded SAML authentication response provided by the IdP.
+ //
+ // For more information, see [Configuring a Relying Party and Adding Claims] in the IAM User Guide.
+ //
+ // [Configuring a Relying Party and Adding Claims]: https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
//
// This member is required.
SAMLAssertion *string
@@ -146,92 +188,114 @@ type AssumeRoleWithSAMLInput struct {
// than this setting, the operation fails. For example, if you specify a session
// duration of 12 hours, but your administrator set the maximum session duration to
// 6 hours, your operation fails. To learn how to view the maximum value for your
- // role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
- // in the IAM User Guide. By default, the value is set to 3600 seconds. The
- // DurationSeconds parameter is separate from the duration of a console session
- // that you might request using the returned credentials. The request to the
- // federation endpoint for a console sign-in token takes a SessionDuration
+ // role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
+ //
+ // By default, the value is set to 3600 seconds.
+ //
+ // The DurationSeconds parameter is separate from the duration of a console
+ // session that you might request using the returned credentials. The request to
+ // the federation endpoint for a console sign-in token takes a SessionDuration
// parameter that specifies the maximum length of the console session. For more
- // information, see Creating a URL that Enables Federated Users to Access the
- // Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
- // in the IAM User Guide.
+ // information, see [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]in the IAM User Guide.
+ //
+ // [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+ // [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
DurationSeconds *int32
// An IAM policy in JSON format that you want to use as an inline session policy.
+ //
// This parameter is optional. Passing policies to this operation returns new
// temporary credentials. The resulting session's permissions are the intersection
// of the role's identity-based policy and the session policies. You can use the
// role's temporary credentials in subsequent Amazon Web Services API calls to
// access resources in the account that owns the role. You cannot use session
// policies to grant more permissions than those allowed by the identity-based
- // policy of the role that is being assumed. For more information, see Session
- // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
- // in the IAM User Guide. The plaintext that you use for both inline and managed
- // session policies can't exceed 2,048 characters. The JSON policy characters can
- // be any ASCII character from the space character to the end of the valid
- // character list (\u0020 through \u00FF). It can also include the tab (\u0009),
- // linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web
- // Services conversion compresses the passed inline session policy, managed policy
- // ARNs, and session tags into a packed binary format that has a separate limit.
- // Your request can fail for this limit even if your plaintext meets the other
- // requirements. The PackedPolicySize response element indicates by percentage how
- // close the policies and tags for your request are to the upper size limit.
+ // policy of the role that is being assumed. For more information, see [Session Policies]in the IAM
+ // User Guide.
+ //
+ // The plaintext that you use for both inline and managed session policies can't
+ // exceed 2,048 characters. The JSON policy characters can be any ASCII character
+ // from the space character to the end of the valid character list (\u0020 through
+ // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
+ // return (\u000D) characters.
+ //
+ // An Amazon Web Services conversion compresses the passed inline session policy,
+ // managed policy ARNs, and session tags into a packed binary format that has a
+ // separate limit. Your request can fail for this limit even if your plaintext
+ // meets the other requirements. The PackedPolicySize response element indicates
+ // by percentage how close the policies and tags for your request are to the upper
+ // size limit.
+ //
+ // [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
Policy *string
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
// use as managed session policies. The policies must exist in the same account as
- // the role. This parameter is optional. You can provide up to 10 managed policy
- // ARNs. However, the plaintext that you use for both inline and managed session
- // policies can't exceed 2,048 characters. For more information about ARNs, see
- // Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
- // in the Amazon Web Services General Reference. An Amazon Web Services conversion
- // compresses the passed inline session policy, managed policy ARNs, and session
- // tags into a packed binary format that has a separate limit. Your request can
- // fail for this limit even if your plaintext meets the other requirements. The
- // PackedPolicySize response element indicates by percentage how close the policies
- // and tags for your request are to the upper size limit. Passing policies to this
- // operation returns new temporary credentials. The resulting session's permissions
- // are the intersection of the role's identity-based policy and the session
- // policies. You can use the role's temporary credentials in subsequent Amazon Web
- // Services API calls to access resources in the account that owns the role. You
- // cannot use session policies to grant more permissions than those allowed by the
- // identity-based policy of the role that is being assumed. For more information,
- // see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
- // in the IAM User Guide.
+ // the role.
+ //
+ // This parameter is optional. You can provide up to 10 managed policy ARNs.
+ // However, the plaintext that you use for both inline and managed session policies
+ // can't exceed 2,048 characters. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the
+ // Amazon Web Services General Reference.
+ //
+ // An Amazon Web Services conversion compresses the passed inline session policy,
+ // managed policy ARNs, and session tags into a packed binary format that has a
+ // separate limit. Your request can fail for this limit even if your plaintext
+ // meets the other requirements. The PackedPolicySize response element indicates
+ // by percentage how close the policies and tags for your request are to the upper
+ // size limit.
+ //
+ // Passing policies to this operation returns new temporary credentials. The
+ // resulting session's permissions are the intersection of the role's
+ // identity-based policy and the session policies. You can use the role's temporary
+ // credentials in subsequent Amazon Web Services API calls to access resources in
+ // the account that owns the role. You cannot use session policies to grant more
+ // permissions than those allowed by the identity-based policy of the role that is
+ // being assumed. For more information, see [Session Policies]in the IAM User Guide.
+ //
+ // [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+ // [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
PolicyArns []types.PolicyDescriptorType
noSmithyDocumentSerde
}
-// Contains the response to a successful AssumeRoleWithSAML request, including
-// temporary Amazon Web Services credentials that can be used to make Amazon Web
-// Services requests.
+// Contains the response to a successful AssumeRoleWithSAML request, including temporary Amazon Web
+// Services credentials that can be used to make Amazon Web Services requests.
type AssumeRoleWithSAMLOutput struct {
// The identifiers for the temporary security credentials that the operation
// returns.
AssumedRoleUser *types.AssumedRoleUser
- // The value of the Recipient attribute of the SubjectConfirmationData element of
+ // The value of the Recipient attribute of the SubjectConfirmationData element of
// the SAML assertion.
Audience *string
// The temporary security credentials, which include an access key ID, a secret
- // access key, and a security (or session) token. The size of the security token
- // that STS API operations return is not fixed. We strongly recommend that you make
- // no assumptions about the maximum size.
+ // access key, and a security (or session) token.
+ //
+ // The size of the security token that STS API operations return is not fixed. We
+ // strongly recommend that you make no assumptions about the maximum size.
Credentials *types.Credentials
// The value of the Issuer element of the SAML assertion.
Issuer *string
// A hash value based on the concatenation of the following:
+ //
// - The Issuer response value.
+ //
// - The Amazon Web Services account ID.
+ //
// - The friendly name (the last part of the ARN) of the SAML provider in IAM.
+ //
// The combination of NameQualifier and Subject can be used to uniquely identify a
- // user. The following pseudocode shows how the hash value is calculated: BASE64 (
- // SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )
+ // user.
+ //
+ // The following pseudocode shows how the hash value is calculated:
+ //
+ // BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )
NameQualifier *string
// A percentage value that indicates the packed size of the session policies and
@@ -240,31 +304,36 @@ type AssumeRoleWithSAMLOutput struct {
// allowed space.
PackedPolicySize *int32
- // The value in the SourceIdentity attribute in the SAML assertion. You can
- // require users to set a source identity value when they assume a role. You do
- // this by using the sts:SourceIdentity condition key in a role trust policy. That
- // way, actions that are taken with the role are associated with that user. After
- // the source identity is set, the value cannot be changed. It is present in the
- // request for all actions that are taken by the role and persists across chained
- // role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining)
- // sessions. You can configure your SAML identity provider to use an attribute
- // associated with your users, like user name or email, as the source identity when
- // calling AssumeRoleWithSAML . You do this by adding an attribute to the SAML
- // assertion. For more information about using source identity, see Monitor and
- // control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
- // in the IAM User Guide. The regex used to validate this parameter is a string of
- // characters consisting of upper- and lower-case alphanumeric characters with no
- // spaces. You can also include underscores or any of the following characters:
- // =,.@-
+ // The value in the SourceIdentity attribute in the SAML assertion.
+ //
+ // You can require users to set a source identity value when they assume a role.
+ // You do this by using the sts:SourceIdentity condition key in a role trust
+ // policy. That way, actions that are taken with the role are associated with that
+ // user. After the source identity is set, the value cannot be changed. It is
+ // present in the request for all actions that are taken by the role and persists
+ // across [chained role]sessions. You can configure your SAML identity provider to use an
+ // attribute associated with your users, like user name or email, as the source
+ // identity when calling AssumeRoleWithSAML . You do this by adding an attribute to
+ // the SAML assertion. For more information about using source identity, see [Monitor and control actions taken with assumed roles]in
+ // the IAM User Guide.
+ //
+ // The regex used to validate this parameter is a string of characters consisting
+ // of upper- and lower-case alphanumeric characters with no spaces. You can also
+ // include underscores or any of the following characters: =,.@-
+ //
+ // [chained role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
+ // [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
SourceIdentity *string
// The value of the NameID element in the Subject element of the SAML assertion.
Subject *string
- // The format of the name ID, as defined by the Format attribute in the NameID
+ // The format of the name ID, as defined by the Format attribute in the NameID
// element of the SAML assertion. Typical examples of the format are transient or
- // persistent . If the format includes the prefix
- // urn:oasis:names:tc:SAML:2.0:nameid-format , that prefix is removed. For example,
+ // persistent .
+ //
+ // If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format ,
+ // that prefix is removed. For example,
// urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned as transient .
// If the format includes any other prefix, the format is returned with no
// modifications.
@@ -328,6 +397,12 @@ func (c *Client) addOperationAssumeRoleWithSAMLMiddlewares(stack *middleware.Sta
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err
}
+ if err = addTimeOffsetBuild(stack, c); err != nil {
+ return err
+ }
+ if err = addUserAgentRetryMode(stack, options); err != nil {
+ return err
+ }
if err = addOpAssumeRoleWithSAMLValidationMiddleware(stack); err != nil {
return err
}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go
index 98108ce6a..0b5e5a377 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go
@@ -14,105 +14,143 @@ import (
// Returns a set of temporary security credentials for users who have been
// authenticated in a mobile or web application with a web identity provider.
// Example providers include the OAuth 2.0 providers Login with Amazon and
-// Facebook, or any OpenID Connect-compatible identity provider such as Google or
-// Amazon Cognito federated identities (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html)
-// . For mobile applications, we recommend that you use Amazon Cognito. You can use
-// Amazon Cognito with the Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/)
-// and the Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/)
-// to uniquely identify a user. You can also supply the user with a consistent
-// identity throughout the lifetime of an application. To learn more about Amazon
-// Cognito, see Amazon Cognito identity pools (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html)
-// in Amazon Cognito Developer Guide. Calling AssumeRoleWithWebIdentity does not
-// require the use of Amazon Web Services security credentials. Therefore, you can
-// distribute an application (for example, on mobile devices) that requests
-// temporary security credentials without including long-term Amazon Web Services
-// credentials in the application. You also don't need to deploy server-based proxy
-// services that use long-term Amazon Web Services credentials. Instead, the
-// identity of the caller is validated by using a token from the web identity
-// provider. For a comparison of AssumeRoleWithWebIdentity with the other API
-// operations that produce temporary credentials, see Requesting Temporary
-// Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
-// in the IAM User Guide. The temporary security credentials returned by this API
-// consist of an access key ID, a secret access key, and a security token.
-// Applications can use these temporary security credentials to sign calls to
-// Amazon Web Services service API operations. Session Duration By default, the
-// temporary security credentials created by AssumeRoleWithWebIdentity last for
-// one hour. However, you can use the optional DurationSeconds parameter to
-// specify the duration of your session. You can provide a value from 900 seconds
-// (15 minutes) up to the maximum session duration setting for the role. This
-// setting can have a value from 1 hour to 12 hours. To learn how to view the
-// maximum value for your role, see View the Maximum Session Duration Setting for
-// a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
-// in the IAM User Guide. The maximum session duration limit applies when you use
-// the AssumeRole* API operations or the assume-role* CLI commands. However the
-// limit does not apply when you use those operations to create a console URL. For
-// more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
-// in the IAM User Guide. Permissions The temporary security credentials created by
-// AssumeRoleWithWebIdentity can be used to make API calls to any Amazon Web
-// Services service with the following exception: you cannot call the STS
-// GetFederationToken or GetSessionToken API operations. (Optional) You can pass
-// inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// to this operation. You can pass a single JSON policy document to use as an
-// inline session policy. You can also specify up to 10 managed policy Amazon
-// Resource Names (ARNs) to use as managed session policies. The plaintext that you
-// use for both inline and managed session policies can't exceed 2,048 characters.
-// Passing policies to this operation returns new temporary credentials. The
-// resulting session's permissions are the intersection of the role's
-// identity-based policy and the session policies. You can use the role's temporary
-// credentials in subsequent Amazon Web Services API calls to access resources in
-// the account that owns the role. You cannot use session policies to grant more
-// permissions than those allowed by the identity-based policy of the role that is
-// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// in the IAM User Guide. Tags (Optional) You can configure your IdP to pass
-// attributes into your web identity token as session tags. Each session tag
-// consists of a key name and an associated value. For more information about
-// session tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-// in the IAM User Guide. You can pass up to 50 session tags. The plaintext session
-// tag keys can’t exceed 128 characters and the values can’t exceed 256 characters.
-// For these and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
-// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
-// inline session policy, managed policy ARNs, and session tags into a packed
-// binary format that has a separate limit. Your request can fail for this limit
-// even if your plaintext meets the other requirements. The PackedPolicySize
-// response element indicates by percentage how close the policies and tags for
-// your request are to the upper size limit. You can pass a session tag with the
-// same key as a tag that is attached to the role. When you do, the session tag
-// overrides the role tag with the same key. An administrator must grant you the
-// permissions necessary to pass session tags. The administrator can also create
-// granular permissions to allow you to pass only specific session tags. For more
-// information, see Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
-// in the IAM User Guide. You can set the session tags as transitive. Transitive
-// tags persist during role chaining. For more information, see Chaining Roles
-// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
-// in the IAM User Guide. Identities Before your application can call
-// AssumeRoleWithWebIdentity , you must have an identity token from a supported
-// identity provider and create a role that the application can assume. The role
-// that your application assumes must trust the identity provider that is
-// associated with the identity token. In other words, the identity provider must
-// be specified in the role's trust policy. Calling AssumeRoleWithWebIdentity can
-// result in an entry in your CloudTrail logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims)
-// of the provided web identity token. We recommend that you avoid using any
-// personally identifiable information (PII) in this field. For example, you could
-// instead use a GUID or a pairwise identifier, as suggested in the OIDC
-// specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes)
-// . For more information about how to use web identity federation and the
+// Facebook, or any OpenID Connect-compatible identity provider such as Google or [Amazon Cognito federated identities].
+//
+// For mobile applications, we recommend that you use Amazon Cognito. You can use
+// Amazon Cognito with the [Amazon Web Services SDK for iOS Developer Guide]and the [Amazon Web Services SDK for Android Developer Guide] to uniquely identify a user. You can also
+// supply the user with a consistent identity throughout the lifetime of an
+// application.
+//
+// To learn more about Amazon Cognito, see [Amazon Cognito identity pools] in Amazon Cognito Developer Guide.
+//
+// Calling AssumeRoleWithWebIdentity does not require the use of Amazon Web
+// Services security credentials. Therefore, you can distribute an application (for
+// example, on mobile devices) that requests temporary security credentials without
+// including long-term Amazon Web Services credentials in the application. You also
+// don't need to deploy server-based proxy services that use long-term Amazon Web
+// Services credentials. Instead, the identity of the caller is validated by using
+// a token from the web identity provider. For a comparison of
+// AssumeRoleWithWebIdentity with the other API operations that produce temporary
+// credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
+//
+// The temporary security credentials returned by this API consist of an access
+// key ID, a secret access key, and a security token. Applications can use these
+// temporary security credentials to sign calls to Amazon Web Services service API
+// operations.
+//
+// # Session Duration
+//
+// By default, the temporary security credentials created by
+// AssumeRoleWithWebIdentity last for one hour. However, you can use the optional
+// DurationSeconds parameter to specify the duration of your session. You can
+// provide a value from 900 seconds (15 minutes) up to the maximum session duration
+// setting for the role. This setting can have a value from 1 hour to 12 hours. To
+// learn how to view the maximum value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
+// The maximum session duration limit applies when you use the AssumeRole* API
+// operations or the assume-role* CLI commands. However the limit does not apply
+// when you use those operations to create a console URL. For more information, see
+// [Using IAM Roles]in the IAM User Guide.
+//
+// # Permissions
+//
+// The temporary security credentials created by AssumeRoleWithWebIdentity can be
+// used to make API calls to any Amazon Web Services service with the following
+// exception: you cannot call the STS GetFederationToken or GetSessionToken API
+// operations.
+//
+// (Optional) You can pass inline or managed [session policies] to this operation. You can pass a
+// single JSON policy document to use as an inline session policy. You can also
+// specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed
+// session policies. The plaintext that you use for both inline and managed session
+// policies can't exceed 2,048 characters. Passing policies to this operation
+// returns new temporary credentials. The resulting session's permissions are the
+// intersection of the role's identity-based policy and the session policies. You
+// can use the role's temporary credentials in subsequent Amazon Web Services API
+// calls to access resources in the account that owns the role. You cannot use
+// session policies to grant more permissions than those allowed by the
+// identity-based policy of the role that is being assumed. For more information,
+// see [Session Policies]in the IAM User Guide.
+//
+// # Tags
+//
+// (Optional) You can configure your IdP to pass attributes into your web identity
+// token as session tags. Each session tag consists of a key name and an associated
+// value. For more information about session tags, see [Passing Session Tags in STS]in the IAM User Guide.
+//
+// You can pass up to 50 session tags. The plaintext session tag keys can’t exceed
+// 128 characters and the values can’t exceed 256 characters. For these and
+// additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
+//
+// An Amazon Web Services conversion compresses the passed inline session policy,
+// managed policy ARNs, and session tags into a packed binary format that has a
+// separate limit. Your request can fail for this limit even if your plaintext
+// meets the other requirements. The PackedPolicySize response element indicates
+// by percentage how close the policies and tags for your request are to the upper
+// size limit.
+//
+// You can pass a session tag with the same key as a tag that is attached to the
+// role. When you do, the session tag overrides the role tag with the same key.
+//
+// An administrator must grant you the permissions necessary to pass session tags.
+// The administrator can also create granular permissions to allow you to pass only
+// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
+//
+// You can set the session tags as transitive. Transitive tags persist during role
+// chaining. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
+//
+// # Identities
+//
+// Before your application can call AssumeRoleWithWebIdentity , you must have an
+// identity token from a supported identity provider and create a role that the
+// application can assume. The role that your application assumes must trust the
+// identity provider that is associated with the identity token. In other words,
+// the identity provider must be specified in the role's trust policy.
+//
+// Calling AssumeRoleWithWebIdentity can result in an entry in your CloudTrail
+// logs. The entry includes the [Subject]of the provided web identity token. We recommend
+// that you avoid using any personally identifiable information (PII) in this
+// field. For example, you could instead use a GUID or a pairwise identifier, as [suggested in the OIDC specification].
+//
+// For more information about how to use web identity federation and the
// AssumeRoleWithWebIdentity API, see the following resources:
-// - Using Web Identity Federation API Operations for Mobile Apps (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html)
-// and Federation Through a Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
-// .
-// - Web Identity Federation Playground (https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/)
-// . Walk through the process of authenticating through Login with Amazon,
+//
+// [Using Web Identity Federation API Operations for Mobile Apps]
+// - and [Federation Through a Web-based Identity Provider].
+//
+// [Web Identity Federation Playground]
+// - . Walk through the process of authenticating through Login with Amazon,
// Facebook, or Google, getting temporary security credentials, and then using
// those credentials to make a request to Amazon Web Services.
-// - Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/)
-// and Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/)
-// . These toolkits contain sample apps that show how to invoke the identity
-// providers. The toolkits then show how to use the information from these
+//
+// [Amazon Web Services SDK for iOS Developer Guide]
+// - and [Amazon Web Services SDK for Android Developer Guide]. These toolkits contain sample apps that show how to invoke the
+// identity providers. The toolkits then show how to use the information from these
// providers to get and use temporary security credentials.
-// - Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications)
-// . This article discusses web identity federation and shows an example of how to
-// use web identity federation to get access to content in Amazon S3.
+//
+// [Web Identity Federation with Mobile Applications]
+// - . This article discusses web identity federation and shows an example of
+// how to use web identity federation to get access to content in Amazon S3.
+//
+// [Amazon Web Services SDK for iOS Developer Guide]: http://aws.amazon.com/sdkforios/
+// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+// [Web Identity Federation Playground]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
+// [Amazon Web Services SDK for Android Developer Guide]: http://aws.amazon.com/sdkforandroid/
+// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+// [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+// [Subject]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
+// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
+// [Amazon Cognito identity pools]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
+// [Federation Through a Web-based Identity Provider]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
+// [Using IAM Roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
+// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Amazon Cognito federated identities]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
+// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
+// [Web Identity Federation with Mobile Applications]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
+// [Using Web Identity Federation API Operations for Mobile Apps]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
+// [suggested in the OIDC specification]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
func (c *Client) AssumeRoleWithWebIdentity(ctx context.Context, params *AssumeRoleWithWebIdentityInput, optFns ...func(*Options)) (*AssumeRoleWithWebIdentityOutput, error) {
if params == nil {
params = &AssumeRoleWithWebIdentityInput{}
@@ -139,10 +177,11 @@ type AssumeRoleWithWebIdentityInput struct {
// identifier that is associated with the user who is using your application. That
// way, the temporary security credentials that your application will use are
// associated with that user. This session name is included as part of the ARN and
- // assumed role ID in the AssumedRoleUser response element. The regex used to
- // validate this parameter is a string of characters consisting of upper- and
- // lower-case alphanumeric characters with no spaces. You can also include
- // underscores or any of the following characters: =,.@-
+ // assumed role ID in the AssumedRoleUser response element.
+ //
+ // The regex used to validate this parameter is a string of characters consisting
+ // of upper- and lower-case alphanumeric characters with no spaces. You can also
+ // include underscores or any of the following characters: =,.@-
//
// This member is required.
RoleSessionName *string
@@ -162,73 +201,90 @@ type AssumeRoleWithWebIdentityInput struct {
// higher than this setting, the operation fails. For example, if you specify a
// session duration of 12 hours, but your administrator set the maximum session
// duration to 6 hours, your operation fails. To learn how to view the maximum
- // value for your role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
- // in the IAM User Guide. By default, the value is set to 3600 seconds. The
- // DurationSeconds parameter is separate from the duration of a console session
- // that you might request using the returned credentials. The request to the
- // federation endpoint for a console sign-in token takes a SessionDuration
+ // value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
+ //
+ // By default, the value is set to 3600 seconds.
+ //
+ // The DurationSeconds parameter is separate from the duration of a console
+ // session that you might request using the returned credentials. The request to
+ // the federation endpoint for a console sign-in token takes a SessionDuration
// parameter that specifies the maximum length of the console session. For more
- // information, see Creating a URL that Enables Federated Users to Access the
- // Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
- // in the IAM User Guide.
+ // information, see [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]in the IAM User Guide.
+ //
+ // [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+ // [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
DurationSeconds *int32
// An IAM policy in JSON format that you want to use as an inline session policy.
+ //
// This parameter is optional. Passing policies to this operation returns new
// temporary credentials. The resulting session's permissions are the intersection
// of the role's identity-based policy and the session policies. You can use the
// role's temporary credentials in subsequent Amazon Web Services API calls to
// access resources in the account that owns the role. You cannot use session
// policies to grant more permissions than those allowed by the identity-based
- // policy of the role that is being assumed. For more information, see Session
- // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
- // in the IAM User Guide. The plaintext that you use for both inline and managed
- // session policies can't exceed 2,048 characters. The JSON policy characters can
- // be any ASCII character from the space character to the end of the valid
- // character list (\u0020 through \u00FF). It can also include the tab (\u0009),
- // linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web
- // Services conversion compresses the passed inline session policy, managed policy
- // ARNs, and session tags into a packed binary format that has a separate limit.
- // Your request can fail for this limit even if your plaintext meets the other
- // requirements. The PackedPolicySize response element indicates by percentage how
- // close the policies and tags for your request are to the upper size limit.
+ // policy of the role that is being assumed. For more information, see [Session Policies]in the IAM
+ // User Guide.
+ //
+ // The plaintext that you use for both inline and managed session policies can't
+ // exceed 2,048 characters. The JSON policy characters can be any ASCII character
+ // from the space character to the end of the valid character list (\u0020 through
+ // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
+ // return (\u000D) characters.
+ //
+ // An Amazon Web Services conversion compresses the passed inline session policy,
+ // managed policy ARNs, and session tags into a packed binary format that has a
+ // separate limit. Your request can fail for this limit even if your plaintext
+ // meets the other requirements. The PackedPolicySize response element indicates
+ // by percentage how close the policies and tags for your request are to the upper
+ // size limit.
+ //
+ // [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
Policy *string
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
// use as managed session policies. The policies must exist in the same account as
- // the role. This parameter is optional. You can provide up to 10 managed policy
- // ARNs. However, the plaintext that you use for both inline and managed session
- // policies can't exceed 2,048 characters. For more information about ARNs, see
- // Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
- // in the Amazon Web Services General Reference. An Amazon Web Services conversion
- // compresses the passed inline session policy, managed policy ARNs, and session
- // tags into a packed binary format that has a separate limit. Your request can
- // fail for this limit even if your plaintext meets the other requirements. The
- // PackedPolicySize response element indicates by percentage how close the policies
- // and tags for your request are to the upper size limit. Passing policies to this
- // operation returns new temporary credentials. The resulting session's permissions
- // are the intersection of the role's identity-based policy and the session
- // policies. You can use the role's temporary credentials in subsequent Amazon Web
- // Services API calls to access resources in the account that owns the role. You
- // cannot use session policies to grant more permissions than those allowed by the
- // identity-based policy of the role that is being assumed. For more information,
- // see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
- // in the IAM User Guide.
+ // the role.
+ //
+ // This parameter is optional. You can provide up to 10 managed policy ARNs.
+ // However, the plaintext that you use for both inline and managed session policies
+ // can't exceed 2,048 characters. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the
+ // Amazon Web Services General Reference.
+ //
+ // An Amazon Web Services conversion compresses the passed inline session policy,
+ // managed policy ARNs, and session tags into a packed binary format that has a
+ // separate limit. Your request can fail for this limit even if your plaintext
+ // meets the other requirements. The PackedPolicySize response element indicates
+ // by percentage how close the policies and tags for your request are to the upper
+ // size limit.
+ //
+ // Passing policies to this operation returns new temporary credentials. The
+ // resulting session's permissions are the intersection of the role's
+ // identity-based policy and the session policies. You can use the role's temporary
+ // credentials in subsequent Amazon Web Services API calls to access resources in
+ // the account that owns the role. You cannot use session policies to grant more
+ // permissions than those allowed by the identity-based policy of the role that is
+ // being assumed. For more information, see [Session Policies]in the IAM User Guide.
+ //
+ // [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+ // [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
PolicyArns []types.PolicyDescriptorType
// The fully qualified host component of the domain name of the OAuth 2.0 identity
// provider. Do not specify this value for an OpenID Connect identity provider.
+ //
// Currently www.amazon.com and graph.facebook.com are the only supported identity
// providers for OAuth 2.0 access tokens. Do not include URL schemes and port
- // numbers. Do not specify this value for OpenID Connect ID tokens.
+ // numbers.
+ //
+ // Do not specify this value for OpenID Connect ID tokens.
ProviderId *string
noSmithyDocumentSerde
}
-// Contains the response to a successful AssumeRoleWithWebIdentity request,
-// including temporary Amazon Web Services credentials that can be used to make
-// Amazon Web Services requests.
+// Contains the response to a successful AssumeRoleWithWebIdentity request, including temporary Amazon Web
+// Services credentials that can be used to make Amazon Web Services requests.
type AssumeRoleWithWebIdentityOutput struct {
// The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
@@ -244,9 +300,10 @@ type AssumeRoleWithWebIdentityOutput struct {
Audience *string
// The temporary security credentials, which include an access key ID, a secret
- // access key, and a security token. The size of the security token that STS API
- // operations return is not fixed. We strongly recommend that you make no
- // assumptions about the maximum size.
+ // access key, and a security token.
+ //
+ // The size of the security token that STS API operations return is not fixed. We
+ // strongly recommend that you make no assumptions about the maximum size.
Credentials *types.Credentials
// A percentage value that indicates the packed size of the session policies and
@@ -255,30 +312,34 @@ type AssumeRoleWithWebIdentityOutput struct {
// allowed space.
PackedPolicySize *int32
- // The issuing authority of the web identity token presented. For OpenID Connect
+ // The issuing authority of the web identity token presented. For OpenID Connect
// ID tokens, this contains the value of the iss field. For OAuth 2.0 access
// tokens, this contains the value of the ProviderId parameter that was passed in
// the AssumeRoleWithWebIdentity request.
Provider *string
// The value of the source identity that is returned in the JSON web token (JWT)
- // from the identity provider. You can require users to set a source identity value
- // when they assume a role. You do this by using the sts:SourceIdentity condition
- // key in a role trust policy. That way, actions that are taken with the role are
- // associated with that user. After the source identity is set, the value cannot be
- // changed. It is present in the request for all actions that are taken by the role
- // and persists across chained role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining)
- // sessions. You can configure your identity provider to use an attribute
+ // from the identity provider.
+ //
+ // You can require users to set a source identity value when they assume a role.
+ // You do this by using the sts:SourceIdentity condition key in a role trust
+ // policy. That way, actions that are taken with the role are associated with that
+ // user. After the source identity is set, the value cannot be changed. It is
+ // present in the request for all actions that are taken by the role and persists
+ // across [chained role]sessions. You can configure your identity provider to use an attribute
// associated with your users, like user name or email, as the source identity when
// calling AssumeRoleWithWebIdentity . You do this by adding a claim to the JSON
- // web token. To learn more about OIDC tokens and claims, see Using Tokens with
- // User Pools (https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html)
- // in the Amazon Cognito Developer Guide. For more information about using source
- // identity, see Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
- // in the IAM User Guide. The regex used to validate this parameter is a string of
- // characters consisting of upper- and lower-case alphanumeric characters with no
- // spaces. You can also include underscores or any of the following characters:
- // =,.@-
+ // web token. To learn more about OIDC tokens and claims, see [Using Tokens with User Pools]in the Amazon
+ // Cognito Developer Guide. For more information about using source identity, see [Monitor and control actions taken with assumed roles]
+ // in the IAM User Guide.
+ //
+ // The regex used to validate this parameter is a string of characters consisting
+ // of upper- and lower-case alphanumeric characters with no spaces. You can also
+ // include underscores or any of the following characters: =,.@-
+ //
+ // [chained role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
+ // [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
+ // [Using Tokens with User Pools]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
SourceIdentity *string
// The unique user identifier that is returned by the identity provider. This
@@ -347,6 +408,12 @@ func (c *Client) addOperationAssumeRoleWithWebIdentityMiddlewares(stack *middlew
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err
}
+ if err = addTimeOffsetBuild(stack, c); err != nil {
+ return err
+ }
+ if err = addUserAgentRetryMode(stack, options); err != nil {
+ return err
+ }
if err = addOpAssumeRoleWithWebIdentityValidationMiddleware(stack); err != nil {
return err
}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go
index b4ad54ab2..b1f14d28c 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go
@@ -11,28 +11,39 @@ import (
)
// Decodes additional information about the authorization status of a request from
-// an encoded message returned in response to an Amazon Web Services request. For
-// example, if a user is not authorized to perform an operation that he or she has
-// requested, the request returns a Client.UnauthorizedOperation response (an HTTP
-// 403 response). Some Amazon Web Services operations additionally return an
-// encoded message that can provide details about this authorization failure. Only
-// certain Amazon Web Services operations return an encoded authorization message.
-// The documentation for an individual operation indicates whether that operation
-// returns an encoded message in addition to returning an HTTP code. The message is
-// encoded because the details of the authorization status can contain privileged
-// information that the user who requested the operation should not see. To decode
-// an authorization status message, a user must be granted permissions through an
-// IAM policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
-// to request the DecodeAuthorizationMessage ( sts:DecodeAuthorizationMessage )
-// action. The decoded message includes the following type of information:
+// an encoded message returned in response to an Amazon Web Services request.
+//
+// For example, if a user is not authorized to perform an operation that he or she
+// has requested, the request returns a Client.UnauthorizedOperation response (an
+// HTTP 403 response). Some Amazon Web Services operations additionally return an
+// encoded message that can provide details about this authorization failure.
+//
+// Only certain Amazon Web Services operations return an encoded authorization
+// message. The documentation for an individual operation indicates whether that
+// operation returns an encoded message in addition to returning an HTTP code.
+//
+// The message is encoded because the details of the authorization status can
+// contain privileged information that the user who requested the operation should
+// not see. To decode an authorization status message, a user must be granted
+// permissions through an IAM [policy]to request the DecodeAuthorizationMessage (
+// sts:DecodeAuthorizationMessage ) action.
+//
+// The decoded message includes the following type of information:
+//
// - Whether the request was denied due to an explicit deny or due to the
-// absence of an explicit allow. For more information, see Determining Whether a
-// Request is Allowed or Denied (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
-// in the IAM User Guide.
+// absence of an explicit allow. For more information, see [Determining Whether a Request is Allowed or Denied]in the IAM User
+// Guide.
+//
// - The principal who made the request.
+//
// - The requested action.
+//
// - The requested resource.
+//
// - The values of condition keys in the context of the user's request.
+//
+// [Determining Whether a Request is Allowed or Denied]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
+// [policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
func (c *Client) DecodeAuthorizationMessage(ctx context.Context, params *DecodeAuthorizationMessageInput, optFns ...func(*Options)) (*DecodeAuthorizationMessageOutput, error) {
if params == nil {
params = &DecodeAuthorizationMessageInput{}
@@ -127,6 +138,12 @@ func (c *Client) addOperationDecodeAuthorizationMessageMiddlewares(stack *middle
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err
}
+ if err = addTimeOffsetBuild(stack, c); err != nil {
+ return err
+ }
+ if err = addUserAgentRetryMode(stack, options); err != nil {
+ return err
+ }
if err = addOpDecodeAuthorizationMessageValidationMiddleware(stack); err != nil {
return err
}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go
index 1f7cbcc2b..3ba00873d 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go
@@ -10,23 +10,31 @@ import (
smithyhttp "github.com/aws/smithy-go/transport/http"
)
-// Returns the account identifier for the specified access key ID. Access keys
-// consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE ) and
-// a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY ).
-// For more information about access keys, see Managing Access Keys for IAM Users (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
-// in the IAM User Guide. When you pass an access key ID to this operation, it
-// returns the ID of the Amazon Web Services account to which the keys belong.
-// Access key IDs beginning with AKIA are long-term credentials for an IAM user or
-// the Amazon Web Services account root user. Access key IDs beginning with ASIA
-// are temporary credentials that are created using STS operations. If the account
-// in the response belongs to you, you can sign in as the root user and review your
-// root user access keys. Then, you can pull a credentials report (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html)
-// to learn which IAM user owns the keys. To learn who requested the temporary
-// credentials for an ASIA access key, view the STS events in your CloudTrail logs (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html)
-// in the IAM User Guide. This operation does not indicate the state of the access
-// key. The key might be active, inactive, or deleted. Active keys might not have
-// permissions to perform an operation. Providing a deleted access key might return
-// an error that the key doesn't exist.
+// Returns the account identifier for the specified access key ID.
+//
+// Access keys consist of two parts: an access key ID (for example,
+// AKIAIOSFODNN7EXAMPLE ) and a secret access key (for example,
+// wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY ). For more information about access
+// keys, see [Managing Access Keys for IAM Users]in the IAM User Guide.
+//
+// When you pass an access key ID to this operation, it returns the ID of the
+// Amazon Web Services account to which the keys belong. Access key IDs beginning
+// with AKIA are long-term credentials for an IAM user or the Amazon Web Services
+// account root user. Access key IDs beginning with ASIA are temporary credentials
+// that are created using STS operations. If the account in the response belongs to
+// you, you can sign in as the root user and review your root user access keys.
+// Then, you can pull a [credentials report]to learn which IAM user owns the keys. To learn who
+// requested the temporary credentials for an ASIA access key, view the STS events
+// in your [CloudTrail logs]in the IAM User Guide.
+//
+// This operation does not indicate the state of the access key. The key might be
+// active, inactive, or deleted. Active keys might not have permissions to perform
+// an operation. Providing a deleted access key might return an error that the key
+// doesn't exist.
+//
+// [credentials report]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
+// [CloudTrail logs]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
+// [Managing Access Keys for IAM Users]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
func (c *Client) GetAccessKeyInfo(ctx context.Context, params *GetAccessKeyInfoInput, optFns ...func(*Options)) (*GetAccessKeyInfoOutput, error) {
if params == nil {
params = &GetAccessKeyInfoInput{}
@@ -44,9 +52,10 @@ func (c *Client) GetAccessKeyInfo(ctx context.Context, params *GetAccessKeyInfoI
type GetAccessKeyInfoInput struct {
- // The identifier of an access key. This parameter allows (through its regex
- // pattern) a string of characters that can consist of any upper- or lowercase
- // letter or digit.
+ // The identifier of an access key.
+ //
+ // This parameter allows (through its regex pattern) a string of characters that
+ // can consist of any upper- or lowercase letter or digit.
//
// This member is required.
AccessKeyId *string
@@ -120,6 +129,12 @@ func (c *Client) addOperationGetAccessKeyInfoMiddlewares(stack *middleware.Stack
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err
}
+ if err = addTimeOffsetBuild(stack, c); err != nil {
+ return err
+ }
+ if err = addUserAgentRetryMode(stack, options); err != nil {
+ return err
+ }
if err = addOpGetAccessKeyInfoValidationMiddleware(stack); err != nil {
return err
}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go
index acb7ede44..abac49ad2 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go
@@ -12,13 +12,15 @@ import (
)
// Returns details about the IAM user or role whose credentials are used to call
-// the operation. No permissions are required to perform this operation. If an
-// administrator attaches a policy to your identity that explicitly denies access
-// to the sts:GetCallerIdentity action, you can still perform this operation.
-// Permissions are not required because the same information is returned when
-// access is denied. To view an example response, see I Am Not Authorized to
-// Perform: iam:DeleteVirtualMFADevice (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa)
-// in the IAM User Guide.
+// the operation.
+//
+// No permissions are required to perform this operation. If an administrator
+// attaches a policy to your identity that explicitly denies access to the
+// sts:GetCallerIdentity action, you can still perform this operation. Permissions
+// are not required because the same information is returned when access is denied.
+// To view an example response, see [I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice]in the IAM User Guide.
+//
+// [I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa
func (c *Client) GetCallerIdentity(ctx context.Context, params *GetCallerIdentityInput, optFns ...func(*Options)) (*GetCallerIdentityOutput, error) {
if params == nil {
params = &GetCallerIdentityInput{}
@@ -38,8 +40,8 @@ type GetCallerIdentityInput struct {
noSmithyDocumentSerde
}
-// Contains the response to a successful GetCallerIdentity request, including
-// information about the entity making the request.
+// Contains the response to a successful GetCallerIdentity request, including information about the
+// entity making the request.
type GetCallerIdentityOutput struct {
// The Amazon Web Services account ID number of the account that owns or contains
@@ -51,8 +53,10 @@ type GetCallerIdentityOutput struct {
// The unique identifier of the calling entity. The exact value depends on the
// type of entity that is making the call. The values returned are those listed in
- // the aws:userid column in the Principal table (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable)
- // found on the Policy Variables reference page in the IAM User Guide.
+ // the aws:userid column in the [Principal table]found on the Policy Variables reference page in
+ // the IAM User Guide.
+ //
+ // [Principal table]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable
UserId *string
// Metadata pertaining to the operation's result.
@@ -116,6 +120,12 @@ func (c *Client) addOperationGetCallerIdentityMiddlewares(stack *middleware.Stac
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err
}
+ if err = addTimeOffsetBuild(stack, c); err != nil {
+ return err
+ }
+ if err = addUserAgentRetryMode(stack, options); err != nil {
+ return err
+ }
if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetCallerIdentity(options.Region), middleware.Before); err != nil {
return err
}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go
index 3679618cb..2bae67429 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go
@@ -14,74 +14,100 @@ import (
// Returns a set of temporary security credentials (consisting of an access key
// ID, a secret access key, and a security token) for a user. A typical use is in a
// proxy application that gets temporary security credentials on behalf of
-// distributed applications inside a corporate network. You must call the
-// GetFederationToken operation using the long-term security credentials of an IAM
-// user. As a result, this call is appropriate in contexts where those credentials
-// can be safeguarded, usually in a server-based application. For a comparison of
-// GetFederationToken with the other API operations that produce temporary
-// credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
-// in the IAM User Guide. Although it is possible to call GetFederationToken using
-// the security credentials of an Amazon Web Services account root user rather than
-// an IAM user that you create for the purpose of a proxy application, we do not
-// recommend it. For more information, see Safeguard your root user credentials
-// and don't use them for everyday tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)
-// in the IAM User Guide. You can create a mobile-based or browser-based app that
-// can authenticate users using a web identity provider like Login with Amazon,
-// Facebook, Google, or an OpenID Connect-compatible identity provider. In this
-// case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/)
-// or AssumeRoleWithWebIdentity . For more information, see Federation Through a
-// Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
-// in the IAM User Guide. Session duration The temporary credentials are valid for
-// the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600
-// seconds (36 hours). The default session duration is 43,200 seconds (12 hours).
-// Temporary credentials obtained by using the root user credentials have a maximum
-// duration of 3,600 seconds (1 hour). Permissions You can use the temporary
-// credentials created by GetFederationToken in any Amazon Web Services service
-// with the following exceptions:
+// distributed applications inside a corporate network.
+//
+// You must call the GetFederationToken operation using the long-term security
+// credentials of an IAM user. As a result, this call is appropriate in contexts
+// where those credentials can be safeguarded, usually in a server-based
+// application. For a comparison of GetFederationToken with the other API
+// operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
+//
+// Although it is possible to call GetFederationToken using the security
+// credentials of an Amazon Web Services account root user rather than an IAM user
+// that you create for the purpose of a proxy application, we do not recommend it.
+// For more information, see [Safeguard your root user credentials and don't use them for everyday tasks]in the IAM User Guide.
+//
+// You can create a mobile-based or browser-based app that can authenticate users
+// using a web identity provider like Login with Amazon, Facebook, Google, or an
+// OpenID Connect-compatible identity provider. In this case, we recommend that you
+// use [Amazon Cognito]or AssumeRoleWithWebIdentity . For more information, see [Federation Through a Web-based Identity Provider] in the IAM User
+// Guide.
+//
+// # Session duration
+//
+// The temporary credentials are valid for the specified duration, from 900
+// seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default
+// session duration is 43,200 seconds (12 hours). Temporary credentials obtained by
+// using the root user credentials have a maximum duration of 3,600 seconds (1
+// hour).
+//
+// # Permissions
+//
+// You can use the temporary credentials created by GetFederationToken in any
+// Amazon Web Services service with the following exceptions:
+//
// - You cannot call any IAM operations using the CLI or the Amazon Web Services
// API. This limitation does not apply to console sessions.
+//
// - You cannot call any STS operations except GetCallerIdentity .
//
-// You can use temporary credentials for single sign-on (SSO) to the console. You
-// must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// to this operation. You can pass a single JSON policy document to use as an
-// inline session policy. You can also specify up to 10 managed policy Amazon
-// Resource Names (ARNs) to use as managed session policies. The plaintext that you
-// use for both inline and managed session policies can't exceed 2,048 characters.
+// You can use temporary credentials for single sign-on (SSO) to the console.
+//
+// You must pass an inline or managed [session policy] to this operation. You can pass a single
+// JSON policy document to use as an inline session policy. You can also specify up
+// to 10 managed policy Amazon Resource Names (ARNs) to use as managed session
+// policies. The plaintext that you use for both inline and managed session
+// policies can't exceed 2,048 characters.
+//
// Though the session policy parameters are optional, if you do not pass a policy,
// then the resulting federated user session has no permissions. When you pass
// session policies, the session permissions are the intersection of the IAM user
// policies and the session policies that you pass. This gives you a way to further
// restrict the permissions for a federated user. You cannot use session policies
// to grant more permissions than those that are defined in the permissions policy
-// of the IAM user. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// in the IAM User Guide. For information about using GetFederationToken to create
-// temporary security credentials, see GetFederationToken—Federation Through a
-// Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken)
-// . You can use the credentials to access a resource that has a resource-based
+// of the IAM user. For more information, see [Session Policies]in the IAM User Guide. For
+// information about using GetFederationToken to create temporary security
+// credentials, see [GetFederationToken—Federation Through a Custom Identity Broker].
+//
+// You can use the credentials to access a resource that has a resource-based
// policy. If that policy specifically references the federated user session in the
// Principal element of the policy, the session has the permissions allowed by the
// policy. These permissions are granted in addition to the permissions granted by
-// the session policies. Tags (Optional) You can pass tag key-value pairs to your
-// session. These are called session tags. For more information about session tags,
-// see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-// in the IAM User Guide. You can create a mobile-based or browser-based app that
-// can authenticate users using a web identity provider like Login with Amazon,
-// Facebook, Google, or an OpenID Connect-compatible identity provider. In this
-// case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/)
-// or AssumeRoleWithWebIdentity . For more information, see Federation Through a
-// Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
-// in the IAM User Guide. An administrator must grant you the permissions necessary
-// to pass session tags. The administrator can also create granular permissions to
-// allow you to pass only specific session tags. For more information, see
-// Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
-// in the IAM User Guide. Tag key–value pairs are not case sensitive, but case is
-// preserved. This means that you cannot have separate Department and department
-// tag keys. Assume that the user that you are federating has the Department =
-// Marketing tag and you pass the department = engineering session tag. Department
-// and department are not saved as separate tags, and the session tag passed in
-// the request takes precedence over the user tag.
