From d1ebbde76064e85f58d091db96401c4d551c1bb9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 26 Sep 2025 14:17:55 +0000 Subject: [PATCH] build(deps): bump github.com/open-policy-agent/opa from 1.8.0 to 1.9.0 Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.8.0 to 1.9.0. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-policy-agent/opa/compare/v1.8.0...v1.9.0) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-version: 1.9.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 16 +- go.sum | 35 +- .../lestrrat-go/dsig-secp256k1/.gitignore | 32 + .../lestrrat-go/dsig-secp256k1/Changes | 5 + .../lestrrat-go/dsig-secp256k1/LICENSE | 21 + .../lestrrat-go/dsig-secp256k1/secp256k1.go | 29 + vendor/github.com/lestrrat-go/dsig/.gitignore | 32 + vendor/github.com/lestrrat-go/dsig/Changes | 5 + vendor/github.com/lestrrat-go/dsig/LICENSE | 21 + vendor/github.com/lestrrat-go/dsig/README.md | 163 + .../github.com/lestrrat-go/dsig/algorithms.go | 37 + .../lestrrat-go/dsig/crypto_signer.go | 45 + vendor/github.com/lestrrat-go/dsig/dsig.go | 224 + vendor/github.com/lestrrat-go/dsig/ecdsa.go | 200 + vendor/github.com/lestrrat-go/dsig/eddsa.go | 44 + vendor/github.com/lestrrat-go/dsig/hmac.go | 45 + .../dsig/internal/ecutil/ecutil.go | 76 + vendor/github.com/lestrrat-go/dsig/rsa.go | 63 + vendor/github.com/lestrrat-go/dsig/sign.go | 100 + .../github.com/lestrrat-go/dsig/validation.go | 66 + vendor/github.com/lestrrat-go/dsig/verify.go | 134 + .../lestrrat-go/httprc/v3/.golangci.yml | 2 + .../github.com/lestrrat-go/httprc/v3/Changes | 5 +- .../lestrrat-go/httprc/v3/backend.go | 10 +- .../lestrrat-go/httprc/v3/worker.go | 2 + vendor/github.com/lestrrat-go/jwx/v3/Changes | 14 + .../lestrrat-go/jwx/v3/MODULE.bazel | 6 +- .../jwx/v3/internal/keyconv/keyconv.go | 89 + .../lestrrat-go/jwx/v3/jwe/encrypt.go | 41 +- .../lestrrat-go/jwx/v3/jwk/cache.go | 4 + .../lestrrat-go/jwx/v3/jwk/fetch.go | 2 +- .../lestrrat-go/jwx/v3/jws/es256k.go | 1 + .../github.com/lestrrat-go/jwx/v3/jws/jws.go | 4 + .../lestrrat-go/jwx/v3/jws/jwsbb/BUILD.bazel | 1 + .../lestrrat-go/jwx/v3/jws/jwsbb/ecdsa.go | 87 +- .../lestrrat-go/jwx/v3/jws/jwsbb/eddsa.go | 44 +- .../lestrrat-go/jwx/v3/jws/jwsbb/es256k.go | 14 + .../lestrrat-go/jwx/v3/jws/jwsbb/hmac.go | 71 +- .../lestrrat-go/jwx/v3/jws/jwsbb/jwsbb.go | 65 + .../lestrrat-go/jwx/v3/jws/jwsbb/rsa.go | 95 +- .../lestrrat-go/jwx/v3/jws/jwsbb/sign.go | 127 +- .../lestrrat-go/jwx/v3/jws/jwsbb/verify.go | 152 +- .../opa/capabilities/v1.9.0.json | 4867 +++++++++++++++++ .../opa/internal/runtime/init/init.go | 2 +- .../opa/v1/ast/annotations.go | 50 + .../open-policy-agent/opa/v1/ast/index.go | 56 +- .../open-policy-agent/opa/v1/ast/parser.go | 102 +- .../open-policy-agent/opa/v1/bundle/file.go | 2 +- .../opa/v1/metrics/metrics.go | 36 +- .../open-policy-agent/opa/v1/topdown/eval.go | 3 +- .../opa/v1/topdown/graphql.go | 2 +- .../open-policy-agent/opa/v1/topdown/http.go | 8 + .../opa/v1/topdown/numbers.go | 15 +- .../opa/v1/version/version.go | 2 +- .../prometheus/procfs/Makefile.common | 15 +- vendor/github.com/prometheus/procfs/mdstat.go | 5 +- .../github.com/prometheus/procfs/meminfo.go | 33 + .../github.com/prometheus/procfs/proc_stat.go | 12 +- .../prometheus/procfs/proc_statm.go | 116 + .../rcrowley/go-metrics/.travis.yml | 1 + .../github.com/rcrowley/go-metrics/README.md | 9 + .../sirupsen/logrus/terminal_check_bsd.go | 2 +- .../sirupsen/logrus/terminal_check_unix.go | 2 + .../sirupsen/logrus/terminal_check_wasi.go | 8 + .../sirupsen/logrus/terminal_check_wasip1.go | 8 + vendor/github.com/spf13/pflag/flag.go | 14 +- vendor/modules.txt | 25 +- 67 files changed, 7144 insertions(+), 480 deletions(-) create mode 100644 vendor/github.com/lestrrat-go/dsig-secp256k1/.gitignore create mode 100644 vendor/github.com/lestrrat-go/dsig-secp256k1/Changes create mode 100644 vendor/github.com/lestrrat-go/dsig-secp256k1/LICENSE create mode 100644 vendor/github.com/lestrrat-go/dsig-secp256k1/secp256k1.go create mode 100644 vendor/github.com/lestrrat-go/dsig/.gitignore create mode 100644 vendor/github.com/lestrrat-go/dsig/Changes create mode 100644 vendor/github.com/lestrrat-go/dsig/LICENSE create mode 100644 vendor/github.com/lestrrat-go/dsig/README.md create mode 100644 vendor/github.com/lestrrat-go/dsig/algorithms.go create mode 100644 vendor/github.com/lestrrat-go/dsig/crypto_signer.go create mode 100644 vendor/github.com/lestrrat-go/dsig/dsig.go create mode 100644 vendor/github.com/lestrrat-go/dsig/ecdsa.go create mode 100644 vendor/github.com/lestrrat-go/dsig/eddsa.go create mode 100644 vendor/github.com/lestrrat-go/dsig/hmac.go create mode 100644 vendor/github.com/lestrrat-go/dsig/internal/ecutil/ecutil.go create mode 100644 vendor/github.com/lestrrat-go/dsig/rsa.go create mode 100644 vendor/github.com/lestrrat-go/dsig/sign.go create mode 100644 vendor/github.com/lestrrat-go/dsig/validation.go create mode 100644 vendor/github.com/lestrrat-go/dsig/verify.go create mode 100644 vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/es256k.go create mode 100644 vendor/github.com/open-policy-agent/opa/capabilities/v1.9.0.json create mode 100644 vendor/github.com/prometheus/procfs/proc_statm.go create mode 100644 vendor/github.com/sirupsen/logrus/terminal_check_wasi.go create mode 100644 vendor/github.com/sirupsen/logrus/terminal_check_wasip1.go diff --git a/go.mod b/go.mod index 222388537..605ae0d13 100644 --- a/go.mod +++ b/go.mod @@ -63,7 +63,7 @@ require ( github.com/onsi/ginkgo v1.16.5 github.com/onsi/ginkgo/v2 v2.25.3 github.com/onsi/gomega v1.38.2 - github.com/open-policy-agent/opa v1.8.0 + github.com/open-policy-agent/opa v1.9.0 github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76 github.com/opencloud-eu/reva/v2 v2.38.1-0.20250924125540-eaa2437c36b2 github.com/opensearch-project/opensearch-go/v4 v4.5.0 @@ -76,7 +76,7 @@ require ( github.com/rogpeppe/go-internal v1.14.1 github.com/rs/cors v1.11.1 github.com/rs/zerolog v1.34.0 - github.com/sirupsen/logrus v1.9.3 + github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af github.com/spf13/afero v1.15.0 github.com/spf13/cobra v1.10.1 github.com/stretchr/testify v1.11.1 @@ -259,9 +259,11 @@ require ( github.com/klauspost/cpuid/v2 v2.2.11 // indirect github.com/leodido/go-urn v1.4.0 // indirect github.com/lestrrat-go/blackmagic v1.0.4 // indirect + github.com/lestrrat-go/dsig v1.0.0 // indirect + github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect github.com/lestrrat-go/httpcc v1.0.1 // indirect - github.com/lestrrat-go/httprc/v3 v3.0.0 // indirect - github.com/lestrrat-go/jwx/v3 v3.0.10 // indirect + github.com/lestrrat-go/httprc/v3 v3.0.1 // indirect + github.com/lestrrat-go/jwx/v3 v3.0.11 // indirect github.com/lestrrat-go/option v1.0.1 // indirect github.com/lestrrat-go/option/v2 v2.0.0 // indirect github.com/libregraph/oidc-go v1.1.0 // indirect @@ -318,9 +320,9 @@ require ( github.com/prometheus/alertmanager v0.28.1 // indirect github.com/prometheus/client_model v0.6.2 // indirect github.com/prometheus/common v0.66.1 // indirect - github.com/prometheus/procfs v0.16.1 // indirect + github.com/prometheus/procfs v0.17.0 // indirect github.com/prometheus/statsd_exporter v0.22.8 // indirect - github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect + github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 // indirect github.com/rivo/uniseg v0.4.7 // indirect github.com/rs/xid v1.6.0 // indirect github.com/russellhaering/goxmldsig v1.5.0 // indirect @@ -338,7 +340,7 @@ require ( github.com/shurcooL/vfsgen v0.0.0-20230704071429-0000e147ea92 // indirect github.com/skeema/knownhosts v1.3.0 // indirect github.com/spacewander/go-suffix-tree v0.0.0-20191010040751-0865e368c784 // indirect - github.com/spf13/pflag v1.0.9 // indirect + github.com/spf13/pflag v1.0.10 // indirect github.com/stretchr/objx v0.5.2 // indirect github.com/studio-b12/gowebdav v0.9.0 // indirect github.com/tchap/go-patricia/v2 v2.3.3 // indirect diff --git a/go.sum b/go.sum index 5035bc0f7..8157db24d 100644 --- a/go.sum +++ b/go.sum @@ -747,12 +747,16 @@ github.com/leonelquinteros/gotext v1.7.2 h1:bDPndU8nt+/kRo1m4l/1OXiiy2v7Z7dfPQ9+ github.com/leonelquinteros/gotext v1.7.2/go.mod h1:9/haCkm5P7Jay1sxKDGJ5WIg4zkz8oZKw4ekNpALob8= github.com/lestrrat-go/blackmagic v1.0.4 h1:IwQibdnf8l2KoO+qC3uT4OaTWsW7tuRQXy9TRN9QanA= github.com/lestrrat-go/blackmagic v1.0.4/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw= +github.com/lestrrat-go/dsig v1.0.0 h1:OE09s2r9Z81kxzJYRn07TFM9XA4akrUdoMwr0L8xj38= +github.com/lestrrat-go/dsig v1.0.0/go.mod h1:dEgoOYYEJvW6XGbLasr8TFcAxoWrKlbQvmJgCR0qkDo= +github.com/lestrrat-go/dsig-secp256k1 v1.0.0 h1:JpDe4Aybfl0soBvoVwjqDbp+9S1Y2OM7gcrVVMFPOzY= +github.com/lestrrat-go/dsig-secp256k1 v1.0.0/go.mod h1:CxUgAhssb8FToqbL8NjSPoGQlnO4w3LG1P0qPWQm/NU= github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE= github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E= -github.com/lestrrat-go/httprc/v3 v3.0.0 h1:nZUx/zFg5uc2rhlu1L1DidGr5Sj02JbXvGSpnY4LMrc= -github.com/lestrrat-go/httprc/v3 v3.0.0/go.mod h1:k2U1QIiyVqAKtkffbg+cUmsyiPGQsb9aAfNQiNFuQ9Q= -github.com/lestrrat-go/jwx/v3 v3.0.10 h1:XuoCBhZBncRIjMQ32HdEc76rH0xK/Qv2wq5TBouYJDw= -github.com/lestrrat-go/jwx/v3 v3.0.10/go.mod h1:kNMedLgTpHvPJkK5EMVa1JFz+UVyY2dMmZKu3qjl/Pk= +github.com/lestrrat-go/httprc/v3 v3.0.1 h1:3n7Es68YYGZb2Jf+k//llA4FTZMl3yCwIjFIk4ubevI= +github.com/lestrrat-go/httprc/v3 v3.0.1/go.mod h1:2uAvmbXE4Xq8kAUjVrZOq1tZVYYYs5iP62Cmtru00xk= +github.com/lestrrat-go/jwx/v3 v3.0.11 h1:yEeUGNUuNjcez/Voxvr7XPTYNraSQTENJgtVTfwvG/w= +github.com/lestrrat-go/jwx/v3 v3.0.11/go.mod h1:XSOAh2SiXm0QgRe3DulLZLyt+wUuEdFo81zuKTLcvgQ= github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU= github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= github.com/lestrrat-go/option/v2 v2.0.0 h1:XxrcaJESE1fokHy3FpaQ/cXW8ZsIdWcdFzzLOcID3Ss= @@ -924,8 +928,8 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= -github.com/open-policy-agent/opa v1.8.0 h1:4JdYuZcANeUF1v/87NGpirocpaZzJA0PcuL7xfmsMNM= -github.com/open-policy-agent/opa v1.8.0/go.mod h1:vOVZuIJQISnaYcZtQ58yTDkVCp1FmGPwK43pO9qPDqM= +github.com/open-policy-agent/opa v1.9.0 h1:QWFNwbcc29IRy0xwD3hRrMc/RtSersLY1Z6TaID3vgI= +github.com/open-policy-agent/opa v1.9.0/go.mod h1:72+lKmTda0O48m1VKAxxYl7MjP/EWFZu9fxHQK2xihs= github.com/opencloud-eu/go-micro-plugins/v4/store/nats-js-kv v0.0.0-20250512152754-23325793059a h1:Sakl76blJAaM6NxylVkgSzktjo2dS504iDotEFJsh3M= github.com/opencloud-eu/go-micro-plugins/v4/store/nats-js-kv v0.0.0-20250512152754-23325793059a/go.mod h1:pjcozWijkNPbEtX5SIQaxEW/h8VAVZYTLx+70bmB3LY= github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76 h1:vD/EdfDUrv4omSFjrinT8Mvf+8D7f9g4vgQ2oiDrVUI= @@ -1031,8 +1035,8 @@ github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4O github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= -github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg= -github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is= +github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0= +github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw= github.com/prometheus/statsd_exporter v0.22.7/go.mod h1:N/TevpjkIh9ccs6nuzY3jQn9dFqnUakOjnEuMPJJJnI= github.com/prometheus/statsd_exporter v0.22.8 h1:Qo2D9ZzaQG+id9i5NYNGmbf1aa/KxKbB9aKfMS+Yib0= github.com/prometheus/statsd_exporter v0.22.8/go.mod h1:/DzwbTEaFTE0Ojz5PqcSk6+PFHOPWGxdXVr6yC8eFOM= @@ -1041,8 +1045,8 @@ github.com/r3labs/sse/v2 v2.10.0 h1:hFEkLLFY4LDifoHdiCN/LlGBAdVJYsANaLqNYa1l/v0= github.com/r3labs/sse/v2 v2.10.0/go.mod h1:Igau6Whc+F17QUgML1fYe1VPZzTV6EMCnYktEmkNJ7I= github.com/rainycape/memcache v0.0.0-20150622160815-1031fa0ce2f2/go.mod h1:7tZKcyumwBO6qip7RNQ5r77yrssm9bfCowcLEBcU5IA= github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= -github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 h1:MkV+77GLUNo5oJ0jf870itWm3D0Sjh7+Za9gazKc5LQ= -github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= +github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 h1:bsUq1dX0N8AOIL7EB/X911+m4EHsnWEHeJ0c+3TTBrg= +github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/riandyrn/otelchi v0.12.2 h1:6QhGv0LVw/dwjtPd12mnNrl0oEQF4ZAlmHcnlTYbeAg= github.com/riandyrn/otelchi v0.12.2/go.mod h1:weZZeUJURvtCcbWsdb7Y6F8KFZGedJlSrgUjq9VirV8= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= @@ -1096,8 +1100,8 @@ github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPx github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= -github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= -github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af h1:Sp5TG9f7K39yfB+If0vjp97vuT74F72r8hfRpP8jLU0= +github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/skeema/knownhosts v1.3.0 h1:AM+y0rI04VksttfwjkSTNQorvGqmwATnvnAHpSgc0LY= github.com/skeema/knownhosts v1.3.0/go.mod h1:sPINvnADmT/qYH1kfv+ePMmOBTH6Tbl7b5LvTDjFK7M= github.com/skratchdot/open-golang v0.0.0-20160302144031-75fb7ed4208c/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog= @@ -1124,8 +1128,9 @@ github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb6 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY= github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk= +github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= github.com/spf13/viper v1.7.1/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= @@ -1272,8 +1277,8 @@ go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZF go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 h1:lwI4Dc5leUqENgGuQImwLo4WnuXFPetmPpkLi2IrX54= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0/go.mod h1:Kz/oCE7z5wuyhPxsXDuaPteSWqjSBD5YaSdbxZYGbGk= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0 h1:bDMKF3RUSxshZ5OjOTi8rsHGaPKsAt76FaqgvIUySLc= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0/go.mod h1:dDT67G/IkA46Mr2l9Uj7HsQVwsjASyV9SjGofsiUZDA= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 h1:aTL7F04bJHUlztTsNGJ2l+6he8c+y/b//eR0jjjemT4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0/go.mod h1:kldtb7jDTeol0l3ewcmd8SDvx3EmIE7lyvqbasU3QC4= go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA= go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI= go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E= diff --git a/vendor/github.com/lestrrat-go/dsig-secp256k1/.gitignore b/vendor/github.com/lestrrat-go/dsig-secp256k1/.gitignore new file mode 100644 index 000000000..aaadf736e --- /dev/null +++ b/vendor/github.com/lestrrat-go/dsig-secp256k1/.gitignore @@ -0,0 +1,32 @@ +# If you prefer the allow list template instead of the deny list, see community template: +# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore +# +# Binaries for programs and plugins +*.exe +*.exe~ +*.dll +*.so +*.dylib + +# Test binary, built with `go test -c` +*.test + +# Code coverage profiles and other test artifacts +*.out +coverage.* +*.coverprofile +profile.cov + +# Dependency directories (remove the comment below to include it) +# vendor/ + +# Go workspace file +go.work +go.work.sum + +# env file +.env + +# Editor/IDE +# .idea/ +# .vscode/ diff --git a/vendor/github.com/lestrrat-go/dsig-secp256k1/Changes b/vendor/github.com/lestrrat-go/dsig-secp256k1/Changes new file mode 100644 index 000000000..4dd588a00 --- /dev/null +++ b/vendor/github.com/lestrrat-go/dsig-secp256k1/Changes @@ -0,0 +1,5 @@ +Changes +======= + +v1.0.0 18 Aug 2025 +* Initial release \ No newline at end of file diff --git a/vendor/github.com/lestrrat-go/dsig-secp256k1/LICENSE b/vendor/github.com/lestrrat-go/dsig-secp256k1/LICENSE new file mode 100644 index 000000000..1e1f5d199 --- /dev/null +++ b/vendor/github.com/lestrrat-go/dsig-secp256k1/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2025 lestrrat-go + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/vendor/github.com/lestrrat-go/dsig-secp256k1/secp256k1.go b/vendor/github.com/lestrrat-go/dsig-secp256k1/secp256k1.go new file mode 100644 index 000000000..85650efa1 --- /dev/null +++ b/vendor/github.com/lestrrat-go/dsig-secp256k1/secp256k1.go @@ -0,0 +1,29 @@ +package dsigsecp256k1 + +import ( + "crypto" + + "github.com/decred/dcrd/dcrec/secp256k1/v4" + "github.com/lestrrat-go/dsig" +) + +const ECDSAWithSecp256k1AndSHA256 = "ECDSA_WITH_SECP256K1_AND_SHA256" + +// init adds secp256k1 support when the dsig_secp256k1 build tag is used. +func init() { + // Register ES256K (secp256k1 + SHA256) support using the new API + err := dsig.RegisterAlgorithm(ECDSAWithSecp256k1AndSHA256, dsig.AlgorithmInfo{ + Family: dsig.ECDSA, + Meta: dsig.ECDSAFamilyMeta{ + Hash: crypto.SHA256, + }, + }) + if err != nil { + panic("failed to register secp256k1 algorithm: " + err.Error()) + } +} + +// secp256k1Curve returns the secp256k1 curve. +func Curve() *secp256k1.KoblitzCurve { + return secp256k1.S256() +} diff --git a/vendor/github.com/lestrrat-go/dsig/.gitignore b/vendor/github.com/lestrrat-go/dsig/.gitignore new file mode 100644 index 000000000..aaadf736e --- /dev/null +++ b/vendor/github.com/lestrrat-go/dsig/.gitignore @@ -0,0 +1,32 @@ +# If you prefer the allow list template instead of the deny list, see community template: +# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore +# +# Binaries for programs and plugins +*.exe +*.exe~ +*.dll +*.so +*.dylib + +# Test binary, built with `go test -c` +*.test + +# Code coverage profiles and other test artifacts +*.out +coverage.* +*.coverprofile +profile.cov + +# Dependency directories (remove the comment below to include it) +# vendor/ + +# Go workspace file +go.work +go.work.sum + +# env file +.env + +# Editor/IDE +# .idea/ +# .vscode/ diff --git a/vendor/github.com/lestrrat-go/dsig/Changes b/vendor/github.com/lestrrat-go/dsig/Changes new file mode 100644 index 000000000..bccce9761 --- /dev/null +++ b/vendor/github.com/lestrrat-go/dsig/Changes @@ -0,0 +1,5 @@ +Changes +======= + +v1.0.0 - 18 Aug 2025 +* Initial release \ No newline at end of file diff --git a/vendor/github.com/lestrrat-go/dsig/LICENSE b/vendor/github.com/lestrrat-go/dsig/LICENSE new file mode 100644 index 000000000..1e1f5d199 --- /dev/null +++ b/vendor/github.com/lestrrat-go/dsig/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2025 lestrrat-go + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/vendor/github.com/lestrrat-go/dsig/README.md b/vendor/github.com/lestrrat-go/dsig/README.md new file mode 100644 index 000000000..37c194579 --- /dev/null +++ b/vendor/github.com/lestrrat-go/dsig/README.md @@ -0,0 +1,163 @@ +# github.com/lestrrat-go/dsig [![CI](https://github.com/lestrrat-go/dsig/actions/workflows/ci.yml/badge.svg)](https://github.com/lestrrat-go/dsig/actions/workflows/ci.yml) [![Go Reference](https://pkg.go.dev/badge/github.com/lestrrat-go/dsig.svg)](https://pkg.go.dev/github.com/lestrrat-go/dsig) [![codecov.io](https://codecov.io/github/lestrrat-go/dsig/coverage.svg?branch=v1)](https://codecov.io/github/lestrrat-go/dsig?branch=v1) + +Go module providing low-level digital signature operations. + +While there are many standards for generating and verifying digital signatures, the core operations are virtually the same. This module implements the core functionality of digital signature generation / verifications in a framework agnostic way. + +# Features + +* RSA signatures (PKCS1v15 and PSS) +* ECDSA signatures (P-256, P-384, P-521) +* EdDSA signatures (Ed25519, Ed448) +* HMAC signatures (SHA-256, SHA-384, SHA-512) +* Support for crypto.Signer interface +* Allows for dynamic additions of algorithms in limited cases. + +# SYNOPSIS + + +```go +package examples_test + +import ( + "crypto/ecdsa" + "crypto/ed25519" + "crypto/elliptic" + "crypto/rand" + "crypto/rsa" + "fmt" + + "github.com/lestrrat-go/dsig" +) + +func Example() { + payload := []byte("hello world") + + // RSA signing and verification + { + privKey, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + fmt.Printf("failed to generate RSA key: %s\n", err) + return + } + + // Sign with RSA-PSS SHA256 + signature, err := dsig.Sign(privKey, dsig.RSAPSSWithSHA256, payload, nil) + if err != nil { + fmt.Printf("failed to sign with RSA: %s\n", err) + return + } + + // Verify with RSA-PSS SHA256 + err = dsig.Verify(&privKey.PublicKey, dsig.RSAPSSWithSHA256, payload, signature) + if err != nil { + fmt.Printf("failed to verify RSA signature: %s\n", err) + return + } + } + + // ECDSA signing and verification + { + privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + fmt.Printf("failed to generate ECDSA key: %s\n", err) + return + } + + // Sign with ECDSA P-256 SHA256 + signature, err := dsig.Sign(privKey, dsig.ECDSAWithP256AndSHA256, payload, nil) + if err != nil { + fmt.Printf("failed to sign with ECDSA: %s\n", err) + return + } + + // Verify with ECDSA P-256 SHA256 + err = dsig.Verify(&privKey.PublicKey, dsig.ECDSAWithP256AndSHA256, payload, signature) + if err != nil { + fmt.Printf("failed to verify ECDSA signature: %s\n", err) + return + } + } + + // EdDSA signing and verification + { + pubKey, privKey, err := ed25519.GenerateKey(rand.Reader) + if err != nil { + fmt.Printf("failed to generate Ed25519 key: %s\n", err) + return + } + + // Sign with EdDSA + signature, err := dsig.Sign(privKey, dsig.EdDSA, payload, nil) + if err != nil { + fmt.Printf("failed to sign with EdDSA: %s\n", err) + return + } + + // Verify with EdDSA + err = dsig.Verify(pubKey, dsig.EdDSA, payload, signature) + if err != nil { + fmt.Printf("failed to verify EdDSA signature: %s\n", err) + return + } + } + + // HMAC signing and verification + { + key := []byte("secret-key") + + // Sign with HMAC SHA256 + signature, err := dsig.Sign(key, dsig.HMACWithSHA256, payload, nil) + if err != nil { + fmt.Printf("failed to sign with HMAC: %s\n", err) + return + } + + // Verify with HMAC SHA256 + err = dsig.Verify(key, dsig.HMACWithSHA256, payload, signature) + if err != nil { + fmt.Printf("failed to verify HMAC signature: %s\n", err) + return + } + } + // OUTPUT: +} +``` +source: [examples/dsig_readme_example_test.go](https://github.com/lestrrat-go/dsig/blob/v1/examples/dsig_readme_example_test.go) + + +# Supported Algorithms + +| Constant | Algorithm | Key Type | +|----------|-----------|----------| +| `HMACWithSHA256` | HMAC using SHA-256 | []byte | +| `HMACWithSHA384` | HMAC using SHA-384 | []byte | +| `HMACWithSHA512` | HMAC using SHA-512 | []byte | +| `RSAPKCS1v15WithSHA256` | RSA PKCS#1 v1.5 using SHA-256 | *rsa.PrivateKey / *rsa.PublicKey | +| `RSAPKCS1v15WithSHA384` | RSA PKCS#1 v1.5 using SHA-384 | *rsa.PrivateKey / *rsa.PublicKey | +| `RSAPKCS1v15WithSHA512` | RSA PKCS#1 v1.5 using SHA-512 | *rsa.PrivateKey / *rsa.PublicKey | +| `RSAPSSWithSHA256` | RSA PSS using SHA-256 | *rsa.PrivateKey / *rsa.PublicKey | +| `RSAPSSWithSHA384` | RSA PSS using SHA-384 | *rsa.PrivateKey / *rsa.PublicKey | +| `RSAPSSWithSHA512` | RSA PSS using SHA-512 | *rsa.PrivateKey / *rsa.PublicKey | +| `ECDSAWithP256AndSHA256` | ECDSA using P-256 and SHA-256 | *ecdsa.PrivateKey / *ecdsa.PublicKey | +| `ECDSAWithP384AndSHA384` | ECDSA using P-384 and SHA-384 | *ecdsa.PrivateKey / *ecdsa.PublicKey | +| `ECDSAWithP521AndSHA512` | ECDSA using P-521 and SHA-512 | *ecdsa.PrivateKey / *ecdsa.PublicKey | +| `EdDSA` | EdDSA using Ed25519 or Ed448 | ed25519.PrivateKey / ed25519.PublicKey | + +# Description + +This library provides low-level digital signature operations. It does minimal parameter validation for performance, uses strongly typed APIs, and has minimal dependencies. + +# Contributions + +## Issues + +For bug reports and feature requests, please include failing tests when possible. + +## Pull Requests + +Please include tests that exercise your changes. + +# Related Libraries + +* [github.com/lestrrat-go/jwx](https://github.com/lestrrat-go/jwx) - JOSE (JWA/JWE/JWK/JWS/JWT) implementation \ No newline at end of file diff --git a/vendor/github.com/lestrrat-go/dsig/algorithms.go b/vendor/github.com/lestrrat-go/dsig/algorithms.go new file mode 100644 index 000000000..0895c6476 --- /dev/null +++ b/vendor/github.com/lestrrat-go/dsig/algorithms.go @@ -0,0 +1,37 @@ +package dsig + +// This file defines verbose algorithm name constants that can be mapped to by +// different standards (RFC7518, FIDO, etc.) for interoperability. +// +// The algorithm names are intentionally verbose to avoid any ambiguity about +// the exact cryptographic operations being performed. + +const ( + // HMAC signature algorithms + // These use Hash-based Message Authentication Code with specified hash functions + HMACWithSHA256 = "HMAC_WITH_SHA256" + HMACWithSHA384 = "HMAC_WITH_SHA384" + HMACWithSHA512 = "HMAC_WITH_SHA512" + + // RSA signature algorithms with PKCS#1 v1.5 padding + // These use RSA signatures with PKCS#1 v1.5 padding and specified hash functions + RSAPKCS1v15WithSHA256 = "RSA_PKCS1v15_WITH_SHA256" + RSAPKCS1v15WithSHA384 = "RSA_PKCS1v15_WITH_SHA384" + RSAPKCS1v15WithSHA512 = "RSA_PKCS1v15_WITH_SHA512" + + // RSA signature algorithms with PSS padding + // These use RSA signatures with Probabilistic Signature Scheme (PSS) padding + RSAPSSWithSHA256 = "RSA_PSS_WITH_SHA256" + RSAPSSWithSHA384 = "RSA_PSS_WITH_SHA384" + RSAPSSWithSHA512 = "RSA_PSS_WITH_SHA512" + + // ECDSA signature algorithms + // These use Elliptic Curve Digital Signature Algorithm with specified curves and hash functions + ECDSAWithP256AndSHA256 = "ECDSA_WITH_P256_AND_SHA256" + ECDSAWithP384AndSHA384 = "ECDSA_WITH_P384_AND_SHA384" + ECDSAWithP521AndSHA512 = "ECDSA_WITH_P521_AND_SHA512" + + // EdDSA signature algorithms + // These use Edwards-curve Digital Signature Algorithm (supports Ed25519 and Ed448) + EdDSA = "EDDSA" +) \ No newline at end of file diff --git a/vendor/github.com/lestrrat-go/dsig/crypto_signer.go b/vendor/github.com/lestrrat-go/dsig/crypto_signer.go new file mode 100644 index 000000000..f81666708 --- /dev/null +++ b/vendor/github.com/lestrrat-go/dsig/crypto_signer.go @@ -0,0 +1,45 @@ +package dsig + +import ( + "crypto" + "crypto/rand" + "fmt" + "io" +) + +// cryptosign is a low-level function that signs a payload using a crypto.Signer. +// If hash is crypto.Hash(0), the payload is signed directly without hashing. +// Otherwise, the payload is hashed using the specified hash function before signing. +// +// rr is an io.Reader that provides randomness for signing. If rr is nil, it defaults to rand.Reader. +func cryptosign(signer crypto.Signer, payload []byte, hash crypto.Hash, opts crypto.SignerOpts, rr io.Reader) ([]byte, error) { + if rr == nil { + rr = rand.Reader + } + + var digest []byte + if hash == crypto.Hash(0) { + digest = payload + } else { + h := hash.New() + if _, err := h.Write(payload); err != nil { + return nil, fmt.Errorf(`failed to write payload to hash: %w`, err) + } + digest = h.Sum(nil) + } + return signer.Sign(rr, digest, opts) +} + +// SignCryptoSigner generates a signature using a crypto.Signer interface. +// This function can be used for hardware security modules, smart cards, +// and other implementations of the crypto.Signer interface. +// +// rr is an io.Reader that provides randomness for signing. If rr is nil, it defaults to rand.Reader. +// +// Returns the signature bytes or an error if signing fails. +func SignCryptoSigner(signer crypto.Signer, raw []byte, h crypto.Hash, opts crypto.SignerOpts, rr io.Reader) ([]byte, error) { + if signer == nil { + return nil, fmt.Errorf("dsig.SignCryptoSigner: signer is nil") + } + return cryptosign(signer, raw, h, opts, rr) +} diff --git a/vendor/github.com/lestrrat-go/dsig/dsig.go b/vendor/github.com/lestrrat-go/dsig/dsig.go new file mode 100644 index 000000000..de6cbdec4 --- /dev/null +++ b/vendor/github.com/lestrrat-go/dsig/dsig.go @@ -0,0 +1,224 @@ +// Package dsig provides digital signature operations for Go. +// It contains low-level signature generation and verification tools that +// can be used by other signing libraries +// +// The package follows these design principles: +// 1. Does minimal checking of input parameters (for performance); callers need to ensure that the parameters are valid. +// 2. All exported functions are strongly typed (i.e. they do not take `any` types unless they absolutely have to). +// 3. Does not rely on other high-level packages (standalone, except for internal packages). +package dsig + +import ( + "crypto" + "crypto/sha256" + "crypto/sha512" + "fmt" + "hash" + "sync" +) + +// Family represents the cryptographic algorithm family +type Family int + +const ( + InvalidFamily Family = iota + HMAC + RSA + ECDSA + EdDSAFamily + maxFamily +) + +// String returns the string representation of the Family +func (f Family) String() string { + switch f { + case HMAC: + return "HMAC" + case RSA: + return "RSA" + case ECDSA: + return "ECDSA" + case EdDSAFamily: + return "EdDSA" + default: + return "InvalidFamily" + } +} + +// AlgorithmInfo contains metadata about a digital signature algorithm +type AlgorithmInfo struct { + Family Family // The cryptographic family (HMAC, RSA, ECDSA, EdDSA) + Meta any // Family-specific metadata +} + +// HMACFamilyMeta contains metadata specific to HMAC algorithms +type HMACFamilyMeta struct { + HashFunc func() hash.Hash // Hash function constructor +} + +// RSAFamilyMeta contains metadata specific to RSA algorithms +type RSAFamilyMeta struct { + Hash crypto.Hash // Hash algorithm + PSS bool // Whether to use PSS padding (false = PKCS#1 v1.5) +} + +// ECDSAFamilyMeta contains metadata specific to ECDSA algorithms +type ECDSAFamilyMeta struct { + Hash crypto.Hash // Hash algorithm +} + +// EdDSAFamilyMeta contains metadata specific to EdDSA algorithms +// Currently EdDSA doesn't need specific metadata, but this provides extensibility +type EdDSAFamilyMeta struct { + // Reserved for future use +} + +var algorithms = make(map[string]AlgorithmInfo) +var muAlgorithms sync.RWMutex + +// RegisterAlgorithm registers a new digital signature algorithm with the specified family and metadata. +// +// info.Meta should contain extra metadata for some algorithms. Currently HMAC, RSA, +// and ECDSA family of algorithms need their respective metadata (HMACFamilyMeta, +// RSAFamilyMeta, and ECDSAFamilyMeta). Metadata for other families are ignored. +func RegisterAlgorithm(name string, info AlgorithmInfo) error { + muAlgorithms.Lock() + defer muAlgorithms.Unlock() + + // Validate the metadata matches the family + switch info.Family { + case HMAC: + if _, ok := info.Meta.(HMACFamilyMeta); !ok { + return fmt.Errorf("invalid HMAC metadata for algorithm %s", name) + } + case RSA: + if _, ok := info.Meta.(RSAFamilyMeta); !ok { + return fmt.Errorf("invalid RSA metadata for algorithm %s", name) + } + case ECDSA: + if _, ok := info.Meta.(ECDSAFamilyMeta); !ok { + return fmt.Errorf("invalid ECDSA metadata for algorithm %s", name) + } + case EdDSAFamily: + // EdDSA metadata is optional for now + default: + return fmt.Errorf("unsupported algorithm family %s for algorithm %s", info.Family, name) + } + + algorithms[name] = info + return nil +} + +// GetAlgorithmInfo retrieves the algorithm information for a given algorithm name. +// Returns the info and true if found, zero value and false if not found. +func GetAlgorithmInfo(name string) (AlgorithmInfo, bool) { + muAlgorithms.RLock() + defer muAlgorithms.RUnlock() + + info, ok := algorithms[name] + return info, ok +} + +func init() { + // Register all standard algorithms with their metadata + toRegister := map[string]AlgorithmInfo{ + // HMAC algorithms + HMACWithSHA256: { + Family: HMAC, + Meta: HMACFamilyMeta{ + HashFunc: sha256.New, + }, + }, + HMACWithSHA384: { + Family: HMAC, + Meta: HMACFamilyMeta{ + HashFunc: sha512.New384, + }, + }, + HMACWithSHA512: { + Family: HMAC, + Meta: HMACFamilyMeta{ + HashFunc: sha512.New, + }, + }, + + // RSA PKCS#1 v1.5 algorithms + RSAPKCS1v15WithSHA256: { + Family: RSA, + Meta: RSAFamilyMeta{ + Hash: crypto.SHA256, + PSS: false, + }, + }, + RSAPKCS1v15WithSHA384: { + Family: RSA, + Meta: RSAFamilyMeta{ + Hash: crypto.SHA384, + PSS: false, + }, + }, + RSAPKCS1v15WithSHA512: { + Family: RSA, + Meta: RSAFamilyMeta{ + Hash: crypto.SHA512, + PSS: false, + }, + }, + + // RSA PSS algorithms + RSAPSSWithSHA256: { + Family: RSA, + Meta: RSAFamilyMeta{ + Hash: crypto.SHA256, + PSS: true, + }, + }, + RSAPSSWithSHA384: { + Family: RSA, + Meta: RSAFamilyMeta{ + Hash: crypto.SHA384, + PSS: true, + }, + }, + RSAPSSWithSHA512: { + Family: RSA, + Meta: RSAFamilyMeta{ + Hash: crypto.SHA512, + PSS: true, + }, + }, + + // ECDSA algorithms + ECDSAWithP256AndSHA256: { + Family: ECDSA, + Meta: ECDSAFamilyMeta{ + Hash: crypto.SHA256, + }, + }, + ECDSAWithP384AndSHA384: { + Family: ECDSA, + Meta: ECDSAFamilyMeta{ + Hash: crypto.SHA384, + }, + }, + ECDSAWithP521AndSHA512: { + Family: ECDSA, + Meta: ECDSAFamilyMeta{ + Hash: crypto.SHA512, + }, + }, + + // EdDSA algorithm + EdDSA: { + Family: EdDSAFamily, + Meta: EdDSAFamilyMeta{}, + }, + } + + for name, info := range toRegister { + if err := RegisterAlgorithm(name, info); err != nil { + panic(fmt.Sprintf("failed to register algorithm %s: %v", name, err)) + } + } +} + diff --git a/vendor/github.com/lestrrat-go/dsig/ecdsa.go b/vendor/github.com/lestrrat-go/dsig/ecdsa.go new file mode 100644 index 000000000..a04a26691 --- /dev/null +++ b/vendor/github.com/lestrrat-go/dsig/ecdsa.go @@ -0,0 +1,200 @@ +package dsig + +import ( + "crypto" + "crypto/ecdsa" + "crypto/rand" + "encoding/asn1" + "fmt" + "io" + "math/big" + + "github.com/lestrrat-go/dsig/internal/ecutil" +) + + +func ecdsaGetSignerKey(key any) (*ecdsa.PrivateKey, crypto.Signer, bool, error) { + cs, isCryptoSigner := key.(crypto.Signer) + if isCryptoSigner { + if !isValidECDSAKey(key) { + return nil, nil, false, fmt.Errorf(`invalid key type %T for ECDSA algorithm`, key) + } + + switch key.(type) { + case ecdsa.PrivateKey, *ecdsa.PrivateKey: + // if it's ecdsa.PrivateKey, it's more efficient to + // go through the non-crypto.Signer route. Set isCryptoSigner to false + isCryptoSigner = false + } + } + + if isCryptoSigner { + return nil, cs, true, nil + } + + privkey, ok := key.(*ecdsa.PrivateKey) + if !ok { + return nil, nil, false, fmt.Errorf(`invalid key type %T. *ecdsa.PrivateKey is required`, key) + } + return privkey, nil, false, nil +} + +// UnpackASN1ECDSASignature unpacks an ASN.1 encoded ECDSA signature into r and s values. +// This is typically used when working with crypto.Signer interfaces that return ASN.1 encoded signatures. +func UnpackASN1ECDSASignature(signed []byte, r, s *big.Int) error { + // Okay, this is silly, but hear me out. When we use the + // crypto.Signer interface, the PrivateKey is hidden. + // But we need some information about the key (its bit size). + // + // So while silly, we're going to have to make another call + // here and fetch the Public key. + // (This probably means that this information should be cached somewhere) + var p struct { + R *big.Int // TODO: get this from a pool? + S *big.Int + } + if _, err := asn1.Unmarshal(signed, &p); err != nil { + return fmt.Errorf(`failed to unmarshal ASN1 encoded signature: %w`, err) + } + + r.Set(p.R) + s.Set(p.S) + return nil +} + +// UnpackECDSASignature unpacks a JWS-format ECDSA signature into r and s values. +// The signature should be in the format specified by RFC 7515 (r||s as fixed-length byte arrays). +func UnpackECDSASignature(signature []byte, pubkey *ecdsa.PublicKey, r, s *big.Int) error { + keySize := ecutil.CalculateKeySize(pubkey.Curve) + if len(signature) != keySize*2 { + return fmt.Errorf(`invalid signature length for curve %q`, pubkey.Curve.Params().Name) + } + + r.SetBytes(signature[:keySize]) + s.SetBytes(signature[keySize:]) + + return nil +} + +// PackECDSASignature packs the r and s values from an ECDSA signature into a JWS-format byte slice. +// The output format follows RFC 7515: r||s as fixed-length byte arrays. +func PackECDSASignature(r *big.Int, sbig *big.Int, curveBits int) ([]byte, error) { + keyBytes := curveBits / 8 + if curveBits%8 > 0 { + keyBytes++ + } + + // Serialize r and s into fixed-length bytes + rBytes := r.Bytes() + rBytesPadded := make([]byte, keyBytes) + copy(rBytesPadded[keyBytes-len(rBytes):], rBytes) + + sBytes := sbig.Bytes() + sBytesPadded := make([]byte, keyBytes) + copy(sBytesPadded[keyBytes-len(sBytes):], sBytes) + + // Output as r||s + return append(rBytesPadded, sBytesPadded...), nil +} + +// SignECDSA generates an ECDSA signature for the given payload using the specified private key and hash. +// The raw parameter should be the pre-computed signing input (typically header.payload). +// +// rr is an io.Reader that provides randomness for signing. if rr is nil, it defaults to rand.Reader. +func SignECDSA(key *ecdsa.PrivateKey, payload []byte, h crypto.Hash, rr io.Reader) ([]byte, error) { + if !isValidECDSAKey(key) { + return nil, fmt.Errorf(`invalid key type %T for ECDSA algorithm`, key) + } + hh := h.New() + if _, err := hh.Write(payload); err != nil { + return nil, fmt.Errorf(`failed to write payload using ecdsa: %w`, err) + } + digest := hh.Sum(nil) + + if rr == nil { + rr = rand.Reader + } + + // Sign and get r, s values + r, s, err := ecdsa.Sign(rr, key, digest) + if err != nil { + return nil, fmt.Errorf(`failed to sign payload using ecdsa: %w`, err) + } + + return PackECDSASignature(r, s, key.Curve.Params().BitSize) +} + +// SignECDSACryptoSigner generates an ECDSA signature using a crypto.Signer interface. +// This function works with hardware security modules and other crypto.Signer implementations. +// The signature is converted from ASN.1 format to JWS format (r||s). +// +// rr is an io.Reader that provides randomness for signing. If rr is nil, it defaults to rand.Reader. +func SignECDSACryptoSigner(signer crypto.Signer, raw []byte, h crypto.Hash, rr io.Reader) ([]byte, error) { + signed, err := SignCryptoSigner(signer, raw, h, h, rr) + if err != nil { + return nil, fmt.Errorf(`failed to sign payload using crypto.Signer: %w`, err) + } + + return signECDSACryptoSigner(signer, signed) +} + +func signECDSACryptoSigner(signer crypto.Signer, signed []byte) ([]byte, error) { + cpub := signer.Public() + pubkey, ok := cpub.(*ecdsa.PublicKey) + if !ok { + return nil, fmt.Errorf(`expected *ecdsa.PublicKey, got %T`, pubkey) + } + curveBits := pubkey.Curve.Params().BitSize + + var r, s big.Int + if err := UnpackASN1ECDSASignature(signed, &r, &s); err != nil { + return nil, fmt.Errorf(`failed to unpack ASN1 encoded signature: %w`, err) + } + + return PackECDSASignature(&r, &s, curveBits) +} + +func ecdsaVerify(key *ecdsa.PublicKey, buf []byte, h crypto.Hash, r, s *big.Int) error { + hasher := h.New() + hasher.Write(buf) + digest := hasher.Sum(nil) + if !ecdsa.Verify(key, digest, r, s) { + return NewVerificationError("invalid ECDSA signature") + } + return nil +} + +// VerifyECDSA verifies an ECDSA signature for the given payload. +// This function verifies the signature using the specified public key and hash algorithm. +// The payload parameter should be the pre-computed signing input (typically header.payload). +func VerifyECDSA(key *ecdsa.PublicKey, payload, signature []byte, h crypto.Hash) error { + var r, s big.Int + if err := UnpackECDSASignature(signature, key, &r, &s); err != nil { + return fmt.Errorf("dsig.VerifyECDSA: failed to unpack ECDSA signature: %w", err) + } + + return ecdsaVerify(key, payload, h, &r, &s) +} + +// VerifyECDSACryptoSigner verifies an ECDSA signature for crypto.Signer implementations. +// This function is useful for verifying signatures created by hardware security modules +// or other implementations of the crypto.Signer interface. +// The payload parameter should be the pre-computed signing input (typically header.payload). +func VerifyECDSACryptoSigner(signer crypto.Signer, payload, signature []byte, h crypto.Hash) error { + var pubkey *ecdsa.PublicKey + switch cpub := signer.Public(); cpub := cpub.(type) { + case ecdsa.PublicKey: + pubkey = &cpub + case *ecdsa.PublicKey: + pubkey = cpub + default: + return fmt.Errorf(`dsig.VerifyECDSACryptoSigner: expected *ecdsa.PublicKey, got %T`, cpub) + } + + var r, s big.Int + if err := UnpackECDSASignature(signature, pubkey, &r, &s); err != nil { + return fmt.Errorf("dsig.VerifyECDSACryptoSigner: failed to unpack ASN.1 encoded ECDSA signature: %w", err) + } + + return ecdsaVerify(pubkey, payload, h, &r, &s) +} diff --git a/vendor/github.com/lestrrat-go/dsig/eddsa.go b/vendor/github.com/lestrrat-go/dsig/eddsa.go new file mode 100644 index 000000000..6562da37b --- /dev/null +++ b/vendor/github.com/lestrrat-go/dsig/eddsa.go @@ -0,0 +1,44 @@ +package dsig + +import ( + "crypto" + "crypto/ed25519" + "fmt" +) + +func eddsaGetSigner(key any) (crypto.Signer, error) { + // The ed25519.PrivateKey object implements crypto.Signer, so we should + // simply accept a crypto.Signer here. + signer, ok := key.(crypto.Signer) + if ok { + if !isValidEDDSAKey(key) { + return nil, fmt.Errorf(`invalid key type %T for EdDSA algorithm`, key) + } + return signer, nil + } + + // This fallback exists for cases when users give us a pointer instead of non-pointer, etc. + privkey, ok := key.(ed25519.PrivateKey) + if !ok { + return nil, fmt.Errorf(`failed to retrieve ed25519.PrivateKey out of %T`, key) + } + return privkey, nil +} + +// SignEdDSA generates an EdDSA (Ed25519) signature for the given payload. +// The raw parameter should be the pre-computed signing input (typically header.payload). +// EdDSA is deterministic and doesn't require additional hashing of the input. +func SignEdDSA(key ed25519.PrivateKey, payload []byte) ([]byte, error) { + return ed25519.Sign(key, payload), nil +} + +// VerifyEdDSA verifies an EdDSA (Ed25519) signature for the given payload. +// This function verifies the signature using Ed25519 verification algorithm. +// The payload parameter should be the pre-computed signing input (typically header.payload). +// EdDSA is deterministic and provides strong security guarantees without requiring hash function selection. +func VerifyEdDSA(key ed25519.PublicKey, payload, signature []byte) error { + if !ed25519.Verify(key, payload, signature) { + return fmt.Errorf("invalid EdDSA signature") + } + return nil +} diff --git a/vendor/github.com/lestrrat-go/dsig/hmac.go b/vendor/github.com/lestrrat-go/dsig/hmac.go new file mode 100644 index 000000000..8b2612279 --- /dev/null +++ b/vendor/github.com/lestrrat-go/dsig/hmac.go @@ -0,0 +1,45 @@ +package dsig + +import ( + "crypto/hmac" + "fmt" + "hash" +) + +func toHMACKey(dst *[]byte, key any) error { + keyBytes, ok := key.