rebase: bump the github-dependencies group with 2 updates

Bumps the github-dependencies group with 2 updates: [github.com/aws/aws-sdk-go-v2/service/sts](https://github.com/aws/aws-sdk-go-v2) and [github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets](https://github.com/Azure/azure-sdk-for-go).


Updates `github.com/aws/aws-sdk-go-v2/service/sts` from 1.32.2 to 1.32.3
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.32.2...v1.32.3)

Updates `github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets` from 1.1.0 to 1.2.0
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/v1.1...v1.2)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/sts
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-dependencies
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
This commit is contained in:
dependabot[bot] 2024-10-28 21:02:22 +00:00 committed by mergify[bot]
parent c3c00b0e61
commit 26c237e314
32 changed files with 416 additions and 329 deletions

16
go.mod

@ -5,7 +5,7 @@ go 1.22.5
require (
github.com/IBM/keyprotect-go-client v0.15.1
github.com/aws/aws-sdk-go v1.55.5
github.com/aws/aws-sdk-go-v2/service/sts v1.32.2
github.com/aws/aws-sdk-go-v2/service/sts v1.32.3
github.com/ceph/ceph-csi/api v0.0.0-00010101000000-000000000000
github.com/ceph/go-ceph v0.30.0
github.com/container-storage-interface/spec v1.10.0
@ -47,24 +47,24 @@ require (
require (
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.2.0
)
require (
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
github.com/NYTimes/gziphandler v1.1.1 // indirect
github.com/ansel1/merry v1.6.2 // indirect
github.com/ansel1/merry/v2 v2.0.1 // indirect
github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
github.com/aws/aws-sdk-go-v2 v1.32.2 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21 // indirect
github.com/aws/aws-sdk-go-v2 v1.32.3 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.22 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.22 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.2 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.3 // indirect
github.com/aws/smithy-go v1.22.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect

32
go.sum

@ -1320,18 +1320,18 @@ gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zum
git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3pc=
github.com/Azure/azure-sdk-for-go v62.0.0+incompatible h1:8N2k27SYtc12qj5nTsuFMFJPZn5CGmgMWqTy4y9I7Jw=
github.com/Azure/azure-sdk-for-go v62.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 h1:nyQWyZvwGTvunIMxi1Y9uXkcyr+I7TeNrr/foo4Kpk8=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0/go.mod h1:l38EPgmsp71HHLq9j7De57JcKOWPyhrsW1Awm1JS6K0=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 h1:JZg6HRh6W6U4OLl6lk7BZ7BLisIzM9dG1R50zUk9C/M=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0/go.mod h1:YL1xnZ6QejvQHWJrX/AvhFl4WW4rqHVoKspWNVwFk0M=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 h1:B/dfvscEQtew9dVuoxqxrUKKv8Ih2f55PydknDamU+g=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0/go.mod h1:fiPSssYvltE08HJchL04dOy+RD4hgrjph0cwGGMntdI=
github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.0 h1:+m0M/LFxN43KvULkDNfdXOgrjtg6UYJPFBJyuEcRCAw=
github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.0/go.mod h1:PwOyop78lveYMRs6oCxjiVyBdyCgIYH6XHIVZO9/SFQ=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY=
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0 h1:h4Zxgmi9oyZL2l8jeg1iRTqPloHktywWcu0nlJmo1tA=
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0/go.mod h1:LgLGXawqSreJz135Elog0ywTJDsm0Hz2k+N+6ZK35u8=
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80=
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0/go.mod h1:bTSOgj05NGRuHHhQwAdPnYr9TOdNmKlZTgGLL6nyAdI=
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.2.0 h1:TkNl6WlpHdZSMt0Zngw8y0c9ZMi3GwmYl0kKNbW9PvU=
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.2.0/go.mod h1:ukmL56lWl275SgNFijuwx0Wv6n6HmzzpPWW4kMoy/wY=
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0 h1:eXnN9kaS8TiDwXjoie3hMRLuwdUBUMW9KRgOqB3mCaw=
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0/go.mod h1:XIpam8wumeZ5rVMuhdDQLMfIPDf1WO3IzrCRO3e3e3o=
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
github.com/Azure/go-autorest/autorest v0.11.27/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U=
@ -1411,18 +1411,18 @@ github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:l
github.com/aws/aws-sdk-go v1.44.164/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU=
github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
github.com/aws/aws-sdk-go-v2 v1.32.2 h1:AkNLZEyYMLnx/Q/mSKkcMqwNFXMAvFto9bNsHqcTduI=
github.com/aws/aws-sdk-go-v2 v1.32.2/go.mod h1:2SK5n0a2karNTv5tbP1SjsX0uhttou00v/HpXKM1ZUo=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21 h1:UAsR3xA31QGf79WzpG/ixT9FZvQlh5HY1NRqSHBNOCk=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21/go.mod h1:JNr43NFf5L9YaG3eKTm7HQzls9J+A9YYcGI5Quh1r2Y=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21 h1:6jZVETqmYCadGFvrYEQfC5fAQmlo80CeL5psbno6r0s=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21/go.mod h1:1SR0GbLlnN3QUmYaflZNiH1ql+1qrSiB2vwcJ+4UM60=
github.com/aws/aws-sdk-go-v2 v1.32.3 h1:T0dRlFBKcdaUPGNtkBSwHZxrtis8CQU17UpNBZYd0wk=
github.com/aws/aws-sdk-go-v2 v1.32.3/go.mod h1:2SK5n0a2karNTv5tbP1SjsX0uhttou00v/HpXKM1ZUo=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.22 h1:Jw50LwEkVjuVzE1NzkhNKkBf9cRN7MtE1F/b2cOKTUM=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.22/go.mod h1:Y/SmAyPcOTmpeVaWSzSKiILfXTVJwrGmYZhcRbhWuEY=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.22 h1:981MHwBaRZM7+9QSR6XamDzF/o7ouUGxFzr+nVSIhrs=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.22/go.mod h1:1RA1+aBEfn+CAB/Mh0MB6LsdCYCnjZm7tKXtnk499ZQ=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 h1:TToQNkvGguu209puTojY/ozlqy2d/SFNcoLIqTFi42g=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0/go.mod h1:0jp+ltwkf+SwG2fm/PKo8t4y8pJSgOCO4D8Lz3k0aHQ=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.2 h1:s7NA1SOw8q/5c0wr8477yOPp0z+uBaXBnLE0XYb0POA=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.2/go.mod h1:fnjjWyAW/Pj5HYOxl9LJqWtEwS7W2qgcRLWP+uWbss0=
github.com/aws/aws-sdk-go-v2/service/sts v1.32.2 h1:CiS7i0+FUe+/YY1GvIBLLrR/XNGZ4CtM1Ll0XavNuVo=
github.com/aws/aws-sdk-go-v2/service/sts v1.32.2/go.mod h1:HtaiBI8CjYoNVde8arShXb94UbQQi9L4EMr6D+xGBwo=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.3 h1:qcxX0JYlgWH3hpPUnd6U0ikcl6LLA9sLkXE2w1fpMvY=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.3/go.mod h1:cLSNEmI45soc+Ef8K/L+8sEA3A3pYFEYf5B5UI+6bH4=
github.com/aws/aws-sdk-go-v2/service/sts v1.32.3 h1:wVnQ6tigGsRqSWDEEyH6lSAJ9OyFUsSnbaUWChuSGzs=
github.com/aws/aws-sdk-go-v2/service/sts v1.32.3/go.mod h1:VZa9yTFyj4o10YGsmDO4gbQJUvvhY72fhumT8W4LqsE=
github.com/aws/smithy-go v1.22.0 h1:uunKnWlcoL3zO7q+gG2Pk53joueEOsnNB28QdMsmiMM=
github.com/aws/smithy-go v1.22.0/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=