+// the session policies.
+//
+// # Tags
+//
+// (Optional) You can pass tag key-value pairs to your session. These are called
+// session tags. For more information about session tags, see [Passing Session Tags in STS]in the IAM User
+// Guide.
+//
+// You can create a mobile-based or browser-based app that can authenticate users
+// using a web identity provider like Login with Amazon, Facebook, Google, or an
+// OpenID Connect-compatible identity provider. In this case, we recommend that you
+// use [Amazon Cognito]or AssumeRoleWithWebIdentity . For more information, see [Federation Through a Web-based Identity Provider] in the IAM User
+// Guide.
+//
+// An administrator must grant you the permissions necessary to pass session tags.
+// The administrator can also create granular permissions to allow you to pass only
+// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
+//
+// Tag key–value pairs are not case sensitive, but case is preserved. This means
+// that you cannot have separate Department and department tag keys. Assume that
+// the user that you are federating has the Department = Marketing tag and you
+// pass the department = engineering session tag. Department and department are
+// not saved as separate tags, and the session tag passed in the request takes
+// precedence over the user tag.
+//
+// [Federation Through a Web-based Identity Provider]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
+// [session policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Amazon Cognito]: http://aws.amazon.com/cognito/
+// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+// [GetFederationToken—Federation Through a Custom Identity Broker]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
+// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+// [Safeguard your root user credentials and don't use them for everyday tasks]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
+// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
func (c *Client) GetFederationToken(ctx context.Context, params *GetFederationTokenInput, optFns ...func(*Options)) (*GetFederationTokenOutput, error) {
if params == nil {
params = &GetFederationTokenInput{}
@@ -102,10 +128,11 @@ type GetFederationTokenInput struct {
// The name of the federated user. The name is used as an identifier for the
// temporary security credentials (such as Bob ). For example, you can reference
// the federated user name in a resource-based policy, such as in an Amazon S3
- // bucket policy. The regex used to validate this parameter is a string of
- // characters consisting of upper- and lower-case alphanumeric characters with no
- // spaces. You can also include underscores or any of the following characters:
- // =,.@-
+ // bucket policy.
+ //
+ // The regex used to validate this parameter is a string of characters consisting
+ // of upper- and lower-case alphanumeric characters with no spaces. You can also
+ // include underscores or any of the following characters: =,.@-
//
// This member is required.
Name *string
@@ -119,99 +146,127 @@ type GetFederationTokenInput struct {
DurationSeconds *int32
// An IAM policy in JSON format that you want to use as an inline session policy.
- // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
- // to this operation. You can pass a single JSON policy document to use as an
- // inline session policy. You can also specify up to 10 managed policy Amazon
- // Resource Names (ARNs) to use as managed session policies. This parameter is
- // optional. However, if you do not pass any session policies, then the resulting
- // federated user session has no permissions. When you pass session policies, the
- // session permissions are the intersection of the IAM user policies and the
- // session policies that you pass. This gives you a way to further restrict the
- // permissions for a federated user. You cannot use session policies to grant more
- // permissions than those that are defined in the permissions policy of the IAM
- // user. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
- // in the IAM User Guide. The resulting credentials can be used to access a
- // resource that has a resource-based policy. If that policy specifically
- // references the federated user session in the Principal element of the policy,
- // the session has the permissions allowed by the policy. These permissions are
- // granted in addition to the permissions that are granted by the session policies.
+ //
+ // You must pass an inline or managed [session policy] to this operation. You can pass a single
+ // JSON policy document to use as an inline session policy. You can also specify up
+ // to 10 managed policy Amazon Resource Names (ARNs) to use as managed session
+ // policies.
+ //
+ // This parameter is optional. However, if you do not pass any session policies,
+ // then the resulting federated user session has no permissions.
+ //
+ // When you pass session policies, the session permissions are the intersection of
+ // the IAM user policies and the session policies that you pass. This gives you a
+ // way to further restrict the permissions for a federated user. You cannot use
+ // session policies to grant more permissions than those that are defined in the
+ // permissions policy of the IAM user. For more information, see [Session Policies]in the IAM User
+ // Guide.
+ //
+ // The resulting credentials can be used to access a resource that has a
+ // resource-based policy. If that policy specifically references the federated user
+ // session in the Principal element of the policy, the session has the permissions
+ // allowed by the policy. These permissions are granted in addition to the
+ // permissions that are granted by the session policies.
+ //
// The plaintext that you use for both inline and managed session policies can't
// exceed 2,048 characters. The JSON policy characters can be any ASCII character
// from the space character to the end of the valid character list (\u0020 through
// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
- // return (\u000D) characters. An Amazon Web Services conversion compresses the
- // passed inline session policy, managed policy ARNs, and session tags into a
- // packed binary format that has a separate limit. Your request can fail for this
- // limit even if your plaintext meets the other requirements. The PackedPolicySize
- // response element indicates by percentage how close the policies and tags for
- // your request are to the upper size limit.
- Policy *string
-
- // The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
- // use as a managed session policy. The policies must exist in the same account as
- // the IAM user that is requesting federated access. You must pass an inline or
- // managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
- // to this operation. You can pass a single JSON policy document to use as an
- // inline session policy. You can also specify up to 10 managed policy Amazon
- // Resource Names (ARNs) to use as managed session policies. The plaintext that you
- // use for both inline and managed session policies can't exceed 2,048 characters.
- // You can provide up to 10 managed policy ARNs. For more information about ARNs,
- // see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
- // in the Amazon Web Services General Reference. This parameter is optional.
- // However, if you do not pass any session policies, then the resulting federated
- // user session has no permissions. When you pass session policies, the session
- // permissions are the intersection of the IAM user policies and the session
- // policies that you pass. This gives you a way to further restrict the permissions
- // for a federated user. You cannot use session policies to grant more permissions
- // than those that are defined in the permissions policy of the IAM user. For more
- // information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
- // in the IAM User Guide. The resulting credentials can be used to access a
- // resource that has a resource-based policy. If that policy specifically
- // references the federated user session in the Principal element of the policy,
- // the session has the permissions allowed by the policy. These permissions are
- // granted in addition to the permissions that are granted by the session policies.
+ // return (\u000D) characters.
+ //
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the upper
// size limit.
+ //
+ // [session policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+ // [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+ Policy *string
+
+ // The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
+ // use as a managed session policy. The policies must exist in the same account as
+ // the IAM user that is requesting federated access.
+ //
+ // You must pass an inline or managed [session policy] to this operation. You can pass a single
+ // JSON policy document to use as an inline session policy. You can also specify up
+ // to 10 managed policy Amazon Resource Names (ARNs) to use as managed session
+ // policies. The plaintext that you use for both inline and managed session
+ // policies can't exceed 2,048 characters. You can provide up to 10 managed policy
+ // ARNs. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the Amazon Web Services General
+ // Reference.
+ //
+ // This parameter is optional. However, if you do not pass any session policies,
+ // then the resulting federated user session has no permissions.
+ //
+ // When you pass session policies, the session permissions are the intersection of
+ // the IAM user policies and the session policies that you pass. This gives you a
+ // way to further restrict the permissions for a federated user. You cannot use
+ // session policies to grant more permissions than those that are defined in the
+ // permissions policy of the IAM user. For more information, see [Session Policies]in the IAM User
+ // Guide.
+ //
+ // The resulting credentials can be used to access a resource that has a
+ // resource-based policy. If that policy specifically references the federated user
+ // session in the Principal element of the policy, the session has the permissions
+ // allowed by the policy. These permissions are granted in addition to the
+ // permissions that are granted by the session policies.
+ //
+ // An Amazon Web Services conversion compresses the passed inline session policy,
+ // managed policy ARNs, and session tags into a packed binary format that has a
+ // separate limit. Your request can fail for this limit even if your plaintext
+ // meets the other requirements. The PackedPolicySize response element indicates
+ // by percentage how close the policies and tags for your request are to the upper
+ // size limit.
+ //
+ // [session policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+ // [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+ // [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
PolicyArns []types.PolicyDescriptorType
// A list of session tags. Each session tag consists of a key name and an
- // associated value. For more information about session tags, see Passing Session
- // Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
- // in the IAM User Guide. This parameter is optional. You can pass up to 50 session
- // tags. The plaintext session tag keys can’t exceed 128 characters and the values
- // can’t exceed 256 characters. For these and additional limits, see IAM and STS
- // Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
- // in the IAM User Guide. An Amazon Web Services conversion compresses the passed
- // inline session policy, managed policy ARNs, and session tags into a packed
- // binary format that has a separate limit. Your request can fail for this limit
- // even if your plaintext meets the other requirements. The PackedPolicySize
- // response element indicates by percentage how close the policies and tags for
- // your request are to the upper size limit. You can pass a session tag with the
- // same key as a tag that is already attached to the user you are federating. When
- // you do, session tags override a user tag with the same key. Tag key–value pairs
- // are not case sensitive, but case is preserved. This means that you cannot have
- // separate Department and department tag keys. Assume that the role has the
- // Department = Marketing tag and you pass the department = engineering session
- // tag. Department and department are not saved as separate tags, and the session
- // tag passed in the request takes precedence over the role tag.
+ // associated value. For more information about session tags, see [Passing Session Tags in STS]in the IAM User
+ // Guide.
+ //
+ // This parameter is optional. You can pass up to 50 session tags. The plaintext
+ // session tag keys can’t exceed 128 characters and the values can’t exceed 256
+ // characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
+ //
+ // An Amazon Web Services conversion compresses the passed inline session policy,
+ // managed policy ARNs, and session tags into a packed binary format that has a
+ // separate limit. Your request can fail for this limit even if your plaintext
+ // meets the other requirements. The PackedPolicySize response element indicates
+ // by percentage how close the policies and tags for your request are to the upper
+ // size limit.
+ //
+ // You can pass a session tag with the same key as a tag that is already attached
+ // to the user you are federating. When you do, session tags override a user tag
+ // with the same key.
+ //
+ // Tag key–value pairs are not case sensitive, but case is preserved. This means
+ // that you cannot have separate Department and department tag keys. Assume that
+ // the role has the Department = Marketing tag and you pass the department =
+ // engineering session tag. Department and department are not saved as separate
+ // tags, and the session tag passed in the request takes precedence over the role
+ // tag.
+ //
+ // [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+ // [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
Tags []types.Tag
noSmithyDocumentSerde
}
-// Contains the response to a successful GetFederationToken request, including
-// temporary Amazon Web Services credentials that can be used to make Amazon Web
-// Services requests.
+// Contains the response to a successful GetFederationToken request, including temporary Amazon Web
+// Services credentials that can be used to make Amazon Web Services requests.
type GetFederationTokenOutput struct {
// The temporary security credentials, which include an access key ID, a secret
- // access key, and a security (or session) token. The size of the security token
- // that STS API operations return is not fixed. We strongly recommend that you make
- // no assumptions about the maximum size.
+ // access key, and a security (or session) token.
+ //
+ // The size of the security token that STS API operations return is not fixed. We
+ // strongly recommend that you make no assumptions about the maximum size.
Credentials *types.Credentials
// Identifiers for the federated user associated with the credentials (such as
@@ -287,6 +342,12 @@ func (c *Client) addOperationGetFederationTokenMiddlewares(stack *middleware.Sta
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err
}
+ if err = addTimeOffsetBuild(stack, c); err != nil {
+ return err
+ }
+ if err = addUserAgentRetryMode(stack, options); err != nil {
+ return err
+ }
if err = addOpGetFederationTokenValidationMiddleware(stack); err != nil {
return err
}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go
index 751fb147d..c73316a3c 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go
@@ -15,43 +15,58 @@ import (
// IAM user. The credentials consist of an access key ID, a secret access key, and
// a security token. Typically, you use GetSessionToken if you want to use MFA to
// protect programmatic calls to specific Amazon Web Services API operations like
-// Amazon EC2 StopInstances . MFA-enabled IAM users must call GetSessionToken and
-// submit an MFA code that is associated with their MFA device. Using the temporary
-// security credentials that the call returns, IAM users can then make programmatic
-// calls to API operations that require MFA authentication. An incorrect MFA code
-// causes the API to return an access denied error. For a comparison of
-// GetSessionToken with the other API operations that produce temporary
-// credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
-// in the IAM User Guide. No permissions are required for users to perform this
-// operation. The purpose of the sts:GetSessionToken operation is to authenticate
-// the user using MFA. You cannot use policies to control authentication
-// operations. For more information, see Permissions for GetSessionToken (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html)
-// in the IAM User Guide. Session Duration The GetSessionToken operation must be
-// called by using the long-term Amazon Web Services security credentials of an IAM
-// user. Credentials that are created by IAM users are valid for the duration that
-// you specify. This duration can range from 900 seconds (15 minutes) up to a
-// maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12
-// hours). Credentials based on account credentials can range from 900 seconds (15
-// minutes) up to 3,600 seconds (1 hour), with a default of 1 hour. Permissions The
-// temporary security credentials created by GetSessionToken can be used to make
-// API calls to any Amazon Web Services service with the following exceptions:
+// Amazon EC2 StopInstances .
+//
+// MFA-enabled IAM users must call GetSessionToken and submit an MFA code that is
+// associated with their MFA device. Using the temporary security credentials that
+// the call returns, IAM users can then make programmatic calls to API operations
+// that require MFA authentication. An incorrect MFA code causes the API to return
+// an access denied error. For a comparison of GetSessionToken with the other API
+// operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
+//
+// No permissions are required for users to perform this operation. The purpose of
+// the sts:GetSessionToken operation is to authenticate the user using MFA. You
+// cannot use policies to control authentication operations. For more information,
+// see [Permissions for GetSessionToken]in the IAM User Guide.
+//
+// # Session Duration
+//
+// The GetSessionToken operation must be called by using the long-term Amazon Web
+// Services security credentials of an IAM user. Credentials that are created by
+// IAM users are valid for the duration that you specify. This duration can range
+// from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours),
+// with a default of 43,200 seconds (12 hours). Credentials based on account
+// credentials can range from 900 seconds (15 minutes) up to 3,600 seconds (1
+// hour), with a default of 1 hour.
+//
+// # Permissions
+//
+// The temporary security credentials created by GetSessionToken can be used to
+// make API calls to any Amazon Web Services service with the following exceptions:
+//
// - You cannot call any IAM API operations unless MFA authentication
// information is included in the request.
+//
// - You cannot call any STS API except AssumeRole or GetCallerIdentity .
//
// The credentials that GetSessionToken returns are based on permissions
// associated with the IAM user whose credentials were used to call the operation.
-// The temporary credentials have the same permissions as the IAM user. Although it
-// is possible to call GetSessionToken using the security credentials of an Amazon
-// Web Services account root user rather than an IAM user, we do not recommend it.
-// If GetSessionToken is called using root user credentials, the temporary
-// credentials have root user permissions. For more information, see Safeguard
-// your root user credentials and don't use them for everyday tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)
-// in the IAM User Guide For more information about using GetSessionToken to
-// create temporary credentials, see Temporary Credentials for Users in Untrusted
-// Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
-// in the IAM User Guide.
+// The temporary credentials have the same permissions as the IAM user.
+//
+// Although it is possible to call GetSessionToken using the security credentials
+// of an Amazon Web Services account root user rather than an IAM user, we do not
+// recommend it. If GetSessionToken is called using root user credentials, the
+// temporary credentials have root user permissions. For more information, see [Safeguard your root user credentials and don't use them for everyday tasks]in
+// the IAM User Guide
+//
+// For more information about using GetSessionToken to create temporary
+// credentials, see [Temporary Credentials for Users in Untrusted Environments]in the IAM User Guide.
+//
+// [Permissions for GetSessionToken]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html
+// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+// [Temporary Credentials for Users in Untrusted Environments]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
+// [Safeguard your root user credentials and don't use them for everyday tasks]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
+// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
func (c *Client) GetSessionToken(ctx context.Context, params *GetSessionTokenInput, optFns ...func(*Options)) (*GetSessionTokenOutput, error) {
if params == nil {
params = &GetSessionTokenInput{}
@@ -83,10 +98,11 @@ type GetSessionTokenInput struct {
// number for a hardware device (such as GAHT12345678 ) or an Amazon Resource Name
// (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user ). You
// can find the device for an IAM user by going to the Amazon Web Services
- // Management Console and viewing the user's security credentials. The regex used
- // to validate this parameter is a string of characters consisting of upper- and
- // lower-case alphanumeric characters with no spaces. You can also include
- // underscores or any of the following characters: =,.@:/-
+ // Management Console and viewing the user's security credentials.
+ //
+ // The regex used to validate this parameter is a string of characters consisting
+ // of upper- and lower-case alphanumeric characters with no spaces. You can also
+ // include underscores or any of the following characters: =,.@:/-
SerialNumber *string
// The value provided by the MFA device, if MFA is required. If any policy
@@ -94,22 +110,24 @@ type GetSessionTokenInput struct {
// authentication is required, the user must provide a code when requesting a set
// of temporary security credentials. A user who fails to provide the code receives
// an "access denied" response when requesting resources that require MFA
- // authentication. The format for this parameter, as described by its regex
- // pattern, is a sequence of six numeric digits.
+ // authentication.
+ //
+ // The format for this parameter, as described by its regex pattern, is a sequence
+ // of six numeric digits.
TokenCode *string
noSmithyDocumentSerde
}
-// Contains the response to a successful GetSessionToken request, including
-// temporary Amazon Web Services credentials that can be used to make Amazon Web
-// Services requests.
+// Contains the response to a successful GetSessionToken request, including temporary Amazon Web
+// Services credentials that can be used to make Amazon Web Services requests.
type GetSessionTokenOutput struct {
// The temporary security credentials, which include an access key ID, a secret
- // access key, and a security (or session) token. The size of the security token
- // that STS API operations return is not fixed. We strongly recommend that you make
- // no assumptions about the maximum size.
+ // access key, and a security (or session) token.
+ //
+ // The size of the security token that STS API operations return is not fixed. We
+ // strongly recommend that you make no assumptions about the maximum size.
Credentials *types.Credentials
// Metadata pertaining to the operation's result.
@@ -173,6 +191,12 @@ func (c *Client) addOperationGetSessionTokenMiddlewares(stack *middleware.Stack,
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err
}
+ if err = addTimeOffsetBuild(stack, c); err != nil {
+ return err
+ }
+ if err = addUserAgentRetryMode(stack, options); err != nil {
+ return err
+ }
if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetSessionToken(options.Region), middleware.Before); err != nil {
return err
}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/auth.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/auth.go
index 9db5bfd43..e842a7f7e 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/auth.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/auth.go
@@ -12,7 +12,7 @@ import (
smithyhttp "github.com/aws/smithy-go/transport/http"
)
-func bindAuthParamsRegion(params *AuthResolverParameters, _ interface{}, options Options) {
+func bindAuthParamsRegion(_ interface{}, params *AuthResolverParameters, _ interface{}, options Options) {
params.Region = options.Region
}
@@ -90,12 +90,12 @@ type AuthResolverParameters struct {
Region string
}
-func bindAuthResolverParams(operation string, input interface{}, options Options) *AuthResolverParameters {
+func bindAuthResolverParams(ctx context.Context, operation string, input interface{}, options Options) *AuthResolverParameters {
params := &AuthResolverParameters{
Operation: operation,
}
- bindAuthParamsRegion(params, input, options)
+ bindAuthParamsRegion(ctx, params, input, options)
return params
}
@@ -157,7 +157,7 @@ func (*resolveAuthSchemeMiddleware) ID() string {
func (m *resolveAuthSchemeMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
) {
- params := bindAuthResolverParams(m.operation, getOperationInput(ctx), m.options)
+ params := bindAuthResolverParams(ctx, m.operation, getOperationInput(ctx), m.options)
options, err := m.options.AuthSchemeResolver.ResolveAuthSchemes(ctx, params)
if err != nil {
return out, metadata, fmt.Errorf("resolve auth scheme: %w", err)
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/deserializers.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/deserializers.go
index 5d634ce35..7e4346ec9 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/deserializers.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/deserializers.go
@@ -20,8 +20,17 @@ import (
"io"
"strconv"
"strings"
+ "time"
)
+func deserializeS3Expires(v string) (*time.Time, error) {
+ t, err := smithytime.ParseHTTPDate(v)
+ if err != nil {
+ return nil, nil
+ }
+ return &t, nil
+}
+
type awsAwsquery_deserializeOpAssumeRole struct {
}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/doc.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/doc.go
index d963fd8d1..cbb19c7f6 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/doc.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/doc.go
@@ -3,9 +3,11 @@
// Package sts provides the API client, operations, and parameter types for AWS
// Security Token Service.
//
-// Security Token Service Security Token Service (STS) enables you to request
-// temporary, limited-privilege credentials for users. This guide provides
-// descriptions of the STS API. For more information about using this service, see
-// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
-// .
+// # Security Token Service
+//
+// Security Token Service (STS) enables you to request temporary,
+// limited-privilege credentials for users. This guide provides descriptions of the
+// STS API. For more information about using this service, see [Temporary Security Credentials].
+//
+// [Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
package sts
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/endpoints.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/endpoints.go
index 32e2d5435..c99982cb5 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/endpoints.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/endpoints.go
@@ -1045,7 +1045,7 @@ type endpointParamsBinder interface {
bindEndpointParams(*EndpointParameters)
}
-func bindEndpointParams(input interface{}, options Options) *EndpointParameters {
+func bindEndpointParams(ctx context.Context, input interface{}, options Options) *EndpointParameters {
params := &EndpointParameters{}
params.Region = bindRegion(options.Region)
@@ -1075,6 +1075,10 @@ func (m *resolveEndpointV2Middleware) HandleFinalize(ctx context.Context, in mid
return next.HandleFinalize(ctx, in)
}
+ if err := checkAccountID(getIdentity(ctx), m.options.AccountIDEndpointMode); err != nil {
+ return out, metadata, fmt.Errorf("invalid accountID set: %w", err)
+ }
+
req, ok := in.Request.(*smithyhttp.Request)
if !ok {
return out, metadata, fmt.Errorf("unknown transport type %T", in.Request)
@@ -1084,7 +1088,7 @@ func (m *resolveEndpointV2Middleware) HandleFinalize(ctx context.Context, in mid
return out, metadata, fmt.Errorf("expected endpoint resolver to not be nil")
}
- params := bindEndpointParams(getOperationInput(ctx), m.options)
+ params := bindEndpointParams(ctx, getOperationInput(ctx), m.options)
endpt, err := m.options.EndpointResolverV2.ResolveEndpoint(ctx, *params)
if err != nil {
return out, metadata, fmt.Errorf("failed to resolve service endpoint, %w", err)
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/generated.json b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/generated.json
index 54fac4bd5..6b6e839e6 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/generated.json
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/generated.json
@@ -5,8 +5,7 @@
"github.com/aws/aws-sdk-go-v2/internal/endpoints/v2": "v2.0.0-00010101000000-000000000000",
"github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding": "v1.0.5",
"github.com/aws/aws-sdk-go-v2/service/internal/presigned-url": "v1.0.7",
- "github.com/aws/smithy-go": "v1.4.0",
- "github.com/google/go-cmp": "v0.5.4"
+ "github.com/aws/smithy-go": "v1.4.0"
},
"files": [
"api_client.go",
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
index 06957274a..37685a5e6 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
@@ -3,4 +3,4 @@
package sts
// goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.28.1"
+const goModuleVersion = "1.29.1"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/options.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/options.go
index 5c1be79f8..a9a35881a 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/options.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/options.go
@@ -24,6 +24,9 @@ type Options struct {
// modify this list for per operation behavior.
APIOptions []func(*middleware.Stack) error
+ // Indicates how aws account ID is applied in endpoint2.0 routing
+ AccountIDEndpointMode aws.AccountIDEndpointMode
+
// The optional application specific identifier appended to the User-Agent header.
AppID string
@@ -50,8 +53,10 @@ type Options struct {
// Deprecated: Deprecated: EndpointResolver and WithEndpointResolver. Providing a
// value for this field will likely prevent you from using any endpoint-related
// service features released after the introduction of EndpointResolverV2 and
- // BaseEndpoint. To migrate an EndpointResolver implementation that uses a custom
- // endpoint, set the client option BaseEndpoint instead.
+ // BaseEndpoint.
+ //
+ // To migrate an EndpointResolver implementation that uses a custom endpoint, set
+ // the client option BaseEndpoint instead.
EndpointResolver EndpointResolver
// Resolves the endpoint used for a particular service operation. This should be
@@ -70,17 +75,20 @@ type Options struct {
// RetryMaxAttempts specifies the maximum number attempts an API client will call
// an operation that fails with a retryable error. A value of 0 is ignored, and
// will not be used to configure the API client created default retryer, or modify
- // per operation call's retry max attempts. If specified in an operation call's
- // functional options with a value that is different than the constructed client's
- // Options, the Client's Retryer will be wrapped to use the operation's specific
- // RetryMaxAttempts value.
+ // per operation call's retry max attempts.
+ //
+ // If specified in an operation call's functional options with a value that is
+ // different than the constructed client's Options, the Client's Retryer will be
+ // wrapped to use the operation's specific RetryMaxAttempts value.
RetryMaxAttempts int
// RetryMode specifies the retry mode the API client will be created with, if
- // Retryer option is not also specified. When creating a new API Clients this
- // member will only be used if the Retryer Options member is nil. This value will
- // be ignored if Retryer is not nil. Currently does not support per operation call
- // overrides, may in the future.
+ // Retryer option is not also specified.
+ //
+ // When creating a new API Clients this member will only be used if the Retryer
+ // Options member is nil. This value will be ignored if Retryer is not nil.
+ //
+ // Currently does not support per operation call overrides, may in the future.
RetryMode aws.RetryMode
// Retryer guides how HTTP requests should be retried in case of recoverable
@@ -97,8 +105,9 @@ type Options struct {
// The initial DefaultsMode used when the client options were constructed. If the
// DefaultsMode was set to aws.DefaultsModeAuto this will store what the resolved
- // value was at that point in time. Currently does not support per operation call
- // overrides, may in the future.
+ // value was at that point in time.
+ //
+ // Currently does not support per operation call overrides, may in the future.
resolvedDefaultsMode aws.DefaultsMode
// The HTTP client to invoke API calls with. Defaults to client's default HTTP
@@ -143,6 +152,7 @@ func WithAPIOptions(optFns ...func(*middleware.Stack) error) func(*Options) {
// Deprecated: EndpointResolver and WithEndpointResolver. Providing a value for
// this field will likely prevent you from using any endpoint-related service
// features released after the introduction of EndpointResolverV2 and BaseEndpoint.
+//
// To migrate an EndpointResolver implementation that uses a custom endpoint, set
// the client option BaseEndpoint instead.
func WithEndpointResolver(v EndpointResolver) func(*Options) {
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/errors.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/errors.go
index 097875b27..9573a4b64 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/errors.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/errors.go
@@ -65,9 +65,10 @@ func (e *IDPCommunicationErrorException) ErrorCode() string {
func (e *IDPCommunicationErrorException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient }
// The identity provider (IdP) reported that authentication failed. This might be
-// because the claim is invalid. If this error is returned for the
-// AssumeRoleWithWebIdentity operation, it can also mean that the claim has expired
-// or has been explicitly revoked.
+// because the claim is invalid.
+//
+// If this error is returned for the AssumeRoleWithWebIdentity operation, it can
+// also mean that the claim has expired or has been explicitly revoked.
type IDPRejectedClaimException struct {
Message *string
@@ -183,11 +184,13 @@ func (e *MalformedPolicyDocumentException) ErrorFault() smithy.ErrorFault { retu
// compresses the session policy document, session policy ARNs, and session tags
// into a packed binary format that has a separate limit. The error message
// indicates by percentage how close the policies and tags are to the upper size
-// limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-// in the IAM User Guide. You could receive this error even though you meet other
-// defined session policy and session tag limits. For more information, see IAM
-// and STS Entity Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length)
-// in the IAM User Guide.
+// limit. For more information, see [Passing Session Tags in STS]in the IAM User Guide.
+//
+// You could receive this error even though you meet other defined session policy
+// and session tag limits. For more information, see [IAM and STS Entity Character Limits]in the IAM User Guide.
+//
+// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+// [IAM and STS Entity Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length
type PackedPolicyTooLargeException struct {
Message *string
@@ -215,9 +218,10 @@ func (e *PackedPolicyTooLargeException) ErrorFault() smithy.ErrorFault { return
// STS is not activated in the requested region for the account that is being
// asked to generate credentials. The account administrator must use the IAM
-// console to activate STS in that region. For more information, see Activating
-// and Deactivating Amazon Web Services STS in an Amazon Web Services Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
-// in the IAM User Guide.
+// console to activate STS in that region. For more information, see [Activating and Deactivating Amazon Web Services STS in an Amazon Web Services Region]in the IAM
+// User Guide.
+//
+// [Activating and Deactivating Amazon Web Services STS in an Amazon Web Services Region]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
type RegionDisabledException struct {
Message *string
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/types.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/types.go
index e3701d11d..dff7a3c2e 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/types.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/types.go
@@ -11,10 +11,11 @@ import (
// returns.
type AssumedRoleUser struct {
- // The ARN of the temporary security credentials that are returned from the
- // AssumeRole action. For more information about ARNs and how to use them in
- // policies, see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
- // in the IAM User Guide.
+ // The ARN of the temporary security credentials that are returned from the AssumeRole
+ // action. For more information about ARNs and how to use them in policies, see [IAM Identifiers]in
+ // the IAM User Guide.
+ //
+ // [IAM Identifiers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
//
// This member is required.
Arn *string
@@ -61,8 +62,9 @@ type FederatedUser struct {
// The ARN that specifies the federated user that is associated with the
// credentials. For more information about ARNs and how to use them in policies,
- // see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
- // in the IAM User Guide.
+ // see [IAM Identifiers]in the IAM User Guide.
+ //
+ // [IAM Identifiers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
//
// This member is required.
Arn *string
@@ -81,9 +83,10 @@ type FederatedUser struct {
type PolicyDescriptorType struct {
// The Amazon Resource Name (ARN) of the IAM managed policy to use as a session
- // policy for the role. For more information about ARNs, see Amazon Resource Names
- // (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
- // in the Amazon Web Services General Reference.
+ // policy for the role. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the Amazon Web
+ // Services General Reference.
+ //
+ // [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
Arn *string
noSmithyDocumentSerde
@@ -107,23 +110,30 @@ type ProvidedContext struct {
// You can pass custom key-value pair attributes when you assume a role or
// federate a user. These are called session tags. You can then use the session
-// tags to control access to resources. For more information, see Tagging Amazon
-// Web Services STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-// in the IAM User Guide.
+// tags to control access to resources. For more information, see [Tagging Amazon Web Services STS Sessions]in the IAM User
+// Guide.
+//
+// [Tagging Amazon Web Services STS Sessions]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
type Tag struct {
- // The key for a session tag. You can pass up to 50 session tags. The plain text
- // session tag keys can’t exceed 128 characters. For these and additional limits,
- // see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
- // in the IAM User Guide.
+ // The key for a session tag.
+ //
+ // You can pass up to 50 session tags. The plain text session tag keys can’t
+ // exceed 128 characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User
+ // Guide.
+ //
+ // [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
//
// This member is required.
Key *string
- // The value for a session tag. You can pass up to 50 session tags. The plain text
- // session tag values can’t exceed 256 characters. For these and additional limits,
- // see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
- // in the IAM User Guide.
+ // The value for a session tag.
+ //
+ // You can pass up to 50 session tags. The plain text session tag values can’t
+ // exceed 256 characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User
+ // Guide.
+ //
+ // [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
//
// This member is required.
Value *string
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
index fa5625df4..5eb8c0779 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
@@ -1079,6 +1079,9 @@ var awsPartition = partition{
endpointKey{
Region: "ap-southeast-2",
}: endpoint{},
+ endpointKey{
+ Region: "ca-central-1",
+ }: endpoint{},
endpointKey{
Region: "eu-central-1",
}: endpoint{},
@@ -1091,6 +1094,9 @@ var awsPartition = partition{
endpointKey{
Region: "eu-west-3",
}: endpoint{},
+ endpointKey{
+ Region: "sa-east-1",
+ }: endpoint{},
endpointKey{
Region: "us-east-1",
}: endpoint{},
@@ -4583,91 +4589,6 @@ var awsPartition = partition{
}: endpoint{},
},
},
- "backupstorage": service{
- Endpoints: serviceEndpoints{
- endpointKey{
- Region: "af-south-1",
- }: endpoint{},
- endpointKey{
- Region: "ap-east-1",
- }: endpoint{},
- endpointKey{
- Region: "ap-northeast-1",
- }: endpoint{},
- endpointKey{
- Region: "ap-northeast-2",
- }: endpoint{},
- endpointKey{
- Region: "ap-northeast-3",
- }: endpoint{},
- endpointKey{
- Region: "ap-south-1",
- }: endpoint{},
- endpointKey{
- Region: "ap-south-2",
- }: endpoint{},
- endpointKey{
- Region: "ap-southeast-1",
- }: endpoint{},
- endpointKey{
- Region: "ap-southeast-2",
- }: endpoint{},
- endpointKey{
- Region: "ap-southeast-3",
- }: endpoint{},
- endpointKey{
- Region: "ap-southeast-4",
- }: endpoint{},
- endpointKey{
- Region: "ca-central-1",
- }: endpoint{},
- endpointKey{
- Region: "eu-central-1",
- }: endpoint{},
- endpointKey{
- Region: "eu-central-2",
- }: endpoint{},
- endpointKey{
- Region: "eu-north-1",
- }: endpoint{},
- endpointKey{
- Region: "eu-south-1",
- }: endpoint{},
- endpointKey{
- Region: "eu-south-2",
- }: endpoint{},
- endpointKey{
- Region: "eu-west-1",
- }: endpoint{},
- endpointKey{
- Region: "eu-west-2",
- }: endpoint{},
- endpointKey{
- Region: "eu-west-3",
- }: endpoint{},
- endpointKey{
- Region: "me-central-1",
- }: endpoint{},
- endpointKey{
- Region: "me-south-1",
- }: endpoint{},
- endpointKey{
- Region: "sa-east-1",
- }: endpoint{},
- endpointKey{
- Region: "us-east-1",
- }: endpoint{},
- endpointKey{
- Region: "us-east-2",
- }: endpoint{},
- endpointKey{
- Region: "us-west-1",
- }: endpoint{},
- endpointKey{
- Region: "us-west-2",
- }: endpoint{},
- },
- },
"batch": service{
Defaults: endpointDefaults{
defaultKey{}: endpoint{},
@@ -4873,6 +4794,14 @@ var awsPartition = partition{
Region: "ap-southeast-2",
},
},
+ endpointKey{
+ Region: "bedrock-ca-central-1",
+ }: endpoint{
+ Hostname: "bedrock.ca-central-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "ca-central-1",
+ },
+ },
endpointKey{
Region: "bedrock-eu-central-1",
}: endpoint{
@@ -4889,6 +4818,14 @@ var awsPartition = partition{
Region: "eu-west-1",
},
},
+ endpointKey{
+ Region: "bedrock-eu-west-2",
+ }: endpoint{
+ Hostname: "bedrock.eu-west-2.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "eu-west-2",
+ },
+ },
endpointKey{
Region: "bedrock-eu-west-3",
}: endpoint{
@@ -4897,6 +4834,14 @@ var awsPartition = partition{
Region: "eu-west-3",
},
},
+ endpointKey{
+ Region: "bedrock-fips-ca-central-1",
+ }: endpoint{
+ Hostname: "bedrock-fips.ca-central-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "ca-central-1",
+ },
+ },
endpointKey{
Region: "bedrock-fips-us-east-1",
}: endpoint{
@@ -4945,6 +4890,14 @@ var awsPartition = partition{
Region: "ap-southeast-2",
},
},
+ endpointKey{
+ Region: "bedrock-runtime-ca-central-1",
+ }: endpoint{
+ Hostname: "bedrock-runtime.ca-central-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "ca-central-1",
+ },
+ },
endpointKey{
Region: "bedrock-runtime-eu-central-1",
}: endpoint{
@@ -4961,6 +4914,14 @@ var awsPartition = partition{
Region: "eu-west-1",
},
},
+ endpointKey{
+ Region: "bedrock-runtime-eu-west-2",
+ }: endpoint{
+ Hostname: "bedrock-runtime.eu-west-2.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "eu-west-2",
+ },
+ },
endpointKey{
Region: "bedrock-runtime-eu-west-3",
}: endpoint{
@@ -4969,6 +4930,14 @@ var awsPartition = partition{
Region: "eu-west-3",
},
},
+ endpointKey{
+ Region: "bedrock-runtime-fips-ca-central-1",
+ }: endpoint{
+ Hostname: "bedrock-runtime-fips.ca-central-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "ca-central-1",
+ },
+ },
endpointKey{
Region: "bedrock-runtime-fips-us-east-1",
}: endpoint{
@@ -4985,6 +4954,14 @@ var awsPartition = partition{
Region: "us-west-2",
},
},
+ endpointKey{
+ Region: "bedrock-runtime-sa-east-1",
+ }: endpoint{
+ Hostname: "bedrock-runtime.sa-east-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "sa-east-1",
+ },
+ },
endpointKey{
Region: "bedrock-runtime-us-east-1",
}: endpoint{
@@ -5001,6 +4978,14 @@ var awsPartition = partition{
Region: "us-west-2",
},
},
+ endpointKey{
+ Region: "bedrock-sa-east-1",
+ }: endpoint{
+ Hostname: "bedrock.sa-east-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "sa-east-1",
+ },
+ },
endpointKey{
Region: "bedrock-us-east-1",
}: endpoint{
@@ -5017,15 +5002,24 @@ var awsPartition = partition{
Region: "us-west-2",
},
},
+ endpointKey{
+ Region: "ca-central-1",
+ }: endpoint{},
endpointKey{
Region: "eu-central-1",
}: endpoint{},
endpointKey{
Region: "eu-west-1",
}: endpoint{},
+ endpointKey{
+ Region: "eu-west-2",
+ }: endpoint{},
endpointKey{
Region: "eu-west-3",
}: endpoint{},
+ endpointKey{
+ Region: "sa-east-1",
+ }: endpoint{},
endpointKey{
Region: "us-east-1",
}: endpoint{},
@@ -5083,6 +5077,12 @@ var awsPartition = partition{
},
"cases": service{
Endpoints: serviceEndpoints{
+ endpointKey{
+ Region: "ap-northeast-1",
+ }: endpoint{},
+ endpointKey{
+ Region: "ap-northeast-2",
+ }: endpoint{},
endpointKey{
Region: "ap-southeast-1",
}: endpoint{},
@@ -5297,69 +5297,157 @@ var awsPartition = partition{
endpointKey{
Region: "af-south-1",
}: endpoint{},
+ endpointKey{
+ Region: "af-south-1",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "ap-east-1",
}: endpoint{},
+ endpointKey{
+ Region: "ap-east-1",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "ap-northeast-1",
}: endpoint{},
+ endpointKey{
+ Region: "ap-northeast-1",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "ap-northeast-2",
}: endpoint{},
+ endpointKey{
+ Region: "ap-northeast-2",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "ap-northeast-3",
}: endpoint{},
+ endpointKey{
+ Region: "ap-northeast-3",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "ap-south-1",
}: endpoint{},
+ endpointKey{
+ Region: "ap-south-1",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "ap-southeast-1",
}: endpoint{},
+ endpointKey{
+ Region: "ap-southeast-1",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "ap-southeast-2",
}: endpoint{},
+ endpointKey{
+ Region: "ap-southeast-2",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "ca-central-1",
}: endpoint{},
+ endpointKey{
+ Region: "ca-central-1",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "eu-central-1",
}: endpoint{},
+ endpointKey{
+ Region: "eu-central-1",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "eu-north-1",
}: endpoint{},
+ endpointKey{
+ Region: "eu-north-1",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "eu-south-1",
}: endpoint{},
+ endpointKey{
+ Region: "eu-south-1",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "eu-west-1",
}: endpoint{},
+ endpointKey{
+ Region: "eu-west-1",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "eu-west-2",
}: endpoint{},
+ endpointKey{
+ Region: "eu-west-2",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "eu-west-3",
}: endpoint{},
+ endpointKey{
+ Region: "eu-west-3",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "il-central-1",
}: endpoint{},
+ endpointKey{
+ Region: "il-central-1",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "me-south-1",
}: endpoint{},
+ endpointKey{
+ Region: "me-south-1",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "sa-east-1",
}: endpoint{},
+ endpointKey{
+ Region: "sa-east-1",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "us-east-1",
}: endpoint{},
+ endpointKey{
+ Region: "us-east-1",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "us-east-2",
}: endpoint{},
+ endpointKey{
+ Region: "us-east-2",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "us-west-1",
}: endpoint{},
+ endpointKey{
+ Region: "us-west-1",
+ Variant: dualStackVariant,
+ }: endpoint{},
endpointKey{
Region: "us-west-2",
}: endpoint{},
+ endpointKey{
+ Region: "us-west-2",
+ Variant: dualStackVariant,
+ }: endpoint{},
},
},
"cloudcontrolapi": service{
@@ -9264,9 +9352,21 @@ var awsPartition = partition{
endpointKey{
Region: "ca-central-1",
}: endpoint{},
+ endpointKey{
+ Region: "ca-central-1",
+ Variant: fipsVariant,
+ }: endpoint{
+ Hostname: "directconnect-fips.ca-central-1.amazonaws.com",
+ },
endpointKey{
Region: "ca-west-1",
}: endpoint{},
+ endpointKey{
+ Region: "ca-west-1",
+ Variant: fipsVariant,
+ }: endpoint{
+ Hostname: "directconnect-fips.ca-west-1.amazonaws.com",
+ },
endpointKey{
Region: "eu-central-1",
}: endpoint{},
@@ -9291,6 +9391,24 @@ var awsPartition = partition{
endpointKey{
Region: "eu-west-3",
}: endpoint{},
+ endpointKey{
+ Region: "fips-ca-central-1",
+ }: endpoint{
+ Hostname: "directconnect-fips.ca-central-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "ca-central-1",
+ },
+ Deprecated: boxedTrue,
+ },
+ endpointKey{
+ Region: "fips-ca-west-1",
+ }: endpoint{
+ Hostname: "directconnect-fips.ca-west-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "ca-west-1",
+ },
+ Deprecated: boxedTrue,
+ },
endpointKey{
Region: "fips-us-east-1",
}: endpoint{
@@ -15561,6 +15679,9 @@ var awsPartition = partition{
endpointKey{
Region: "ca-central-1",
}: endpoint{},
+ endpointKey{
+ Region: "ca-west-1",
+ }: endpoint{},
endpointKey{
Region: "eu-central-1",
}: endpoint{},
@@ -17465,12 +17586,27 @@ var awsPartition = partition{
endpointKey{
Region: "ca-central-1",
}: endpoint{},
+ endpointKey{
+ Region: "ca-central-1",
+ Variant: fipsVariant,
+ }: endpoint{
+ Hostname: "kendra-fips.ca-central-1.amazonaws.com",
+ },
endpointKey{
Region: "eu-west-1",
}: endpoint{},
endpointKey{
Region: "eu-west-2",
}: endpoint{},
+ endpointKey{
+ Region: "fips-ca-central-1",
+ }: endpoint{
+ Hostname: "kendra-fips.ca-central-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "ca-central-1",
+ },
+ Deprecated: boxedTrue,
+ },
endpointKey{
Region: "fips-us-east-1",
}: endpoint{
@@ -21684,6 +21820,9 @@ var awsPartition = partition{
endpointKey{
Region: "ca-central-1",
}: endpoint{},
+ endpointKey{
+ Region: "ca-west-1",
+ }: endpoint{},
endpointKey{
Region: "eu-central-1",
}: endpoint{},
@@ -25241,6 +25380,9 @@ var awsPartition = partition{
},
Deprecated: boxedTrue,
},
+ endpointKey{
+ Region: "me-central-1",
+ }: endpoint{},
endpointKey{
Region: "sa-east-1",
}: endpoint{},
@@ -31870,6 +32012,24 @@ var awsPartition = partition{
},
Deprecated: boxedTrue,
},
+ endpointKey{
+ Region: "ca-west-1",
+ }: endpoint{},
+ endpointKey{
+ Region: "ca-west-1",
+ Variant: fipsVariant,
+ }: endpoint{
+ Hostname: "storagegateway-fips.ca-west-1.amazonaws.com",
+ },
+ endpointKey{
+ Region: "ca-west-1-fips",
+ }: endpoint{
+ Hostname: "storagegateway-fips.ca-west-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "ca-west-1",
+ },
+ Deprecated: boxedTrue,
+ },
endpointKey{
Region: "eu-central-1",
}: endpoint{},
@@ -33793,6 +33953,9 @@ var awsPartition = partition{
endpointKey{
Region: "eu-west-2",
}: endpoint{},
+ endpointKey{
+ Region: "eu-west-3",
+ }: endpoint{},
endpointKey{
Region: "sa-east-1",
}: endpoint{},
@@ -33802,6 +33965,9 @@ var awsPartition = partition{
endpointKey{
Region: "us-east-2",
}: endpoint{},
+ endpointKey{
+ Region: "us-west-1",
+ }: endpoint{},
endpointKey{
Region: "us-west-2",
}: endpoint{},
@@ -36138,16 +36304,6 @@ var awscnPartition = partition{
}: endpoint{},
},
},
- "backupstorage": service{
- Endpoints: serviceEndpoints{
- endpointKey{
- Region: "cn-north-1",
- }: endpoint{},
- endpointKey{
- Region: "cn-northwest-1",
- }: endpoint{},
- },
- },
"batch": service{
Endpoints: serviceEndpoints{
endpointKey{
@@ -38917,16 +39073,6 @@ var awsusgovPartition = partition{
}: endpoint{},
},
},
- "backupstorage": service{
- Endpoints: serviceEndpoints{
- endpointKey{
- Region: "us-gov-east-1",
- }: endpoint{},
- endpointKey{
- Region: "us-gov-west-1",
- }: endpoint{},
- },
- },
"batch": service{
Defaults: endpointDefaults{
defaultKey{}: endpoint{},
@@ -38977,6 +39123,22 @@ var awsusgovPartition = partition{
},
"bedrock": service{
Endpoints: serviceEndpoints{
+ endpointKey{
+ Region: "bedrock-fips-us-gov-west-1",
+ }: endpoint{
+ Hostname: "bedrock-fips.us-gov-west-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "us-gov-west-1",
+ },
+ },
+ endpointKey{
+ Region: "bedrock-runtime-fips-us-gov-west-1",
+ }: endpoint{
+ Hostname: "bedrock-runtime-fips.us-gov-west-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "us-gov-west-1",
+ },
+ },
endpointKey{
Region: "bedrock-runtime-us-gov-west-1",
}: endpoint{
@@ -41821,6 +41983,62 @@ var awsusgovPartition = partition{
}: endpoint{},
},
},
+ "kinesisvideo": service{
+ Endpoints: serviceEndpoints{
+ endpointKey{
+ Region: "fips-us-gov-east-1",
+ }: endpoint{
+ Hostname: "kinesisvideo-fips.us-gov-east-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "us-gov-east-1",
+ },
+ Deprecated: boxedTrue,
+ },
+ endpointKey{
+ Region: "fips-us-gov-west-1",
+ }: endpoint{
+ Hostname: "kinesisvideo-fips.us-gov-west-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "us-gov-west-1",
+ },
+ Deprecated: boxedTrue,
+ },
+ endpointKey{
+ Region: "us-gov-east-1",
+ }: endpoint{
+ Hostname: "kinesisvideo-fips.us-gov-east-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "us-gov-east-1",
+ },
+ },
+ endpointKey{
+ Region: "us-gov-east-1",
+ Variant: fipsVariant,
+ }: endpoint{
+ Hostname: "kinesisvideo-fips.us-gov-east-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "us-gov-east-1",
+ },
+ },
+ endpointKey{
+ Region: "us-gov-west-1",
+ }: endpoint{
+ Hostname: "kinesisvideo-fips.us-gov-west-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "us-gov-west-1",
+ },
+ },
+ endpointKey{
+ Region: "us-gov-west-1",
+ Variant: fipsVariant,
+ }: endpoint{
+ Hostname: "kinesisvideo-fips.us-gov-west-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "us-gov-west-1",
+ },
+ },
+ },
+ },
"kms": service{
Endpoints: serviceEndpoints{
endpointKey{
@@ -43562,6 +43780,46 @@ var awsusgovPartition = partition{
},
},
},
+ "securitylake": service{
+ Endpoints: serviceEndpoints{
+ endpointKey{
+ Region: "us-gov-east-1",
+ }: endpoint{},
+ endpointKey{
+ Region: "us-gov-east-1",
+ Variant: fipsVariant,
+ }: endpoint{
+ Hostname: "securitylake.us-gov-east-1.amazonaws.com",
+ },
+ endpointKey{
+ Region: "us-gov-east-1-fips",
+ }: endpoint{
+ Hostname: "securitylake.us-gov-east-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "us-gov-east-1",
+ },
+ Deprecated: boxedTrue,
+ },
+ endpointKey{
+ Region: "us-gov-west-1",
+ }: endpoint{},
+ endpointKey{
+ Region: "us-gov-west-1",
+ Variant: fipsVariant,
+ }: endpoint{
+ Hostname: "securitylake.us-gov-west-1.amazonaws.com",
+ },
+ endpointKey{
+ Region: "us-gov-west-1-fips",
+ }: endpoint{
+ Hostname: "securitylake.us-gov-west-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "us-gov-west-1",
+ },
+ Deprecated: boxedTrue,
+ },
+ },
+ },
"serverlessrepo": service{
Defaults: endpointDefaults{
defaultKey{}: endpoint{
@@ -45743,42 +46001,12 @@ var awsisoPartition = partition{
},
"ram": service{
Endpoints: serviceEndpoints{
- endpointKey{
- Region: "fips-us-iso-east-1",
- }: endpoint{
- Hostname: "ram-fips.us-iso-east-1.c2s.ic.gov",
- CredentialScope: credentialScope{
- Region: "us-iso-east-1",
- },
- Deprecated: boxedTrue,
- },
- endpointKey{
- Region: "fips-us-iso-west-1",
- }: endpoint{
- Hostname: "ram-fips.us-iso-west-1.c2s.ic.gov",
- CredentialScope: credentialScope{
- Region: "us-iso-west-1",
- },
- Deprecated: boxedTrue,
- },
endpointKey{
Region: "us-iso-east-1",
}: endpoint{},
- endpointKey{
- Region: "us-iso-east-1",
- Variant: fipsVariant,
- }: endpoint{
- Hostname: "ram-fips.us-iso-east-1.c2s.ic.gov",
- },
endpointKey{
Region: "us-iso-west-1",
}: endpoint{},
- endpointKey{
- Region: "us-iso-west-1",
- Variant: fipsVariant,
- }: endpoint{
- Hostname: "ram-fips.us-iso-west-1.c2s.ic.gov",
- },
},
},
"rbin": service{
@@ -45823,37 +46051,10 @@ var awsisoPartition = partition{
},
"rds": service{
Endpoints: serviceEndpoints{
- endpointKey{
- Region: "rds-fips.us-iso-east-1",
- }: endpoint{
- Hostname: "rds-fips.us-iso-east-1.c2s.ic.gov",
- CredentialScope: credentialScope{
- Region: "us-iso-east-1",
- },
- Deprecated: boxedTrue,
- },
- endpointKey{
- Region: "rds-fips.us-iso-west-1",
- }: endpoint{
- Hostname: "rds-fips.us-iso-west-1.c2s.ic.gov",
- CredentialScope: credentialScope{
- Region: "us-iso-west-1",
- },
- Deprecated: boxedTrue,
- },
endpointKey{
Region: "rds.us-iso-east-1",
}: endpoint{
- CredentialScope: credentialScope{
- Region: "us-iso-east-1",
- },
- Deprecated: boxedTrue,
- },
- endpointKey{
- Region: "rds.us-iso-east-1",
- Variant: fipsVariant,
- }: endpoint{
- Hostname: "rds-fips.us-iso-east-1.c2s.ic.gov",
+ Hostname: "rds.us-iso-east-1.c2s.ic.gov",
CredentialScope: credentialScope{
Region: "us-iso-east-1",
},
@@ -45862,16 +46063,7 @@ var awsisoPartition = partition{
endpointKey{
Region: "rds.us-iso-west-1",
}: endpoint{
- CredentialScope: credentialScope{
- Region: "us-iso-west-1",
- },
- Deprecated: boxedTrue,
- },
- endpointKey{
- Region: "rds.us-iso-west-1",
- Variant: fipsVariant,
- }: endpoint{
- Hostname: "rds-fips.us-iso-west-1.c2s.ic.gov",
+ Hostname: "rds.us-iso-west-1.c2s.ic.gov",
CredentialScope: credentialScope{
Region: "us-iso-west-1",
},
@@ -45884,12 +46076,12 @@ var awsisoPartition = partition{
Region: "us-iso-east-1",
Variant: fipsVariant,
}: endpoint{
- Hostname: "rds-fips.us-iso-east-1.c2s.ic.gov",
+ Hostname: "rds.us-iso-east-1.c2s.ic.gov",
},
endpointKey{
Region: "us-iso-east-1-fips",
}: endpoint{
- Hostname: "rds-fips.us-iso-east-1.c2s.ic.gov",
+ Hostname: "rds.us-iso-east-1.c2s.ic.gov",
CredentialScope: credentialScope{
Region: "us-iso-east-1",
},
@@ -45902,12 +46094,12 @@ var awsisoPartition = partition{
Region: "us-iso-west-1",
Variant: fipsVariant,
}: endpoint{
- Hostname: "rds-fips.us-iso-west-1.c2s.ic.gov",
+ Hostname: "rds.us-iso-west-1.c2s.ic.gov",
},
endpointKey{
Region: "us-iso-west-1-fips",
}: endpoint{
- Hostname: "rds-fips.us-iso-west-1.c2s.ic.gov",
+ Hostname: "rds.us-iso-west-1.c2s.ic.gov",
CredentialScope: credentialScope{
Region: "us-iso-west-1",
},
@@ -46866,24 +47058,9 @@ var awsisobPartition = partition{
},
"ram": service{
Endpoints: serviceEndpoints{
- endpointKey{
- Region: "fips-us-isob-east-1",
- }: endpoint{
- Hostname: "ram-fips.us-isob-east-1.sc2s.sgov.gov",
- CredentialScope: credentialScope{
- Region: "us-isob-east-1",
- },
- Deprecated: boxedTrue,
- },
endpointKey{
Region: "us-isob-east-1",
}: endpoint{},
- endpointKey{
- Region: "us-isob-east-1",
- Variant: fipsVariant,
- }: endpoint{
- Hostname: "ram-fips.us-isob-east-1.sc2s.sgov.gov",
- },
},
},
"rbin": service{
@@ -46910,28 +47087,10 @@ var awsisobPartition = partition{
},
"rds": service{
Endpoints: serviceEndpoints{
- endpointKey{
- Region: "rds-fips.us-isob-east-1",
- }: endpoint{
- Hostname: "rds-fips.us-isob-east-1.sc2s.sgov.gov",
- CredentialScope: credentialScope{
- Region: "us-isob-east-1",
- },
- Deprecated: boxedTrue,
- },
endpointKey{
Region: "rds.us-isob-east-1",
}: endpoint{
- CredentialScope: credentialScope{
- Region: "us-isob-east-1",
- },
- Deprecated: boxedTrue,
- },
- endpointKey{
- Region: "rds.us-isob-east-1",
- Variant: fipsVariant,
- }: endpoint{
- Hostname: "rds-fips.us-isob-east-1.sc2s.sgov.gov",
+ Hostname: "rds.us-isob-east-1.sc2s.sgov.gov",
CredentialScope: credentialScope{
Region: "us-isob-east-1",
},
@@ -46944,12 +47103,12 @@ var awsisobPartition = partition{
Region: "us-isob-east-1",
Variant: fipsVariant,
}: endpoint{
- Hostname: "rds-fips.us-isob-east-1.sc2s.sgov.gov",
+ Hostname: "rds.us-isob-east-1.sc2s.sgov.gov",
},
endpointKey{
Region: "us-isob-east-1-fips",
}: endpoint{
- Hostname: "rds-fips.us-isob-east-1.sc2s.sgov.gov",
+ Hostname: "rds.us-isob-east-1.sc2s.sgov.gov",
CredentialScope: credentialScope{
Region: "us-isob-east-1",
},
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/version.go b/vendor/github.com/aws/aws-sdk-go/aws/version.go
index 60b9f8636..193f4be1a 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/version.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/version.go
@@ -5,4 +5,4 @@ package aws
const SDKName = "aws-sdk-go"
// SDKVersion is the version of this SDK
-const SDKVersion = "1.53.14"
+const SDKVersion = "1.54.6"
diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/api.go b/vendor/github.com/aws/aws-sdk-go/service/kms/api.go
index f25af3aaa..30d4752cd 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/kms/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/kms/api.go
@@ -807,6 +807,7 @@ func (c *KMS) CreateCustomKeyStoreRequest(input *CreateCustomKeyStoreInput) (req
// for Amazon VPC endpoint service connectivity for an external key store.