([]byte) + if !ok { + return fmt.Errorf(`dsig.toHMACKey: invalid key type %T. []byte is required`, key) + } + + if len(keyBytes) == 0 { + return fmt.Errorf(`dsig.toHMACKey: missing key while signing payload`) + } + + *dst = keyBytes + return nil +} + +// SignHMAC generates an HMAC signature for the given payload using the specified hash function and key. +// The raw parameter should be the pre-computed signing input (typically header.payload). +func SignHMAC(key, payload []byte, hfunc func() hash.Hash) ([]byte, error) { + h := hmac.New(hfunc, key) + if _, err := h.Write(payload); err != nil { + return nil, fmt.Errorf(`failed to write payload using hmac: %w`, err) + } + return h.Sum(nil), nil +} + +// VerifyHMAC verifies an HMAC signature for the given payload. +// This function verifies the signature using the specified key and hash function. +// The payload parameter should be the pre-computed signing input (typically header.payload). +func VerifyHMAC(key, payload, signature []byte, hfunc func() hash.Hash) error { + expected, err := SignHMAC(key, payload, hfunc) + if err != nil { + return fmt.Errorf("failed to sign payload for verification: %w", err) + } + if !hmac.Equal(signature, expected) { + return NewVerificationError("invalid HMAC signature") + } + return nil +} diff --git a/vendor/github.com/lestrrat-go/dsig/internal/ecutil/ecutil.go b/vendor/github.com/lestrrat-go/dsig/internal/ecutil/ecutil.go new file mode 100644 index 000000000..cf0bd4ac4 --- /dev/null +++ b/vendor/github.com/lestrrat-go/dsig/internal/ecutil/ecutil.go @@ -0,0 +1,76 @@ +// Package ecutil defines tools that help with elliptic curve related +// computation +package ecutil + +import ( + "crypto/elliptic" + "math/big" + "sync" +) + +const ( + // size of buffer that needs to be allocated for EC521 curve + ec521BufferSize = 66 // (521 / 8) + 1 +) + +var ecpointBufferPool = sync.Pool{ + New: func() any { + // In most cases the curve bit size will be less than this length + // so allocate the maximum, and keep reusing + buf := make([]byte, 0, ec521BufferSize) + return &buf + }, +} + +func getCrvFixedBuffer(size int) []byte { + //nolint:forcetypeassert + buf := *(ecpointBufferPool.Get().(*[]byte)) + if size > ec521BufferSize && cap(buf) < size { + buf = append(buf, make([]byte, size-cap(buf))...) + } + return buf[:size] +} + +// ReleaseECPointBuffer releases the []byte buffer allocated. +func ReleaseECPointBuffer(buf []byte) { + buf = buf[:cap(buf)] + buf[0] = 0x0 + for i := 1; i < len(buf); i *= 2 { + copy(buf[i:], buf[:i]) + } + buf = buf[:0] + ecpointBufferPool.Put(&buf) +} + +func CalculateKeySize(crv elliptic.Curve) int { + // We need to create a buffer that fits the entire curve. + // If the curve size is 66, that fits in 9 bytes. If the curve + // size is 64, it fits in 8 bytes. + bits := crv.Params().BitSize + + // For most common cases we know before hand what the byte length + // is going to be. optimize + var inBytes int + switch bits { + case 224, 256, 384: // TODO: use constant? + inBytes = bits / 8 + case 521: + inBytes = ec521BufferSize + default: + inBytes = bits / 8 + if (bits % 8) != 0 { + inBytes++ + } + } + + return inBytes +} + +// AllocECPointBuffer allocates a buffer for the given point in the given +// curve. This buffer should be released using the ReleaseECPointBuffer +// function. +func AllocECPointBuffer(v *big.Int, crv elliptic.Curve) []byte { + buf := getCrvFixedBuffer(CalculateKeySize(crv)) + v.FillBytes(buf) + return buf +} diff --git a/vendor/github.com/lestrrat-go/dsig/rsa.go b/vendor/github.com/lestrrat-go/dsig/rsa.go new file mode 100644 index 000000000..a339fe5b7 --- /dev/null +++ b/vendor/github.com/lestrrat-go/dsig/rsa.go @@ -0,0 +1,63 @@ +package dsig + +import ( + "crypto" + "crypto/rsa" + "fmt" + "io" +) + +func rsaGetSignerCryptoSignerKey(key any) (crypto.Signer, bool, error) { + if !isValidRSAKey(key) { + return nil, false, fmt.Errorf(`invalid key type %T for RSA algorithm`, key) + } + cs, isCryptoSigner := key.(crypto.Signer) + if isCryptoSigner { + return cs, true, nil + } + return nil, false, nil +} + +// rsaPSSOptions returns the PSS options for RSA-PSS signatures with the specified hash. +// The salt length is set to equal the hash length as per RFC 7518. +func rsaPSSOptions(h crypto.Hash) rsa.PSSOptions { + return rsa.PSSOptions{ + Hash: h, + SaltLength: rsa.PSSSaltLengthEqualsHash, + } +} + +// SignRSA generates an RSA signature for the given payload using the specified private key and options. +// The raw parameter should be the pre-computed signing input (typically header.payload). +// If pss is true, RSA-PSS is used; otherwise, PKCS#1 v1.5 is used. +// +// The rr parameter is an optional io.Reader that can be used to provide randomness for signing. +// If rr is nil, it defaults to rand.Reader. +func SignRSA(key *rsa.PrivateKey, payload []byte, h crypto.Hash, pss bool, rr io.Reader) ([]byte, error) { + if !isValidRSAKey(key) { + return nil, fmt.Errorf(`invalid key type %T for RSA algorithm`, key) + } + var opts crypto.SignerOpts = h + if pss { + rsaopts := rsaPSSOptions(h) + opts = &rsaopts + } + return cryptosign(key, payload, h, opts, rr) +} + +// VerifyRSA verifies an RSA signature for the given payload and header. +// This function constructs the signing input by encoding the header and payload according to JWS specification, +// then verifies the signature using the specified public key and hash algorithm. +// If pss is true, RSA-PSS verification is used; otherwise, PKCS#1 v1.5 verification is used. +func VerifyRSA(key *rsa.PublicKey, payload, signature []byte, h crypto.Hash, pss bool) error { + if !isValidRSAKey(key) { + return fmt.Errorf(`invalid key type %T for RSA algorithm`, key) + } + hasher := h.New() + hasher.Write(payload) + digest := hasher.Sum(nil) + if pss { + return rsa.VerifyPSS(key, h, digest, signature, &rsa.PSSOptions{Hash: h, SaltLength: rsa.PSSSaltLengthEqualsHash}) + } + return rsa.VerifyPKCS1v15(key, h, digest, signature) +} diff --git a/vendor/github.com/lestrrat-go/dsig/sign.go b/vendor/github.com/lestrrat-go/dsig/sign.go new file mode 100644 index 000000000..e2a6bde29 --- /dev/null +++ b/vendor/github.com/lestrrat-go/dsig/sign.go @@ -0,0 +1,100 @@ +package dsig + +import ( + "crypto" + "crypto/rsa" + "fmt" + "io" +) + +// Sign generates a digital signature using the specified key and algorithm. +// +// This function loads the signer registered in the dsig package _ONLY_. +// It does not support custom signers that the user might have registered. +// +// rr is an io.Reader that provides randomness for signing. If rr is nil, it defaults to rand.Reader. +// Not all algorithms require this parameter, but it is included for consistency. +// 99% of the time, you can pass nil for rr, and it will work fine. +func Sign(key any, alg string, payload []byte, rr io.Reader) ([]byte, error) { + info, ok := GetAlgorithmInfo(alg) + if !ok { + return nil, fmt.Errorf(`dsig.Sign: unsupported signature algorithm %q`, alg) + } + + switch info.Family { + case HMAC: + return dispatchHMACSign(key, info, payload) + case RSA: + return dispatchRSASign(key, info, payload, rr) + case ECDSA: + return dispatchECDSASign(key, info, payload, rr) + case EdDSAFamily: + return dispatchEdDSASign(key, info, payload, rr) + default: + return nil, fmt.Errorf(`dsig.Sign: unsupported signature family %q`, info.Family) + } +} + +func dispatchHMACSign(key any, info AlgorithmInfo, payload []byte) ([]byte, error) { + meta, ok := info.Meta.(HMACFamilyMeta) + if !ok { + return nil, fmt.Errorf(`dsig.Sign: invalid HMAC metadata`) + } + + var hmackey []byte + if err := toHMACKey(&hmackey, key); err != nil { + return nil, fmt.Errorf(`dsig.Sign: %w`, err) + } + return SignHMAC(hmackey, payload, meta.HashFunc) +} + +func dispatchRSASign(key any, info AlgorithmInfo, payload []byte, rr io.Reader) ([]byte, error) { + meta, ok := info.Meta.(RSAFamilyMeta) + if !ok { + return nil, fmt.Errorf(`dsig.Sign: invalid RSA metadata`) + } + + cs, isCryptoSigner, err := rsaGetSignerCryptoSignerKey(key) + if err != nil { + return nil, fmt.Errorf(`dsig.Sign: %w`, err) + } + if isCryptoSigner { + var options crypto.SignerOpts = meta.Hash + if meta.PSS { + rsaopts := rsaPSSOptions(meta.Hash) + options = &rsaopts + } + return SignCryptoSigner(cs, payload, meta.Hash, options, rr) + } + + privkey, ok := key.(*rsa.PrivateKey) + if !ok { + return nil, fmt.Errorf(`dsig.Sign: invalid key type %T. *rsa.PrivateKey is required`, key) + } + return SignRSA(privkey, payload, meta.Hash, meta.PSS, rr) +} + +func dispatchEdDSASign(key any, _ AlgorithmInfo, payload []byte, rr io.Reader) ([]byte, error) { + signer, err := eddsaGetSigner(key) + if err != nil { + return nil, fmt.Errorf(`dsig.Sign: %w`, err) + } + + return SignCryptoSigner(signer, payload, crypto.Hash(0), crypto.Hash(0), rr) +} + +func dispatchECDSASign(key any, info AlgorithmInfo, payload []byte, rr io.Reader) ([]byte, error) { + meta, ok := info.Meta.(ECDSAFamilyMeta) + if !ok { + return nil, fmt.Errorf(`dsig.Sign: invalid ECDSA metadata`) + } + + privkey, cs, isCryptoSigner, err := ecdsaGetSignerKey(key) + if err != nil { + return nil, fmt.Errorf(`dsig.Sign: %w`, err) + } + if isCryptoSigner { + return SignECDSACryptoSigner(cs, payload, meta.Hash, rr) + } + return SignECDSA(privkey, payload, meta.Hash, rr) +} diff --git a/vendor/github.com/lestrrat-go/dsig/validation.go b/vendor/github.com/lestrrat-go/dsig/validation.go new file mode 100644 index 000000000..17682d853 --- /dev/null +++ b/vendor/github.com/lestrrat-go/dsig/validation.go @@ -0,0 +1,66 @@ +package dsig + +import ( + "crypto/ecdsa" + "crypto/ed25519" + "crypto/rsa" +) + +// isValidRSAKey validates that the provided key type is appropriate for RSA algorithms. +// It returns false if the key is clearly incompatible (e.g., ECDSA or EdDSA keys). +func isValidRSAKey(key any) bool { + switch key.(type) { + case + ecdsa.PrivateKey, *ecdsa.PrivateKey, + ed25519.PrivateKey: + // these are NOT ok for RSA algorithms + return false + } + return true +} + +// isValidECDSAKey validates that the provided key type is appropriate for ECDSA algorithms. +// It returns false if the key is clearly incompatible (e.g., RSA or EdDSA keys). +func isValidECDSAKey(key any) bool { + switch key.(type) { + case + ed25519.PrivateKey, + rsa.PrivateKey, *rsa.PrivateKey: + // these are NOT ok for ECDSA algorithms + return false + } + return true +} + +// isValidEDDSAKey validates that the provided key type is appropriate for EdDSA algorithms. +// It returns false if the key is clearly incompatible (e.g., RSA or ECDSA keys). +func isValidEDDSAKey(key any) bool { + switch key.(type) { + case + ecdsa.PrivateKey, *ecdsa.PrivateKey, + rsa.PrivateKey, *rsa.PrivateKey: + // these are NOT ok for EdDSA algorithms + return false + } + return true +} + +// VerificationError represents an error that occurred during signature verification. +type VerificationError struct { + message string +} + +func (e *VerificationError) Error() string { + return e.message +} + +// NewVerificationError creates a new verification error with the given message. +func NewVerificationError(message string) error { + return &VerificationError{message: message} +} + +// IsVerificationError checks if the given error is a verification error. +func IsVerificationError(err error) bool { + _, ok := err.(*VerificationError) + return ok +} diff --git a/vendor/github.com/lestrrat-go/dsig/verify.go b/vendor/github.com/lestrrat-go/dsig/verify.go new file mode 100644 index 000000000..86085b0a3 --- /dev/null +++ b/vendor/github.com/lestrrat-go/dsig/verify.go @@ -0,0 +1,134 @@ +package dsig + +import ( + "crypto" + "crypto/ecdsa" + "crypto/ed25519" + "crypto/rsa" + "fmt" +) + +// Verify verifies a digital signature using the specified key and algorithm. +// +// This function loads the verifier registered in the dsig package _ONLY_. +// It does not support custom verifiers that the user might have registered. +func Verify(key any, alg string, payload, signature []byte) error { + info, ok := GetAlgorithmInfo(alg) + if !ok { + return fmt.Errorf(`dsig.Verify: unsupported signature algorithm %q`, alg) + } + + switch info.Family { + case HMAC: + return dispatchHMACVerify(key, info, payload, signature) + case RSA: + return dispatchRSAVerify(key, info, payload, signature) + case ECDSA: + return dispatchECDSAVerify(key, info, payload, signature) + case EdDSAFamily: + return dispatchEdDSAVerify(key, info, payload, signature) + default: + return fmt.Errorf(`dsig.Verify: unsupported signature family %q`, info.Family) + } +} + +func dispatchHMACVerify(key any, info AlgorithmInfo, payload, signature []byte) error { + meta, ok := info.Meta.(HMACFamilyMeta) + if !ok { + return fmt.Errorf(`dsig.Verify: invalid HMAC metadata`) + } + + var hmackey []byte + if err := toHMACKey(&hmackey, key); err != nil { + return fmt.Errorf(`dsig.Verify: %w`, err) + } + return VerifyHMAC(hmackey, payload, signature, meta.HashFunc) +} + +func dispatchRSAVerify(key any, info AlgorithmInfo, payload, signature []byte) error { + meta, ok := info.Meta.(RSAFamilyMeta) + if !ok { + return fmt.Errorf(`dsig.Verify: invalid RSA metadata`) + } + + var pubkey *rsa.PublicKey + + if cs, ok := key.(crypto.Signer); ok { + cpub := cs.Public() + switch cpub := cpub.(type) { + case rsa.PublicKey: + pubkey = &cpub + case *rsa.PublicKey: + pubkey = cpub + default: + return fmt.Errorf(`dsig.Verify: failed to retrieve rsa.PublicKey out of crypto.Signer %T`, key) + } + } else { + var ok bool + pubkey, ok = key.(*rsa.PublicKey) + if !ok { + return fmt.Errorf(`dsig.Verify: failed to retrieve *rsa.PublicKey out of %T`, key) + } + } + + return VerifyRSA(pubkey, payload, signature, meta.Hash, meta.PSS) +} + +func dispatchECDSAVerify(key any, info AlgorithmInfo, payload, signature []byte) error { + meta, ok := info.Meta.(ECDSAFamilyMeta) + if !ok { + return fmt.Errorf(`dsig.Verify: invalid ECDSA metadata`) + } + + pubkey, cs, isCryptoSigner, err := ecdsaGetVerifierKey(key) + if err != nil { + return fmt.Errorf(`dsig.Verify: %w`, err) + } + if isCryptoSigner { + return VerifyECDSACryptoSigner(cs, payload, signature, meta.Hash) + } + return VerifyECDSA(pubkey, payload, signature, meta.Hash) +} + +func dispatchEdDSAVerify(key any, _ AlgorithmInfo, payload, signature []byte) error { + var pubkey ed25519.PublicKey + signer, ok := key.(crypto.Signer) + if ok { + v := signer.Public() + pubkey, ok = v.(ed25519.PublicKey) + if !ok { + return fmt.Errorf(`dsig.Verify: expected crypto.Signer.Public() to return ed25519.PublicKey, but got %T`, v) + } + } else { + var ok bool + pubkey, ok = key.(ed25519.PublicKey) + if !ok { + return fmt.Errorf(`dsig.Verify: failed to retrieve ed25519.PublicKey out of %T`, key) + } + } + + return VerifyEdDSA(pubkey, payload, signature) +} + +func ecdsaGetVerifierKey(key any) (*ecdsa.PublicKey, crypto.Signer, bool, error) { + cs, isCryptoSigner := key.(crypto.Signer) + if isCryptoSigner { + switch key.(type) { + case ecdsa.PublicKey, *ecdsa.PublicKey: + // if it's ecdsa.PublicKey, it's more efficient to + // go through the non-crypto.Signer route. Set isCryptoSigner to false + isCryptoSigner = false + } + } + + if isCryptoSigner { + return nil, cs, true, nil + } + + pubkey, ok := key.(*ecdsa.PublicKey) + if !ok { + return nil, nil, false, fmt.Errorf(`invalid key type %T. *ecdsa.PublicKey is required`, key) + } + + return pubkey, nil, false, nil +} diff --git a/vendor/github.com/lestrrat-go/httprc/v3/.golangci.yml b/vendor/github.com/lestrrat-go/httprc/v3/.golangci.yml index a51b41b4a..b3af8cfe1 100644 --- a/vendor/github.com/lestrrat-go/httprc/v3/.golangci.yml +++ b/vendor/github.com/lestrrat-go/httprc/v3/.golangci.yml @@ -29,6 +29,7 @@ linters: - nakedret - nestif - nlreturn + - noinlineerr - nonamedreturns - paralleltest - tagliatelle @@ -37,6 +38,7 @@ linters: - varnamelen - wrapcheck - wsl + - wsl_v5 settings: govet: disable: diff --git a/vendor/github.com/lestrrat-go/httprc/v3/Changes b/vendor/github.com/lestrrat-go/httprc/v3/Changes index 3c82040d4..4dc6f9f4b 100644 --- a/vendor/github.com/lestrrat-go/httprc/v3/Changes +++ b/vendor/github.com/lestrrat-go/httprc/v3/Changes @@ -1,7 +1,10 @@ Changes ======= -v3.0.0 UNRELEASED +v3.0.1 18 Aug 2025 +* Refresh() no longer requires the resource to be ready. + +v3.0.0 5 Jun 2025 [Breaking Changes] * The entire API has been re-imagined for Go versions that allow typed parameters diff --git a/vendor/github.com/lestrrat-go/httprc/v3/backend.go b/vendor/github.com/lestrrat-go/httprc/v3/backend.go index 7d4fb496a..31f9fc07d 100644 --- a/vendor/github.com/lestrrat-go/httprc/v3/backend.go +++ b/vendor/github.com/lestrrat-go/httprc/v3/backend.go @@ -71,6 +71,7 @@ func (c *ctrlBackend) refreshResource(ctx context.Context, req refreshRequest) { c.traceSink.Put(ctx, fmt.Sprintf("httprc controller: [refresh] START %q", req.u)) defer c.traceSink.Put(ctx, fmt.Sprintf("httprc controller: [refresh] END %q", req.u)) u := req.u + r, ok := c.items[u] if !ok { c.traceSink.Put(ctx, fmt.Sprintf("httprc controller: [refresh] %s is not registered", req.u)) @@ -78,12 +79,9 @@ func (c *ctrlBackend) refreshResource(ctx context.Context, req refreshRequest) { return } - // Make sure it's ready - if err := r.Ready(ctx); err != nil { - c.traceSink.Put(ctx, fmt.Sprintf("httprc controller: [refresh] %s did not become ready: %v", req.u, err)) - sendReply(ctx, req.reply, struct{}{}, err) - return - } + // Note: We don't wait for r.Ready() here because refresh should work + // regardless of whether the resource has been fetched before. This allows + // refresh to work with resources registered using WithWaitReady(false). r.SetNext(time.Unix(0, 0)) sendWorkerSynchronous(ctx, c.syncoutgoing, synchronousRequest{ diff --git a/vendor/github.com/lestrrat-go/httprc/v3/worker.go b/vendor/github.com/lestrrat-go/httprc/v3/worker.go index 57d7fb962..d11477dad 100644 --- a/vendor/github.com/lestrrat-go/httprc/v3/worker.go +++ b/vendor/github.com/lestrrat-go/httprc/v3/worker.go @@ -39,10 +39,12 @@ func (w worker) Run(ctx context.Context, readywg *sync.WaitGroup, donewg *sync.W case sr := <-w.nextsync: w.traceSink.Put(ctx, fmt.Sprintf("httprc worker: syncing %q (synchronous)", sr.resource.URL())) if err := sr.resource.Sync(ctx); err != nil { + w.traceSink.Put(ctx, fmt.Sprintf("httprc worker: FAILED to sync %q (synchronous): %s", sr.resource.URL(), err)) sendReply(ctx, sr.reply, struct{}{}, err) sr.resource.SetBusy(false) return } + w.traceSink.Put(ctx, fmt.Sprintf("httprc worker: SUCCESS syncing %q (synchronous)", sr.resource.URL())) sr.resource.SetBusy(false) sendReply(ctx, sr.reply, struct{}{}, nil) w.sendAdjustIntervalRequest(ctx, sr.resource) diff --git a/vendor/github.com/lestrrat-go/jwx/v3/Changes b/vendor/github.com/lestrrat-go/jwx/v3/Changes index 77381cf19..29910bf35 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/Changes +++ b/vendor/github.com/lestrrat-go/jwx/v3/Changes @@ -4,6 +4,20 @@ Changes v3 has many incompatibilities with v2. To see the full list of differences between v2 and v3, please read the Changes-v3.md file (https://github.com/lestrrat-go/jwx/blob/develop/v3/Changes-v3.md) +v3.0.11 14 Sep 2025 + * [jwk] Add `(jwk.Cache).Shutdown()` method that delegates to the httprc controller + object, to shutdown the cache. + * [jwk] Change timing of `res.Body.Close()` call + * [jwe] Previously, ecdh.PrivateKey/ecdh.PublicKey were not properly handled + when used for encryption, which has been fixed. + * [jws/jwsbb] (EXPERIMENTAL/BREAKS COMPATIBILITY) Convert most functions into + thin wrappers around functions from github.com/lestrrat-go/dsig package. + As a related change, HAMCHashFuncFor/RSAHashFuncFor/ECDSAHashFuncFor/RSAPSSOptions + have been removed or unexported. + Users of this module should be using jwsbb.Sign() and jwsbb.Verify() instead of + algorithm specific jwsbb.SignRSA()/jwsbb.VerifyRSA() and such. If you feel the + need to use these functions, you should use github.com/lestrrat-go/dsig directly. + v3.0.10 04 Aug 2025 * [jws/jwsbb] Add `jwsbb.ErrHeaderNotFound()` to return the same error type as when a non-existent header is requested. via `HeaderGetXXX()` functions. Previously, this diff --git a/vendor/github.com/lestrrat-go/jwx/v3/MODULE.bazel b/vendor/github.com/lestrrat-go/jwx/v3/MODULE.bazel index 004fb2a9a..167e9b5c8 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/MODULE.bazel +++ b/vendor/github.com/lestrrat-go/jwx/v3/MODULE.bazel @@ -9,9 +9,9 @@ bazel_dep(name = "rules_go", version = "0.55.1") bazel_dep(name = "gazelle", version = "0.44.0") bazel_dep(name = "aspect_bazel_lib", version = "2.11.0") -# Go SDK setup - using Go 1.23.6 to match the toolchain in go.mod +# Go SDK setup - using Go 1.24.4 to match the toolchain in go.mod go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk") -go_sdk.download(version = "1.23.6") +go_sdk.download(version = "1.24.4") # Go dependencies from go.mod go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps") @@ -23,6 +23,8 @@ use_repo( "com_github_decred_dcrd_dcrec_secp256k1_v4", "com_github_goccy_go_json", "com_github_lestrrat_go_blackmagic", + "com_github_lestrrat_go_dsig", + "com_github_lestrrat_go_dsig_secp256k1", "com_github_lestrrat_go_httprc_v3", "com_github_lestrrat_go_option_v2", "com_github_segmentio_asm", diff --git a/vendor/github.com/lestrrat-go/jwx/v3/internal/keyconv/keyconv.go b/vendor/github.com/lestrrat-go/jwx/v3/internal/keyconv/keyconv.go index b911839c5..751fd8f05 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/internal/keyconv/keyconv.