@ -1,5 +1,30 @@
# Release History
## 1.16.0 (2024-10-17)
### Features Added
* Added field `Kind` to `runtime.StartSpanOptions` to allow a kind to be set when starting a span.
### Bugs Fixed
* `BearerTokenPolicy` now rewinds request bodies before retrying
## 1.15.0 (2024-10-14)
### Features Added
* `BearerTokenPolicy` handles CAE claims challenges
### Bugs Fixed
* Omit the `ResponseError.RawResponse` field from JSON marshaling so instances can be marshaled.
* Fixed an integer overflow in the retry policy.
### Other Changes
* Update dependencies.
## 1.14.0 (2024-08-07)
### Features Added


@ -5,7 +5,6 @@ package runtime
import (
"context"
"encoding/base64"
"fmt"
"net/http"
"strings"
@ -66,31 +65,16 @@ func NewBearerTokenPolicy(cred azcore.TokenCredential, opts *armpolicy.BearerTok
p.btp = azruntime.NewBearerTokenPolicy(cred, opts.Scopes, &azpolicy.BearerTokenOptions{
InsecureAllowCredentialWithHTTP: opts.InsecureAllowCredentialWithHTTP,
AuthorizationHandler: azpolicy.AuthorizationHandler{
OnChallenge: p.onChallenge,
OnRequest: p.onRequest,
OnRequest: p.onRequest,
},
})
return p
}
func (b *BearerTokenPolicy) onChallenge(req *azpolicy.Request, res *http.Response, authNZ func(azpolicy.TokenRequestOptions) error) error {
challenge := res.Header.Get(shared.HeaderWWWAuthenticate)
claims, err := parseChallenge(challenge)
if err != nil {
// the challenge contains claims we can't parse
return err
} else if claims != "" {
// request a new token having the specified claims, send the request again
return authNZ(azpolicy.TokenRequestOptions{Claims: claims, EnableCAE: true, Scopes: b.scopes})
}
// auth challenge didn't include claims, so this is a simple authorization failure
return azruntime.NewResponseError(res)
}
// onRequest authorizes requests with one or more bearer tokens
func (b *BearerTokenPolicy) onRequest(req *azpolicy.Request, authNZ func(azpolicy.TokenRequestOptions) error) error {
// authorize the request with a token for the primary tenant
err := authNZ(azpolicy.TokenRequestOptions{EnableCAE: true, Scopes: b.scopes})
err := authNZ(azpolicy.TokenRequestOptions{Scopes: b.scopes})
if err != nil || len(b.auxResources) == 0 {
return err
}
@ -116,31 +100,3 @@ func (b *BearerTokenPolicy) onRequest(req *azpolicy.Request, authNZ func(azpolic
func (b *BearerTokenPolicy) Do(req *azpolicy.Request) (*http.Response, error) {
return b.btp.Do(req)
}
// parseChallenge parses claims from an authentication challenge issued by ARM so a client can request a token
// that will satisfy conditional access policies. It returns a non-nil error when the given value contains
// claims it can't parse. If the value contains no claims, it returns an empty string and a nil error.
func parseChallenge(wwwAuthenticate string) (string, error) {
claims := ""
var err error
for _, param := range strings.Split(wwwAuthenticate, ",") {
if _, after, found := strings.Cut(param, "claims="); found {
if claims != "" {
// The header contains multiple challenges, at least two of which specify claims. The specs allow this
// but it's unclear what a client should do in this case and there's as yet no concrete example of it.
err = fmt.Errorf("found multiple claims challenges in %q", wwwAuthenticate)
break
}
// trim stuff that would get an error from RawURLEncoding; claims may or may not be padded
claims = strings.Trim(after, `\"=`)
// we don't return this error because it's something unhelpful like "illegal base64 data at input byte 42"
if b, decErr := base64.RawURLEncoding.DecodeString(claims); decErr == nil {
claims = string(b)
} else {
err = fmt.Errorf("failed to parse claims from %q", wwwAuthenticate)
break
}
}
}
return claims, err
}