//
// - XksProxyInvalidResponseException
+//
// KMS cannot interpret the response it received from the external key store
// proxy. The problem might be a poorly constructed response, but it could also
// be a transient network issue. If you see this error repeatedly, report it
@@ -1107,11 +1108,15 @@ func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, out
// Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair,
// or an SM2 key pair (China Regions only). The private key in an asymmetric
// KMS key never leaves KMS unencrypted. However, you can use the GetPublicKey
-// operation to download the public key so it can be used outside of KMS. KMS
-// keys with RSA or SM2 key pairs can be used to encrypt or decrypt data or
-// sign and verify messages (but not both). KMS keys with ECC key pairs can
-// be used only to sign and verify messages. For information about asymmetric
-// KMS keys, see Asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
+// operation to download the public key so it can be used outside of KMS. Each
+// KMS key can have only one key usage. KMS keys with RSA key pairs can be used
+// to encrypt and decrypt data or sign and verify messages (but not both). KMS
+// keys with NIST-recommended ECC key pairs can be used to sign and verify messages
+// or derive shared secrets (but not both). KMS keys with ECC_SECG_P256K1 can
+// be used only to sign and verify messages. KMS keys with SM2 key pairs (China
+// Regions only) can be used to either encrypt and decrypt data, sign and verify
+// messages, or derive shared secrets (you must choose one key usage type).
+// For information about asymmetric KMS keys, see Asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
// in the Key Management Service Developer Guide.
//
// # HMAC KMS key
@@ -1554,7 +1559,8 @@ func (c *KMS) DecryptRequest(input *DecryptInput) (req *request.Request, output
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@@ -2068,6 +2074,219 @@ func (c *KMS) DeleteImportedKeyMaterialWithContext(ctx aws.Context, input *Delet
return out, req.Send()
}
+const opDeriveSharedSecret = "DeriveSharedSecret"
+
+// DeriveSharedSecretRequest generates a "aws/request.Request" representing the
+// client's request for the DeriveSharedSecret operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DeriveSharedSecret for more information on using the DeriveSharedSecret
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+// // Example sending a request using the DeriveSharedSecretRequest method.
+// req, resp := client.DeriveSharedSecretRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecret
+func (c *KMS) DeriveSharedSecretRequest(input *DeriveSharedSecretInput) (req *request.Request, output *DeriveSharedSecretOutput) {
+ op := &request.Operation{
+ Name: opDeriveSharedSecret,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &DeriveSharedSecretInput{}
+ }
+
+ output = &DeriveSharedSecretOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// DeriveSharedSecret API operation for AWS Key Management Service.
+//
+// Derives a shared secret using a key agreement algorithm.
+//
+// You must use an asymmetric NIST-recommended elliptic curve (ECC) or SM2 (China
+// Regions only) KMS key pair with a KeyUsage value of KEY_AGREEMENT to call
+// DeriveSharedSecret.
+//
+// DeriveSharedSecret uses the Elliptic Curve Cryptography Cofactor Diffie-Hellman
+// Primitive (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf#page=60)
+// (ECDH) to establish a key agreement between two peers by deriving a shared
+// secret from their elliptic curve public-private key pairs. You can use the
+// raw shared secret that DeriveSharedSecret returns to derive a symmetric key
+// that can encrypt and decrypt data that is sent between the two peers, or
+// that can generate and verify HMACs. KMS recommends that you follow NIST recommendations
+// for key derivation (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf)
+// when using the raw shared secret to derive a symmetric key.
+//
+// The following workflow demonstrates how to establish key agreement over an
+// insecure communication channel using DeriveSharedSecret.
+//
+// Alice calls CreateKey to create an asymmetric KMS key pair with a KeyUsage
+// value of KEY_AGREEMENT.
+//
+// The asymmetric KMS key must use a NIST-recommended elliptic curve (ECC) or
+// SM2 (China Regions only) key spec.
+//
+// Bob creates an elliptic curve key pair.
+//
+// Bob can call CreateKey to create an asymmetric KMS key pair or generate a
+// key pair outside of KMS. Bob's key pair must use the same NIST-recommended
+// elliptic curve (ECC) or SM2 (China Regions ony) curve as Alice.
+//
+// Alice and Bob exchange their public keys through an insecure communication
+// channel (like the internet).
+//
+// Use GetPublicKey to download the public key of your asymmetric KMS key pair.
+//
+// KMS strongly recommends verifying that the public key you receive came from
+// the expected party before using it to derive a shared secret.
+//
+// Alice calls DeriveSharedSecret.
+//
+// KMS uses the private key from the KMS key pair generated in Step 1, Bob's
+// public key, and the Elliptic Curve Cryptography Cofactor Diffie-Hellman Primitive
+// to derive the shared secret. The private key in your KMS key pair never leaves
+// KMS unencrypted. DeriveSharedSecret returns the raw shared secret.
+//
+// Bob uses the Elliptic Curve Cryptography Cofactor Diffie-Hellman Primitive
+// to calculate the same raw secret using his private key and Alice's public
+// key.
+//
+// To derive a shared secret you must provide a key agreement algorithm, the
+// private key of the caller's asymmetric NIST-recommended elliptic curve or
+// SM2 (China Regions only) KMS key pair, and the public key from your peer's
+// NIST-recommended elliptic curve or SM2 (China Regions only) key pair. The
+// public key can be from another asymmetric KMS key pair or from a key pair
+// generated outside of KMS, but both key pairs must be on the same elliptic
+// curve.
+//
+// The KMS key that you use for this operation must be in a compatible key state.
+// For details, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the Key Management Service Developer Guide.
+//
+// Cross-account use: Yes. To perform this operation with a KMS key in a different
+// Amazon Web Services account, specify the key ARN or alias ARN in the value
+// of the KeyId parameter.
+//
+// Required permissions: kms:DeriveSharedSecret (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
+// (key policy)
+//
+// Related operations:
+//
+// - CreateKey
+//
+// - GetPublicKey
+//
+// - DescribeKey
+//
+// Eventual consistency: The KMS API follows an eventual consistency model.
+// For more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html).
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation DeriveSharedSecret for usage and error information.
+//
+// Returned Error Types:
+//
+// - NotFoundException
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// - DisabledException
+// The request was rejected because the specified KMS key is not enabled.
+//
+// - KeyUnavailableException
+// The request was rejected because the specified KMS key was not available.
+// You can retry the request.
+//
+// - DependencyTimeoutException
+// The system timed out while trying to fulfill the request. You can retry the
+// request.
+//
+// - InvalidGrantTokenException
+// The request was rejected because the specified grant token is not valid.
+//
+// - InvalidKeyUsageException
+// The request was rejected for one of the following reasons:
+//
+// - The KeyUsage value of the KMS key is incompatible with the API operation.
+//
+// - The encryption algorithm or signing algorithm specified for the operation
+// is incompatible with the type of key material in the KMS key (KeySpec).
+//
+// For encrypting, decrypting, re-encrypting, and generating data keys, the
+// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
+// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
+// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
+// of a KMS key, use the DescribeKey operation.
+//
+// To find the encryption or signing algorithms supported for a particular KMS
+// key, use the DescribeKey operation.
+//
+// - InternalException
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// - InvalidStateException
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// This exceptions means one of the following:
+//
+// - The key state of the KMS key is not compatible with the operation. To
+// find the key state, use the DescribeKey operation. For more information
+// about which key states are compatible with each KMS operation, see Key
+// states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the Key Management Service Developer Guide .
+//
+// - For cryptographic operations on KMS keys in custom key stores, this
+// exception represents a general failure with many possible causes. To identify
+// the cause, see the error message that accompanies the exception.
+//
+// - DryRunOperationException
+// The request was rejected because the DryRun parameter was specified.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecret
+func (c *KMS) DeriveSharedSecret(input *DeriveSharedSecretInput) (*DeriveSharedSecretOutput, error) {
+ req, out := c.DeriveSharedSecretRequest(input)
+ return out, req.Send()
+}
+
+// DeriveSharedSecretWithContext is the same as DeriveSharedSecret with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DeriveSharedSecret for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) DeriveSharedSecretWithContext(ctx aws.Context, input *DeriveSharedSecretInput, opts ...request.Option) (*DeriveSharedSecretOutput, error) {
+ req, out := c.DeriveSharedSecretRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
const opDescribeCustomKeyStores = "DescribeCustomKeyStores"
// DescribeCustomKeyStoresRequest generates a "aws/request.Request" representing the
@@ -3326,7 +3545,8 @@ func (c *KMS) EncryptRequest(input *EncryptInput) (req *request.Request, output
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@@ -3554,7 +3774,8 @@ func (c *KMS) GenerateDataKeyRequest(input *GenerateDataKeyInput) (req *request.
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@@ -3772,7 +3993,8 @@ func (c *KMS) GenerateDataKeyPairRequest(input *GenerateDataKeyPairInput) (req *
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@@ -3969,7 +4191,8 @@ func (c *KMS) GenerateDataKeyPairWithoutPlaintextRequest(input *GenerateDataKeyP
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@@ -4178,7 +4401,8 @@ func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWitho
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@@ -4343,7 +4567,8 @@ func (c *KMS) GenerateMacRequest(input *GenerateMacInput) (req *request.Request,
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@@ -4911,9 +5136,9 @@ func (c *KMS) GetParametersForImportRequest(input *GetParametersForImportInput)
// GetParametersForImport returns the items that you need to import your key
// material.
//
-// - The public key (or "wrapping key") of an asymmetric key pair that KMS
-// generates. You will use this public key to encrypt ("wrap") your key material
-// while it's in transit to KMS.
+// - The public key (or "wrapping key") of an RSA key pair that KMS generates.
+// You will use this public key to encrypt ("wrap") your key material while
+// it's in transit to KMS.
//
// - A import token that ensures that KMS can decrypt your key material and
// associate it with the correct KMS key.
@@ -5089,7 +5314,8 @@ func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Reques
// The type of key material in the public key, such as RSA_4096 or ECC_NIST_P521.
//
// - KeyUsage (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage):
-// Whether the key is used for encryption or signing.
+// Whether the key is used for encryption, signing, or deriving a shared
+// secret.
//
// - EncryptionAlgorithms (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms)
// or SigningAlgorithms (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms):
@@ -5170,7 +5396,8 @@ func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Reques
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@@ -7082,7 +7309,8 @@ func (c *KMS) ReEncryptRequest(input *ReEncryptInput) (req *request.Request, out
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@@ -8134,7 +8362,8 @@ func (c *KMS) SignRequest(input *SignInput) (req *request.Request, output *SignO
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@@ -8939,6 +9168,7 @@ func (c *KMS) UpdateCustomKeyStoreRequest(input *UpdateCustomKeyStoreInput) (req
// for Amazon VPC endpoint service connectivity for an external key store.
//
// - XksProxyInvalidResponseException
+//
// KMS cannot interpret the response it received from the external key store
// proxy. The problem might be a poorly constructed response, but it could also
// be a transient network issue. If you see this error repeatedly, report it
@@ -9412,7 +9642,8 @@ func (c *KMS) VerifyRequest(input *VerifyInput) (req *request.Request, output *V
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@@ -9576,7 +9807,8 @@ func (c *KMS) VerifyMacRequest(input *VerifyMacInput) (req *request.Request, out
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@@ -11140,15 +11372,18 @@ type CreateKeyInput struct {
//
// * HMAC keys (symmetric) HMAC_224 HMAC_256 HMAC_384 HMAC_512
//
- // * Asymmetric RSA key pairs RSA_2048 RSA_3072 RSA_4096
+ // * Asymmetric RSA key pairs (encryption and decryption -or- signing and
+ // verification) RSA_2048 RSA_3072 RSA_4096
//
- // * Asymmetric NIST-recommended elliptic curve key pairs ECC_NIST_P256 (secp256r1)
- // ECC_NIST_P384 (secp384r1) ECC_NIST_P521 (secp521r1)
+ // * Asymmetric NIST-recommended elliptic curve key pairs (signing and verification
+ // -or- deriving shared secrets) ECC_NIST_P256 (secp256r1) ECC_NIST_P384
+ // (secp384r1) ECC_NIST_P521 (secp521r1)
//
- // * Other asymmetric elliptic curve key pairs ECC_SECG_P256K1 (secp256k1),
- // commonly used for cryptocurrencies.
+ // * Other asymmetric elliptic curve key pairs (signing and verification)
+ // ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.
//
- // * SM2 key pairs (China Regions only) SM2
+ // * SM2 key pairs (encryption and decryption -or- signing and verification
+ // -or- deriving shared secrets) SM2 (China Regions only)
KeySpec *string `type:"string" enum:"KeySpec"`
// Determines the cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
@@ -11163,13 +11398,16 @@ type CreateKeyInput struct {
//
// * For HMAC KMS keys (symmetric), specify GENERATE_VERIFY_MAC.
//
- // * For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT
+ // * For asymmetric KMS keys with RSA key pairs, specify ENCRYPT_DECRYPT
// or SIGN_VERIFY.
//
- // * For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY.
+ // * For asymmetric KMS keys with NIST-recommended elliptic curve key pairs,
+ // specify SIGN_VERIFY or KEY_AGREEMENT.
//
- // * For asymmetric KMS keys with SM2 key material (China Regions only),
- // specify ENCRYPT_DECRYPT or SIGN_VERIFY.
+ // * For asymmetric KMS keys with ECC_SECG_P256K1 key pairs specify SIGN_VERIFY.
+ //
+ // * For asymmetric KMS keys with SM2 key pairs (China Regions only), specify
+ // ENCRYPT_DECRYPT, SIGN_VERIFY, or KEY_AGREEMENT.
KeyUsage *string `type:"string" enum:"KeyUsageType"`
// Creates a multi-Region primary key that you can replicate into other Amazon
@@ -12555,6 +12793,282 @@ func (s *DependencyTimeoutException) RequestID() string {
return s.RespMetadata.RequestID
}
+type DeriveSharedSecretInput struct {
+ _ struct{} `type:"structure"`
+
+ // Checks if your request will succeed. DryRun is an optional parameter.
+ //
+ // To learn more about how to use this parameter, see Testing your KMS API calls
+ // (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html)
+ // in the Key Management Service Developer Guide.
+ DryRun *bool `type:"boolean"`
+
+ // A list of grant tokens.
+ //
+ // Use a grant token when your permission to call this operation comes from
+ // a new grant that has not yet achieved eventual consistency. For more information,
+ // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token)
+ // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token)
+ // in the Key Management Service Developer Guide.
+ GrantTokens []*string `type:"list"`
+
+ // Specifies the key agreement algorithm used to derive the shared secret. The
+ // only valid value is ECDH.
+ //
+ // KeyAgreementAlgorithm is a required field
+ KeyAgreementAlgorithm *string `type:"string" required:"true" enum:"KeyAgreementAlgorithmSpec"`
+
+ // Identifies an asymmetric NIST-recommended ECC or SM2 (China Regions only)
+ // KMS key. KMS uses the private key in the specified key pair to derive the
+ // shared secret. The key usage of the KMS key must be KEY_AGREEMENT. To find
+ // the KeyUsage of a KMS key, use the DescribeKey operation.
+ //
+ // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
+ // When using an alias name, prefix it with "alias/". To specify a KMS key in
+ // a different Amazon Web Services account, you must use the key ARN or alias
+ // ARN.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Alias name: alias/ExampleAlias
+ //
+ // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
+ //
+ // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
+ // To get the alias name and alias ARN, use ListAliases.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+
+ // Specifies the public key in your peer's NIST-recommended elliptic curve (ECC)
+ // or SM2 (China Regions only) key pair.
+ //
+ // The public key must be a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo
+ // (SPKI), as defined in RFC 5280 (https://tools.ietf.org/html/rfc5280).
+ //
+ // GetPublicKey returns the public key of an asymmetric KMS key pair in the
+ // required DER-encoded format.
+ //
+ // If you use Amazon Web Services CLI version 1 (https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html),
+ // you must provide the DER-encoded X.509 public key in a file. Otherwise, the
+ // Amazon Web Services CLI Base64-encodes the public key a second time, resulting
+ // in a ValidationException.
+ //
+ // You can specify the public key as binary data in a file using fileb (fileb://)
+ // or in-line using a Base64 encoded string.
+ // PublicKey is automatically base64 encoded/decoded by the SDK.
+ //
+ // PublicKey is a required field
+ PublicKey []byte `min:"1" type:"blob" required:"true"`
+
+ // A signed attestation document (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc)
+ // from an Amazon Web Services Nitro enclave and the encryption algorithm to
+ // use with the enclave's public key. The only valid encryption algorithm is
+ // RSAES_OAEP_SHA_256.
+ //
+ // This parameter only supports attestation documents for Amazon Web Services
+ // Nitro Enclaves. To call DeriveSharedSecret for an Amazon Web Services Nitro
+ // Enclaves, use the Amazon Web Services Nitro Enclaves SDK (https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk)
+ // to generate the attestation document and then use the Recipient parameter
+ // from any Amazon Web Services SDK to provide the attestation document for
+ // the enclave.
+ //
+ // When you use this parameter, instead of returning a plaintext copy of the
+ // shared secret, KMS encrypts the plaintext shared secret under the public
+ // key in the attestation document, and returns the resulting ciphertext in
+ // the CiphertextForRecipient field in the response. This ciphertext can be
+ // decrypted only with the private key in the enclave. The CiphertextBlob field
+ // in the response contains the encrypted shared secret derived from the KMS
+ // key specified by the KeyId parameter and public key specified by the PublicKey
+ // parameter. The SharedSecret field in the response is null or empty.
+ //
+ // For information about the interaction between KMS and Amazon Web Services
+ // Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html)
+ // in the Key Management Service Developer Guide.
+ Recipient *RecipientInfo `type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeriveSharedSecretInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeriveSharedSecretInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DeriveSharedSecretInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "DeriveSharedSecretInput"}
+ if s.KeyAgreementAlgorithm == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyAgreementAlgorithm"))
+ }
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+ if s.PublicKey == nil {
+ invalidParams.Add(request.NewErrParamRequired("PublicKey"))
+ }
+ if s.PublicKey != nil && len(s.PublicKey) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("PublicKey", 1))
+ }
+ if s.Recipient != nil {
+ if err := s.Recipient.Validate(); err != nil {
+ invalidParams.AddNested("Recipient", err.(request.ErrInvalidParams))
+ }
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *DeriveSharedSecretInput) SetDryRun(v bool) *DeriveSharedSecretInput {
+ s.DryRun = &v
+ return s
+}
+
+// SetGrantTokens sets the GrantTokens field's value.
+func (s *DeriveSharedSecretInput) SetGrantTokens(v []*string) *DeriveSharedSecretInput {
+ s.GrantTokens = v
+ return s
+}
+
+// SetKeyAgreementAlgorithm sets the KeyAgreementAlgorithm field's value.
+func (s *DeriveSharedSecretInput) SetKeyAgreementAlgorithm(v string) *DeriveSharedSecretInput {
+ s.KeyAgreementAlgorithm = &v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *DeriveSharedSecretInput) SetKeyId(v string) *DeriveSharedSecretInput {
+ s.KeyId = &v
+ return s
+}
+
+// SetPublicKey sets the PublicKey field's value.
+func (s *DeriveSharedSecretInput) SetPublicKey(v []byte) *DeriveSharedSecretInput {
+ s.PublicKey = v
+ return s
+}
+
+// SetRecipient sets the Recipient field's value.
+func (s *DeriveSharedSecretInput) SetRecipient(v *RecipientInfo) *DeriveSharedSecretInput {
+ s.Recipient = v
+ return s
+}
+
+type DeriveSharedSecretOutput struct {
+ _ struct{} `type:"structure"`
+
+ // The plaintext shared secret encrypted with the public key in the attestation
+ // document.
+ //
+ // This field is included in the response only when the Recipient parameter
+ // in the request includes a valid attestation document from an Amazon Web Services
+ // Nitro enclave. For information about the interaction between KMS and Amazon
+ // Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses
+ // KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html)
+ // in the Key Management Service Developer Guide.
+ // CiphertextForRecipient is automatically base64 encoded/decoded by the SDK.
+ CiphertextForRecipient []byte `min:"1" type:"blob"`
+
+ // Identifies the key agreement algorithm used to derive the shared secret.
+ KeyAgreementAlgorithm *string `type:"string" enum:"KeyAgreementAlgorithmSpec"`
+
+ // Identifies the KMS key used to derive the shared secret.
+ KeyId *string `min:"1" type:"string"`
+
+ // The source of the key material for the specified KMS key.
+ //
+ // When this value is AWS_KMS, KMS created the key material. When this value
+ // is EXTERNAL, the key material was imported or the KMS key doesn't have any
+ // key material.
+ //
+ // The only valid values for DeriveSharedSecret are AWS_KMS and EXTERNAL. DeriveSharedSecret
+ // does not support KMS keys with a KeyOrigin value of AWS_CLOUDHSM or EXTERNAL_KEY_STORE.
+ KeyOrigin *string `type:"string" enum:"OriginType"`
+
+ // The raw secret derived from the specified key agreement algorithm, private
+ // key in the asymmetric KMS key, and your peer's public key.
+ //
+ // If the response includes the CiphertextForRecipient field, the SharedSecret
+ // field is null or empty.
+ //
+ // SharedSecret is a sensitive parameter and its value will be
+ // replaced with "sensitive" in string returned by DeriveSharedSecretOutput's
+ // String and GoString methods.
+ //
+ // SharedSecret is automatically base64 encoded/decoded by the SDK.
+ SharedSecret []byte `min:"1" type:"blob" sensitive:"true"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeriveSharedSecretOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeriveSharedSecretOutput) GoString() string {
+ return s.String()
+}
+
+// SetCiphertextForRecipient sets the CiphertextForRecipient field's value.
+func (s *DeriveSharedSecretOutput) SetCiphertextForRecipient(v []byte) *DeriveSharedSecretOutput {
+ s.CiphertextForRecipient = v
+ return s
+}
+
+// SetKeyAgreementAlgorithm sets the KeyAgreementAlgorithm field's value.
+func (s *DeriveSharedSecretOutput) SetKeyAgreementAlgorithm(v string) *DeriveSharedSecretOutput {
+ s.KeyAgreementAlgorithm = &v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *DeriveSharedSecretOutput) SetKeyId(v string) *DeriveSharedSecretOutput {
+ s.KeyId = &v
+ return s
+}
+
+// SetKeyOrigin sets the KeyOrigin field's value.
+func (s *DeriveSharedSecretOutput) SetKeyOrigin(v string) *DeriveSharedSecretOutput {
+ s.KeyOrigin = &v
+ return s
+}
+
+// SetSharedSecret sets the SharedSecret field's value.
+func (s *DeriveSharedSecretOutput) SetSharedSecret(v []byte) *DeriveSharedSecretOutput {
+ s.SharedSecret = v
+ return s
+}
+
type DescribeCustomKeyStoresInput struct {
_ struct{} `type:"structure"`
@@ -14006,9 +14520,11 @@ type GenerateDataKeyPairInput struct {
// RSAES_OAEP_SHA_256.
//
// This parameter only supports attestation documents for Amazon Web Services
- // Nitro Enclaves. To include this parameter, use the Amazon Web Services Nitro
- // Enclaves SDK (https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk)
- // or any Amazon Web Services SDK.
+ // Nitro Enclaves. To call DeriveSharedSecret for an Amazon Web Services Nitro
+ // Enclaves, use the Amazon Web Services Nitro Enclaves SDK (https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk)
+ // to generate the attestation document and then use the Recipient parameter
+ // from any Amazon Web Services SDK to provide the attestation document for
+ // the enclave.
//
// When you use this parameter, instead of returning a plaintext copy of the
// private data key, KMS encrypts the plaintext private data key under the public
@@ -15199,25 +15715,19 @@ type GetParametersForImportInput struct {
// KeyId is a required field
KeyId *string `min:"1" type:"string" required:"true"`
- // The algorithm you will use with the asymmetric public key (PublicKey) in
- // the response to protect your key material during import. For more information,
- // see Select a wrapping algorithm (kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
+ // The algorithm you will use with the RSA public key (PublicKey) in the response
+ // to protect your key material during import. For more information, see Select
+ // a wrapping algorithm (kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
// in the Key Management Service Developer Guide.
//
// For RSA_AES wrapping algorithms, you encrypt your key material with an AES
// key that you generate, then encrypt your AES key with the RSA public key
// from KMS. For RSAES wrapping algorithms, you encrypt your key material directly
- // with the RSA public key from KMS. For SM2PKE wrapping algorithms, you encrypt
- // your key material directly with the SM2 public key from KMS.
+ // with the RSA public key from KMS.
//
// The wrapping algorithms that you can use depend on the type of key material
// that you are importing. To import an RSA private key, you must use an RSA_AES
- // wrapping algorithm, except in China Regions, where you must use the SM2PKE
- // wrapping algorithm to import an RSA private key.
- //
- // The SM2PKE wrapping algorithm is available only in China Regions. The RSA_AES_KEY_WRAP_SHA_256
- // and RSA_AES_KEY_WRAP_SHA_1 wrapping algorithms are not supported in China
- // Regions.
+ // wrapping algorithm.
//
// * RSA_AES_KEY_WRAP_SHA_256 — Supported for wrapping RSA and ECC key
// material.
@@ -15237,24 +15747,19 @@ type GetParametersForImportInput struct {
// * RSAES_PKCS1_V1_5 (Deprecated) — As of October 10, 2023, KMS does not
// support the RSAES_PKCS1_V1_5 wrapping algorithm.
//
- // * SM2PKE (China Regions only) — supported for wrapping RSA, ECC, and
- // SM2 key material.
- //
// WrappingAlgorithm is a required field
WrappingAlgorithm *string `type:"string" required:"true" enum:"AlgorithmSpec"`
- // The type of public key to return in the response. You will use this wrapping
+ // The type of RSA public key to return in the response. You will use this wrapping
// key with the specified wrapping algorithm to protect your key material during
// import.
//
- // Use the longest wrapping key that is practical.
+ // Use the longest RSA wrapping key that is practical.
//
// You cannot use an RSA_2048 public key to directly wrap an ECC_NIST_P521 private
// key. Instead, use an RSA_AES wrapping algorithm or choose a longer RSA public
// key.
//
- // The SM2 wrapping key spec is available only in China Regions.
- //
// WrappingKeySpec is a required field
WrappingKeySpec *string `type:"string" required:"true" enum:"WrappingKeySpec"`
}
@@ -15490,6 +15995,10 @@ type GetPublicKeyOutput struct {
// is ENCRYPT_DECRYPT.
EncryptionAlgorithms []*string `type:"list" enum:"EncryptionAlgorithmSpec"`
+ // The key agreement algorithm used to derive a shared secret. This field is
+ // present only when the KMS key has a KeyUsage value of KEY_AGREEMENT.
+ KeyAgreementAlgorithms []*string `type:"list" enum:"KeyAgreementAlgorithmSpec"`
+
// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
// of the asymmetric KMS key from which the public key was downloaded.
KeyId *string `min:"1" type:"string"`
@@ -15497,11 +16006,11 @@ type GetPublicKeyOutput struct {
// The type of the of the public key that was downloaded.
KeySpec *string `type:"string" enum:"KeySpec"`
- // The permitted use of the public key. Valid values are ENCRYPT_DECRYPT or
- // SIGN_VERIFY.
+ // The permitted use of the public key. Valid values for asymmetric key pairs
+ // are ENCRYPT_DECRYPT, SIGN_VERIFY, and KEY_AGREEMENT.
//
- // This information is critical. If a public key with SIGN_VERIFY key usage
- // encrypts data outside of KMS, the ciphertext cannot be decrypted.
+ // This information is critical. For example, if a public key with SIGN_VERIFY
+ // key usage encrypts data outside of KMS, the ciphertext cannot be decrypted.
KeyUsage *string `type:"string" enum:"KeyUsageType"`
// The exported public key.
@@ -15550,6 +16059,12 @@ func (s *GetPublicKeyOutput) SetEncryptionAlgorithms(v []*string) *GetPublicKeyO
return s
}
+// SetKeyAgreementAlgorithms sets the KeyAgreementAlgorithms field's value.
+func (s *GetPublicKeyOutput) SetKeyAgreementAlgorithms(v []*string) *GetPublicKeyOutput {
+ s.KeyAgreementAlgorithms = v
+ return s
+}
+
// SetKeyId sets the KeyId field's value.
func (s *GetPublicKeyOutput) SetKeyId(v string) *GetPublicKeyOutput {
s.KeyId = &v
@@ -16603,7 +17118,8 @@ func (s *InvalidImportTokenException) RequestID() string {
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@@ -17052,6 +17568,9 @@ type KeyMetadata struct {
// only when Origin is EXTERNAL, otherwise this value is omitted.
ExpirationModel *string `type:"string" enum:"ExpirationModelType"`
+ // The key agreement algorithm used to derive a shared secret.
+ KeyAgreementAlgorithms []*string `type:"list" enum:"KeyAgreementAlgorithmSpec"`
+
// The globally unique identifier for the KMS key.
//
// KeyId is a required field
@@ -17232,6 +17751,12 @@ func (s *KeyMetadata) SetExpirationModel(v string) *KeyMetadata {
return s
}
+// SetKeyAgreementAlgorithms sets the KeyAgreementAlgorithms field's value.
+func (s *KeyMetadata) SetKeyAgreementAlgorithms(v []*string) *KeyMetadata {
+ s.KeyAgreementAlgorithms = v
+ return s
+}
+
// SetKeyId sets the KeyId field's value.
func (s *KeyMetadata) SetKeyId(v string) *KeyMetadata {
s.KeyId = &v
@@ -23034,6 +23559,9 @@ const (
// GrantOperationVerifyMac is a GrantOperation enum value
GrantOperationVerifyMac = "VerifyMac"
+
+ // GrantOperationDeriveSharedSecret is a GrantOperation enum value
+ GrantOperationDeriveSharedSecret = "DeriveSharedSecret"
)
// GrantOperation_Values returns all elements of the GrantOperation enum
@@ -23055,6 +23583,19 @@ func GrantOperation_Values() []string {
GrantOperationGenerateDataKeyPairWithoutPlaintext,
GrantOperationGenerateMac,
GrantOperationVerifyMac,
+ GrantOperationDeriveSharedSecret,
+ }
+}
+
+const (
+ // KeyAgreementAlgorithmSpecEcdh is a KeyAgreementAlgorithmSpec enum value
+ KeyAgreementAlgorithmSpecEcdh = "ECDH"
+)
+
+// KeyAgreementAlgorithmSpec_Values returns all elements of the KeyAgreementAlgorithmSpec enum
+func KeyAgreementAlgorithmSpec_Values() []string {
+ return []string{
+ KeyAgreementAlgorithmSpecEcdh,
}
}
@@ -23195,6 +23736,9 @@ const (
// KeyUsageTypeGenerateVerifyMac is a KeyUsageType enum value
KeyUsageTypeGenerateVerifyMac = "GENERATE_VERIFY_MAC"
+
+ // KeyUsageTypeKeyAgreement is a KeyUsageType enum value
+ KeyUsageTypeKeyAgreement = "KEY_AGREEMENT"
)
// KeyUsageType_Values returns all elements of the KeyUsageType enum
@@ -23203,6 +23747,7 @@ func KeyUsageType_Values() []string {
KeyUsageTypeSignVerify,
KeyUsageTypeEncryptDecrypt,
KeyUsageTypeGenerateVerifyMac,
+ KeyUsageTypeKeyAgreement,
}
}
diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go b/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go
index 170e2335d..993fd2386 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go
@@ -279,7 +279,8 @@ const (
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
- // codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+ // codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+ // agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@@ -424,6 +425,7 @@ const (
// ErrCodeXksProxyInvalidResponseException for service response error code
// "XksProxyInvalidResponseException".
//
+ //
// KMS cannot interpret the response it received from the external key store
// proxy. The problem might be a poorly constructed response, but it could also
// be a transient network issue. If you see this error repeatedly, report it
diff --git a/vendor/github.com/aws/smithy-go/CHANGELOG.md b/vendor/github.com/aws/smithy-go/CHANGELOG.md
index b8d6561a4..39ffae999 100644
--- a/vendor/github.com/aws/smithy-go/CHANGELOG.md
+++ b/vendor/github.com/aws/smithy-go/CHANGELOG.md
@@ -1,3 +1,7 @@
+# Release (2024-03-29)
+
+* No change notes available for this release.
+
# Release (2024-02-21)
## Module Highlights
diff --git a/vendor/github.com/aws/smithy-go/go_module_metadata.go b/vendor/github.com/aws/smithy-go/go_module_metadata.go
index 341392e10..a6b22f353 100644
--- a/vendor/github.com/aws/smithy-go/go_module_metadata.go
+++ b/vendor/github.com/aws/smithy-go/go_module_metadata.go
@@ -3,4 +3,4 @@
package smithy
// goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.20.1"
+const goModuleVersion = "1.20.2"
diff --git a/vendor/github.com/go-jose/go-jose/v3/jwt/jwt.go b/vendor/github.com/go-jose/go-jose/v3/jwt/jwt.go
deleted file mode 100644
index 8553fc50b..000000000
--- a/vendor/github.com/go-jose/go-jose/v3/jwt/jwt.go
+++ /dev/null
@@ -1,133 +0,0 @@
-/*-
- * Copyright 2016 Zbigniew Mandziejewicz
- * Copyright 2016 Square, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jwt
-
-import (
- "fmt"
- "strings"
-
- jose "github.com/go-jose/go-jose/v3"
- "github.com/go-jose/go-jose/v3/json"
-)
-
-// JSONWebToken represents a JSON Web Token (as specified in RFC7519).
-type JSONWebToken struct {
- payload func(k interface{}) ([]byte, error)
- unverifiedPayload func() []byte
- Headers []jose.Header
-}
-
-type NestedJSONWebToken struct {
- enc *jose.JSONWebEncryption
- Headers []jose.Header
-}
-
-// Claims deserializes a JSONWebToken into dest using the provided key.
-func (t *JSONWebToken) Claims(key interface{}, dest ...interface{}) error {
- b, err := t.payload(key)
- if err != nil {
- return err
- }
-
- for _, d := range dest {
- if err := json.Unmarshal(b, d); err != nil {
- return err
- }
- }
-
- return nil
-}
-
-// UnsafeClaimsWithoutVerification deserializes the claims of a
-// JSONWebToken into the dests. For signed JWTs, the claims are not
-// verified. This function won't work for encrypted JWTs.