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/internal/keyconv/keyconv.go @@ -5,8 +5,10 @@ import ( "crypto/ecdh" "crypto/ecdsa" "crypto/ed25519" + "crypto/elliptic" "crypto/rsa" "fmt" + "math/big" "github.com/lestrrat-go/blackmagic" "github.com/lestrrat-go/jwx/v3/jwk" @@ -263,3 +265,90 @@ func ECDHPublicKey(dst, src any) error { return blackmagic.AssignIfCompatible(dst, pubECDH) } + +// ecdhCurveToElliptic maps ECDH curves to elliptic curves +func ecdhCurveToElliptic(ecdhCurve ecdh.Curve) (elliptic.Curve, error) { + switch ecdhCurve { + case ecdh.P256(): + return elliptic.P256(), nil + case ecdh.P384(): + return elliptic.P384(), nil + case ecdh.P521(): + return elliptic.P521(), nil + default: + return nil, fmt.Errorf(`keyconv: unsupported ECDH curve: %v`, ecdhCurve) + } +} + +// ecdhPublicKeyToECDSA converts an ECDH public key to an ECDSA public key +func ecdhPublicKeyToECDSA(ecdhPubKey *ecdh.PublicKey) (*ecdsa.PublicKey, error) { + curve, err := ecdhCurveToElliptic(ecdhPubKey.Curve()) + if err != nil { + return nil, err + } + + pubBytes := ecdhPubKey.Bytes() + + // Parse the uncompressed point format (0x04 prefix + X + Y coordinates) + if len(pubBytes) == 0 || pubBytes[0] != 0x04 { + return nil, fmt.Errorf(`keyconv: invalid ECDH public key format`) + } + + keyLen := (len(pubBytes) - 1) / 2 + if len(pubBytes) != 1+2*keyLen { + return nil, fmt.Errorf(`keyconv: invalid ECDH public key length`) + } + + x := new(big.Int).SetBytes(pubBytes[1 : 1+keyLen]) + y := new(big.Int).SetBytes(pubBytes[1+keyLen:]) + + return &ecdsa.PublicKey{ + Curve: curve, + X: x, + Y: y, + }, nil +} + +func ECDHToECDSA(dst, src any) error { + // convert ecdh.PublicKey to ecdsa.PublicKey, ecdh.PrivateKey to ecdsa.PrivateKey + + // First, handle value types by converting to pointers + switch s := src.(type) { + case ecdh.PrivateKey: + src = &s + case ecdh.PublicKey: + src = &s + } + + var privBytes []byte + var pubkey *ecdh.PublicKey + // Now handle the actual conversion with pointer types + switch src := src.(type) { + case *ecdh.PrivateKey: + pubkey = src.PublicKey() + privBytes = src.Bytes() + case *ecdh.PublicKey: + pubkey = src + default: + return fmt.Errorf(`keyconv: expected ecdh.PrivateKey, *ecdh.PrivateKey, ecdh.PublicKey, or *ecdh.PublicKey, got %T`, src) + } + + // convert the public key + ecdsaPubKey, err := ecdhPublicKeyToECDSA(pubkey) + if err != nil { + return fmt.Errorf(`keyconv.ECDHToECDSA: failed to convert ECDH public key to ECDSA public key: %w`, err) + } + + // return if we were being asked to convert *ecdh.PublicKey + if privBytes == nil { + return blackmagic.AssignIfCompatible(dst, ecdsaPubKey) + } + + // Then create the private key with the public key embedded + ecdsaPrivKey := &ecdsa.PrivateKey{ + D: new(big.Int).SetBytes(privBytes), + PublicKey: *ecdsaPubKey, + } + + return blackmagic.AssignIfCompatible(dst, ecdsaPrivKey) +} diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jwe/encrypt.go b/vendor/github.com/lestrrat-go/jwx/v3/jwe/encrypt.go index a71e71689..e75f342a3 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jwe/encrypt.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jwe/encrypt.go @@ -96,23 +96,48 @@ func (e *encrypter) EncryptKey(cek []byte) (keygen.ByteSource, error) { keyToUse = e.pubkey } - // Handle ecdsa.PublicKey by value - convert to pointer - if pk, ok := keyToUse.(ecdsa.PublicKey); ok { - keyToUse = &pk + switch key := keyToUse.(type) { + case *ecdsa.PublicKey: + // no op + case ecdsa.PublicKey: + keyToUse = &key + case *ecdsa.PrivateKey: + keyToUse = &key.PublicKey + case ecdsa.PrivateKey: + keyToUse = &key.PublicKey + case *ecdh.PublicKey: + // no op + case ecdh.PublicKey: + keyToUse = &key + case ecdh.PrivateKey: + keyToUse = key.PublicKey() + case *ecdh.PrivateKey: + keyToUse = key.PublicKey() } // Determine key type and call appropriate function + switch key := keyToUse.(type) { + case *ecdh.PublicKey: + if key.Curve() == ecdh.X25519() { + if !keywrap { + return jwebb.KeyEncryptECDHESX25519(cek, e.keyalg.String(), e.apu, e.apv, key, keysize, e.ctalg.String()) + } + return jwebb.KeyEncryptECDHESKeyWrapX25519(cek, e.keyalg.String(), e.apu, e.apv, key, keysize, e.ctalg.String()) + } + + var ecdsaKey *ecdsa.PublicKey + if err := keyconv.ECDHToECDSA(&ecdsaKey, key); err != nil { + return nil, fmt.Errorf(`encrypt: failed to convert ECDH public key to ECDSA: %w`, err) + } + keyToUse = ecdsaKey + } + switch key := keyToUse.(type) { case *ecdsa.PublicKey: if !keywrap { return jwebb.KeyEncryptECDHESECDSA(cek, e.keyalg.String(), e.apu, e.apv, key, keysize, e.ctalg.String()) } return jwebb.KeyEncryptECDHESKeyWrapECDSA(cek, e.keyalg.String(), e.apu, e.apv, key, keysize, e.ctalg.String()) - case *ecdh.PublicKey: - if !keywrap { - return jwebb.KeyEncryptECDHESX25519(cek, e.keyalg.String(), e.apu, e.apv, key, keysize, e.ctalg.String()) - } - return jwebb.KeyEncryptECDHESKeyWrapX25519(cek, e.keyalg.String(), e.apu, e.apv, key, keysize, e.ctalg.String()) default: return nil, fmt.Errorf(`encrypt: unsupported key type for ECDH-ES: %T`, keyToUse) } diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jwk/cache.go b/vendor/github.com/lestrrat-go/jwx/v3/jwk/cache.go index d827668e1..b83b56c79 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jwk/cache.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jwk/cache.go @@ -223,6 +223,10 @@ func (c *Cache) Unregister(ctx context.Context, u string) error { return c.ctrl.Remove(ctx, u) } +func (c *Cache) Shutdown(ctx context.Context) error { + return c.ctrl.ShutdownContext(ctx) +} + // CachedSet is a thin shim over jwk.Cache that allows the user to cloak // jwk.Cache as if it's a `jwk.Set`. Behind the scenes, the `jwk.Set` is // retrieved from the `jwk.Cache` for every operation. diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jwk/fetch.go b/vendor/github.com/lestrrat-go/jwx/v3/jwk/fetch.go index 2b7917fd2..910a2101d 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jwk/fetch.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jwk/fetch.go @@ -102,13 +102,13 @@ func Fetch(ctx context.Context, u string, options ...FetchOption) (Set, error) { if err != nil { return nil, fmt.Errorf(`jwk.Fetch: request failed: %w`, err) } + defer res.Body.Close() if res.StatusCode != http.StatusOK { return nil, fmt.Errorf(`jwk.Fetch: request returned status %d, expected 200`, res.StatusCode) } buf, err := io.ReadAll(res.Body) - defer res.Body.Close() if err != nil { return nil, fmt.Errorf(`jwk.Fetch: failed to read response body for %q: %w`, u, err) } diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jws/es256k.go b/vendor/github.com/lestrrat-go/jwx/v3/jws/es256k.go index ff5a1d8f7..3b68c4614 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jws/es256k.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jws/es256k.go @@ -8,5 +8,6 @@ import ( ) func init() { + // Register ES256K to EC algorithm family addAlgorithmForKeyType(jwa.EC(), jwa.ES256K()) } diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jws/jws.go b/vendor/github.com/lestrrat-go/jwx/v3/jws/jws.go index b41b2758b..1fa77438b 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jws/jws.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jws/jws.go @@ -19,6 +19,10 @@ // To verify, use `jws.Verify`. It will parse the `encodedjws` buffer // and verify the result using `algorithm` and `key`. Upon successful // verification, the original payload is returned, so you can work on it. +// +// As a sidenote, consider using github.com/lestrrat-go/htmsig if you +// looking for HTTP Message Signatures (RFC9421) -- it uses the same +// underlying signing/verification mechanisms as this module. package jws import ( diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/BUILD.bazel b/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/BUILD.bazel index f8fcdac4a..0799e8111 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/BUILD.bazel +++ b/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/BUILD.bazel @@ -23,6 +23,7 @@ go_library( "//internal/pool", "//internal/tokens", "//jws/internal/keytype", + "@com_github_lestrrat_go_dsig//:dsig", ], ) diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/ecdsa.go b/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/ecdsa.go index bd7ef4adc..1eb492ee7 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/ecdsa.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/ecdsa.go @@ -3,59 +3,27 @@ package jwsbb import ( "crypto" "crypto/ecdsa" - "crypto/rand" "encoding/asn1" "fmt" "io" "math/big" + "github.com/lestrrat-go/dsig" "github.com/lestrrat-go/jwx/v3/internal/ecutil" - "github.com/lestrrat-go/jwx/v3/internal/keyconv" - "github.com/lestrrat-go/jwx/v3/jws/internal/keytype" ) -var ecdsaHashFuncs = map[string]crypto.Hash{ - "ES256": crypto.SHA256, - "ES256K": crypto.SHA256, - "ES384": crypto.SHA384, - "ES512": crypto.SHA512, -} - -func isSuppotedECDSAAlgorithm(alg string) bool { - _, ok := ecdsaHashFuncs[alg] - return ok -} - -func ECDSAHashFuncFor(alg string) (crypto.Hash, error) { - if h, ok := ecdsaHashFuncs[alg]; ok { - return h, nil +// ecdsaHashToDsigAlgorithm maps ECDSA hash functions to dsig algorithm constants +func ecdsaHashToDsigAlgorithm(h crypto.Hash) (string, error) { + switch h { + case crypto.SHA256: + return dsig.ECDSAWithP256AndSHA256, nil + case crypto.SHA384: + return dsig.ECDSAWithP384AndSHA384, nil + case crypto.SHA512: + return dsig.ECDSAWithP521AndSHA512, nil + default: + return "", fmt.Errorf("unsupported ECDSA hash function: %v", h) } - return 0, fmt.Errorf(`unsupported ECDSA algorithm %s`, alg) -} - -func ecdsaGetSignerKey(key any) (*ecdsa.PrivateKey, crypto.Signer, bool, error) { - cs, isCryptoSigner := key.(crypto.Signer) - if isCryptoSigner { - if !keytype.IsValidECDSAKey(key) { - return nil, nil, false, fmt.Errorf(`cannot use key of type %T`, key) - } - switch key.(type) { - case ecdsa.PrivateKey, *ecdsa.PrivateKey: - // if it's ecdsa.PrivateKey, it's more efficient to - // go through the non-crypto.Signer route. Set isCryptoSigner to false - isCryptoSigner = false - } - } - - if isCryptoSigner { - return nil, cs, true, nil - } - - var privkey *ecdsa.PrivateKey - if err := keyconv.ECDSAPrivateKey(&privkey, key); err != nil { - return nil, nil, false, fmt.Errorf(`invalid key type %T. ecdsa.PrivateKey is required: %w`, key, err) - } - return privkey, nil, false, nil } // UnpackASN1ECDSASignature unpacks an ASN.1 encoded ECDSA signature into r and s values. @@ -120,24 +88,16 @@ func PackECDSASignature(r *big.Int, sbig *big.Int, curveBits int) ([]byte, error // The raw parameter should be the pre-computed signing input (typically header.payload). // // rr is an io.Reader that provides randomness for signing. if rr is nil, it defaults to rand.Reader. +// +// This function is now a thin wrapper around dsig.SignECDSA. For new projects, you should +// consider using dsig instead of this function. func SignECDSA(key *ecdsa.PrivateKey, payload []byte, h crypto.Hash, rr io.Reader) ([]byte, error) { - hh := h.New() - if _, err := hh.Write(payload); err != nil { - return nil, fmt.Errorf(`failed to write payload using ecdsa: %w`, err) - } - digest := hh.Sum(nil) - - if rr == nil { - rr = rand.Reader - } - - // Sign and get r, s values - r, s, err := ecdsa.Sign(rr, key, digest) + dsigAlg, err := ecdsaHashToDsigAlgorithm(h) if err != nil { - return nil, fmt.Errorf(`failed to sign payload using ecdsa: %w`, err) + return nil, fmt.Errorf("jwsbb.SignECDSA: %w", err) } - return PackECDSASignature(r, s, key.Curve.Params().BitSize) + return dsig.Sign(key, dsigAlg, payload, rr) } // SignECDSACryptoSigner generates an ECDSA signature using a crypto.Signer interface. @@ -183,13 +143,16 @@ func ecdsaVerify(key *ecdsa.PublicKey, buf []byte, h crypto.Hash, r, s *big.Int) // VerifyECDSA verifies an ECDSA signature for the given payload. // This function verifies the signature using the specified public key and hash algorithm. // The payload parameter should be the pre-computed signing input (typically header.payload). +// +// This function is now a thin wrapper around dsig.VerifyECDSA. For new projects, you should +// consider using dsig instead of this function. func VerifyECDSA(key *ecdsa.PublicKey, payload, signature []byte, h crypto.Hash) error { - var r, s big.Int - if err := UnpackECDSASignature(signature, key, &r, &s); err != nil { - return fmt.Errorf("jwsbb.ECDSAVerifier: failed to unpack ECDSA signature: %w", err) + dsigAlg, err := ecdsaHashToDsigAlgorithm(h) + if err != nil { + return fmt.Errorf("jwsbb.VerifyECDSA: %w", err) } - return ecdsaVerify(key, payload, h, &r, &s) + return dsig.Verify(key, dsigAlg, payload, signature) } // VerifyECDSACryptoSigner verifies an ECDSA signature for crypto.Signer implementations. diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/eddsa.go b/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/eddsa.go index a5e41d2ec..960cf97dd 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/eddsa.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/eddsa.go @@ -1,52 +1,30 @@ package jwsbb import ( - "crypto" "crypto/ed25519" - "fmt" - "github.com/lestrrat-go/jwx/v3/internal/keyconv" - "github.com/lestrrat-go/jwx/v3/jws/internal/keytype" + "github.com/lestrrat-go/dsig" ) -func isSupportedEdDSAAlgorithm(alg string) bool { - return alg == "EdDSA" -} - -func eddsaGetSigner(key any) (crypto.Signer, error) { - // The ed25519.PrivateKey object implements crypto.Signer, so we should - // simply accept a crypto.Signer here. - signer, ok := key.(crypto.Signer) - if ok { - if !keytype.IsValidEDDSAKey(key) { - return nil, fmt.Errorf(`cannot use key of type %T to generate EdDSA based signatures`, key) - } - return signer, nil - } - - // This fallback exists for cases when jwk.Key was passed, or - // users gave us a pointer instead of non-pointer, etc. - var privkey ed25519.PrivateKey - if err := keyconv.Ed25519PrivateKey(&privkey, key); err != nil { - return nil, fmt.Errorf(`failed to retrieve ed25519.PrivateKey out of %T: %w`, key, err) - } - return privkey, nil -} - // SignEdDSA generates an EdDSA (Ed25519) signature for the given payload. // The raw parameter should be the pre-computed signing input (typically header.payload). // EdDSA is deterministic and doesn't require additional hashing of the input. +// +// This function is now a thin wrapper around dsig.SignEdDSA. For new projects, you should +// consider using dsig instead of this function. func SignEdDSA(key ed25519.PrivateKey, payload []byte) ([]byte, error) { - return ed25519.Sign(key, payload), nil + // Use dsig.Sign with EdDSA algorithm constant + return dsig.Sign(key, dsig.EdDSA, payload, nil) } // VerifyEdDSA verifies an EdDSA (Ed25519) signature for the given payload. // This function verifies the signature using Ed25519 verification algorithm. // The payload parameter should be the pre-computed signing input (typically header.payload). // EdDSA is deterministic and provides strong security guarantees without requiring hash function selection. +// +// This function is now a thin wrapper around dsig.VerifyEdDSA. For new projects, you should +// consider using dsig instead of this function. func VerifyEdDSA(key ed25519.PublicKey, payload, signature []byte) error { - if !ed25519.Verify(key, payload, signature) { - return fmt.Errorf("invalid EdDSA signature") - } - return nil + // Use dsig.Verify with EdDSA algorithm constant + return dsig.Verify(key, dsig.EdDSA, payload, signature) } diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/es256k.go b/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/es256k.go new file mode 100644 index 000000000..a8761ee0f --- /dev/null +++ b/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/es256k.go @@ -0,0 +1,14 @@ +//go:build jwx_es256k + +package jwsbb + +import ( + dsigsecp256k1 "github.com/lestrrat-go/dsig-secp256k1" +) + +const es256k = "ES256K" + +func init() { + // Add ES256K mapping when this build tag is enabled + jwsToDsigAlgorithm[es256k] = dsigsecp256k1.ECDSAWithSecp256k1AndSHA256 +} diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/hmac.go b/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/hmac.go index 782915ff2..8e70eb667 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/hmac.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/hmac.go @@ -1,67 +1,52 @@ package jwsbb import ( - "crypto/hmac" - "crypto/sha256" - "crypto/sha512" "fmt" "hash" - "github.com/lestrrat-go/jwx/v3/internal/keyconv" + "github.com/lestrrat-go/dsig" ) -var hmacHashFuncs = map[string]func() hash.Hash{ - "HS256": sha256.New, - "HS384": sha512.New384, - "HS512": sha512.New, -} - -func isSupportedHMACAlgorithm(alg string) bool { - _, ok := hmacHashFuncs[alg] - return ok -} - -// HMACHashFuncFor returns the appropriate hash function for the given HMAC algorithm. -// Supported algorithms: HS256 (SHA-256), HS384 (SHA-384), HS512 (SHA-512). -// Returns the hash function constructor and an error if the algorithm is unsupported. -func HMACHashFuncFor(alg string) (func() hash.Hash, error) { - if h, ok := hmacHashFuncs[alg]; ok { - return h, nil +// hmacHashToDsigAlgorithm maps HMAC hash function sizes to dsig algorithm constants +func hmacHashToDsigAlgorithm(hfunc func() hash.Hash) (string, error) { + h := hfunc() + switch h.Size() { + case 32: // SHA256 + return dsig.HMACWithSHA256, nil + case 48: // SHA384 + return dsig.HMACWithSHA384, nil + case 64: // SHA512 + return dsig.HMACWithSHA512, nil + default: + return "", fmt.Errorf("unsupported HMAC hash function: size=%d", h.Size()) } - return nil, fmt.Errorf("unsupported HMAC algorithm %s", alg) -} - -func toHMACKey(dst *[]byte, key any) error { - if err := keyconv.ByteSliceKey(dst, key); err != nil { - return fmt.Errorf(`jws.toHMACKey: invalid key type %T. []byte is required: %w`, key, err) - } - - if len(*dst) == 0 { - return fmt.Errorf(`jws.toHMACKey: missing key while signing payload`) - } - return nil } // SignHMAC generates an HMAC signature for the given payload using the specified hash function and key. // The raw parameter should be the pre-computed signing input (typically header.payload). +// +// This function is now a thin wrapper around dsig.SignHMAC. For new projects, you should +// consider using dsig instead of this function. func SignHMAC(key, payload []byte, hfunc func() hash.Hash) ([]byte, error) { - h := hmac.New(hfunc, key) - if _, err := h.Write(payload); err != nil { - return nil, fmt.Errorf(`failed to write payload using hmac: %w`, err) + dsigAlg, err := hmacHashToDsigAlgorithm(hfunc) + if err != nil { + return nil, fmt.Errorf("jwsbb.SignHMAC: %w", err) } - return h.Sum(nil), nil + + return dsig.Sign(key, dsigAlg, payload, nil) } // VerifyHMAC verifies an HMAC signature for the given payload. // This function verifies the signature using the specified key and hash function. // The payload parameter should be the pre-computed signing input (typically header.payload). +// +// This function is now a thin wrapper around dsig.VerifyHMAC. For new projects, you should +// consider using dsig instead of this function. func VerifyHMAC(key, payload, signature []byte, hfunc func() hash.Hash) error { - expected, err := SignHMAC(key, payload, hfunc) + dsigAlg, err := hmacHashToDsigAlgorithm(hfunc) if err != nil { - return fmt.Errorf("failed to sign payload for verification: %w", err) + return fmt.Errorf("jwsbb.VerifyHMAC: %w", err) } - if !hmac.Equal(signature, expected) { - return fmt.Errorf("invalid HMAC signature") - } - return nil + + return dsig.Verify(key, dsigAlg, payload, signature) } diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/jwsbb.go b/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/jwsbb.go index 51d01df63..6a67ee8f8 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/jwsbb.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/jwsbb.go @@ -12,8 +12,40 @@ // 1. Does minimal checking of input parameters (for performance); callers need to ensure that the parameters are valid. // 2. All exported functions are strongly typed (i.e. they do not take `any` types unless they absolutely have to). // 3. Does not rely on other public jwx packages (they are standalone, except for internal packages). +// +// This implementation uses github.com/lestrrat-go/dsig as the underlying signature provider. package jwsbb +import ( + "github.com/lestrrat-go/dsig" +) + +// JWS algorithm name constants +const ( + // HMAC algorithms + hs256 = "HS256" + hs384 = "HS384" + hs512 = "HS512" + + // RSA PKCS#1 v1.5 algorithms + rs256 = "RS256" + rs384 = "RS384" + rs512 = "RS512" + + // RSA PSS algorithms + ps256 = "PS256" + ps384 = "PS384" + ps512 = "PS512" + + // ECDSA algorithms + es256 = "ES256" + es384 = "ES384" + es512 = "ES512" + + // EdDSA algorithm + edDSA = "EdDSA" +) + // Signer is a generic interface that defines the method for signing payloads. // The type parameter K represents the key type (e.g., []byte for HMAC keys, // *rsa.PrivateKey for RSA keys, *ecdsa.PrivateKey for ECDSA keys). @@ -27,3 +59,36 @@ type Signer[K any] interface { type Verifier[K any] interface { Verify(key K, buf []byte, signature []byte) error } + +// JWS to dsig algorithm mapping +var jwsToDsigAlgorithm = map[string]string{ + // HMAC algorithms + hs256: dsig.HMACWithSHA256, + hs384: dsig.HMACWithSHA384, + hs512: dsig.HMACWithSHA512, + + // RSA PKCS#1 v1.5 algorithms + rs256: dsig.RSAPKCS1v15WithSHA256, + rs384: dsig.RSAPKCS1v15WithSHA384, + rs512: dsig.RSAPKCS1v15WithSHA512, + + // RSA PSS algorithms + ps256: dsig.RSAPSSWithSHA256, + ps384: dsig.RSAPSSWithSHA384, + ps512: dsig.RSAPSSWithSHA512, + + // ECDSA algorithms + es256: dsig.ECDSAWithP256AndSHA256, + es384: dsig.ECDSAWithP384AndSHA384, + es512: dsig.ECDSAWithP521AndSHA512, + // Note: ES256K requires external dependency and is handled separately + + // EdDSA algorithm + edDSA: dsig.EdDSA, +} + +// getDsigAlgorithm returns the dsig algorithm name for a JWS algorithm +func getDsigAlgorithm(jwsAlg string) (string, bool) { + dsigAlg, ok := jwsToDsigAlgorithm[jwsAlg] + return dsigAlg, ok +} diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/rsa.go b/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/rsa.go index f3083dcea..36997cef7 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/rsa.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/rsa.go @@ -6,53 +6,33 @@ import ( "fmt" "io" - "github.com/lestrrat-go/jwx/v3/jws/internal/keytype" + "github.com/lestrrat-go/dsig" ) -func rsaGetSignerCryptoSignerKey(key any) (crypto.Signer, bool, error) { - cs, isCryptoSigner := key.(crypto.Signer) - if isCryptoSigner { - if !keytype.IsValidRSAKey(key) { - return nil, false, fmt.Errorf(`cannot use key of type %T`, key) +// rsaHashToDsigAlgorithm maps RSA hash functions to dsig algorithm constants +func rsaHashToDsigAlgorithm(h crypto.Hash, pss bool) (string, error) { + if pss { + switch h { + case crypto.SHA256: + return dsig.RSAPSSWithSHA256, nil + case crypto.SHA384: + return dsig.RSAPSSWithSHA384, nil + case crypto.SHA512: + return dsig.RSAPSSWithSHA512, nil + default: + return "", fmt.Errorf("unsupported hash algorithm for RSA-PSS: %v", h) + } + } else { + switch h { + case crypto.SHA256: + return dsig.RSAPKCS1v15WithSHA256, nil + case crypto.SHA384: + return dsig.RSAPKCS1v15WithSHA384, nil + case crypto.SHA512: + return dsig.RSAPKCS1v15WithSHA512, nil + default: + return "", fmt.Errorf("unsupported hash algorithm for RSA PKCS#1 v1.5: %v", h) } - return cs, true, nil - } - return nil, false, nil -} - -var rsaHashFuncs = map[string]struct { - Hash crypto.Hash - PSS bool // whether to use PSS padding -}{ - "RS256": {Hash: crypto.SHA256, PSS: false}, - "RS384": {Hash: crypto.SHA384, PSS: false}, - "RS512": {Hash: crypto.SHA512, PSS: false}, - "PS256": {Hash: crypto.SHA256, PSS: true}, - "PS384": {Hash: crypto.SHA384, PSS: true}, - "PS512": {Hash: crypto.SHA512, PSS: true}, -} - -func isSuppotedRSAAlgorithm(alg string) bool { - _, ok := rsaHashFuncs[alg] - return ok -} - -// RSAHashFuncFor returns the appropriate hash function and PSS flag for the given RSA algorithm. -// Supported algorithms: RS256, RS384, RS512 (PKCS#1 v1.5) and PS256, PS384, PS512 (PSS). -// Returns the hash function, PSS flag, and an error if the algorithm is unsupported. -func RSAHashFuncFor(alg string) (crypto.Hash, bool, error) { - if h, ok := rsaHashFuncs[alg]; ok { - return h.Hash, h.PSS, nil - } - return 0, false, fmt.Errorf("unsupported RSA algorithm %s", alg) -} - -// RSAPSSOptions returns the PSS options for RSA-PSS signatures with the specified hash. -// The salt length is set to equal the hash length as per RFC 7518. -func RSAPSSOptions(h crypto.Hash) rsa.PSSOptions { - return rsa.PSSOptions{ - Hash: h, - SaltLength: rsa.PSSSaltLengthEqualsHash, } } @@ -62,25 +42,30 @@ func RSAPSSOptions(h crypto.Hash) rsa.PSSOptions { // // The rr parameter is an optional io.Reader that can be used to provide randomness for signing. // If rr is nil, it defaults to rand.Reader. +// +// This function is now a thin wrapper around dsig.SignRSA. For new projects, you should +// consider using dsig instead of this function. func SignRSA(key *rsa.PrivateKey, payload []byte, h crypto.Hash, pss bool, rr io.Reader) ([]byte, error) { - var opts crypto.SignerOpts = h - if pss { - rsaopts := RSAPSSOptions(h) - opts = &rsaopts + dsigAlg, err := rsaHashToDsigAlgorithm(h, pss) + if err != nil { + return nil, fmt.Errorf("jwsbb.SignRSA: %w", err) } - return cryptosign(key, payload, h, opts, rr) + + return dsig.Sign(key, dsigAlg, payload, rr) } // VerifyRSA verifies an RSA signature for the given payload and header. // This function constructs the signing input by encoding the header and payload according to JWS specification, // then verifies the signature using the specified public key and hash algorithm. // If pss is true, RSA-PSS verification is used; otherwise, PKCS#1 v1.5 verification is used. +// +// This function is now a thin wrapper around dsig.VerifyRSA. For new projects, you should +// consider using dsig instead of this function. func VerifyRSA(key *rsa.PublicKey, payload, signature []byte, h crypto.Hash, pss bool) error { - hasher := h.New() - hasher.Write(payload) - digest := hasher.Sum(nil) - if pss { - return rsa.VerifyPSS(key, h, digest, signature, &rsa.PSSOptions{Hash: h, SaltLength: rsa.PSSSaltLengthEqualsHash}) + dsigAlg, err := rsaHashToDsigAlgorithm(h, pss) + if err != nil { + return fmt.Errorf("jwsbb.VerifyRSA: %w", err) } - return rsa.VerifyPKCS1v15(key, h, digest, signature) + + return dsig.Verify(key, dsigAlg, payload, signature) } diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/sign.go b/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/sign.go index 0599ee5df..6f36ab055 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/sign.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/sign.go @@ -2,94 +2,109 @@ package jwsbb import ( "crypto" + "crypto/ecdsa" + "crypto/ed25519" "crypto/rsa" "fmt" "io" + "github.com/lestrrat-go/dsig" "github.com/lestrrat-go/jwx/v3/internal/keyconv" ) // Sign generates a JWS signature using the specified key and algorithm. // -// This function loads the signer registered in the hwsbb package _ONLY_. +// This function loads the signer registered in the jwsbb package _ONLY_. // It does not support custom signers that the user might have registered. // // rr is an io.Reader that provides randomness for signing. If rr is nil, it defaults to rand.Reader. // Not all algorithms require this parameter, but it is included for consistency. // 99% of the time, you can pass nil for rr, and it will work fine. func Sign(key any, alg string, payload []byte, rr io.Reader) ([]byte, error) { - switch { - case isSupportedHMACAlgorithm(alg): - return dispatchHMACSign(key, alg, payload) - case isSuppotedRSAAlgorithm(alg): - return dispatchRSASign(key, alg, payload, rr) - case isSuppotedECDSAAlgorithm(alg): - return dispatchECDSASign(key, alg, payload, rr) - case isSupportedEdDSAAlgorithm(alg): - return dispatchEdDSASign(key, alg, payload, rr) + dsigAlg, ok := getDsigAlgorithm(alg) + if !ok { + return nil, fmt.Errorf(`jwsbb.Sign: unsupported signature algorithm %q`, alg) } - return nil, fmt.Errorf(`jwsbb.Sign: unsupported signature algorithm %q`, alg) + // Get dsig algorithm info to determine key conversion strategy + dsigInfo, ok := dsig.GetAlgorithmInfo(dsigAlg) + if !ok { + return nil, fmt.Errorf(`jwsbb.Sign: dsig algorithm %q not registered`, dsigAlg) + } + + switch dsigInfo.Family { + case dsig.HMAC: + return dispatchHMACSign(key, dsigAlg, payload) + case dsig.RSA: + return dispatchRSASign(key, dsigAlg, payload, rr) + case dsig.ECDSA: + return dispatchECDSASign(key, dsigAlg, payload, rr) + case dsig.EdDSAFamily: + return dispatchEdDSASign(key, dsigAlg, payload, rr) + default: + return nil, fmt.Errorf(`jwsbb.Sign: unsupported dsig algorithm family %q`, dsigInfo.Family) + } } -func dispatchHMACSign(key any, alg string, payload []byte) ([]byte, error) { - h, err := HMACHashFuncFor(alg) - if err != nil { - return nil, fmt.Errorf(`jwsbb.Sign: failed to get hash function for %s: %w`, alg, err) - } - +func dispatchHMACSign(key any, dsigAlg string, payload []byte) ([]byte, error) { var hmackey []byte - if err := toHMACKey(&hmackey, key); err != nil { - return nil, fmt.Errorf(`jwsbb.Sign: %w`, err) + if err := keyconv.ByteSliceKey(&hmackey, key); err != nil { + return nil, fmt.Errorf(`jwsbb.Sign: invalid key type %T. []byte is required: %w`, key, err) } - return SignHMAC(hmackey, payload, h) + + return dsig.Sign(hmackey, dsigAlg, payload, nil) } -func dispatchRSASign(key any, alg string, payload []byte, rr io.Reader) ([]byte, error) { - h, pss, err := RSAHashFuncFor(alg) - if err != nil { - return nil, fmt.Errorf(`jwsbb.Sign: failed to get hash function for %s: %w`, alg, err) - } - cs, isCryptoSigner, err := rsaGetSignerCryptoSignerKey(key) - if err != nil { - return nil, fmt.Errorf(`jwsbb.Sign: %w`, err) - } - if isCryptoSigner { - var options crypto.SignerOpts = h - if pss { - rsaopts := RSAPSSOptions(h) - options = &rsaopts +func dispatchRSASign(key any, dsigAlg string, payload []byte, rr io.Reader) ([]byte, error) { + // Try crypto.Signer first (dsig can handle it directly) + if signer, ok := key.(crypto.Signer); ok { + // Verify it's an RSA key + if _, ok := signer.Public().(*rsa.PublicKey); ok { + return dsig.Sign(signer, dsigAlg, payload, rr) } - return SignCryptoSigner(cs, payload, h, options, rr) } + // Fall back to concrete key types var privkey *rsa.PrivateKey if err := keyconv.RSAPrivateKey(&privkey, key); err != nil { - return nil, fmt.Errorf(`jws.RSASigner: invalid key type %T. rsa.PrivateKey is required: %w`, key, err) - } - return SignRSA(privkey, payload, h, pss, rr) -} - -func dispatchEdDSASign(key any, _ string, payload []byte, rr io.Reader) ([]byte, error) { - signer, err := eddsaGetSigner(key) - if err != nil { - return nil, fmt.Errorf(`jws.EdDSASigner: %w`, err) + return nil, fmt.Errorf(`jwsbb.Sign: invalid key type %T. *rsa.PrivateKey is required: %w`, key, err) } - return SignCryptoSigner(signer, payload, crypto.Hash(0), crypto.Hash(0), rr) + return dsig.Sign(privkey, dsigAlg, payload, rr) } -func dispatchECDSASign(key any, alg string, payload []byte, rr io.Reader) ([]byte, error) { - h, err := ECDSAHashFuncFor(alg) - if err != nil { - return nil, fmt.Errorf(`jwsbb.Sign: failed to get hash function for %s: %w`, alg, err) +func dispatchECDSASign(key any, dsigAlg string, payload []byte, rr io.Reader) ([]byte, error) { + // Try crypto.Signer first (dsig can handle it directly) + if signer, ok := key.(crypto.Signer); ok { + // Verify it's an ECDSA key + if _, ok := signer.Public().(*ecdsa.PublicKey); ok { + return dsig.Sign(signer, dsigAlg, payload, rr) + } } - privkey, cs, isCryptoSigner, err := ecdsaGetSignerKey(key) - if err != nil { - return nil, fmt.Errorf(`jws.ECDSASigner: %w`, err) + + // Fall back to concrete key types + var privkey *ecdsa.PrivateKey + if err := keyconv.ECDSAPrivateKey(&privkey, key); err != nil { + return nil, fmt.Errorf(`jwsbb.Sign: invalid key type %T. *ecdsa.PrivateKey is required: %w`, key, err) } - if isCryptoSigner { - return SignECDSACryptoSigner(cs, payload, h, rr) - } - return SignECDSA(privkey, payload, h, rr) + + return dsig.Sign(privkey, dsigAlg, payload, rr) +} + +func dispatchEdDSASign(key any, dsigAlg string, payload []byte, rr io.Reader) ([]byte, error) { + // Try crypto.Signer first (dsig can handle it directly) + if signer, ok := key.(crypto.Signer); ok { + // Verify it's an EdDSA key + if _, ok := signer.Public().(ed25519.PublicKey); ok { + return dsig.Sign(signer, dsigAlg, payload, rr) + } + } + + // Fall back to concrete key types + var privkey ed25519.PrivateKey + if err := keyconv.Ed25519PrivateKey(&privkey, key); err != nil { + return nil, fmt.Errorf(`jwsbb.Sign: invalid key type %T. ed25519.PrivateKey is required: %w`, key, err) + } + + return dsig.Sign(privkey, dsigAlg, payload, rr) } diff --git a/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/verify.go b/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/verify.go index 85121199f..bac3ff487 100644 --- a/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/verify.go +++ b/vendor/github.com/lestrrat-go/jwx/v3/jws/jwsbb/verify.go @@ -7,6 +7,7 @@ import ( "crypto/rsa" "fmt" + "github.com/lestrrat-go/dsig" "github.com/lestrrat-go/jwx/v3/internal/keyconv" ) @@ -15,113 +16,90 @@ import ( // This function loads the verifier registered in the jwsbb package _ONLY_. // It does not support custom verifiers that the user might have registered. func Verify(key any, alg string, payload, signature []byte) error { - switch { - case isSupportedHMACAlgorithm(alg): - return dispatchHMACVerify(key, alg, payload, signature) - case isSuppotedRSAAlgorithm(alg): - return dispatchRSAVerify(key, alg, payload, signature) - case isSuppotedECDSAAlgorithm(alg): - return dispatchECDSAVerify(key, alg, payload, signature) - case isSupportedEdDSAAlgorithm(alg): - return dispatchEdDSAVerify(key, alg, payload, signature) + dsigAlg, ok := getDsigAlgorithm(alg) + if !ok { + return fmt.Errorf(`jwsbb.Verify: unsupported signature algorithm %q`, alg) } - return fmt.Errorf(`jwsbb.Verify: unsupported signature algorithm %q`, alg) + // Get dsig algorithm info to determine key conversion strategy + dsigInfo, ok := dsig.GetAlgorithmInfo(dsigAlg) + if !ok { + return fmt.Errorf(`jwsbb.Verify: dsig algorithm %q not registered`, dsigAlg) + } + + switch dsigInfo.Family { + case dsig.HMAC: + return dispatchHMACVerify(key, dsigAlg, payload, signature) + case dsig.RSA: + return dispatchRSAVerify(key, dsigAlg, payload, signature) + case dsig.ECDSA: + return dispatchECDSAVerify(key, dsigAlg, payload, signature) + case dsig.EdDSAFamily: + return dispatchEdDSAVerify(key, dsigAlg, payload, signature) + default: + return fmt.Errorf(`jwsbb.Verify: unsupported dsig algorithm family %q`, dsigInfo.Family) + } } -func dispatchHMACVerify(key any, alg string, payload, signature []byte) error { - h, err := HMACHashFuncFor(alg) - if err != nil { - return fmt.Errorf(`jwsbb.Verify: failed to get hash function for %s: %w`, alg, err) - } - +func dispatchHMACVerify(key any, dsigAlg string, payload, signature []byte) error { var hmackey []byte - if err := toHMACKey(&hmackey, key); err != nil { - return fmt.Errorf(`jwsbb.Verify: %w`, err) + if err := keyconv.ByteSliceKey(&hmackey, key); err != nil { + return fmt.Errorf(`jwsbb.Verify: invalid key type %T. []byte is required: %w`, key, err) } - return VerifyHMAC(hmackey, payload, signature, h) + + return dsig.Verify(hmackey, dsigAlg, payload, signature) } -func dispatchRSAVerify(key any, alg string, payload, signature []byte) error { - h, pss, err := RSAHashFuncFor(alg) - if err != nil { - return fmt.Errorf(`jwsbb.Verify: failed to get hash function for %s: %w`, alg, err) +func dispatchRSAVerify(key any, dsigAlg string, payload, signature []byte) error { + // Try crypto.Signer first (dsig can handle it directly) + if signer, ok := key.(crypto.Signer); ok { + // Verify it's an RSA key + if _, ok := signer.Public().(*rsa.PublicKey); ok { + return dsig.Verify(signer, dsigAlg, payload, signature) + } } + // Fall back to concrete key types var pubkey *rsa.PublicKey - - if cs, ok := key.(crypto.Signer); ok { - cpub := cs.Public() - switch cpub := cpub.(type) { - case rsa.PublicKey: - pubkey = &cpub - case *rsa.PublicKey: - pubkey = cpub - default: - return fmt.Errorf(`jwsbb.Verify: failed to retrieve rsa.PublicKey out of crypto.Signer %T`, key) - } - } else { - if err := keyconv.RSAPublicKey(&pubkey, key); err != nil { - return fmt.Errorf(`jwsbb.Verify: failed to retrieve rsa.PublicKey out of %T: %w`, key, err) - } + if err := keyconv.RSAPublicKey(&pubkey, key); err != nil { + return fmt.Errorf(`jwsbb.Verify: invalid key type %T. *rsa.PublicKey is required: %w`, key, err) } - return VerifyRSA(pubkey, payload, signature, h, pss) + return dsig.Verify(pubkey, dsigAlg, payload, signature) } -func dispatchECDSAVerify(key any, alg string, payload, signature []byte) error { - h, err := ECDSAHashFuncFor(alg) - if err != nil { - return fmt.Errorf(`jwsbb.Verify: failed to get hash function for %s: %w`, alg, err) - } - - pubkey, cs, isCryptoSigner, err := ecdsaGetVerifierKey(key) - if err != nil { - return fmt.Errorf(`jwsbb.Verify: %w`, err) - } - if isCryptoSigner { - return VerifyECDSACryptoSigner(cs, payload, signature, h) - } - return VerifyECDSA(pubkey, payload, signature, h) -} - -func dispatchEdDSAVerify(key any, _ string, payload, signature []byte) error { - var pubkey ed25519.PublicKey - signer, ok := key.(crypto.Signer) - if ok { - v := signer.Public() - pubkey, ok = v.(ed25519.PublicKey) - if !ok { - return fmt.Errorf(`jwsbb.Verify: expected crypto.Signer.Public() to return ed25519.PublicKey, but got %T`, v) - } - } else { - if err := keyconv.Ed25519PublicKey(&pubkey, key); err != nil { - return fmt.Errorf(`jwsbb.Verify: failed to retrieve ed25519.PublicKey out of %T: %w`, key, err) +func dispatchECDSAVerify(key any, dsigAlg string, payload, signature []byte) error { + // Try crypto.Signer first (dsig can handle it directly) + if signer, ok := key.(crypto.Signer); ok { + // Verify it's an ECDSA key + if _, ok := signer.Public().(*ecdsa.PublicKey); ok { + return dsig.Verify(signer, dsigAlg, payload, signature) } } - return VerifyEdDSA(pubkey, payload, signature) -} - -func ecdsaGetVerifierKey(key any) (*ecdsa.PublicKey, crypto.Signer, bool, error) { - cs, isCryptoSigner := key.(crypto.Signer) - if isCryptoSigner { - switch key.(type) { - case ecdsa.PublicKey, *ecdsa.PublicKey: - // if it's ecdsa.PublicKey, it's more efficient to - // go through the non-crypto.Signer route. Set isCryptoSigner to false - isCryptoSigner = false - } - } - - if isCryptoSigner { - return nil, cs, true, nil - } - + // Fall back to concrete key types var pubkey *ecdsa.PublicKey if err := keyconv.ECDSAPublicKey(&pubkey, key); err != nil { - return nil, nil, false, fmt.Errorf(`invalid key type %T. ecdsa.PublicKey is required: %w`, key, err) + return fmt.Errorf(`jwsbb.Verify: invalid key type %T. *ecdsa.PublicKey is required: %w`, key, err) } - return pubkey, nil, false, nil + return dsig.Verify(pubkey, dsigAlg, payload, signature) +} + +func dispatchEdDSAVerify(key any, dsigAlg string, payload, signature []byte) error { + // Try crypto.Signer first (dsig can handle it directly) + if signer, ok := key.(crypto.Signer); ok { + // Verify it's an EdDSA key + if _, ok := signer.Public().