@ -11,4 +11,7 @@ import "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported"
// ResponseError is returned when a request is made to a service and
// the service returns a non-success HTTP status code.
// Use errors.As() to access this type in the error chain.
//
// When marshaling instances, the RawResponse field will be omitted.
// However, the contents returned by Error() will be preserved.
type ResponseError = exported.ResponseError


@ -117,12 +117,18 @@ type ResponseError struct {
StatusCode int
// RawResponse is the underlying HTTP response.
RawResponse *http.Response
RawResponse *http.Response `json:"-"`
errMsg string
}
// Error implements the error interface for type ResponseError.
// Note that the message contents are not contractual and can change over time.
func (e *ResponseError) Error() string {
if e.errMsg != "" {
return e.errMsg
}
const separator = "--------------------------------------------------------------------------------"
// write the request method and URL with response status code
msg := &bytes.Buffer{}
@ -163,5 +169,33 @@ func (e *ResponseError) Error() string {
}
fmt.Fprintln(msg, separator)
return msg.String()
e.errMsg = msg.String()
return e.errMsg
}
// internal type used for marshaling/unmarshaling
type responseError struct {
ErrorCode string `json:"errorCode"`
StatusCode int `json:"statusCode"`
ErrorMessage string `json:"errorMessage"`
}
func (e ResponseError) MarshalJSON() ([]byte, error) {
return json.Marshal(responseError{
ErrorCode: e.ErrorCode,
StatusCode: e.StatusCode,
ErrorMessage: e.Error(),
})
}
func (e *ResponseError) UnmarshalJSON(data []byte) error {
re := responseError{}
if err := json.Unmarshal(data, &re); err != nil {
return err
}
e.ErrorCode = re.ErrorCode
e.StatusCode = re.StatusCode
e.errMsg = re.ErrorMessage
return nil
}


@ -40,5 +40,5 @@ const (
Module = "azcore"
// Version is the semantic version (see http://semver.org) of this module.
Version = "v1.14.0"
Version = "v1.16.0"
)


@ -161,19 +161,20 @@ type BearerTokenOptions struct {
// AuthorizationHandler allows SDK developers to insert custom logic that runs when BearerTokenPolicy must authorize a request.
type AuthorizationHandler struct {
// OnRequest is called each time the policy receives a request. Its func parameter authorizes the request with a token
// from the policy's given credential. Implementations that need to perform I/O should use the Request's context,
// available from Request.Raw().Context(). When OnRequest returns an error, the policy propagates that error and doesn't
// send the request. When OnRequest is nil, the policy follows its default behavior, authorizing the request with a
// token from its credential according to its configuration.
// OnRequest provides TokenRequestOptions the policy can use to acquire a token for a request. The policy calls OnRequest
// whenever it needs a token and may call it multiple times for the same request. Its func parameter authorizes the request
// with a token from the policy's credential. Implementations that need to perform I/O should use the Request's context,
// available from Request.Raw().Context(). When OnRequest returns an error, the policy propagates that error and doesn't send
// the request. When OnRequest is nil, the policy follows its default behavior, which is to authorize the request with a token
// from its credential according to its configuration.
OnRequest func(*Request, func(TokenRequestOptions) error) error
// OnChallenge is called when the policy receives a 401 response, allowing the AuthorizationHandler to re-authorize the
// request according to an authentication challenge (the Response's WWW-Authenticate header). OnChallenge is responsible
// for parsing parameters from the challenge. Its func parameter will authorize the request with a token from the policy's
// given credential. Implementations that need to perform I/O should use the Request's context, available from
// Request.Raw().Context(). When OnChallenge returns nil, the policy will send the request again. When OnChallenge is nil,
// the policy will return any 401 response to the client.
// OnChallenge allows clients to implement custom HTTP authentication challenge handling. BearerTokenPolicy calls it upon
// receiving a 401 response containing multiple Bearer challenges or a challenge BearerTokenPolicy itself can't handle.
// OnChallenge is responsible for parsing challenge(s) (the Response's WWW-Authenticate header) and reauthorizing the
// Request accordingly. Its func argument authorizes the Request with a token from the policy's credential using the given
// TokenRequestOptions. OnChallenge should honor the Request's context, available from Request.Raw().Context(). When
// OnChallenge returns nil, the policy will send the Request again.
OnChallenge func(*Request, *http.Response, func(TokenRequestOptions) error) error
}