-func (t *JSONWebToken) UnsafeClaimsWithoutVerification(dest ...interface{}) error {
- if t.unverifiedPayload == nil {
- return fmt.Errorf("go-jose/go-jose: Cannot get unverified claims")
- }
- claims := t.unverifiedPayload()
- for _, d := range dest {
- if err := json.Unmarshal(claims, d); err != nil {
- return err
- }
- }
- return nil
-}
-
-func (t *NestedJSONWebToken) Decrypt(decryptionKey interface{}) (*JSONWebToken, error) {
- b, err := t.enc.Decrypt(decryptionKey)
- if err != nil {
- return nil, err
- }
-
- sig, err := ParseSigned(string(b))
- if err != nil {
- return nil, err
- }
-
- return sig, nil
-}
-
-// ParseSigned parses token from JWS form.
-func ParseSigned(s string) (*JSONWebToken, error) {
- sig, err := jose.ParseSigned(s)
- if err != nil {
- return nil, err
- }
- headers := make([]jose.Header, len(sig.Signatures))
- for i, signature := range sig.Signatures {
- headers[i] = signature.Header
- }
-
- return &JSONWebToken{
- payload: sig.Verify,
- unverifiedPayload: sig.UnsafePayloadWithoutVerification,
- Headers: headers,
- }, nil
-}
-
-// ParseEncrypted parses token from JWE form.
-func ParseEncrypted(s string) (*JSONWebToken, error) {
- enc, err := jose.ParseEncrypted(s)
- if err != nil {
- return nil, err
- }
-
- return &JSONWebToken{
- payload: enc.Decrypt,
- Headers: []jose.Header{enc.Header},
- }, nil
-}
-
-// ParseSignedAndEncrypted parses signed-then-encrypted token from JWE form.
-func ParseSignedAndEncrypted(s string) (*NestedJSONWebToken, error) {
- enc, err := jose.ParseEncrypted(s)
- if err != nil {
- return nil, err
- }
-
- contentType, _ := enc.Header.ExtraHeaders[jose.HeaderContentType].(string)
- if strings.ToUpper(contentType) != "JWT" {
- return nil, ErrInvalidContentType
- }
-
- return &NestedJSONWebToken{
- enc: enc,
- Headers: []jose.Header{enc.Header},
- }, nil
-}
diff --git a/vendor/github.com/go-jose/go-jose/v3/.gitignore b/vendor/github.com/go-jose/go-jose/v4/.gitignore
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/.gitignore
rename to vendor/github.com/go-jose/go-jose/v4/.gitignore
diff --git a/vendor/github.com/go-jose/go-jose/v3/.golangci.yml b/vendor/github.com/go-jose/go-jose/v4/.golangci.yml
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/.golangci.yml
rename to vendor/github.com/go-jose/go-jose/v4/.golangci.yml
diff --git a/vendor/github.com/go-jose/go-jose/v3/.travis.yml b/vendor/github.com/go-jose/go-jose/v4/.travis.yml
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/.travis.yml
rename to vendor/github.com/go-jose/go-jose/v4/.travis.yml
diff --git a/vendor/github.com/go-jose/go-jose/v3/CHANGELOG.md b/vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md
similarity index 96%
rename from vendor/github.com/go-jose/go-jose/v3/CHANGELOG.md
rename to vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md
index ce2a54ebf..28bdd2fc0 100644
--- a/vendor/github.com/go-jose/go-jose/v3/CHANGELOG.md
+++ b/vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md
@@ -45,12 +45,6 @@ token".
[1]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
-# v3.0.3
-
-## Fixed
-
- - Limit decompression output size to prevent a DoS. Backport from v4.0.1.
-
# v3.0.2
## Fixed
diff --git a/vendor/github.com/go-jose/go-jose/v3/CONTRIBUTING.md b/vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/CONTRIBUTING.md
rename to vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md
diff --git a/vendor/github.com/go-jose/go-jose/v3/LICENSE b/vendor/github.com/go-jose/go-jose/v4/LICENSE
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/LICENSE
rename to vendor/github.com/go-jose/go-jose/v4/LICENSE
diff --git a/vendor/github.com/go-jose/go-jose/v3/README.md b/vendor/github.com/go-jose/go-jose/v4/README.md
similarity index 82%
rename from vendor/github.com/go-jose/go-jose/v3/README.md
rename to vendor/github.com/go-jose/go-jose/v4/README.md
index 282cd9e13..79a7c5ecc 100644
--- a/vendor/github.com/go-jose/go-jose/v3/README.md
+++ b/vendor/github.com/go-jose/go-jose/v4/README.md
@@ -1,17 +1,9 @@
# Go JOSE
-### Versions
-
-[Version 4](https://github.com/go-jose/go-jose)
-([branch](https://github.com/go-jose/go-jose/),
-[doc](https://pkg.go.dev/github.com/go-jose/go-jose/v4), [releases](https://github.com/go-jose/go-jose/releases)) is the current stable version:
-
- import "github.com/go-jose/go-jose/v4"
-
-The old [square/go-jose](https://github.com/square/go-jose) repo contains the prior v1 and v2 versions, which
-are deprecated.
-
-### Summary
+[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4)
+[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4/jwt.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4/jwt)
+[![license](https://img.shields.io/badge/license-apache_2.0-blue.svg?style=flat)](https://raw.githubusercontent.com/go-jose/go-jose/master/LICENSE)
+[![test](https://img.shields.io/github/checks-status/go-jose/go-jose/v4)](https://github.com/go-jose/go-jose/actions)
Package jose aims to provide an implementation of the Javascript Object Signing
and Encryption set of standards. This includes support for JSON Web Encryption,
@@ -43,6 +35,20 @@ of [case-insensitive matching](https://www.ietf.org/mail-archive/web/json/curren
This is to avoid differences in interpretation of messages between go-jose and
libraries in other languages.
+### Versions
+
+[Version 4](https://github.com/go-jose/go-jose)
+([branch](https://github.com/go-jose/go-jose/tree/main),
+[doc](https://pkg.go.dev/github.com/go-jose/go-jose/v4), [releases](https://github.com/go-jose/go-jose/releases)) is the current stable version:
+
+ import "github.com/go-jose/go-jose/v4"
+
+The old [square/go-jose](https://github.com/square/go-jose) repo contains the prior v1 and v2 versions, which
+are still useable but not actively developed anymore.
+
+Version 3, in this repo, is still receiving security fixes but not functionality
+updates.
+
### Supported algorithms
See below for a table of supported algorithms. Algorithm identifiers match
@@ -98,11 +104,11 @@ allows attaching a key id.
## Examples
-[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v3.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v3)
-[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v3/jwt.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v3/jwt)
+[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4)
+[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4/jwt.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4/jwt)
Examples can be found in the Godoc
reference for this package. The
-[`jose-util`](https://github.com/go-jose/go-jose/tree/v3/jose-util)
+[`jose-util`](https://github.com/go-jose/go-jose/tree/v4/jose-util)
subdirectory also contains a small command-line utility which might be useful
as an example as well.
diff --git a/vendor/github.com/go-jose/go-jose/v3/SECURITY.md b/vendor/github.com/go-jose/go-jose/v4/SECURITY.md
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/SECURITY.md
rename to vendor/github.com/go-jose/go-jose/v4/SECURITY.md
diff --git a/vendor/github.com/go-jose/go-jose/v3/asymmetric.go b/vendor/github.com/go-jose/go-jose/v4/asymmetric.go
similarity index 99%
rename from vendor/github.com/go-jose/go-jose/v3/asymmetric.go
rename to vendor/github.com/go-jose/go-jose/v4/asymmetric.go
index d4d4961b2..f8d5774ef 100644
--- a/vendor/github.com/go-jose/go-jose/v3/asymmetric.go
+++ b/vendor/github.com/go-jose/go-jose/v4/asymmetric.go
@@ -29,8 +29,8 @@ import (
"fmt"
"math/big"
- josecipher "github.com/go-jose/go-jose/v3/cipher"
- "github.com/go-jose/go-jose/v3/json"
+ josecipher "github.com/go-jose/go-jose/v4/cipher"
+ "github.com/go-jose/go-jose/v4/json"
)
// A generic RSA-based encrypter/verifier
diff --git a/vendor/github.com/go-jose/go-jose/v3/cipher/cbc_hmac.go b/vendor/github.com/go-jose/go-jose/v4/cipher/cbc_hmac.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/cipher/cbc_hmac.go
rename to vendor/github.com/go-jose/go-jose/v4/cipher/cbc_hmac.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/cipher/concat_kdf.go b/vendor/github.com/go-jose/go-jose/v4/cipher/concat_kdf.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/cipher/concat_kdf.go
rename to vendor/github.com/go-jose/go-jose/v4/cipher/concat_kdf.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/cipher/ecdh_es.go b/vendor/github.com/go-jose/go-jose/v4/cipher/ecdh_es.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/cipher/ecdh_es.go
rename to vendor/github.com/go-jose/go-jose/v4/cipher/ecdh_es.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/cipher/key_wrap.go b/vendor/github.com/go-jose/go-jose/v4/cipher/key_wrap.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/cipher/key_wrap.go
rename to vendor/github.com/go-jose/go-jose/v4/cipher/key_wrap.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/crypter.go b/vendor/github.com/go-jose/go-jose/v4/crypter.go
similarity index 99%
rename from vendor/github.com/go-jose/go-jose/v3/crypter.go
rename to vendor/github.com/go-jose/go-jose/v4/crypter.go
index 8870e8905..aba08424c 100644
--- a/vendor/github.com/go-jose/go-jose/v3/crypter.go
+++ b/vendor/github.com/go-jose/go-jose/v4/crypter.go
@@ -22,7 +22,7 @@ import (
"errors"
"fmt"
- "github.com/go-jose/go-jose/v3/json"
+ "github.com/go-jose/go-jose/v4/json"
)
// Encrypter represents an encrypter which produces an encrypted JWE object.
diff --git a/vendor/github.com/go-jose/go-jose/v3/doc.go b/vendor/github.com/go-jose/go-jose/v4/doc.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/doc.go
rename to vendor/github.com/go-jose/go-jose/v4/doc.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/encoding.go b/vendor/github.com/go-jose/go-jose/v4/encoding.go
similarity index 92%
rename from vendor/github.com/go-jose/go-jose/v3/encoding.go
rename to vendor/github.com/go-jose/go-jose/v4/encoding.go
index 9f07cfdcb..4f6e0d4a5 100644
--- a/vendor/github.com/go-jose/go-jose/v3/encoding.go
+++ b/vendor/github.com/go-jose/go-jose/v4/encoding.go
@@ -27,7 +27,7 @@ import (
"strings"
"unicode"
- "github.com/go-jose/go-jose/v3/json"
+ "github.com/go-jose/go-jose/v4/json"
)
// Helper function to serialize known-good objects.
@@ -106,10 +106,7 @@ func inflate(input []byte) ([]byte, error) {
output := new(bytes.Buffer)
reader := flate.NewReader(bytes.NewBuffer(input))
- maxCompressedSize := 10 * int64(len(input))
- if maxCompressedSize < 250000 {
- maxCompressedSize = 250000
- }
+ maxCompressedSize := max(250_000, 10*int64(len(input)))
limit := maxCompressedSize + 1
n, err := io.CopyN(output, reader, limit)
@@ -167,7 +164,7 @@ func (b *byteBuffer) UnmarshalJSON(data []byte) error {
return nil
}
- decoded, err := base64URLDecode(encoded)
+ decoded, err := base64.RawURLEncoding.DecodeString(encoded)
if err != nil {
return err
}
@@ -197,12 +194,6 @@ func (b byteBuffer) toInt() int {
return int(b.bigInt().Int64())
}
-// base64URLDecode is implemented as defined in https://www.rfc-editor.org/rfc/rfc7515.html#appendix-C
-func base64URLDecode(value string) ([]byte, error) {
- value = strings.TrimRight(value, "=")
- return base64.RawURLEncoding.DecodeString(value)
-}
-
func base64EncodeLen(sl []byte) int {
return base64.RawURLEncoding.EncodedLen(len(sl))
}
diff --git a/vendor/github.com/go-jose/go-jose/v3/json/LICENSE b/vendor/github.com/go-jose/go-jose/v4/json/LICENSE
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/json/LICENSE
rename to vendor/github.com/go-jose/go-jose/v4/json/LICENSE
diff --git a/vendor/github.com/go-jose/go-jose/v3/json/README.md b/vendor/github.com/go-jose/go-jose/v4/json/README.md
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/json/README.md
rename to vendor/github.com/go-jose/go-jose/v4/json/README.md
diff --git a/vendor/github.com/go-jose/go-jose/v3/json/decode.go b/vendor/github.com/go-jose/go-jose/v4/json/decode.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/json/decode.go
rename to vendor/github.com/go-jose/go-jose/v4/json/decode.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/json/encode.go b/vendor/github.com/go-jose/go-jose/v4/json/encode.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/json/encode.go
rename to vendor/github.com/go-jose/go-jose/v4/json/encode.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/json/indent.go b/vendor/github.com/go-jose/go-jose/v4/json/indent.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/json/indent.go
rename to vendor/github.com/go-jose/go-jose/v4/json/indent.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/json/scanner.go b/vendor/github.com/go-jose/go-jose/v4/json/scanner.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/json/scanner.go
rename to vendor/github.com/go-jose/go-jose/v4/json/scanner.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/json/stream.go b/vendor/github.com/go-jose/go-jose/v4/json/stream.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/json/stream.go
rename to vendor/github.com/go-jose/go-jose/v4/json/stream.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/json/tags.go b/vendor/github.com/go-jose/go-jose/v4/json/tags.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/json/tags.go
rename to vendor/github.com/go-jose/go-jose/v4/json/tags.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/jwe.go b/vendor/github.com/go-jose/go-jose/v4/jwe.go
similarity index 63%
rename from vendor/github.com/go-jose/go-jose/v3/jwe.go
rename to vendor/github.com/go-jose/go-jose/v4/jwe.go
index 4267ac750..89f03ee3e 100644
--- a/vendor/github.com/go-jose/go-jose/v3/jwe.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jwe.go
@@ -18,10 +18,11 @@ package jose
import (
"encoding/base64"
+ "errors"
"fmt"
"strings"
- "github.com/go-jose/go-jose/v3/json"
+ "github.com/go-jose/go-jose/v4/json"
)
// rawJSONWebEncryption represents a raw JWE JSON object. Used for parsing/serializing.
@@ -104,29 +105,75 @@ func (obj JSONWebEncryption) computeAuthData() []byte {
return output
}
-// ParseEncrypted parses an encrypted message in compact or JWE JSON Serialization format.
-func ParseEncrypted(input string) (*JSONWebEncryption, error) {
- input = stripWhitespace(input)
- if strings.HasPrefix(input, "{") {
- return parseEncryptedFull(input)
+func containsKeyAlgorithm(haystack []KeyAlgorithm, needle KeyAlgorithm) bool {
+ for _, algorithm := range haystack {
+ if algorithm == needle {
+ return true
+ }
}
-
- return parseEncryptedCompact(input)
+ return false
}
-// parseEncryptedFull parses a message in compact format.
-func parseEncryptedFull(input string) (*JSONWebEncryption, error) {
+func containsContentEncryption(haystack []ContentEncryption, needle ContentEncryption) bool {
+ for _, algorithm := range haystack {
+ if algorithm == needle {
+ return true
+ }
+ }
+ return false
+}
+
+// ParseEncrypted parses an encrypted message in JWE Compact or JWE JSON Serialization.
+//
+// https://datatracker.ietf.org/doc/html/rfc7516#section-3.1
+// https://datatracker.ietf.org/doc/html/rfc7516#section-3.2
+//
+// The keyAlgorithms and contentEncryption parameters are used to validate the "alg" and "enc"
+// header parameters respectively. They must be nonempty, and each "alg" or "enc" header in
+// parsed data must contain a value that is present in the corresponding parameter. That
+// includes the protected and unprotected headers as well as all recipients. To accept
+// multiple algorithms, pass a slice of all the algorithms you want to accept.
+func ParseEncrypted(input string,
+ keyEncryptionAlgorithms []KeyAlgorithm,
+ contentEncryption []ContentEncryption,
+) (*JSONWebEncryption, error) {
+ input = stripWhitespace(input)
+ if strings.HasPrefix(input, "{") {
+ return ParseEncryptedJSON(input, keyEncryptionAlgorithms, contentEncryption)
+ }
+
+ return ParseEncryptedCompact(input, keyEncryptionAlgorithms, contentEncryption)
+}
+
+// ParseEncryptedJSON parses a message in JWE JSON Serialization.
+//
+// https://datatracker.ietf.org/doc/html/rfc7516#section-3.2
+func ParseEncryptedJSON(
+ input string,
+ keyEncryptionAlgorithms []KeyAlgorithm,
+ contentEncryption []ContentEncryption,
+) (*JSONWebEncryption, error) {
var parsed rawJSONWebEncryption
err := json.Unmarshal([]byte(input), &parsed)
if err != nil {
return nil, err
}
- return parsed.sanitized()
+ return parsed.sanitized(keyEncryptionAlgorithms, contentEncryption)
}
// sanitized produces a cleaned-up JWE object from the raw JSON.
-func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
+func (parsed *rawJSONWebEncryption) sanitized(
+ keyEncryptionAlgorithms []KeyAlgorithm,
+ contentEncryption []ContentEncryption,
+) (*JSONWebEncryption, error) {
+ if len(keyEncryptionAlgorithms) == 0 {
+ return nil, errors.New("go-jose/go-jose: no key algorithms provided")
+ }
+ if len(contentEncryption) == 0 {
+ return nil, errors.New("go-jose/go-jose: no content encryption algorithms provided")
+ }
+
obj := &JSONWebEncryption{
original: parsed,
unprotected: parsed.Unprotected,
@@ -170,7 +217,7 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
} else {
obj.recipients = make([]recipientInfo, len(parsed.Recipients))
for r := range parsed.Recipients {
- encryptedKey, err := base64URLDecode(parsed.Recipients[r].EncryptedKey)
+ encryptedKey, err := base64.RawURLEncoding.DecodeString(parsed.Recipients[r].EncryptedKey)
if err != nil {
return nil, err
}
@@ -185,10 +232,31 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
}
}
- for _, recipient := range obj.recipients {
+ for i, recipient := range obj.recipients {
headers := obj.mergedHeaders(&recipient)
- if headers.getAlgorithm() == "" || headers.getEncryption() == "" {
- return nil, fmt.Errorf("go-jose/go-jose: message is missing alg/enc headers")
+ if headers.getAlgorithm() == "" {
+ return nil, fmt.Errorf(`go-jose/go-jose: recipient %d: missing header "alg"`, i)
+ }
+ if headers.getEncryption() == "" {
+ return nil, fmt.Errorf(`go-jose/go-jose: recipient %d: missing header "enc"`, i)
+ }
+ err := validateAlgEnc(headers, keyEncryptionAlgorithms, contentEncryption)
+ if err != nil {
+ return nil, fmt.Errorf("go-jose/go-jose: recipient %d: %s", i, err)
+ }
+
+ }
+
+ if obj.protected != nil {
+ err := validateAlgEnc(*obj.protected, keyEncryptionAlgorithms, contentEncryption)
+ if err != nil {
+ return nil, fmt.Errorf("go-jose/go-jose: protected header: %s", err)
+ }
+ }
+ if obj.unprotected != nil {
+ err := validateAlgEnc(*obj.unprotected, keyEncryptionAlgorithms, contentEncryption)
+ if err != nil {
+ return nil, fmt.Errorf("go-jose/go-jose: unprotected header: %s", err)
}
}
@@ -200,34 +268,52 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
return obj, nil
}
-// parseEncryptedCompact parses a message in compact format.
-func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
+func validateAlgEnc(headers rawHeader, keyAlgorithms []KeyAlgorithm, contentEncryption []ContentEncryption) error {
+ alg := headers.getAlgorithm()
+ enc := headers.getEncryption()
+ if alg != "" && !containsKeyAlgorithm(keyAlgorithms, alg) {
+ return fmt.Errorf("unexpected key algorithm %q; expected %q", alg, keyAlgorithms)
+ }
+ if alg != "" && !containsContentEncryption(contentEncryption, enc) {
+ return fmt.Errorf("unexpected content encryption algorithm %q; expected %q", enc, contentEncryption)
+ }
+ return nil
+}
+
+// ParseEncryptedCompact parses a message in JWE Compact Serialization.
+//
+// https://datatracker.ietf.org/doc/html/rfc7516#section-3.1
+func ParseEncryptedCompact(
+ input string,
+ keyAlgorithms []KeyAlgorithm,
+ contentEncryption []ContentEncryption,
+) (*JSONWebEncryption, error) {
parts := strings.Split(input, ".")
if len(parts) != 5 {
return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
}
- rawProtected, err := base64URLDecode(parts[0])
+ rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
if err != nil {
return nil, err
}
- encryptedKey, err := base64URLDecode(parts[1])
+ encryptedKey, err := base64.RawURLEncoding.DecodeString(parts[1])
if err != nil {
return nil, err
}
- iv, err := base64URLDecode(parts[2])
+ iv, err := base64.RawURLEncoding.DecodeString(parts[2])
if err != nil {
return nil, err
}
- ciphertext, err := base64URLDecode(parts[3])
+ ciphertext, err := base64.RawURLEncoding.DecodeString(parts[3])
if err != nil {
return nil, err
}
- tag, err := base64URLDecode(parts[4])
+ tag, err := base64.RawURLEncoding.DecodeString(parts[4])
if err != nil {
return nil, err
}
@@ -240,7 +326,7 @@ func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
Tag: newBuffer(tag),
}
- return raw.sanitized()
+ return raw.sanitized(keyAlgorithms, contentEncryption)
}
// CompactSerialize serializes an object using the compact serialization format.
diff --git a/vendor/github.com/go-jose/go-jose/v3/jwk.go b/vendor/github.com/go-jose/go-jose/v4/jwk.go
similarity index 99%
rename from vendor/github.com/go-jose/go-jose/v3/jwk.go
rename to vendor/github.com/go-jose/go-jose/v4/jwk.go
index e4021959a..a565aaab2 100644
--- a/vendor/github.com/go-jose/go-jose/v3/jwk.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jwk.go
@@ -35,7 +35,7 @@ import (
"reflect"
"strings"
- "github.com/go-jose/go-jose/v3/json"
+ "github.com/go-jose/go-jose/v4/json"
)
// rawJSONWebKey represents a public or private key in JWK format, used for parsing/serializing.
@@ -266,7 +266,7 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
// x5t parameters are base64url-encoded SHA thumbprints
// See RFC 7517, Section 4.8, https://tools.ietf.org/html/rfc7517#section-4.8
- x5tSHA1bytes, err := base64URLDecode(raw.X5tSHA1)
+ x5tSHA1bytes, err := base64.RawURLEncoding.DecodeString(raw.X5tSHA1)
if err != nil {
return errors.New("go-jose/go-jose: invalid JWK, x5t header has invalid encoding")
}
@@ -286,7 +286,7 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
k.CertificateThumbprintSHA1 = x5tSHA1bytes
- x5tSHA256bytes, err := base64URLDecode(raw.X5tSHA256)
+ x5tSHA256bytes, err := base64.RawURLEncoding.DecodeString(raw.X5tSHA256)
if err != nil {
return errors.New("go-jose/go-jose: invalid JWK, x5t#S256 header has invalid encoding")
}
diff --git a/vendor/github.com/go-jose/go-jose/v3/jws.go b/vendor/github.com/go-jose/go-jose/v4/jws.go
similarity index 80%
rename from vendor/github.com/go-jose/go-jose/v3/jws.go
rename to vendor/github.com/go-jose/go-jose/v4/jws.go
index e37007dbb..3a912301a 100644
--- a/vendor/github.com/go-jose/go-jose/v3/jws.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jws.go
@@ -23,7 +23,7 @@ import (
"fmt"
"strings"
- "github.com/go-jose/go-jose/v3/json"
+ "github.com/go-jose/go-jose/v4/json"
)
// rawJSONWebSignature represents a raw JWS JSON object. Used for parsing/serializing.
@@ -75,22 +75,41 @@ type Signature struct {
original *rawSignatureInfo
}
-// ParseSigned parses a signed message in compact or JWS JSON Serialization format.
-func ParseSigned(signature string) (*JSONWebSignature, error) {
+// ParseSigned parses a signed message in JWS Compact or JWS JSON Serialization.
+//
+// https://datatracker.ietf.org/doc/html/rfc7515#section-7
+func ParseSigned(
+ signature string,
+ signatureAlgorithms []SignatureAlgorithm,
+) (*JSONWebSignature, error) {
signature = stripWhitespace(signature)
if strings.HasPrefix(signature, "{") {
- return parseSignedFull(signature)
+ return ParseSignedJSON(signature, signatureAlgorithms)
}
- return parseSignedCompact(signature, nil)
+ return parseSignedCompact(signature, nil, signatureAlgorithms)
+}
+
+// ParseSignedCompact parses a message in JWS Compact Serialization.
+//
+// https://datatracker.ietf.org/doc/html/rfc7515#section-7.1
+func ParseSignedCompact(
+ signature string,
+ signatureAlgorithms []SignatureAlgorithm,
+) (*JSONWebSignature, error) {
+ return parseSignedCompact(signature, nil, signatureAlgorithms)
}
// ParseDetached parses a signed message in compact serialization format with detached payload.
-func ParseDetached(signature string, payload []byte) (*JSONWebSignature, error) {
+func ParseDetached(
+ signature string,
+ payload []byte,
+ signatureAlgorithms []SignatureAlgorithm,
+) (*JSONWebSignature, error) {
if payload == nil {
return nil, errors.New("go-jose/go-jose: nil payload")
}
- return parseSignedCompact(stripWhitespace(signature), payload)
+ return parseSignedCompact(stripWhitespace(signature), payload, signatureAlgorithms)
}
// Get a header value
@@ -137,19 +156,36 @@ func (obj JSONWebSignature) computeAuthData(payload []byte, signature *Signature
return authData.Bytes(), nil
}
-// parseSignedFull parses a message in full format.
-func parseSignedFull(input string) (*JSONWebSignature, error) {
+// ParseSignedJSON parses a message in JWS JSON Serialization.
+//
+// https://datatracker.ietf.org/doc/html/rfc7515#section-7.2
+func ParseSignedJSON(
+ input string,
+ signatureAlgorithms []SignatureAlgorithm,
+) (*JSONWebSignature, error) {
var parsed rawJSONWebSignature
err := json.Unmarshal([]byte(input), &parsed)
if err != nil {
return nil, err
}
- return parsed.sanitized()
+ return parsed.sanitized(signatureAlgorithms)
+}
+
+func containsSignatureAlgorithm(haystack []SignatureAlgorithm, needle SignatureAlgorithm) bool {
+ for _, algorithm := range haystack {
+ if algorithm == needle {
+ return true
+ }
+ }
+ return false
}
// sanitized produces a cleaned-up JWS object from the raw JSON.
-func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
+func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgorithm) (*JSONWebSignature, error) {
+ if len(signatureAlgorithms) == 0 {
+ return nil, errors.New("go-jose/go-jose: no signature algorithms specified")
+ }
if parsed.Payload == nil {
return nil, fmt.Errorf("go-jose/go-jose: missing payload in JWS message")
}
@@ -198,6 +234,12 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
return nil, err
}
+ alg := SignatureAlgorithm(signature.Header.Algorithm)
+ if !containsSignatureAlgorithm(signatureAlgorithms, alg) {
+ return nil, fmt.Errorf("go-jose/go-jose: unexpected signature algorithm %q; expected %q",
+ alg, signatureAlgorithms)
+ }
+
if signature.header != nil {
signature.Unprotected, err = signature.header.sanitized()
if err != nil {
@@ -241,6 +283,12 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
return nil, err
}
+ alg := SignatureAlgorithm(obj.Signatures[i].Header.Algorithm)
+ if !containsSignatureAlgorithm(signatureAlgorithms, alg) {
+ return nil, fmt.Errorf("go-jose/go-jose: unexpected signature algorithm %q; expected %q",
+ alg, signatureAlgorithms)
+ }
+
if obj.Signatures[i].header != nil {
obj.Signatures[i].Unprotected, err = obj.Signatures[i].header.sanitized()
if err != nil {
@@ -274,7 +322,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
}
// parseSignedCompact parses a message in compact format.
-func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
+func parseSignedCompact(
+ input string,
+ payload []byte,
+ signatureAlgorithms []SignatureAlgorithm,
+) (*JSONWebSignature, error) {
parts := strings.Split(input, ".")
if len(parts) != 3 {
return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
@@ -284,19 +336,19 @@ func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error)
return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
}
- rawProtected, err := base64URLDecode(parts[0])
+ rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
if err != nil {
return nil, err
}
if payload == nil {
- payload, err = base64URLDecode(parts[1])
+ payload, err = base64.RawURLEncoding.DecodeString(parts[1])
if err != nil {
return nil, err
}
}
- signature, err := base64URLDecode(parts[2])
+ signature, err := base64.RawURLEncoding.DecodeString(parts[2])
if err != nil {
return nil, err
}
@@ -306,7 +358,7 @@ func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error)
Protected: newBuffer(rawProtected),
Signature: newBuffer(signature),
}
- return raw.sanitized()
+ return raw.sanitized(signatureAlgorithms)
}
func (obj JSONWebSignature) compactSerialize(detached bool) (string, error) {
diff --git a/vendor/github.com/go-jose/go-jose/v3/jwt/builder.go b/vendor/github.com/go-jose/go-jose/v4/jwt/builder.go
similarity index 83%
rename from vendor/github.com/go-jose/go-jose/v3/jwt/builder.go
rename to vendor/github.com/go-jose/go-jose/v4/jwt/builder.go
index 7df270cc3..d68bb3725 100644
--- a/vendor/github.com/go-jose/go-jose/v3/jwt/builder.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jwt/builder.go
@@ -21,13 +21,13 @@ import (
"bytes"
"reflect"
- "github.com/go-jose/go-jose/v3/json"
+ "github.com/go-jose/go-jose/v4/json"
- "github.com/go-jose/go-jose/v3"
+ "github.com/go-jose/go-jose/v4"
)
// Builder is a utility for making JSON Web Tokens. Calls can be chained, and
-// errors are accumulated until the final call to CompactSerialize/FullSerialize.
+// errors are accumulated until the final call to Serialize.
type Builder interface {
// Claims encodes claims into JWE/JWS form. Multiple calls will merge claims
// into single JSON object. If you are passing private claims, make sure to set
@@ -36,15 +36,13 @@ type Builder interface {
Claims(i interface{}) Builder
// Token builds a JSONWebToken from provided data.
Token() (*JSONWebToken, error)
- // FullSerialize serializes a token using the JWS/JWE JSON Serialization format.
- FullSerialize() (string, error)
- // CompactSerialize serializes a token using the compact serialization format.
- CompactSerialize() (string, error)
+ // Serialize serializes a token.
+ Serialize() (string, error)
}
// NestedBuilder is a utility for making Signed-Then-Encrypted JSON Web Tokens.
// Calls can be chained, and errors are accumulated until final call to
-// CompactSerialize/FullSerialize.
+// Serialize.
type NestedBuilder interface {
// Claims encodes claims into JWE/JWS form. Multiple calls will merge claims
// into single JSON object. If you are passing private claims, make sure to set
@@ -53,10 +51,8 @@ type NestedBuilder interface {
Claims(i interface{}) NestedBuilder
// Token builds a NestedJSONWebToken from provided data.
Token() (*NestedJSONWebToken, error)
- // FullSerialize serializes a token using the JSON Serialization format.
- FullSerialize() (string, error)
- // CompactSerialize serializes a token using the compact serialization format.
- CompactSerialize() (string, error)
+ // Serialize serializes a token.
+ Serialize() (string, error)
}
type builder struct {
@@ -194,7 +190,7 @@ func (b *signedBuilder) Token() (*JSONWebToken, error) {
return b.builder.token(sig.Verify, h)
}
-func (b *signedBuilder) CompactSerialize() (string, error) {
+func (b *signedBuilder) Serialize() (string, error) {
sig, err := b.sign()
if err != nil {
return "", err
@@ -203,15 +199,6 @@ func (b *signedBuilder) CompactSerialize() (string, error) {
return sig.CompactSerialize()
}
-func (b *signedBuilder) FullSerialize() (string, error) {
- sig, err := b.sign()
- if err != nil {
- return "", err
- }
-
- return sig.FullSerialize(), nil
-}
-
func (b *signedBuilder) sign() (*jose.JSONWebSignature, error) {
if b.err != nil {
return nil, b.err
@@ -232,7 +219,7 @@ func (b *encryptedBuilder) Claims(i interface{}) Builder {
}
}
-func (b *encryptedBuilder) CompactSerialize() (string, error) {
+func (b *encryptedBuilder) Serialize() (string, error) {
enc, err := b.encrypt()
if err != nil {
return "", err
@@ -241,15 +228,6 @@ func (b *encryptedBuilder) CompactSerialize() (string, error) {
return enc.CompactSerialize()
}
-func (b *encryptedBuilder) FullSerialize() (string, error) {
- enc, err := b.encrypt()
- if err != nil {
- return "", err
- }
-
- return enc.FullSerialize(), nil
-}
-
func (b *encryptedBuilder) Token() (*JSONWebToken, error) {
enc, err := b.encrypt()
if err != nil {
@@ -280,6 +258,8 @@ func (b *nestedBuilder) Claims(i interface{}) NestedBuilder {
}
}
+// Token produced a token suitable for serialization. It cannot be decrypted
+// without serializing and then deserializing.
func (b *nestedBuilder) Token() (*NestedJSONWebToken, error) {
enc, err := b.signAndEncrypt()
if err != nil {
@@ -287,12 +267,13 @@ func (b *nestedBuilder) Token() (*NestedJSONWebToken, error) {
}
return &NestedJSONWebToken{
- enc: enc,
- Headers: []jose.Header{enc.Header},
+ allowedSignatureAlgorithms: nil,
+ enc: enc,
+ Headers: []jose.Header{enc.Header},
}, nil
}
-func (b *nestedBuilder) CompactSerialize() (string, error) {
+func (b *nestedBuilder) Serialize() (string, error) {
enc, err := b.signAndEncrypt()
if err != nil {
return "", err
diff --git a/vendor/github.com/go-jose/go-jose/v3/jwt/claims.go b/vendor/github.com/go-jose/go-jose/v4/jwt/claims.go
similarity index 98%
rename from vendor/github.com/go-jose/go-jose/v3/jwt/claims.go
rename to vendor/github.com/go-jose/go-jose/v4/jwt/claims.go
index b2a8dc8d4..e73412a39 100644
--- a/vendor/github.com/go-jose/go-jose/v3/jwt/claims.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jwt/claims.go
@@ -21,7 +21,7 @@ import (
"strconv"
"time"
- "github.com/go-jose/go-jose/v3/json"
+ "github.com/go-jose/go-jose/v4/json"
)
// Claims represents public claim values (as specified in RFC 7519).
diff --git a/vendor/github.com/go-jose/go-jose/v3/jwt/doc.go b/vendor/github.com/go-jose/go-jose/v4/jwt/doc.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/jwt/doc.go
rename to vendor/github.com/go-jose/go-jose/v4/jwt/doc.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/jwt/errors.go b/vendor/github.com/go-jose/go-jose/v4/jwt/errors.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/jwt/errors.go
rename to vendor/github.com/go-jose/go-jose/v4/jwt/errors.go
diff --git a/vendor/github.com/go-jose/go-jose/v4/jwt/jwt.go b/vendor/github.com/go-jose/go-jose/v4/jwt/jwt.go
new file mode 100644
index 000000000..c4998d787
--- /dev/null
+++ b/vendor/github.com/go-jose/go-jose/v4/jwt/jwt.go
@@ -0,0 +1,198 @@
+/*-
+ * Copyright 2016 Zbigniew Mandziejewicz
+ * Copyright 2016 Square, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jwt
+
+import (
+ "fmt"
+ "strings"
+
+ jose "github.com/go-jose/go-jose/v4"
+ "github.com/go-jose/go-jose/v4/json"
+)
+
+// JSONWebToken represents a JSON Web Token (as specified in RFC7519).
+type JSONWebToken struct {
+ payload func(k interface{}) ([]byte, error)
+ unverifiedPayload func() []byte
+ Headers []jose.Header
+}
+
+type NestedJSONWebToken struct {
+ enc *jose.JSONWebEncryption
+ Headers []jose.Header
+ // Used when parsing and decrypting an input
+ allowedSignatureAlgorithms []jose.SignatureAlgorithm
+}
+
+// Claims deserializes a JSONWebToken into dest using the provided key.
+func (t *JSONWebToken) Claims(key interface{}, dest ...interface{}) error {
+ b, err := t.payload(key)
+ if err != nil {
+ return err
+ }
+
+ for _, d := range dest {
+ if err := json.Unmarshal(b, d); err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
+
+// UnsafeClaimsWithoutVerification deserializes the claims of a
+// JSONWebToken into the dests. For signed JWTs, the claims are not
+// verified. This function won't work for encrypted JWTs.
+func (t *JSONWebToken) UnsafeClaimsWithoutVerification(dest ...interface{}) error {
+ if t.unverifiedPayload == nil {
+ return fmt.Errorf("go-jose/go-jose: Cannot get unverified claims")
+ }
+ claims := t.unverifiedPayload()
+ for _, d := range dest {
+ if err := json.Unmarshal(claims, d); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
+func (t *NestedJSONWebToken) Decrypt(decryptionKey interface{}) (*JSONWebToken, error) {
+ b, err := t.enc.Decrypt(decryptionKey)
+ if err != nil {
+ return nil, err
+ }
+
+ sig, err := ParseSigned(string(b), t.allowedSignatureAlgorithms)
+ if err != nil {
+ return nil, err
+ }
+
+ return sig, nil
+}
+
+// ParseSigned parses token from JWS form.
+func ParseSigned(s string, signatureAlgorithms []jose.SignatureAlgorithm) (*JSONWebToken, error) {
+ sig, err := jose.ParseSignedCompact(s, signatureAlgorithms)
+ if err != nil {
+ return nil, err
+ }
+ headers := make([]jose.Header, len(sig.Signatures))
+ for i, signature := range sig.Signatures {
+ headers[i] = signature.Header
+ }
+
+ return &JSONWebToken{
+ payload: sig.Verify,
+ unverifiedPayload: sig.UnsafePayloadWithoutVerification,
+ Headers: headers,
+ }, nil
+}
+
+func validateKeyEncryptionAlgorithm(algs []jose.KeyAlgorithm) error {
+ for _, alg := range algs {
+ switch alg {
+ case jose.ED25519,
+ jose.RSA1_5,
+ jose.RSA_OAEP,
+ jose.RSA_OAEP_256,
+ jose.ECDH_ES,
+ jose.ECDH_ES_A128KW,
+ jose.ECDH_ES_A192KW,
+ jose.ECDH_ES_A256KW:
+ return fmt.Errorf("asymmetric encryption algorithms not supported for JWT: "+
+ "invalid key encryption algorithm: %s", alg)
+ case jose.PBES2_HS256_A128KW,
+ jose.PBES2_HS384_A192KW,
+ jose.PBES2_HS512_A256KW:
+ return fmt.Errorf("password-based encryption not supported for JWT: "+
+ "invalid key encryption algorithm: %s", alg)
+ }
+ }
+ return nil
+}
+
+func parseEncryptedCompact(
+ s string,
+ keyAlgorithms []jose.KeyAlgorithm,
+ contentEncryption []jose.ContentEncryption,
+) (*jose.JSONWebEncryption, error) {
+ err := validateKeyEncryptionAlgorithm(keyAlgorithms)
+ if err != nil {
+ return nil, err
+ }
+ enc, err := jose.ParseEncryptedCompact(s, keyAlgorithms, contentEncryption)
+ if err != nil {
+ return nil, err
+ }
+ return enc, nil
+}
+
+// ParseEncrypted parses token from JWE form.
+//
+// The keyAlgorithms and contentEncryption parameters are used to validate the "alg" and "enc"
+// header parameters respectively. They must be nonempty, and each "alg" or "enc" header in
+// parsed data must contain a value that is present in the corresponding parameter. That
+// includes the protected and unprotected headers as well as all recipients. To accept
+// multiple algorithms, pass a slice of all the algorithms you want to accept.
+func ParseEncrypted(s string,
+ keyAlgorithms []jose.KeyAlgorithm,
+ contentEncryption []jose.ContentEncryption,
+) (*JSONWebToken, error) {
+ enc, err := parseEncryptedCompact(s, keyAlgorithms, contentEncryption)
+ if err != nil {
+ return nil, err
+ }
+
+ return &JSONWebToken{
+ payload: enc.Decrypt,
+ Headers: []jose.Header{enc.Header},
+ }, nil
+}
+
+// ParseSignedAndEncrypted parses signed-then-encrypted token from JWE form.
+//
+// The encryptionKeyAlgorithms and contentEncryption parameters are used to validate the "alg" and "enc"
+// header parameters, respectively, of the outer JWE. They must be nonempty, and each "alg" or "enc"
+// header in parsed data must contain a value that is present in the corresponding parameter. That
+// includes the protected and unprotected headers as well as all recipients. To accept
+// multiple algorithms, pass a slice of all the algorithms you want to accept.
+//
+// The signatureAlgorithms parameter is used to validate the "alg" header parameter of the
+// inner JWS. It must be nonempty, and the "alg" header in the inner JWS must contain a value
+// that is present in the parameter.
+func ParseSignedAndEncrypted(s string,
+ encryptionKeyAlgorithms []jose.KeyAlgorithm,
+ contentEncryption []jose.ContentEncryption,
+ signatureAlgorithms []jose.SignatureAlgorithm,
+) (*NestedJSONWebToken, error) {
+ enc, err := parseEncryptedCompact(s, encryptionKeyAlgorithms, contentEncryption)
+ if err != nil {
+ return nil, err
+ }
+
+ contentType, _ := enc.Header.ExtraHeaders[jose.HeaderContentType].(string)
+ if strings.ToUpper(contentType) != "JWT" {
+ return nil, ErrInvalidContentType
+ }
+
+ return &NestedJSONWebToken{
+ allowedSignatureAlgorithms: signatureAlgorithms,
+ enc: enc,
+ Headers: []jose.Header{enc.Header},
+ }, nil
+}
diff --git a/vendor/github.com/go-jose/go-jose/v3/jwt/validation.go b/vendor/github.com/go-jose/go-jose/v4/jwt/validation.go
similarity index 91%
rename from vendor/github.com/go-jose/go-jose/v3/jwt/validation.go
rename to vendor/github.com/go-jose/go-jose/v4/jwt/validation.go
index 09d8541f4..841a93eef 100644
--- a/vendor/github.com/go-jose/go-jose/v3/jwt/validation.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jwt/validation.go
@@ -33,8 +33,9 @@ type Expected struct {
Issuer string
// Subject matches the "sub" claim exactly.
Subject string
- // Audience matches the values in "aud" claim, regardless of their order.
- Audience Audience
+ // AnyAudience matches if there is a non-empty intersection between
+ // its values and the values in the "aud" claim.
+ AnyAudience Audience
// ID matches the "jti" claim exactly.
ID string
// Time matches the "exp", "nbf" and "iat" claims with leeway.
@@ -88,12 +89,18 @@ func (c Claims) ValidateWithLeeway(e Expected, leeway time.Duration) error {
return ErrInvalidID
}
- if len(e.Audience) != 0 {
- for _, v := range e.Audience {
- if !c.Audience.Contains(v) {
- return ErrInvalidAudience
+ if len(e.AnyAudience) != 0 {
+ var intersection bool
+ for _, v := range e.AnyAudience {
+ if c.Audience.Contains(v) {
+ intersection = true
+ break
}
}
+
+ if !intersection {
+ return ErrInvalidAudience
+ }
}
// validate using the e.Time, or time.Now if not provided
diff --git a/vendor/github.com/go-jose/go-jose/v3/opaque.go b/vendor/github.com/go-jose/go-jose/v4/opaque.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/opaque.go
rename to vendor/github.com/go-jose/go-jose/v4/opaque.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/shared.go b/vendor/github.com/go-jose/go-jose/v4/shared.go
similarity index 99%
rename from vendor/github.com/go-jose/go-jose/v3/shared.go
rename to vendor/github.com/go-jose/go-jose/v4/shared.go
index 489a04e32..b485e43bd 100644
--- a/vendor/github.com/go-jose/go-jose/v3/shared.go
+++ b/vendor/github.com/go-jose/go-jose/v4/shared.go
@@ -23,7 +23,7 @@ import (
"errors"
"fmt"
- "github.com/go-jose/go-jose/v3/json"
+ "github.com/go-jose/go-jose/v4/json"
)
// KeyAlgorithm represents a key management algorithm.
diff --git a/vendor/github.com/go-jose/go-jose/v3/signing.go b/vendor/github.com/go-jose/go-jose/v4/signing.go
similarity index 97%
rename from vendor/github.com/go-jose/go-jose/v3/signing.go
rename to vendor/github.com/go-jose/go-jose/v4/signing.go
index 52f3d8560..f0b0294f3 100644
--- a/vendor/github.com/go-jose/go-jose/v3/signing.go
+++ b/vendor/github.com/go-jose/go-jose/v4/signing.go
@@ -25,7 +25,7 @@ import (
"errors"
"fmt"
- "github.com/go-jose/go-jose/v3/json"
+ "github.com/go-jose/go-jose/v4/json"
)
// NonceSource represents a source of random nonces to go into JWS objects
@@ -49,6 +49,11 @@ type Signer interface {
// - JSONWebKey
// - []byte (an HMAC key)
// - Any type that satisfies the OpaqueSigner interface
+//
+// If the key is an HMAC key, it must have at least as many bytes as the relevant hash output:
+// - HS256: 32 bytes
+// - HS384: 48 bytes
+// - HS512: 64 bytes
type SigningKey struct {
Algorithm SignatureAlgorithm
Key interface{}
@@ -355,6 +360,11 @@ func (ctx *genericSigner) Options() SignerOptions {
// - JSONWebKey
// - []byte (an HMAC key)
// - Any type that implements the OpaqueVerifier interface.