(ed25519.PublicKey); ok { + return dsig.Verify(signer, dsigAlg, payload, signature) + } + } + + // Fall back to concrete key types + var pubkey ed25519.PublicKey + if err := keyconv.Ed25519PublicKey(&pubkey, key); err != nil { + return fmt.Errorf(`jwsbb.Verify: invalid key type %T. ed25519.PublicKey is required: %w`, key, err) + } + + return dsig.Verify(pubkey, dsigAlg, payload, signature) } diff --git a/vendor/github.com/open-policy-agent/opa/capabilities/v1.9.0.json b/vendor/github.com/open-policy-agent/opa/capabilities/v1.9.0.json new file mode 100644 index 000000000..0a37621d0 --- /dev/null +++ b/vendor/github.com/open-policy-agent/opa/capabilities/v1.9.0.json @@ -0,0 +1,4867 @@ +{ + "builtins": [ + { + "name": "abs", + "decl": { + "args": [ + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "all", + "decl": { + "args": [ + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "and", + "decl": { + "args": [ + { + "of": { + "type": "any" + }, + "type": "set" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "result": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "function" + }, + "infix": "\u0026" + }, + { + "name": "any", + "decl": { + "args": [ + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "array.concat", + "decl": { + "args": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "result": { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "array.reverse", + "decl": { + "args": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "result": { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "array.slice", + "decl": { + "args": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "assign", + "decl": { + "args": [ + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "infix": ":=" + }, + { + "name": "base64.decode", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "base64.encode", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "base64.is_valid", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "base64url.decode", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "base64url.encode", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "base64url.encode_no_pad", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "bits.and", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "bits.lsh", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "bits.negate", + "decl": { + "args": [ + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "bits.or", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "bits.rsh", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "bits.xor", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "cast_array", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "cast_boolean", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "cast_null", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "null" + }, + "type": "function" + } + }, + { + "name": "cast_object", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + } + }, + { + "name": "cast_set", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "function" + } + }, + { + "name": "cast_string", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "ceil", + "decl": { + "args": [ + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "concat", + "decl": { + "args": [ + { + "type": "string" + }, + { + "of": [ + { + "dynamic": { + "type": "string" + }, + "type": "array" + }, + { + "of": { + "type": "string" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "contains", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "count", + "decl": { + "args": [ + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "crypto.hmac.equal", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "crypto.hmac.md5", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "crypto.hmac.sha1", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "crypto.hmac.sha256", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "crypto.hmac.sha512", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "crypto.md5", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "crypto.parse_private_keys", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "dynamic": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "crypto.sha1", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "crypto.sha256", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "crypto.x509.parse_and_verify_certificates", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "static": [ + { + "type": "boolean" + }, + { + "dynamic": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "array" + } + ], + "type": "array" + }, + "type": "function" + } + }, + { + "name": "crypto.x509.parse_and_verify_certificates_with_options", + "decl": { + "args": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "result": { + "static": [ + { + "type": "boolean" + }, + { + "dynamic": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "array" + } + ], + "type": "array" + }, + "type": "function" + } + }, + { + "name": "crypto.x509.parse_certificate_request", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + } + }, + { + "name": "crypto.x509.parse_certificates", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "dynamic": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "crypto.x509.parse_keypair", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + } + }, + { + "name": "crypto.x509.parse_rsa_private_key", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + } + }, + { + "name": "div", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + }, + "infix": "/" + }, + { + "name": "endswith", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "eq", + "decl": { + "args": [ + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "infix": "=" + }, + { + "name": "equal", + "decl": { + "args": [ + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "infix": "==" + }, + { + "name": "floor", + "decl": { + "args": [ + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "format_int", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "glob.match", + "decl": { + "args": [ + { + "type": "string" + }, + { + "of": [ + { + "type": "null" + }, + { + "dynamic": { + "type": "string" + }, + "type": "array" + } + ], + "type": "any" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "glob.quote_meta", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "graph.reachable", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + }, + "type": "object" + }, + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "function" + } + }, + { + "name": "graph.reachable_paths", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + }, + "type": "object" + }, + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "of": { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + "type": "set" + }, + "type": "function" + } + }, + { + "name": "graphql.is_valid", + "decl": { + "args": [ + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "any" + }, + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "graphql.parse", + "decl": { + "args": [ + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "any" + }, + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "any" + } + ], + "result": { + "static": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "array" + }, + "type": "function" + } + }, + { + "name": "graphql.parse_and_verify", + "decl": { + "args": [ + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "any" + }, + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "any" + } + ], + "result": { + "static": [ + { + "type": "boolean" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "array" + }, + "type": "function" + } + }, + { + "name": "graphql.parse_query", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + } + }, + { + "name": "graphql.parse_schema", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + } + }, + { + "name": "graphql.schema_is_valid", + "decl": { + "args": [ + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "gt", + "decl": { + "args": [ + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "infix": "\u003e" + }, + { + "name": "gte", + "decl": { + "args": [ + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "infix": "\u003e=" + }, + { + "name": "hex.decode", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "hex.encode", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "http.send", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "result": { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + }, + "nondeterministic": true + }, + { + "name": "indexof", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "indexof_n", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "dynamic": { + "type": "number" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "internal.member_2", + "decl": { + "args": [ + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "infix": "in" + }, + { + "name": "internal.member_3", + "decl": { + "args": [ + { + "type": "any" + }, + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "infix": "in" + }, + { + "name": "internal.print", + "decl": { + "args": [ + { + "dynamic": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "array" + } + ], + "type": "function" + } + }, + { + "name": "internal.test_case", + "decl": { + "args": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "function" + } + }, + { + "name": "intersection", + "decl": { + "args": [ + { + "of": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "set" + } + ], + "result": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "function" + } + }, + { + "name": "io.jwt.decode", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "static": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "type": "string" + } + ], + "type": "array" + }, + "type": "function" + } + }, + { + "name": "io.jwt.decode_verify", + "decl": { + "args": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "result": { + "static": [ + { + "type": "boolean" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "array" + }, + "type": "function" + }, + "nondeterministic": true + }, + { + "name": "io.jwt.encode_sign", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "result": { + "type": "string" + }, + "type": "function" + }, + "nondeterministic": true + }, + { + "name": "io.jwt.encode_sign_raw", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + }, + "nondeterministic": true + }, + { + "name": "io.jwt.verify_eddsa", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_es256", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_es384", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_es512", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_hs256", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_hs384", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_hs512", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_ps256", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_ps384", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_ps512", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_rs256", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_rs384", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "io.jwt.verify_rs512", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "is_array", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "is_boolean", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "is_null", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "is_number", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "is_object", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "is_set", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "is_string", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "json.filter", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "of": [ + { + "dynamic": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "any" + }, + "type": "array" + }, + { + "of": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "json.is_valid", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "json.marshal", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "json.marshal_with_options", + "decl": { + "args": [ + { + "type": "any" + }, + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "static": [ + { + "key": "indent", + "value": { + "type": "string" + } + }, + { + "key": "prefix", + "value": { + "type": "string" + } + }, + { + "key": "pretty", + "value": { + "type": "boolean" + } + } + ], + "type": "object" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "json.match_schema", + "decl": { + "args": [ + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "any" + }, + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "any" + } + ], + "result": { + "static": [ + { + "type": "boolean" + }, + { + "dynamic": { + "static": [ + { + "key": "desc", + "value": { + "type": "string" + } + }, + { + "key": "error", + "value": { + "type": "string" + } + }, + { + "key": "field", + "value": { + "type": "string" + } + }, + { + "key": "type", + "value": { + "type": "string" + } + } + ], + "type": "object" + }, + "type": "array" + } + ], + "type": "array" + }, + "type": "function" + } + }, + { + "name": "json.patch", + "decl": { + "args": [ + { + "type": "any" + }, + { + "dynamic": { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "static": [ + { + "key": "op", + "value": { + "type": "string" + } + }, + { + "key": "path", + "value": { + "type": "any" + } + } + ], + "type": "object" + }, + "type": "array" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "json.remove", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "of": [ + { + "dynamic": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "any" + }, + "type": "array" + }, + { + "of": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "json.unmarshal", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "json.verify_schema", + "decl": { + "args": [ + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "type": "any" + } + ], + "result": { + "static": [ + { + "type": "boolean" + }, + { + "of": [ + { + "type": "null" + }, + { + "type": "string" + } + ], + "type": "any" + } + ], + "type": "array" + }, + "type": "function" + } + }, + { + "name": "lower", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "lt", + "decl": { + "args": [ + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "infix": "\u003c" + }, + { + "name": "lte", + "decl": { + "args": [ + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "infix": "\u003c=" + }, + { + "name": "max", + "decl": { + "args": [ + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "min", + "decl": { + "args": [ + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "minus", + "decl": { + "args": [ + { + "of": [ + { + "type": "number" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + }, + { + "of": [ + { + "type": "number" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "of": [ + { + "type": "number" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + }, + "type": "function" + }, + "infix": "-" + }, + { + "name": "mul", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + }, + "infix": "*" + }, + { + "name": "neq", + "decl": { + "args": [ + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + }, + "infix": "!=" + }, + { + "name": "net.cidr_contains", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "net.cidr_contains_matches", + "decl": { + "args": [ + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "any" + }, + "type": "array" + }, + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "any" + } + }, + "type": "object" + }, + { + "of": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + }, + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "any" + }, + "type": "array" + }, + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "any" + } + }, + "type": "object" + }, + { + "of": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "of": { + "static": [ + { + "type": "any" + }, + { + "type": "any" + } + ], + "type": "array" + }, + "type": "set" + }, + "type": "function" + } + }, + { + "name": "net.cidr_expand", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "of": { + "type": "string" + }, + "type": "set" + }, + "type": "function" + } + }, + { + "name": "net.cidr_intersects", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "net.cidr_is_valid", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "net.cidr_merge", + "decl": { + "args": [ + { + "of": [ + { + "dynamic": { + "of": [ + { + "type": "string" + } + ], + "type": "any" + }, + "type": "array" + }, + { + "of": { + "type": "string" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "of": { + "type": "string" + }, + "type": "set" + }, + "type": "function" + } + }, + { + "name": "net.cidr_overlap", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "net.lookup_ip_addr", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "of": { + "type": "string" + }, + "type": "set" + }, + "type": "function" + }, + "nondeterministic": true + }, + { + "name": "numbers.range", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "dynamic": { + "type": "number" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "numbers.range_step", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "dynamic": { + "type": "number" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "object.filter", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "object.get", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "type": "any" + }, + { + "type": "any" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "object.keys", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "result": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "function" + } + }, + { + "name": "object.remove", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "object.subset", + "decl": { + "args": [ + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + }, + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "object.union", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "object.union_n", + "decl": { + "args": [ + { + "dynamic": { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "array" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "opa.runtime", + "decl": { + "result": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + }, + "nondeterministic": true + }, + { + "name": "or", + "decl": { + "args": [ + { + "of": { + "type": "any" + }, + "type": "set" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "result": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "function" + }, + "infix": "|" + }, + { + "name": "plus", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + }, + "infix": "+" + }, + { + "name": "print", + "decl": { + "type": "function", + "variadic": { + "type": "any" + } + } + }, + { + "name": "product", + "decl": { + "args": [ + { + "of": [ + { + "dynamic": { + "type": "number" + }, + "type": "array" + }, + { + "of": { + "type": "number" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "providers.aws.sign_req", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + { + "type": "number" + } + ], + "result": { + "dynamic": { + "key": { + "type": "any" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + } + }, + { + "name": "rand.intn", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + }, + "nondeterministic": true + }, + { + "name": "re_match", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "regex.find_all_string_submatch_n", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "number" + } + ], + "result": { + "dynamic": { + "dynamic": { + "type": "string" + }, + "type": "array" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "regex.find_n", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "number" + } + ], + "result": { + "dynamic": { + "type": "string" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "regex.globs_match", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "regex.is_valid", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "regex.match", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "regex.replace", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "regex.split", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "dynamic": { + "type": "string" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "regex.template_match", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "rego.metadata.chain", + "decl": { + "result": { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "rego.metadata.rule", + "decl": { + "result": { + "type": "any" + }, + "type": "function" + } + }, + { + "name": "rego.parse_module", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + } + }, + { + "name": "rem", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + }, + "infix": "%" + }, + { + "name": "replace", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "round", + "decl": { + "args": [ + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "semver.compare", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "semver.is_valid", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "set_diff", + "decl": { + "args": [ + { + "of": { + "type": "any" + }, + "type": "set" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "result": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "function" + } + }, + { + "name": "sort", + "decl": { + "args": [ + { + "of": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "of": { + "type": "any" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "split", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "dynamic": { + "type": "string" + }, + "type": "array" + }, + "type": "function" + } + }, + { + "name": "sprintf", + "decl": { + "args": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "any" + }, + "type": "array" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "startswith", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "strings.any_prefix_match", + "decl": { + "args": [ + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "string" + }, + "type": "array" + }, + { + "of": { + "type": "string" + }, + "type": "set" + } + ], + "type": "any" + }, + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "string" + }, + "type": "array" + }, + { + "of": { + "type": "string" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "strings.any_suffix_match", + "decl": { + "args": [ + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "string" + }, + "type": "array" + }, + { + "of": { + "type": "string" + }, + "type": "set" + } + ], + "type": "any" + }, + { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "string" + }, + "type": "array" + }, + { + "of": { + "type": "string" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "strings.count", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "strings.render_template", + "decl": { + "args": [ + { + "type": "string" + }, + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "strings.replace_n", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "strings.reverse", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "substring", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "sum", + "decl": { + "args": [ + { + "of": [ + { + "dynamic": { + "type": "number" + }, + "type": "array" + }, + { + "of": { + "type": "number" + }, + "type": "set" + } + ], + "type": "any" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "time.add_date", + "decl": { + "args": [ + { + "type": "number" + }, + { + "type": "number" + }, + { + "type": "number" + }, + { + "type": "number" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "time.clock", + "decl": { + "args": [ + { + "of": [ + { + "type": "number" + }, + { + "static": [ + { + "type": "number" + }, + { + "type": "string" + } + ], + "type": "array" + } + ], + "type": "any" + } + ], + "result": { + "static": [ + { + "type": "number" + }, + { + "type": "number" + }, + { + "type": "number" + } + ], + "type": "array" + }, + "type": "function" + } + }, + { + "name": "time.date", + "decl": { + "args": [ + { + "of": [ + { + "type": "number" + }, + { + "static": [ + { + "type": "number" + }, + { + "type": "string" + } + ], + "type": "array" + } + ], + "type": "any" + } + ], + "result": { + "static": [ + { + "type": "number" + }, + { + "type": "number" + }, + { + "type": "number" + } + ], + "type": "array" + }, + "type": "function" + } + }, + { + "name": "time.diff", + "decl": { + "args": [ + { + "of": [ + { + "type": "number" + }, + { + "static": [ + { + "type": "number" + }, + { + "type": "string" + } + ], + "type": "array" + } + ], + "type": "any" + }, + { + "of": [ + { + "type": "number" + }, + { + "static": [ + { + "type": "number" + }, + { + "type": "string" + } + ], + "type": "array" + } + ], + "type": "any" + } + ], + "result": { + "static": [ + { + "type": "number" + }, + { + "type": "number" + }, + { + "type": "number" + }, + { + "type": "number" + }, + { + "type": "number" + }, + { + "type": "number" + } + ], + "type": "array" + }, + "type": "function" + } + }, + { + "name": "time.format", + "decl": { + "args": [ + { + "of": [ + { + "type": "number" + }, + { + "static": [ + { + "type": "number" + }, + { + "type": "string" + } + ], + "type": "array" + }, + { + "static": [ + { + "type": "number" + }, + { + "type": "string" + }, + { + "type": "string" + } + ], + "type": "array" + } + ], + "type": "any" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "time.now_ns", + "decl": { + "result": { + "type": "number" + }, + "type": "function" + }, + "nondeterministic": true + }, + { + "name": "time.parse_duration_ns", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "time.parse_ns", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "time.parse_rfc3339_ns", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "time.weekday", + "decl": { + "args": [ + { + "of": [ + { + "type": "number" + }, + { + "static": [ + { + "type": "number" + }, + { + "type": "string" + } + ], + "type": "array" + } + ], + "type": "any" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "to_number", + "decl": { + "args": [ + { + "of": [ + { + "type": "null" + }, + { + "type": "boolean" + }, + { + "type": "number" + }, + { + "type": "string" + } + ], + "type": "any" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "trace", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "trim", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "trim_left", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "trim_prefix", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "trim_right", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "trim_space", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "trim_suffix", + "decl": { + "args": [ + { + "type": "string" + }, + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "type_name", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "union", + "decl": { + "args": [ + { + "of": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "set" + } + ], + "result": { + "of": { + "type": "any" + }, + "type": "set" + }, + "type": "function" + } + }, + { + "name": "units.parse", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "units.parse_bytes", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "number" + }, + "type": "function" + } + }, + { + "name": "upper", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "urlquery.decode", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "urlquery.decode_object", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "dynamic": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "function" + } + }, + { + "name": "urlquery.encode", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "urlquery.encode_object", + "decl": { + "args": [ + { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "of": [ + { + "type": "string" + }, + { + "dynamic": { + "type": "string" + }, + "type": "array" + }, + { + "of": { + "type": "string" + }, + "type": "set" + } + ], + "type": "any" + } + }, + "type": "object" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "uuid.parse", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "dynamic": { + "key": { + "type": "string" + }, + "value": { + "type": "any" + } + }, + "type": "object" + }, + "type": "function" + } + }, + { + "name": "uuid.rfc4122", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "string" + }, + "type": "function" + }, + "nondeterministic": true + }, + { + "name": "walk", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "static": [ + { + "dynamic": { + "type": "any" + }, + "type": "array" + }, + { + "type": "any" + } + ], + "type": "array" + }, + "type": "function" + }, + "relation": true + }, + { + "name": "yaml.is_valid", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "boolean" + }, + "type": "function" + } + }, + { + "name": "yaml.marshal", + "decl": { + "args": [ + { + "type": "any" + } + ], + "result": { + "type": "string" + }, + "type": "function" + } + }, + { + "name": "yaml.unmarshal", + "decl": { + "args": [ + { + "type": "string" + } + ], + "result": { + "type": "any" + }, + "type": "function" + } + } + ], + "wasm_abi_versions": [ + { + "version": 1, + "minor_version": 1 + }, + { + "version": 1, + "minor_version": 2 + } + ], + "features": [ + "keywords_in_refs", + "rego_v1" + ] +} diff --git a/vendor/github.com/open-policy-agent/opa/internal/runtime/init/init.go b/vendor/github.com/open-policy-agent/opa/internal/runtime/init/init.go index 4f93a4f12..530deadb9 100644 --- a/vendor/github.com/open-policy-agent/opa/internal/runtime/init/init.go +++ b/vendor/github.com/open-policy-agent/opa/internal/runtime/init/init.go @@ -176,7 +176,7 @@ func LoadPathsForRegoVersion(regoVersion ast.RegoVersion, } } - if len(nonBundlePaths) == 0 { + if asBundle { return &result, nil } diff --git a/vendor/github.com/open-policy-agent/opa/v1/ast/annotations.go b/vendor/github.com/open-policy-agent/opa/v1/ast/annotations.go index 3465f0808..36f854c61 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/ast/annotations.go +++ b/vendor/github.com/open-policy-agent/opa/v1/ast/annotations.go @@ -34,6 +34,7 @@ type ( RelatedResources []*RelatedResourceAnnotation `json:"related_resources,omitempty"` Authors []*AuthorAnnotation `json:"authors,omitempty"` Schemas []*SchemaAnnotation `json:"schemas,omitempty"` + Compile *CompileAnnotation `json:"compile,omitempty"` Custom map[string]any `json:"custom,omitempty"` Location *Location `json:"location,omitempty"` @@ -48,6 +49,11 @@ type ( Definition *any `json:"definition,omitempty"` } + CompileAnnotation struct { + Unknowns []Ref `json:"unknowns,omitempty"` + MaskRule Ref `json:"mask_rule,omitempty"` // NOTE: This doesn't need to start with "data.package", it can be relative + } + AuthorAnnotation struct { Name string `json:"name"` Email string `json:"email,omitempty"` @@ -151,6 +157,10 @@ func (a *Annotations) Compare(other *Annotations) int { return cmp } + if cmp := a.Compile.Compare(other.Compile); cmp != 0 { + return cmp + } + if a.Entrypoint != other.Entrypoint { if a.Entrypoint { return 1 @@ -403,6 +413,8 @@ func (a *Annotations) Copy(node Node) *Annotations { cpy.Schemas[i] = a.Schemas[i].Copy() } + cpy.Compile = a.Compile.Copy() + if a.Custom != nil { cpy.Custom = deepcopy.Map(a.Custom) } @@ -716,6 +728,44 @@ func (s *SchemaAnnotation) String() string { return string(bs) } +// Copy returns a deep copy of s. +func (c *CompileAnnotation) Copy() *CompileAnnotation { + if c == nil { + return nil + } + cpy := *c + for i := range c.Unknowns { + cpy.Unknowns[i] = c.Unknowns[i].Copy() + } + return &cpy +} + +// Compare returns an integer indicating if s is less than, equal to, or greater +// than other. +func (c *CompileAnnotation) Compare(other *CompileAnnotation) int { + switch { + case c == nil && other == nil: + return 0 + case c != nil && other == nil: + return 1 + case c == nil && other != nil: + return -1 + } + + if cmp := slices.CompareFunc(c.Unknowns, other.Unknowns, + func(x, y Ref) int { + return x.Compare(y) + }); cmp != 0 { + return cmp + } + return c.MaskRule.Compare(other.MaskRule) +} + +func (c *CompileAnnotation) String() string { + bs, _ := json.Marshal(c) + return string(bs) +} + func newAnnotationSet() *AnnotationSet { return &AnnotationSet{ byRule: map[*Rule][]*Annotations{}, diff --git a/vendor/github.com/open-policy-agent/opa/v1/ast/index.go b/vendor/github.com/open-policy-agent/opa/v1/ast/index.go index bcaf4a706..845447b6d 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/ast/index.go +++ b/vendor/github.com/open-policy-agent/opa/v1/ast/index.go @@ -213,7 +213,7 @@ func (i *baseDocEqIndex) Lookup(resolver ValueResolver) (*IndexResult, error) { return result, nil } -func (i *baseDocEqIndex) AllRules(_ ValueResolver) (*IndexResult, error) { +func (i *baseDocEqIndex) AllRules(ValueResolver) (*IndexResult, error) { tr := newTrieTraversalResult() // Walk over the rule trie and accumulate _all_ rules @@ -285,33 +285,51 @@ func newrefindices(isVirtual func(Ref) bool) *refindices { } } +// anyValue is a fake variable we used to put "naked ref" expressions +// into the rule index +var anyValue = Var("__any__") + // Update attempts to update the refindices for the given expression in the // given rule. If the expression cannot be indexed the update does not affect // the indices. func (i *refindices) Update(rule *Rule, expr *Expr) { - if expr.Negated { - return - } - if len(expr.With) > 0 { // NOTE(tsandall): In the future, we may need to consider expressions // that have with statements applied to them. return } - op := expr.Operator() + if expr.Negated { + // NOTE(sr): We could try to cover simple expressions, like + // not input.funky => input.funky == false or undefined (two refindex?) + return + } + op := expr.Operator() + if op == nil { + if ts, ok := expr.Terms.(*Term); ok { + // NOTE(sr): If we wanted to cover function args, we'd need to also + // check for type "Var" here. But since it's impossible to call a + // function with a undefined argument, there's no point to recording + // "needs to be anything" for function args + if ref, ok := ts.Value.(Ref); ok { // "naked ref" + i.updateEq(rule, ref, anyValue) + } + } + } + + a, b := expr.Operand(0), expr.Operand(1) switch { case op.Equal(equalityRef): - i.updateEq(rule, expr) + i.updateEq(rule, a.Value, b.Value) case op.Equal(equalRef) && len(expr.Operands()) == 2: // NOTE(tsandall): if equal() is called with more than two arguments the // output value is being captured in which case the indexer cannot // exclude the rule if the equal() call would return false (because the // false value must still be produced.) - i.updateEq(rule, expr) + i.updateEq(rule, a.Value, b.Value) case op.Equal(globMatchRef) && len(expr.Operands()) == 3: // NOTE(sr): Same as with equal() above -- 4 operands means the output @@ -366,8 +384,7 @@ func (i *refindices) Mapper(rule *Rule, ref Ref) *valueMapper { return nil } -func (i *refindices) updateEq(rule *Rule, expr *Expr) { - a, b := expr.Operand(0), expr.Operand(1) +func (i *refindices) updateEq(rule *Rule, a, b Value) { args := rule.Head.Args if idx, ok := eqOperandsToRefAndValue(i.isVirtual, args, a, b); ok { i.insert(rule, idx) @@ -426,12 +443,7 @@ func (i *refindices) updateGlobMatch(rule *Rule, expr *Expr) { } func (i *refindices) insert(rule *Rule, index *refindex) { - - count, ok := i.frequency.Get(index.Ref) - if !ok { - count = 0 - } - + count, _ := i.frequency.Get(index.Ref) i.frequency.Put(index.Ref, count+1) for pos, other := range i.rules[rule] { @@ -454,7 +466,7 @@ func (i *refindices) index(rule *Rule, ref Ref) *refindex { } type trieWalker interface { - Do(x any) trieWalker + Do(any) trieWalker } type trieTraversalResult struct { @@ -816,11 +828,11 @@ func (node *trieNode) traverseUnknown(resolver ValueResolver, tr *trieTraversalR // for the argument number. So for `f(x, y) { x = 10; y = 12 }`, we'll // bind `args[0]` and `args[1]` to this rule when called for (x=10) and // (y=12) respectively. -func eqOperandsToRefAndValue(isVirtual func(Ref) bool, args []*Term, a, b *Term) (*refindex, bool) { - switch v := a.Value.(type) { +func eqOperandsToRefAndValue(isVirtual func(Ref) bool, args []*Term, a, b Value) (*refindex, bool) { + switch v := a.(type) { case Var: for i, arg := range args { - if arg.Value.Compare(a.Value) == 0 { + if arg.Value.Compare(a) == 0 { if bval, ok := indexValue(b); ok { return &refindex{Ref: Ref{FunctionArgRootDocument, InternedTerm(i)}, Value: bval}, true } @@ -843,8 +855,8 @@ func eqOperandsToRefAndValue(isVirtual func(Ref) bool, args []*Term, a, b *Term) return nil, false } -func indexValue(b *Term) (Value, bool) { - switch b := b.Value.(type) { +func indexValue(b Value) (Value, bool) { + switch b := b.(type) { case Null, Boolean, Number, String, Var: return b, true case *Array: diff --git a/vendor/github.com/open-policy-agent/opa/v1/ast/parser.go b/vendor/github.com/open-policy-agent/opa/v1/ast/parser.go index d897952ea..1599a7355 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/ast/parser.go +++ b/vendor/github.com/open-policy-agent/opa/v1/ast/parser.go @@ -1259,23 +1259,25 @@ func (p *Parser) parseLiteralExpr(negated bool) *Expr { return nil } } - // If we find a plain `every` identifier, attempt to parse an every expression, - // add hint if it succeeds. - if term, ok := expr.Terms.(*Term); ok && Var("every").Equal(term.Value) { - var hint bool - t := p.save() - p.restore(s) - if expr := p.futureParser().parseEvery(); expr != nil { - _, hint = expr.Terms.(*Every) - } - p.restore(t) - if hint { - p.hint("`import future.keywords.every` for `every x in xs { ... }` expressions") + + if p.isFutureKeyword("every") { + // If we find a plain `every` identifier, attempt to parse an every expression, + // add hint if it succeeds. + if term, ok := expr.Terms.(*Term); ok && Var("every").Equal(term.Value) { + var hint bool + t := p.save() + p.restore(s) + if expr := p.futureParser().parseEvery(); expr != nil { + _, hint = expr.Terms.(*Every) + } + p.restore(t) + if hint { + p.hint("`import future.keywords.every` for `every x in xs { ... }` expressions") + } } } - return expr } - return nil + return expr } func (p *Parser) parseWith() []*With { @@ -1368,26 +1370,28 @@ func (p *Parser) parseSome() *Expr { } p.restore(s) - s = p.save() // new copy for later - var hint bool - p.scan() - if term := p.futureParser().parseTermInfixCall(); term != nil { - if call, ok := term.Value.(Call); ok { - switch call[0].String() { - case Member.Name, MemberWithKey.Name: - hint = true + + if p.isFutureKeyword("in") { + s = p.save() // new copy for later + var hint bool + p.scan() + if term := p.futureParser().parseTermInfixCall(); term != nil { + if call, ok := term.Value.(Call); ok { + switch call[0].String() { + case Member.Name, MemberWithKey.Name: + hint = true + } } } + + // go on as before, it's `some x[...]` or illegal + p.restore(s) + if hint { + p.hint("`import future.keywords.in` for `some x in xs` expressions") + } } - // go on as before, it's `some x[...]` or illegal - p.restore(s) - if hint { - p.hint("`import future.keywords.in` for `some x in xs` expressions") - } - for { // collecting var args - p.scan() if p.s.tok != tokens.Ident { @@ -2566,6 +2570,7 @@ type rawAnnotation struct { RelatedResources []any `yaml:"related_resources"` Authors []any `yaml:"authors"` Schemas []map[string]any `yaml:"schemas"` + Compile map[string]any `yaml:"compile"` Custom map[string]any `yaml:"custom"` } @@ -2633,6 +2638,40 @@ func (b *metadataParser) Parse() (*Annotations, error) { result.RelatedResources = append(result.RelatedResources, rr) } + if raw.Compile != nil { + result.Compile = &CompileAnnotation{} + if unknowns, ok := raw.Compile["unknowns"]; ok { + if unknowns, ok := unknowns.([]any); ok { + result.Compile.Unknowns = make([]Ref, len(unknowns)) + for i := range unknowns { + if unknown, ok := unknowns[i].(string); ok { + ref, err := ParseRef(unknown) + if err != nil { + return nil, fmt.Errorf("invalid unknowns element %q: %w", unknown, err) + } + result.Compile.Unknowns[i] = ref + } + } + } + } + if mask, ok := raw.Compile["mask_rule"]; ok { + if mask, ok := mask.(string); ok { + maskTerm, err := ParseTerm(mask) + if err != nil { + return nil, fmt.Errorf("invalid mask_rule annotation %q: %w", mask, err) + } + switch v := maskTerm.Value.(type) { + case Var, String: + result.Compile.MaskRule = Ref{maskTerm} + case Ref: + result.Compile.MaskRule = v + default: + return nil, fmt.Errorf("invalid mask_rule annotation type %q: %[1]T", mask) + } + } + } + } + for _, pair := range raw.Schemas { k, v := unwrapPair(pair) @@ -2916,6 +2955,11 @@ func IsFutureKeywordForRegoVersion(s string, v RegoVersion) bool { return yes } +// isFutureKeyword answers if keyword is from the "future" with the parser options set. +func (p *Parser) isFutureKeyword(s string) bool { + return IsFutureKeywordForRegoVersion(s, p.po.RegoVersion) +} + func (p *Parser) futureImport(imp *Import, allowedFutureKeywords map[string]tokens.Token) { path := imp.Path.Value.(Ref) diff --git a/vendor/github.com/open-policy-agent/opa/v1/bundle/file.go b/vendor/github.com/open-policy-agent/opa/v1/bundle/file.go index 12e159254..d008c3d44 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/bundle/file.go +++ b/vendor/github.com/open-policy-agent/opa/v1/bundle/file.go @@ -462,7 +462,7 @@ func (it *iterator) Next() (*storage.Update, error) { f := it.files[it.idx] it.idx++ - isPolicy := false + var isPolicy bool if strings.HasSuffix(f.name, RegoExt) { isPolicy = true } diff --git a/vendor/github.com/open-policy-agent/opa/v1/metrics/metrics.go b/vendor/github.com/open-policy-agent/opa/v1/metrics/metrics.go index 316ffe789..481f27337 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/metrics/metrics.go +++ b/vendor/github.com/open-policy-agent/opa/v1/metrics/metrics.go @@ -19,21 +19,27 @@ import ( // Well-known metric names. const ( - BundleRequest = "bundle_request" - ServerHandler = "server_handler" - ServerQueryCacheHit = "server_query_cache_hit" - SDKDecisionEval = "sdk_decision_eval" - RegoQueryCompile = "rego_query_compile" - RegoQueryEval = "rego_query_eval" - RegoQueryParse = "rego_query_parse" - RegoModuleParse = "rego_module_parse" - RegoDataParse = "rego_data_parse" - RegoModuleCompile = "rego_module_compile" - RegoPartialEval = "rego_partial_eval" - RegoInputParse = "rego_input_parse" - RegoLoadFiles = "rego_load_files" - RegoLoadBundles = "rego_load_bundles" - RegoExternalResolve = "rego_external_resolve" + BundleRequest = "bundle_request" + ServerHandler = "server_handler" + ServerQueryCacheHit = "server_query_cache_hit" + SDKDecisionEval = "sdk_decision_eval" + RegoQueryCompile = "rego_query_compile" + RegoQueryEval = "rego_query_eval" + RegoQueryParse = "rego_query_parse" + RegoModuleParse = "rego_module_parse" + RegoDataParse = "rego_data_parse" + RegoModuleCompile = "rego_module_compile" + RegoPartialEval = "rego_partial_eval" + RegoInputParse = "rego_input_parse" + RegoLoadFiles = "rego_load_files" + RegoLoadBundles = "rego_load_bundles" + RegoExternalResolve = "rego_external_resolve" + CompilePrepPartial = "compile_prep_partial" + CompileEvalConstraints = "compile_eval_constraints" + CompileTranslateQueries = "compile_translate_queries" + CompileExtractAnnotationsUnknowns = "compile_extract_annotations_unknowns" + CompileExtractAnnotationsMask = "compile_extract_annotations_mask" + CompileEvalMaskRule = "compile_eval_mask_rule" ) // Info contains attributes describing the underlying metrics provider. diff --git a/vendor/github.com/open-policy-agent/opa/v1/topdown/eval.go b/vendor/github.com/open-policy-agent/opa/v1/topdown/eval.go index f0f301e6a..4b3a9ba26 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/topdown/eval.go +++ b/vendor/github.com/open-policy-agent/opa/v1/topdown/eval.go @@ -1646,12 +1646,11 @@ func (e *eval) getRules(ref ast.Ref, args []*ast.Term) (*ast.IndexResult, error) var result *ast.IndexResult var err error + resolver.e = e if e.indexing { - resolver.e = e resolver.args = args result, err = index.Lookup(resolver) } else { - resolver.e = e result, err = index.AllRules(resolver) } if err != nil { diff --git a/vendor/github.com/open-policy-agent/opa/v1/topdown/graphql.go b/vendor/github.com/open-policy-agent/opa/v1/topdown/graphql.go index 8539a9e0d..f3bdf8e41 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/topdown/graphql.go +++ b/vendor/github.com/open-policy-agent/opa/v1/topdown/graphql.go @@ -675,7 +675,7 @@ const gqlCacheName = "graphql" func init() { - var defaultCacheEntries int = 10 + var defaultCacheEntries = 10 var graphqlCacheConfig = cache.NamedValueCacheConfig{ MaxNumEntries: &defaultCacheEntries, } diff --git a/vendor/github.com/open-policy-agent/opa/v1/topdown/http.go b/vendor/github.com/open-policy-agent/opa/v1/topdown/http.go index 36fa1572e..f7dc3dc2e 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/topdown/http.go +++ b/vendor/github.com/open-policy-agent/opa/v1/topdown/http.go @@ -99,6 +99,7 @@ var ( requiredKeys = ast.NewSet(ast.InternedTerm("method"), ast.InternedTerm("url")) httpSendLatencyMetricKey = "rego_builtin_http_send" httpSendInterQueryCacheHits = httpSendLatencyMetricKey + "_interquery_cache_hits" + httpSendNetworkRequests = httpSendLatencyMetricKey + "_network_requests" ) type httpSendKey string @@ -1535,6 +1536,9 @@ func (c *interQueryCache) ExecuteHTTPRequest() (*http.Response, error) { return nil, handleHTTPSendErr(c.bctx, err) } + // Increment counter for actual network requests + c.bctx.Metrics.Counter(httpSendNetworkRequests).Incr() + return executeHTTPRequest(c.httpReq, c.httpClient, c.req) } @@ -1586,6 +1590,10 @@ func (c *intraQueryCache) ExecuteHTTPRequest() (*http.Response, error) { if err != nil { return nil, handleHTTPSendErr(c.bctx, err) } + + // Increment counter for actual network requests + c.bctx.Metrics.Counter(httpSendNetworkRequests).Incr() + return executeHTTPRequest(httpReq, httpClient, c.req) } diff --git a/vendor/github.com/open-policy-agent/opa/v1/topdown/numbers.go b/vendor/github.com/open-policy-agent/opa/v1/topdown/numbers.go index a3f8f0854..1e05a247a 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/topdown/numbers.go +++ b/vendor/github.com/open-policy-agent/opa/v1/topdown/numbers.go @@ -15,8 +15,10 @@ import ( type randIntCachingKey string -var zero = big.NewInt(0) -var one = big.NewInt(1) +var ( + zero = big.NewInt(0) + one = big.NewInt(1) +) func builtinNumbersRange(bctx BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { if canGenerateCheapRange(operands) { @@ -45,8 +47,9 @@ func builtinNumbersRangeStep(bctx BuiltinContext, operands []*ast.Term, iter fun if canGenerateCheapRangeStep(operands) { step, _ := builtins.IntOperand(operands[2].Value, 3) if step <= 0 { - return errors.New("numbers.range_step: step must be a positive number above zero") + return errors.New("numbers.range_step: step must be a positive integer") } + return generateCheapRange(operands, step, iter) } @@ -66,7 +69,7 @@ func builtinNumbersRangeStep(bctx BuiltinContext, operands []*ast.Term, iter fun } if step.Cmp(zero) <= 0 { - return errors.New("numbers.range_step: step must be a positive number above zero") + return errors.New("numbers.range_step: step must be a positive integer") } ast, err := generateRange(bctx, x, y, step, "numbers.range_step") @@ -158,11 +161,9 @@ func generateRange(bctx BuiltinContext, x *big.Int, y *big.Int, step *big.Int, f } func builtinRandIntn(bctx BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { - strOp, err := builtins.StringOperand(operands[0].Value, 1) if err != nil { return err - } n, err := builtins.IntOperand(operands[1].Value, 2) @@ -178,7 +179,7 @@ func builtinRandIntn(bctx BuiltinContext, operands []*ast.Term, iter func(*ast.T n = -n } - var key = randIntCachingKey(fmt.Sprintf("%s-%d", strOp, n)) + key := randIntCachingKey(fmt.Sprintf("%s-%d", strOp, n)) if val, ok := bctx.Cache.Get(key); ok { return iter(val.(*ast.Term)) diff --git a/vendor/github.com/open-policy-agent/opa/v1/version/version.go b/vendor/github.com/open-policy-agent/opa/v1/version/version.go index ea6d25bbb..f8644aaba 100644 --- a/vendor/github.com/open-policy-agent/opa/v1/version/version.go +++ b/vendor/github.com/open-policy-agent/opa/v1/version/version.go @@ -10,7 +10,7 @@ import ( "runtime/debug" ) -var Version = "1.8.0" +var Version = "1.9.0" // GoVersion is the version of Go this was built with var GoVersion = runtime.Version() diff --git a/vendor/github.com/prometheus/procfs/Makefile.common b/vendor/github.com/prometheus/procfs/Makefile.common index 0ed55c2ba..4de21512f 100644 --- a/vendor/github.com/prometheus/procfs/Makefile.common +++ b/vendor/github.com/prometheus/procfs/Makefile.common @@ -33,7 +33,7 @@ GOHOSTOS ?= $(shell $(GO) env GOHOSTOS) GOHOSTARCH ?= $(shell $(GO) env GOHOSTARCH) GO_VERSION ?= $(shell $(GO) version) -GO_VERSION_NUMBER ?= $(word 3, $(GO_VERSION))Error Parsing File +GO_VERSION_NUMBER ?= $(word 3, $(GO_VERSION)) PRE_GO_111 ?= $(shell echo $(GO_VERSION_NUMBER) | grep -E 'go1\.(10|[0-9])\.') PROMU := $(FIRST_GOPATH)/bin/promu @@ -61,7 +61,8 @@ PROMU_URL := https://github.com/prometheus/promu/releases/download/v$(PROMU_ SKIP_GOLANGCI_LINT := GOLANGCI_LINT := GOLANGCI_LINT_OPTS ?= -GOLANGCI_LINT_VERSION ?= v2.0.2 +GOLANGCI_LINT_VERSION ?= v2.1.5 +GOLANGCI_FMT_OPTS ?= # golangci-lint only supports linux, darwin and windows platforms on i386/amd64/arm64. # windows isn't included here because of the path separator being different. ifeq ($(GOHOSTOS),$(filter $(GOHOSTOS),linux darwin)) @@ -156,9 +157,13 @@ $(GOTEST_DIR): @mkdir -p $@ .PHONY: common-format -common-format: +common-format: $(GOLANGCI_LINT) @echo ">> formatting code" $(GO) fmt $(pkgs) +ifdef GOLANGCI_LINT + @echo ">> formatting code with golangci-lint" + $(GOLANGCI_LINT) fmt $(GOLANGCI_FMT_OPTS) +endif .PHONY: common-vet common-vet: @@ -248,8 +253,8 @@ $(PROMU): cp $(PROMU_TMP)/promu-$(PROMU_VERSION).$(GO_BUILD_PLATFORM)/promu $(FIRST_GOPATH)/bin/promu rm -r $(PROMU_TMP) -.PHONY: proto -proto: +.PHONY: common-proto +common-proto: @echo ">> generating code from proto files" @./scripts/genproto.sh diff --git a/vendor/github.com/prometheus/procfs/mdstat.go b/vendor/github.com/prometheus/procfs/mdstat.go index 67a9d2b44..1fd4381b2 100644 --- a/vendor/github.com/prometheus/procfs/mdstat.go +++ b/vendor/github.com/prometheus/procfs/mdstat.go @@ -123,13 +123,16 @@ func parseMDStat(mdStatData []byte) ([]MDStat, error) { finish := float64(0) pct := float64(0) recovering := strings.Contains(lines[syncLineIdx], "recovery") + reshaping := strings.Contains(lines[syncLineIdx], "reshape") resyncing := strings.Contains(lines[syncLineIdx], "resync") checking := strings.Contains(lines[syncLineIdx], "check") // Append recovery and resyncing state info. - if recovering || resyncing || checking { + if recovering || resyncing || checking || reshaping { if recovering { state = "recovering" + } else if reshaping { + state = "reshaping" } else if checking { state = "checking" } else { diff --git a/vendor/github.com/prometheus/procfs/meminfo.go b/vendor/github.com/prometheus/procfs/meminfo.go index 4b2c4050a..937e1f960 100644 --- a/vendor/github.com/prometheus/procfs/meminfo.go +++ b/vendor/github.com/prometheus/procfs/meminfo.go @@ -66,6 +66,10 @@ type Meminfo struct { // Memory which has been evicted from RAM, and is temporarily // on the disk SwapFree *uint64 + // Memory consumed by the zswap backend (compressed size) + Zswap *uint64 + // Amount of anonymous memory stored in zswap (original size) + Zswapped *uint64 // Memory which is waiting to get written back to the disk Dirty *uint64 // Memory which is actively being written back to the disk @@ -85,6 +89,8 @@ type Meminfo struct { // amount of memory dedicated to the lowest level of page // tables. PageTables *uint64 + // secondary page tables. + SecPageTables *uint64 // NFS pages sent to the server, but not yet committed to // stable storage NFSUnstable *uint64 @@ -129,15 +135,18 @@ type Meminfo struct { Percpu *uint64 HardwareCorrupted *uint64 AnonHugePages *uint64 + FileHugePages *uint64 ShmemHugePages *uint64 ShmemPmdMapped *uint64 CmaTotal *uint64 CmaFree *uint64 + Unaccepted *uint64 HugePagesTotal *uint64 HugePagesFree *uint64 HugePagesRsvd *uint64 HugePagesSurp *uint64 Hugepagesize *uint64 + Hugetlb *uint64 DirectMap4k *uint64 DirectMap2M *uint64 DirectMap1G *uint64 @@ -161,6 +170,8 @@ type Meminfo struct { MlockedBytes *uint64 SwapTotalBytes *uint64 SwapFreeBytes *uint64 + ZswapBytes *uint64 + ZswappedBytes *uint64 DirtyBytes *uint64 WritebackBytes *uint64 AnonPagesBytes *uint64 @@ -171,6 +182,7 @@ type Meminfo struct { SUnreclaimBytes *uint64 KernelStackBytes *uint64 PageTablesBytes *uint64 + SecPageTablesBytes *uint64 NFSUnstableBytes *uint64 BounceBytes *uint64 WritebackTmpBytes *uint64 @@ -182,11 +194,14 @@ type Meminfo struct { PercpuBytes *uint64 HardwareCorruptedBytes *uint64 AnonHugePagesBytes *uint64 + FileHugePagesBytes *uint64 ShmemHugePagesBytes *uint64 ShmemPmdMappedBytes *uint64 CmaTotalBytes *uint64 CmaFreeBytes *uint64 + UnacceptedBytes *uint64 HugepagesizeBytes *uint64 + HugetlbBytes *uint64 DirectMap4kBytes *uint64 DirectMap2MBytes *uint64 DirectMap1GBytes *uint64 @@ -287,6 +302,12 @@ func parseMemInfo(r io.Reader) (*Meminfo, error) { case "SwapFree:": m.SwapFree = &val m.SwapFreeBytes = &valBytes + case "Zswap:": + m.Zswap = &val + m.ZswapBytes = &valBytes + case "Zswapped:": + m.Zswapped = &val + m.ZswapBytes = &valBytes case "Dirty:": m.Dirty = &val m.DirtyBytes = &valBytes @@ -317,6 +338,9 @@ func parseMemInfo(r io.Reader) (*Meminfo, error) { case "PageTables:": m.PageTables = &val m.PageTablesBytes = &valBytes + case "SecPageTables:": + m.SecPageTables = &val + m.SecPageTablesBytes = &valBytes case "NFS_Unstable:": m.NFSUnstable = &val m.NFSUnstableBytes = &valBytes @@ -350,6 +374,9 @@ func parseMemInfo(r io.Reader) (*Meminfo, error) { case "AnonHugePages:": m.AnonHugePages = &val m.AnonHugePagesBytes = &valBytes + case "FileHugePages:": + m.FileHugePages = &val + m.FileHugePagesBytes = &valBytes case "ShmemHugePages:": m.ShmemHugePages = &val m.ShmemHugePagesBytes = &valBytes @@ -362,6 +389,9 @@ func parseMemInfo(r io.Reader) (*Meminfo, error) { case "CmaFree:": m.CmaFree = &val m.CmaFreeBytes = &valBytes + case "Unaccepted:": + m.Unaccepted = &val + m.UnacceptedBytes = &valBytes case "HugePages_Total:": m.HugePagesTotal = &val case "HugePages_Free:": @@ -373,6 +403,9 @@ func parseMemInfo(r io.Reader) (*Meminfo, error) { case "Hugepagesize:": m.Hugepagesize = &val m.HugepagesizeBytes = &valBytes + case "Hugetlb:": + m.Hugetlb = &val + m.HugetlbBytes = &valBytes case "DirectMap4k:": m.DirectMap4k = &val m.DirectMap4kBytes = &valBytes diff --git a/vendor/github.com/prometheus/procfs/proc_stat.go b/vendor/github.com/prometheus/procfs/proc_stat.go index 06a8d931c..3328556bd 100644 --- a/vendor/github.com/prometheus/procfs/proc_stat.go +++ b/vendor/github.com/prometheus/procfs/proc_stat.go @@ -101,6 +101,12 @@ type ProcStat struct { RSS int // Soft limit in bytes on the rss of the process. RSSLimit uint64 + // The address above which program text can run. + StartCode uint64 + // The address below which program text can run. + EndCode uint64 + // The address of the start (i.e., bottom) of the stack. + StartStack uint64 // CPU number last executed on. Processor uint // Real-time scheduling priority, a number in the range 1 to 99 for processes @@ -177,9 +183,9 @@ func (p Proc) Stat() (ProcStat, error) { &s.VSize, &s.RSS, &s.RSSLimit, - &ignoreUint64, - &ignoreUint64, - &ignoreUint64, + &s.StartCode, + &s.EndCode, + &s.StartStack, &ignoreUint64, &ignoreUint64, &ignoreUint64, diff --git a/vendor/github.com/prometheus/procfs/proc_statm.go b/vendor/github.com/prometheus/procfs/proc_statm.go new file mode 100644 index 000000000..ed5798424 --- /dev/null +++ b/vendor/github.com/prometheus/procfs/proc_statm.go @@ -0,0 +1,116 @@ +// Copyright 2025 The Prometheus Authors +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package procfs + +import ( + "os" + "strconv" + "strings" + + "github.com/prometheus/procfs/internal/util" +) + +// - https://man7.org/linux/man-pages/man5/proc_pid_statm.5.html + +// ProcStatm Provides memory usage information for a process, measured in memory pages. +// Read from /proc/[pid]/statm. +type ProcStatm struct { + // The process ID. + PID int + // total program size (same as VmSize in status) + Size uint64 + // resident set size (same as VmRSS in status) + Resident uint64 + // number of resident shared pages (i.e., backed by a file) + Shared uint64 + // text (code) + Text uint64 + // library (unused since Linux 2.6; always 0) + Lib uint64 + // data + stack + Data uint64 + // dirty pages (unused since Linux 2.6; always 0) + Dt uint64 +} + +// NewStatm returns the current status information of the process. +// Deprecated: Use p.Statm() instead. +func (p Proc) NewStatm() (ProcStatm, error) { + return p.Statm() +} + +// Statm returns the current memory usage information of the process. +func (p Proc) Statm() (ProcStatm, error) { + data, err := util.ReadFileNoStat(p.path("statm")) + if err != nil { + return ProcStatm{}, err + } + + statmSlice, err := parseStatm(data) + if err != nil { + return ProcStatm{}, err + } + + procStatm := ProcStatm{ + PID: p.PID, + Size: statmSlice[0], + Resident: statmSlice[1], + Shared: statmSlice[2], + Text: statmSlice[3], + Lib: statmSlice[4], + Data: statmSlice[5], + Dt: statmSlice[6], + } + + return procStatm, nil +} + +// parseStatm return /proc/[pid]/statm data to uint64 slice. +func parseStatm(data []byte) ([]uint64, error) { + var statmSlice []uint64 + statmItems := strings.Fields(string(data)) + for i := 0; i < len(statmItems); i++ { + statmItem, err := strconv.ParseUint(statmItems[i], 10, 64) + if err != nil { + return nil, err + } + statmSlice = append(statmSlice, statmItem) + } + return statmSlice, nil +} + +// SizeBytes returns the process of total program size in bytes. +func (s ProcStatm) SizeBytes() uint64 { + return s.Size * uint64(os.Getpagesize()) +} + +// ResidentBytes returns the process of resident set size in bytes. +func (s ProcStatm) ResidentBytes() uint64 { + return s.Resident * uint64(os.Getpagesize()) +} + +// SHRBytes returns the process of share memory size in bytes. +func (s ProcStatm) SHRBytes() uint64 { + return s.Shared * uint64(os.Getpagesize()) +} + +// TextBytes returns the process of text (code) size in bytes. +func (s ProcStatm) TextBytes() uint64 { + return s.Text * uint64(os.Getpagesize()) +} + +// DataBytes returns the process of data + stack size in bytes. +func (s ProcStatm) DataBytes() uint64 { + return s.Data * uint64(os.Getpagesize()) +} diff --git a/vendor/github.com/rcrowley/go-metrics/.travis.yml b/vendor/github.com/rcrowley/go-metrics/.travis.yml index 409a5b631..ce9afeaee 100644 --- a/vendor/github.com/rcrowley/go-metrics/.travis.yml +++ b/vendor/github.com/rcrowley/go-metrics/.travis.yml @@ -13,6 +13,7 @@ go: - "1.12" - "1.13" - "1.14" + - "1.15" script: - ./validate.sh diff --git a/vendor/github.com/rcrowley/go-metrics/README.md b/vendor/github.com/rcrowley/go-metrics/README.md index 27ddfee8b..6492bfe85 100644 --- a/vendor/github.com/rcrowley/go-metrics/README.md +++ b/vendor/github.com/rcrowley/go-metrics/README.md @@ -7,6 +7,15 @@ Go port of Coda Hale's Metrics library: . Documentation: . +Archived as of April 1 2025 +----- +This repository is no longer maintained. The authors recommend you explore the +following newer, more widely adopted libraries for your Go instrumentation +needs: + +* [OpenTelemetry Go SDK](https://opentelemetry.io/docs/languages/go/instrumentation/#metrics) +* [Prometheus Go Client Library](https://pkg.go.dev/github.com/prometheus/client_golang/prometheus) + Usage ----- diff --git a/vendor/github.com/sirupsen/logrus/terminal_check_bsd.go b/vendor/github.com/sirupsen/logrus/terminal_check_bsd.go index 499789984..69956b425 100644 --- a/vendor/github.com/sirupsen/logrus/terminal_check_bsd.go +++ b/vendor/github.com/sirupsen/logrus/terminal_check_bsd.go @@ -1,4 +1,4 @@ -// +build darwin dragonfly freebsd netbsd openbsd +// +build darwin dragonfly freebsd netbsd openbsd hurd // +build !js package logrus diff --git a/vendor/github.com/sirupsen/logrus/terminal_check_unix.go b/vendor/github.com/sirupsen/logrus/terminal_check_unix.go index 04748b851..c9aed267a 100644 --- a/vendor/github.com/sirupsen/logrus/terminal_check_unix.go +++ b/vendor/github.com/sirupsen/logrus/terminal_check_unix.go @@ -1,5 +1,7 @@ +//go:build (linux || aix || zos) && !js && !wasi // +build linux aix zos // +build !js +// +build !wasi package logrus diff --git a/vendor/github.com/sirupsen/logrus/terminal_check_wasi.go b/vendor/github.com/sirupsen/logrus/terminal_check_wasi.go new file mode 100644 index 000000000..2822b212f --- /dev/null +++ b/vendor/github.com/sirupsen/logrus/terminal_check_wasi.go @@ -0,0 +1,8 @@ +//go:build wasi +// +build wasi + +package logrus + +func isTerminal(fd int) bool { + return false +} diff --git a/vendor/github.com/sirupsen/logrus/terminal_check_wasip1.go b/vendor/github.com/sirupsen/logrus/terminal_check_wasip1.go new file mode 100644 index 000000000..108a6be12 --- /dev/null +++ b/vendor/github.com/sirupsen/logrus/terminal_check_wasip1.go @@ -0,0 +1,8 @@ +//go:build wasip1 +// +build wasip1 + +package logrus + +func isTerminal(fd int) bool { + return false +} diff --git a/vendor/github.com/spf13/pflag/flag.go b/vendor/github.com/spf13/pflag/flag.go index eeed1e92b..2fd3c5759 100644 --- a/vendor/github.com/spf13/pflag/flag.go +++ b/vendor/github.com/spf13/pflag/flag.go @@ -143,8 +143,9 @@ type ParseErrorsAllowlist struct { UnknownFlags bool } -// DEPRECATED: please use ParseErrorsAllowlist instead -// This type will be removed in a future release +// ParseErrorsWhitelist defines the parsing errors that can be ignored. +// +// Deprecated: use [ParseErrorsAllowlist] instead. This type will be removed in a future release. type ParseErrorsWhitelist = ParseErrorsAllowlist // NormalizedName is a flag name that has been normalized according to rules @@ -165,8 +166,9 @@ type FlagSet struct { // ParseErrorsAllowlist is used to configure an allowlist of errors ParseErrorsAllowlist ParseErrorsAllowlist - // DEPRECATED: please use ParseErrorsAllowlist instead - // This field will be removed in a future release + // ParseErrorsAllowlist is used to configure an allowlist of errors. + // + // Deprecated: use [FlagSet.ParseErrorsAllowlist] instead. This field will be removed in a future release. ParseErrorsWhitelist ParseErrorsAllowlist name string @@ -1185,7 +1187,7 @@ func (f *FlagSet) Parse(arguments []string) error { case ContinueOnError: return err case ExitOnError: - if errors.Is(err, ErrHelp) { + if err == ErrHelp { os.Exit(0) } fmt.Fprintln(f.Output(), err) @@ -1214,7 +1216,7 @@ func (f *FlagSet) ParseAll(arguments []string, fn func(flag *Flag, value string) case ContinueOnError: return err case ExitOnError: - if errors.Is(err, ErrHelp) { + if err == ErrHelp { os.Exit(0) } fmt.Fprintln(f.Output(), err) diff --git a/vendor/modules.txt b/vendor/modules.txt index ac8f9e51f..6bf22fc80 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -891,17 +891,24 @@ github.com/leonelquinteros/gotext/plurals # github.com/lestrrat-go/blackmagic v1.0.4 ## explicit; go 1.23 github.com/lestrrat-go/blackmagic +# github.com/lestrrat-go/dsig v1.0.0 +## explicit; go 1.23.0 +github.com/lestrrat-go/dsig +github.com/lestrrat-go/dsig/internal/ecutil +# github.com/lestrrat-go/dsig-secp256k1 v1.0.0 +## explicit; go 1.23.0 +github.com/lestrrat-go/dsig-secp256k1 # github.com/lestrrat-go/httpcc v1.0.1 ## explicit; go 1.16 github.com/lestrrat-go/httpcc -# github.com/lestrrat-go/httprc/v3 v3.0.0 -## explicit; go 1.23 +# github.com/lestrrat-go/httprc/v3 v3.0.1 +## explicit; go 1.23.0 github.com/lestrrat-go/httprc/v3 github.com/lestrrat-go/httprc/v3/errsink github.com/lestrrat-go/httprc/v3/proxysink github.com/lestrrat-go/httprc/v3/tracesink -# github.com/lestrrat-go/jwx/v3 v3.0.10 -## explicit; go 1.23.0 +# github.com/lestrrat-go/jwx/v3 v3.0.11 +## explicit; go 1.24.4 github.com/lestrrat-go/jwx/v3 github.com/lestrrat-go/jwx/v3/cert github.com/lestrrat-go/jwx/v3/internal/base64 @@ -1230,7 +1237,7 @@ github.com/onsi/gomega/matchers/support/goraph/edge github.com/onsi/gomega/matchers/support/goraph/node github.com/onsi/gomega/matchers/support/goraph/util github.com/onsi/gomega/types -# github.com/open-policy-agent/opa v1.8.0 +# github.com/open-policy-agent/opa v1.9.0 ## explicit; go 1.24.6 github.com/open-policy-agent/opa/ast github.com/open-policy-agent/opa/ast/json @@ -1803,7 +1810,7 @@ github.com/prometheus/common/expfmt github.com/prometheus/common/helpers/templates github.com/prometheus/common/model github.com/prometheus/common/promslog -# github.com/prometheus/procfs v0.16.1 +# github.com/prometheus/procfs v0.17.0 ## explicit; go 1.23.0 github.com/prometheus/procfs github.com/prometheus/procfs/internal/fs @@ -1816,7 +1823,7 @@ github.com/prometheus/statsd_exporter/pkg/mapper/fsm # github.com/r3labs/sse/v2 v2.10.0 ## explicit; go 1.13 github.com/r3labs/sse/v2 -# github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 +# github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 ## explicit github.com/rcrowley/go-metrics # github.com/riandyrn/otelchi v0.12.2 @@ -1956,7 +1963,7 @@ github.com/shurcooL/httpfs/vfsutil # github.com/shurcooL/vfsgen v0.0.0-20230704071429-0000e147ea92 ## explicit; go 1.19 github.com/shurcooL/vfsgen -# github.com/sirupsen/logrus v1.9.3 +# github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af ## explicit; go 1.13 github.com/sirupsen/logrus # github.com/skeema/knownhosts v1.3.0 @@ -1973,7 +1980,7 @@ github.com/spf13/afero/mem # github.com/spf13/cobra v1.10.1 ## explicit; go 1.15 github.com/spf13/cobra -# github.com/spf13/pflag v1.0.9 +# github.com/spf13/pflag v1.0.10 ## explicit; go 1.12 github.com/spf13/pflag # github.com/stretchr/objx v0.5.2