@ -4,9 +4,12 @@
package runtime
import (
"encoding/base64"
"errors"
"net/http"
"regexp"
"strings"
"sync"
"time"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported"
@ -17,6 +20,11 @@ import (
)
// BearerTokenPolicy authorizes requests with bearer tokens acquired from a TokenCredential.
// It handles [Continuous Access Evaluation] (CAE) challenges. Clients needing to handle
// additional authentication challenges, or needing more control over authorization, should
// provide a [policy.AuthorizationHandler] in [policy.BearerTokenOptions].
//
// [Continuous Access Evaluation]: https://learn.microsoft.com/entra/identity/conditional-access/concept-continuous-access-evaluation
type BearerTokenPolicy struct {
// mainResource is the resource to be retreived using the tenant specified in the credential
mainResource *temporal.Resource[exported.AccessToken, acquiringResourceState]
@ -51,8 +59,18 @@ func NewBearerTokenPolicy(cred exported.TokenCredential, scopes []string, opts *
if opts == nil {
opts = &policy.BearerTokenOptions{}
}
ah := opts.AuthorizationHandler
if ah.OnRequest == nil {
// Set a default OnRequest that simply requests a token with the given scopes. OnChallenge
// doesn't get a default so the policy can use a nil check to determine whether the caller
// provided an implementation.
ah.OnRequest = func(_ *policy.Request, authNZ func(policy.TokenRequestOptions) error) error {
// authNZ sets EnableCAE: true in all cases, no need to duplicate that here
return authNZ(policy.TokenRequestOptions{Scopes: scopes})
}
}
return &BearerTokenPolicy{
authzHandler: opts.AuthorizationHandler,
authzHandler: ah,
cred: cred,
scopes: scopes,
mainResource: temporal.NewResource(acquire),
@ -63,6 +81,7 @@ func NewBearerTokenPolicy(cred exported.TokenCredential, scopes []string, opts *
// authenticateAndAuthorize returns a function which authorizes req with a token from the policy's credential
func (b *BearerTokenPolicy) authenticateAndAuthorize(req *policy.Request) func(policy.TokenRequestOptions) error {
return func(tro policy.TokenRequestOptions) error {
tro.EnableCAE = true
as := acquiringResourceState{p: b, req: req, tro: tro}
tk, err := b.mainResource.Get(as)
if err != nil {
@ -86,12 +105,7 @@ func (b *BearerTokenPolicy) Do(req *policy.Request) (*http.Response, error) {
return nil, err
}
var err error
if b.authzHandler.OnRequest != nil {
err = b.authzHandler.OnRequest(req, b.authenticateAndAuthorize(req))
} else {
err = b.authenticateAndAuthorize(req)(policy.TokenRequestOptions{Scopes: b.scopes})
}
err := b.authzHandler.OnRequest(req, b.authenticateAndAuthorize(req))
if err != nil {
return nil, errorinfo.NonRetriableError(err)
}
@ -101,17 +115,54 @@ func (b *BearerTokenPolicy) Do(req *policy.Request) (*http.Response, error) {
return nil, err
}
res, err = b.handleChallenge(req, res, false)
return res, err
}
// handleChallenge handles authentication challenges either directly (for CAE challenges) or by calling
// the AuthorizationHandler. It's a no-op when the response doesn't include an authentication challenge.
// It will recurse at most once, to handle a CAE challenge following a non-CAE challenge handled by the
// AuthorizationHandler.
func (b *BearerTokenPolicy) handleChallenge(req *policy.Request, res *http.Response, recursed bool) (*http.Response, error) {
var err error
if res.StatusCode == http.StatusUnauthorized {
b.mainResource.Expire()
if res.Header.Get("WWW-Authenticate") != "" && b.authzHandler.OnChallenge != nil {
if err = b.authzHandler.OnChallenge(req, res, b.authenticateAndAuthorize(req)); err == nil {
res, err = req.Next()
if res.Header.Get(shared.HeaderWWWAuthenticate) != "" {
caeChallenge, parseErr := parseCAEChallenge(res)
if parseErr != nil {
return res, parseErr
}
switch {
case caeChallenge != nil:
authNZ := func(tro policy.TokenRequestOptions) error {
// Take the TokenRequestOptions provided by OnRequest and add the challenge claims. The value
// will be empty at time of writing because CAE is the only feature involving claims. If in
// the future some client needs to specify unrelated claims, this function may need to merge
// them with the challenge claims.
tro.Claims = caeChallenge.params["claims"]
return b.authenticateAndAuthorize(req)(tro)
}
if err = b.authzHandler.OnRequest(req, authNZ); err == nil {
if err = req.RewindBody(); err == nil {
res, err = req.Next()
}
}
case b.authzHandler.OnChallenge != nil && !recursed:
if err = b.authzHandler.OnChallenge(req, res, b.authenticateAndAuthorize(req)); err == nil {
if err = req.RewindBody(); err == nil {
if res, err = req.Next(); err == nil {
res, err = b.handleChallenge(req, res, true)
}
}
} else {
// don't retry challenge handling errors
err = errorinfo.NonRetriableError(err)
}
default:
// return the response to the pipeline
}
}
}
if err != nil {
err = errorinfo.NonRetriableError(err)
}
return res, err
}
@ -121,3 +172,65 @@ func checkHTTPSForAuth(req *policy.Request, allowHTTP bool) error {
}
return nil
}
// parseCAEChallenge returns a *authChallenge representing Response's CAE challenge (nil when Response has none).
// If Response includes a CAE challenge having invalid claims, it returns a NonRetriableError.
func parseCAEChallenge(res *http.Response) (*authChallenge, error) {
var (
caeChallenge *authChallenge
err error
)
for _, c := range parseChallenges(res) {
if c.scheme == "Bearer" {
if claims := c.params["claims"]; claims != "" && c.params["error"] == "insufficient_claims" {
if b, de := base64.StdEncoding.DecodeString(claims); de == nil {
c.params["claims"] = string(b)
caeChallenge = &c
} else {
// don't include the decoding error because it's something
// unhelpful like "illegal base64 data at input byte 42"
err = errorinfo.NonRetriableError(errors.New("authentication challenge contains invalid claims: " + claims))
}
break
}
}
}
return caeChallenge, err
}
var (
challenge, challengeParams *regexp.Regexp
once = &sync.Once{}
)
type authChallenge struct {
scheme string
params map[string]string
}
// parseChallenges assumes authentication challenges have quoted parameter values
func parseChallenges(res *http.Response) []authChallenge {
once.Do(func() {
// matches challenges having quoted parameters, capturing scheme and parameters
challenge = regexp.MustCompile(`(?:(\w+) ((?:\w+="[^"]*",?\s*)+))`)
// captures parameter names and values in a match of the above expression
challengeParams = regexp.MustCompile(`(\w+)="([^"]*)"`)
})
parsed := []authChallenge{}
// WWW-Authenticate can have multiple values, each containing multiple challenges
for _, h := range res.Header.Values(shared.HeaderWWWAuthenticate) {
for _, sm := range challenge.FindAllStringSubmatch(h, -1) {
// sm is [challenge, scheme, params] (see regexp documentation on submatches)
c := authChallenge{
params: make(map[string]string),
scheme: sm[1],
}
for _, sm := range challengeParams.FindAllStringSubmatch(sm[2], -1) {
// sm is [key="value", key, value] (see regexp documentation on submatches)
c.params[sm[1]] = sm[2]
}
parsed = append(parsed, c)
}
}
return parsed
}