+//
+// If the key is an HMAC key, it must have at least as many bytes as the relevant hash output:
+// - HS256: 32 bytes
+// - HS384: 48 bytes
+// - HS512: 64 bytes
func (obj JSONWebSignature) Verify(verificationKey interface{}) ([]byte, error) {
err := obj.DetachedVerify(obj.payload, verificationKey)
if err != nil {
diff --git a/vendor/github.com/go-jose/go-jose/v3/symmetric.go b/vendor/github.com/go-jose/go-jose/v4/symmetric.go
similarity index 96%
rename from vendor/github.com/go-jose/go-jose/v3/symmetric.go
rename to vendor/github.com/go-jose/go-jose/v4/symmetric.go
index 10d8e19fd..a69103b08 100644
--- a/vendor/github.com/go-jose/go-jose/v3/symmetric.go
+++ b/vendor/github.com/go-jose/go-jose/v4/symmetric.go
@@ -32,7 +32,7 @@ import (
"golang.org/x/crypto/pbkdf2"
- josecipher "github.com/go-jose/go-jose/v3/cipher"
+ josecipher "github.com/go-jose/go-jose/v4/cipher"
)
// RandReader is a cryptographically secure random number generator (stubbed out in tests).
@@ -454,7 +454,7 @@ func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipien
func (ctx symmetricMac) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
mac, err := ctx.hmac(payload, alg)
if err != nil {
- return Signature{}, errors.New("go-jose/go-jose: failed to compute hmac")
+ return Signature{}, err
}
return Signature{
@@ -486,12 +486,24 @@ func (ctx symmetricMac) verifyPayload(payload []byte, mac []byte, alg SignatureA
func (ctx symmetricMac) hmac(payload []byte, alg SignatureAlgorithm) ([]byte, error) {
var hash func() hash.Hash
+ // https://datatracker.ietf.org/doc/html/rfc7518#section-3.2
+ // A key of the same size as the hash output (for instance, 256 bits for
+ // "HS256") or larger MUST be used
switch alg {
case HS256:
+ if len(ctx.key)*8 < 256 {
+ return nil, ErrInvalidKeySize
+ }
hash = sha256.New
case HS384:
+ if len(ctx.key)*8 < 384 {
+ return nil, ErrInvalidKeySize
+ }
hash = sha512.New384
case HS512:
+ if len(ctx.key)*8 < 512 {
+ return nil, ErrInvalidKeySize
+ }
hash = sha512.New
default:
return nil, ErrUnsupportedAlgorithm
diff --git a/vendor/github.com/go-task/slim-sprig/.editorconfig b/vendor/github.com/go-task/slim-sprig/v3/.editorconfig
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/.editorconfig
rename to vendor/github.com/go-task/slim-sprig/v3/.editorconfig
diff --git a/vendor/github.com/go-task/slim-sprig/.gitattributes b/vendor/github.com/go-task/slim-sprig/v3/.gitattributes
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/.gitattributes
rename to vendor/github.com/go-task/slim-sprig/v3/.gitattributes
diff --git a/vendor/github.com/go-task/slim-sprig/.gitignore b/vendor/github.com/go-task/slim-sprig/v3/.gitignore
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/.gitignore
rename to vendor/github.com/go-task/slim-sprig/v3/.gitignore
diff --git a/vendor/github.com/go-task/slim-sprig/CHANGELOG.md b/vendor/github.com/go-task/slim-sprig/v3/CHANGELOG.md
similarity index 95%
rename from vendor/github.com/go-task/slim-sprig/CHANGELOG.md
rename to vendor/github.com/go-task/slim-sprig/v3/CHANGELOG.md
index 61d8ebffc..2ce45dd4e 100644
--- a/vendor/github.com/go-task/slim-sprig/CHANGELOG.md
+++ b/vendor/github.com/go-task/slim-sprig/v3/CHANGELOG.md
@@ -1,5 +1,24 @@
# Changelog
+## Release 3.2.3 (2022-11-29)
+
+### Changed
+
+- Updated docs (thanks @book987 @aJetHorn @neelayu @pellizzetti @apricote @SaigyoujiYuyuko233 @AlekSi)
+- #348: Updated huandu/xstrings which fixed a snake case bug (thanks @yxxhero)
+- #353: Updated masterminds/semver which included bug fixes
+- #354: Updated golang.org/x/crypto which included bug fixes
+
+## Release 3.2.2 (2021-02-04)
+
+This is a re-release of 3.2.1 to satisfy something with the Go module system.
+
+## Release 3.2.1 (2021-02-04)
+
+### Changed
+
+- Upgraded `Masterminds/goutils` to `v1.1.1`. see the [Security Advisory](https://github.com/Masterminds/goutils/security/advisories/GHSA-xg2h-wx96-xgxr)
+
## Release 3.2.0 (2020-12-14)
### Added
diff --git a/vendor/github.com/go-task/slim-sprig/LICENSE.txt b/vendor/github.com/go-task/slim-sprig/v3/LICENSE.txt
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/LICENSE.txt
rename to vendor/github.com/go-task/slim-sprig/v3/LICENSE.txt
diff --git a/vendor/github.com/go-task/slim-sprig/README.md b/vendor/github.com/go-task/slim-sprig/v3/README.md
similarity index 88%
rename from vendor/github.com/go-task/slim-sprig/README.md
rename to vendor/github.com/go-task/slim-sprig/v3/README.md
index 72579471f..b5ab56425 100644
--- a/vendor/github.com/go-task/slim-sprig/README.md
+++ b/vendor/github.com/go-task/slim-sprig/v3/README.md
@@ -1,4 +1,4 @@
-# Slim-Sprig: Template functions for Go templates [![GoDoc](https://godoc.org/github.com/go-task/slim-sprig?status.svg)](https://godoc.org/github.com/go-task/slim-sprig) [![Go Report Card](https://goreportcard.com/badge/github.com/go-task/slim-sprig)](https://goreportcard.com/report/github.com/go-task/slim-sprig)
+# Slim-Sprig: Template functions for Go templates [![Go Reference](https://pkg.go.dev/badge/github.com/go-task/slim-sprig/v3.svg)](https://pkg.go.dev/github.com/go-task/slim-sprig/v3)
Slim-Sprig is a fork of [Sprig](https://github.com/Masterminds/sprig), but with
all functions that depend on external (non standard library) or crypto packages
diff --git a/vendor/github.com/go-task/slim-sprig/Taskfile.yml b/vendor/github.com/go-task/slim-sprig/v3/Taskfile.yml
similarity index 89%
rename from vendor/github.com/go-task/slim-sprig/Taskfile.yml
rename to vendor/github.com/go-task/slim-sprig/v3/Taskfile.yml
index cdcfd223b..8e6346bb1 100644
--- a/vendor/github.com/go-task/slim-sprig/Taskfile.yml
+++ b/vendor/github.com/go-task/slim-sprig/v3/Taskfile.yml
@@ -1,6 +1,6 @@
# https://taskfile.dev
-version: '2'
+version: '3'
tasks:
default:
diff --git a/vendor/github.com/go-task/slim-sprig/crypto.go b/vendor/github.com/go-task/slim-sprig/v3/crypto.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/crypto.go
rename to vendor/github.com/go-task/slim-sprig/v3/crypto.go
diff --git a/vendor/github.com/go-task/slim-sprig/date.go b/vendor/github.com/go-task/slim-sprig/v3/date.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/date.go
rename to vendor/github.com/go-task/slim-sprig/v3/date.go
diff --git a/vendor/github.com/go-task/slim-sprig/defaults.go b/vendor/github.com/go-task/slim-sprig/v3/defaults.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/defaults.go
rename to vendor/github.com/go-task/slim-sprig/v3/defaults.go
diff --git a/vendor/github.com/go-task/slim-sprig/dict.go b/vendor/github.com/go-task/slim-sprig/v3/dict.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/dict.go
rename to vendor/github.com/go-task/slim-sprig/v3/dict.go
diff --git a/vendor/github.com/go-task/slim-sprig/doc.go b/vendor/github.com/go-task/slim-sprig/v3/doc.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/doc.go
rename to vendor/github.com/go-task/slim-sprig/v3/doc.go
diff --git a/vendor/github.com/go-task/slim-sprig/functions.go b/vendor/github.com/go-task/slim-sprig/v3/functions.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/functions.go
rename to vendor/github.com/go-task/slim-sprig/v3/functions.go
diff --git a/vendor/github.com/go-task/slim-sprig/list.go b/vendor/github.com/go-task/slim-sprig/v3/list.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/list.go
rename to vendor/github.com/go-task/slim-sprig/v3/list.go
diff --git a/vendor/github.com/go-task/slim-sprig/network.go b/vendor/github.com/go-task/slim-sprig/v3/network.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/network.go
rename to vendor/github.com/go-task/slim-sprig/v3/network.go
diff --git a/vendor/github.com/go-task/slim-sprig/numeric.go b/vendor/github.com/go-task/slim-sprig/v3/numeric.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/numeric.go
rename to vendor/github.com/go-task/slim-sprig/v3/numeric.go
diff --git a/vendor/github.com/go-task/slim-sprig/reflect.go b/vendor/github.com/go-task/slim-sprig/v3/reflect.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/reflect.go
rename to vendor/github.com/go-task/slim-sprig/v3/reflect.go
diff --git a/vendor/github.com/go-task/slim-sprig/regex.go b/vendor/github.com/go-task/slim-sprig/v3/regex.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/regex.go
rename to vendor/github.com/go-task/slim-sprig/v3/regex.go
diff --git a/vendor/github.com/go-task/slim-sprig/strings.go b/vendor/github.com/go-task/slim-sprig/v3/strings.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/strings.go
rename to vendor/github.com/go-task/slim-sprig/v3/strings.go
diff --git a/vendor/github.com/go-task/slim-sprig/url.go b/vendor/github.com/go-task/slim-sprig/v3/url.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/url.go
rename to vendor/github.com/go-task/slim-sprig/v3/url.go
diff --git a/vendor/github.com/google/pprof/profile/encode.go b/vendor/github.com/google/pprof/profile/encode.go
index ab7f03ae2..860bb304c 100644
--- a/vendor/github.com/google/pprof/profile/encode.go
+++ b/vendor/github.com/google/pprof/profile/encode.go
@@ -17,6 +17,7 @@ package profile
import (
"errors"
"sort"
+ "strings"
)
func (p *Profile) decoder() []decoder {
@@ -183,12 +184,13 @@ var profileDecoder = []decoder{
// repeated Location location = 4
func(b *buffer, m message) error {
x := new(Location)
- x.Line = make([]Line, 0, 8) // Pre-allocate Line buffer
+ x.Line = b.tmpLines[:0] // Use shared space temporarily
pp := m.(*Profile)
pp.Location = append(pp.Location, x)
err := decodeMessage(b, x)
- var tmp []Line
- x.Line = append(tmp, x.Line...) // Shrink to allocated size
+ b.tmpLines = x.Line[:0]
+ // Copy to shrink size and detach from shared space.
+ x.Line = append([]Line(nil), x.Line...)
return err
},
// repeated Function function = 5
@@ -252,6 +254,14 @@ func (p *Profile) postDecode() error {
} else {
mappings[m.ID] = m
}
+
+ // If this a main linux kernel mapping with a relocation symbol suffix
+ // ("[kernel.kallsyms]_text"), extract said suffix.
+ // It is fairly hacky to handle at this level, but the alternatives appear even worse.
+ const prefix = "[kernel.kallsyms]"
+ if strings.HasPrefix(m.File, prefix) {
+ m.KernelRelocationSymbol = m.File[len(prefix):]
+ }
}
functions := make(map[uint64]*Function, len(p.Function))
@@ -298,41 +308,52 @@ func (p *Profile) postDecode() error {
st.Unit, err = getString(p.stringTable, &st.unitX, err)
}
+ // Pre-allocate space for all locations.
+ numLocations := 0
for _, s := range p.Sample {
- labels := make(map[string][]string, len(s.labelX))
- numLabels := make(map[string][]int64, len(s.labelX))
- numUnits := make(map[string][]string, len(s.labelX))
- for _, l := range s.labelX {
- var key, value string
- key, err = getString(p.stringTable, &l.keyX, err)
- if l.strX != 0 {
- value, err = getString(p.stringTable, &l.strX, err)
- labels[key] = append(labels[key], value)
- } else if l.numX != 0 || l.unitX != 0 {
- numValues := numLabels[key]
- units := numUnits[key]
- if l.unitX != 0 {
- var unit string
- unit, err = getString(p.stringTable, &l.unitX, err)
- units = padStringArray(units, len(numValues))
- numUnits[key] = append(units, unit)
- }
- numLabels[key] = append(numLabels[key], l.numX)
- }
- }
- if len(labels) > 0 {
- s.Label = labels
- }
- if len(numLabels) > 0 {
- s.NumLabel = numLabels
- for key, units := range numUnits {
- if len(units) > 0 {
- numUnits[key] = padStringArray(units, len(numLabels[key]))
+ numLocations += len(s.locationIDX)
+ }
+ locBuffer := make([]*Location, numLocations)
+
+ for _, s := range p.Sample {
+ if len(s.labelX) > 0 {
+ labels := make(map[string][]string, len(s.labelX))
+ numLabels := make(map[string][]int64, len(s.labelX))
+ numUnits := make(map[string][]string, len(s.labelX))
+ for _, l := range s.labelX {
+ var key, value string
+ key, err = getString(p.stringTable, &l.keyX, err)
+ if l.strX != 0 {
+ value, err = getString(p.stringTable, &l.strX, err)
+ labels[key] = append(labels[key], value)
+ } else if l.numX != 0 || l.unitX != 0 {
+ numValues := numLabels[key]
+ units := numUnits[key]
+ if l.unitX != 0 {
+ var unit string
+ unit, err = getString(p.stringTable, &l.unitX, err)
+ units = padStringArray(units, len(numValues))
+ numUnits[key] = append(units, unit)
+ }
+ numLabels[key] = append(numLabels[key], l.numX)
}
}
- s.NumUnit = numUnits
+ if len(labels) > 0 {
+ s.Label = labels
+ }
+ if len(numLabels) > 0 {
+ s.NumLabel = numLabels
+ for key, units := range numUnits {
+ if len(units) > 0 {
+ numUnits[key] = padStringArray(units, len(numLabels[key]))
+ }
+ }
+ s.NumUnit = numUnits
+ }
}
- s.Location = make([]*Location, len(s.locationIDX))
+
+ s.Location = locBuffer[:len(s.locationIDX)]
+ locBuffer = locBuffer[len(s.locationIDX):]
for i, lid := range s.locationIDX {
if lid < uint64(len(locationIds)) {
s.Location[i] = locationIds[lid]
@@ -509,6 +530,7 @@ func (p *Line) decoder() []decoder {
func (p *Line) encode(b *buffer) {
encodeUint64Opt(b, 1, p.functionIDX)
encodeInt64Opt(b, 2, p.Line)
+ encodeInt64Opt(b, 3, p.Column)
}
var lineDecoder = []decoder{
@@ -517,6 +539,8 @@ var lineDecoder = []decoder{
func(b *buffer, m message) error { return decodeUint64(b, &m.(*Line).functionIDX) },
// optional int64 line = 2
func(b *buffer, m message) error { return decodeInt64(b, &m.(*Line).Line) },
+ // optional int64 column = 3
+ func(b *buffer, m message) error { return decodeInt64(b, &m.(*Line).Column) },
}
func (p *Function) decoder() []decoder {
diff --git a/vendor/github.com/google/pprof/profile/filter.go b/vendor/github.com/google/pprof/profile/filter.go
index ea8e66c68..c794b9390 100644
--- a/vendor/github.com/google/pprof/profile/filter.go
+++ b/vendor/github.com/google/pprof/profile/filter.go
@@ -22,6 +22,10 @@ import "regexp"
// samples where at least one frame matches focus but none match ignore.
// Returns true is the corresponding regexp matched at least one sample.
func (p *Profile) FilterSamplesByName(focus, ignore, hide, show *regexp.Regexp) (fm, im, hm, hnm bool) {
+ if focus == nil && ignore == nil && hide == nil && show == nil {
+ fm = true // Missing focus implies a match
+ return
+ }
focusOrIgnore := make(map[uint64]bool)
hidden := make(map[uint64]bool)
for _, l := range p.Location {
diff --git a/vendor/github.com/google/pprof/profile/legacy_java_profile.go b/vendor/github.com/google/pprof/profile/legacy_java_profile.go
index 91f45e53c..4580bab18 100644
--- a/vendor/github.com/google/pprof/profile/legacy_java_profile.go
+++ b/vendor/github.com/google/pprof/profile/legacy_java_profile.go
@@ -56,7 +56,7 @@ func javaCPUProfile(b []byte, period int64, parse func(b []byte) (uint64, []byte
}
// Strip out addresses for better merge.
- if err = p.Aggregate(true, true, true, true, false); err != nil {
+ if err = p.Aggregate(true, true, true, true, false, false); err != nil {
return nil, err
}
@@ -99,7 +99,7 @@ func parseJavaProfile(b []byte) (*Profile, error) {
}
// Strip out addresses for better merge.
- if err = p.Aggregate(true, true, true, true, false); err != nil {
+ if err = p.Aggregate(true, true, true, true, false, false); err != nil {
return nil, err
}
diff --git a/vendor/github.com/google/pprof/profile/legacy_profile.go b/vendor/github.com/google/pprof/profile/legacy_profile.go
index 0c8f3bb5b..8d07fd6c2 100644
--- a/vendor/github.com/google/pprof/profile/legacy_profile.go
+++ b/vendor/github.com/google/pprof/profile/legacy_profile.go
@@ -295,11 +295,12 @@ func get64b(b []byte) (uint64, []byte) {
//
// The general format for profilez samples is a sequence of words in
// binary format. The first words are a header with the following data:
-// 1st word -- 0
-// 2nd word -- 3
-// 3rd word -- 0 if a c++ application, 1 if a java application.
-// 4th word -- Sampling period (in microseconds).
-// 5th word -- Padding.
+//
+// 1st word -- 0
+// 2nd word -- 3
+// 3rd word -- 0 if a c++ application, 1 if a java application.
+// 4th word -- Sampling period (in microseconds).
+// 5th word -- Padding.
func parseCPU(b []byte) (*Profile, error) {
var parse func([]byte) (uint64, []byte)
var n1, n2, n3, n4, n5 uint64
@@ -403,15 +404,18 @@ func cleanupDuplicateLocations(p *Profile) {
//
// profilez samples are a repeated sequence of stack frames of the
// form:
-// 1st word -- The number of times this stack was encountered.
-// 2nd word -- The size of the stack (StackSize).
-// 3rd word -- The first address on the stack.
-// ...
-// StackSize + 2 -- The last address on the stack
+//
+// 1st word -- The number of times this stack was encountered.
+// 2nd word -- The size of the stack (StackSize).
+// 3rd word -- The first address on the stack.
+// ...
+// StackSize + 2 -- The last address on the stack
+//
// The last stack trace is of the form:
-// 1st word -- 0
-// 2nd word -- 1
-// 3rd word -- 0
+//
+// 1st word -- 0
+// 2nd word -- 1
+// 3rd word -- 0
//
// Addresses from stack traces may point to the next instruction after
// each call. Optionally adjust by -1 to land somewhere on the actual
@@ -861,7 +865,6 @@ func parseThread(b []byte) (*Profile, error) {
// Recognize each thread and populate profile samples.
for !isMemoryMapSentinel(line) {
if strings.HasPrefix(line, "---- no stack trace for") {
- line = ""
break
}
if t := threadStartRE.FindStringSubmatch(line); len(t) != 4 {
diff --git a/vendor/github.com/google/pprof/profile/merge.go b/vendor/github.com/google/pprof/profile/merge.go
index 9978e7330..eee0132e7 100644
--- a/vendor/github.com/google/pprof/profile/merge.go
+++ b/vendor/github.com/google/pprof/profile/merge.go
@@ -15,6 +15,7 @@
package profile
import (
+ "encoding/binary"
"fmt"
"sort"
"strconv"
@@ -58,7 +59,7 @@ func Merge(srcs []*Profile) (*Profile, error) {
for _, src := range srcs {
// Clear the profile-specific hash tables
- pm.locationsByID = make(map[uint64]*Location, len(src.Location))
+ pm.locationsByID = makeLocationIDMap(len(src.Location))
pm.functionsByID = make(map[uint64]*Function, len(src.Function))
pm.mappingsByID = make(map[uint64]mapInfo, len(src.Mapping))
@@ -136,7 +137,7 @@ type profileMerger struct {
p *Profile
// Memoization tables within a profile.
- locationsByID map[uint64]*Location
+ locationsByID locationIDMap
functionsByID map[uint64]*Function
mappingsByID map[uint64]mapInfo
@@ -153,6 +154,16 @@ type mapInfo struct {
}
func (pm *profileMerger) mapSample(src *Sample) *Sample {
+ // Check memoization table
+ k := pm.sampleKey(src)
+ if ss, ok := pm.samples[k]; ok {
+ for i, v := range src.Value {
+ ss.Value[i] += v
+ }
+ return ss
+ }
+
+ // Make new sample.
s := &Sample{
Location: make([]*Location, len(src.Location)),
Value: make([]int64, len(src.Value)),
@@ -177,52 +188,98 @@ func (pm *profileMerger) mapSample(src *Sample) *Sample {
s.NumLabel[k] = vv
s.NumUnit[k] = uu
}
- // Check memoization table. Must be done on the remapped location to
- // account for the remapped mapping. Add current values to the
- // existing sample.
- k := s.key()
- if ss, ok := pm.samples[k]; ok {
- for i, v := range src.Value {
- ss.Value[i] += v
- }
- return ss
- }
copy(s.Value, src.Value)
pm.samples[k] = s
pm.p.Sample = append(pm.p.Sample, s)
return s
}
-// key generates sampleKey to be used as a key for maps.
-func (sample *Sample) key() sampleKey {
- ids := make([]string, len(sample.Location))
- for i, l := range sample.Location {
- ids[i] = strconv.FormatUint(l.ID, 16)
+func (pm *profileMerger) sampleKey(sample *Sample) sampleKey {
+ // Accumulate contents into a string.
+ var buf strings.Builder
+ buf.Grow(64) // Heuristic to avoid extra allocs
+
+ // encode a number
+ putNumber := func(v uint64) {
+ var num [binary.MaxVarintLen64]byte
+ n := binary.PutUvarint(num[:], v)
+ buf.Write(num[:n])
}
- labels := make([]string, 0, len(sample.Label))
- for k, v := range sample.Label {
- labels = append(labels, fmt.Sprintf("%q%q", k, v))
+ // encode a string prefixed with its length.
+ putDelimitedString := func(s string) {
+ putNumber(uint64(len(s)))
+ buf.WriteString(s)
}
- sort.Strings(labels)
- numlabels := make([]string, 0, len(sample.NumLabel))
- for k, v := range sample.NumLabel {
- numlabels = append(numlabels, fmt.Sprintf("%q%x%x", k, v, sample.NumUnit[k]))
+ for _, l := range sample.Location {
+ // Get the location in the merged profile, which may have a different ID.
+ if loc := pm.mapLocation(l); loc != nil {
+ putNumber(loc.ID)
+ }
}
- sort.Strings(numlabels)
+ putNumber(0) // Delimiter
- return sampleKey{
- strings.Join(ids, "|"),
- strings.Join(labels, ""),
- strings.Join(numlabels, ""),
+ for _, l := range sortedKeys1(sample.Label) {
+ putDelimitedString(l)
+ values := sample.Label[l]
+ putNumber(uint64(len(values)))
+ for _, v := range values {
+ putDelimitedString(v)
+ }
}
+
+ for _, l := range sortedKeys2(sample.NumLabel) {
+ putDelimitedString(l)
+ values := sample.NumLabel[l]
+ putNumber(uint64(len(values)))
+ for _, v := range values {
+ putNumber(uint64(v))
+ }
+ units := sample.NumUnit[l]
+ putNumber(uint64(len(units)))
+ for _, v := range units {
+ putDelimitedString(v)
+ }
+ }
+
+ return sampleKey(buf.String())
}
-type sampleKey struct {
- locations string
- labels string
- numlabels string
+type sampleKey string
+
+// sortedKeys1 returns the sorted keys found in a string->[]string map.
+//
+// Note: this is currently non-generic since github pprof runs golint,
+// which does not support generics. When that issue is fixed, it can
+// be merged with sortedKeys2 and made into a generic function.
+func sortedKeys1(m map[string][]string) []string {
+ if len(m) == 0 {
+ return nil
+ }
+ keys := make([]string, 0, len(m))
+ for k := range m {
+ keys = append(keys, k)
+ }
+ sort.Strings(keys)
+ return keys
+}
+
+// sortedKeys2 returns the sorted keys found in a string->[]int64 map.
+//
+// Note: this is currently non-generic since github pprof runs golint,
+// which does not support generics. When that issue is fixed, it can
+// be merged with sortedKeys1 and made into a generic function.
+func sortedKeys2(m map[string][]int64) []string {
+ if len(m) == 0 {
+ return nil
+ }
+ keys := make([]string, 0, len(m))
+ for k := range m {
+ keys = append(keys, k)
+ }
+ sort.Strings(keys)
+ return keys
}
func (pm *profileMerger) mapLocation(src *Location) *Location {
@@ -230,7 +287,7 @@ func (pm *profileMerger) mapLocation(src *Location) *Location {
return nil
}
- if l, ok := pm.locationsByID[src.ID]; ok {
+ if l := pm.locationsByID.get(src.ID); l != nil {
return l
}
@@ -249,10 +306,10 @@ func (pm *profileMerger) mapLocation(src *Location) *Location {
// account for the remapped mapping ID.
k := l.key()
if ll, ok := pm.locations[k]; ok {
- pm.locationsByID[src.ID] = ll
+ pm.locationsByID.set(src.ID, ll)
return ll
}
- pm.locationsByID[src.ID] = l
+ pm.locationsByID.set(src.ID, l)
pm.locations[k] = l
pm.p.Location = append(pm.p.Location, l)
return l
@@ -269,12 +326,13 @@ func (l *Location) key() locationKey {
key.addr -= l.Mapping.Start
key.mappingID = l.Mapping.ID
}
- lines := make([]string, len(l.Line)*2)
+ lines := make([]string, len(l.Line)*3)
for i, line := range l.Line {
if line.Function != nil {
lines[i*2] = strconv.FormatUint(line.Function.ID, 16)
}
lines[i*2+1] = strconv.FormatInt(line.Line, 16)
+ lines[i*2+2] = strconv.FormatInt(line.Column, 16)
}
key.lines = strings.Join(lines, "|")
return key
@@ -303,16 +361,17 @@ func (pm *profileMerger) mapMapping(src *Mapping) mapInfo {
return mi
}
m := &Mapping{
- ID: uint64(len(pm.p.Mapping) + 1),
- Start: src.Start,
- Limit: src.Limit,
- Offset: src.Offset,
- File: src.File,
- BuildID: src.BuildID,
- HasFunctions: src.HasFunctions,
- HasFilenames: src.HasFilenames,
- HasLineNumbers: src.HasLineNumbers,
- HasInlineFrames: src.HasInlineFrames,
+ ID: uint64(len(pm.p.Mapping) + 1),
+ Start: src.Start,
+ Limit: src.Limit,
+ Offset: src.Offset,
+ File: src.File,
+ KernelRelocationSymbol: src.KernelRelocationSymbol,
+ BuildID: src.BuildID,
+ HasFunctions: src.HasFunctions,
+ HasFilenames: src.HasFilenames,
+ HasLineNumbers: src.HasLineNumbers,
+ HasInlineFrames: src.HasInlineFrames,
}
pm.p.Mapping = append(pm.p.Mapping, m)
@@ -360,6 +419,7 @@ func (pm *profileMerger) mapLine(src Line) Line {
ln := Line{
Function: pm.mapFunction(src.Function),
Line: src.Line,
+ Column: src.Column,
}
return ln
}
@@ -479,3 +539,131 @@ func (p *Profile) compatible(pb *Profile) error {
func equalValueType(st1, st2 *ValueType) bool {
return st1.Type == st2.Type && st1.Unit == st2.Unit
}
+
+// locationIDMap is like a map[uint64]*Location, but provides efficiency for
+// ids that are densely numbered, which is often the case.
+type locationIDMap struct {
+ dense []*Location // indexed by id for id < len(dense)
+ sparse map[uint64]*Location // indexed by id for id >= len(dense)
+}
+
+func makeLocationIDMap(n int) locationIDMap {
+ return locationIDMap{
+ dense: make([]*Location, n),
+ sparse: map[uint64]*Location{},
+ }
+}
+
+func (lm locationIDMap) get(id uint64) *Location {
+ if id < uint64(len(lm.dense)) {
+ return lm.dense[int(id)]
+ }
+ return lm.sparse[id]
+}
+
+func (lm locationIDMap) set(id uint64, loc *Location) {
+ if id < uint64(len(lm.dense)) {
+ lm.dense[id] = loc
+ return
+ }
+ lm.sparse[id] = loc
+}
+
+// CompatibilizeSampleTypes makes profiles compatible to be compared/merged. It
+// keeps sample types that appear in all profiles only and drops/reorders the
+// sample types as necessary.
+//
+// In the case of sample types order is not the same for given profiles the
+// order is derived from the first profile.
+//
+// Profiles are modified in-place.
+//
+// It returns an error if the sample type's intersection is empty.
+func CompatibilizeSampleTypes(ps []*Profile) error {
+ sTypes := commonSampleTypes(ps)
+ if len(sTypes) == 0 {
+ return fmt.Errorf("profiles have empty common sample type list")
+ }
+ for _, p := range ps {
+ if err := compatibilizeSampleTypes(p, sTypes); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
+// commonSampleTypes returns sample types that appear in all profiles in the
+// order how they ordered in the first profile.
+func commonSampleTypes(ps []*Profile) []string {
+ if len(ps) == 0 {
+ return nil
+ }
+ sTypes := map[string]int{}
+ for _, p := range ps {
+ for _, st := range p.SampleType {
+ sTypes[st.Type]++
+ }
+ }
+ var res []string
+ for _, st := range ps[0].SampleType {
+ if sTypes[st.Type] == len(ps) {
+ res = append(res, st.Type)
+ }
+ }
+ return res
+}
+
+// compatibilizeSampleTypes drops sample types that are not present in sTypes
+// list and reorder them if needed.
+//
+// It sets DefaultSampleType to sType[0] if it is not in sType list.
+//
+// It assumes that all sample types from the sTypes list are present in the
+// given profile otherwise it returns an error.
+func compatibilizeSampleTypes(p *Profile, sTypes []string) error {
+ if len(sTypes) == 0 {
+ return fmt.Errorf("sample type list is empty")
+ }
+ defaultSampleType := sTypes[0]
+ reMap, needToModify := make([]int, len(sTypes)), false
+ for i, st := range sTypes {
+ if st == p.DefaultSampleType {
+ defaultSampleType = p.DefaultSampleType
+ }
+ idx := searchValueType(p.SampleType, st)
+ if idx < 0 {
+ return fmt.Errorf("%q sample type is not found in profile", st)
+ }
+ reMap[i] = idx
+ if idx != i {
+ needToModify = true
+ }
+ }
+ if !needToModify && len(sTypes) == len(p.SampleType) {
+ return nil
+ }
+ p.DefaultSampleType = defaultSampleType
+ oldSampleTypes := p.SampleType
+ p.SampleType = make([]*ValueType, len(sTypes))
+ for i, idx := range reMap {
+ p.SampleType[i] = oldSampleTypes[idx]
+ }
+ values := make([]int64, len(sTypes))
+ for _, s := range p.Sample {
+ for i, idx := range reMap {
+ values[i] = s.Value[idx]
+ }
+ s.Value = s.Value[:len(values)]
+ copy(s.Value, values)
+ }
+ return nil
+}
+
+func searchValueType(vts []*ValueType, s string) int {
+ for i, vt := range vts {
+ if vt.Type == s {
+ return i
+ }
+ }
+ return -1
+}
diff --git a/vendor/github.com/google/pprof/profile/profile.go b/vendor/github.com/google/pprof/profile/profile.go
index 2590c8ddb..62df80a55 100644
--- a/vendor/github.com/google/pprof/profile/profile.go
+++ b/vendor/github.com/google/pprof/profile/profile.go
@@ -21,7 +21,6 @@ import (
"compress/gzip"
"fmt"
"io"
- "io/ioutil"
"math"
"path/filepath"
"regexp"
@@ -73,9 +72,23 @@ type ValueType struct {
type Sample struct {
Location []*Location
Value []int64
- Label map[string][]string
+ // Label is a per-label-key map to values for string labels.
+ //
+ // In general, having multiple values for the given label key is strongly
+ // discouraged - see docs for the sample label field in profile.proto. The
+ // main reason this unlikely state is tracked here is to make the
+ // decoding->encoding roundtrip not lossy. But we expect that the value
+ // slices present in this map are always of length 1.
+ Label map[string][]string
+ // NumLabel is a per-label-key map to values for numeric labels. See a note
+ // above on handling multiple values for a label.
NumLabel map[string][]int64
- NumUnit map[string][]string
+ // NumUnit is a per-label-key map to the unit names of corresponding numeric
+ // label values. The unit info may be missing even if the label is in
+ // NumLabel, see the docs in profile.proto for details. When the value is
+ // slice is present and not nil, its length must be equal to the length of
+ // the corresponding value slice in NumLabel.
+ NumUnit map[string][]string
locationIDX []uint64
labelX []label
@@ -106,6 +119,15 @@ type Mapping struct {
fileX int64
buildIDX int64
+
+ // Name of the kernel relocation symbol ("_text" or "_stext"), extracted from File.
+ // For linux kernel mappings generated by some tools, correct symbolization depends
+ // on knowing which of the two possible relocation symbols was used for `Start`.
+ // This is given to us as a suffix in `File` (e.g. "[kernel.kallsyms]_stext").
+ //
+ // Note, this public field is not persisted in the proto. For the purposes of
+ // copying / merging / hashing profiles, it is considered subsumed by `File`.
+ KernelRelocationSymbol string
}
// Location corresponds to Profile.Location
@@ -123,6 +145,7 @@ type Location struct {
type Line struct {
Function *Function
Line int64
+ Column int64
functionIDX uint64
}
@@ -144,7 +167,7 @@ type Function struct {
// may be a gzip-compressed encoded protobuf or one of many legacy
// profile formats which may be unsupported in the future.
func Parse(r io.Reader) (*Profile, error) {
- data, err := ioutil.ReadAll(r)
+ data, err := io.ReadAll(r)
if err != nil {
return nil, err
}
@@ -159,7 +182,7 @@ func ParseData(data []byte) (*Profile, error) {
if len(data) >= 2 && data[0] == 0x1f && data[1] == 0x8b {
gz, err := gzip.NewReader(bytes.NewBuffer(data))
if err == nil {
- data, err = ioutil.ReadAll(gz)
+ data, err = io.ReadAll(gz)
}
if err != nil {
return nil, fmt.Errorf("decompressing profile: %v", err)
@@ -414,7 +437,7 @@ func (p *Profile) CheckValid() error {
// Aggregate merges the locations in the profile into equivalence
// classes preserving the request attributes. It also updates the
// samples to point to the merged locations.
-func (p *Profile) Aggregate(inlineFrame, function, filename, linenumber, address bool) error {
+func (p *Profile) Aggregate(inlineFrame, function, filename, linenumber, columnnumber, address bool) error {
for _, m := range p.Mapping {
m.HasInlineFrames = m.HasInlineFrames && inlineFrame
m.HasFunctions = m.HasFunctions && function
@@ -436,7 +459,7 @@ func (p *Profile) Aggregate(inlineFrame, function, filename, linenumber, address
}
// Aggregate locations
- if !inlineFrame || !address || !linenumber {
+ if !inlineFrame || !address || !linenumber || !columnnumber {
for _, l := range p.Location {
if !inlineFrame && len(l.Line) > 1 {
l.Line = l.Line[len(l.Line)-1:]
@@ -444,6 +467,12 @@ func (p *Profile) Aggregate(inlineFrame, function, filename, linenumber, address
if !linenumber {
for i := range l.Line {
l.Line[i].Line = 0
+ l.Line[i].Column = 0
+ }
+ }
+ if !columnnumber {
+ for i := range l.Line {
+ l.Line[i].Column = 0
}
}
if !address {
@@ -605,10 +634,11 @@ func (l *Location) string() string {
for li := range l.Line {
lnStr := "??"
if fn := l.Line[li].Function; fn != nil {
- lnStr = fmt.Sprintf("%s %s:%d s=%d",
+ lnStr = fmt.Sprintf("%s %s:%d:%d s=%d",
fn.Name,
fn.Filename,
l.Line[li].Line,
+ l.Line[li].Column,
fn.StartLine)
if fn.Name != fn.SystemName {
lnStr = lnStr + "(" + fn.SystemName + ")"
@@ -707,6 +737,35 @@ func (s *Sample) HasLabel(key, value string) bool {
return false
}
+// SetNumLabel sets the specified key to the specified value for all samples in the
+// profile. "unit" is a slice that describes the units that each corresponding member
+// of "values" is measured in (e.g. bytes or seconds). If there is no relevant
+// unit for a given value, that member of "unit" should be the empty string.
+// "unit" must either have the same length as "value", or be nil.
+func (p *Profile) SetNumLabel(key string, value []int64, unit []string) {
+ for _, sample := range p.Sample {
+ if sample.NumLabel == nil {
+ sample.NumLabel = map[string][]int64{key: value}
+ } else {
+ sample.NumLabel[key] = value
+ }
+ if sample.NumUnit == nil {
+ sample.NumUnit = map[string][]string{key: unit}
+ } else {
+ sample.NumUnit[key] = unit
+ }
+ }
+}
+
+// RemoveNumLabel removes all numerical labels associated with the specified key for all
+// samples in the profile.
+func (p *Profile) RemoveNumLabel(key string) {
+ for _, sample := range p.Sample {
+ delete(sample.NumLabel, key)
+ delete(sample.NumUnit, key)
+ }
+}
+
// DiffBaseSample returns true if a sample belongs to the diff base and false
// otherwise.
func (s *Sample) DiffBaseSample() bool {
diff --git a/vendor/github.com/google/pprof/profile/proto.go b/vendor/github.com/google/pprof/profile/proto.go
index 539ad3ab3..a15696ba1 100644
--- a/vendor/github.com/google/pprof/profile/proto.go
+++ b/vendor/github.com/google/pprof/profile/proto.go
@@ -39,11 +39,12 @@ import (
)
type buffer struct {
- field int // field tag
- typ int // proto wire type code for field
- u64 uint64
- data []byte
- tmp [16]byte
+ field int // field tag
+ typ int // proto wire type code for field
+ u64 uint64
+ data []byte
+ tmp [16]byte
+ tmpLines []Line // temporary storage used while decoding "repeated Line".
}
type decoder func(*buffer, message) error
@@ -286,7 +287,6 @@ func decodeInt64s(b *buffer, x *[]int64) error {
if b.typ == 2 {
// Packed encoding
data := b.data
- tmp := make([]int64, 0, len(data)) // Maximally sized
for len(data) > 0 {
var u uint64
var err error
@@ -294,9 +294,8 @@ func decodeInt64s(b *buffer, x *[]int64) error {
if u, data, err = decodeVarint(data); err != nil {
return err
}
- tmp = append(tmp, int64(u))
+ *x = append(*x, int64(u))
}
- *x = append(*x, tmp...)
return nil
}
var i int64
@@ -319,7 +318,6 @@ func decodeUint64s(b *buffer, x *[]uint64) error {
if b.typ == 2 {
data := b.data
// Packed encoding
- tmp := make([]uint64, 0, len(data)) // Maximally sized
for len(data) > 0 {
var u uint64
var err error
@@ -327,9 +325,8 @@ func decodeUint64s(b *buffer, x *[]uint64) error {
if u, data, err = decodeVarint(data); err != nil {
return err
}
- tmp = append(tmp, u)
+ *x = append(*x, u)
}
- *x = append(*x, tmp...)
return nil
}
var u uint64
diff --git a/vendor/github.com/google/pprof/profile/prune.go b/vendor/github.com/google/pprof/profile/prune.go
index 02d21a818..b2f9fd546 100644
--- a/vendor/github.com/google/pprof/profile/prune.go
+++ b/vendor/github.com/google/pprof/profile/prune.go
@@ -62,15 +62,31 @@ func (p *Profile) Prune(dropRx, keepRx *regexp.Regexp) {
prune := make(map[uint64]bool)
pruneBeneath := make(map[uint64]bool)
+ // simplifyFunc can be expensive, so cache results.
+ // Note that the same function name can be encountered many times due
+ // different lines and addresses in the same function.
+ pruneCache := map[string]bool{} // Map from function to whether or not to prune
+ pruneFromHere := func(s string) bool {
+ if r, ok := pruneCache[s]; ok {
+ return r
+ }
+ funcName := simplifyFunc(s)
+ if dropRx.MatchString(funcName) {
+ if keepRx == nil || !keepRx.MatchString(funcName) {
+ pruneCache[s] = true
+ return true
+ }
+ }
+ pruneCache[s] = false
+ return false
+ }
+
for _, loc := range p.Location {
var i int
for i = len(loc.Line) - 1; i >= 0; i-- {
if fn := loc.Line[i].Function; fn != nil && fn.Name != "" {
- funcName := simplifyFunc(fn.Name)
- if dropRx.MatchString(funcName) {
- if keepRx == nil || !keepRx.MatchString(funcName) {
- break
- }
+ if pruneFromHere(fn.Name) {
+ break
}
}
}
diff --git a/vendor/github.com/hashicorp/vault/api/lifetime_watcher.go b/vendor/github.com/hashicorp/vault/api/lifetime_watcher.go
index 5c060e5a1..4bc1390b9 100644
--- a/vendor/github.com/hashicorp/vault/api/lifetime_watcher.go
+++ b/vendor/github.com/hashicorp/vault/api/lifetime_watcher.go
@@ -6,6 +6,7 @@ package api
import (
"errors"
"math/rand"
+ "strings"
"sync"
"time"
@@ -31,6 +32,7 @@ var (
DefaultRenewerRenewBuffer = 5
)
+//go:generate enumer -type=RenewBehavior -trimprefix=RenewBehavior
type RenewBehavior uint
const (
@@ -288,12 +290,18 @@ func (r *LifetimeWatcher) doRenewWithOptions(tokenMode bool, nonRenewable bool,
switch {
case nonRenewable || r.renewBehavior == RenewBehaviorRenewDisabled:
// Can't or won't renew, just keep the same expiration so we exit
- // when it's reauthentication time
+ // when it's re-authentication time
remainingLeaseDuration = fallbackLeaseDuration
default:
// Renew the token
renewal, err = renew(credString, r.increment)
+ if err != nil && strings.Contains(err.Error(), "permission denied") {
+ // We can't renew since the token doesn't have permission to. Fall back
+ // to the code path for non-renewable tokens.
+ nonRenewable = true
+ continue
+ }
if err != nil || renewal == nil || (tokenMode && renewal.Auth == nil) {
if r.renewBehavior == RenewBehaviorErrorOnErrors {
if err != nil {
@@ -349,8 +357,11 @@ func (r *LifetimeWatcher) doRenewWithOptions(tokenMode bool, nonRenewable bool,
if errorBackoff == nil {
sleepDuration = r.calculateSleepDuration(remainingLeaseDuration, priorDuration)
- } else if errorBackoff.NextBackOff() == backoff.Stop {
- return err
+ } else {
+ sleepDuration = errorBackoff.NextBackOff()
+ if sleepDuration == backoff.Stop {
+ return err
+ }
}
// remainingLeaseDuration becomes the priorDuration for the next loop
diff --git a/vendor/github.com/hashicorp/vault/api/plugin_helpers.go b/vendor/github.com/hashicorp/vault/api/plugin_helpers.go
index 3705c7310..d330478f5 100644
--- a/vendor/github.com/hashicorp/vault/api/plugin_helpers.go
+++ b/vendor/github.com/hashicorp/vault/api/plugin_helpers.go
@@ -13,8 +13,8 @@ import (
"net/url"
"os"
- "github.com/go-jose/go-jose/v3/jwt"
-
+ jose "github.com/go-jose/go-jose/v4"
+ "github.com/go-jose/go-jose/v4/jwt"
"github.com/hashicorp/errwrap"
)
@@ -41,6 +41,11 @@ const (
// PluginUnwrapTokenEnv is the ENV name used to pass unwrap tokens to the
// plugin.
PluginUnwrapTokenEnv = "VAULT_UNWRAP_TOKEN"
+
+ // CubbyHoleJWTSignatureAlgorithm is the signature algorithm used for
+ // the unwrap token that Vault passes to a plugin when auto-mTLS is
+ // not enabled.
+ CubbyHoleJWTSignatureAlgorithm = jose.ES512
)
// PluginAPIClientMeta is a helper that plugins can use to configure TLS connections
@@ -103,7 +108,7 @@ func VaultPluginTLSProviderContext(ctx context.Context, apiTLSConfig *TLSConfig)
return func() (*tls.Config, error) {
unwrapToken := os.Getenv(PluginUnwrapTokenEnv)
- parsedJWT, err := jwt.ParseSigned(unwrapToken)
+ parsedJWT, err := jwt.ParseSigned(unwrapToken, []jose.SignatureAlgorithm{CubbyHoleJWTSignatureAlgorithm})
if err != nil {
return nil, errwrap.Wrapf("error parsing wrapping token: {{err}}", err)
}
diff --git a/vendor/github.com/hashicorp/vault/api/plugin_runtime_types.go b/vendor/github.com/hashicorp/vault/api/plugin_runtime_types.go
index d3acd0d00..2514f1279 100644
--- a/vendor/github.com/hashicorp/vault/api/plugin_runtime_types.go
+++ b/vendor/github.com/hashicorp/vault/api/plugin_runtime_types.go
@@ -9,11 +9,9 @@ package api
import "fmt"
-var PluginRuntimeTypes = []PluginRuntimeType{
- PluginRuntimeTypeUnsupported,
- PluginRuntimeTypeContainer,
-}
+var PluginRuntimeTypes = _PluginRuntimeTypeValues
+//go:generate enumer -type=PluginRuntimeType -trimprefix=PluginRuntimeType -transform=snake
type PluginRuntimeType uint32
// This is a list of PluginRuntimeTypes used by Vault.