@ -96,6 +96,8 @@ func (h *httpTracePolicy) Do(req *policy.Request) (resp *http.Response, err erro
// StartSpanOptions contains the optional values for StartSpan.
type StartSpanOptions struct {
// Kind indicates the kind of Span.
Kind tracing.SpanKind
// Attributes contains key-value pairs of attributes for the span.
Attributes []tracing.Attribute
}
@ -115,7 +117,6 @@ func StartSpan(ctx context.Context, name string, tracer tracing.Tracer, options
// we MUST propagate the active tracer before returning so that the trace policy can access it
ctx = context.WithValue(ctx, shared.CtxWithTracingTracer{}, tracer)
const newSpanKind = tracing.SpanKindInternal
if activeSpan := ctx.Value(ctxActiveSpan{}); activeSpan != nil {
// per the design guidelines, if a SDK method Foo() calls SDK method Bar(),
// then the span for Bar() must be suppressed. however, if Bar() makes a REST
@ -131,12 +132,15 @@ func StartSpan(ctx context.Context, name string, tracer tracing.Tracer, options
if options == nil {
options = &StartSpanOptions{}
}
if options.Kind == 0 {
options.Kind = tracing.SpanKindInternal
}
ctx, span := tracer.Start(ctx, name, &tracing.SpanOptions{
Kind: newSpanKind,
Kind: options.Kind,
Attributes: options.Attributes,
})
ctx = context.WithValue(ctx, ctxActiveSpan{}, newSpanKind)
ctx = context.WithValue(ctx, ctxActiveSpan{}, options.Kind)
return ctx, func(err error) {
if err != nil {
errType := strings.Replace(fmt.Sprintf("%T", err), "*exported.", "*azcore.", 1)


@ -59,13 +59,33 @@ func setDefaults(o *policy.RetryOptions) {
}
func calcDelay(o policy.RetryOptions, try int32) time.Duration { // try is >=1; never 0
delay := time.Duration((1<<try)-1) * o.RetryDelay
// avoid overflow when shifting left
factor := time.Duration(math.MaxInt64)
if try < 63 {
factor = time.Duration(int64(1<<try) - 1)
}
// Introduce some jitter: [0.0, 1.0) / 2 = [0.0, 0.5) + 0.8 = [0.8, 1.3)
delay = time.Duration(delay.Seconds() * (rand.Float64()/2 + 0.8) * float64(time.Second)) // NOTE: We want math/rand; not crypto/rand
if delay > o.MaxRetryDelay {
delay := factor * o.RetryDelay
if delay < factor {
// overflow has happened so set to max value
delay = time.Duration(math.MaxInt64)
}
// Introduce jitter: [0.0, 1.0) / 2 = [0.0, 0.5) + 0.8 = [0.8, 1.3)
jitterMultiplier := rand.Float64()/2 + 0.8 // NOTE: We want math/rand; not crypto/rand
delayFloat := float64(delay) * jitterMultiplier
if delayFloat > float64(math.MaxInt64) {
// the jitter pushed us over MaxInt64, so just use MaxInt64
delay = time.Duration(math.MaxInt64)
} else {
delay = time.Duration(delayFloat)
}
if delay > o.MaxRetryDelay { // MaxRetryDelay is backfilled with non-negative value
delay = o.MaxRetryDelay
}
return delay
}


@ -1,5 +1,12 @@
# Release History
## 1.2.0 (2024-10-21)
### Features Added
* Added CAE support
* Client requests tokens from the Vault's tenant, overriding any credential default
(thanks @francescomari)
## 1.1.0 (2024-02-13)
### Other Changes


@ -0,0 +1,92 @@
# Guide to migrate from `keyvault` to `azsecrets`
This guide is intended to assist in the migration to the `azsecrets` module from the deprecated `keyvault` module. `azsecrets` allows users to create and manage [secrets] with Azure Key Vault.
## General changes
In the past, Azure Key Vault operations were all contained in a single package. For Go, this was `github.com/Azure/azure-sdk-for-go/services/keyvault/<version>/keyvault`.
The new SDK divides the Key Vault API into separate modules for keys, secrets, and certificates. This guide focuses on migrating secret operations to use the new `azsecrets` module.
There are other changes besides the module name. For example, some type and method names are different, and all new modules authenticate using our [azidentity] module.
## Code examples
The following code example shows the difference between the old and new modules when creating a secret. The biggest differences are the client and authentication. In the `keyvault` module, users created a `keyvault.BaseClient` then added an `Authorizer` to the client to authenticate. In the `azsecrets` module, users create a credential using the [azidentity] module then use that credential to construct the client.
Another difference is that the Key Vault URL is now passed to the client once during construction, not every time a method is called.
### `keyvault` create secret
```go
import (
"context"
"fmt"
"github.com/Azure/azure-sdk-for-go/profiles/latest/keyvault/keyvault"
kvauth "github.com/Azure/azure-sdk-for-go/services/keyvault/auth"
)
func main() {
vaultURL := "https://<TODO: your vault name>.vault.azure.net"
secretName := "mySecret"
secretValue := "mySecretValue"
authorizer, err := kvauth.NewAuthorizerFromEnvironment()
if err != nil {
// TODO: handle error
}
basicClient := keyvault.New()
basicClient.Authorizer = authorizer
fmt.Println("\ncreating secret in keyvault:")
var secParams keyvault.SecretSetParameters
secParams.Value = &secretValue
newBundle, err := basicClient.SetSecret(context.Background(), vaultURL, secretName, secParams)
if err != nil {
// TODO: handle error
}
fmt.Println("added/updated: " + *newBundle.ID)
}
```
### `azsecrets` create secret
```go
package main
import (
"context"
"fmt"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets"
)
func main() {
vaultURL := "https://<TODO: your vault name>.vault.azure.net"
secretName := "mySecret"
secretValue := "mySecretValue"
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
// TODO: handle error
}
client, err := azsecrets.NewClient(vaultURL, cred, nil)
if err != nil {
// TODO: handle error
}
resp, err := client.SetSecret(context.TODO(), secretName, azsecrets.SetSecretParameters{Value: &secretValue}, nil)
if err != nil {
// TODO: handle error
}
fmt.Printf("Set secret %s", resp.ID.Name())
}
```
[azidentity]: https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity
[secrets]: https://learn.microsoft.com/azure/key-vault/secrets/about-secrets


@ -2,5 +2,5 @@
"AssetsRepo": "Azure/azure-sdk-assets",
"AssetsRepoPrefixPath": "go",
"TagPrefix": "go/security/keyvault/azsecrets",
"Tag": "go/security/keyvault/azsecrets_46bc7ae56f"
"Tag": "go/security/keyvault/azsecrets_f05a21134a"
}


@ -22,9 +22,10 @@ pr:
include:
- sdk/security/keyvault/azsecrets
stages:
- template: /eng/pipelines/templates/jobs/archetype-sdk-client.yml
extends:
template: /eng/pipelines/templates/jobs/archetype-sdk-client.yml
parameters:
ServiceDirectory: 'security/keyvault/azsecrets'
RunLiveTests: true
UsePipelineProxy: false
SupportedClouds: 'Public,UsGov,China'


@ -35,62 +35,18 @@
"description": "The location of the resource. By default, this is the same as the resource group."
}
},
"hsmLocation": {
"type": "string",
"defaultValue": "southcentralus",
"allowedValues": [
"australiacentral",
"canadacentral",
"centralus",
"eastasia",
"eastus2",
"koreacentral",
"northeurope",
"southafricanorth",
"southcentralus",
"southeastasia",
"switzerlandnorth",
"uksouth",
"westeurope",
"westus"
],
"metadata": {
"description": "The location of the Managed HSM. By default, this is 'southcentralus'."
}
},
"enableHsm": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "Whether to enable deployment of Managed HSM. The default is false."
}
},
"keyVaultSku": {
"type": "string",
"defaultValue": "premium",
"metadata": {
"description": "Key Vault SKU to deploy. The default is 'premium'"
}
},
"attestationImage": {
"type": "string",
"defaultValue": "keyvault-mock-attestation:latest",
"metadata": {
"description": "The container image name and tag to use for the attestation mock service."
}
}
},
"variables": {
"attestationFarm": "[concat(parameters('baseName'), 'farm')]",
"attestationSite": "[concat(parameters('baseName'), 'site')]",
"attestationUri": "[concat('DOCKER|azsdkengsys.azurecr.io/', parameters('attestationImage'))]",
"kvApiVersion": "2019-09-01",
"kvName": "[parameters('baseName')]",
"hsmApiVersion": "2021-04-01-preview",
"hsmName": "[concat(parameters('baseName'), 'hsm')]",
"mgmtApiVersion": "2019-04-01",
"blobContainerName": "backup",
"primaryAccountName": "[concat(parameters('baseName'), 'prim')]",
"encryption": {
"services": {
"blob": {
@ -180,116 +136,6 @@
"enableSoftDelete": true,
"softDeleteRetentionInDays": 7
}
},
{
"type": "Microsoft.KeyVault/managedHSMs",
"apiVersion": "[variables('hsmApiVersion')]",
"name": "[variables('hsmName')]",
"condition": "[parameters('enableHsm')]",
"location": "[parameters('hsmLocation')]",
"sku": {
"family": "B",
"name": "Standard_B1"
},
"properties": {
"tenantId": "[parameters('tenantId')]",
"initialAdminObjectIds": "[union(array(parameters('testApplicationOid')), array(parameters('provisionerApplicationOid')))]",
"enablePurgeProtection": false,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 7,
"publicNetworkAccess": "Enabled",
"networkAcls": "[variables('networkAcls')]"
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "[variables('mgmtApiVersion')]",
"name": "[variables('primaryAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_RAGRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": "[variables('networkAcls')]",
"supportsHttpsTrafficOnly": true,
"encryption": "[variables('encryption')]",
"accessTier": "Hot"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('primaryAccountName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', variables('primaryAccountName'))]"
],
"sku": {
"name": "Standard_RAGRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
},
"deleteRetentionPolicy": {
"enabled": false
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('primaryAccountName'), '/default/', variables('blobContainerName'))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('primaryAccountName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('primaryAccountName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2020-12-01",
"name": "[variables('attestationFarm')]",
"condition": "[parameters('enableHsm')]",
"location": "[parameters('location')]",
"kind": "linux",
"sku": {
"name": "B1"
},
"properties": {
"reserved": true
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"name": "[variables('attestationSite')]",
"condition": "[parameters('enableHsm')]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('attestationFarm'))]"
],
"location": "[parameters('location')]",
"properties": {
"httpsOnly": true,
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('attestationFarm'))]",
"siteConfig": {
"name": "[variables('attestationSite')]",
"alwaysOn": true,
"linuxFxVersion": "[variables('attestationUri')]",
"appSettings": [
{
"name": "WEBSITES_ENABLE_APP_SERVICE_STORAGE",
"value": "false"
}
]
}
}
}
],
"outputs": {
@ -297,11 +143,6 @@
"type": "string",
"value": "[reference(variables('kvName')).vaultUri]"
},
"AZURE_MANAGEDHSM_URL": {
"type": "string",
"condition": "[parameters('enableHsm')]",
"value": "[reference(variables('hsmName')).hsmUri]"
},
"KEYVAULT_SKU": {
"type": "string",
"value": "[reference(parameters('baseName')).sku.name]"
@ -309,23 +150,6 @@
"CLIENT_OBJECTID": {
"type": "string",
"value": "[parameters('testApplicationOid')]"
},
"BLOB_STORAGE_ACCOUNT_NAME": {
"type": "string",
"value": "[variables('primaryAccountName')]"
},
"BLOB_PRIMARY_STORAGE_ACCOUNT_KEY": {
"type": "string",
"value": "[listKeys(variables('primaryAccountName'), variables('mgmtApiVersion')).keys[0].value]"
},
"BLOB_CONTAINER_NAME" : {
"type": "string",
"value": "[variables('blobContainerName')]"
},
"AZURE_KEYVAULT_ATTESTATION_URL": {
"type": "string",
"condition": "[parameters('enableHsm')]",
"value": "[format('https://{0}/', reference(variables('attestationSite')).defaultHostName)]"
}
}
}