@@ -22,20 +20,11 @@ const (
PluginRuntimeTypeContainer
)
-func (r PluginRuntimeType) String() string {
- switch r {
- case PluginRuntimeTypeContainer:
- return "container"
- default:
- return "unsupported"
- }
-}
-
+// ParsePluginRuntimeType is a wrapper around PluginRuntimeTypeString kept for backwards compatibility.
func ParsePluginRuntimeType(PluginRuntimeType string) (PluginRuntimeType, error) {
- switch PluginRuntimeType {
- case "container":
- return PluginRuntimeTypeContainer, nil
- default:
+ t, err := PluginRuntimeTypeString(PluginRuntimeType)
+ if err != nil {
return PluginRuntimeTypeUnsupported, fmt.Errorf("%q is not a supported plugin runtime type", PluginRuntimeType)
}
+ return t, nil
}
diff --git a/vendor/github.com/hashicorp/vault/api/pluginruntimetype_enumer.go b/vendor/github.com/hashicorp/vault/api/pluginruntimetype_enumer.go
new file mode 100644
index 000000000..663f440ff
--- /dev/null
+++ b/vendor/github.com/hashicorp/vault/api/pluginruntimetype_enumer.go
@@ -0,0 +1,49 @@
+// Code generated by "enumer -type=PluginRuntimeType -trimprefix=PluginRuntimeType -transform=snake"; DO NOT EDIT.
+
+package api
+
+import (
+ "fmt"
+)
+
+const _PluginRuntimeTypeName = "unsupportedcontainer"
+
+var _PluginRuntimeTypeIndex = [...]uint8{0, 11, 20}
+
+func (i PluginRuntimeType) String() string {
+ if i >= PluginRuntimeType(len(_PluginRuntimeTypeIndex)-1) {
+ return fmt.Sprintf("PluginRuntimeType(%d)", i)
+ }
+ return _PluginRuntimeTypeName[_PluginRuntimeTypeIndex[i]:_PluginRuntimeTypeIndex[i+1]]
+}
+
+var _PluginRuntimeTypeValues = []PluginRuntimeType{0, 1}
+
+var _PluginRuntimeTypeNameToValueMap = map[string]PluginRuntimeType{
+ _PluginRuntimeTypeName[0:11]: 0,
+ _PluginRuntimeTypeName[11:20]: 1,
+}
+
+// PluginRuntimeTypeString retrieves an enum value from the enum constants string name.
+// Throws an error if the param is not part of the enum.
+func PluginRuntimeTypeString(s string) (PluginRuntimeType, error) {
+ if val, ok := _PluginRuntimeTypeNameToValueMap[s]; ok {
+ return val, nil
+ }
+ return 0, fmt.Errorf("%s does not belong to PluginRuntimeType values", s)
+}
+
+// PluginRuntimeTypeValues returns all values of the enum
+func PluginRuntimeTypeValues() []PluginRuntimeType {
+ return _PluginRuntimeTypeValues
+}
+
+// IsAPluginRuntimeType returns "true" if the value is listed in the enum definition. "false" otherwise
+func (i PluginRuntimeType) IsAPluginRuntimeType() bool {
+ for _, v := range _PluginRuntimeTypeValues {
+ if i == v {
+ return true
+ }
+ }
+ return false
+}
diff --git a/vendor/github.com/hashicorp/vault/api/renewbehavior_enumer.go b/vendor/github.com/hashicorp/vault/api/renewbehavior_enumer.go
new file mode 100644
index 000000000..9b272e3e0
--- /dev/null
+++ b/vendor/github.com/hashicorp/vault/api/renewbehavior_enumer.go
@@ -0,0 +1,50 @@
+// Code generated by "enumer -type=RenewBehavior -trimprefix=RenewBehavior"; DO NOT EDIT.
+
+package api
+
+import (
+ "fmt"
+)
+
+const _RenewBehaviorName = "IgnoreErrorsRenewDisabledErrorOnErrors"
+
+var _RenewBehaviorIndex = [...]uint8{0, 12, 25, 38}
+
+func (i RenewBehavior) String() string {
+ if i >= RenewBehavior(len(_RenewBehaviorIndex)-1) {
+ return fmt.Sprintf("RenewBehavior(%d)", i)
+ }
+ return _RenewBehaviorName[_RenewBehaviorIndex[i]:_RenewBehaviorIndex[i+1]]
+}
+
+var _RenewBehaviorValues = []RenewBehavior{0, 1, 2}
+
+var _RenewBehaviorNameToValueMap = map[string]RenewBehavior{
+ _RenewBehaviorName[0:12]: 0,
+ _RenewBehaviorName[12:25]: 1,
+ _RenewBehaviorName[25:38]: 2,
+}
+
+// RenewBehaviorString retrieves an enum value from the enum constants string name.
+// Throws an error if the param is not part of the enum.
+func RenewBehaviorString(s string) (RenewBehavior, error) {
+ if val, ok := _RenewBehaviorNameToValueMap[s]; ok {
+ return val, nil
+ }
+ return 0, fmt.Errorf("%s does not belong to RenewBehavior values", s)
+}
+
+// RenewBehaviorValues returns all values of the enum
+func RenewBehaviorValues() []RenewBehavior {
+ return _RenewBehaviorValues
+}
+
+// IsARenewBehavior returns "true" if the value is listed in the enum definition. "false" otherwise
+func (i RenewBehavior) IsARenewBehavior() bool {
+ for _, v := range _RenewBehaviorValues {
+ if i == v {
+ return true
+ }
+ }
+ return false
+}
diff --git a/vendor/github.com/hashicorp/vault/api/replication_status.go b/vendor/github.com/hashicorp/vault/api/replication_status.go
index 9bc02d539..d7224ff11 100644
--- a/vendor/github.com/hashicorp/vault/api/replication_status.go
+++ b/vendor/github.com/hashicorp/vault/api/replication_status.go
@@ -19,13 +19,14 @@ const (
)
type ClusterInfo struct {
- APIAddr string `json:"api_address,omitempty" mapstructure:"api_address"`
- ClusterAddress string `json:"cluster_address,omitempty" mapstructure:"cluster_address"`
- ConnectionStatus string `json:"connection_status,omitempty" mapstructure:"connection_status"`
- LastHeartBeat string `json:"last_heartbeat,omitempty" mapstructure:"last_heartbeat"`
- LastHeartBeatDurationMillis string `json:"last_heartbeat_duration_ms,omitempty" mapstructure:"last_heartbeat_duration_ms"`
- ClockSkewMillis string `json:"clock_skew_ms,omitempty" mapstructure:"clock_skew_ms"`
- NodeID string `json:"node_id,omitempty" mapstructure:"node_id"`
+ APIAddr string `json:"api_address,omitempty" mapstructure:"api_address"`
+ ClusterAddress string `json:"cluster_address,omitempty" mapstructure:"cluster_address"`
+ ConnectionStatus string `json:"connection_status,omitempty" mapstructure:"connection_status"`
+ LastHeartBeat string `json:"last_heartbeat,omitempty" mapstructure:"last_heartbeat"`
+ LastHeartBeatDurationMillis string `json:"last_heartbeat_duration_ms,omitempty" mapstructure:"last_heartbeat_duration_ms"`
+ ClockSkewMillis string `json:"clock_skew_ms,omitempty" mapstructure:"clock_skew_ms"`
+ NodeID string `json:"node_id,omitempty" mapstructure:"node_id"`
+ ReplicationPrimaryCanaryAgeMillis string `json:"replication_primary_canary_age_ms,omitempty" mapstructure:"replication_primary_canary_age_ms"`
}
type ReplicationStatusGenericResponse struct {
diff --git a/vendor/github.com/hashicorp/vault/api/sys_auth.go b/vendor/github.com/hashicorp/vault/api/sys_auth.go
index e81441219..67beb63db 100644
--- a/vendor/github.com/hashicorp/vault/api/sys_auth.go
+++ b/vendor/github.com/hashicorp/vault/api/sys_auth.go
@@ -12,6 +12,41 @@ import (
"github.com/mitchellh/mapstructure"
)
+func (c *Sys) GetAuth(path string) (*AuthMount, error) {
+ return c.GetAuthWithContext(context.Background(), path)
+}
+
+func (c *Sys) GetAuthWithContext(ctx context.Context, path string) (*AuthMount, error) {
+ ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+ defer cancelFunc()
+
+ // use `sys/mounts/auth/:path` so we don't require sudo permissions
+ // historically, `sys/auth` doesn't require sudo, so we don't require it here either
+ r := c.c.NewRequest(http.MethodGet, fmt.Sprintf("/v1/sys/mounts/auth/%s", path))
+
+ resp, err := c.c.rawRequestWithContext(ctx, r)
+ if err != nil {
+ return nil, err
+ }
+ defer resp.Body.Close()
+
+ secret, err := ParseSecret(resp.Body)
+ if err != nil {
+ return nil, err
+ }
+ if secret == nil || secret.Data == nil {
+ return nil, errors.New("data from server response is empty")
+ }
+
+ mount := AuthMount{}
+ err = mapstructure.Decode(secret.Data, &mount)
+ if err != nil {
+ return nil, err
+ }
+
+ return &mount, nil
+}
+
func (c *Sys) ListAuth() (map[string]*AuthMount, error) {
return c.ListAuthWithContext(context.Background())
}
diff --git a/vendor/github.com/hashicorp/vault/api/sys_hastatus.go b/vendor/github.com/hashicorp/vault/api/sys_hastatus.go
index 58a73b89c..2e54651e1 100644
--- a/vendor/github.com/hashicorp/vault/api/sys_hastatus.go
+++ b/vendor/github.com/hashicorp/vault/api/sys_hastatus.go
@@ -35,14 +35,15 @@ type HAStatusResponse struct {
}
type HANode struct {
- Hostname string `json:"hostname"`
- APIAddress string `json:"api_address"`
- ClusterAddress string `json:"cluster_address"`
- ActiveNode bool `json:"active_node"`
- LastEcho *time.Time `json:"last_echo"`
- EchoDurationMillis int64 `json:"echo_duration_ms"`
- ClockSkewMillis int64 `json:"clock_skew_ms"`
- Version string `json:"version"`
- UpgradeVersion string `json:"upgrade_version,omitempty"`
- RedundancyZone string `json:"redundancy_zone,omitempty"`
+ Hostname string `json:"hostname"`
+ APIAddress string `json:"api_address"`
+ ClusterAddress string `json:"cluster_address"`
+ ActiveNode bool `json:"active_node"`
+ LastEcho *time.Time `json:"last_echo"`
+ EchoDurationMillis int64 `json:"echo_duration_ms"`
+ ClockSkewMillis int64 `json:"clock_skew_ms"`
+ Version string `json:"version"`
+ UpgradeVersion string `json:"upgrade_version,omitempty"`
+ RedundancyZone string `json:"redundancy_zone,omitempty"`
+ ReplicationPrimaryCanaryAgeMillis int64 `json:"replication_primary_canary_age_ms"`
}
diff --git a/vendor/github.com/hashicorp/vault/api/sys_health.go b/vendor/github.com/hashicorp/vault/api/sys_health.go
index 0dc849885..6868b96d7 100644
--- a/vendor/github.com/hashicorp/vault/api/sys_health.go
+++ b/vendor/github.com/hashicorp/vault/api/sys_health.go
@@ -38,18 +38,19 @@ func (c *Sys) HealthWithContext(ctx context.Context) (*HealthResponse, error) {
}
type HealthResponse struct {
- Initialized bool `json:"initialized"`
- Sealed bool `json:"sealed"`
- Standby bool `json:"standby"`
- PerformanceStandby bool `json:"performance_standby"`
- ReplicationPerformanceMode string `json:"replication_performance_mode"`
- ReplicationDRMode string `json:"replication_dr_mode"`
- ServerTimeUTC int64 `json:"server_time_utc"`
- Version string `json:"version"`
- ClusterName string `json:"cluster_name,omitempty"`
- ClusterID string `json:"cluster_id,omitempty"`
- LastWAL uint64 `json:"last_wal,omitempty"`
- Enterprise bool `json:"enterprise"`
- EchoDurationMillis int64 `json:"echo_duration_ms"`
- ClockSkewMillis int64 `json:"clock_skew_ms"`
+ Initialized bool `json:"initialized"`
+ Sealed bool `json:"sealed"`
+ Standby bool `json:"standby"`
+ PerformanceStandby bool `json:"performance_standby"`
+ ReplicationPerformanceMode string `json:"replication_performance_mode"`
+ ReplicationDRMode string `json:"replication_dr_mode"`
+ ServerTimeUTC int64 `json:"server_time_utc"`
+ Version string `json:"version"`
+ ClusterName string `json:"cluster_name,omitempty"`
+ ClusterID string `json:"cluster_id,omitempty"`
+ LastWAL uint64 `json:"last_wal,omitempty"`
+ Enterprise bool `json:"enterprise"`
+ EchoDurationMillis int64 `json:"echo_duration_ms"`
+ ClockSkewMillis int64 `json:"clock_skew_ms"`
+ ReplicationPrimaryCanaryAgeMillis int64 `json:"replication_primary_canary_age_ms"`
}
diff --git a/vendor/github.com/hashicorp/vault/api/sys_mounts.go b/vendor/github.com/hashicorp/vault/api/sys_mounts.go
index b9f4f8f6f..64529986a 100644
--- a/vendor/github.com/hashicorp/vault/api/sys_mounts.go
+++ b/vendor/github.com/hashicorp/vault/api/sys_mounts.go
@@ -13,6 +13,39 @@ import (
"github.com/mitchellh/mapstructure"
)
+func (c *Sys) GetMount(path string) (*MountOutput, error) {
+ return c.GetMountWithContext(context.Background(), path)
+}
+
+func (c *Sys) GetMountWithContext(ctx context.Context, path string) (*MountOutput, error) {
+ ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+ defer cancelFunc()
+
+ r := c.c.NewRequest(http.MethodGet, fmt.Sprintf("/v1/sys/mounts/%s", path))
+
+ resp, err := c.c.rawRequestWithContext(ctx, r)
+ if err != nil {
+ return nil, err
+ }
+ defer resp.Body.Close()
+
+ secret, err := ParseSecret(resp.Body)
+ if err != nil {
+ return nil, err
+ }
+ if secret == nil || secret.Data == nil {
+ return nil, errors.New("data from server response is empty")
+ }
+
+ mount := MountOutput{}
+ err = mapstructure.Decode(secret.Data, &mount)
+ if err != nil {
+ return nil, err
+ }
+
+ return &mount, nil
+}
+
func (c *Sys) ListMounts() (map[string]*MountOutput, error) {
return c.ListMountsWithContext(context.Background())
}
diff --git a/vendor/github.com/hashicorp/vault/api/sys_raft.go b/vendor/github.com/hashicorp/vault/api/sys_raft.go
index 4b9487c61..699f6e9fd 100644
--- a/vendor/github.com/hashicorp/vault/api/sys_raft.go
+++ b/vendor/github.com/hashicorp/vault/api/sys_raft.go
@@ -9,6 +9,7 @@ import (
"context"
"encoding/json"
"errors"
+ "fmt"
"io"
"io/ioutil"
"net/http"
@@ -100,6 +101,23 @@ type AutopilotState struct {
OptimisticFailureTolerance int `mapstructure:"optimistic_failure_tolerance,omitempty"`
}
+func (a *AutopilotState) String() string {
+ var result string
+ result += fmt.Sprintf("Healthy: %t. FailureTolerance: %d. Leader: %s. OptimisticFailureTolerance: %d\n", a.Healthy, a.FailureTolerance, a.Leader, a.OptimisticFailureTolerance)
+ for _, s := range a.Servers {
+ result += fmt.Sprintf("Server: %s\n", s)
+ }
+ result += fmt.Sprintf("Voters: %v\n", a.Voters)
+ result += fmt.Sprintf("NonVoters: %v\n", a.NonVoters)
+
+ for name, zone := range a.RedundancyZones {
+ result += fmt.Sprintf("RedundancyZone %s: %s\n", name, &zone)
+ }
+
+ result += fmt.Sprintf("Upgrade: %s", a.Upgrade)
+ return result
+}
+
// AutopilotServer represents the server blocks in the response of the raft
// autopilot state API.
type AutopilotServer struct {
@@ -119,12 +137,21 @@ type AutopilotServer struct {
NodeType string `mapstructure:"node_type,omitempty"`
}
+func (a *AutopilotServer) String() string {
+ return fmt.Sprintf("ID: %s. Name: %s. Address: %s. NodeStatus: %s. LastContact: %s. LastTerm: %d. LastIndex: %d. Healthy: %t. StableSince: %s. Status: %s. Version: %s. UpgradeVersion: %s. RedundancyZone: %s. NodeType: %s",
+ a.ID, a.Name, a.Address, a.NodeStatus, a.LastContact, a.LastTerm, a.LastIndex, a.Healthy, a.StableSince, a.Status, a.Version, a.UpgradeVersion, a.RedundancyZone, a.NodeType)
+}
+
type AutopilotZone struct {
Servers []string `mapstructure:"servers,omitempty"`
Voters []string `mapstructure:"voters,omitempty"`
FailureTolerance int `mapstructure:"failure_tolerance,omitempty"`
}
+func (a *AutopilotZone) String() string {
+ return fmt.Sprintf("Servers: %v. Voters: %v. FailureTolerance: %d", a.Servers, a.Voters, a.FailureTolerance)
+}
+
type AutopilotUpgrade struct {
Status string `mapstructure:"status"`
TargetVersion string `mapstructure:"target_version,omitempty"`
@@ -137,6 +164,17 @@ type AutopilotUpgrade struct {
RedundancyZones map[string]AutopilotZoneUpgradeVersions `mapstructure:"redundancy_zones,omitempty"`
}
+func (a *AutopilotUpgrade) String() string {
+ result := fmt.Sprintf("Status: %s. TargetVersion: %s. TargetVersionVoters: %v. TargetVersionNonVoters: %v. TargetVersionReadReplicas: %v. OtherVersionVoters: %v. OtherVersionNonVoters: %v. OtherVersionReadReplicas: %v",
+ a.Status, a.TargetVersion, a.TargetVersionVoters, a.TargetVersionNonVoters, a.TargetVersionReadReplicas, a.OtherVersionVoters, a.OtherVersionNonVoters, a.OtherVersionReadReplicas)
+
+ for name, zone := range a.RedundancyZones {
+ result += fmt.Sprintf("Redundancy Zone %s: %s", name, zone)
+ }
+
+ return result
+}
+
type AutopilotZoneUpgradeVersions struct {
TargetVersionVoters []string `mapstructure:"target_version_voters,omitempty"`
TargetVersionNonVoters []string `mapstructure:"target_version_non_voters,omitempty"`
@@ -144,6 +182,11 @@ type AutopilotZoneUpgradeVersions struct {
OtherVersionNonVoters []string `mapstructure:"other_version_non_voters,omitempty"`
}
+func (a *AutopilotZoneUpgradeVersions) String() string {
+ return fmt.Sprintf("TargetVersionVoters: %v. TargetVersionNonVoters: %v. OtherVersionVoters: %v. OtherVersionNonVoters: %v",
+ a.TargetVersionVoters, a.TargetVersionNonVoters, a.OtherVersionVoters, a.OtherVersionNonVoters)
+}
+
// RaftJoin wraps RaftJoinWithContext using context.Background.
func (c *Sys) RaftJoin(opts *RaftJoinRequest) (*RaftJoinResponse, error) {
return c.RaftJoinWithContext(context.Background(), opts)
diff --git a/vendor/github.com/kubernetes-csi/csi-lib-utils/connection/connection.go b/vendor/github.com/kubernetes-csi/csi-lib-utils/connection/connection.go
index ee0388934..3efc871b5 100644
--- a/vendor/github.com/kubernetes-csi/csi-lib-utils/connection/connection.go
+++ b/vendor/github.com/kubernetes-csi/csi-lib-utils/connection/connection.go
@@ -29,6 +29,8 @@ import (
"github.com/kubernetes-csi/csi-lib-utils/protosanitizer"
"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
"google.golang.org/grpc"
+ "google.golang.org/grpc/backoff"
+ "google.golang.org/grpc/credentials/insecure"
"k8s.io/klog/v2"
)
@@ -73,21 +75,21 @@ func SetMaxGRPCLogLength(characterCount int) {
//
// For other connections, the default behavior from gRPC is used and
// loss of connection is not detected reliably.
-func Connect(address string, metricsManager metrics.CSIMetricsManager, options ...Option) (*grpc.ClientConn, error) {
+func Connect(ctx context.Context, address string, metricsManager metrics.CSIMetricsManager, options ...Option) (*grpc.ClientConn, error) {
// Prepend default options
options = append([]Option{WithTimeout(time.Second * 30)}, options...)
if metricsManager != nil {
options = append([]Option{WithMetrics(metricsManager)}, options...)
}
- return connect(address, options)
+ return connect(ctx, address, options)
}
// ConnectWithoutMetrics behaves exactly like Connect except no metrics are recorded.
// This function is deprecated, prefer using Connect with `nil` as the metricsManager.
-func ConnectWithoutMetrics(address string, options ...Option) (*grpc.ClientConn, error) {
+func ConnectWithoutMetrics(ctx context.Context, address string, options ...Option) (*grpc.ClientConn, error) {
// Prepend default options
options = append([]Option{WithTimeout(time.Second * 30)}, options...)
- return connect(address, options)
+ return connect(ctx, address, options)
}
// Option is the type of all optional parameters for Connect.
@@ -97,7 +99,7 @@ type Option func(o *options)
// connection got lost. If that callback returns true, the connection
// is reestablished. Otherwise the connection is left as it is and
// all future gRPC calls using it will fail with status.Unavailable.
-func OnConnectionLoss(reconnect func() bool) Option {
+func OnConnectionLoss(reconnect func(context.Context) bool) Option {
return func(o *options) {
o.reconnect = reconnect
}
@@ -105,19 +107,25 @@ func OnConnectionLoss(reconnect func() bool) Option {
// ExitOnConnectionLoss returns callback for OnConnectionLoss() that writes
// an error to /dev/termination-log and exits.
-func ExitOnConnectionLoss() func() bool {
- return func() bool {
+func ExitOnConnectionLoss() func(context.Context) bool {
+ return func(ctx context.Context) bool {
terminationMsg := "Lost connection to CSI driver, exiting"
if err := os.WriteFile(terminationLogPath, []byte(terminationMsg), 0644); err != nil {
- klog.Errorf("%s: %s", terminationLogPath, err)
+ klog.FromContext(ctx).Error(err, "Failed to write a message to the termination logfile", "terminationLogPath", terminationLogPath)
}
- klog.Exit(terminationMsg)
+ klog.FromContext(ctx).Error(nil, terminationMsg)
+ klog.FlushAndExit(klog.ExitFlushTimeout, 1)
// Not reached.
return false
}
}
// WithTimeout adds a configurable timeout on the gRPC calls.
+// Note that this timeout also prevents all attempts to reconnect
+// because it uses context.WithTimeout internally.
+//
+// For more details, see https://github.com/grpc/grpc-go/issues/133
+// and https://github.com/kubernetes-csi/csi-lib-utils/pull/149#discussion_r1574707477
func WithTimeout(timeout time.Duration) Option {
return func(o *options) {
o.timeout = timeout
@@ -139,7 +147,7 @@ func WithOtelTracing() Option {
}
type options struct {
- reconnect func() bool
+ reconnect func(context.Context) bool
timeout time.Duration
metricsManager metrics.CSIMetricsManager
enableOtelTracing bool
@@ -147,22 +155,28 @@ type options struct {
// connect is the internal implementation of Connect. It has more options to enable testing.
func connect(
+ ctx context.Context,
address string,
connectOptions []Option) (*grpc.ClientConn, error) {
+ logger := klog.FromContext(ctx)
var o options
for _, option := range connectOptions {
option(&o)
}
+ bc := backoff.DefaultConfig
+ bc.MaxDelay = time.Second
dialOptions := []grpc.DialOption{
- grpc.WithInsecure(), // Don't use TLS, it's usually local Unix domain socket in a container.
- grpc.WithBackoffMaxDelay(time.Second), // Retry every second after failure.
+ grpc.WithTransportCredentials(insecure.NewCredentials()), // Don't use TLS, it's usually local Unix domain socket in a container.
+ grpc.WithConnectParams(grpc.ConnectParams{Backoff: bc}), // Retry every second after failure.
grpc.WithBlock(), // Block until connection succeeds.
grpc.WithIdleTimeout(time.Duration(0)), // Never close connection because of inactivity.
}
if o.timeout > 0 {
- dialOptions = append(dialOptions, grpc.WithTimeout(o.timeout))
+ var cancel context.CancelFunc
+ ctx, cancel = context.WithTimeout(ctx, o.timeout)
+ defer cancel()
}
interceptors := []grpc.UnaryClientInterceptor{LogGRPC}
@@ -186,20 +200,25 @@ func connect(
lostConnection := false
reconnect := true
- dialOptions = append(dialOptions, grpc.WithDialer(func(addr string, timeout time.Duration) (net.Conn, error) {
+ dialOptions = append(dialOptions, grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
+ logger := klog.FromContext(ctx)
if haveConnected && !lostConnection {
// We have detected a loss of connection for the first time. Decide what to do...
// Record this once. TODO (?): log at regular time intervals.
- klog.Errorf("Lost connection to %s.", address)
+ logger.Error(nil, "Lost connection", "address", address)
// Inform caller and let it decide? Default is to reconnect.
if o.reconnect != nil {
- reconnect = o.reconnect()
+ reconnect = o.reconnect(ctx)
}
lostConnection = true
}
if !reconnect {
return nil, errors.New("connection lost, reconnecting disabled")
}
+ var timeout time.Duration
+ if deadline, ok := ctx.Deadline(); ok {
+ timeout = time.Until(deadline)
+ }
conn, err := net.DialTimeout("unix", address[len(unixPrefix):], timeout)
if err == nil {
// Connection reestablished.
@@ -212,14 +231,14 @@ func connect(
return nil, errors.New("OnConnectionLoss callback only supported for unix:// addresses")
}
- klog.V(5).Infof("Connecting to %s", address)
+ logger.V(5).Info("Connecting", "address", address)
// Connect in background.
var conn *grpc.ClientConn
var err error
ready := make(chan bool)
go func() {
- conn, err = grpc.Dial(address, dialOptions...)
+ conn, err = grpc.DialContext(ctx, address, dialOptions...)
close(ready)
}()
@@ -231,7 +250,7 @@ func connect(
for {
select {
case <-ticker.C:
- klog.Warningf("Still connecting to %s", address)
+ logger.Info("Still connecting", "address", address)
case <-ready:
return conn, err
@@ -241,15 +260,14 @@ func connect(
// LogGRPC is gPRC unary interceptor for logging of CSI messages at level 5. It removes any secrets from the message.
func LogGRPC(ctx context.Context, method string, req, reply interface{}, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error {
- klog.V(5).Infof("GRPC call: %s", method)
- klog.V(5).Infof("GRPC request: %s", protosanitizer.StripSecrets(req))
+ logger := klog.FromContext(ctx)
+ logger.V(5).Info("GRPC call", "method", method, "request", protosanitizer.StripSecrets(req))
err := invoker(ctx, method, req, reply, cc, opts...)
cappedStr := protosanitizer.StripSecrets(reply).String()
if maxLogChar > 0 && len(cappedStr) > maxLogChar {
cappedStr = cappedStr[:maxLogChar] + fmt.Sprintf(" [response body too large, log capped to %d chars]", maxLogChar)
}
- klog.V(5).Infof("GRPC response: %s", cappedStr)
- klog.V(5).Infof("GRPC error: %v", err)
+ logger.V(5).Info("GRPC response", "response", cappedStr, "err", err)
return err
}
@@ -286,14 +304,14 @@ func (cmm ExtendedCSIMetricsManager) RecordMetricsClientInterceptor(
if additionalInfo != nil {
additionalInfoVal, ok := additionalInfo.(AdditionalInfo)
if !ok {
- klog.Errorf("Failed to record migrated status, cannot convert additional info %v", additionalInfo)
+ klog.FromContext(ctx).Error(nil, "Failed to record migrated status, cannot convert additional info", "additionalInfo", additionalInfo)
return err
}
migrated = additionalInfoVal.Migrated
}
cmmv, metricsErr := cmm.WithLabelValues(map[string]string{metrics.LabelMigrated: migrated})
if metricsErr != nil {
- klog.Errorf("Failed to record migrated status, error: %v", metricsErr)
+ klog.FromContext(ctx).Error(metricsErr, "Failed to record migrated status")
} else {
cmmBase = cmmv
}
diff --git a/vendor/github.com/kubernetes-csi/csi-lib-utils/rpc/common.go b/vendor/github.com/kubernetes-csi/csi-lib-utils/rpc/common.go
index 263bfba37..f83a7f15c 100644
--- a/vendor/github.com/kubernetes-csi/csi-lib-utils/rpc/common.go
+++ b/vendor/github.com/kubernetes-csi/csi-lib-utils/rpc/common.go
@@ -133,10 +133,15 @@ func GetGroupControllerCapabilities(ctx context.Context, conn *grpc.ClientConn)
// ProbeForever calls Probe() of a CSI driver and waits until the driver becomes ready.
// Any error other than timeout is returned.
-func ProbeForever(conn *grpc.ClientConn, singleProbeTimeout time.Duration) error {
+func ProbeForever(ctx context.Context, conn *grpc.ClientConn, singleProbeTimeout time.Duration) error {
+ logger := klog.FromContext(ctx)
+ ticker := time.NewTicker(probeInterval)
+ defer ticker.Stop()
+
for {
- klog.Info("Probing CSI driver for readiness")
- ready, err := probeOnce(conn, singleProbeTimeout)
+ // Run the probe once before waiting for the ticker
+ logger.Info("Probing CSI driver for readiness")
+ ready, err := probeOnce(ctx, conn, singleProbeTimeout)
if err != nil {
st, ok := status.FromError(err)
if !ok {
@@ -148,21 +153,25 @@ func ProbeForever(conn *grpc.ClientConn, singleProbeTimeout time.Duration) error
return fmt.Errorf("CSI driver probe failed: %s", err)
}
// Timeout -> driver is not ready. Fall through to sleep() below.
- klog.Warning("CSI driver probe timed out")
+ logger.Info("CSI driver probe timed out")
} else {
if ready {
return nil
}
- klog.Warning("CSI driver is not ready")
+ logger.Info("CSI driver is not ready")
+ }
+ select {
+ case <-ctx.Done():
+ return ctx.Err()
+ case <-ticker.C:
+ continue
}
- // Timeout was returned or driver is not ready.
- time.Sleep(probeInterval)
}
}
// probeOnce is a helper to simplify defer cancel()
-func probeOnce(conn *grpc.ClientConn, timeout time.Duration) (bool, error) {
- ctx, cancel := context.WithTimeout(context.Background(), timeout)
+func probeOnce(ctx context.Context, conn *grpc.ClientConn, timeout time.Duration) (bool, error) {
+ ctx, cancel := context.WithTimeout(ctx, timeout)
defer cancel()
return Probe(ctx, conn)
}
diff --git a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/LICENSE b/vendor/github.com/matttproud/golang_protobuf_extensions/v2/LICENSE
deleted file mode 100644
index 8dada3eda..000000000
--- a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/LICENSE
+++ /dev/null
@@ -1,201 +0,0 @@
- Apache License
- Version 2.0, January 2004
- http://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- APPENDIX: How to apply the Apache License to your work.
-
- To apply the Apache License to your work, attach the following
- boilerplate notice, with the fields enclosed by brackets "{}"
- replaced with your own identifying information. (Don't include
- the brackets!) The text should be enclosed in the appropriate
- comment syntax for the file format. We also recommend that a
- file or class name and description of purpose be included on the
- same "printed page" as the copyright notice for easier
- identification within third-party archives.
-
- Copyright {yyyy} {name of copyright owner}
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
diff --git a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/NOTICE b/vendor/github.com/matttproud/golang_protobuf_extensions/v2/NOTICE
deleted file mode 100644
index 5d8cb5b72..000000000
--- a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/NOTICE
+++ /dev/null
@@ -1 +0,0 @@
-Copyright 2012 Matt T. Proud (matt.proud@gmail.com)
diff --git a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/.gitignore b/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/.gitignore
deleted file mode 100644
index e16fb946b..000000000
--- a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-cover.dat
diff --git a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/Makefile b/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/Makefile
deleted file mode 100644
index 81be21437..000000000
--- a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-all:
-
-cover:
- go test -cover -v -coverprofile=cover.dat ./...
- go tool cover -func cover.dat
-
-.PHONY: cover
diff --git a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/decode.go b/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/decode.go
deleted file mode 100644
index 7c08e564f..000000000
--- a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/decode.go
+++ /dev/null
@@ -1,81 +0,0 @@
-// Copyright 2013 Matt T. Proud
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package pbutil
-
-import (
- "encoding/binary"
- "errors"
- "io"
-
- "google.golang.org/protobuf/proto"
-)
-
-// TODO: Give error package name prefix in next minor release.
-var errInvalidVarint = errors.New("invalid varint32 encountered")
-
-// ReadDelimited decodes a message from the provided length-delimited stream,
-// where the length is encoded as 32-bit varint prefix to the message body.
-// It returns the total number of bytes read and any applicable error. This is
-// roughly equivalent to the companion Java API's
-// MessageLite#parseDelimitedFrom. As per the reader contract, this function
-// calls r.Read repeatedly as required until exactly one message including its
-// prefix is read and decoded (or an error has occurred). The function never
-// reads more bytes from the stream than required. The function never returns
-// an error if a message has been read and decoded correctly, even if the end
-// of the stream has been reached in doing so. In that case, any subsequent
-// calls return (0, io.EOF).
-func ReadDelimited(r io.Reader, m proto.Message) (n int, err error) {
- // TODO: Consider allowing the caller to specify a decode buffer in the
- // next major version.
-
- // TODO: Consider using error wrapping to annotate error state in pass-
- // through cases in the next minor version.
-
- // Per AbstractParser#parsePartialDelimitedFrom with
- // CodedInputStream#readRawVarint32.
- var headerBuf [binary.MaxVarintLen32]byte
- var bytesRead, varIntBytes int
- var messageLength uint64
- for varIntBytes == 0 { // i.e. no varint has been decoded yet.
- if bytesRead >= len(headerBuf) {
- return bytesRead, errInvalidVarint
- }
- // We have to read byte by byte here to avoid reading more bytes
- // than required. Each read byte is appended to what we have
- // read before.
- newBytesRead, err := r.Read(headerBuf[bytesRead : bytesRead+1])
- if newBytesRead == 0 {
- if err != nil {
- return bytesRead, err
- }
- // A Reader should not return (0, nil); but if it does, it should
- // be treated as no-op according to the Reader contract.
- continue
- }
- bytesRead += newBytesRead
- // Now present everything read so far to the varint decoder and
- // see if a varint can be decoded already.
- messageLength, varIntBytes = binary.Uvarint(headerBuf[:bytesRead])
- }
-
- messageBuf := make([]byte, messageLength)
- newBytesRead, err := io.ReadFull(r, messageBuf)
- bytesRead += newBytesRead
- if err != nil {
- return bytesRead, err
- }
-
- return bytesRead, proto.Unmarshal(messageBuf, m)
-}
diff --git a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/doc.go b/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/doc.go
deleted file mode 100644
index c318385cb..000000000
--- a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/doc.go
+++ /dev/null
@@ -1,16 +0,0 @@
-// Copyright 2013 Matt T. Proud
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Package pbutil provides record length-delimited Protocol Buffer streaming.
-package pbutil
diff --git a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/encode.go b/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/encode.go
deleted file mode 100644
index e58dd9d29..000000000
--- a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/encode.go
+++ /dev/null
@@ -1,49 +0,0 @@
-// Copyright 2013 Matt T. Proud
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package pbutil
-
-import (
- "encoding/binary"
- "io"
-
- "google.golang.org/protobuf/proto"
-)
-
-// WriteDelimited encodes and dumps a message to the provided writer prefixed
-// with a 32-bit varint indicating the length of the encoded message, producing
-// a length-delimited record stream, which can be used to chain together
-// encoded messages of the same type together in a file. It returns the total
-// number of bytes written and any applicable error. This is roughly
-// equivalent to the companion Java API's MessageLite#writeDelimitedTo.
-func WriteDelimited(w io.Writer, m proto.Message) (n int, err error) {
- // TODO: Consider allowing the caller to specify an encode buffer in the
- // next major version.
-
- buffer, err := proto.Marshal(m)
- if err != nil {
- return 0, err
- }
-
- var buf [binary.MaxVarintLen32]byte
- encodedLength := binary.PutUvarint(buf[:], uint64(len(buffer)))
-
- sync, err := w.Write(buf[:encodedLength])
- if err != nil {
- return sync, err
- }
-
- n, err = w.Write(buffer)
- return n + sync, err
-}
diff --git a/vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md b/vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md
index 44222220a..76577dc78 100644
--- a/vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md
+++ b/vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md
@@ -1,3 +1,48 @@
+## 2.19.0
+
+### Features
+
+[Label Sets](https://onsi.github.io/ginkgo/#label-sets) allow for more expressive and flexible label filtering.
+
+## 2.18.0
+
+### Features
+- Add --slience-skips and --force-newlines [f010b65]
+- fail when no tests were run and --fail-on-empty was set [d80eebe]
+
+### Fixes
+- Fix table entry context edge case [42013d6]
+
+### Maintenance
+- Bump golang.org/x/tools from 0.20.0 to 0.21.0 (#1406) [fcf1fd7]
+- Bump github.com/onsi/gomega from 1.33.0 to 1.33.1 (#1399) [8bb14fd]
+- Bump golang.org/x/net from 0.24.0 to 0.25.0 (#1407) [04bfad7]
+
+## 2.17.3
+
+### Fixes
+`ginkgo watch` now ignores hidden files [bde6e00]
+
+## 2.17.2
+
+### Fixes
+- fix: close files [32259c8]
+- fix github output log level for skipped specs [780e7a3]
+
+### Maintenance
+- Bump github.com/google/pprof [d91fe4e]
+- Bump github.com/go-task/slim-sprig to v3 [8cb662e]
+- Bump golang.org/x/net in /integration/_fixtures/version_mismatch_fixture (#1391) [3134422]
+- Bump github-pages from 230 to 231 in /docs (#1384) [eca81b4]
+- Bump golang.org/x/tools from 0.19.0 to 0.20.0 (#1383) [760def8]
+- Bump golang.org/x/net from 0.23.0 to 0.24.0 (#1381) [4ce33f4]
+- Fix test for gomega version bump [f2fcd97]
+- Bump github.com/onsi/gomega from 1.30.0 to 1.33.0 (#1390) [fd622d2]
+- Bump golang.org/x/tools from 0.17.0 to 0.19.0 (#1368) [5474a26]
+- Bump github-pages from 229 to 230 in /docs (#1359) [e6d1170]
+- Bump google.golang.org/protobuf from 1.28.0 to 1.33.0 (#1374) [7f447b2]
+- Bump golang.org/x/net from 0.20.0 to 0.23.0 (#1380) [f15239a]
+
## 2.17.1
### Fixes
diff --git a/vendor/github.com/onsi/ginkgo/v2/CONTRIBUTING.md b/vendor/github.com/onsi/ginkgo/v2/CONTRIBUTING.md
index 1da92fe7e..80de566a5 100644
--- a/vendor/github.com/onsi/ginkgo/v2/CONTRIBUTING.md
+++ b/vendor/github.com/onsi/ginkgo/v2/CONTRIBUTING.md
@@ -6,8 +6,10 @@ Your contributions to Ginkgo are essential for its long-term maintenance and imp
- Ensure adequate test coverage:
- When adding to the Ginkgo library, add unit and/or integration tests (under the `integration` folder).
- When adding to the Ginkgo CLI, note that there are very few unit tests. Please add an integration test.
-- Make sure all the tests succeed via `ginkgo -r -p`
-- Vet your changes via `go vet ./...`
-- Update the documentation. Ginkgo uses `godoc` comments and documentation in `docs/index.md`. You can run `bundle exec jekyll serve` in the `docs` directory to preview your changes.
+- Run `make` or:
+ - Install ginkgo locally via `go install ./...`
+ - Make sure all the tests succeed via `ginkgo -r -p`
+ - Vet your changes via `go vet ./...`
+- Update the documentation. Ginkgo uses `godoc` comments and documentation in `docs/index.md`. You can run `bundle && bundle exec jekyll serve` in the `docs` directory to preview your changes.
-Thanks for supporting Ginkgo!
\ No newline at end of file
+Thanks for supporting Ginkgo!
diff --git a/vendor/github.com/onsi/ginkgo/v2/Makefile b/vendor/github.com/onsi/ginkgo/v2/Makefile
new file mode 100644
index 000000000..cb099aff9
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/Makefile
@@ -0,0 +1,11 @@
+# default task since it's first
+.PHONY: all
+all: vet test
+
+.PHONY: test
+test:
+ go run github.com/onsi/ginkgo/v2/ginkgo -r -p
+
+.PHONY: vet
+vet:
+ go vet ./...
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/bootstrap_command.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/bootstrap_command.go
index 73aff0b7a..b2dc59be6 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/bootstrap_command.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/bootstrap_command.go
@@ -7,7 +7,7 @@ import (
"os"
"text/template"
- sprig "github.com/go-task/slim-sprig"
+ sprig "github.com/go-task/slim-sprig/v3"
"github.com/onsi/ginkgo/v2/ginkgo/command"
"github.com/onsi/ginkgo/v2/ginkgo/internal"
"github.com/onsi/ginkgo/v2/types"
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/generate_command.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/generate_command.go
index be01dec97..cf3b7cb6d 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/generate_command.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/generate_command.go
@@ -10,7 +10,7 @@ import (
"strings"
"text/template"
- sprig "github.com/go-task/slim-sprig"
+ sprig "github.com/go-task/slim-sprig/v3"
"github.com/onsi/ginkgo/v2/ginkgo/command"
"github.com/onsi/ginkgo/v2/ginkgo/internal"
"github.com/onsi/ginkgo/v2/types"
@@ -174,6 +174,7 @@ func moduleName(modRoot string) string {
if err != nil {
return ""
}
+ defer modFile.Close()
mod := make([]byte, 128)
_, err = modFile.Read(mod)
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go
index 5f35864dd..8e16d2bb0 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go
@@ -161,6 +161,7 @@ func MergeAndCleanupCoverProfiles(profiles []string, destination string) error {
if err != nil {
return err
}
+ defer dst.Close()
err = DumpCoverProfiles(merged, dst)
if err != nil {
return err
@@ -196,6 +197,7 @@ func MergeProfiles(profilePaths []string, destination string) error {
return fmt.Errorf("Could not open profile: %s\n%s", profilePath, err.Error())
}
prof, err := profile.Parse(proFile)
+ _ = proFile.Close()
if err != nil {
return fmt.Errorf("Could not parse profile: %s\n%s", profilePath, err.Error())
}
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/package_hash.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/package_hash.go
index 17d052bdc..0e6ae1f29 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/package_hash.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/package_hash.go
@@ -4,6 +4,7 @@ import (
"fmt"
"os"
"regexp"
+ "strings"
"time"
)
@@ -79,6 +80,10 @@ func (p *PackageHash) computeHashes() (codeHash string, codeModifiedTime time.Ti
continue
}
+ if isHiddenFile(info) {
+ continue
+ }
+
if goTestRegExp.MatchString(info.Name()) {
testHash += p.hashForFileInfo(info)
if info.ModTime().After(testModifiedTime) {
@@ -103,6 +108,10 @@ func (p *PackageHash) computeHashes() (codeHash string, codeModifiedTime time.Ti
return
}
+func isHiddenFile(info os.FileInfo) bool {
+ return strings.HasPrefix(info.Name(), ".") || strings.HasPrefix(info.Name(), "_")
+}
+
func (p *PackageHash) hashForFileInfo(info os.FileInfo) string {
return fmt.Sprintf("%s_%d_%d", info.Name(), info.Size(), info.ModTime().UnixNano())
}
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/suite.go b/vendor/github.com/onsi/ginkgo/v2/internal/suite.go
index a994ee3d6..a3c9e6bf1 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/suite.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/suite.go
@@ -489,10 +489,15 @@ func (suite *Suite) runSpecs(description string, suiteLabels Labels, suitePath s
newGroup(suite).run(specs.AtIndices(groupedSpecIndices[groupedSpecIdx]))
}
- if specs.HasAnySpecsMarkedPending() && suite.config.FailOnPending {
+ if suite.config.FailOnPending && specs.HasAnySpecsMarkedPending() {
suite.report.SpecialSuiteFailureReasons = append(suite.report.SpecialSuiteFailureReasons, "Detected pending specs and --fail-on-pending is set")
suite.report.SuiteSucceeded = false
}
+
+ if suite.config.FailOnEmpty && specs.CountWithoutSkip() == 0 {
+ suite.report.SpecialSuiteFailureReasons = append(suite.report.SpecialSuiteFailureReasons, "Detected no specs ran and --fail-on-empty is set")
+ suite.report.SuiteSucceeded = false
+ }
}
if ranBeforeSuite {
diff --git a/vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go b/vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go
index 4026859ec..480730486 100644
--- a/vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go
+++ b/vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go
@@ -202,6 +202,11 @@ func (r *DefaultReporter) DidRun(report types.SpecReport) {
v := r.conf.Verbosity()
inParallel := report.RunningInParallel
+ //should we completely omit this spec?
+ if report.State.Is(types.SpecStateSkipped) && r.conf.SilenceSkips {
+ return
+ }
+
header := r.specDenoter
if report.LeafNodeType.Is(types.NodeTypesForSuiteLevelNodes) {
header = fmt.Sprintf("[%s]", report.LeafNodeType)
@@ -278,9 +283,12 @@ func (r *DefaultReporter) DidRun(report types.SpecReport) {
}
}
- // If we have no content to show, jsut emit the header and return
+ // If we have no content to show, just emit the header and return
if !reportHasContent {
r.emit(r.f(highlightColor + header + "{{/}}"))
+ if r.conf.ForceNewlines {
+ r.emit("\n")
+ }
return
}
@@ -419,7 +427,11 @@ func (r *DefaultReporter) emitFailure(indent uint, state types.SpecState, failur
highlightColor := r.highlightColorForState(state)
r.emitBlock(r.fi(indent, highlightColor+"[%s] %s{{/}}", r.humanReadableState(state), failure.Message))
if r.conf.GithubOutput {
- r.emitBlock(r.fi(indent, "::error file=%s,line=%d::%s %s", failure.Location.FileName, failure.Location.LineNumber, failure.FailureNodeType, failure.TimelineLocation.Time.Format(types.GINKGO_TIME_FORMAT)))
+ level := "error"
+ if state.Is(types.SpecStateSkipped) {
+ level = "notice"
+ }
+ r.emitBlock(r.fi(indent, "::%s file=%s,line=%d::%s %s", level, failure.Location.FileName, failure.Location.LineNumber, failure.FailureNodeType, failure.TimelineLocation.Time.Format(types.GINKGO_TIME_FORMAT)))
} else {
r.emitBlock(r.fi(indent, highlightColor+"In {{bold}}[%s]{{/}}"+highlightColor+" at: {{bold}}%s{{/}} {{gray}}@ %s{{/}}\n", failure.FailureNodeType, failure.Location, failure.TimelineLocation.Time.Format(types.GINKGO_TIME_FORMAT)))
}
diff --git a/vendor/github.com/onsi/ginkgo/v2/reporters/junit_report.go b/vendor/github.com/onsi/ginkgo/v2/reporters/junit_report.go
index 43244a9bd..562e0f62b 100644
--- a/vendor/github.com/onsi/ginkgo/v2/reporters/junit_report.go
+++ b/vendor/github.com/onsi/ginkgo/v2/reporters/junit_report.go
@@ -177,6 +177,7 @@ func GenerateJUnitReportWithConfig(report types.Report, dst string, config Junit
{"FocusFiles", strings.Join(report.SuiteConfig.FocusFiles, ";")},
{"SkipFiles", strings.Join(report.SuiteConfig.SkipFiles, ";")},
{"FailOnPending", fmt.Sprintf("%t", report.SuiteConfig.FailOnPending)},
+ {"FailOnEmpty", fmt.Sprintf("%t", report.SuiteConfig.FailOnEmpty)},
{"FailFast", fmt.Sprintf("%t", report.SuiteConfig.FailFast)},
{"FlakeAttempts", fmt.Sprintf("%d", report.SuiteConfig.FlakeAttempts)},
{"DryRun", fmt.Sprintf("%t", report.SuiteConfig.DryRun)},
@@ -324,6 +325,7 @@ func MergeAndCleanupJUnitReports(sources []string, dst string) ([]string, error)
continue
}
err = xml.NewDecoder(f).Decode(&report)
+ _ = f.Close()
if err != nil {
messages = append(messages, fmt.Sprintf("Could not decode %s:\n%s", source, err.Error()))
continue
diff --git a/vendor/github.com/onsi/ginkgo/v2/table_dsl.go b/vendor/github.com/onsi/ginkgo/v2/table_dsl.go
index a3aef821b..c7de7a8be 100644
--- a/vendor/github.com/onsi/ginkgo/v2/table_dsl.go
+++ b/vendor/github.com/onsi/ginkgo/v2/table_dsl.go
@@ -269,11 +269,15 @@ func generateTable(description string, isSubtree bool, args ...interface{}) {
internalNodeArgs = append(internalNodeArgs, entry.decorations...)
hasContext := false
- if internalBodyType.NumIn() > 0. {
+ if internalBodyType.NumIn() > 0 {
if internalBodyType.In(0).Implements(specContextType) {
hasContext = true
- } else if internalBodyType.In(0).Implements(contextType) && (len(entry.parameters) == 0 || !reflect.TypeOf(entry.parameters[0]).Implements(contextType)) {
+ } else if internalBodyType.In(0).Implements(contextType) {
hasContext = true
+ if len(entry.parameters) > 0 && reflect.TypeOf(entry.parameters[0]) != nil && reflect.TypeOf(entry.parameters[0]).Implements(contextType) {
+ // we allow you to pass in a non-nil context
+ hasContext = false
+ }
}
}
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/config.go b/vendor/github.com/onsi/ginkgo/v2/types/config.go
index cef273ee1..66463cf5e 100644
--- a/vendor/github.com/onsi/ginkgo/v2/types/config.go
+++ b/vendor/github.com/onsi/ginkgo/v2/types/config.go
@@ -25,6 +25,7 @@ type SuiteConfig struct {
SkipFiles []string
LabelFilter string
FailOnPending bool
+ FailOnEmpty bool
FailFast bool
FlakeAttempts int
MustPassRepeatedly int
@@ -90,6 +91,8 @@ type ReporterConfig struct {
FullTrace bool
ShowNodeEvents bool
GithubOutput bool
+ SilenceSkips bool
+ ForceNewlines bool
JSONReport string
JUnitReport string
@@ -275,6 +278,8 @@ var SuiteConfigFlags = GinkgoFlags{
Usage: "If set, ginkgo will stop running a test suite after a failure occurs."},
{KeyPath: "S.FlakeAttempts", Name: "flake-attempts", SectionKey: "failure", UsageDefaultValue: "0 - failed tests are not retried", DeprecatedName: "flakeAttempts", DeprecatedDocLink: "changed-command-line-flags",
Usage: "Make up to this many attempts to run each spec. If any of the attempts succeed, the suite will not be failed."},
+ {KeyPath: "S.FailOnEmpty", Name: "fail-on-empty", SectionKey: "failure",
+ Usage: "If set, ginkgo will mark the test suite as failed if no specs are run."},
{KeyPath: "S.DryRun", Name: "dry-run", SectionKey: "debug", DeprecatedName: "dryRun", DeprecatedDocLink: "changed-command-line-flags",
Usage: "If set, ginkgo will walk the test hierarchy without actually running anything. Best paired with -v."},
@@ -334,6 +339,10 @@ var ReporterConfigFlags = GinkgoFlags{
Usage: "If set, default reporter prints node > Enter and < Exit events when specs fail"},
{KeyPath: "R.GithubOutput", Name: "github-output", SectionKey: "output",
Usage: "If set, default reporter prints easier to manage output in Github Actions."},
+ {KeyPath: "R.SilenceSkips", Name: "silence-skips", SectionKey: "output",
+ Usage: "If set, default reporter will not print out skipped tests."},
+ {KeyPath: "R.ForceNewlines", Name: "force-newlines", SectionKey: "output",
+ Usage: "If set, default reporter will ensure a newline appears after each test."},
{KeyPath: "R.JSONReport", Name: "json-report", UsageArgument: "filename.json", SectionKey: "output",
Usage: "If set, Ginkgo will generate a JSON-formatted test report at the specified location."},
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/label_filter.go b/vendor/github.com/onsi/ginkgo/v2/types/label_filter.go
index b0d3b651e..7fdc8aa23 100644
--- a/vendor/github.com/onsi/ginkgo/v2/types/label_filter.go
+++ b/vendor/github.com/onsi/ginkgo/v2/types/label_filter.go
@@ -45,6 +45,83 @@ func orAction(a, b LabelFilter) LabelFilter {
return func(labels []string) bool { return a(labels) || b(labels) }
}
+func labelSetFor(key string, labels []string) map[string]bool {
+ key = strings.ToLower(strings.TrimSpace(key))
+ out := map[string]bool{}
+ for _, label := range labels {
+ components := strings.SplitN(label, ":", 2)
+ if len(components) < 2 {
+ continue
+ }
+ if key == strings.ToLower(strings.TrimSpace(components[0])) {
+ out[strings.ToLower(strings.TrimSpace(components[1]))] = true
+ }
+ }
+
+ return out
+}
+
+func isEmptyLabelSetAction(key string) LabelFilter {
+ return func(labels []string) bool {
+ return len(labelSetFor(key, labels)) == 0
+ }
+}
+
+func containsAnyLabelSetAction(key string, expectedValues []string) LabelFilter {
+ return func(labels []string) bool {
+ set := labelSetFor(key, labels)
+ for _, value := range expectedValues {
+ if set[value] {
+ return true
+ }
+ }
+ return false
+ }
+}
+
+func containsAllLabelSetAction(key string, expectedValues []string) LabelFilter {
+ return func(labels []string) bool {
+ set := labelSetFor(key, labels)
+ for _, value := range expectedValues {
+ if !set[value] {
+ return false
+ }
+ }
+ return true
+ }
+}
+
+func consistsOfLabelSetAction(key string, expectedValues []string) LabelFilter {
+ return func(labels []string) bool {
+ set := labelSetFor(key, labels)
+ if len(set) != len(expectedValues) {
+ return false
+ }
+ for _, value := range expectedValues {
+ if !set[value] {
+ return false
+ }
+ }
+ return true
+ }
+}
+
+func isSubsetOfLabelSetAction(key string, expectedValues []string) LabelFilter {
+ expectedSet := map[string]bool{}
+ for _, value := range expectedValues {
+ expectedSet[value] = true
+ }
+ return func(labels []string) bool {
+ set := labelSetFor(key, labels)
+ for value := range set {
+ if !expectedSet[value] {
+ return false
+ }
+ }
+ return true
+ }
+}
+
type lfToken uint
const (
@@ -58,6 +135,9 @@ const (
lfTokenOr
lfTokenRegexp
lfTokenLabel
+ lfTokenSetKey
+ lfTokenSetOperation
+ lfTokenSetArgument
lfTokenEOF
)
@@ -71,6 +151,8 @@ func (l lfToken) Precedence() int {
return 2
case lfTokenNot:
return 3
+ case lfTokenSetOperation:
+ return 4
}
return -1
}
@@ -93,6 +175,12 @@ func (l lfToken) String() string {
return "/regexp/"
case lfTokenLabel:
return "label"
+ case lfTokenSetKey:
+ return "set_key"
+ case lfTokenSetOperation:
+ return "set_operation"
+ case lfTokenSetArgument:
+ return "set_argument"
case lfTokenEOF:
return "EOF"
}
@@ -148,6 +236,35 @@ func (tn *treeNode) constructLabelFilter(input string) (LabelFilter, error) {
return nil, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, tn.location, fmt.Sprintf("RegExp compilation error: %s", err))
}
return matchLabelRegexAction(re), nil
+ case lfTokenSetOperation:
+ tokenSetOperation := strings.ToLower(tn.value)
+ if tokenSetOperation == "isempty" {
+ return isEmptyLabelSetAction(tn.leftNode.value), nil
+ }
+ if tn.rightNode == nil {
+ return nil, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, tn.location, fmt.Sprintf("Set operation '%s' is missing an argument.", tn.value))
+ }
+
+ rawValues := strings.Split(tn.rightNode.value, ",")
+ values := make([]string, len(rawValues))
+ for i := range rawValues {
+ values[i] = strings.ToLower(strings.TrimSpace(rawValues[i]))
+ if strings.ContainsAny(values[i], "&|!,()/") {
+ return nil, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, tn.rightNode.location, fmt.Sprintf("Invalid label value '%s' in set operation argument.", values[i]))
+ } else if values[i] == "" {
+ return nil, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, tn.rightNode.location, "Empty label value in set operation argument.")
+ }
+ }
+ switch tokenSetOperation {
+ case "containsany":
+ return containsAnyLabelSetAction(tn.leftNode.value, values), nil
+ case "containsall":
+ return containsAllLabelSetAction(tn.leftNode.value, values), nil
+ case "consistsof":
+ return consistsOfLabelSetAction(tn.leftNode.value, values), nil
+ case "issubsetof":
+ return isSubsetOfLabelSetAction(tn.leftNode.value, values), nil
+ }
}
if tn.rightNode == nil {
@@ -203,7 +320,17 @@ func (tn *treeNode) toString(indent int) string {
return out
}
+var validSetOperations = map[string]string{
+ "containsany": "containsAny",
+ "containsall": "containsAll",
+ "consistsof": "consistsOf",
+ "issubsetof": "isSubsetOf",
+ "isempty": "isEmpty",
+}
+
func tokenize(input string) func() (*treeNode, error) {
+ lastToken := lfTokenInvalid
+ lastValue := ""
runes, i := []rune(input), 0
peekIs := func(r rune) bool {
@@ -233,6 +360,53 @@ func tokenize(input string) func() (*treeNode, error) {
}
node := &treeNode{location: i}
+ defer func() {
+ lastToken = node.token
+ lastValue = node.value
+ }()
+
+ if lastToken == lfTokenSetKey {
+ //we should get a valid set operation next
+ value, n := consumeUntil(" )")
+ if validSetOperations[strings.ToLower(value)] == "" {
+ return &treeNode{}, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, i, fmt.Sprintf("Invalid set operation '%s'.", value))
+ }
+ i += n
+ node.token, node.value = lfTokenSetOperation, value
+ return node, nil
+ }
+ if lastToken == lfTokenSetOperation {
+ //we should get an argument next, if we aren't isempty
+ var arg = ""
+ origI := i
+ if runes[i] == '{' {
+ i += 1
+ value, n := consumeUntil("}")
+ if i+n >= len(runes) {
+ return &treeNode{}, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, i-1, "Missing closing '}' in set operation argument?")
+ }
+ i += n + 1
+ arg = value
+ } else {
+ value, n := consumeUntil("&|!,()/")
+ i += n
+ arg = strings.TrimSpace(value)
+ }
+ if strings.ToLower(lastValue) == "isempty" && arg != "" {
+ return &treeNode{}, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, origI, fmt.Sprintf("isEmpty does not take arguments, was passed '%s'.", arg))
+ }
+ if arg == "" && strings.ToLower(lastValue) != "isempty" {
+ if i < len(runes) && runes[i] == '/' {
+ return &treeNode{}, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, origI, "Set operations do not support regular expressions.")
+ } else {
+ return &treeNode{}, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, origI, fmt.Sprintf("Set operation '%s' requires an argument.", lastValue))
+ }
+ }
+ // note that we sent an empty SetArgument token if we are isempty
+ node.token, node.value = lfTokenSetArgument, arg
+ return node, nil
+ }
+
switch runes[i] {
case '&':
if !peekIs('&') {
@@ -264,8 +438,38 @@ func tokenize(input string) func() (*treeNode, error) {
i += n + 1
node.token, node.value = lfTokenRegexp, value
default:
- value, n := consumeUntil("&|!,()/")
+ value, n := consumeUntil("&|!,()/:")
i += n
+ value = strings.TrimSpace(value)
+
+ //are we the beginning of a set operation?
+ if i < len(runes) && runes[i] == ':' {
+ if peekIs(' ') {
+ if value == "" {
+ return &treeNode{}, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, i, "Missing set key.")
+ }
+ i += 1
+ //we are the beginning of a set operation
+ node.token, node.value = lfTokenSetKey, value
+ return node, nil
+ }
+ additionalValue, n := consumeUntil("&|!,()/")
+ additionalValue = strings.TrimSpace(additionalValue)
+ if additionalValue == ":" {
+ return &treeNode{}, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, i, "Missing set operation.")
+ }
+ i += n
+ value += additionalValue
+ }
+
+ valueToCheckForSetOperation := strings.ToLower(value)
+ for setOperation := range validSetOperations {
+ idx := strings.Index(valueToCheckForSetOperation, " "+setOperation)
+ if idx > 0 {
+ return &treeNode{}, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, i-n+idx+1, fmt.Sprintf("Looks like you are using the set operator '%s' but did not provide a set key. Did you forget the ':'?", validSetOperations[setOperation]))
+ }
+ }
+
node.token, node.value = lfTokenLabel, strings.TrimSpace(value)
}
return node, nil
@@ -307,7 +511,7 @@ LOOP:
switch node.token {
case lfTokenEOF:
break LOOP
- case lfTokenLabel, lfTokenRegexp:
+ case lfTokenLabel, lfTokenRegexp, lfTokenSetKey:
if current.rightNode != nil {
return nil, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, node.location, "Found two adjacent labels. You need an operator between them.")
}
@@ -326,6 +530,18 @@ LOOP:
node.setLeftNode(nodeToStealFrom.rightNode)
nodeToStealFrom.setRightNode(node)
current = node
+ case lfTokenSetOperation:
+ if current.rightNode == nil {
+ return nil, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, node.location, fmt.Sprintf("Set operation '%s' missing left hand operand.", node.value))
+ }
+ node.setLeftNode(current.rightNode)
+ current.setRightNode(node)
+ current = node
+ case lfTokenSetArgument:
+ if current.rightNode != nil {
+ return nil, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, node.location, fmt.Sprintf("Unexpected set argument '%s'.", node.token))
+ }
+ current.setRightNode(node)
case lfTokenCloseGroup:
firstUnmatchedOpenNode := current.firstUnmatchedOpenNode()
if firstUnmatchedOpenNode == nil {
@@ -354,5 +570,14 @@ func ValidateAndCleanupLabel(label string, cl CodeLocation) (string, error) {
if strings.ContainsAny(out, "&|!,()/") {
return "", GinkgoErrors.InvalidLabel(label, cl)
}
+ if out[0] == ':' {
+ return "", GinkgoErrors.InvalidLabel(label, cl)
+ }
+ if strings.Contains(out, ":") {
+ components := strings.SplitN(out, ":", 2)
+ if len(components) < 2 || components[1] == "" {
+ return "", GinkgoErrors.InvalidLabel(label, cl)
+ }
+ }
return out, nil
}
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/version.go b/vendor/github.com/onsi/ginkgo/v2/types/version.go
index 851d42b45..acab03492 100644
--- a/vendor/github.com/onsi/ginkgo/v2/types/version.go
+++ b/vendor/github.com/onsi/ginkgo/v2/types/version.go
@@ -1,3 +1,3 @@
package types
-const VERSION = "2.17.1"
+const VERSION = "2.19.0"
diff --git a/vendor/github.com/onsi/gomega/CHANGELOG.md b/vendor/github.com/onsi/gomega/CHANGELOG.md
index 01ec5245c..62af14ad2 100644
--- a/vendor/github.com/onsi/gomega/CHANGELOG.md
+++ b/vendor/github.com/onsi/gomega/CHANGELOG.md
@@ -1,3 +1,22 @@
+## 1.33.1
+
+### Fixes
+- fix confusing eventually docs [3a66379]
+
+### Maintenance
+- Bump github.com/onsi/ginkgo/v2 from 2.17.1 to 2.17.2 [e9bc35a]
+
+## 1.33.0
+
+### Features
+
+`Receive` not accepts `Receive(, MATCHER>)`, allowing you to pick out a specific value on the channel that satisfies the provided matcher and is stored in the provided pointer.
+
+### Maintenance
+- Bump github.com/onsi/ginkgo/v2 from 2.15.0 to 2.17.1 (#745) [9999deb]
+- Bump github-pages from 229 to 230 in /docs (#735) [cb5ff21]
+- Bump golang.org/x/net from 0.20.0 to 0.23.0 (#746) [bac6596]
+
## 1.32.0
### Maintenance
diff --git a/vendor/github.com/onsi/gomega/gomega_dsl.go b/vendor/github.com/onsi/gomega/gomega_dsl.go
index ffb81b1fe..9697d5134 100644
--- a/vendor/github.com/onsi/gomega/gomega_dsl.go
+++ b/vendor/github.com/onsi/gomega/gomega_dsl.go
@@ -22,7 +22,7 @@ import (
"github.com/onsi/gomega/types"
)
-const GOMEGA_VERSION = "1.32.0"
+const GOMEGA_VERSION = "1.33.1"
const nilGomegaPanic = `You are trying to make an assertion, but haven't registered Gomega's fail handler.
If you're using Ginkgo then you probably forgot to put your assertion in an It().
@@ -372,11 +372,11 @@ You can ensure that you get a number of consecutive successful tries before succ
Finally, in addition to passing timeouts and a context to Eventually you can be more explicit with Eventually's chaining configuration methods:
- Eventually(..., "1s", "2s", ctx).Should(...)
+ Eventually(..., "10s", "2s", ctx).Should(...)
is equivalent to
- Eventually(...).WithTimeout(time.Second).WithPolling(2*time.Second).WithContext(ctx).Should(...)
+ Eventually(...).WithTimeout(10*time.Second).WithPolling(2*time.Second).WithContext(ctx).Should(...)
*/
func Eventually(actualOrCtx interface{}, args ...interface{}) AsyncAssertion {
ensureDefaultGomegaIsConfigured()
diff --git a/vendor/github.com/onsi/gomega/matchers.go b/vendor/github.com/onsi/gomega/matchers.go
index 8860d677f..7ef27dc9c 100644
--- a/vendor/github.com/onsi/gomega/matchers.go
+++ b/vendor/github.com/onsi/gomega/matchers.go
@@ -194,20 +194,21 @@ func BeClosed() types.GomegaMatcher {
//
// will repeatedly attempt to pull values out of `c` until a value matching "bar" is received.
//
-// Finally, if you want to have a reference to the value *sent* to the channel you can pass the `Receive` matcher a pointer to a variable of the appropriate type:
+// Furthermore, if you want to have a reference to the value *sent* to the channel you can pass the `Receive` matcher a pointer to a variable of the appropriate type:
//
// var myThing thing
// Eventually(thingChan).Should(Receive(&myThing))
// Expect(myThing.Sprocket).Should(Equal("foo"))
// Expect(myThing.IsValid()).Should(BeTrue())
+//
+// Finally, if you want to match the received object as well as get the actual received value into a variable, so you can reason further about the value received,
+// you can pass a pointer to a variable of the approriate type first, and second a matcher:
+//
+// var myThing thing
+// Eventually(thingChan).Should(Receive(&myThing, ContainSubstring("bar")))
func Receive(args ...interface{}) types.GomegaMatcher {
- var arg interface{}
- if len(args) > 0 {
- arg = args[0]
- }
-
return &matchers.ReceiveMatcher{
- Arg: arg,
+ Args: args,
}
}
diff --git a/vendor/github.com/onsi/gomega/matchers/receive_matcher.go b/vendor/github.com/onsi/gomega/matchers/receive_matcher.go
index 1936a2ba5..948164eaf 100644
--- a/vendor/github.com/onsi/gomega/matchers/receive_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/receive_matcher.go
@@ -3,6 +3,7 @@
package matchers
import (
+ "errors"
"fmt"
"reflect"
@@ -10,7 +11,7 @@ import (
)
type ReceiveMatcher struct {
- Arg interface{}
+ Args []interface{}
receivedValue reflect.Value
channelClosed bool
}
@@ -29,16 +30,39 @@ func (matcher *ReceiveMatcher) Match(actual interface{}) (success bool, err erro
var subMatcher omegaMatcher
var hasSubMatcher bool
+ var resultReference interface{}
- if matcher.Arg != nil {
- subMatcher, hasSubMatcher = (matcher.Arg).(omegaMatcher)
- if !hasSubMatcher {
- argType := reflect.TypeOf(matcher.Arg)
- if argType.Kind() != reflect.Ptr {
- return false, fmt.Errorf("Cannot assign a value from the channel:\n%s\nTo:\n%s\nYou need to pass a pointer!", format.Object(actual, 1), format.Object(matcher.Arg, 1))
- }
+ // Valid arg formats are as follows, always with optional POINTER before
+ // optional MATCHER:
+ // - Receive()
+ // - Receive(POINTER)
+ // - Receive(MATCHER)
+ // - Receive(POINTER, MATCHER)
+ args := matcher.Args
+ if len(args) > 0 {
+ arg := args[0]
+ _, isSubMatcher := arg.(omegaMatcher)
+ if !isSubMatcher && reflect.ValueOf(arg).Kind() == reflect.Ptr {
+ // Consume optional POINTER arg first, if it ain't no matcher ;)
+ resultReference = arg
+ args = args[1:]
}
}
+ if len(args) > 0 {
+ arg := args[0]
+ subMatcher, hasSubMatcher = arg.(omegaMatcher)
+ if !hasSubMatcher {
+ // At this point we assume the dev user wanted to assign a received
+ // value, so [POINTER,]MATCHER.
+ return false, fmt.Errorf("Cannot assign a value from the channel:\n%s\nTo:\n%s\nYou need to pass a pointer!", format.Object(actual, 1), format.Object(arg, 1))
+ }
+ // Consume optional MATCHER arg.
+ args = args[1:]
+ }
+ if len(args) > 0 {
+ // If there are still args present, reject all.
+ return false, errors.New("Receive matcher expects at most an optional pointer and/or an optional matcher")
+ }
winnerIndex, value, open := reflect.Select([]reflect.SelectCase{
{Dir: reflect.SelectRecv, Chan: channelValue},
@@ -58,16 +82,20 @@ func (matcher *ReceiveMatcher) Match(actual interface{}) (success bool, err erro
}
if hasSubMatcher {
- if didReceive {
- matcher.receivedValue = value
- return subMatcher.Match(matcher.receivedValue.Interface())
+ if !didReceive {
+ return false, nil
}
- return false, nil
+ matcher.receivedValue = value
+ if match, err := subMatcher.Match(matcher.receivedValue.Interface()); err != nil || !match {
+ return match, err
+ }
+ // if we received a match, then fall through in order to handle an
+ // optional assignment of the received value to the specified reference.
}
if didReceive {
- if matcher.Arg != nil {
- outValue := reflect.ValueOf(matcher.Arg)
+ if resultReference != nil {
+ outValue := reflect.ValueOf(resultReference)
if value.Type().AssignableTo(outValue.Elem().Type()) {
outValue.Elem().Set(value)
@@ -77,7 +105,7 @@ func (matcher *ReceiveMatcher) Match(actual interface{}) (success bool, err erro
outValue.Elem().Set(value.Elem())
return true, nil
} else {
- return false, fmt.Errorf("Cannot assign a value from the channel:\n%s\nType:\n%s\nTo:\n%s", format.Object(actual, 1), format.Object(value.Interface(), 1), format.Object(matcher.Arg, 1))
+ return false, fmt.Errorf("Cannot assign a value from the channel:\n%s\nType:\n%s\nTo:\n%s", format.Object(actual, 1), format.Object(value.Interface(), 1), format.Object(resultReference, 1))
}
}
@@ -88,7 +116,11 @@ func (matcher *ReceiveMatcher) Match(actual interface{}) (success bool, err erro
}
func (matcher *ReceiveMatcher) FailureMessage(actual interface{}) (message string) {
- subMatcher, hasSubMatcher := (matcher.Arg).(omegaMatcher)
+ var matcherArg interface{}
+ if len(matcher.Args) > 0 {
+ matcherArg = matcher.Args[len(matcher.Args)-1]
+ }
+ subMatcher, hasSubMatcher := (matcherArg).(omegaMatcher)
closedAddendum := ""
if matcher.channelClosed {
@@ -105,7 +137,11 @@ func (matcher *ReceiveMatcher) FailureMessage(actual interface{}) (message strin
}
func (matcher *ReceiveMatcher) NegatedFailureMessage(actual interface{}) (message string) {
- subMatcher, hasSubMatcher := (matcher.Arg).(omegaMatcher)
+ var matcherArg interface{}
+ if len(matcher.Args) > 0 {
+ matcherArg = matcher.Args[len(matcher.Args)-1]
+ }
+ subMatcher, hasSubMatcher := (matcherArg).(omegaMatcher)
closedAddendum := ""
if matcher.channelClosed {
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/testutil/promlint/promlint.go b/vendor/github.com/prometheus/client_golang/prometheus/testutil/promlint/promlint.go
index dd29cccc3..ea46f38ec 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/testutil/promlint/promlint.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/testutil/promlint/promlint.go
@@ -68,7 +68,7 @@ func (l *Linter) Lint() ([]Problem, error) {
var problems []Problem
if l.r != nil {
- d := expfmt.NewDecoder(l.r, expfmt.FmtText)
+ d := expfmt.NewDecoder(l.r, expfmt.NewFormat(expfmt.TypeTextPlain))
mf := &dto.MetricFamily{}
for {
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/testutil/testutil.go b/vendor/github.com/prometheus/client_golang/prometheus/testutil/testutil.go
index 269f56435..9dce15eaf 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/testutil/testutil.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/testutil/testutil.go
@@ -265,13 +265,13 @@ func compareMetricFamilies(got, expected []*dto.MetricFamily, metricNames ...str
// result.
func compare(got, want []*dto.MetricFamily) error {
var gotBuf, wantBuf bytes.Buffer
- enc := expfmt.NewEncoder(&gotBuf, expfmt.FmtText)
+ enc := expfmt.NewEncoder(&gotBuf, expfmt.NewFormat(expfmt.TypeTextPlain))
for _, mf := range got {
if err := enc.Encode(mf); err != nil {
return fmt.Errorf("encoding gathered metrics failed: %w", err)
}
}
- enc = expfmt.NewEncoder(&wantBuf, expfmt.FmtText)
+ enc = expfmt.NewEncoder(&wantBuf, expfmt.NewFormat(expfmt.TypeTextPlain))
for _, mf := range want {
if err := enc.Encode(mf); err != nil {
return fmt.Errorf("encoding expected metrics failed: %w", err)
diff --git a/vendor/github.com/prometheus/common/expfmt/decode.go b/vendor/github.com/prometheus/common/expfmt/decode.go
index 0ca86a3dc..b2b89b017 100644
--- a/vendor/github.com/prometheus/common/expfmt/decode.go
+++ b/vendor/github.com/prometheus/common/expfmt/decode.go
@@ -14,6 +14,7 @@
package expfmt
import (
+ "bufio"
"fmt"
"io"
"math"
@@ -21,8 +22,8 @@ import (
"net/http"
dto "github.com/prometheus/client_model/go"
+ "google.golang.org/protobuf/encoding/protodelim"
- "github.com/matttproud/golang_protobuf_extensions/v2/pbutil"
"github.com/prometheus/common/model"
)
@@ -44,7 +45,7 @@ func ResponseFormat(h http.Header) Format {
mediatype, params, err := mime.ParseMediaType(ct)
if err != nil {
- return FmtUnknown
+ return fmtUnknown
}
const textType = "text/plain"
@@ -52,28 +53,28 @@ func ResponseFormat(h http.Header) Format {
switch mediatype {
case ProtoType:
if p, ok := params["proto"]; ok && p != ProtoProtocol {
- return FmtUnknown
+ return fmtUnknown
}
if e, ok := params["encoding"]; ok && e != "delimited" {
- return FmtUnknown
+ return fmtUnknown
}
- return FmtProtoDelim
+ return fmtProtoDelim
case textType:
if v, ok := params["version"]; ok && v != TextVersion {
- return FmtUnknown
+ return fmtUnknown
}
- return FmtText
+ return fmtText
}
- return FmtUnknown
+ return fmtUnknown
}
// NewDecoder returns a new decoder based on the given input format.
// If the input format does not imply otherwise, a text format decoder is returned.
func NewDecoder(r io.Reader, format Format) Decoder {
- switch format {
- case FmtProtoDelim:
+ switch format.FormatType() {
+ case TypeProtoDelim:
return &protoDecoder{r: r}
}
return &textDecoder{r: r}
@@ -86,8 +87,10 @@ type protoDecoder struct {
// Decode implements the Decoder interface.
func (d *protoDecoder) Decode(v *dto.MetricFamily) error {
- _, err := pbutil.ReadDelimited(d.r, v)
- if err != nil {
+ opts := protodelim.UnmarshalOptions{
+ MaxSize: -1,
+ }
+ if err := opts.UnmarshalFrom(bufio.NewReader(d.r), v); err != nil {
return err
}
if !model.IsValidMetricName(model.LabelValue(v.GetName())) {
diff --git a/vendor/github.com/prometheus/common/expfmt/encode.go b/vendor/github.com/prometheus/common/expfmt/encode.go
index ca2140600..8fd806184 100644
--- a/vendor/github.com/prometheus/common/expfmt/encode.go
+++ b/vendor/github.com/prometheus/common/expfmt/encode.go
@@ -18,10 +18,12 @@ import (
"io"
"net/http"
- "github.com/matttproud/golang_protobuf_extensions/v2/pbutil"
- "github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg"
+ "google.golang.org/protobuf/encoding/protodelim"
"google.golang.org/protobuf/encoding/prototext"
+ "github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg"
+ "github.com/prometheus/common/model"
+
dto "github.com/prometheus/client_model/go"
)
@@ -60,23 +62,32 @@ func (ec encoderCloser) Close() error {
// as the support is still experimental. To include the option to negotiate
// FmtOpenMetrics, use NegotiateOpenMetrics.
func Negotiate(h http.Header) Format {
+ escapingScheme := Format(fmt.Sprintf("; escaping=%s", Format(model.NameEscapingScheme.String())))
for _, ac := range goautoneg.ParseAccept(h.Get(hdrAccept)) {
+ if escapeParam := ac.Params[model.EscapingKey]; escapeParam != "" {
+ switch Format(escapeParam) {
+ case model.AllowUTF8, model.EscapeUnderscores, model.EscapeDots, model.EscapeValues:
+ escapingScheme = Format(fmt.Sprintf("; escaping=%s", escapeParam))
+ default:
+ // If the escaping parameter is unknown, ignore it.
+ }
+ }
ver := ac.Params["version"]
if ac.Type+"/"+ac.SubType == ProtoType && ac.Params["proto"] == ProtoProtocol {
switch ac.Params["encoding"] {
case "delimited":
- return FmtProtoDelim
+ return fmtProtoDelim + escapingScheme
case "text":
- return FmtProtoText
+ return fmtProtoText + escapingScheme
case "compact-text":
- return FmtProtoCompact
+ return fmtProtoCompact + escapingScheme
}
}
if ac.Type == "text" && ac.SubType == "plain" && (ver == TextVersion || ver == "") {
- return FmtText
+ return fmtText + escapingScheme
}
}
- return FmtText
+ return fmtText + escapingScheme
}
// NegotiateIncludingOpenMetrics works like Negotiate but includes
@@ -84,29 +95,40 @@ func Negotiate(h http.Header) Format {
// temporary and will disappear once FmtOpenMetrics is fully supported and as
// such may be negotiated by the normal Negotiate function.
func NegotiateIncludingOpenMetrics(h http.Header) Format {
+ escapingScheme := Format(fmt.Sprintf("; escaping=%s", Format(model.NameEscapingScheme.String())))
for _, ac := range goautoneg.ParseAccept(h.Get(hdrAccept)) {
+ if escapeParam := ac.Params[model.EscapingKey]; escapeParam != "" {
+ switch Format(escapeParam) {
+ case model.AllowUTF8, model.EscapeUnderscores, model.EscapeDots, model.EscapeValues:
+ escapingScheme = Format(fmt.Sprintf("; escaping=%s", escapeParam))
+ default:
+ // If the escaping parameter is unknown, ignore it.
+ }
+ }
ver := ac.Params["version"]
if ac.Type+"/"+ac.SubType == ProtoType && ac.Params["proto"] == ProtoProtocol {
switch ac.Params["encoding"] {
case "delimited":
- return FmtProtoDelim
+ return fmtProtoDelim + escapingScheme
case "text":
- return FmtProtoText
+ return fmtProtoText + escapingScheme
case "compact-text":
- return FmtProtoCompact
+ return fmtProtoCompact + escapingScheme
}
}
if ac.Type == "text" && ac.SubType == "plain" && (ver == TextVersion || ver == "") {
- return FmtText
+ return fmtText + escapingScheme
}
if ac.Type+"/"+ac.SubType == OpenMetricsType && (ver == OpenMetricsVersion_0_0_1 || ver == OpenMetricsVersion_1_0_0 || ver == "") {
- if ver == OpenMetricsVersion_1_0_0 {
- return FmtOpenMetrics_1_0_0
+ switch ver {
+ case OpenMetricsVersion_1_0_0:
+ return fmtOpenMetrics_1_0_0 + escapingScheme
+ default:
+ return fmtOpenMetrics_0_0_1 + escapingScheme
}
- return FmtOpenMetrics_0_0_1
}
}
- return FmtText
+ return fmtText + escapingScheme
}
// NewEncoder returns a new encoder based on content type negotiation. All
@@ -115,44 +137,48 @@ func NegotiateIncludingOpenMetrics(h http.Header) Format {
// for FmtOpenMetrics, but a future (breaking) release will add the Close method
// to the Encoder interface directly. The current version of the Encoder
// interface is kept for backwards compatibility.
+// In cases where the Format does not allow for UTF-8 names, the global
+// NameEscapingScheme will be applied.
func NewEncoder(w io.Writer, format Format) Encoder {
- switch format {
- case FmtProtoDelim:
+ escapingScheme := format.ToEscapingScheme()
+
+ switch format.FormatType() {
+ case TypeProtoDelim:
return encoderCloser{
encode: func(v *dto.MetricFamily) error {
- _, err := pbutil.WriteDelimited(w, v)
+ _, err := protodelim.MarshalTo(w, v)
return err
},
close: func() error { return nil },
}
- case FmtProtoCompact:
+ case TypeProtoCompact:
return encoderCloser{
encode: func(v *dto.MetricFamily) error {
- _, err := fmt.Fprintln(w, v.String())
+ _, err := fmt.Fprintln(w, model.EscapeMetricFamily(v, escapingScheme).String())
return err
},
close: func() error { return nil },
}
- case FmtProtoText:
+ case TypeProtoText:
return encoderCloser{
encode: func(v *dto.MetricFamily) error {
- _, err := fmt.Fprintln(w, prototext.Format(v))
+ _, err := fmt.Fprintln(w, prototext.Format(model.EscapeMetricFamily(v, escapingScheme)))
return err
},
close: func() error { return nil },
}
- case FmtText:
+ case TypeTextPlain:
return encoderCloser{
encode: func(v *dto.MetricFamily) error {
- _, err := MetricFamilyToText(w, v)
+ _, err := MetricFamilyToText(w, model.EscapeMetricFamily(v, escapingScheme))
return err
},
close: func() error { return nil },
}
- case FmtOpenMetrics_0_0_1, FmtOpenMetrics_1_0_0:
+ case TypeOpenMetrics:
return encoderCloser{
encode: func(v *dto.MetricFamily) error {
- _, err := MetricFamilyToOpenMetrics(w, v)
+ _, err := MetricFamilyToOpenMetrics(w, model.EscapeMetricFamily(v, escapingScheme))
return err
},
close: func() error {
diff --git a/vendor/github.com/prometheus/common/expfmt/expfmt.go b/vendor/github.com/prometheus/common/expfmt/expfmt.go
index c4cb20f0d..6fc9555e3 100644
--- a/vendor/github.com/prometheus/common/expfmt/expfmt.go
+++ b/vendor/github.com/prometheus/common/expfmt/expfmt.go
@@ -14,30 +14,154 @@
// Package expfmt contains tools for reading and writing Prometheus metrics.
package expfmt
+import (
+ "strings"
+
+ "github.com/prometheus/common/model"
+)
+
// Format specifies the HTTP content type of the different wire protocols.
type Format string
-// Constants to assemble the Content-Type values for the different wire protocols.
+// Constants to assemble the Content-Type values for the different wire
+// protocols. The Content-Type strings here are all for the legacy exposition
+// formats, where valid characters for metric names and label names are limited.
+// Support for arbitrary UTF-8 characters in those names is already partially
+// implemented in this module (see model.ValidationScheme), but to actually use
+// it on the wire, new content-type strings will have to be agreed upon and
+// added here.
const (
TextVersion = "0.0.4"
ProtoType = `application/vnd.google.protobuf`
ProtoProtocol = `io.prometheus.client.MetricFamily`
- ProtoFmt = ProtoType + "; proto=" + ProtoProtocol + ";"
+ protoFmt = ProtoType + "; proto=" + ProtoProtocol + ";"
OpenMetricsType = `application/openmetrics-text`
OpenMetricsVersion_0_0_1 = "0.0.1"
OpenMetricsVersion_1_0_0 = "1.0.0"
- // The Content-Type values for the different wire protocols.
- FmtUnknown Format = ``
- FmtText Format = `text/plain; version=` + TextVersion + `; charset=utf-8`
- FmtProtoDelim Format = ProtoFmt + ` encoding=delimited`
- FmtProtoText Format = ProtoFmt + ` encoding=text`
- FmtProtoCompact Format = ProtoFmt + ` encoding=compact-text`
- FmtOpenMetrics_1_0_0 Format = OpenMetricsType + `; version=` + OpenMetricsVersion_1_0_0 + `; charset=utf-8`
- FmtOpenMetrics_0_0_1 Format = OpenMetricsType + `; version=` + OpenMetricsVersion_0_0_1 + `; charset=utf-8`
+ // The Content-Type values for the different wire protocols. Note that these
+ // values are now unexported. If code was relying on comparisons to these
+ // constants, instead use FormatType().
+ fmtUnknown Format = ``
+ fmtText Format = `text/plain; version=` + TextVersion + `; charset=utf-8`
+ fmtProtoDelim Format = protoFmt + ` encoding=delimited`
+ fmtProtoText Format = protoFmt + ` encoding=text`
+ fmtProtoCompact Format = protoFmt + ` encoding=compact-text`
+ fmtOpenMetrics_1_0_0 Format = OpenMetricsType + `; version=` + OpenMetricsVersion_1_0_0 + `; charset=utf-8`
+ fmtOpenMetrics_0_0_1 Format = OpenMetricsType + `; version=` + OpenMetricsVersion_0_0_1 + `; charset=utf-8`
)
const (
hdrContentType = "Content-Type"
hdrAccept = "Accept"
)
+
+// FormatType is a Go enum representing the overall category for the given
+// Format. As the number of Format permutations increases, doing basic string
+// comparisons are not feasible, so this enum captures the most useful
+// high-level attribute of the Format string.
+type FormatType int
+
+const (
+ TypeUnknown = iota
+ TypeProtoCompact
+ TypeProtoDelim
+ TypeProtoText
+ TypeTextPlain
+ TypeOpenMetrics
+)
+
+// NewFormat generates a new Format from the type provided. Mostly used for
+// tests, most Formats should be generated as part of content negotiation in
+// encode.go.
+func NewFormat(t FormatType) Format {
+ switch t {
+ case TypeProtoCompact:
+ return fmtProtoCompact
+ case TypeProtoDelim:
+ return fmtProtoDelim
+ case TypeProtoText:
+ return fmtProtoText
+ case TypeTextPlain:
+ return fmtText
+ case TypeOpenMetrics:
+ return fmtOpenMetrics_1_0_0
+ default:
+ return fmtUnknown
+ }
+}
+
+// FormatType deduces an overall FormatType for the given format.
+func (f Format) FormatType() FormatType {
+ toks := strings.Split(string(f), ";")
+ if len(toks) < 2 {
+ return TypeUnknown
+ }
+
+ params := make(map[string]string)
+ for i, t := range toks {
+ if i == 0 {
+ continue
+ }
+ args := strings.Split(t, "=")
+ if len(args) != 2 {
+ continue
+ }
+ params[strings.TrimSpace(args[0])] = strings.TrimSpace(args[1])
+ }
+
+ switch strings.TrimSpace(toks[0]) {
+ case ProtoType:
+ if params["proto"] != ProtoProtocol {
+ return TypeUnknown
+ }
+ switch params["encoding"] {
+ case "delimited":
+ return TypeProtoDelim
+ case "text":
+ return TypeProtoText
+ case "compact-text":
+ return TypeProtoCompact
+ default:
+ return TypeUnknown
+ }
+ case OpenMetricsType:
+ if params["charset"] != "utf-8" {
+ return TypeUnknown
+ }
+ return TypeOpenMetrics
+ case "text/plain":
+ v, ok := params["version"]
+ if !ok {
+ return TypeTextPlain
+ }
+ if v == TextVersion {
+ return TypeTextPlain
+ }
+ return TypeUnknown
+ default:
+ return TypeUnknown
+ }
+}
+
+// ToEscapingScheme returns an EscapingScheme depending on the Format. Iff the
+// Format contains a escaping=allow-utf-8 term, it will select NoEscaping. If a valid
+// "escaping" term exists, that will be used. Otherwise, the global default will
+// be returned.
+func (format Format) ToEscapingScheme() model.EscapingScheme {
+ for _, p := range strings.Split(string(format), ";") {
+ toks := strings.Split(p, "=")
+ if len(toks) != 2 {
+ continue
+ }
+ key, value := strings.TrimSpace(toks[0]), strings.TrimSpace(toks[1])
+ if key == model.EscapingKey {
+ scheme, err := model.ToEscapingScheme(value)
+ if err != nil {
+ return model.NameEscapingScheme
+ }
+ return scheme
+ }
+ }
+ return model.NameEscapingScheme
+}
diff --git a/vendor/github.com/prometheus/common/expfmt/openmetrics_create.go b/vendor/github.com/prometheus/common/expfmt/openmetrics_create.go
index 21cdddcf0..5622578ed 100644
--- a/vendor/github.com/prometheus/common/expfmt/openmetrics_create.go
+++ b/vendor/github.com/prometheus/common/expfmt/openmetrics_create.go
@@ -35,6 +35,18 @@ import (
// sanity checks. If the input contains duplicate metrics or invalid metric or
// label names, the conversion will result in invalid text format output.
//
+// If metric names conform to the legacy validation pattern, they will be placed
+// outside the brackets in the traditional way, like `foo{}`. If the metric name
+// fails the legacy validation check, it will be placed quoted inside the
+// brackets: `{"foo"}`. As stated above, the input is assumed to be santized and
+// no error will be thrown in this case.
+//
+// Similar to metric names, if label names conform to the legacy validation
+// pattern, they will be unquoted as normal, like `foo{bar="baz"}`. If the label
+// name fails the legacy validation check, it will be quoted:
+// `foo{"bar"="baz"}`. As stated above, the input is assumed to be santized and
+// no error will be thrown in this case.
+//
// This function fulfills the type 'expfmt.encoder'.
//
// Note that OpenMetrics requires a final `# EOF` line. Since this function acts
@@ -98,7 +110,7 @@ func MetricFamilyToOpenMetrics(out io.Writer, in *dto.MetricFamily) (written int
if err != nil {
return
}
- n, err = w.WriteString(shortName)
+ n, err = writeName(w, shortName)
written += n
if err != nil {
return
@@ -124,7 +136,7 @@ func MetricFamilyToOpenMetrics(out io.Writer, in *dto.MetricFamily) (written int
if err != nil {
return
}
- n, err = w.WriteString(shortName)
+ n, err = writeName(w, shortName)
written += n
if err != nil {
return
@@ -303,21 +315,9 @@ func writeOpenMetricsSample(
floatValue float64, intValue uint64, useIntValue bool,
exemplar *dto.Exemplar,
) (int, error) {
- var written int
- n, err := w.WriteString(name)
- written += n
- if err != nil {
- return written, err
- }
- if suffix != "" {
- n, err = w.WriteString(suffix)
- written += n
- if err != nil {
- return written, err
- }
- }
- n, err = writeOpenMetricsLabelPairs(
- w, metric.Label, additionalLabelName, additionalLabelValue,
+ written := 0
+ n, err := writeOpenMetricsNameAndLabelPairs(
+ w, name+suffix, metric.Label, additionalLabelName, additionalLabelValue,
)
written += n
if err != nil {
@@ -365,27 +365,58 @@ func writeOpenMetricsSample(
return written, nil
}
-// writeOpenMetricsLabelPairs works like writeOpenMetrics but formats the float
-// in OpenMetrics style.
-func writeOpenMetricsLabelPairs(
+// writeOpenMetricsNameAndLabelPairs works like writeOpenMetricsSample but
+// formats the float in OpenMetrics style.
+func writeOpenMetricsNameAndLabelPairs(
w enhancedWriter,
+ name string,
in []*dto.LabelPair,
additionalLabelName string, additionalLabelValue float64,
) (int, error) {
- if len(in) == 0 && additionalLabelName == "" {
- return 0, nil
- }
var (
- written int
- separator byte = '{'
+ written int
+ separator byte = '{'
+ metricInsideBraces = false
)
+
+ if name != "" {
+ // If the name does not pass the legacy validity check, we must put the
+ // metric name inside the braces, quoted.
+ if !model.IsValidLegacyMetricName(model.LabelValue(name)) {
+ metricInsideBraces = true
+ err := w.WriteByte(separator)
+ written++
+ if err != nil {
+ return written, err
+ }
+ separator = ','
+ }
+
+ n, err := writeName(w, name)
+ written += n
+ if err != nil {
+ return written, err
+ }
+ }
+
+ if len(in) == 0 && additionalLabelName == "" {
+ if metricInsideBraces {
+ err := w.WriteByte('}')
+ written++
+ if err != nil {
+ return written, err
+ }
+ }
+ return written, nil
+ }
+
for _, lp := range in {
err := w.WriteByte(separator)
written++
if err != nil {
return written, err
}
- n, err := w.WriteString(lp.GetName())
+ n, err := writeName(w, lp.GetName())
written += n
if err != nil {
return written, err
@@ -451,7 +482,7 @@ func writeExemplar(w enhancedWriter, e *dto.Exemplar) (int, error) {
if err != nil {
return written, err
}
- n, err = writeOpenMetricsLabelPairs(w, e.Label, "", 0)
+ n, err = writeOpenMetricsNameAndLabelPairs(w, "", e.Label, "", 0)
written += n
if err != nil {
return written, err
diff --git a/vendor/github.com/prometheus/common/expfmt/text_create.go b/vendor/github.com/prometheus/common/expfmt/text_create.go
index 2946b8f1a..f9b8265a9 100644
--- a/vendor/github.com/prometheus/common/expfmt/text_create.go
+++ b/vendor/github.com/prometheus/common/expfmt/text_create.go
@@ -62,6 +62,18 @@ var (
// contains duplicate metrics or invalid metric or label names, the conversion
// will result in invalid text format output.
//
+// If metric names conform to the legacy validation pattern, they will be placed
+// outside the brackets in the traditional way, like `foo{}`. If the metric name
+// fails the legacy validation check, it will be placed quoted inside the
+// brackets: `{"foo"}`. As stated above, the input is assumed to be santized and
+// no error will be thrown in this case.
+//
+// Similar to metric names, if label names conform to the legacy validation
+// pattern, they will be unquoted as normal, like `foo{bar="baz"}`. If the label
+// name fails the legacy validation check, it will be quoted:
+// `foo{"bar"="baz"}`. As stated above, the input is assumed to be santized and
+// no error will be thrown in this case.
+//
// This method fulfills the type 'prometheus.encoder'.
func MetricFamilyToText(out io.Writer, in *dto.MetricFamily) (written int, err error) {
// Fail-fast checks.
@@ -98,7 +110,7 @@ func MetricFamilyToText(out io.Writer, in *dto.MetricFamily) (written int, err e
if err != nil {
return
}
- n, err = w.WriteString(name)
+ n, err = writeName(w, name)
written += n
if err != nil {
return
@@ -124,7 +136,7 @@ func MetricFamilyToText(out io.Writer, in *dto.MetricFamily) (written int, err e
if err != nil {
return
}
- n, err = w.WriteString(name)
+ n, err = writeName(w, name)
written += n
if err != nil {
return
@@ -280,21 +292,9 @@ func writeSample(
additionalLabelName string, additionalLabelValue float64,
value float64,
) (int, error) {
- var written int
- n, err := w.WriteString(name)
- written += n
- if err != nil {
- return written, err
- }
- if suffix != "" {
- n, err = w.WriteString(suffix)
- written += n
- if err != nil {
- return written, err
- }
- }
- n, err = writeLabelPairs(
- w, metric.Label, additionalLabelName, additionalLabelValue,
+ written := 0
+ n, err := writeNameAndLabelPairs(
+ w, name+suffix, metric.Label, additionalLabelName, additionalLabelValue,
)
written += n
if err != nil {
@@ -330,32 +330,64 @@ func writeSample(
return written, nil
}
-// writeLabelPairs converts a slice of LabelPair proto messages plus the
-// explicitly given additional label pair into text formatted as required by the
-// text format and writes it to 'w'. An empty slice in combination with an empty
-// string 'additionalLabelName' results in nothing being written. Otherwise, the
-// label pairs are written, escaped as required by the text format, and enclosed
-// in '{...}'. The function returns the number of bytes written and any error
-// encountered.
-func writeLabelPairs(
+// writeNameAndLabelPairs converts a slice of LabelPair proto messages plus the
+// explicitly given metric name and additional label pair into text formatted as
+// required by the text format and writes it to 'w'. An empty slice in
+// combination with an empty string 'additionalLabelName' results in nothing
+// being written. Otherwise, the label pairs are written, escaped as required by
+// the text format, and enclosed in '{...}'. The function returns the number of
+// bytes written and any error encountered. If the metric name is not
+// legacy-valid, it will be put inside the brackets as well. Legacy-invalid
+// label names will also be quoted.
+func writeNameAndLabelPairs(
w enhancedWriter,
+ name string,
in []*dto.LabelPair,
additionalLabelName string, additionalLabelValue float64,
) (int, error) {
- if len(in) == 0 && additionalLabelName == "" {
- return 0, nil
- }
var (
- written int
- separator byte = '{'
+ written int
+ separator byte = '{'
+ metricInsideBraces = false
)
+
+ if name != "" {
+ // If the name does not pass the legacy validity check, we must put the
+ // metric name inside the braces.
+ if !model.IsValidLegacyMetricName(model.LabelValue(name)) {
+ metricInsideBraces = true
+ err := w.WriteByte(separator)
+ written++
+ if err != nil {
+ return written, err
+ }
+ separator = ','
+ }
+ n, err := writeName(w, name)
+ written += n
+ if err != nil {
+ return written, err
+ }
+ }
+
+ if len(in) == 0 && additionalLabelName == "" {
+ if metricInsideBraces {
+ err := w.WriteByte('}')
+ written++
+ if err != nil {
+ return written, err
+ }
+ }
+ return written, nil
+ }
+
for _, lp := range in {
err := w.WriteByte(separator)
written++
if err != nil {
return written, err
}
- n, err := w.WriteString(lp.GetName())
+ n, err := writeName(w, lp.GetName())
written += n
if err != nil {
return written, err
@@ -462,3 +494,27 @@ func writeInt(w enhancedWriter, i int64) (int, error) {
numBufPool.Put(bp)
return written, err
}
+
+// writeName writes a string as-is if it complies with the legacy naming
+// scheme, or escapes it in double quotes if not.
+func writeName(w enhancedWriter, name string) (int, error) {
+ if model.IsValidLegacyMetricName(model.LabelValue(name)) {
+ return w.WriteString(name)
+ }
+ var written int
+ var err error
+ err = w.WriteByte('"')
+ written++
+ if err != nil {
+ return written, err
+ }
+ var n int
+ n, err = writeEscapedString(w, name, true)
+ written += n
+ if err != nil {
+ return written, err
+ }
+ err = w.WriteByte('"')
+ written++
+ return written, err
+}
diff --git a/vendor/github.com/prometheus/common/expfmt/text_parse.go b/vendor/github.com/prometheus/common/expfmt/text_parse.go
index 35db1cc9d..26490211a 100644
--- a/vendor/github.com/prometheus/common/expfmt/text_parse.go
+++ b/vendor/github.com/prometheus/common/expfmt/text_parse.go
@@ -16,6 +16,7 @@ package expfmt
import (
"bufio"
"bytes"
+ "errors"
"fmt"
"io"
"math"
@@ -24,8 +25,9 @@ import (
dto "github.com/prometheus/client_model/go"
- "github.com/prometheus/common/model"
"google.golang.org/protobuf/proto"
+
+ "github.com/prometheus/common/model"
)
// A stateFn is a function that represents a state in a state machine. By
@@ -112,7 +114,7 @@ func (p *TextParser) TextToMetricFamilies(in io.Reader) (map[string]*dto.MetricF
// stream. Turn this error into something nicer and more
// meaningful. (io.EOF is often used as a signal for the legitimate end
// of an input stream.)
- if p.err == io.EOF {
+ if p.err != nil && errors.Is(p.err, io.EOF) {
p.parseError("unexpected end of input stream")
}
return p.metricFamiliesByName, p.err
@@ -146,7 +148,7 @@ func (p *TextParser) startOfLine() stateFn {
// which is not an error but the signal that we are done.
// Any other error that happens to align with the start of
// a line is still an error.
- if p.err == io.EOF {
+ if errors.Is(p.err, io.EOF) {
p.err = nil
}
return nil
diff --git a/vendor/github.com/prometheus/common/model/alert.go b/vendor/github.com/prometheus/common/model/alert.go
index 35e739c7a..178fdbaf6 100644
--- a/vendor/github.com/prometheus/common/model/alert.go
+++ b/vendor/github.com/prometheus/common/model/alert.go
@@ -90,13 +90,13 @@ func (a *Alert) Validate() error {
return fmt.Errorf("start time must be before end time")
}
if err := a.Labels.Validate(); err != nil {
- return fmt.Errorf("invalid label set: %s", err)
+ return fmt.Errorf("invalid label set: %w", err)
}
if len(a.Labels) == 0 {
return fmt.Errorf("at least one label pair required")
}
if err := a.Annotations.Validate(); err != nil {
- return fmt.Errorf("invalid annotations: %s", err)
+ return fmt.Errorf("invalid annotations: %w", err)
}
return nil
}
diff --git a/vendor/github.com/prometheus/common/model/labels.go b/vendor/github.com/prometheus/common/model/labels.go
index ef8956335..3317ce22f 100644
--- a/vendor/github.com/prometheus/common/model/labels.go
+++ b/vendor/github.com/prometheus/common/model/labels.go
@@ -97,17 +97,25 @@ var LabelNameRE = regexp.MustCompile("^[a-zA-Z_][a-zA-Z0-9_]*$")
// therewith.
type LabelName string
-// IsValid is true iff the label name matches the pattern of LabelNameRE. This
-// method, however, does not use LabelNameRE for the check but a much faster
-// hardcoded implementation.
+// IsValid returns true iff name matches the pattern of LabelNameRE for legacy
+// names, and iff it's valid UTF-8 if NameValidationScheme is set to
+// UTF8Validation. For the legacy matching, it does not use LabelNameRE for the
+// check but a much faster hardcoded implementation.
func (ln LabelName) IsValid() bool {
if len(ln) == 0 {
return false
}
- for i, b := range ln {
- if !((b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') || b == '_' || (b >= '0' && b <= '9' && i > 0)) {
- return false
+ switch NameValidationScheme {
+ case LegacyValidation:
+ for i, b := range ln {
+ if !((b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') || b == '_' || (b >= '0' && b <= '9' && i > 0)) {
+ return false
+ }
}
+ case UTF8Validation:
+ return utf8.ValidString(string(ln))
+ default:
+ panic(fmt.Sprintf("Invalid name validation scheme requested: %d", NameValidationScheme))
}
return true
}
@@ -164,7 +172,7 @@ func (l LabelNames) String() string {
// A LabelValue is an associated value for a LabelName.
type LabelValue string
-// IsValid returns true iff the string is a valid UTF8.
+// IsValid returns true iff the string is a valid UTF-8.
func (lv LabelValue) IsValid() bool {
return utf8.ValidString(string(lv))
}
diff --git a/vendor/github.com/prometheus/common/model/metadata.go b/vendor/github.com/prometheus/common/model/metadata.go
new file mode 100644
index 000000000..447ab8ad6
--- /dev/null
+++ b/vendor/github.com/prometheus/common/model/metadata.go
@@ -0,0 +1,28 @@
+// Copyright 2023 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package model
+
+// MetricType represents metric type values.
+type MetricType string
+
+const (
+ MetricTypeCounter = MetricType("counter")
+ MetricTypeGauge = MetricType("gauge")
+ MetricTypeHistogram = MetricType("histogram")
+ MetricTypeGaugeHistogram = MetricType("gaugehistogram")
+ MetricTypeSummary = MetricType("summary")
+ MetricTypeInfo = MetricType("info")
+ MetricTypeStateset = MetricType("stateset")
+ MetricTypeUnknown = MetricType("unknown")
+)
diff --git a/vendor/github.com/prometheus/common/model/metric.go b/vendor/github.com/prometheus/common/model/metric.go
index 00804b7fe..0bd29b3a3 100644
--- a/vendor/github.com/prometheus/common/model/metric.go
+++ b/vendor/github.com/prometheus/common/model/metric.go
@@ -18,15 +18,84 @@ import (
"regexp"
"sort"
"strings"
+ "unicode/utf8"
+
+ dto "github.com/prometheus/client_model/go"
+ "google.golang.org/protobuf/proto"
)
var (
- // MetricNameRE is a regular expression matching valid metric
- // names. Note that the IsValidMetricName function performs the same
- // check but faster than a match with this regular expression.
- MetricNameRE = regexp.MustCompile(`^[a-zA-Z_:][a-zA-Z0-9_:]*$`)
+ // NameValidationScheme determines the method of name validation to be used by
+ // all calls to IsValidMetricName() and LabelName IsValid(). Setting UTF-8 mode
+ // in isolation from other components that don't support UTF-8 may result in
+ // bugs or other undefined behavior. This value is intended to be set by
+ // UTF-8-aware binaries as part of their startup. To avoid need for locking,
+ // this value should be set once, ideally in an init(), before multiple
+ // goroutines are started.
+ NameValidationScheme = LegacyValidation
+
+ // NameEscapingScheme defines the default way that names will be
+ // escaped when presented to systems that do not support UTF-8 names. If the
+ // Content-Type "escaping" term is specified, that will override this value.
+ NameEscapingScheme = ValueEncodingEscaping
)
+// ValidationScheme is a Go enum for determining how metric and label names will
+// be validated by this library.
+type ValidationScheme int
+
+const (
+ // LegacyValidation is a setting that requirets that metric and label names
+ // conform to the original Prometheus character requirements described by
+ // MetricNameRE and LabelNameRE.
+ LegacyValidation ValidationScheme = iota
+
+ // UTF8Validation only requires that metric and label names be valid UTF-8
+ // strings.
+ UTF8Validation
+)
+
+type EscapingScheme int
+
+const (
+ // NoEscaping indicates that a name will not be escaped. Unescaped names that
+ // do not conform to the legacy validity check will use a new exposition
+ // format syntax that will be officially standardized in future versions.
+ NoEscaping EscapingScheme = iota
+
+ // UnderscoreEscaping replaces all legacy-invalid characters with underscores.
+ UnderscoreEscaping
+
+ // DotsEscaping is similar to UnderscoreEscaping, except that dots are
+ // converted to `_dot_` and pre-existing underscores are converted to `__`.
+ DotsEscaping
+
+ // ValueEncodingEscaping prepends the name with `U__` and replaces all invalid
+ // characters with the unicode value, surrounded by underscores. Single
+ // underscores are replaced with double underscores.
+ ValueEncodingEscaping
+)
+
+const (
+ // EscapingKey is the key in an Accept or Content-Type header that defines how
+ // metric and label names that do not conform to the legacy character
+ // requirements should be escaped when being scraped by a legacy prometheus
+ // system. If a system does not explicitly pass an escaping parameter in the
+ // Accept header, the default NameEscapingScheme will be used.
+ EscapingKey = "escaping"
+
+ // Possible values for Escaping Key:
+ AllowUTF8 = "allow-utf-8" // No escaping required.
+ EscapeUnderscores = "underscores"
+ EscapeDots = "dots"
+ EscapeValues = "values"
+)
+
+// MetricNameRE is a regular expression matching valid metric
+// names. Note that the IsValidMetricName function performs the same
+// check but faster than a match with this regular expression.
+var MetricNameRE = regexp.MustCompile(`^[a-zA-Z_:][a-zA-Z0-9_:]*$`)
+
// A Metric is similar to a LabelSet, but the key difference is that a Metric is
// a singleton and refers to one and only one stream of samples.
type Metric LabelSet
@@ -86,17 +155,302 @@ func (m Metric) FastFingerprint() Fingerprint {
return LabelSet(m).FastFingerprint()
}
-// IsValidMetricName returns true iff name matches the pattern of MetricNameRE.
+// IsValidMetricName returns true iff name matches the pattern of MetricNameRE
+// for legacy names, and iff it's valid UTF-8 if the UTF8Validation scheme is
+// selected.
+func IsValidMetricName(n LabelValue) bool {
+ switch NameValidationScheme {
+ case LegacyValidation:
+ return IsValidLegacyMetricName(n)
+ case UTF8Validation:
+ if len(n) == 0 {
+ return false
+ }
+ return utf8.ValidString(string(n))
+ default:
+ panic(fmt.Sprintf("Invalid name validation scheme requested: %d", NameValidationScheme))
+ }
+}
+
+// IsValidLegacyMetricName is similar to IsValidMetricName but always uses the
+// legacy validation scheme regardless of the value of NameValidationScheme.
// This function, however, does not use MetricNameRE for the check but a much
// faster hardcoded implementation.
-func IsValidMetricName(n LabelValue) bool {
+func IsValidLegacyMetricName(n LabelValue) bool {
if len(n) == 0 {
return false
}
for i, b := range n {
- if !((b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') || b == '_' || b == ':' || (b >= '0' && b <= '9' && i > 0)) {
+ if !isValidLegacyRune(b, i) {
return false
}
}
return true
}
+
+// EscapeMetricFamily escapes the given metric names and labels with the given
+// escaping scheme. Returns a new object that uses the same pointers to fields
+// when possible and creates new escaped versions so as not to mutate the
+// input.
+func EscapeMetricFamily(v *dto.MetricFamily, scheme EscapingScheme) *dto.MetricFamily {
+ if v == nil {
+ return nil
+ }
+
+ if scheme == NoEscaping {
+ return v
+ }
+
+ out := &dto.MetricFamily{
+ Help: v.Help,
+ Type: v.Type,
+ }
+
+ // If the name is nil, copy as-is, don't try to escape.
+ if v.Name == nil || IsValidLegacyMetricName(LabelValue(v.GetName())) {
+ out.Name = v.Name
+ } else {
+ out.Name = proto.String(EscapeName(v.GetName(), scheme))
+ }
+ for _, m := range v.Metric {
+ if !metricNeedsEscaping(m) {
+ out.Metric = append(out.Metric, m)
+ continue
+ }
+
+ escaped := &dto.Metric{
+ Gauge: m.Gauge,
+ Counter: m.Counter,
+ Summary: m.Summary,
+ Untyped: m.Untyped,
+ Histogram: m.Histogram,
+ TimestampMs: m.TimestampMs,
+ }
+
+ for _, l := range m.Label {
+ if l.GetName() == MetricNameLabel {
+ if l.Value == nil || IsValidLegacyMetricName(LabelValue(l.GetValue())) {
+ escaped.Label = append(escaped.Label, l)
+ continue
+ }
+ escaped.Label = append(escaped.Label, &dto.LabelPair{
+ Name: proto.String(MetricNameLabel),
+ Value: proto.String(EscapeName(l.GetValue(), scheme)),
+ })
+ continue
+ }
+ if l.Name == nil || IsValidLegacyMetricName(LabelValue(l.GetName())) {
+ escaped.Label = append(escaped.Label, l)
+ continue
+ }
+ escaped.Label = append(escaped.Label, &dto.LabelPair{
+ Name: proto.String(EscapeName(l.GetName(), scheme)),
+ Value: l.Value,
+ })
+ }
+ out.Metric = append(out.Metric, escaped)
+ }
+ return out
+}
+
+func metricNeedsEscaping(m *dto.Metric) bool {
+ for _, l := range m.Label {
+ if l.GetName() == MetricNameLabel && !IsValidLegacyMetricName(LabelValue(l.GetValue())) {
+ return true
+ }
+ if !IsValidLegacyMetricName(LabelValue(l.GetName())) {
+ return true
+ }
+ }
+ return false
+}
+
+const (
+ lowerhex = "0123456789abcdef"
+)
+
+// EscapeName escapes the incoming name according to the provided escaping
+// scheme. Depending on the rules of escaping, this may cause no change in the
+// string that is returned. (Especially NoEscaping, which by definition is a
+// noop). This function does not do any validation of the name.
+func EscapeName(name string, scheme EscapingScheme) string {
+ if len(name) == 0 {
+ return name
+ }
+ var escaped strings.Builder
+ switch scheme {
+ case NoEscaping:
+ return name
+ case UnderscoreEscaping:
+ if IsValidLegacyMetricName(LabelValue(name)) {
+ return name
+ }
+ for i, b := range name {
+ if isValidLegacyRune(b, i) {
+ escaped.WriteRune(b)
+ } else {
+ escaped.WriteRune('_')
+ }
+ }
+ return escaped.String()
+ case DotsEscaping:
+ // Do not early return for legacy valid names, we still escape underscores.
+ for i, b := range name {
+ if b == '_' {
+ escaped.WriteString("__")
+ } else if b == '.' {
+ escaped.WriteString("_dot_")
+ } else if isValidLegacyRune(b, i) {
+ escaped.WriteRune(b)
+ } else {
+ escaped.WriteRune('_')
+ }
+ }
+ return escaped.String()
+ case ValueEncodingEscaping:
+ if IsValidLegacyMetricName(LabelValue(name)) {
+ return name
+ }
+ escaped.WriteString("U__")
+ for i, b := range name {
+ if isValidLegacyRune(b, i) {
+ escaped.WriteRune(b)
+ } else if !utf8.ValidRune(b) {
+ escaped.WriteString("_FFFD_")
+ } else if b < 0x100 {
+ escaped.WriteRune('_')
+ for s := 4; s >= 0; s -= 4 {
+ escaped.WriteByte(lowerhex[b>>uint(s)&0xF])
+ }
+ escaped.WriteRune('_')
+ } else if b < 0x10000 {
+ escaped.WriteRune('_')
+ for s := 12; s >= 0; s -= 4 {
+ escaped.WriteByte(lowerhex[b>>uint(s)&0xF])
+ }
+ escaped.WriteRune('_')
+ }
+ }
+ return escaped.String()
+ default:
+ panic(fmt.Sprintf("invalid escaping scheme %d", scheme))
+ }
+}
+
+// lower function taken from strconv.atoi
+func lower(c byte) byte {
+ return c | ('x' - 'X')
+}
+
+// UnescapeName unescapes the incoming name according to the provided escaping
+// scheme if possible. Some schemes are partially or totally non-roundtripable.
+// If any error is enountered, returns the original input.
+func UnescapeName(name string, scheme EscapingScheme) string {
+ if len(name) == 0 {
+ return name
+ }
+ switch scheme {
+ case NoEscaping:
+ return name
+ case UnderscoreEscaping:
+ // It is not possible to unescape from underscore replacement.
+ return name
+ case DotsEscaping:
+ name = strings.ReplaceAll(name, "_dot_", ".")
+ name = strings.ReplaceAll(name, "__", "_")
+ return name
+ case ValueEncodingEscaping:
+ escapedName, found := strings.CutPrefix(name, "U__")
+ if !found {
+ return name
+ }
+
+ var unescaped strings.Builder
+ TOP:
+ for i := 0; i < len(escapedName); i++ {
+ // All non-underscores are treated normally.
+ if escapedName[i] != '_' {
+ unescaped.WriteByte(escapedName[i])
+ continue
+ }
+ i++
+ if i >= len(escapedName) {
+ return name
+ }
+ // A double underscore is a single underscore.
+ if escapedName[i] == '_' {
+ unescaped.WriteByte('_')
+ continue
+ }
+ // We think we are in a UTF-8 code, process it.
+ var utf8Val uint
+ for j := 0; i < len(escapedName); j++ {
+ // This is too many characters for a utf8 value.
+ if j > 4 {
+ return name
+ }
+ // Found a closing underscore, convert to a rune, check validity, and append.
+ if escapedName[i] == '_' {
+ utf8Rune := rune(utf8Val)
+ if !utf8.ValidRune(utf8Rune) {
+ return name
+ }
+ unescaped.WriteRune(utf8Rune)
+ continue TOP
+ }
+ r := lower(escapedName[i])
+ utf8Val *= 16
+ if r >= '0' && r <= '9' {
+ utf8Val += uint(r) - '0'
+ } else if r >= 'a' && r <= 'f' {
+ utf8Val += uint(r) - 'a' + 10
+ } else {
+ return name
+ }
+ i++
+ }
+ // Didn't find closing underscore, invalid.
+ return name
+ }
+ return unescaped.String()
+ default:
+ panic(fmt.Sprintf("invalid escaping scheme %d", scheme))
+ }
+}
+
+func isValidLegacyRune(b rune, i int) bool {
+ return (b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') || b == '_' || b == ':' || (b >= '0' && b <= '9' && i > 0)
+}
+
+func (e EscapingScheme) String() string {
+ switch e {
+ case NoEscaping:
+ return AllowUTF8
+ case UnderscoreEscaping:
+ return EscapeUnderscores
+ case DotsEscaping:
+ return EscapeDots
+ case ValueEncodingEscaping:
+ return EscapeValues
+ default:
+ panic(fmt.Sprintf("unknown format scheme %d", e))
+ }
+}
+
+func ToEscapingScheme(s string) (EscapingScheme, error) {
+ if s == "" {
+ return NoEscaping, fmt.Errorf("got empty string instead of escaping scheme")
+ }
+ switch s {
+ case AllowUTF8:
+ return NoEscaping, nil
+ case EscapeUnderscores:
+ return UnderscoreEscaping, nil
+ case EscapeDots:
+ return DotsEscaping, nil
+ case EscapeValues:
+ return ValueEncodingEscaping, nil
+ default:
+ return NoEscaping, fmt.Errorf("unknown format scheme " + s)
+ }
+}
diff --git a/vendor/github.com/prometheus/common/model/signature.go b/vendor/github.com/prometheus/common/model/signature.go
index 8762b13c6..dc8a0026c 100644
--- a/vendor/github.com/prometheus/common/model/signature.go
+++ b/vendor/github.com/prometheus/common/model/signature.go
@@ -22,10 +22,8 @@ import (
// when calculating their combined hash value (aka signature aka fingerprint).
const SeparatorByte byte = 255
-var (
- // cache the signature of an empty label set.
- emptyLabelSignature = hashNew()
-)
+// cache the signature of an empty label set.
+var emptyLabelSignature = hashNew()
// LabelsToSignature returns a quasi-unique signature (i.e., fingerprint) for a
// given label set. (Collisions are possible but unlikely if the number of label
diff --git a/vendor/github.com/prometheus/common/model/silence.go b/vendor/github.com/prometheus/common/model/silence.go
index bb99889d2..910b0b71f 100644
--- a/vendor/github.com/prometheus/common/model/silence.go
+++ b/vendor/github.com/prometheus/common/model/silence.go
@@ -81,7 +81,7 @@ func (s *Silence) Validate() error {
}
for _, m := range s.Matchers {
if err := m.Validate(); err != nil {
- return fmt.Errorf("invalid matcher: %s", err)
+ return fmt.Errorf("invalid matcher: %w", err)
}
}
if s.StartsAt.IsZero() {
diff --git a/vendor/github.com/prometheus/common/model/value.go b/vendor/github.com/prometheus/common/model/value.go
index 9eb440413..8050637d8 100644
--- a/vendor/github.com/prometheus/common/model/value.go
+++ b/vendor/github.com/prometheus/common/model/value.go
@@ -21,14 +21,12 @@ import (
"strings"
)
-var (
- // ZeroSample is the pseudo zero-value of Sample used to signal a
- // non-existing sample. It is a Sample with timestamp Earliest, value 0.0,
- // and metric nil. Note that the natural zero value of Sample has a timestamp
- // of 0, which is possible to appear in a real Sample and thus not suitable
- // to signal a non-existing Sample.
- ZeroSample = Sample{Timestamp: Earliest}
-)
+// ZeroSample is the pseudo zero-value of Sample used to signal a
+// non-existing sample. It is a Sample with timestamp Earliest, value 0.0,
+// and metric nil. Note that the natural zero value of Sample has a timestamp
+// of 0, which is possible to appear in a real Sample and thus not suitable
+// to signal a non-existing Sample.
+var ZeroSample = Sample{Timestamp: Earliest}
// Sample is a sample pair associated with a metric. A single sample must either
// define Value or Histogram but not both. Histogram == nil implies the Value
@@ -274,7 +272,7 @@ func (s *Scalar) UnmarshalJSON(b []byte) error {
value, err := strconv.ParseFloat(f, 64)
if err != nil {
- return fmt.Errorf("error parsing sample value: %s", err)
+ return fmt.Errorf("error parsing sample value: %w", err)
}
s.Value = SampleValue(value)
return nil
diff --git a/vendor/github.com/prometheus/common/model/value_float.go b/vendor/github.com/prometheus/common/model/value_float.go
index 0f615a705..ae35cc2ab 100644
--- a/vendor/github.com/prometheus/common/model/value_float.go
+++ b/vendor/github.com/prometheus/common/model/value_float.go
@@ -20,14 +20,12 @@ import (
"strconv"
)
-var (
- // ZeroSamplePair is the pseudo zero-value of SamplePair used to signal a
- // non-existing sample pair. It is a SamplePair with timestamp Earliest and
- // value 0.0. Note that the natural zero value of SamplePair has a timestamp
- // of 0, which is possible to appear in a real SamplePair and thus not
- // suitable to signal a non-existing SamplePair.
- ZeroSamplePair = SamplePair{Timestamp: Earliest}
-)
+// ZeroSamplePair is the pseudo zero-value of SamplePair used to signal a
+// non-existing sample pair. It is a SamplePair with timestamp Earliest and
+// value 0.0. Note that the natural zero value of SamplePair has a timestamp
+// of 0, which is possible to appear in a real SamplePair and thus not
+// suitable to signal a non-existing SamplePair.
+var ZeroSamplePair = SamplePair{Timestamp: Earliest}
// A SampleValue is a representation of a value for a given sample at a given
// time.
diff --git a/vendor/google.golang.org/protobuf/encoding/protodelim/protodelim.go b/vendor/google.golang.org/protobuf/encoding/protodelim/protodelim.go
new file mode 100644
index 000000000..2ef36bbcf
--- /dev/null
+++ b/vendor/google.golang.org/protobuf/encoding/protodelim/protodelim.go
@@ -0,0 +1,160 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package protodelim marshals and unmarshals varint size-delimited messages.
+package protodelim
+
+import (
+ "bufio"
+ "encoding/binary"
+ "fmt"
+ "io"
+
+ "google.golang.org/protobuf/encoding/protowire"
+ "google.golang.org/protobuf/internal/errors"
+ "google.golang.org/protobuf/proto"
+)
+
+// MarshalOptions is a configurable varint size-delimited marshaler.
+type MarshalOptions struct{ proto.MarshalOptions }
+
+// MarshalTo writes a varint size-delimited wire-format message to w.
+// If w returns an error, MarshalTo returns it unchanged.
+func (o MarshalOptions) MarshalTo(w io.Writer, m proto.Message) (int, error) {
+ msgBytes, err := o.MarshalOptions.Marshal(m)
+ if err != nil {
+ return 0, err
+ }
+
+ sizeBytes := protowire.AppendVarint(nil, uint64(len(msgBytes)))
+ sizeWritten, err := w.Write(sizeBytes)
+ if err != nil {
+ return sizeWritten, err
+ }
+ msgWritten, err := w.Write(msgBytes)
+ if err != nil {
+ return sizeWritten + msgWritten, err
+ }
+ return sizeWritten + msgWritten, nil
+}
+
+// MarshalTo writes a varint size-delimited wire-format message to w
+// with the default options.
+//
+// See the documentation for [MarshalOptions.MarshalTo].
+func MarshalTo(w io.Writer, m proto.Message) (int, error) {
+ return MarshalOptions{}.MarshalTo(w, m)
+}
+
+// UnmarshalOptions is a configurable varint size-delimited unmarshaler.
+type UnmarshalOptions struct {
+ proto.UnmarshalOptions
+
+ // MaxSize is the maximum size in wire-format bytes of a single message.
+ // Unmarshaling a message larger than MaxSize will return an error.
+ // A zero MaxSize will default to 4 MiB.
+ // Setting MaxSize to -1 disables the limit.
+ MaxSize int64
+}
+
+const defaultMaxSize = 4 << 20 // 4 MiB, corresponds to the default gRPC max request/response size
+
+// SizeTooLargeError is an error that is returned when the unmarshaler encounters a message size
+// that is larger than its configured [UnmarshalOptions.MaxSize].
+type SizeTooLargeError struct {
+ // Size is the varint size of the message encountered
+ // that was larger than the provided MaxSize.
+ Size uint64
+
+ // MaxSize is the MaxSize limit configured in UnmarshalOptions, which Size exceeded.
+ MaxSize uint64
+}
+
+func (e *SizeTooLargeError) Error() string {
+ return fmt.Sprintf("message size %d exceeded unmarshaler's maximum configured size %d", e.Size, e.MaxSize)
+}
+
+// Reader is the interface expected by [UnmarshalFrom].
+// It is implemented by *[bufio.Reader].
+type Reader interface {
+ io.Reader
+ io.ByteReader
+}
+
+// UnmarshalFrom parses and consumes a varint size-delimited wire-format message
+// from r.
+// The provided message must be mutable (e.g., a non-nil pointer to a message).
+//
+// The error is [io.EOF] error only if no bytes are read.
+// If an EOF happens after reading some but not all the bytes,
+// UnmarshalFrom returns a non-io.EOF error.
+// In particular if r returns a non-io.EOF error, UnmarshalFrom returns it unchanged,
+// and if only a size is read with no subsequent message, [io.ErrUnexpectedEOF] is returned.
+func (o UnmarshalOptions) UnmarshalFrom(r Reader, m proto.Message) error {
+ var sizeArr [binary.MaxVarintLen64]byte
+ sizeBuf := sizeArr[:0]
+ for i := range sizeArr {
+ b, err := r.ReadByte()
+ if err != nil {
+ // Immediate EOF is unexpected.
+ if err == io.EOF && i != 0 {
+ break
+ }
+ return err
+ }
+ sizeBuf = append(sizeBuf, b)
+ if b < 0x80 {
+ break
+ }
+ }
+ size, n := protowire.ConsumeVarint(sizeBuf)
+ if n < 0 {
+ return protowire.ParseError(n)
+ }
+
+ maxSize := o.MaxSize
+ if maxSize == 0 {
+ maxSize = defaultMaxSize
+ }
+ if maxSize != -1 && size > uint64(maxSize) {
+ return errors.Wrap(&SizeTooLargeError{Size: size, MaxSize: uint64(maxSize)}, "")
+ }
+
+ var b []byte
+ var err error
+ if br, ok := r.(*bufio.Reader); ok {
+ // Use the []byte from the bufio.Reader instead of having to allocate one.
+ // This reduces CPU usage and allocated bytes.
+ b, err = br.Peek(int(size))
+ if err == nil {
+ defer br.Discard(int(size))
+ } else {
+ b = nil
+ }
+ }
+ if b == nil {
+ b = make([]byte, size)
+ _, err = io.ReadFull(r, b)
+ }
+
+ if err == io.EOF {
+ return io.ErrUnexpectedEOF
+ }
+ if err != nil {
+ return err
+ }
+ if err := o.Unmarshal(b, m); err != nil {
+ return err
+ }
+ return nil
+}
+
+// UnmarshalFrom parses and consumes a varint size-delimited wire-format message
+// from r with the default options.
+// The provided message must be mutable (e.g., a non-nil pointer to a message).
+//
+// See the documentation for [UnmarshalOptions.UnmarshalFrom].
+func UnmarshalFrom(r Reader, m proto.Message) error {
+ return UnmarshalOptions{}.UnmarshalFrom(r, m)
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index b18c9c11d..e87c6c7ee 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -20,7 +20,7 @@ github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime
github.com/Azure/azure-sdk-for-go/sdk/azcore/streaming
github.com/Azure/azure-sdk-for-go/sdk/azcore/to
github.com/Azure/azure-sdk-for-go/sdk/azcore/tracing
-# github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0
+# github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
## explicit; go 1.18
github.com/Azure/azure-sdk-for-go/sdk/azidentity
github.com/Azure/azure-sdk-for-go/sdk/azidentity/internal
@@ -62,7 +62,7 @@ github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/options
github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/shared
github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/version
github.com/AzureAD/microsoft-authentication-library-for-go/apps/public
-# github.com/IBM/keyprotect-go-client v0.12.2
+# github.com/IBM/keyprotect-go-client v0.14.1
## explicit; go 1.15
github.com/IBM/keyprotect-go-client
github.com/IBM/keyprotect-go-client/iam
@@ -81,7 +81,7 @@ github.com/antlr/antlr4/runtime/Go/antlr/v4
# github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a
## explicit
github.com/asaskevich/govalidator
-# github.com/aws/aws-sdk-go v1.53.14
+# github.com/aws/aws-sdk-go v1.54.6
## explicit; go 1.19
github.com/aws/aws-sdk-go/aws
github.com/aws/aws-sdk-go/aws/auth/bearer
@@ -126,7 +126,7 @@ github.com/aws/aws-sdk-go/service/sso/ssoiface
github.com/aws/aws-sdk-go/service/ssooidc
github.com/aws/aws-sdk-go/service/sts
github.com/aws/aws-sdk-go/service/sts/stsiface
-# github.com/aws/aws-sdk-go-v2 v1.25.2
+# github.com/aws/aws-sdk-go-v2 v1.30.0
## explicit; go 1.20
github.com/aws/aws-sdk-go-v2/aws
github.com/aws/aws-sdk-go-v2/aws/defaults
@@ -141,31 +141,33 @@ github.com/aws/aws-sdk-go-v2/aws/signer/v4
github.com/aws/aws-sdk-go-v2/aws/transport/http
github.com/aws/aws-sdk-go-v2/internal/auth
github.com/aws/aws-sdk-go-v2/internal/auth/smithy
+github.com/aws/aws-sdk-go-v2/internal/context
github.com/aws/aws-sdk-go-v2/internal/endpoints
github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn
+github.com/aws/aws-sdk-go-v2/internal/middleware
github.com/aws/aws-sdk-go-v2/internal/rand
github.com/aws/aws-sdk-go-v2/internal/sdk
github.com/aws/aws-sdk-go-v2/internal/strings
github.com/aws/aws-sdk-go-v2/internal/sync/singleflight
github.com/aws/aws-sdk-go-v2/internal/timeconv
-# github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2
+# github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12
## explicit; go 1.20
github.com/aws/aws-sdk-go-v2/internal/configsources
-# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2
+# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12
## explicit; go 1.20
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2
-# github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1
+# github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2
## explicit; go 1.20
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding
-# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2
+# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14
## explicit; go 1.20
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url
-# github.com/aws/aws-sdk-go-v2/service/sts v1.28.1
+# github.com/aws/aws-sdk-go-v2/service/sts v1.29.1
## explicit; go 1.20
github.com/aws/aws-sdk-go-v2/service/sts
github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints
github.com/aws/aws-sdk-go-v2/service/sts/types
-# github.com/aws/smithy-go v1.20.1
+# github.com/aws/smithy-go v1.20.2
## explicit; go 1.20
github.com/aws/smithy-go
github.com/aws/smithy-go/auth
@@ -275,12 +277,12 @@ github.com/gemalto/kmip-go/ttlv
# github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
## explicit
github.com/ghodss/yaml
-# github.com/go-jose/go-jose/v3 v3.0.3
-## explicit; go 1.12
-github.com/go-jose/go-jose/v3
-github.com/go-jose/go-jose/v3/cipher
-github.com/go-jose/go-jose/v3/json
-github.com/go-jose/go-jose/v3/jwt
+# github.com/go-jose/go-jose/v4 v4.0.1
+## explicit; go 1.21
+github.com/go-jose/go-jose/v4
+github.com/go-jose/go-jose/v4/cipher
+github.com/go-jose/go-jose/v4/json
+github.com/go-jose/go-jose/v4/jwt
# github.com/go-logr/logr v1.4.1
## explicit; go 1.18
github.com/go-logr/logr
@@ -298,9 +300,9 @@ github.com/go-openapi/jsonreference/internal
# github.com/go-openapi/swag v0.22.3
## explicit; go 1.18
github.com/go-openapi/swag
-# github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572
-## explicit; go 1.13
-github.com/go-task/slim-sprig
+# github.com/go-task/slim-sprig/v3 v3.0.0
+## explicit; go 1.20
+github.com/go-task/slim-sprig/v3
# github.com/gogo/protobuf v1.3.2
## explicit; go 1.15
github.com/gogo/protobuf/gogoproto
@@ -374,8 +376,8 @@ github.com/google/go-cmp/cmp/internal/value
## explicit; go 1.12
github.com/google/gofuzz
github.com/google/gofuzz/bytesource
-# github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1
-## explicit; go 1.14
+# github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6
+## explicit; go 1.19
github.com/google/pprof/profile
# github.com/google/uuid v1.6.0
## explicit
@@ -429,8 +431,8 @@ github.com/hashicorp/hcl/hcl/token
github.com/hashicorp/hcl/json/parser
github.com/hashicorp/hcl/json/scanner
github.com/hashicorp/hcl/json/token
-# github.com/hashicorp/vault/api v1.12.0
-## explicit; go 1.19
+# github.com/hashicorp/vault/api v1.14.0
+## explicit; go 1.21
github.com/hashicorp/vault/api
# github.com/hashicorp/vault/api/auth/approle v0.5.0
## explicit; go 1.16
@@ -453,8 +455,8 @@ github.com/josharian/intern
# github.com/json-iterator/go v1.1.12
## explicit; go 1.12
github.com/json-iterator/go
-# github.com/kubernetes-csi/csi-lib-utils v0.17.0
-## explicit; go 1.21
+# github.com/kubernetes-csi/csi-lib-utils v0.18.1
+## explicit; go 1.22.0
github.com/kubernetes-csi/csi-lib-utils/connection
github.com/kubernetes-csi/csi-lib-utils/metrics
github.com/kubernetes-csi/csi-lib-utils/protosanitizer
@@ -485,9 +487,6 @@ github.com/mattn/go-colorable
# github.com/mattn/go-isatty v0.0.20
## explicit; go 1.15
github.com/mattn/go-isatty
-# github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0
-## explicit; go 1.19
-github.com/matttproud/golang_protobuf_extensions/v2/pbutil
# github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d
## explicit
github.com/mgutz/ansi
@@ -516,7 +515,7 @@ github.com/munnerz/goautoneg
# github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f
## explicit
github.com/mxk/go-flowrate/flowrate
-# github.com/onsi/ginkgo/v2 v2.17.1
+# github.com/onsi/ginkgo/v2 v2.19.0
## explicit; go 1.20
github.com/onsi/ginkgo/v2
github.com/onsi/ginkgo/v2/config
@@ -538,7 +537,7 @@ github.com/onsi/ginkgo/v2/internal/parallel_support
github.com/onsi/ginkgo/v2/internal/testingtproxy
github.com/onsi/ginkgo/v2/reporters
github.com/onsi/ginkgo/v2/types
-# github.com/onsi/gomega v1.32.0
+# github.com/onsi/gomega v1.33.1
## explicit; go 1.20
github.com/onsi/gomega
github.com/onsi/gomega/format
@@ -574,8 +573,8 @@ github.com/pkg/xattr
# github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
## explicit
github.com/pmezard/go-difflib/difflib
-# github.com/prometheus/client_golang v1.18.0
-## explicit; go 1.19
+# github.com/prometheus/client_golang v1.19.1
+## explicit; go 1.20
github.com/prometheus/client_golang/prometheus
github.com/prometheus/client_golang/prometheus/collectors
github.com/prometheus/client_golang/prometheus/internal
@@ -586,7 +585,7 @@ github.com/prometheus/client_golang/prometheus/testutil/promlint/validations
# github.com/prometheus/client_model v0.5.0
## explicit; go 1.19
github.com/prometheus/client_model/go
-# github.com/prometheus/common v0.45.0
+# github.com/prometheus/common v0.48.0
## explicit; go 1.20
github.com/prometheus/common/expfmt
github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg
@@ -888,6 +887,7 @@ google.golang.org/grpc/status
google.golang.org/grpc/tap
# google.golang.org/protobuf v1.34.2
## explicit; go 1.20
+google.golang.org/protobuf/encoding/protodelim
google.golang.org/protobuf/encoding/protojson
google.golang.org/protobuf/encoding/prototext
google.golang.org/protobuf/encoding/protowire