@ -8,5 +8,5 @@ package azsecrets
const (
moduleName = "github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets"
version = "v1.1.0"
version = "v1.2.0"
)


@ -1,5 +1,16 @@
# Release History
## 1.1.0 (2024-10-21)
### Features Added
* Added CAE support
* `KeyVaultChallengePolicy` always requests tokens from the Vault's tenant, overriding any credential default
## 1.0.1 (2024-04-09)
### Other Changes
* Upgraded dependencies
## 1.0.0 (2023-08-15)
### Features Added


@ -17,7 +17,6 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
"github.com/Azure/azure-sdk-for-go/sdk/internal/errorinfo"
)
const challengeMatchError = `challenge resource "%s" doesn't match the requested domain. Set DisableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information`
@ -31,9 +30,7 @@ type KeyVaultChallengePolicyOptions struct {
type keyVaultAuthorizer struct {
// tro is the policy's authentication parameters. These are discovered from an authentication challenge
// elicited ahead of the first client request.
tro policy.TokenRequestOptions
// TODO: move into tro once it has a tenant field (https://github.com/Azure/azure-sdk-for-go/issues/19841)
tenantID string
tro policy.TokenRequestOptions
verifyChallengeResource bool
}
@ -58,7 +55,7 @@ func NewKeyVaultChallengePolicy(cred azcore.TokenCredential, opts *KeyVaultChall
}
func (k *keyVaultAuthorizer) authorize(req *policy.Request, authNZ func(policy.TokenRequestOptions) error) error {
if len(k.tro.Scopes) == 0 || k.tenantID == "" {
if len(k.tro.Scopes) == 0 || k.tro.TenantID == "" {
if body := req.Body(); body != nil {
// We don't know the scope or tenant ID because we haven't seen a challenge yet. We elicit one now by sending
// the request without authorization, first removing its body, if any. authorizeOnChallenge will reattach the
@ -105,29 +102,11 @@ func parseTenant(url string) string {
return tenant
}
type challengePolicyError struct {
err error
}
func (c *challengePolicyError) Error() string {
return c.err.Error()
}
func (*challengePolicyError) NonRetriable() {
// marker method
}
func (c *challengePolicyError) Unwrap() error {
return c.err
}
var _ errorinfo.NonRetriable = (*challengePolicyError)(nil)
// updateTokenRequestOptions parses authentication parameters from Key Vault's challenge
func (k *keyVaultAuthorizer) updateTokenRequestOptions(resp *http.Response, req *http.Request) error {
authHeader := resp.Header.Get("WWW-Authenticate")
if authHeader == "" {
return &challengePolicyError{err: errors.New("response has no WWW-Authenticate header for challenge authentication")}
return errors.New("response has no WWW-Authenticate header for challenge authentication")
}
// Strip down to auth and resource
@ -147,7 +126,7 @@ func (k *keyVaultAuthorizer) updateTokenRequestOptions(resp *http.Response, req
}
}
k.tenantID = parseTenant(vals["authorization"])
k.tro.TenantID = parseTenant(vals["authorization"])
scope := ""
if v, ok := vals["scope"]; ok {
scope = v
@ -155,16 +134,16 @@ func (k *keyVaultAuthorizer) updateTokenRequestOptions(resp *http.Response, req
scope = v
}
if scope == "" {
return &challengePolicyError{err: errors.New("could not find a valid resource in the WWW-Authenticate header")}
return errors.New("could not find a valid resource in the WWW-Authenticate header")
}
if k.verifyChallengeResource {
// the challenge resource's host must match the requested vault's host
parsed, err := url.Parse(scope)
if err != nil {
return &challengePolicyError{err: fmt.Errorf(`invalid challenge resource "%s": %v`, scope, err)}
return fmt.Errorf("invalid challenge resource %q: %v", scope, err)
}
if !strings.HasSuffix(req.URL.Host, "."+parsed.Host) {
return &challengePolicyError{err: fmt.Errorf(challengeMatchError, scope)}
return fmt.Errorf(challengeMatchError, scope)
}
}
if !strings.HasSuffix(scope, "/.default") {


@ -21,8 +21,8 @@ pr:
include:
- sdk/security/keyvault/internal
stages:
- template: /eng/pipelines/templates/jobs/archetype-sdk-client.yml
extends:
template: /eng/pipelines/templates/jobs/archetype-sdk-client.yml
parameters:
ServiceDirectory: 'security/keyvault/internal'
RunLiveTests: false


@ -7,5 +7,5 @@
package internal
const (
version = "v1.0.0" //nolint
version = "v1.1.0" //nolint
)


@ -3,4 +3,4 @@
package aws
// goModuleVersion is the tagged release for this module
const goModuleVersion = "1.32.2"
const goModuleVersion = "1.32.3"


@ -372,8 +372,9 @@ func GetSignedRequestSignature(r *http.Request) ([]byte, error) {
const authHeaderSignatureElem = "Signature="
if auth := r.Header.Get(authorizationHeader); len(auth) != 0 {
ps := strings.Split(auth, ", ")
ps := strings.Split(auth, ",")
for _, p := range ps {
p = strings.TrimSpace(p)
if idx := strings.Index(p, authHeaderSignatureElem); idx >= 0 {
sig := p[len(authHeaderSignatureElem):]
if len(sig) == 0 {


@ -1,3 +1,7 @@
# v1.3.22 (2024-10-28)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.21 (2024-10-08)
* **Dependency Update**: Updated to the latest SDK module versions


@ -3,4 +3,4 @@
package configsources
// goModuleVersion is the tagged release for this module
const goModuleVersion = "1.3.21"
const goModuleVersion = "1.3.22"


@ -1,3 +1,7 @@
# v2.6.22 (2024-10-28)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.21 (2024-10-08)
* **Dependency Update**: Updated to the latest SDK module versions


@ -3,4 +3,4 @@
package endpoints
// goModuleVersion is the tagged release for this module
const goModuleVersion = "2.6.21"
const goModuleVersion = "2.6.22"


@ -1,3 +1,7 @@
# v1.12.3 (2024-10-28)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.12.2 (2024-10-08)
* **Dependency Update**: Updated to the latest SDK module versions


@ -3,4 +3,4 @@
package presignedurl
// goModuleVersion is the tagged release for this module
const goModuleVersion = "1.12.2"
const goModuleVersion = "1.12.3"


@ -1,3 +1,7 @@
# v1.32.3 (2024-10-28)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.32.2 (2024-10-08)
* **Dependency Update**: Updated to the latest SDK module versions


@ -3,4 +3,4 @@
package sts
// goModuleVersion is the tagged release for this module
const goModuleVersion = "1.32.2"
const goModuleVersion = "1.32.3"

16
vendor/modules.txt vendored

@ -1,4 +1,4 @@
# github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0
# github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0
## explicit; go 1.18
github.com/Azure/azure-sdk-for-go/sdk/azcore
github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/internal/resource
@ -33,10 +33,10 @@ github.com/Azure/azure-sdk-for-go/sdk/internal/log
github.com/Azure/azure-sdk-for-go/sdk/internal/poller
github.com/Azure/azure-sdk-for-go/sdk/internal/temporal
github.com/Azure/azure-sdk-for-go/sdk/internal/uuid
# github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0
# github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.2.0
## explicit; go 1.18
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets
# github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0
# github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0
## explicit; go 1.18
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal
# github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2
@ -126,7 +126,7 @@ github.com/aws/aws-sdk-go/service/sso/ssoiface
github.com/aws/aws-sdk-go/service/ssooidc
github.com/aws/aws-sdk-go/service/sts
github.com/aws/aws-sdk-go/service/sts/stsiface
# github.com/aws/aws-sdk-go-v2 v1.32.2
# github.com/aws/aws-sdk-go-v2 v1.32.3
## explicit; go 1.21
github.com/aws/aws-sdk-go-v2/aws
github.com/aws/aws-sdk-go-v2/aws/defaults
@ -149,19 +149,19 @@ github.com/aws/aws-sdk-go-v2/internal/sdk
github.com/aws/aws-sdk-go-v2/internal/strings
github.com/aws/aws-sdk-go-v2/internal/sync/singleflight
github.com/aws/aws-sdk-go-v2/internal/timeconv
# github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21
# github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.22
## explicit; go 1.21
github.com/aws/aws-sdk-go-v2/internal/configsources
# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21
# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.22
## explicit; go 1.21
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2
# github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0
## explicit; go 1.21
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding
# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.2
# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.3
## explicit; go 1.21
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url
# github.com/aws/aws-sdk-go-v2/service/sts v1.32.2
# github.com/aws/aws-sdk-go-v2/service/sts v1.32.3
## explicit; go 1.21
github.com/aws/aws-sdk-go-v2/service/sts
github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints