diff --git a/go.mod b/go.mod
index dedb9f0f94..8a0fa5bd5f 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
module github.com/crc-org/crc/v2
-go 1.24.2
+go 1.25.0
require (
github.com/AlecAivazis/survey/v2 v2.3.7
@@ -92,7 +92,7 @@ require (
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/distribution/reference v0.6.0 // indirect
github.com/docker/distribution v2.8.3+incompatible // indirect
- github.com/docker/docker v28.5.1+incompatible // indirect
+ github.com/docker/docker v28.5.2+incompatible // indirect
github.com/docker/docker-credential-helpers v0.9.4 // indirect
github.com/docker/go-connections v0.6.0 // indirect
github.com/ebitengine/purego v0.9.1 // indirect
@@ -101,7 +101,7 @@ require (
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/fsnotify/fsnotify v1.9.0 // indirect
github.com/fxamacker/cbor/v2 v2.7.0 // indirect
- github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+ github.com/go-jose/go-jose/v4 v4.1.3 // indirect
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-ole/go-ole v1.3.0 // indirect
github.com/go-openapi/jsonpointer v0.21.0 // indirect
@@ -113,10 +113,10 @@ require (
github.com/gofrs/uuid v4.3.1+incompatible // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/protobuf v1.5.4 // indirect
- github.com/google/btree v1.1.2 // indirect
+ github.com/google/btree v1.1.3 // indirect
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/go-cmp v0.7.0 // indirect
- github.com/google/go-containerregistry v0.20.6 // indirect
+ github.com/google/go-containerregistry v0.20.7 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/gopacket v1.1.19 // indirect
github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 // indirect
@@ -131,7 +131,6 @@ require (
github.com/json-iterator/go v1.1.12 // indirect
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
github.com/klauspost/pgzip v1.2.6 // indirect
- github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
@@ -147,6 +146,7 @@ require (
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+ github.com/nxadm/tail v1.4.11 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/runtime-spec v1.2.1 // indirect
github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
@@ -156,45 +156,45 @@ require (
github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
github.com/proglottis/gpgme v0.1.5 // indirect
github.com/rivo/uniseg v0.4.7 // indirect
+ github.com/rogpeppe/go-internal v1.14.1 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/sagikazarmark/locafero v0.11.0 // indirect
github.com/secure-systems-lab/go-securesystemslib v0.9.1 // indirect
github.com/segmentio/backo-go v1.0.1 // indirect
- github.com/sigstore/fulcio v1.7.1 // indirect
- github.com/sigstore/protobuf-specs v0.4.1 // indirect
- github.com/sigstore/sigstore v1.9.5 // indirect
+ github.com/sigstore/fulcio v1.8.5 // indirect
+ github.com/sigstore/protobuf-specs v0.5.0 // indirect
+ github.com/sigstore/sigstore v1.10.3 // indirect
github.com/smallstep/pkcs7 v0.1.1 // indirect
github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
github.com/spf13/afero v1.15.0 // indirect
github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 // indirect
github.com/stretchr/objx v0.5.2 // indirect
github.com/subosito/gotenv v1.6.0 // indirect
- github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/tklauser/go-sysconf v0.3.16 // indirect
github.com/tklauser/numcpus v0.11.0 // indirect
github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
github.com/ulikunitz/xz v0.5.15 // indirect
- github.com/vbatts/tar-split v0.12.1 // indirect
+ github.com/vbatts/tar-split v0.12.2 // indirect
github.com/vbauerster/mpb/v8 v8.10.2 // indirect
github.com/x448/float16 v0.8.4 // indirect
go.podman.io/storage v1.61.0 // indirect
- go.yaml.in/yaml/v2 v2.4.2 // indirect
+ go.yaml.in/yaml/v2 v2.4.3 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/mod v0.31.0 // indirect
- golang.org/x/oauth2 v0.32.0 // indirect
- golang.org/x/time v0.11.0 // indirect
+ golang.org/x/oauth2 v0.34.0 // indirect
+ golang.org/x/time v0.14.0 // indirect
golang.org/x/tools v0.40.0 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20250414145226-207652e42e2e // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e // indirect
- google.golang.org/grpc v1.72.2 // indirect
- google.golang.org/protobuf v1.36.9 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20251222181119-0a764e51fe1b // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b // indirect
+ google.golang.org/grpc v1.78.0 // indirect
+ google.golang.org/protobuf v1.36.11 // indirect
gopkg.in/cenkalti/backoff.v1 v1.1.0 // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gvisor.dev/gvisor v0.0.0-20240916094835-a174eb65023f // indirect
k8s.io/klog/v2 v2.130.1 // indirect
k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
- k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect
+ k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d // indirect
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
sigs.k8s.io/yaml v1.6.0 // indirect
diff --git a/go.sum b/go.sum
index e747943d00..b564e468c1 100644
--- a/go.sum
+++ b/go.sum
@@ -89,12 +89,12 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v28.5.1+incompatible h1:ESutzBALAD6qyCLqbQSEf1a/U8Ybms5agw59yGVc+yY=
-github.com/docker/cli v28.5.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v29.0.3+incompatible h1:8J+PZIcF2xLd6h5sHPsp5pvvJA+Sr2wGQxHkRl53a1E=
+github.com/docker/cli v29.0.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v28.5.1+incompatible h1:Bm8DchhSD2J6PsFzxC35TZo4TLGR2PdW/E69rU45NhM=
-github.com/docker/docker v28.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM=
+github.com/docker/docker v28.5.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker-credential-helpers v0.9.4 h1:76ItO69/AP/V4yT9V4uuuItG0B1N8hvt0T0c0NN/DzI=
github.com/docker/docker-credential-helpers v0.9.4/go.mod h1:v1S+hepowrQXITkEfw6o4+BMbGot02wiKpzWhGUZK6c=
github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
@@ -115,6 +115,7 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
+github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
@@ -125,8 +126,8 @@ github.com/gkampitakis/go-diff v1.3.2 h1:Qyn0J9XJSDTgnsgHRdz9Zp24RaJeKMUHg2+PDZZ
github.com/gkampitakis/go-diff v1.3.2/go.mod h1:LLgOrpqleQe26cte8s36HTWcTmMEur6OPYerdAAS9tk=
github.com/gkampitakis/go-snaps v0.5.15 h1:amyJrvM1D33cPHwVrjo9jQxX8g/7E2wYdZ+01KS3zGE=
github.com/gkampitakis/go-snaps v0.5.15/go.mod h1:HNpx/9GoKisdhw9AFOBT1N7DBs9DiHo/hGheFGBZ+mc=
-github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
-github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
+github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
+github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
@@ -142,8 +143,6 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
-github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
@@ -159,16 +158,16 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
-github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
-github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
+github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
+github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/go-containerregistry v0.20.6 h1:cvWX87UxxLgaH76b4hIvya6Dzz9qHB31qAwjAohdSTU=
-github.com/google/go-containerregistry v0.20.6/go.mod h1:T0x8MuoAoKX/873bkeSfLD2FAkwCDf9/HZgsFJ02E2Y=
+github.com/google/go-containerregistry v0.20.7 h1:24VGNpS0IwrOZ2ms2P1QE3Xa5X9p4phx0aUgzYzHW6I=
+github.com/google/go-containerregistry v0.20.7/go.mod h1:Lx5LCZQjLH1QBaMPeGwsME9biPeo1lPx6lbGj/UmzgM=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -209,8 +208,6 @@ github.com/insomniacslk/dhcp v0.0.0-20240710054256-ddd8a41251c9 h1:LZJWucZz7ztCq
github.com/insomniacslk/dhcp v0.0.0-20240710054256-ddd8a41251c9/go.mod h1:KclMyHxX06VrVr0DJmeFSUb1ankt7xTfoOA35pCkoic=
github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
-github.com/jmhodges/clock v1.2.0 h1:eq4kys+NI0PLngzaHEe7AmPT90XMGIEySD1JfV1PDIs=
-github.com/jmhodges/clock v1.2.0/go.mod h1:qKjhA7x7u/lQpPB1XAqX1b1lCI/w3/fNuYpI/ZjLynI=
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
@@ -239,8 +236,6 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec h1:2tTW6cDth2TSgRbAhD7yjZzTQmcN25sDRPEeinR51yQ=
-github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec/go.mod h1:TmwEoGCwIti7BCeJ9hescZgRtatxRE+A72pCoPfmcfk=
github.com/linuxkit/virtsock v0.0.0-20220523201153-1a23e78aa7a2 h1:DZMFueDbfz6PNc1GwDRA8+6lBx1TB9UnxDQliCqR73Y=
github.com/linuxkit/virtsock v0.0.0-20220523201153-1a23e78aa7a2/go.mod h1:SWzULI85WerrFt3u+nIm5F9l7EvxZTKQvd0InF3nmgM=
github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683 h1:7UMa6KCCMjZEMDtTVdcGu0B1GmmC7QJKiCCjyTAWQy0=
@@ -329,21 +324,21 @@ github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt
github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
github.com/proglottis/gpgme v0.1.5 h1:KCGyOw8sQ+SI96j6G8D8YkOGn+1TwbQTT9/zQXoVlz0=
github.com/proglottis/gpgme v0.1.5/go.mod h1:5LoXMgpE4bttgwwdv9bLs/vwqv3qV7F4glEEZ7mRKrM=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
-github.com/prometheus/common v0.63.0 h1:YR/EIY1o3mEFP/kZCD7iDMnLPlGyuU2Gb3HIcXnA98k=
-github.com/prometheus/common v0.63.0/go.mod h1:VVFF/fBIoToEnWRVkYoXEkq3R3paCoxG9PXP74SnV18=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4=
+github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
github.com/r3labs/sse/v2 v2.10.0 h1:hFEkLLFY4LDifoHdiCN/LlGBAdVJYsANaLqNYa1l/v0=
github.com/r3labs/sse/v2 v2.10.0/go.mod h1:Igau6Whc+F17QUgML1fYe1VPZzTV6EMCnYktEmkNJ7I=
github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDcg+AAIFXc=
@@ -360,12 +355,12 @@ github.com/segmentio/backo-go v1.0.1 h1:68RQccglxZeyURy93ASB/2kc9QudzgIDexJ927N+
github.com/segmentio/backo-go v1.0.1/go.mod h1:9/Rh6yILuLysoQnZ2oNooD2g7aBnvM7r/fNVxRNWfBc=
github.com/shirou/gopsutil/v4 v4.25.12 h1:e7PvW/0RmJ8p8vPGJH4jvNkOyLmbkXgXW4m6ZPic6CY=
github.com/shirou/gopsutil/v4 v4.25.12/go.mod h1:EivAfP5x2EhLp2ovdpKSozecVXn1TmuG7SMzs/Wh4PU=
-github.com/sigstore/fulcio v1.7.1 h1:RcoW20Nz49IGeZyu3y9QYhyyV3ZKQ85T+FXPKkvE+aQ=
-github.com/sigstore/fulcio v1.7.1/go.mod h1:7lYY+hsd8Dt+IvKQRC+KEhWpCZ/GlmNvwIa5JhypMS8=
-github.com/sigstore/protobuf-specs v0.4.1 h1:5SsMqZbdkcO/DNHudaxuCUEjj6x29tS2Xby1BxGU7Zc=
-github.com/sigstore/protobuf-specs v0.4.1/go.mod h1:+gXR+38nIa2oEupqDdzg4qSBT0Os+sP7oYv6alWewWc=
-github.com/sigstore/sigstore v1.9.5 h1:Wm1LT9yF4LhQdEMy5A2JeGRHTrAWGjT3ubE5JUSrGVU=
-github.com/sigstore/sigstore v1.9.5/go.mod h1:VtxgvGqCmEZN9X2zhFSOkfXxvKUjpy8RpUW39oCtoII=
+github.com/sigstore/fulcio v1.8.5 h1:HYTD1/L5wlBp8JxsWxUf8hmfaNBBF/x3r3p5l6tZwbA=
+github.com/sigstore/fulcio v1.8.5/go.mod h1:tSLYK3JsKvJpDW1BsIsVHZgHj+f8TjXARzqIUWSsSPQ=
+github.com/sigstore/protobuf-specs v0.5.0 h1:F8YTI65xOHw70NrvPwJ5PhAzsvTnuJMGLkA4FIkofAY=
+github.com/sigstore/protobuf-specs v0.5.0/go.mod h1:+gXR+38nIa2oEupqDdzg4qSBT0Os+sP7oYv6alWewWc=
+github.com/sigstore/sigstore v1.10.3 h1:s7fBYYOzW/2Vd0nND2ZdpWySb5vRF2u9eix/NZMHJm0=
+github.com/sigstore/sigstore v1.10.3/go.mod h1:T26vXIkpnGEg391v3TaZ8EERcXbnjtZb/1erh5jbIQk=
github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w=
github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
github.com/smallstep/pkcs7 v0.1.1 h1:x+rPdt2W088V9Vkjho4KtoggyktZJlMduZAtRHm68LU=
@@ -417,8 +412,6 @@ github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
-github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
-github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
github.com/tklauser/go-sysconf v0.3.16 h1:frioLaCQSsF5Cy1jgRBrzr6t502KIIwQ0MArYICU0nA=
github.com/tklauser/go-sysconf v0.3.16/go.mod h1:/qNL9xxDhc7tx3HSRsLWNnuzbVfh3e7gh/BmM179nYI=
github.com/tklauser/numcpus v0.11.0 h1:nSTwhKH5e1dMNsCdVBukSZrURJRoHbSEQjdEbY+9RXw=
@@ -427,8 +420,8 @@ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8
github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
-github.com/vbatts/tar-split v0.12.1 h1:CqKoORW7BUWBe7UL/iqTVvkTBOF8UvOMKOIZykxnnbo=
-github.com/vbatts/tar-split v0.12.1/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=
+github.com/vbatts/tar-split v0.12.2 h1:w/Y6tjxpeiFMR47yzZPlPj/FcPLpXbTUi/9H7d3CPa4=
+github.com/vbatts/tar-split v0.12.2/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=
github.com/vbauerster/mpb/v8 v8.10.2 h1:2uBykSHAYHekE11YvJhKxYmLATKHAGorZwFlyNw4hHM=
github.com/vbauerster/mpb/v8 v8.10.2/go.mod h1:+Ja4P92E3/CorSZgfDtK46D7AVbDqmBQRTmyTqPElo0=
github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
@@ -442,28 +435,28 @@ github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo
github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8ua9s=
github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
-go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
-go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
-go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
-go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
-go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
-go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
-go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg=
+go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
+go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
+go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
+go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
+go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
+go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
+go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
+go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
+go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
+go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
go.podman.io/common v0.66.1 h1:zDyd4HhVgQAN8LupBHCnhtM3FEOJ9DwmThjulXZq2qA=
go.podman.io/common v0.66.1/go.mod h1:aNd2a0S7pY+fx1X5kpQYuF4hbwLU8ZOccuVrhu7h1Xc=
go.podman.io/image/v5 v5.38.0 h1:aUKrCANkPvze1bnhLJsaubcfz0d9v/bSDLnwsXJm6G4=
go.podman.io/image/v5 v5.38.0/go.mod h1:hSIoIUzgBnmc4DjoIdzk63aloqVbD7QXDMkSE/cvG90=
go.podman.io/storage v1.61.0 h1:5hD/oyRYt1f1gxgvect+8syZBQhGhV28dCw2+CZpx0Q=
go.podman.io/storage v1.61.0/go.mod h1:A3UBK0XypjNZ6pghRhuxg62+2NIm5lcUGv/7XyMhMUI=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -501,8 +494,8 @@ golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
-golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
-golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -525,6 +518,7 @@ golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -558,8 +552,8 @@ golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
-golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
-golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -576,14 +570,16 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/api v0.0.0-20250414145226-207652e42e2e h1:UdXH7Kzbj+Vzastr5nVfccbmFsmYNygVLSPk1pEfDoY=
-google.golang.org/genproto/googleapis/api v0.0.0-20250414145226-207652e42e2e/go.mod h1:085qFyf2+XaZlRdCgKNCIZ3afY2p4HHZdoIRpId8F4A=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e h1:ztQaXfzEXTmCBvbtWYRhJxW+0iJcz2qXfd38/e9l7bA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
-google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.9 h1:w2gp2mA27hUeUzj9Ex9FBjsBm40zfaDtEWow293U7Iw=
-google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+google.golang.org/genproto/googleapis/api v0.0.0-20251222181119-0a764e51fe1b h1:uA40e2M6fYRBf0+8uN5mLlqUtV192iiksiICIBkYJ1E=
+google.golang.org/genproto/googleapis/api v0.0.0-20251222181119-0a764e51fe1b/go.mod h1:Xa7le7qx2vmqB/SzWUBa7KdMjpdpAHlh5QCSnjessQk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b h1:Mv8VFug0MP9e5vUxfBcE3vUkV6CImK3cMNMIDFjmzxU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
+google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
+google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
gopkg.in/cenkalti/backoff.v1 v1.1.0 h1:Arh75ttbsvlpVA7WtVpH4u9h6Zl46xuptxqLxPiSo4Y=
gopkg.in/cenkalti/backoff.v1 v1.1.0/go.mod h1:J6Vskwqd+OMVJl8C33mmtxTBs2gyzfv7UDAkHu8BrjI=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -615,8 +611,8 @@ k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y=
k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4=
-k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0=
-k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d h1:wAhiDyZ4Tdtt7e46e9M5ZSAJ/MnPGPs+Ki1gHw4w1R0=
+k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
libvirt.org/go/libvirtxml v1.11010.0 h1:lGUv6OQ4gz5Hm7F40G+swxmK/kcrMZGQ3M8/S+UyhME=
libvirt.org/go/libvirtxml v1.11010.0/go.mod h1:7Oq2BLDstLr/XtoQD8Fr3mfDNrzlI3utYKySXF2xkng=
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
diff --git a/vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md b/vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md
deleted file mode 100644
index 6f717dbd86..0000000000
--- a/vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md
+++ /dev/null
@@ -1,96 +0,0 @@
-# v4.0.4
-
-## Fixed
-
- - Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a
- breaking change. See #136 / #137.
-
-# v4.0.3
-
-## Changed
-
- - Allow unmarshalling JSONWebKeySets with unsupported key types (#130)
- - Document that OpaqueKeyEncrypter can't be implemented (for now) (#129)
- - Dependency updates
-
-# v4.0.2
-
-## Changed
-
- - Improved documentation of Verify() to note that JSONWebKeySet is a supported
- argument type (#104)
- - Defined exported error values for missing x5c header and unsupported elliptic
- curves error cases (#117)
-
-# v4.0.1
-
-## Fixed
-
- - An attacker could send a JWE containing compressed data that used large
- amounts of memory and CPU when decompressed by `Decrypt` or `DecryptMulti`.
- Those functions now return an error if the decompressed data would exceed
- 250kB or 10x the compressed size (whichever is larger). Thanks to
- Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj)
- for reporting.
-
-# v4.0.0
-
-This release makes some breaking changes in order to more thoroughly
-address the vulnerabilities discussed in [Three New Attacks Against JSON Web
-Tokens][1], "Sign/encrypt confusion", "Billion hash attack", and "Polyglot
-token".
-
-## Changed
-
- - Limit JWT encryption types (exclude password or public key types) (#78)
- - Enforce minimum length for HMAC keys (#85)
- - jwt: match any audience in a list, rather than requiring all audiences (#81)
- - jwt: accept only Compact Serialization (#75)
- - jws: Add expected algorithms for signatures (#74)
- - Require specifying expected algorithms for ParseEncrypted,
- ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
- jwt.ParseSignedAndEncrypted (#69, #74)
- - Usually there is a small, known set of appropriate algorithms for a program
- to use and it's a mistake to allow unexpected algorithms. For instance the
- "billion hash attack" relies in part on programs accepting the PBES2
- encryption algorithm and doing the necessary work even if they weren't
- specifically configured to allow PBES2.
- - Revert "Strip padding off base64 strings" (#82)
- - The specs require base64url encoding without padding.
- - Minimum supported Go version is now 1.21
-
-## Added
-
- - ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
- - These allow parsing a specific serialization, as opposed to ParseSigned and
- ParseEncrypted, which try to automatically detect which serialization was
- provided. It's common to require a specific serialization for a specific
- protocol - for instance JWT requires Compact serialization.
-
-[1]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
-
-# v3.0.2
-
-## Fixed
-
- - DecryptMulti: handle decompression error (#19)
-
-## Changed
-
- - jwe/CompactSerialize: improve performance (#67)
- - Increase the default number of PBKDF2 iterations to 600k (#48)
- - Return the proper algorithm for ECDSA keys (#45)
-
-## Added
-
- - Add Thumbprint support for opaque signers (#38)
-
-# v3.0.1
-
-## Fixed
-
- - Security issue: an attacker specifying a large "p2c" value can cause
- JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large
- amounts of CPU, causing a DoS. Thanks to Matt Schwager (@mschwager) for the
- disclosure and to Tom Tervoort for originally publishing the category of attack.
- https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
diff --git a/vendor/github.com/go-jose/go-jose/v4/README.md b/vendor/github.com/go-jose/go-jose/v4/README.md
index 02b5749546..55c5509176 100644
--- a/vendor/github.com/go-jose/go-jose/v4/README.md
+++ b/vendor/github.com/go-jose/go-jose/v4/README.md
@@ -3,7 +3,6 @@
[](https://pkg.go.dev/github.com/go-jose/go-jose/v4)
[](https://pkg.go.dev/github.com/go-jose/go-jose/v4/jwt)
[](https://raw.githubusercontent.com/go-jose/go-jose/master/LICENSE)
-[](https://github.com/go-jose/go-jose/actions)
Package jose aims to provide an implementation of the Javascript Object Signing
and Encryption set of standards. This includes support for JSON Web Encryption,
@@ -29,17 +28,20 @@ libraries in other languages.
### Versions
-[Version 4](https://github.com/go-jose/go-jose)
-([branch](https://github.com/go-jose/go-jose/tree/main),
-[doc](https://pkg.go.dev/github.com/go-jose/go-jose/v4), [releases](https://github.com/go-jose/go-jose/releases)) is the current stable version:
+The forthcoming Version 5 will be released with several breaking API changes,
+and will require Golang's `encoding/json/v2`, which is currently requires
+Go 1.25 built with GOEXPERIMENT=jsonv2.
+
+Version 4 is the current stable version:
import "github.com/go-jose/go-jose/v4"
-The old [square/go-jose](https://github.com/square/go-jose) repo contains the prior v1 and v2 versions, which
-are still useable but not actively developed anymore.
+It supports at least the current and previous Golang release. Currently it
+requires Golang 1.24.
+
+Version 3 is only receiving critical security updates. Migration to Version 4 is recommended.
-Version 3, in this repo, is still receiving security fixes but not functionality
-updates.
+Versions 1 and 2 are obsolete, but can be found in the old repository, [square/go-jose](https://github.com/square/go-jose).
### Supported algorithms
@@ -47,36 +49,36 @@ See below for a table of supported algorithms. Algorithm identifiers match
the names in the [JSON Web Algorithms](https://dx.doi.org/10.17487/RFC7518)
standard where possible. The Godoc reference has a list of constants.
- Key encryption | Algorithm identifier(s)
- :------------------------- | :------------------------------
- RSA-PKCS#1v1.5 | RSA1_5
- RSA-OAEP | RSA-OAEP, RSA-OAEP-256
- AES key wrap | A128KW, A192KW, A256KW
- AES-GCM key wrap | A128GCMKW, A192GCMKW, A256GCMKW
- ECDH-ES + AES key wrap | ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW
- ECDH-ES (direct) | ECDH-ES1
- Direct encryption | dir1
+| Key encryption | Algorithm identifier(s) |
+|:-----------------------|:-----------------------------------------------|
+| RSA-PKCS#1v1.5 | RSA1_5 |
+| RSA-OAEP | RSA-OAEP, RSA-OAEP-256 |
+| AES key wrap | A128KW, A192KW, A256KW |
+| AES-GCM key wrap | A128GCMKW, A192GCMKW, A256GCMKW |
+| ECDH-ES + AES key wrap | ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW |
+| ECDH-ES (direct) | ECDH-ES1 |
+| Direct encryption | dir1 |
1. Not supported in multi-recipient mode
- Signing / MAC | Algorithm identifier(s)
- :------------------------- | :------------------------------
- RSASSA-PKCS#1v1.5 | RS256, RS384, RS512
- RSASSA-PSS | PS256, PS384, PS512
- HMAC | HS256, HS384, HS512
- ECDSA | ES256, ES384, ES512
- Ed25519 | EdDSA2
+| Signing / MAC | Algorithm identifier(s) |
+|:------------------|:------------------------|
+| RSASSA-PKCS#1v1.5 | RS256, RS384, RS512 |
+| RSASSA-PSS | PS256, PS384, PS512 |
+| HMAC | HS256, HS384, HS512 |
+| ECDSA | ES256, ES384, ES512 |
+| Ed25519 | EdDSA2 |
2. Only available in version 2 of the package
- Content encryption | Algorithm identifier(s)
- :------------------------- | :------------------------------
- AES-CBC+HMAC | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512
- AES-GCM | A128GCM, A192GCM, A256GCM
+| Content encryption | Algorithm identifier(s) |
+|:-------------------|:--------------------------------------------|
+| AES-CBC+HMAC | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 |
+| AES-GCM | A128GCM, A192GCM, A256GCM |
- Compression | Algorithm identifiers(s)
- :------------------------- | -------------------------------
- DEFLATE (RFC 1951) | DEF
+| Compression | Algorithm identifiers(s) |
+|:-------------------|--------------------------|
+| DEFLATE (RFC 1951) | DEF |
### Supported key types
@@ -85,12 +87,12 @@ library, and can be passed to corresponding functions such as `NewEncrypter` or
`NewSigner`. Each of these keys can also be wrapped in a JWK if desired, which
allows attaching a key id.
- Algorithm(s) | Corresponding types
- :------------------------- | -------------------------------
- RSA | *[rsa.PublicKey](https://pkg.go.dev/crypto/rsa/#PublicKey), *[rsa.PrivateKey](https://pkg.go.dev/crypto/rsa/#PrivateKey)
- ECDH, ECDSA | *[ecdsa.PublicKey](https://pkg.go.dev/crypto/ecdsa/#PublicKey), *[ecdsa.PrivateKey](https://pkg.go.dev/crypto/ecdsa/#PrivateKey)
- EdDSA1 | [ed25519.PublicKey](https://pkg.go.dev/crypto/ed25519#PublicKey), [ed25519.PrivateKey](https://pkg.go.dev/crypto/ed25519#PrivateKey)
- AES, HMAC | []byte
+| Algorithm(s) | Corresponding types |
+|:------------------|--------------------------------------------------------------------------------------------------------------------------------------|
+| RSA | *[rsa.PublicKey](https://pkg.go.dev/crypto/rsa/#PublicKey), *[rsa.PrivateKey](https://pkg.go.dev/crypto/rsa/#PrivateKey) |
+| ECDH, ECDSA | *[ecdsa.PublicKey](https://pkg.go.dev/crypto/ecdsa/#PublicKey), *[ecdsa.PrivateKey](https://pkg.go.dev/crypto/ecdsa/#PrivateKey) |
+| EdDSA1 | [ed25519.PublicKey](https://pkg.go.dev/crypto/ed25519#PublicKey), [ed25519.PrivateKey](https://pkg.go.dev/crypto/ed25519#PrivateKey) |
+| AES, HMAC | []byte |
1. Only available in version 2 or later of the package
diff --git a/vendor/github.com/go-jose/go-jose/v4/crypter.go b/vendor/github.com/go-jose/go-jose/v4/crypter.go
index d81b03b447..31290fc871 100644
--- a/vendor/github.com/go-jose/go-jose/v4/crypter.go
+++ b/vendor/github.com/go-jose/go-jose/v4/crypter.go
@@ -286,6 +286,10 @@ func makeJWERecipient(alg KeyAlgorithm, encryptionKey interface{}) (recipientKey
return newSymmetricRecipient(alg, encryptionKey)
case string:
return newSymmetricRecipient(alg, []byte(encryptionKey))
+ case JSONWebKey:
+ recipient, err := makeJWERecipient(alg, encryptionKey.Key)
+ recipient.keyID = encryptionKey.KeyID
+ return recipient, err
case *JSONWebKey:
recipient, err := makeJWERecipient(alg, encryptionKey.Key)
recipient.keyID = encryptionKey.KeyID
@@ -450,13 +454,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
return nil, errors.New("go-jose/go-jose: too many recipients in payload; expecting only one")
}
- critical, err := headers.getCritical()
+ err := headers.checkNoCritical()
if err != nil {
- return nil, fmt.Errorf("go-jose/go-jose: invalid crit header")
- }
-
- if len(critical) > 0 {
- return nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
+ return nil, err
}
key, err := tryJWKS(decryptionKey, obj.Header)
@@ -523,13 +523,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
globalHeaders := obj.mergedHeaders(nil)
- critical, err := globalHeaders.getCritical()
+ err := globalHeaders.checkNoCritical()
if err != nil {
- return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: invalid crit header")
- }
-
- if len(critical) > 0 {
- return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
+ return -1, Header{}, nil, err
}
key, err := tryJWKS(decryptionKey, obj.Header)
diff --git a/vendor/github.com/go-jose/go-jose/v4/jwe.go b/vendor/github.com/go-jose/go-jose/v4/jwe.go
index 9f1322dccc..6102f91000 100644
--- a/vendor/github.com/go-jose/go-jose/v4/jwe.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jwe.go
@@ -274,7 +274,7 @@ func validateAlgEnc(headers rawHeader, keyAlgorithms []KeyAlgorithm, contentEncr
if alg != "" && !containsKeyAlgorithm(keyAlgorithms, alg) {
return fmt.Errorf("unexpected key algorithm %q; expected %q", alg, keyAlgorithms)
}
- if alg != "" && !containsContentEncryption(contentEncryption, enc) {
+ if enc != "" && !containsContentEncryption(contentEncryption, enc) {
return fmt.Errorf("unexpected content encryption algorithm %q; expected %q", enc, contentEncryption)
}
return nil
@@ -288,11 +288,20 @@ func ParseEncryptedCompact(
keyAlgorithms []KeyAlgorithm,
contentEncryption []ContentEncryption,
) (*JSONWebEncryption, error) {
- // Five parts is four separators
- if strings.Count(input, ".") != 4 {
- return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+ var parts [5]string
+ var ok bool
+
+ for i := range 4 {
+ parts[i], input, ok = strings.Cut(input, ".")
+ if !ok {
+ return nil, errors.New("go-jose/go-jose: compact JWE format must have five parts")
+ }
+ }
+ // Validate that the last part does not contain more dots
+ if strings.ContainsRune(input, '.') {
+ return nil, errors.New("go-jose/go-jose: compact JWE format must have five parts")
}
- parts := strings.SplitN(input, ".", 5)
+ parts[4] = input
rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
if err != nil {
diff --git a/vendor/github.com/go-jose/go-jose/v4/jwk.go b/vendor/github.com/go-jose/go-jose/v4/jwk.go
index 9e57e93ba2..164d6a1619 100644
--- a/vendor/github.com/go-jose/go-jose/v4/jwk.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jwk.go
@@ -175,6 +175,8 @@ func (k JSONWebKey) MarshalJSON() ([]byte, error) {
}
// UnmarshalJSON reads a key from its JSON representation.
+//
+// Returns ErrUnsupportedKeyType for unrecognized or unsupported "kty" header values.
func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
var raw rawJSONWebKey
err = json.Unmarshal(data, &raw)
@@ -228,7 +230,7 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
}
key, err = raw.symmetricKey()
case "OKP":
- if raw.Crv == "Ed25519" && raw.X != nil {
+ if raw.Crv == "Ed25519" {
if raw.D != nil {
key, err = raw.edPrivateKey()
if err == nil {
@@ -238,17 +240,27 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
key, err = raw.edPublicKey()
keyPub = key
}
- } else {
- return fmt.Errorf("go-jose/go-jose: unknown curve %s'", raw.Crv)
}
- default:
- return fmt.Errorf("go-jose/go-jose: unknown json web key type '%s'", raw.Kty)
+ case "":
+ // kty MUST be present
+ err = fmt.Errorf("go-jose/go-jose: missing json web key type")
}
if err != nil {
return
}
+ if key == nil {
+ // RFC 7517:
+ // 5. JWK Set Format
+ // ...
+ // Implementations SHOULD ignore JWKs within a JWK Set that use "kty"
+ // (key type) values that are not understood by them, that are missing
+ // required members, or for which values are out of the supported
+ // ranges.
+ return ErrUnsupportedKeyType
+ }
+
if certPub != nil && keyPub != nil {
if !reflect.DeepEqual(certPub, keyPub) {
return errors.New("go-jose/go-jose: invalid JWK, public keys in key and x5c fields do not match")
@@ -581,10 +593,10 @@ func fromEcPublicKey(pub *ecdsa.PublicKey) (*rawJSONWebKey, error) {
func (key rawJSONWebKey) edPrivateKey() (ed25519.PrivateKey, error) {
var missing []string
- switch {
- case key.D == nil:
+ if key.D == nil {
missing = append(missing, "D")
- case key.X == nil:
+ }
+ if key.X == nil {
missing = append(missing, "X")
}
@@ -611,19 +623,21 @@ func (key rawJSONWebKey) edPublicKey() (ed25519.PublicKey, error) {
func (key rawJSONWebKey) rsaPrivateKey() (*rsa.PrivateKey, error) {
var missing []string
- switch {
- case key.N == nil:
+ if key.N == nil {
missing = append(missing, "N")
- case key.E == nil:
+ }
+ if key.E == nil {
missing = append(missing, "E")
- case key.D == nil:
+ }
+ if key.D == nil {
missing = append(missing, "D")
- case key.P == nil:
+ }
+ if key.P == nil {
missing = append(missing, "P")
- case key.Q == nil:
+ }
+ if key.Q == nil {
missing = append(missing, "Q")
}
-
if len(missing) > 0 {
return nil, fmt.Errorf("go-jose/go-jose: invalid RSA private key, missing %s value(s)", strings.Join(missing, ", "))
}
@@ -698,8 +712,19 @@ func (key rawJSONWebKey) ecPrivateKey() (*ecdsa.PrivateKey, error) {
return nil, fmt.Errorf("go-jose/go-jose: unsupported elliptic curve '%s'", key.Crv)
}
- if key.X == nil || key.Y == nil || key.D == nil {
- return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, missing x/y/d values")
+ var missing []string
+ if key.X == nil {
+ missing = append(missing, "X")
+ }
+ if key.Y == nil {
+ missing = append(missing, "Y")
+ }
+ if key.D == nil {
+ missing = append(missing, "D")
+ }
+
+ if len(missing) > 0 {
+ return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, missing %s value(s)", strings.Join(missing, ", "))
}
// The length of this octet string MUST be the full size of a coordinate for
diff --git a/vendor/github.com/go-jose/go-jose/v4/jws.go b/vendor/github.com/go-jose/go-jose/v4/jws.go
index d09d8ba507..c40bd3ec10 100644
--- a/vendor/github.com/go-jose/go-jose/v4/jws.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jws.go
@@ -75,7 +75,14 @@ type Signature struct {
original *rawSignatureInfo
}
-// ParseSigned parses a signed message in JWS Compact or JWS JSON Serialization.
+// ParseSigned parses a signed message in JWS Compact or JWS JSON Serialization. Validation fails if
+// the JWS is signed with an algorithm that isn't in the provided list of signature algorithms.
+// Applications should decide for themselves which signature algorithms are acceptable. If you're
+// not sure which signature algorithms your application might receive, consult the documentation of
+// the program which provides them or the protocol that you are implementing. You can also try
+// getting an example JWS and decoding it with a tool like https://jwt.io to see what its "alg"
+// header parameter indicates. The signature on the JWS does not get validated during parsing. Call
+// Verify() after parsing to validate the signature and obtain the payload.
//
// https://datatracker.ietf.org/doc/html/rfc7515#section-7
func ParseSigned(
@@ -90,7 +97,14 @@ func ParseSigned(
return parseSignedCompact(signature, nil, signatureAlgorithms)
}
-// ParseSignedCompact parses a message in JWS Compact Serialization.
+// ParseSignedCompact parses a message in JWS Compact Serialization. Validation fails if the JWS is
+// signed with an algorithm that isn't in the provided list of signature algorithms. Applications
+// should decide for themselves which signature algorithms are acceptable.If you're not sure which
+// signature algorithms your application might receive, consult the documentation of the program
+// which provides them or the protocol that you are implementing. You can also try getting an
+// example JWS and decoding it with a tool like https://jwt.io to see what its "alg" header
+// parameter indicates. The signature on the JWS does not get validated during parsing. Call
+// Verify() after parsing to validate the signature and obtain the payload.
//
// https://datatracker.ietf.org/doc/html/rfc7515#section-7.1
func ParseSignedCompact(
@@ -101,6 +115,15 @@ func ParseSignedCompact(
}
// ParseDetached parses a signed message in compact serialization format with detached payload.
+// Validation fails if the JWS is signed with an algorithm that isn't in the provided list of
+// signature algorithms. Applications should decide for themselves which signature algorithms are
+// acceptable. If you're not sure which signature algorithms your application might receive, consult
+// the documentation of the program which provides them or the protocol that you are implementing.
+// You can also try getting an example JWS and decoding it with a tool like https://jwt.io to see
+// what its "alg" header parameter indicates. The signature on the JWS does not get validated during
+// parsing. Call Verify() after parsing to validate the signature and obtain the payload.
+//
+// https://datatracker.ietf.org/doc/html/rfc7515#appendix-F
func ParseDetached(
signature string,
payload []byte,
@@ -181,6 +204,25 @@ func containsSignatureAlgorithm(haystack []SignatureAlgorithm, needle SignatureA
return false
}
+// ErrUnexpectedSignatureAlgorithm is returned when the signature algorithm in
+// the JWS header does not match one of the expected algorithms.
+type ErrUnexpectedSignatureAlgorithm struct {
+ // Got is the signature algorithm found in the JWS header.
+ Got SignatureAlgorithm
+ expected []SignatureAlgorithm
+}
+
+func (e *ErrUnexpectedSignatureAlgorithm) Error() string {
+ return fmt.Sprintf("unexpected signature algorithm %q; expected %q", e.Got, e.expected)
+}
+
+func newErrUnexpectedSignatureAlgorithm(got SignatureAlgorithm, expected []SignatureAlgorithm) error {
+ return &ErrUnexpectedSignatureAlgorithm{
+ Got: got,
+ expected: expected,
+ }
+}
+
// sanitized produces a cleaned-up JWS object from the raw JSON.
func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgorithm) (*JSONWebSignature, error) {
if len(signatureAlgorithms) == 0 {
@@ -236,8 +278,7 @@ func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgo
alg := SignatureAlgorithm(signature.Header.Algorithm)
if !containsSignatureAlgorithm(signatureAlgorithms, alg) {
- return nil, fmt.Errorf("go-jose/go-jose: unexpected signature algorithm %q; expected %q",
- alg, signatureAlgorithms)
+ return nil, newErrUnexpectedSignatureAlgorithm(alg, signatureAlgorithms)
}
if signature.header != nil {
@@ -285,8 +326,7 @@ func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgo
alg := SignatureAlgorithm(obj.Signatures[i].Header.Algorithm)
if !containsSignatureAlgorithm(signatureAlgorithms, alg) {
- return nil, fmt.Errorf("go-jose/go-jose: unexpected signature algorithm %q; expected %q",
- alg, signatureAlgorithms)
+ return nil, newErrUnexpectedSignatureAlgorithm(alg, signatureAlgorithms)
}
if obj.Signatures[i].header != nil {
@@ -321,35 +361,43 @@ func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgo
return obj, nil
}
+const tokenDelim = "."
+
// parseSignedCompact parses a message in compact format.
func parseSignedCompact(
input string,
payload []byte,
signatureAlgorithms []SignatureAlgorithm,
) (*JSONWebSignature, error) {
- // Three parts is two separators
- if strings.Count(input, ".") != 2 {
+ protected, s, ok := strings.Cut(input, tokenDelim)
+ if !ok { // no period found
+ return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+ }
+ claims, sig, ok := strings.Cut(s, tokenDelim)
+ if !ok { // only one period found
+ return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+ }
+ if strings.ContainsRune(sig, '.') { // too many periods found
return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
}
- parts := strings.SplitN(input, ".", 3)
- if parts[1] != "" && payload != nil {
+ if claims != "" && payload != nil {
return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
}
- rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+ rawProtected, err := base64.RawURLEncoding.DecodeString(protected)
if err != nil {
return nil, err
}
if payload == nil {
- payload, err = base64.RawURLEncoding.DecodeString(parts[1])
+ payload, err = base64.RawURLEncoding.DecodeString(claims)
if err != nil {
return nil, err
}
}
- signature, err := base64.RawURLEncoding.DecodeString(parts[2])
+ signature, err := base64.RawURLEncoding.DecodeString(sig)
if err != nil {
return nil, err
}
diff --git a/vendor/github.com/go-jose/go-jose/v4/shared.go b/vendor/github.com/go-jose/go-jose/v4/shared.go
index 1ec3396126..35130b3aa8 100644
--- a/vendor/github.com/go-jose/go-jose/v4/shared.go
+++ b/vendor/github.com/go-jose/go-jose/v4/shared.go
@@ -77,6 +77,9 @@ var (
// ErrUnsupportedEllipticCurve indicates unsupported or unknown elliptic curve has been found.
ErrUnsupportedEllipticCurve = errors.New("go-jose/go-jose: unsupported/unknown elliptic curve")
+
+ // ErrUnsupportedCriticalHeader is returned when a header is marked critical but not supported by go-jose.
+ ErrUnsupportedCriticalHeader = errors.New("go-jose/go-jose: unsupported critical header")
)
// Key management algorithms
@@ -167,8 +170,8 @@ const (
)
// supportedCritical is the set of supported extensions that are understood and processed.
-var supportedCritical = map[string]bool{
- headerB64: true,
+var supportedCritical = map[string]struct{}{
+ headerB64: {},
}
// rawHeader represents the JOSE header for JWE/JWS objects (used for parsing).
@@ -346,6 +349,32 @@ func (parsed rawHeader) getCritical() ([]string, error) {
return q, nil
}
+// checkNoCritical verifies there are no critical headers present.
+func (parsed rawHeader) checkNoCritical() error {
+ if _, ok := parsed[headerCritical]; ok {
+ return ErrUnsupportedCriticalHeader
+ }
+
+ return nil
+}
+
+// checkSupportedCritical verifies there are no unsupported critical headers.
+// Supported headers are passed in as a set: map of names to empty structs
+func (parsed rawHeader) checkSupportedCritical(supported map[string]struct{}) error {
+ crit, err := parsed.getCritical()
+ if err != nil {
+ return err
+ }
+
+ for _, name := range crit {
+ if _, ok := supported[name]; !ok {
+ return ErrUnsupportedCriticalHeader
+ }
+ }
+
+ return nil
+}
+
// getS2C extracts parsed "p2c" from the raw JSON.
func (parsed rawHeader) getP2C() (int, error) {
v := parsed[headerP2C]
diff --git a/vendor/github.com/go-jose/go-jose/v4/signing.go b/vendor/github.com/go-jose/go-jose/v4/signing.go
index 3dec0112b6..5dbd04c278 100644
--- a/vendor/github.com/go-jose/go-jose/v4/signing.go
+++ b/vendor/github.com/go-jose/go-jose/v4/signing.go
@@ -404,15 +404,23 @@ func (obj JSONWebSignature) DetachedVerify(payload []byte, verificationKey inter
}
signature := obj.Signatures[0]
- headers := signature.mergedHeaders()
- critical, err := headers.getCritical()
- if err != nil {
- return err
+
+ if signature.header != nil {
+ // Per https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11,
+ // 4.1.11. "crit" (Critical) Header Parameter
+ // "When used, this Header Parameter MUST be integrity
+ // protected; therefore, it MUST occur only within the JWS
+ // Protected Header."
+ err = signature.header.checkNoCritical()
+ if err != nil {
+ return err
+ }
}
- for _, name := range critical {
- if !supportedCritical[name] {
- return ErrCryptoFailure
+ if signature.protected != nil {
+ err = signature.protected.checkSupportedCritical(supportedCritical)
+ if err != nil {
+ return err
}
}
@@ -421,6 +429,7 @@ func (obj JSONWebSignature) DetachedVerify(payload []byte, verificationKey inter
return ErrCryptoFailure
}
+ headers := signature.mergedHeaders()
alg := headers.getSignatureAlgorithm()
err = verifier.verifyPayload(input, signature.Signature, alg)
if err == nil {
@@ -469,14 +478,22 @@ func (obj JSONWebSignature) DetachedVerifyMulti(payload []byte, verificationKey
outer:
for i, signature := range obj.Signatures {
- headers := signature.mergedHeaders()
- critical, err := headers.getCritical()
- if err != nil {
- continue
+ if signature.header != nil {
+ // Per https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11,
+ // 4.1.11. "crit" (Critical) Header Parameter
+ // "When used, this Header Parameter MUST be integrity
+ // protected; therefore, it MUST occur only within the JWS
+ // Protected Header."
+ err = signature.header.checkNoCritical()
+ if err != nil {
+ continue outer
+ }
}
- for _, name := range critical {
- if !supportedCritical[name] {
+ if signature.protected != nil {
+ // Check for only supported critical headers
+ err = signature.protected.checkSupportedCritical(supportedCritical)
+ if err != nil {
continue outer
}
}
@@ -486,6 +503,7 @@ outer:
continue
}
+ headers := signature.mergedHeaders()
alg := headers.getSignatureAlgorithm()
err = verifier.verifyPayload(input, signature.Signature, alg)
if err == nil {
diff --git a/vendor/github.com/go-jose/go-jose/v4/symmetric.go b/vendor/github.com/go-jose/go-jose/v4/symmetric.go
index a69103b084..09efefb265 100644
--- a/vendor/github.com/go-jose/go-jose/v4/symmetric.go
+++ b/vendor/github.com/go-jose/go-jose/v4/symmetric.go
@@ -21,6 +21,7 @@ import (
"crypto/aes"
"crypto/cipher"
"crypto/hmac"
+ "crypto/pbkdf2"
"crypto/rand"
"crypto/sha256"
"crypto/sha512"
@@ -30,8 +31,6 @@ import (
"hash"
"io"
- "golang.org/x/crypto/pbkdf2"
-
josecipher "github.com/go-jose/go-jose/v4/cipher"
)
@@ -330,7 +329,10 @@ func (ctx *symmetricKeyCipher) encryptKey(cek []byte, alg KeyAlgorithm) (recipie
// derive key
keyLen, h := getPbkdf2Params(alg)
- key := pbkdf2.Key(ctx.key, salt, ctx.p2c, keyLen, h)
+ key, err := pbkdf2.Key(h, string(ctx.key), salt, ctx.p2c, keyLen)
+ if err != nil {
+ return recipientInfo{}, nil
+ }
// use AES cipher with derived key
block, err := aes.NewCipher(key)
@@ -432,7 +434,10 @@ func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipien
// derive key
keyLen, h := getPbkdf2Params(alg)
- key := pbkdf2.Key(ctx.key, salt, p2c, keyLen, h)
+ key, err := pbkdf2.Key(h, string(ctx.key), salt, p2c, keyLen)
+ if err != nil {
+ return nil, err
+ }
// use AES cipher with derived key
block, err := aes.NewCipher(key)
diff --git a/vendor/github.com/google/btree/btree.go b/vendor/github.com/google/btree/btree.go
index 969b910d70..6f5184fef7 100644
--- a/vendor/github.com/google/btree/btree.go
+++ b/vendor/github.com/google/btree/btree.go
@@ -479,7 +479,7 @@ func (n *node) growChildAndRemove(i int, item Item, minItems int, typ toRemove)
child := n.mutableChild(i)
// merge with right child
mergeItem := n.items.removeAt(i)
- mergeChild := n.children.removeAt(i + 1)
+ mergeChild := n.children.removeAt(i + 1).mutableFor(n.cow)
child.items = append(child.items, mergeItem)
child.items = append(child.items, mergeChild.items...)
child.children = append(child.children, mergeChild.children...)
diff --git a/vendor/github.com/letsencrypt/boulder/LICENSE.txt b/vendor/github.com/letsencrypt/boulder/LICENSE.txt
deleted file mode 100644
index fa274d92d7..0000000000
--- a/vendor/github.com/letsencrypt/boulder/LICENSE.txt
+++ /dev/null
@@ -1,375 +0,0 @@
-Copyright 2016 ISRG. All rights reserved.
-
-Mozilla Public License Version 2.0
-==================================
-
-1. Definitions
---------------
-
-1.1. "Contributor"
- means each individual or legal entity that creates, contributes to
- the creation of, or owns Covered Software.
-
-1.2. "Contributor Version"
- means the combination of the Contributions of others (if any) used
- by a Contributor and that particular Contributor's Contribution.
-
-1.3. "Contribution"
- means Covered Software of a particular Contributor.
-
-1.4. "Covered Software"
- means Source Code Form to which the initial Contributor has attached
- the notice in Exhibit A, the Executable Form of such Source Code
- Form, and Modifications of such Source Code Form, in each case
- including portions thereof.
-
-1.5. "Incompatible With Secondary Licenses"
- means
-
- (a) that the initial Contributor has attached the notice described
- in Exhibit B to the Covered Software; or
-
- (b) that the Covered Software was made available under the terms of
- version 1.1 or earlier of the License, but not also under the
- terms of a Secondary License.
-
-1.6. "Executable Form"
- means any form of the work other than Source Code Form.
-
-1.7. "Larger Work"
- means a work that combines Covered Software with other material, in
- a separate file or files, that is not Covered Software.
-
-1.8. "License"
- means this document.
-
-1.9. "Licensable"
- means having the right to grant, to the maximum extent possible,
- whether at the time of the initial grant or subsequently, any and
- all of the rights conveyed by this License.
-
-1.10. "Modifications"
- means any of the following:
-
- (a) any file in Source Code Form that results from an addition to,
- deletion from, or modification of the contents of Covered
- Software; or
-
- (b) any new file in Source Code Form that contains any Covered
- Software.
-
-1.11. "Patent Claims" of a Contributor
- means any patent claim(s), including without limitation, method,
- process, and apparatus claims, in any patent Licensable by such
- Contributor that would be infringed, but for the grant of the
- License, by the making, using, selling, offering for sale, having
- made, import, or transfer of either its Contributions or its
- Contributor Version.
-
-1.12. "Secondary License"
- means either the GNU General Public License, Version 2.0, the GNU
- Lesser General Public License, Version 2.1, the GNU Affero General
- Public License, Version 3.0, or any later versions of those
- licenses.
-
-1.13. "Source Code Form"
- means the form of the work preferred for making modifications.
-
-1.14. "You" (or "Your")
- means an individual or a legal entity exercising rights under this
- License. For legal entities, "You" includes any entity that
- controls, is controlled by, or is under common control with You. For
- purposes of this definition, "control" means (a) the power, direct
- or indirect, to cause the direction or management of such entity,
- whether by contract or otherwise, or (b) ownership of more than
- fifty percent (50%) of the outstanding shares or beneficial
- ownership of such entity.
-
-2. License Grants and Conditions
---------------------------------
-
-2.1. Grants
-
-Each Contributor hereby grants You a world-wide, royalty-free,
-non-exclusive license:
-
-(a) under intellectual property rights (other than patent or trademark)
- Licensable by such Contributor to use, reproduce, make available,
- modify, display, perform, distribute, and otherwise exploit its
- Contributions, either on an unmodified basis, with Modifications, or
- as part of a Larger Work; and
-
-(b) under Patent Claims of such Contributor to make, use, sell, offer
- for sale, have made, import, and otherwise transfer either its
- Contributions or its Contributor Version.
-
-2.2. Effective Date
-
-The licenses granted in Section 2.1 with respect to any Contribution
-become effective for each Contribution on the date the Contributor first
-distributes such Contribution.
-
-2.3. Limitations on Grant Scope
-
-The licenses granted in this Section 2 are the only rights granted under
-this License. No additional rights or licenses will be implied from the
-distribution or licensing of Covered Software under this License.
-Notwithstanding Section 2.1(b) above, no patent license is granted by a
-Contributor:
-
-(a) for any code that a Contributor has removed from Covered Software;
- or
-
-(b) for infringements caused by: (i) Your and any other third party's
- modifications of Covered Software, or (ii) the combination of its
- Contributions with other software (except as part of its Contributor
- Version); or
-
-(c) under Patent Claims infringed by Covered Software in the absence of
- its Contributions.
-
-This License does not grant any rights in the trademarks, service marks,
-or logos of any Contributor (except as may be necessary to comply with
-the notice requirements in Section 3.4).
-
-2.4. Subsequent Licenses
-
-No Contributor makes additional grants as a result of Your choice to
-distribute the Covered Software under a subsequent version of this
-License (see Section 10.2) or under the terms of a Secondary License (if
-permitted under the terms of Section 3.3).
-
-2.5. Representation
-
-Each Contributor represents that the Contributor believes its
-Contributions are its original creation(s) or it has sufficient rights
-to grant the rights to its Contributions conveyed by this License.
-
-2.6. Fair Use
-
-This License is not intended to limit any rights You have under
-applicable copyright doctrines of fair use, fair dealing, or other
-equivalents.
-
-2.7. Conditions
-
-Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
-in Section 2.1.
-
-3. Responsibilities
--------------------
-
-3.1. Distribution of Source Form
-
-All distribution of Covered Software in Source Code Form, including any
-Modifications that You create or to which You contribute, must be under
-the terms of this License. You must inform recipients that the Source
-Code Form of the Covered Software is governed by the terms of this
-License, and how they can obtain a copy of this License. You may not
-attempt to alter or restrict the recipients' rights in the Source Code
-Form.
-
-3.2. Distribution of Executable Form
-
-If You distribute Covered Software in Executable Form then:
-
-(a) such Covered Software must also be made available in Source Code
- Form, as described in Section 3.1, and You must inform recipients of
- the Executable Form how they can obtain a copy of such Source Code
- Form by reasonable means in a timely manner, at a charge no more
- than the cost of distribution to the recipient; and
-
-(b) You may distribute such Executable Form under the terms of this
- License, or sublicense it under different terms, provided that the
- license for the Executable Form does not attempt to limit or alter
- the recipients' rights in the Source Code Form under this License.
-
-3.3. Distribution of a Larger Work
-
-You may create and distribute a Larger Work under terms of Your choice,
-provided that You also comply with the requirements of this License for
-the Covered Software. If the Larger Work is a combination of Covered
-Software with a work governed by one or more Secondary Licenses, and the
-Covered Software is not Incompatible With Secondary Licenses, this
-License permits You to additionally distribute such Covered Software
-under the terms of such Secondary License(s), so that the recipient of
-the Larger Work may, at their option, further distribute the Covered
-Software under the terms of either this License or such Secondary
-License(s).
-
-3.4. Notices
-
-You may not remove or alter the substance of any license notices
-(including copyright notices, patent notices, disclaimers of warranty,
-or limitations of liability) contained within the Source Code Form of
-the Covered Software, except that You may alter any license notices to
-the extent required to remedy known factual inaccuracies.
-
-3.5. Application of Additional Terms
-
-You may choose to offer, and to charge a fee for, warranty, support,
-indemnity or liability obligations to one or more recipients of Covered
-Software. However, You may do so only on Your own behalf, and not on
-behalf of any Contributor. You must make it absolutely clear that any
-such warranty, support, indemnity, or liability obligation is offered by
-You alone, and You hereby agree to indemnify every Contributor for any
-liability incurred by such Contributor as a result of warranty, support,
-indemnity or liability terms You offer. You may include additional
-disclaimers of warranty and limitations of liability specific to any
-jurisdiction.
-
-4. Inability to Comply Due to Statute or Regulation
----------------------------------------------------
-
-If it is impossible for You to comply with any of the terms of this
-License with respect to some or all of the Covered Software due to
-statute, judicial order, or regulation then You must: (a) comply with
-the terms of this License to the maximum extent possible; and (b)
-describe the limitations and the code they affect. Such description must
-be placed in a text file included with all distributions of the Covered
-Software under this License. Except to the extent prohibited by statute
-or regulation, such description must be sufficiently detailed for a
-recipient of ordinary skill to be able to understand it.
-
-5. Termination
---------------
-
-5.1. The rights granted under this License will terminate automatically
-if You fail to comply with any of its terms. However, if You become
-compliant, then the rights granted under this License from a particular
-Contributor are reinstated (a) provisionally, unless and until such
-Contributor explicitly and finally terminates Your grants, and (b) on an
-ongoing basis, if such Contributor fails to notify You of the
-non-compliance by some reasonable means prior to 60 days after You have
-come back into compliance. Moreover, Your grants from a particular
-Contributor are reinstated on an ongoing basis if such Contributor
-notifies You of the non-compliance by some reasonable means, this is the
-first time You have received notice of non-compliance with this License
-from such Contributor, and You become compliant prior to 30 days after
-Your receipt of the notice.
-
-5.2. If You initiate litigation against any entity by asserting a patent
-infringement claim (excluding declaratory judgment actions,
-counter-claims, and cross-claims) alleging that a Contributor Version
-directly or indirectly infringes any patent, then the rights granted to
-You by any and all Contributors for the Covered Software under Section
-2.1 of this License shall terminate.
-
-5.3. In the event of termination under Sections 5.1 or 5.2 above, all
-end user license agreements (excluding distributors and resellers) which
-have been validly granted by You or Your distributors under this License
-prior to termination shall survive termination.
-
-************************************************************************
-* *
-* 6. Disclaimer of Warranty *
-* ------------------------- *
-* *
-* Covered Software is provided under this License on an "as is" *
-* basis, without warranty of any kind, either expressed, implied, or *
-* statutory, including, without limitation, warranties that the *
-* Covered Software is free of defects, merchantable, fit for a *
-* particular purpose or non-infringing. The entire risk as to the *
-* quality and performance of the Covered Software is with You. *
-* Should any Covered Software prove defective in any respect, You *
-* (not any Contributor) assume the cost of any necessary servicing, *
-* repair, or correction. This disclaimer of warranty constitutes an *
-* essential part of this License. No use of any Covered Software is *
-* authorized under this License except under this disclaimer. *
-* *
-************************************************************************
-
-************************************************************************
-* *
-* 7. Limitation of Liability *
-* -------------------------- *
-* *
-* Under no circumstances and under no legal theory, whether tort *
-* (including negligence), contract, or otherwise, shall any *
-* Contributor, or anyone who distributes Covered Software as *
-* permitted above, be liable to You for any direct, indirect, *
-* special, incidental, or consequential damages of any character *
-* including, without limitation, damages for lost profits, loss of *
-* goodwill, work stoppage, computer failure or malfunction, or any *
-* and all other commercial damages or losses, even if such party *
-* shall have been informed of the possibility of such damages. This *
-* limitation of liability shall not apply to liability for death or *
-* personal injury resulting from such party's negligence to the *
-* extent applicable law prohibits such limitation. Some *
-* jurisdictions do not allow the exclusion or limitation of *
-* incidental or consequential damages, so this exclusion and *
-* limitation may not apply to You. *
-* *
-************************************************************************
-
-8. Litigation
--------------
-
-Any litigation relating to this License may be brought only in the
-courts of a jurisdiction where the defendant maintains its principal
-place of business and such litigation shall be governed by laws of that
-jurisdiction, without reference to its conflict-of-law provisions.
-Nothing in this Section shall prevent a party's ability to bring
-cross-claims or counter-claims.
-
-9. Miscellaneous
-----------------
-
-This License represents the complete agreement concerning the subject
-matter hereof. If any provision of this License is held to be
-unenforceable, such provision shall be reformed only to the extent
-necessary to make it enforceable. Any law or regulation which provides
-that the language of a contract shall be construed against the drafter
-shall not be used to construe this License against a Contributor.
-
-10. Versions of the License
----------------------------
-
-10.1. New Versions
-
-Mozilla Foundation is the license steward. Except as provided in Section
-10.3, no one other than the license steward has the right to modify or
-publish new versions of this License. Each version will be given a
-distinguishing version number.
-
-10.2. Effect of New Versions
-
-You may distribute the Covered Software under the terms of the version
-of the License under which You originally received the Covered Software,
-or under the terms of any subsequent version published by the license
-steward.
-
-10.3. Modified Versions
-
-If you create software not governed by this License, and you want to
-create a new license for such software, you may create and use a
-modified version of this License if you rename the license and remove
-any references to the name of the license steward (except to note that
-such modified license differs from this License).
-
-10.4. Distributing Source Code Form that is Incompatible With Secondary
-Licenses
-
-If You choose to distribute Source Code Form that is Incompatible With
-Secondary Licenses under the terms of this version of the License, the
-notice described in Exhibit B of this License must be attached.
-
-Exhibit A - Source Code Form License Notice
--------------------------------------------
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-If it is not possible or desirable to put the notice in a particular
-file, then You may include the notice in a location (such as a LICENSE
-file in a relevant directory) where a recipient would be likely to look
-for such a notice.
-
-You may add additional accurate notices of copyright ownership.
-
-Exhibit B - "Incompatible With Secondary Licenses" Notice
----------------------------------------------------------
-
- This Source Code Form is "Incompatible With Secondary Licenses", as
- defined by the Mozilla Public License, v. 2.0.
diff --git a/vendor/github.com/letsencrypt/boulder/core/challenges.go b/vendor/github.com/letsencrypt/boulder/core/challenges.go
deleted file mode 100644
index d5e7a87295..0000000000
--- a/vendor/github.com/letsencrypt/boulder/core/challenges.go
+++ /dev/null
@@ -1,41 +0,0 @@
-package core
-
-import "fmt"
-
-func newChallenge(challengeType AcmeChallenge, token string) Challenge {
- return Challenge{
- Type: challengeType,
- Status: StatusPending,
- Token: token,
- }
-}
-
-// HTTPChallenge01 constructs a http-01 challenge.
-func HTTPChallenge01(token string) Challenge {
- return newChallenge(ChallengeTypeHTTP01, token)
-}
-
-// DNSChallenge01 constructs a dns-01 challenge.
-func DNSChallenge01(token string) Challenge {
- return newChallenge(ChallengeTypeDNS01, token)
-}
-
-// TLSALPNChallenge01 constructs a tls-alpn-01 challenge.
-func TLSALPNChallenge01(token string) Challenge {
- return newChallenge(ChallengeTypeTLSALPN01, token)
-}
-
-// NewChallenge constructs a challenge of the given kind. It returns an
-// error if the challenge type is unrecognized.
-func NewChallenge(kind AcmeChallenge, token string) (Challenge, error) {
- switch kind {
- case ChallengeTypeHTTP01:
- return HTTPChallenge01(token), nil
- case ChallengeTypeDNS01:
- return DNSChallenge01(token), nil
- case ChallengeTypeTLSALPN01:
- return TLSALPNChallenge01(token), nil
- default:
- return Challenge{}, fmt.Errorf("unrecognized challenge type %q", kind)
- }
-}
diff --git a/vendor/github.com/letsencrypt/boulder/core/interfaces.go b/vendor/github.com/letsencrypt/boulder/core/interfaces.go
deleted file mode 100644
index 59b55a3f4b..0000000000
--- a/vendor/github.com/letsencrypt/boulder/core/interfaces.go
+++ /dev/null
@@ -1,14 +0,0 @@
-package core
-
-import (
- "github.com/letsencrypt/boulder/identifier"
-)
-
-// PolicyAuthority defines the public interface for the Boulder PA
-// TODO(#5891): Move this interface to a more appropriate location.
-type PolicyAuthority interface {
- WillingToIssue([]string) error
- ChallengesFor(identifier.ACMEIdentifier) ([]Challenge, error)
- ChallengeTypeEnabled(AcmeChallenge) bool
- CheckAuthz(*Authorization) error
-}
diff --git a/vendor/github.com/letsencrypt/boulder/core/objects.go b/vendor/github.com/letsencrypt/boulder/core/objects.go
deleted file mode 100644
index c01f551abd..0000000000
--- a/vendor/github.com/letsencrypt/boulder/core/objects.go
+++ /dev/null
@@ -1,505 +0,0 @@
-package core
-
-import (
- "crypto"
- "encoding/base64"
- "encoding/json"
- "fmt"
- "hash/fnv"
- "net"
- "strings"
- "time"
-
- "github.com/go-jose/go-jose/v4"
- "golang.org/x/crypto/ocsp"
-
- "github.com/letsencrypt/boulder/identifier"
- "github.com/letsencrypt/boulder/probs"
- "github.com/letsencrypt/boulder/revocation"
-)
-
-// AcmeStatus defines the state of a given authorization
-type AcmeStatus string
-
-// These statuses are the states of authorizations, challenges, and registrations
-const (
- StatusUnknown = AcmeStatus("unknown") // Unknown status; the default
- StatusPending = AcmeStatus("pending") // In process; client has next action
- StatusProcessing = AcmeStatus("processing") // In process; server has next action
- StatusReady = AcmeStatus("ready") // Order is ready for finalization
- StatusValid = AcmeStatus("valid") // Object is valid
- StatusInvalid = AcmeStatus("invalid") // Validation failed
- StatusRevoked = AcmeStatus("revoked") // Object no longer valid
- StatusDeactivated = AcmeStatus("deactivated") // Object has been deactivated
-)
-
-// AcmeResource values identify different types of ACME resources
-type AcmeResource string
-
-// The types of ACME resources
-const (
- ResourceNewReg = AcmeResource("new-reg")
- ResourceNewAuthz = AcmeResource("new-authz")
- ResourceNewCert = AcmeResource("new-cert")
- ResourceRevokeCert = AcmeResource("revoke-cert")
- ResourceRegistration = AcmeResource("reg")
- ResourceChallenge = AcmeResource("challenge")
- ResourceAuthz = AcmeResource("authz")
- ResourceKeyChange = AcmeResource("key-change")
-)
-
-// AcmeChallenge values identify different types of ACME challenges
-type AcmeChallenge string
-
-// These types are the available challenges
-const (
- ChallengeTypeHTTP01 = AcmeChallenge("http-01")
- ChallengeTypeDNS01 = AcmeChallenge("dns-01")
- ChallengeTypeTLSALPN01 = AcmeChallenge("tls-alpn-01")
-)
-
-// IsValid tests whether the challenge is a known challenge
-func (c AcmeChallenge) IsValid() bool {
- switch c {
- case ChallengeTypeHTTP01, ChallengeTypeDNS01, ChallengeTypeTLSALPN01:
- return true
- default:
- return false
- }
-}
-
-// OCSPStatus defines the state of OCSP for a domain
-type OCSPStatus string
-
-// These status are the states of OCSP
-const (
- OCSPStatusGood = OCSPStatus("good")
- OCSPStatusRevoked = OCSPStatus("revoked")
- // Not a real OCSP status. This is a placeholder we write before the
- // actual precertificate is issued, to ensure we never return "good" before
- // issuance succeeds, for BR compliance reasons.
- OCSPStatusNotReady = OCSPStatus("wait")
-)
-
-var OCSPStatusToInt = map[OCSPStatus]int{
- OCSPStatusGood: ocsp.Good,
- OCSPStatusRevoked: ocsp.Revoked,
- OCSPStatusNotReady: -1,
-}
-
-// DNSPrefix is attached to DNS names in DNS challenges
-const DNSPrefix = "_acme-challenge"
-
-type RawCertificateRequest struct {
- CSR JSONBuffer `json:"csr"` // The encoded CSR
-}
-
-// Registration objects represent non-public metadata attached
-// to account keys.
-type Registration struct {
- // Unique identifier
- ID int64 `json:"id,omitempty" db:"id"`
-
- // Account key to which the details are attached
- Key *jose.JSONWebKey `json:"key"`
-
- // Contact URIs
- Contact *[]string `json:"contact,omitempty"`
-
- // Agreement with terms of service
- Agreement string `json:"agreement,omitempty"`
-
- // InitialIP is the IP address from which the registration was created
- InitialIP net.IP `json:"initialIp"`
-
- // CreatedAt is the time the registration was created.
- CreatedAt *time.Time `json:"createdAt,omitempty"`
-
- Status AcmeStatus `json:"status"`
-}
-
-// ValidationRecord represents a validation attempt against a specific URL/hostname
-// and the IP addresses that were resolved and used.
-type ValidationRecord struct {
- // SimpleHTTP only
- URL string `json:"url,omitempty"`
-
- // Shared
- Hostname string `json:"hostname,omitempty"`
- Port string `json:"port,omitempty"`
- AddressesResolved []net.IP `json:"addressesResolved,omitempty"`
- AddressUsed net.IP `json:"addressUsed,omitempty"`
- // AddressesTried contains a list of addresses tried before the `AddressUsed`.
- // Presently this will only ever be one IP from `AddressesResolved` since the
- // only retry is in the case of a v6 failure with one v4 fallback. E.g. if
- // a record with `AddressesResolved: { 127.0.0.1, ::1 }` were processed for
- // a challenge validation with the IPv6 first flag on and the ::1 address
- // failed but the 127.0.0.1 retry succeeded then the record would end up
- // being:
- // {
- // ...
- // AddressesResolved: [ 127.0.0.1, ::1 ],
- // AddressUsed: 127.0.0.1
- // AddressesTried: [ ::1 ],
- // ...
- // }
- AddressesTried []net.IP `json:"addressesTried,omitempty"`
- // ResolverAddrs is the host:port of the DNS resolver(s) that fulfilled the
- // lookup for AddressUsed. During recursive A and AAAA lookups, a record may
- // instead look like A:host:port or AAAA:host:port
- ResolverAddrs []string `json:"resolverAddrs,omitempty"`
- // UsedRSAKEX is a *temporary* addition to the validation record, so we can
- // see how many servers that we reach out to during HTTP-01 and TLS-ALPN-01
- // validation are only willing to negotiate RSA key exchange mechanisms. The
- // field is not included in the serialized json to avoid cluttering the
- // database and log lines.
- // TODO(#7321): Remove this when we have collected sufficient data.
- UsedRSAKEX bool `json:"-"`
-}
-
-// Challenge is an aggregate of all data needed for any challenges.
-//
-// Rather than define individual types for different types of
-// challenge, we just throw all the elements into one bucket,
-// together with the common metadata elements.
-type Challenge struct {
- // Type is the type of challenge encoded in this object.
- Type AcmeChallenge `json:"type"`
-
- // URL is the URL to which a response can be posted. Required for all types.
- URL string `json:"url,omitempty"`
-
- // Status is the status of this challenge. Required for all types.
- Status AcmeStatus `json:"status,omitempty"`
-
- // Validated is the time at which the server validated the challenge. Required
- // if status is valid.
- Validated *time.Time `json:"validated,omitempty"`
-
- // Error contains the error that occurred during challenge validation, if any.
- // If set, the Status must be "invalid".
- Error *probs.ProblemDetails `json:"error,omitempty"`
-
- // Token is a random value that uniquely identifies the challenge. It is used
- // by all current challenges (http-01, tls-alpn-01, and dns-01).
- Token string `json:"token,omitempty"`
-
- // ProvidedKeyAuthorization used to carry the expected key authorization from
- // the RA to the VA. However, since this field is never presented to the user
- // via the ACME API, it should not be on this type.
- //
- // Deprecated: use vapb.PerformValidationRequest.ExpectedKeyAuthorization instead.
- // TODO(#7514): Remove this.
- ProvidedKeyAuthorization string `json:"keyAuthorization,omitempty"`
-
- // Contains information about URLs used or redirected to and IPs resolved and
- // used
- ValidationRecord []ValidationRecord `json:"validationRecord,omitempty"`
-}
-
-// ExpectedKeyAuthorization computes the expected KeyAuthorization value for
-// the challenge.
-func (ch Challenge) ExpectedKeyAuthorization(key *jose.JSONWebKey) (string, error) {
- if key == nil {
- return "", fmt.Errorf("Cannot authorize a nil key")
- }
-
- thumbprint, err := key.Thumbprint(crypto.SHA256)
- if err != nil {
- return "", err
- }
-
- return ch.Token + "." + base64.RawURLEncoding.EncodeToString(thumbprint), nil
-}
-
-// RecordsSane checks the sanity of a ValidationRecord object before sending it
-// back to the RA to be stored.
-func (ch Challenge) RecordsSane() bool {
- if ch.ValidationRecord == nil || len(ch.ValidationRecord) == 0 {
- return false
- }
-
- switch ch.Type {
- case ChallengeTypeHTTP01:
- for _, rec := range ch.ValidationRecord {
- // TODO(#7140): Add a check for ResolverAddress == "" only after the
- // core.proto change has been deployed.
- if rec.URL == "" || rec.Hostname == "" || rec.Port == "" || rec.AddressUsed == nil ||
- len(rec.AddressesResolved) == 0 {
- return false
- }
- }
- case ChallengeTypeTLSALPN01:
- if len(ch.ValidationRecord) > 1 {
- return false
- }
- if ch.ValidationRecord[0].URL != "" {
- return false
- }
- // TODO(#7140): Add a check for ResolverAddress == "" only after the
- // core.proto change has been deployed.
- if ch.ValidationRecord[0].Hostname == "" || ch.ValidationRecord[0].Port == "" ||
- ch.ValidationRecord[0].AddressUsed == nil || len(ch.ValidationRecord[0].AddressesResolved) == 0 {
- return false
- }
- case ChallengeTypeDNS01:
- if len(ch.ValidationRecord) > 1 {
- return false
- }
- // TODO(#7140): Add a check for ResolverAddress == "" only after the
- // core.proto change has been deployed.
- if ch.ValidationRecord[0].Hostname == "" {
- return false
- }
- return true
- default: // Unsupported challenge type
- return false
- }
-
- return true
-}
-
-// CheckPending ensures that a challenge object is pending and has a token.
-// This is used before offering the challenge to the client, and before actually
-// validating a challenge.
-func (ch Challenge) CheckPending() error {
- if ch.Status != StatusPending {
- return fmt.Errorf("challenge is not pending")
- }
-
- if !looksLikeAToken(ch.Token) {
- return fmt.Errorf("token is missing or malformed")
- }
-
- return nil
-}
-
-// StringID is used to generate a ID for challenges associated with new style authorizations.
-// This is necessary as these challenges no longer have a unique non-sequential identifier
-// in the new storage scheme. This identifier is generated by constructing a fnv hash over the
-// challenge token and type and encoding the first 4 bytes of it using the base64 URL encoding.
-func (ch Challenge) StringID() string {
- h := fnv.New128a()
- h.Write([]byte(ch.Token))
- h.Write([]byte(ch.Type))
- return base64.RawURLEncoding.EncodeToString(h.Sum(nil)[0:4])
-}
-
-// Authorization represents the authorization of an account key holder
-// to act on behalf of a domain. This struct is intended to be used both
-// internally and for JSON marshaling on the wire. Any fields that should be
-// suppressed on the wire (e.g., ID, regID) must be made empty before marshaling.
-type Authorization struct {
- // An identifier for this authorization, unique across
- // authorizations and certificates within this instance.
- ID string `json:"id,omitempty" db:"id"`
-
- // The identifier for which authorization is being given
- Identifier identifier.ACMEIdentifier `json:"identifier,omitempty" db:"identifier"`
-
- // The registration ID associated with the authorization
- RegistrationID int64 `json:"regId,omitempty" db:"registrationID"`
-
- // The status of the validation of this authorization
- Status AcmeStatus `json:"status,omitempty" db:"status"`
-
- // The date after which this authorization will be no
- // longer be considered valid. Note: a certificate may be issued even on the
- // last day of an authorization's lifetime. The last day for which someone can
- // hold a valid certificate based on an authorization is authorization
- // lifetime + certificate lifetime.
- Expires *time.Time `json:"expires,omitempty" db:"expires"`
-
- // An array of challenges objects used to validate the
- // applicant's control of the identifier. For authorizations
- // in process, these are challenges to be fulfilled; for
- // final authorizations, they describe the evidence that
- // the server used in support of granting the authorization.
- //
- // There should only ever be one challenge of each type in this
- // slice and the order of these challenges may not be predictable.
- Challenges []Challenge `json:"challenges,omitempty" db:"-"`
-
- // https://datatracker.ietf.org/doc/html/rfc8555#page-29
- //
- // wildcard (optional, boolean): This field MUST be present and true
- // for authorizations created as a result of a newOrder request
- // containing a DNS identifier with a value that was a wildcard
- // domain name. For other authorizations, it MUST be absent.
- // Wildcard domain names are described in Section 7.1.3.
- //
- // This is not represented in the database because we calculate it from
- // the identifier stored in the database. Unlike the identifier returned
- // as part of the authorization, the identifier we store in the database
- // can contain an asterisk.
- Wildcard bool `json:"wildcard,omitempty" db:"-"`
-}
-
-// FindChallengeByStringID will look for a challenge matching the given ID inside
-// this authorization. If found, it will return the index of that challenge within
-// the Authorization's Challenges array. Otherwise it will return -1.
-func (authz *Authorization) FindChallengeByStringID(id string) int {
- for i, c := range authz.Challenges {
- if c.StringID() == id {
- return i
- }
- }
- return -1
-}
-
-// SolvedBy will look through the Authorizations challenges, returning the type
-// of the *first* challenge it finds with Status: valid, or an error if no
-// challenge is valid.
-func (authz *Authorization) SolvedBy() (AcmeChallenge, error) {
- if len(authz.Challenges) == 0 {
- return "", fmt.Errorf("Authorization has no challenges")
- }
- for _, chal := range authz.Challenges {
- if chal.Status == StatusValid {
- return chal.Type, nil
- }
- }
- return "", fmt.Errorf("Authorization not solved by any challenge")
-}
-
-// JSONBuffer fields get encoded and decoded JOSE-style, in base64url encoding
-// with stripped padding.
-type JSONBuffer []byte
-
-// MarshalJSON encodes a JSONBuffer for transmission.
-func (jb JSONBuffer) MarshalJSON() (result []byte, err error) {
- return json.Marshal(base64.RawURLEncoding.EncodeToString(jb))
-}
-
-// UnmarshalJSON decodes a JSONBuffer to an object.
-func (jb *JSONBuffer) UnmarshalJSON(data []byte) (err error) {
- var str string
- err = json.Unmarshal(data, &str)
- if err != nil {
- return err
- }
- *jb, err = base64.RawURLEncoding.DecodeString(strings.TrimRight(str, "="))
- return
-}
-
-// Certificate objects are entirely internal to the server. The only
-// thing exposed on the wire is the certificate itself.
-type Certificate struct {
- ID int64 `db:"id"`
- RegistrationID int64 `db:"registrationID"`
-
- Serial string `db:"serial"`
- Digest string `db:"digest"`
- DER []byte `db:"der"`
- Issued time.Time `db:"issued"`
- Expires time.Time `db:"expires"`
-}
-
-// CertificateStatus structs are internal to the server. They represent the
-// latest data about the status of the certificate, required for generating new
-// OCSP responses and determining if a certificate has been revoked.
-type CertificateStatus struct {
- ID int64 `db:"id"`
-
- Serial string `db:"serial"`
-
- // status: 'good' or 'revoked'. Note that good, expired certificates remain
- // with status 'good' but don't necessarily get fresh OCSP responses.
- Status OCSPStatus `db:"status"`
-
- // ocspLastUpdated: The date and time of the last time we generated an OCSP
- // response. If we have never generated one, this has the zero value of
- // time.Time, i.e. Jan 1 1970.
- OCSPLastUpdated time.Time `db:"ocspLastUpdated"`
-
- // revokedDate: If status is 'revoked', this is the date and time it was
- // revoked. Otherwise it has the zero value of time.Time, i.e. Jan 1 1970.
- RevokedDate time.Time `db:"revokedDate"`
-
- // revokedReason: If status is 'revoked', this is the reason code for the
- // revocation. Otherwise it is zero (which happens to be the reason
- // code for 'unspecified').
- RevokedReason revocation.Reason `db:"revokedReason"`
-
- LastExpirationNagSent time.Time `db:"lastExpirationNagSent"`
-
- // NotAfter and IsExpired are convenience columns which allow expensive
- // queries to quickly filter out certificates that we don't need to care about
- // anymore. These are particularly useful for the expiration mailer and CRL
- // updater. See https://github.com/letsencrypt/boulder/issues/1864.
- NotAfter time.Time `db:"notAfter"`
- IsExpired bool `db:"isExpired"`
-
- // Note: this is not an issuance.IssuerNameID because that would create an
- // import cycle between core and issuance.
- // Note2: This field used to be called `issuerID`. We keep the old name in
- // the DB, but update the Go field name to be clear which type of ID this
- // is.
- IssuerNameID int64 `db:"issuerID"`
-}
-
-// FQDNSet contains the SHA256 hash of the lowercased, comma joined dNSNames
-// contained in a certificate.
-type FQDNSet struct {
- ID int64
- SetHash []byte
- Serial string
- Issued time.Time
- Expires time.Time
-}
-
-// SCTDERs is a convenience type
-type SCTDERs [][]byte
-
-// CertDER is a convenience type that helps differentiate what the
-// underlying byte slice contains
-type CertDER []byte
-
-// SuggestedWindow is a type exposed inside the RenewalInfo resource.
-type SuggestedWindow struct {
- Start time.Time `json:"start"`
- End time.Time `json:"end"`
-}
-
-// IsWithin returns true if the given time is within the suggested window,
-// inclusive of the start time and exclusive of the end time.
-func (window SuggestedWindow) IsWithin(now time.Time) bool {
- return !now.Before(window.Start) && now.Before(window.End)
-}
-
-// RenewalInfo is a type which is exposed to clients which query the renewalInfo
-// endpoint specified in draft-aaron-ari.
-type RenewalInfo struct {
- SuggestedWindow SuggestedWindow `json:"suggestedWindow"`
-}
-
-// RenewalInfoSimple constructs a `RenewalInfo` object and suggested window
-// using a very simple renewal calculation: calculate a point 2/3rds of the way
-// through the validity period, then give a 2-day window around that. Both the
-// `issued` and `expires` timestamps are expected to be UTC.
-func RenewalInfoSimple(issued time.Time, expires time.Time) RenewalInfo {
- validity := expires.Add(time.Second).Sub(issued)
- renewalOffset := validity / time.Duration(3)
- idealRenewal := expires.Add(-renewalOffset)
- return RenewalInfo{
- SuggestedWindow: SuggestedWindow{
- Start: idealRenewal.Add(-24 * time.Hour),
- End: idealRenewal.Add(24 * time.Hour),
- },
- }
-}
-
-// RenewalInfoImmediate constructs a `RenewalInfo` object with a suggested
-// window in the past. Per the draft-ietf-acme-ari-01 spec, clients should
-// attempt to renew immediately if the suggested window is in the past. The
-// passed `now` is assumed to be a timestamp representing the current moment in
-// time.
-func RenewalInfoImmediate(now time.Time) RenewalInfo {
- oneHourAgo := now.Add(-1 * time.Hour)
- return RenewalInfo{
- SuggestedWindow: SuggestedWindow{
- Start: oneHourAgo,
- End: oneHourAgo.Add(time.Minute * 30),
- },
- }
-}
diff --git a/vendor/github.com/letsencrypt/boulder/core/util.go b/vendor/github.com/letsencrypt/boulder/core/util.go
deleted file mode 100644
index 641521f169..0000000000
--- a/vendor/github.com/letsencrypt/boulder/core/util.go
+++ /dev/null
@@ -1,383 +0,0 @@
-package core
-
-import (
- "crypto"
- "crypto/ecdsa"
- "crypto/rand"
- "crypto/rsa"
- "crypto/sha256"
- "crypto/x509"
- "encoding/base64"
- "encoding/hex"
- "encoding/pem"
- "errors"
- "expvar"
- "fmt"
- "io"
- "math/big"
- mrand "math/rand"
- "os"
- "path"
- "reflect"
- "regexp"
- "sort"
- "strings"
- "time"
- "unicode"
-
- "github.com/go-jose/go-jose/v4"
- "google.golang.org/protobuf/types/known/durationpb"
- "google.golang.org/protobuf/types/known/timestamppb"
-)
-
-const Unspecified = "Unspecified"
-
-// Package Variables Variables
-
-// BuildID is set by the compiler (using -ldflags "-X core.BuildID $(git rev-parse --short HEAD)")
-// and is used by GetBuildID
-var BuildID string
-
-// BuildHost is set by the compiler and is used by GetBuildHost
-var BuildHost string
-
-// BuildTime is set by the compiler and is used by GetBuildTime
-var BuildTime string
-
-func init() {
- expvar.NewString("BuildID").Set(BuildID)
- expvar.NewString("BuildTime").Set(BuildTime)
-}
-
-// Random stuff
-
-type randSource interface {
- Read(p []byte) (n int, err error)
-}
-
-// RandReader is used so that it can be replaced in tests that require
-// deterministic output
-var RandReader randSource = rand.Reader
-
-// RandomString returns a randomly generated string of the requested length.
-func RandomString(byteLength int) string {
- b := make([]byte, byteLength)
- _, err := io.ReadFull(RandReader, b)
- if err != nil {
- panic(fmt.Sprintf("Error reading random bytes: %s", err))
- }
- return base64.RawURLEncoding.EncodeToString(b)
-}
-
-// NewToken produces a random string for Challenges, etc.
-func NewToken() string {
- return RandomString(32)
-}
-
-var tokenFormat = regexp.MustCompile(`^[\w-]{43}$`)
-
-// looksLikeAToken checks whether a string represents a 32-octet value in
-// the URL-safe base64 alphabet.
-func looksLikeAToken(token string) bool {
- return tokenFormat.MatchString(token)
-}
-
-// Fingerprints
-
-// Fingerprint256 produces an unpadded, URL-safe Base64-encoded SHA256 digest
-// of the data.
-func Fingerprint256(data []byte) string {
- d := sha256.New()
- _, _ = d.Write(data) // Never returns an error
- return base64.RawURLEncoding.EncodeToString(d.Sum(nil))
-}
-
-type Sha256Digest [sha256.Size]byte
-
-// KeyDigest produces the SHA256 digest of a provided public key.
-func KeyDigest(key crypto.PublicKey) (Sha256Digest, error) {
- switch t := key.(type) {
- case *jose.JSONWebKey:
- if t == nil {
- return Sha256Digest{}, errors.New("cannot compute digest of nil key")
- }
- return KeyDigest(t.Key)
- case jose.JSONWebKey:
- return KeyDigest(t.Key)
- default:
- keyDER, err := x509.MarshalPKIXPublicKey(key)
- if err != nil {
- return Sha256Digest{}, err
- }
- return sha256.Sum256(keyDER), nil
- }
-}
-
-// KeyDigestB64 produces a padded, standard Base64-encoded SHA256 digest of a
-// provided public key.
-func KeyDigestB64(key crypto.PublicKey) (string, error) {
- digest, err := KeyDigest(key)
- if err != nil {
- return "", err
- }
- return base64.StdEncoding.EncodeToString(digest[:]), nil
-}
-
-// KeyDigestEquals determines whether two public keys have the same digest.
-func KeyDigestEquals(j, k crypto.PublicKey) bool {
- digestJ, errJ := KeyDigestB64(j)
- digestK, errK := KeyDigestB64(k)
- // Keys that don't have a valid digest (due to marshalling problems)
- // are never equal. So, e.g. nil keys are not equal.
- if errJ != nil || errK != nil {
- return false
- }
- return digestJ == digestK
-}
-
-// PublicKeysEqual determines whether two public keys are identical.
-func PublicKeysEqual(a, b crypto.PublicKey) (bool, error) {
- switch ak := a.(type) {
- case *rsa.PublicKey:
- return ak.Equal(b), nil
- case *ecdsa.PublicKey:
- return ak.Equal(b), nil
- default:
- return false, fmt.Errorf("unsupported public key type %T", ak)
- }
-}
-
-// SerialToString converts a certificate serial number (big.Int) to a String
-// consistently.
-func SerialToString(serial *big.Int) string {
- return fmt.Sprintf("%036x", serial)
-}
-
-// StringToSerial converts a string into a certificate serial number (big.Int)
-// consistently.
-func StringToSerial(serial string) (*big.Int, error) {
- var serialNum big.Int
- if !ValidSerial(serial) {
- return &serialNum, fmt.Errorf("invalid serial number %q", serial)
- }
- _, err := fmt.Sscanf(serial, "%036x", &serialNum)
- return &serialNum, err
-}
-
-// ValidSerial tests whether the input string represents a syntactically
-// valid serial number, i.e., that it is a valid hex string between 32
-// and 36 characters long.
-func ValidSerial(serial string) bool {
- // Originally, serial numbers were 32 hex characters long. We later increased
- // them to 36, but we allow the shorter ones because they exist in some
- // production databases.
- if len(serial) != 32 && len(serial) != 36 {
- return false
- }
- _, err := hex.DecodeString(serial)
- return err == nil
-}
-
-// GetBuildID identifies what build is running.
-func GetBuildID() (retID string) {
- retID = BuildID
- if retID == "" {
- retID = Unspecified
- }
- return
-}
-
-// GetBuildTime identifies when this build was made
-func GetBuildTime() (retID string) {
- retID = BuildTime
- if retID == "" {
- retID = Unspecified
- }
- return
-}
-
-// GetBuildHost identifies the building host
-func GetBuildHost() (retID string) {
- retID = BuildHost
- if retID == "" {
- retID = Unspecified
- }
- return
-}
-
-// IsAnyNilOrZero returns whether any of the supplied values are nil, or (if not)
-// if any of them is its type's zero-value. This is useful for validating that
-// all required fields on a proto message are present.
-func IsAnyNilOrZero(vals ...interface{}) bool {
- for _, val := range vals {
- switch v := val.(type) {
- case nil:
- return true
- case bool:
- if !v {
- return true
- }
- case string:
- if v == "" {
- return true
- }
- case []string:
- if len(v) == 0 {
- return true
- }
- case byte:
- // Byte is an alias for uint8 and will cover that case.
- if v == 0 {
- return true
- }
- case []byte:
- if len(v) == 0 {
- return true
- }
- case int:
- if v == 0 {
- return true
- }
- case int8:
- if v == 0 {
- return true
- }
- case int16:
- if v == 0 {
- return true
- }
- case int32:
- if v == 0 {
- return true
- }
- case int64:
- if v == 0 {
- return true
- }
- case uint:
- if v == 0 {
- return true
- }
- case uint16:
- if v == 0 {
- return true
- }
- case uint32:
- if v == 0 {
- return true
- }
- case uint64:
- if v == 0 {
- return true
- }
- case float32:
- if v == 0 {
- return true
- }
- case float64:
- if v == 0 {
- return true
- }
- case time.Time:
- if v.IsZero() {
- return true
- }
- case *timestamppb.Timestamp:
- if v == nil || v.AsTime().IsZero() {
- return true
- }
- case *durationpb.Duration:
- if v == nil || v.AsDuration() == time.Duration(0) {
- return true
- }
- default:
- if reflect.ValueOf(v).IsZero() {
- return true
- }
- }
- }
- return false
-}
-
-// UniqueLowerNames returns the set of all unique names in the input after all
-// of them are lowercased. The returned names will be in their lowercased form
-// and sorted alphabetically.
-func UniqueLowerNames(names []string) (unique []string) {
- nameMap := make(map[string]int, len(names))
- for _, name := range names {
- nameMap[strings.ToLower(name)] = 1
- }
-
- unique = make([]string, 0, len(nameMap))
- for name := range nameMap {
- unique = append(unique, name)
- }
- sort.Strings(unique)
- return
-}
-
-// HashNames returns a hash of the names requested. This is intended for use
-// when interacting with the orderFqdnSets table and rate limiting.
-func HashNames(names []string) []byte {
- names = UniqueLowerNames(names)
- hash := sha256.Sum256([]byte(strings.Join(names, ",")))
- return hash[:]
-}
-
-// LoadCert loads a PEM certificate specified by filename or returns an error
-func LoadCert(filename string) (*x509.Certificate, error) {
- certPEM, err := os.ReadFile(filename)
- if err != nil {
- return nil, err
- }
- block, _ := pem.Decode(certPEM)
- if block == nil {
- return nil, fmt.Errorf("no data in cert PEM file %q", filename)
- }
- cert, err := x509.ParseCertificate(block.Bytes)
- if err != nil {
- return nil, err
- }
- return cert, nil
-}
-
-// retryJitter is used to prevent bunched retried queries from falling into lockstep
-const retryJitter = 0.2
-
-// RetryBackoff calculates a backoff time based on number of retries, will always
-// add jitter so requests that start in unison won't fall into lockstep. Because of
-// this the returned duration can always be larger than the maximum by a factor of
-// retryJitter. Adapted from
-// https://github.com/grpc/grpc-go/blob/v1.11.3/backoff.go#L77-L96
-func RetryBackoff(retries int, base, max time.Duration, factor float64) time.Duration {
- if retries == 0 {
- return 0
- }
- backoff, fMax := float64(base), float64(max)
- for backoff < fMax && retries > 1 {
- backoff *= factor
- retries--
- }
- if backoff > fMax {
- backoff = fMax
- }
- // Randomize backoff delays so that if a cluster of requests start at
- // the same time, they won't operate in lockstep.
- backoff *= (1 - retryJitter) + 2*retryJitter*mrand.Float64()
- return time.Duration(backoff)
-}
-
-// IsASCII determines if every character in a string is encoded in
-// the ASCII character set.
-func IsASCII(str string) bool {
- for _, r := range str {
- if r > unicode.MaxASCII {
- return false
- }
- }
- return true
-}
-
-func Command() string {
- return path.Base(os.Args[0])
-}
diff --git a/vendor/github.com/letsencrypt/boulder/goodkey/blocked.go b/vendor/github.com/letsencrypt/boulder/goodkey/blocked.go
deleted file mode 100644
index 198c09db4e..0000000000
--- a/vendor/github.com/letsencrypt/boulder/goodkey/blocked.go
+++ /dev/null
@@ -1,95 +0,0 @@
-package goodkey
-
-import (
- "crypto"
- "crypto/sha256"
- "encoding/base64"
- "encoding/hex"
- "errors"
- "os"
-
- "github.com/letsencrypt/boulder/core"
- "github.com/letsencrypt/boulder/strictyaml"
-)
-
-// blockedKeys is a type for maintaining a map of SHA256 hashes
-// of SubjectPublicKeyInfo's that should be considered blocked.
-// blockedKeys are created by using loadBlockedKeysList.
-type blockedKeys map[core.Sha256Digest]bool
-
-var ErrWrongDecodedSize = errors.New("not enough bytes decoded for sha256 hash")
-
-// blocked checks if the given public key is considered administratively
-// blocked based on a SHA256 hash of the SubjectPublicKeyInfo.
-// Important: blocked should not be called except on a blockedKeys instance
-// returned from loadBlockedKeysList.
-// function should not be used until after `loadBlockedKeysList` has returned.
-func (b blockedKeys) blocked(key crypto.PublicKey) (bool, error) {
- hash, err := core.KeyDigest(key)
- if err != nil {
- // the bool result should be ignored when err is != nil but to be on the
- // paranoid side return true anyway so that a key we can't compute the
- // digest for will always be blocked even if a caller foolishly discards the
- // err result.
- return true, err
- }
- return b[hash], nil
-}
-
-// loadBlockedKeysList creates a blockedKeys object that can be used to check if
-// a key is blocked. It creates a lookup map from a list of
-// SHA256 hashes of SubjectPublicKeyInfo's in the input YAML file
-// with the expected format:
-//
-// blocked:
-// - cuwGhNNI6nfob5aqY90e7BleU6l7rfxku4X3UTJ3Z7M=
-//
-// - Qebc1V3SkX3izkYRGNJilm9Bcuvf0oox4U2Rn+b4JOE=
-//
-// If no hashes are found in the input YAML an error is returned.
-func loadBlockedKeysList(filename string) (*blockedKeys, error) {
- yamlBytes, err := os.ReadFile(filename)
- if err != nil {
- return nil, err
- }
-
- var list struct {
- BlockedHashes []string `yaml:"blocked"`
- BlockedHashesHex []string `yaml:"blockedHashesHex"`
- }
- err = strictyaml.Unmarshal(yamlBytes, &list)
- if err != nil {
- return nil, err
- }
-
- if len(list.BlockedHashes) == 0 && len(list.BlockedHashesHex) == 0 {
- return nil, errors.New("no blocked hashes in YAML")
- }
-
- blockedKeys := make(blockedKeys, len(list.BlockedHashes)+len(list.BlockedHashesHex))
- for _, b64Hash := range list.BlockedHashes {
- decoded, err := base64.StdEncoding.DecodeString(b64Hash)
- if err != nil {
- return nil, err
- }
- if len(decoded) != sha256.Size {
- return nil, ErrWrongDecodedSize
- }
- var sha256Digest core.Sha256Digest
- copy(sha256Digest[:], decoded[0:sha256.Size])
- blockedKeys[sha256Digest] = true
- }
- for _, hexHash := range list.BlockedHashesHex {
- decoded, err := hex.DecodeString(hexHash)
- if err != nil {
- return nil, err
- }
- if len(decoded) != sha256.Size {
- return nil, ErrWrongDecodedSize
- }
- var sha256Digest core.Sha256Digest
- copy(sha256Digest[:], decoded[0:sha256.Size])
- blockedKeys[sha256Digest] = true
- }
- return &blockedKeys, nil
-}
diff --git a/vendor/github.com/letsencrypt/boulder/goodkey/good_key.go b/vendor/github.com/letsencrypt/boulder/goodkey/good_key.go
deleted file mode 100644
index 04a075d35b..0000000000
--- a/vendor/github.com/letsencrypt/boulder/goodkey/good_key.go
+++ /dev/null
@@ -1,460 +0,0 @@
-package goodkey
-
-import (
- "context"
- "crypto"
- "crypto/ecdsa"
- "crypto/elliptic"
- "crypto/rsa"
- "errors"
- "fmt"
- "math/big"
- "sync"
-
- "github.com/letsencrypt/boulder/core"
-
- "github.com/titanous/rocacheck"
-)
-
-// To generate, run: primes 2 752 | tr '\n' ,
-var smallPrimeInts = []int64{
- 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
- 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107,
- 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167,
- 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229,
- 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283,
- 293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359,
- 367, 373, 379, 383, 389, 397, 401, 409, 419, 421, 431,
- 433, 439, 443, 449, 457, 461, 463, 467, 479, 487, 491,
- 499, 503, 509, 521, 523, 541, 547, 557, 563, 569, 571,
- 577, 587, 593, 599, 601, 607, 613, 617, 619, 631, 641,
- 643, 647, 653, 659, 661, 673, 677, 683, 691, 701, 709,
- 719, 727, 733, 739, 743, 751,
-}
-
-// singleton defines the object of a Singleton pattern
-var (
- smallPrimesSingleton sync.Once
- smallPrimesProduct *big.Int
-)
-
-type Config struct {
- // AllowedKeys enables or disables specific key algorithms and sizes. If
- // nil, defaults to just those keys allowed by the Let's Encrypt CPS.
- AllowedKeys *AllowedKeys
- // WeakKeyFile is the path to a JSON file containing truncated modulus hashes
- // of known weak RSA keys. If this config value is empty, then RSA modulus
- // hash checking will be disabled.
- WeakKeyFile string
- // BlockedKeyFile is the path to a YAML file containing base64-encoded SHA256
- // hashes of PKIX Subject Public Keys that should be blocked. If this config
- // value is empty, then blocked key checking will be disabled.
- BlockedKeyFile string
- // FermatRounds is an integer number of rounds of Fermat's factorization
- // method that should be performed to attempt to detect keys whose modulus can
- // be trivially factored because the two factors are very close to each other.
- // If this config value is empty (0), no factorization will be attempted.
- FermatRounds int
-}
-
-// AllowedKeys is a map of six specific key algorithm and size combinations to
-// booleans indicating whether keys of that type are considered good.
-type AllowedKeys struct {
- // Baseline Requirements, Section 6.1.5 requires key size >= 2048 and a multiple
- // of 8 bits: https://github.com/cabforum/servercert/blob/main/docs/BR.md#615-key-sizes
- // Baseline Requirements, Section 6.1.1.3 requires that we reject any keys which
- // have a known method to easily compute their private key, such as Debian Weak
- // Keys. Our enforcement mechanism relies on enumerating all Debian Weak Keys at
- // common key sizes, so we restrict all issuance to those common key sizes.
- RSA2048 bool
- RSA3072 bool
- RSA4096 bool
- // Baseline Requirements, Section 6.1.5 requires that ECDSA keys be valid
- // points on the NIST P-256, P-384, or P-521 elliptic curves.
- ECDSAP256 bool
- ECDSAP384 bool
- ECDSAP521 bool
-}
-
-// LetsEncryptCPS encodes the five key algorithms and sizes allowed by the Let's
-// Encrypt CPS CV-SSL Subscriber Certificate Profile: RSA 2048, RSA 3076, RSA
-// 4096, ECDSA 256 and ECDSA P384.
-// https://github.com/letsencrypt/cp-cps/blob/main/CP-CPS.md#dv-ssl-subscriber-certificate
-// If this is ever changed, the CP/CPS MUST be changed first.
-func LetsEncryptCPS() AllowedKeys {
- return AllowedKeys{
- RSA2048: true,
- RSA3072: true,
- RSA4096: true,
- ECDSAP256: true,
- ECDSAP384: true,
- }
-}
-
-// ErrBadKey represents an error with a key. It is distinct from the various
-// ways in which an ACME request can have an erroneous key (BadPublicKeyError,
-// BadCSRError) because this library is used to check both JWS signing keys and
-// keys in CSRs.
-var ErrBadKey = errors.New("")
-
-func badKey(msg string, args ...interface{}) error {
- return fmt.Errorf("%w%s", ErrBadKey, fmt.Errorf(msg, args...))
-}
-
-// BlockedKeyCheckFunc is used to pass in the sa.BlockedKey functionality to KeyPolicy,
-// rather than storing a full sa.SQLStorageAuthority. This allows external
-// users who don’t want to import all of boulder/sa, and makes testing
-// significantly simpler.
-// On success, the function returns a boolean which is true if the key is blocked.
-type BlockedKeyCheckFunc func(ctx context.Context, keyHash []byte) (bool, error)
-
-// KeyPolicy determines which types of key may be used with various boulder
-// operations.
-type KeyPolicy struct {
- allowedKeys AllowedKeys
- weakRSAList *WeakRSAKeys
- blockedList *blockedKeys
- fermatRounds int
- blockedCheck BlockedKeyCheckFunc
-}
-
-// NewPolicy returns a key policy based on the given configuration, with sane
-// defaults. If the config's AllowedKeys is nil, the LetsEncryptCPS AllowedKeys
-// is used. If the config's WeakKeyFile or BlockedKeyFile paths are empty, those
-// checks are disabled. If the config's FermatRounds is 0, Fermat Factorization
-// is disabled.
-func NewPolicy(config *Config, bkc BlockedKeyCheckFunc) (KeyPolicy, error) {
- if config == nil {
- config = &Config{}
- }
- kp := KeyPolicy{
- blockedCheck: bkc,
- }
- if config.AllowedKeys == nil {
- kp.allowedKeys = LetsEncryptCPS()
- } else {
- kp.allowedKeys = *config.AllowedKeys
- }
- if config.WeakKeyFile != "" {
- keyList, err := LoadWeakRSASuffixes(config.WeakKeyFile)
- if err != nil {
- return KeyPolicy{}, err
- }
- kp.weakRSAList = keyList
- }
- if config.BlockedKeyFile != "" {
- blocked, err := loadBlockedKeysList(config.BlockedKeyFile)
- if err != nil {
- return KeyPolicy{}, err
- }
- kp.blockedList = blocked
- }
- if config.FermatRounds < 0 {
- return KeyPolicy{}, fmt.Errorf("Fermat factorization rounds cannot be negative: %d", config.FermatRounds)
- }
- kp.fermatRounds = config.FermatRounds
- return kp, nil
-}
-
-// GoodKey returns true if the key is acceptable for both TLS use and account
-// key use (our requirements are the same for either one), according to basic
-// strength and algorithm checking. GoodKey only supports pointers: *rsa.PublicKey
-// and *ecdsa.PublicKey. It will reject non-pointer types.
-// TODO: Support JSONWebKeys once go-jose migration is done.
-func (policy *KeyPolicy) GoodKey(ctx context.Context, key crypto.PublicKey) error {
- // Early rejection of unacceptable key types to guard subsequent checks.
- switch t := key.(type) {
- case *rsa.PublicKey, *ecdsa.PublicKey:
- break
- default:
- return badKey("unsupported key type %T", t)
- }
- // If there is a blocked list configured then check if the public key is one
- // that has been administratively blocked.
- if policy.blockedList != nil {
- if blocked, err := policy.blockedList.blocked(key); err != nil {
- return fmt.Errorf("error checking blocklist for key: %v", key)
- } else if blocked {
- return badKey("public key is forbidden")
- }
- }
- if policy.blockedCheck != nil {
- digest, err := core.KeyDigest(key)
- if err != nil {
- return badKey("%w", err)
- }
- exists, err := policy.blockedCheck(ctx, digest[:])
- if err != nil {
- return err
- } else if exists {
- return badKey("public key is forbidden")
- }
- }
- switch t := key.(type) {
- case *rsa.PublicKey:
- return policy.goodKeyRSA(t)
- case *ecdsa.PublicKey:
- return policy.goodKeyECDSA(t)
- default:
- return badKey("unsupported key type %T", key)
- }
-}
-
-// GoodKeyECDSA determines if an ECDSA pubkey meets our requirements
-func (policy *KeyPolicy) goodKeyECDSA(key *ecdsa.PublicKey) (err error) {
- // Check the curve.
- //
- // The validity of the curve is an assumption for all following tests.
- err = policy.goodCurve(key.Curve)
- if err != nil {
- return err
- }
-
- // Key validation routine adapted from NIST SP800-56A § 5.6.2.3.2.
- //
- //
- // Assuming a prime field since a) we are only allowing such curves and b)
- // crypto/elliptic only supports prime curves. Where this assumption
- // simplifies the code below, it is explicitly stated and explained. If ever
- // adapting this code to support non-prime curves, refer to NIST SP800-56A §
- // 5.6.2.3.2 and adapt this code appropriately.
- params := key.Params()
-
- // SP800-56A § 5.6.2.3.2 Step 1.
- // Partial check of the public key for an invalid range in the EC group:
- // Verify that key is not the point at infinity O.
- // This code assumes that the point at infinity is (0,0), which is the
- // case for all supported curves.
- if isPointAtInfinityNISTP(key.X, key.Y) {
- return badKey("key x, y must not be the point at infinity")
- }
-
- // SP800-56A § 5.6.2.3.2 Step 2.
- // "Verify that x_Q and y_Q are integers in the interval [0,p-1] in the
- // case that q is an odd prime p, or that x_Q and y_Q are bit strings
- // of length m bits in the case that q = 2**m."
- //
- // Prove prime field: ASSUMED.
- // Prove q != 2: ASSUMED. (Curve parameter. No supported curve has q == 2.)
- // Prime field && q != 2 => q is an odd prime p
- // Therefore "verify that x, y are in [0, p-1]" satisfies step 2.
- //
- // Therefore verify that both x and y of the public key point have the unique
- // correct representation of an element in the underlying field by verifying
- // that x and y are integers in [0, p-1].
- if key.X.Sign() < 0 || key.Y.Sign() < 0 {
- return badKey("key x, y must not be negative")
- }
-
- if key.X.Cmp(params.P) >= 0 || key.Y.Cmp(params.P) >= 0 {
- return badKey("key x, y must not exceed P-1")
- }
-
- // SP800-56A § 5.6.2.3.2 Step 3.
- // "If q is an odd prime p, verify that (y_Q)**2 === (x_Q)***3 + a*x_Q + b (mod p).
- // If q = 2**m, verify that (y_Q)**2 + (x_Q)*(y_Q) == (x_Q)**3 + a*(x_Q)*2 + b in
- // the finite field of size 2**m.
- // (Ensures that the public key is on the correct elliptic curve.)"
- //
- // q is an odd prime p: proven/assumed above.
- // a = -3 for all supported curves.
- //
- // Therefore step 3 is satisfied simply by showing that
- // y**2 === x**3 - 3*x + B (mod P).
- //
- // This proves that the public key is on the correct elliptic curve.
- // But in practice, this test is provided by crypto/elliptic, so use that.
- if !key.Curve.IsOnCurve(key.X, key.Y) {
- return badKey("key point is not on the curve")
- }
-
- // SP800-56A § 5.6.2.3.2 Step 4.
- // "Verify that n*Q == Ø.
- // (Ensures that the public key has the correct order. Along with check 1,
- // ensures that the public key is in the correct range in the correct EC
- // subgroup, that is, it is in the correct EC subgroup and is not the
- // identity element.)"
- //
- // Ensure that public key has the correct order:
- // verify that n*Q = Ø.
- //
- // n*Q = Ø iff n*Q is the point at infinity (see step 1).
- ox, oy := key.Curve.ScalarMult(key.X, key.Y, params.N.Bytes())
- if !isPointAtInfinityNISTP(ox, oy) {
- return badKey("public key does not have correct order")
- }
-
- // End of SP800-56A § 5.6.2.3.2 Public Key Validation Routine.
- // Key is valid.
- return nil
-}
-
-// Returns true iff the point (x,y) on NIST P-256, NIST P-384 or NIST P-521 is
-// the point at infinity. These curves all have the same point at infinity
-// (0,0). This function must ONLY be used on points on curves verified to have
-// (0,0) as their point at infinity.
-func isPointAtInfinityNISTP(x, y *big.Int) bool {
- return x.Sign() == 0 && y.Sign() == 0
-}
-
-// GoodCurve determines if an elliptic curve meets our requirements.
-func (policy *KeyPolicy) goodCurve(c elliptic.Curve) (err error) {
- // Simply use a whitelist for now.
- params := c.Params()
- switch {
- case policy.allowedKeys.ECDSAP256 && params == elliptic.P256().Params():
- return nil
- case policy.allowedKeys.ECDSAP384 && params == elliptic.P384().Params():
- return nil
- case policy.allowedKeys.ECDSAP521 && params == elliptic.P521().Params():
- return nil
- default:
- return badKey("ECDSA curve %v not allowed", params.Name)
- }
-}
-
-// GoodKeyRSA determines if a RSA pubkey meets our requirements
-func (policy *KeyPolicy) goodKeyRSA(key *rsa.PublicKey) error {
- modulus := key.N
-
- err := policy.goodRSABitLen(key)
- if err != nil {
- return err
- }
-
- if policy.weakRSAList != nil && policy.weakRSAList.Known(key) {
- return badKey("key is on a known weak RSA key list")
- }
-
- // Rather than support arbitrary exponents, which significantly increases
- // the size of the key space we allow, we restrict E to the defacto standard
- // RSA exponent 65537. There is no specific standards document that specifies
- // 65537 as the 'best' exponent, but ITU X.509 Annex C suggests there are
- // notable merits for using it if using a fixed exponent.
- //
- // The CABF Baseline Requirements state:
- // The CA SHALL confirm that the value of the public exponent is an
- // odd number equal to 3 or more. Additionally, the public exponent
- // SHOULD be in the range between 2^16 + 1 and 2^256-1.
- //
- // By only allowing one exponent, which fits these constraints, we satisfy
- // these requirements.
- if key.E != 65537 {
- return badKey("key exponent must be 65537")
- }
-
- // The modulus SHOULD also have the following characteristics: an odd
- // number, not the power of a prime, and have no factors smaller than 752.
- // TODO: We don't yet check for "power of a prime."
- if checkSmallPrimes(modulus) {
- return badKey("key divisible by small prime")
- }
- // Check for weak keys generated by Infineon hardware
- // (see https://crocs.fi.muni.cz/public/papers/rsa_ccs17)
- if rocacheck.IsWeak(key) {
- return badKey("key generated by vulnerable Infineon-based hardware")
- }
- // Check if the key can be easily factored via Fermat's factorization method.
- if policy.fermatRounds > 0 {
- err := checkPrimeFactorsTooClose(modulus, policy.fermatRounds)
- if err != nil {
- return badKey("key generated with factors too close together: %w", err)
- }
- }
-
- return nil
-}
-
-func (policy *KeyPolicy) goodRSABitLen(key *rsa.PublicKey) error {
- // See comment on AllowedKeys above.
- modulusBitLen := key.N.BitLen()
- switch {
- case modulusBitLen == 2048 && policy.allowedKeys.RSA2048:
- return nil
- case modulusBitLen == 3072 && policy.allowedKeys.RSA3072:
- return nil
- case modulusBitLen == 4096 && policy.allowedKeys.RSA4096:
- return nil
- default:
- return badKey("key size not supported: %d", modulusBitLen)
- }
-}
-
-// Returns true iff integer i is divisible by any of the primes in smallPrimes.
-//
-// Short circuits; execution time is dependent on i. Do not use this on secret
-// values.
-//
-// Rather than checking each prime individually (invoking Mod on each),
-// multiply the primes together and let GCD do our work for us: if the
-// GCD between and is not one, we know we have
-// a bad key. This is substantially faster than checking each prime
-// individually.
-func checkSmallPrimes(i *big.Int) bool {
- smallPrimesSingleton.Do(func() {
- smallPrimesProduct = big.NewInt(1)
- for _, prime := range smallPrimeInts {
- smallPrimesProduct.Mul(smallPrimesProduct, big.NewInt(prime))
- }
- })
-
- // When the GCD is 1, i and smallPrimesProduct are coprime, meaning they
- // share no common factors. When the GCD is not one, it is the product of
- // all common factors, meaning we've identified at least one small prime
- // which invalidates i as a valid key.
-
- var result big.Int
- result.GCD(nil, nil, i, smallPrimesProduct)
- return result.Cmp(big.NewInt(1)) != 0
-}
-
-// Returns an error if the modulus n is able to be factored into primes p and q
-// via Fermat's factorization method. This method relies on the two primes being
-// very close together, which means that they were almost certainly not picked
-// independently from a uniform random distribution. Basically, if we can factor
-// the key this easily, so can anyone else.
-func checkPrimeFactorsTooClose(n *big.Int, rounds int) error {
- // Pre-allocate some big numbers that we'll use a lot down below.
- one := big.NewInt(1)
- bb := new(big.Int)
-
- // Any odd integer is equal to a difference of squares of integers:
- // n = a^2 - b^2 = (a + b)(a - b)
- // Any RSA public key modulus is equal to a product of two primes:
- // n = pq
- // Here we try to find values for a and b, since doing so also gives us the
- // prime factors p = (a + b) and q = (a - b).
-
- // We start with a close to the square root of the modulus n, to start with
- // two candidate prime factors that are as close together as possible and
- // work our way out from there. Specifically, we set a = ceil(sqrt(n)), the
- // first integer greater than the square root of n. Unfortunately, big.Int's
- // built-in square root function takes the floor, so we have to add one to get
- // the ceil.
- a := new(big.Int)
- a.Sqrt(n).Add(a, one)
-
- // We calculate b2 to see if it is a perfect square (i.e. b^2), and therefore
- // b is an integer. Specifically, b2 = a^2 - n.
- b2 := new(big.Int)
- b2.Mul(a, a).Sub(b2, n)
-
- for range rounds {
- // To see if b2 is a perfect square, we take its square root, square that,
- // and check to see if we got the same result back.
- bb.Sqrt(b2).Mul(bb, bb)
- if b2.Cmp(bb) == 0 {
- // b2 is a perfect square, so we've found integer values of a and b,
- // and can easily compute p and q as their sum and difference.
- bb.Sqrt(bb)
- p := new(big.Int).Add(a, bb)
- q := new(big.Int).Sub(a, bb)
- return fmt.Errorf("public modulus n = pq factored into p: %s; q: %s", p, q)
- }
-
- // Set up the next iteration by incrementing a by one and recalculating b2.
- a.Add(a, one)
- b2.Mul(a, a).Sub(b2, n)
- }
- return nil
-}
diff --git a/vendor/github.com/letsencrypt/boulder/goodkey/weak.go b/vendor/github.com/letsencrypt/boulder/goodkey/weak.go
deleted file mode 100644
index dd7afd5e4c..0000000000
--- a/vendor/github.com/letsencrypt/boulder/goodkey/weak.go
+++ /dev/null
@@ -1,66 +0,0 @@
-package goodkey
-
-// This file defines a basic method for testing if a given RSA public key is on one of
-// the Debian weak key lists and is therefore considered compromised. Instead of
-// directly loading the hash suffixes from the individual lists we flatten them all
-// into a single JSON list using cmd/weak-key-flatten for ease of use.
-
-import (
- "crypto/rsa"
- "crypto/sha1"
- "encoding/hex"
- "encoding/json"
- "fmt"
- "os"
-)
-
-type truncatedHash [10]byte
-
-type WeakRSAKeys struct {
- suffixes map[truncatedHash]struct{}
-}
-
-func LoadWeakRSASuffixes(path string) (*WeakRSAKeys, error) {
- f, err := os.ReadFile(path)
- if err != nil {
- return nil, err
- }
-
- var suffixList []string
- err = json.Unmarshal(f, &suffixList)
- if err != nil {
- return nil, err
- }
-
- wk := &WeakRSAKeys{suffixes: make(map[truncatedHash]struct{})}
- for _, suffix := range suffixList {
- err := wk.addSuffix(suffix)
- if err != nil {
- return nil, err
- }
- }
- return wk, nil
-}
-
-func (wk *WeakRSAKeys) addSuffix(str string) error {
- var suffix truncatedHash
- decoded, err := hex.DecodeString(str)
- if err != nil {
- return err
- }
- if len(decoded) != 10 {
- return fmt.Errorf("unexpected suffix length of %d", len(decoded))
- }
- copy(suffix[:], decoded)
- wk.suffixes[suffix] = struct{}{}
- return nil
-}
-
-func (wk *WeakRSAKeys) Known(key *rsa.PublicKey) bool {
- // Hash input is in the format "Modulus={upper-case hex of modulus}\n"
- hash := sha1.Sum([]byte(fmt.Sprintf("Modulus=%X\n", key.N.Bytes())))
- var suffix truncatedHash
- copy(suffix[:], hash[10:])
- _, present := wk.suffixes[suffix]
- return present
-}
diff --git a/vendor/github.com/letsencrypt/boulder/identifier/identifier.go b/vendor/github.com/letsencrypt/boulder/identifier/identifier.go
deleted file mode 100644
index cbf228f869..0000000000
--- a/vendor/github.com/letsencrypt/boulder/identifier/identifier.go
+++ /dev/null
@@ -1,32 +0,0 @@
-// The identifier package defines types for RFC 8555 ACME identifiers.
-package identifier
-
-// IdentifierType is a named string type for registered ACME identifier types.
-// See https://tools.ietf.org/html/rfc8555#section-9.7.7
-type IdentifierType string
-
-const (
- // DNS is specified in RFC 8555 for DNS type identifiers.
- DNS = IdentifierType("dns")
-)
-
-// ACMEIdentifier is a struct encoding an identifier that can be validated. The
-// protocol allows for different types of identifier to be supported (DNS
-// names, IP addresses, etc.), but currently we only support RFC 8555 DNS type
-// identifiers for domain names.
-type ACMEIdentifier struct {
- // Type is the registered IdentifierType of the identifier.
- Type IdentifierType `json:"type"`
- // Value is the value of the identifier. For a DNS type identifier it is
- // a domain name.
- Value string `json:"value"`
-}
-
-// DNSIdentifier is a convenience function for creating an ACMEIdentifier with
-// Type DNS for a given domain name.
-func DNSIdentifier(domain string) ACMEIdentifier {
- return ACMEIdentifier{
- Type: DNS,
- Value: domain,
- }
-}
diff --git a/vendor/github.com/letsencrypt/boulder/probs/probs.go b/vendor/github.com/letsencrypt/boulder/probs/probs.go
deleted file mode 100644
index ec6c272ae5..0000000000
--- a/vendor/github.com/letsencrypt/boulder/probs/probs.go
+++ /dev/null
@@ -1,343 +0,0 @@
-package probs
-
-import (
- "fmt"
- "net/http"
-
- "github.com/letsencrypt/boulder/identifier"
-)
-
-const (
- // Error types that can be used in ACME payloads. These are sorted in the
- // same order as they are defined in RFC8555 Section 6.7. We do not implement
- // the `compound`, `externalAccountRequired`, or `userActionRequired` errors,
- // because we have no path that would return them.
- AccountDoesNotExistProblem = ProblemType("accountDoesNotExist")
- AlreadyRevokedProblem = ProblemType("alreadyRevoked")
- BadCSRProblem = ProblemType("badCSR")
- BadNonceProblem = ProblemType("badNonce")
- BadPublicKeyProblem = ProblemType("badPublicKey")
- BadRevocationReasonProblem = ProblemType("badRevocationReason")
- BadSignatureAlgorithmProblem = ProblemType("badSignatureAlgorithm")
- CAAProblem = ProblemType("caa")
- // ConflictProblem is a problem type that is not defined in RFC8555.
- ConflictProblem = ProblemType("conflict")
- ConnectionProblem = ProblemType("connection")
- DNSProblem = ProblemType("dns")
- InvalidContactProblem = ProblemType("invalidContact")
- MalformedProblem = ProblemType("malformed")
- OrderNotReadyProblem = ProblemType("orderNotReady")
- RateLimitedProblem = ProblemType("rateLimited")
- RejectedIdentifierProblem = ProblemType("rejectedIdentifier")
- ServerInternalProblem = ProblemType("serverInternal")
- TLSProblem = ProblemType("tls")
- UnauthorizedProblem = ProblemType("unauthorized")
- UnsupportedContactProblem = ProblemType("unsupportedContact")
- UnsupportedIdentifierProblem = ProblemType("unsupportedIdentifier")
-
- ErrorNS = "urn:ietf:params:acme:error:"
-)
-
-// ProblemType defines the error types in the ACME protocol
-type ProblemType string
-
-// ProblemDetails objects represent problem documents
-// https://tools.ietf.org/html/draft-ietf-appsawg-http-problem-00
-type ProblemDetails struct {
- Type ProblemType `json:"type,omitempty"`
- Detail string `json:"detail,omitempty"`
- // HTTPStatus is the HTTP status code the ProblemDetails should probably be sent
- // as.
- HTTPStatus int `json:"status,omitempty"`
- // SubProblems are optional additional per-identifier problems. See
- // RFC 8555 Section 6.7.1: https://tools.ietf.org/html/rfc8555#section-6.7.1
- SubProblems []SubProblemDetails `json:"subproblems,omitempty"`
-}
-
-// SubProblemDetails represents sub-problems specific to an identifier that are
-// related to a top-level ProblemDetails.
-// See RFC 8555 Section 6.7.1: https://tools.ietf.org/html/rfc8555#section-6.7.1
-type SubProblemDetails struct {
- ProblemDetails
- Identifier identifier.ACMEIdentifier `json:"identifier"`
-}
-
-func (pd *ProblemDetails) Error() string {
- return fmt.Sprintf("%s :: %s", pd.Type, pd.Detail)
-}
-
-// WithSubProblems returns a new ProblemsDetails instance created by adding the
-// provided subProbs to the existing ProblemsDetail.
-func (pd *ProblemDetails) WithSubProblems(subProbs []SubProblemDetails) *ProblemDetails {
- return &ProblemDetails{
- Type: pd.Type,
- Detail: pd.Detail,
- HTTPStatus: pd.HTTPStatus,
- SubProblems: append(pd.SubProblems, subProbs...),
- }
-}
-
-// Helper functions which construct the basic RFC8555 Problem Documents, with
-// the Type already set and the Details supplied by the caller.
-
-// AccountDoesNotExist returns a ProblemDetails representing an
-// AccountDoesNotExistProblem error
-func AccountDoesNotExist(detail string) *ProblemDetails {
- return &ProblemDetails{
- Type: AccountDoesNotExistProblem,
- Detail: detail,
- HTTPStatus: http.StatusBadRequest,
- }
-}
-
-// AlreadyRevoked returns a ProblemDetails with a AlreadyRevokedProblem and a 400 Bad
-// Request status code.
-func AlreadyRevoked(detail string, a ...any) *ProblemDetails {
- return &ProblemDetails{
- Type: AlreadyRevokedProblem,
- Detail: fmt.Sprintf(detail, a...),
- HTTPStatus: http.StatusBadRequest,
- }
-}
-
-// BadCSR returns a ProblemDetails representing a BadCSRProblem.
-func BadCSR(detail string, a ...any) *ProblemDetails {
- return &ProblemDetails{
- Type: BadCSRProblem,
- Detail: fmt.Sprintf(detail, a...),
- HTTPStatus: http.StatusBadRequest,
- }
-}
-
-// BadNonce returns a ProblemDetails with a BadNonceProblem and a 400 Bad
-// Request status code.
-func BadNonce(detail string) *ProblemDetails {
- return &ProblemDetails{
- Type: BadNonceProblem,
- Detail: detail,
- HTTPStatus: http.StatusBadRequest,
- }
-}
-
-// BadPublicKey returns a ProblemDetails with a BadPublicKeyProblem and a 400 Bad
-// Request status code.
-func BadPublicKey(detail string, a ...any) *ProblemDetails {
- return &ProblemDetails{
- Type: BadPublicKeyProblem,
- Detail: fmt.Sprintf(detail, a...),
- HTTPStatus: http.StatusBadRequest,
- }
-}
-
-// BadRevocationReason returns a ProblemDetails representing
-// a BadRevocationReasonProblem
-func BadRevocationReason(detail string, a ...any) *ProblemDetails {
- return &ProblemDetails{
- Type: BadRevocationReasonProblem,
- Detail: fmt.Sprintf(detail, a...),
- HTTPStatus: http.StatusBadRequest,
- }
-}
-
-// BadSignatureAlgorithm returns a ProblemDetails with a BadSignatureAlgorithmProblem
-// and a 400 Bad Request status code.
-func BadSignatureAlgorithm(detail string, a ...any) *ProblemDetails {
- return &ProblemDetails{
- Type: BadSignatureAlgorithmProblem,
- Detail: fmt.Sprintf(detail, a...),
- HTTPStatus: http.StatusBadRequest,
- }
-}
-
-// CAA returns a ProblemDetails representing a CAAProblem
-func CAA(detail string) *ProblemDetails {
- return &ProblemDetails{
- Type: CAAProblem,
- Detail: detail,
- HTTPStatus: http.StatusForbidden,
- }
-}
-
-// Connection returns a ProblemDetails representing a ConnectionProblem
-// error
-func Connection(detail string) *ProblemDetails {
- return &ProblemDetails{
- Type: ConnectionProblem,
- Detail: detail,
- HTTPStatus: http.StatusBadRequest,
- }
-}
-
-// DNS returns a ProblemDetails representing a DNSProblem
-func DNS(detail string) *ProblemDetails {
- return &ProblemDetails{
- Type: DNSProblem,
- Detail: detail,
- HTTPStatus: http.StatusBadRequest,
- }
-}
-
-// InvalidContact returns a ProblemDetails representing an InvalidContactProblem.
-func InvalidContact(detail string) *ProblemDetails {
- return &ProblemDetails{
- Type: InvalidContactProblem,
- Detail: detail,
- HTTPStatus: http.StatusBadRequest,
- }
-}
-
-// Malformed returns a ProblemDetails with a MalformedProblem and a 400 Bad
-// Request status code.
-func Malformed(detail string, a ...any) *ProblemDetails {
- if len(a) > 0 {
- detail = fmt.Sprintf(detail, a...)
- }
- return &ProblemDetails{
- Type: MalformedProblem,
- Detail: detail,
- HTTPStatus: http.StatusBadRequest,
- }
-}
-
-// OrderNotReady returns a ProblemDetails representing a OrderNotReadyProblem
-func OrderNotReady(detail string, a ...any) *ProblemDetails {
- return &ProblemDetails{
- Type: OrderNotReadyProblem,
- Detail: fmt.Sprintf(detail, a...),
- HTTPStatus: http.StatusForbidden,
- }
-}
-
-// RateLimited returns a ProblemDetails representing a RateLimitedProblem error
-func RateLimited(detail string) *ProblemDetails {
- return &ProblemDetails{
- Type: RateLimitedProblem,
- Detail: detail,
- HTTPStatus: http.StatusTooManyRequests,
- }
-}
-
-// RejectedIdentifier returns a ProblemDetails with a RejectedIdentifierProblem and a 400 Bad
-// Request status code.
-func RejectedIdentifier(detail string) *ProblemDetails {
- return &ProblemDetails{
- Type: RejectedIdentifierProblem,
- Detail: detail,
- HTTPStatus: http.StatusBadRequest,
- }
-}
-
-// ServerInternal returns a ProblemDetails with a ServerInternalProblem and a
-// 500 Internal Server Failure status code.
-func ServerInternal(detail string) *ProblemDetails {
- return &ProblemDetails{
- Type: ServerInternalProblem,
- Detail: detail,
- HTTPStatus: http.StatusInternalServerError,
- }
-}
-
-// TLS returns a ProblemDetails representing a TLSProblem error
-func TLS(detail string) *ProblemDetails {
- return &ProblemDetails{
- Type: TLSProblem,
- Detail: detail,
- HTTPStatus: http.StatusBadRequest,
- }
-}
-
-// Unauthorized returns a ProblemDetails with an UnauthorizedProblem and a 403
-// Forbidden status code.
-func Unauthorized(detail string) *ProblemDetails {
- return &ProblemDetails{
- Type: UnauthorizedProblem,
- Detail: detail,
- HTTPStatus: http.StatusForbidden,
- }
-}
-
-// UnsupportedContact returns a ProblemDetails representing an
-// UnsupportedContactProblem
-func UnsupportedContact(detail string) *ProblemDetails {
- return &ProblemDetails{
- Type: UnsupportedContactProblem,
- Detail: detail,
- HTTPStatus: http.StatusBadRequest,
- }
-}
-
-// UnsupportedIdentifier returns a ProblemDetails representing an
-// UnsupportedIdentifierProblem
-func UnsupportedIdentifier(detail string, a ...any) *ProblemDetails {
- return &ProblemDetails{
- Type: UnsupportedIdentifierProblem,
- Detail: fmt.Sprintf(detail, a...),
- HTTPStatus: http.StatusBadRequest,
- }
-}
-
-// Additional helper functions that return variations on MalformedProblem with
-// different HTTP status codes set.
-
-// Canceled returns a ProblemDetails with a MalformedProblem and a 408 Request
-// Timeout status code.
-func Canceled(detail string, a ...any) *ProblemDetails {
- if len(a) > 0 {
- detail = fmt.Sprintf(detail, a...)
- }
- return &ProblemDetails{
- Type: MalformedProblem,
- Detail: detail,
- HTTPStatus: http.StatusRequestTimeout,
- }
-}
-
-// Conflict returns a ProblemDetails with a ConflictProblem and a 409 Conflict
-// status code.
-func Conflict(detail string) *ProblemDetails {
- return &ProblemDetails{
- Type: ConflictProblem,
- Detail: detail,
- HTTPStatus: http.StatusConflict,
- }
-}
-
-// ContentLengthRequired returns a ProblemDetails representing a missing
-// Content-Length header error
-func ContentLengthRequired() *ProblemDetails {
- return &ProblemDetails{
- Type: MalformedProblem,
- Detail: "missing Content-Length header",
- HTTPStatus: http.StatusLengthRequired,
- }
-}
-
-// InvalidContentType returns a ProblemDetails suitable for a missing
-// ContentType header, or an incorrect ContentType header
-func InvalidContentType(detail string) *ProblemDetails {
- return &ProblemDetails{
- Type: MalformedProblem,
- Detail: detail,
- HTTPStatus: http.StatusUnsupportedMediaType,
- }
-}
-
-// MethodNotAllowed returns a ProblemDetails representing a disallowed HTTP
-// method error.
-func MethodNotAllowed() *ProblemDetails {
- return &ProblemDetails{
- Type: MalformedProblem,
- Detail: "Method not allowed",
- HTTPStatus: http.StatusMethodNotAllowed,
- }
-}
-
-// NotFound returns a ProblemDetails with a MalformedProblem and a 404 Not Found
-// status code.
-func NotFound(detail string) *ProblemDetails {
- return &ProblemDetails{
- Type: MalformedProblem,
- Detail: detail,
- HTTPStatus: http.StatusNotFound,
- }
-}
diff --git a/vendor/github.com/letsencrypt/boulder/revocation/reasons.go b/vendor/github.com/letsencrypt/boulder/revocation/reasons.go
deleted file mode 100644
index 50f556be01..0000000000
--- a/vendor/github.com/letsencrypt/boulder/revocation/reasons.go
+++ /dev/null
@@ -1,72 +0,0 @@
-package revocation
-
-import (
- "fmt"
- "sort"
- "strings"
-
- "golang.org/x/crypto/ocsp"
-)
-
-// Reason is used to specify a certificate revocation reason
-type Reason int
-
-// ReasonToString provides a map from reason code to string
-var ReasonToString = map[Reason]string{
- ocsp.Unspecified: "unspecified",
- ocsp.KeyCompromise: "keyCompromise",
- ocsp.CACompromise: "cACompromise",
- ocsp.AffiliationChanged: "affiliationChanged",
- ocsp.Superseded: "superseded",
- ocsp.CessationOfOperation: "cessationOfOperation",
- ocsp.CertificateHold: "certificateHold",
- // 7 is unused
- ocsp.RemoveFromCRL: "removeFromCRL",
- ocsp.PrivilegeWithdrawn: "privilegeWithdrawn",
- ocsp.AACompromise: "aAcompromise",
-}
-
-// UserAllowedReasons contains the subset of Reasons which users are
-// allowed to use
-var UserAllowedReasons = map[Reason]struct{}{
- ocsp.Unspecified: {},
- ocsp.KeyCompromise: {},
- ocsp.Superseded: {},
- ocsp.CessationOfOperation: {},
-}
-
-// AdminAllowedReasons contains the subset of Reasons which admins are allowed
-// to use. Reasons not found here will soon be forbidden from appearing in CRLs
-// or OCSP responses by root programs.
-var AdminAllowedReasons = map[Reason]struct{}{
- ocsp.Unspecified: {},
- ocsp.KeyCompromise: {},
- ocsp.Superseded: {},
- ocsp.CessationOfOperation: {},
- ocsp.PrivilegeWithdrawn: {},
-}
-
-// UserAllowedReasonsMessage contains a string describing a list of user allowed
-// revocation reasons. This is useful when a revocation is rejected because it
-// is not a valid user supplied reason and the allowed values must be
-// communicated. This variable is populated during package initialization.
-var UserAllowedReasonsMessage = ""
-
-func init() {
- // Build a slice of ints from the allowed reason codes.
- // We want a slice because iterating `UserAllowedReasons` will change order
- // and make the message unpredictable and cumbersome for unit testing.
- // We use []ints instead of []Reason to use `sort.Ints` without fuss.
- var allowed []int
- for reason := range UserAllowedReasons {
- allowed = append(allowed, int(reason))
- }
- sort.Ints(allowed)
-
- var reasonStrings []string
- for _, reason := range allowed {
- reasonStrings = append(reasonStrings, fmt.Sprintf("%s (%d)",
- ReasonToString[Reason(reason)], reason))
- }
- UserAllowedReasonsMessage = strings.Join(reasonStrings, ", ")
-}
diff --git a/vendor/github.com/letsencrypt/boulder/strictyaml/yaml.go b/vendor/github.com/letsencrypt/boulder/strictyaml/yaml.go
deleted file mode 100644
index 8e3bae9965..0000000000
--- a/vendor/github.com/letsencrypt/boulder/strictyaml/yaml.go
+++ /dev/null
@@ -1,46 +0,0 @@
-// Package strictyaml provides a strict YAML unmarshaller based on `go-yaml/yaml`
-package strictyaml
-
-import (
- "bytes"
- "errors"
- "fmt"
- "io"
-
- "gopkg.in/yaml.v3"
-)
-
-// Unmarshal takes a byte array and an interface passed by reference. The
-// d.Decode will read the next YAML-encoded value from its input and store it in
-// the value pointed to by yamlObj. Any config keys from the incoming YAML
-// document which do not correspond to expected keys in the config struct will
-// result in errors.
-//
-// TODO(https://github.com/go-yaml/yaml/issues/639): Replace this function with
-// yaml.Unmarshal once a more ergonomic way to set unmarshal options is added
-// upstream.
-func Unmarshal(b []byte, yamlObj interface{}) error {
- r := bytes.NewReader(b)
-
- d := yaml.NewDecoder(r)
- d.KnownFields(true)
-
- // d.Decode will mutate yamlObj
- err := d.Decode(yamlObj)
-
- if err != nil {
- // io.EOF is returned when the YAML document is empty.
- if errors.Is(err, io.EOF) {
- return fmt.Errorf("unmarshalling YAML, bytes cannot be nil: %w", err)
- }
- return fmt.Errorf("unmarshalling YAML: %w", err)
- }
-
- // As bytes are read by the decoder, the length of the byte buffer should
- // decrease. If it doesn't, there's a problem.
- if r.Len() != 0 {
- return fmt.Errorf("yaml object of size %d bytes had %d bytes of unexpected unconsumed trailers", r.Size(), r.Len())
- }
-
- return nil
-}
diff --git a/vendor/github.com/sigstore/fulcio/pkg/certificate/extensions.go b/vendor/github.com/sigstore/fulcio/pkg/certificate/extensions.go
index 584aac971f..4ed41e31a1 100644
--- a/vendor/github.com/sigstore/fulcio/pkg/certificate/extensions.go
+++ b/vendor/github.com/sigstore/fulcio/pkg/certificate/extensions.go
@@ -53,6 +53,7 @@ var (
OIDBuildTrigger = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 20}
OIDRunInvocationURI = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 21}
OIDSourceRepositoryVisibilityAtSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 22}
+ OIDDeploymentEnvironment = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 23}
)
// Extensions contains all custom x509 extensions defined by Fulcio
@@ -132,6 +133,9 @@ type Extensions struct {
// Source repository visibility at the time of signing the certificate.
SourceRepositoryVisibilityAtSigning string `json:"SourceRepositoryVisibilityAtSigning,omitempty" yaml:"source-repository-visibility-at-signing,omitempty"` // 1.3.6.1.4.1.57264.1.22
+
+ // Deployment target for a workflow or job
+ DeploymentEnvironment string `json:"DeploymentEnvironment,omitempty" yaml:"deployment-environment,omitempty"` // 1.3.6.1.4.1.57264.1.23
}
func (e Extensions) Render() ([]pkix.Extension, error) {
@@ -334,6 +338,16 @@ func (e Extensions) Render() ([]pkix.Extension, error) {
Value: val,
})
}
+ if e.DeploymentEnvironment != "" {
+ val, err := asn1.MarshalWithParams(e.DeploymentEnvironment, "utf8")
+ if err != nil {
+ return nil, err
+ }
+ exts = append(exts, pkix.Extension{
+ Id: OIDDeploymentEnvironment,
+ Value: val,
+ })
+ }
return exts, nil
}
@@ -417,6 +431,10 @@ func ParseExtensions(ext []pkix.Extension) (Extensions, error) {
if err := ParseDERString(e.Value, &out.SourceRepositoryVisibilityAtSigning); err != nil {
return Extensions{}, err
}
+ case e.Id.Equal(OIDDeploymentEnvironment):
+ if err := ParseDERString(e.Value, &out.DeploymentEnvironment); err != nil {
+ return Extensions{}, err
+ }
}
}
diff --git a/vendor/github.com/sigstore/protobuf-specs/gen/pb-go/common/v1/sigstore_common.pb.go b/vendor/github.com/sigstore/protobuf-specs/gen/pb-go/common/v1/sigstore_common.pb.go
index 40725bd79c..5f339b2d78 100644
--- a/vendor/github.com/sigstore/protobuf-specs/gen/pb-go/common/v1/sigstore_common.pb.go
+++ b/vendor/github.com/sigstore/protobuf-specs/gen/pb-go/common/v1/sigstore_common.pb.go
@@ -15,7 +15,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.5
-// protoc v5.29.4
+// protoc v6.30.2
// source: sigstore_common.proto
package v1
@@ -112,7 +112,8 @@ func (HashAlgorithm) EnumDescriptor() ([]byte, []int) {
// opinionated options instead of allowing every possible permutation.
//
// Any changes to this enum MUST be reflected in the algorithm registry.
-// See: docs/algorithm-registry.md
+//
+// See:
//
// To avoid the possibility of contradicting formats such as PKCS1 with
// ED25519 the valid permutations are listed as a linear set instead of a
@@ -159,8 +160,9 @@ const (
PublicKeyDetails_PKIX_ECDSA_P521_SHA_256 PublicKeyDetails = 20
// LMS and LM-OTS
//
- // These keys and signatures may be used by private Sigstore
- // deployments, but are not currently supported by the public
+ // These algorithms are deprecated and should not be used.
+ // Keys and signatures MAY be used by private Sigstore
+ // deployments, but will not be supported by the public
// good instance.
//
// USER WARNING: LMS and LM-OTS are both stateful signature schemes.
@@ -170,8 +172,26 @@ const (
// MUST NOT be used for more than one signature per LM-OTS key.
// If you cannot maintain these invariants, you MUST NOT use these
// schemes.
- PublicKeyDetails_LMS_SHA256 PublicKeyDetails = 14
+ //
+ // Deprecated: Marked as deprecated in sigstore_common.proto.
+ PublicKeyDetails_LMS_SHA256 PublicKeyDetails = 14
+ // Deprecated: Marked as deprecated in sigstore_common.proto.
PublicKeyDetails_LMOTS_SHA256 PublicKeyDetails = 15
+ // ML-DSA
+ //
+ // These ML_DSA_65 and ML-DSA_87 algorithms are the pure variants that
+ // take data to sign rather than the prehash variants (HashML-DSA), which
+ // take digests. While considered quantum-resistant, their usage
+ // involves tradeoffs in that signatures and keys are much larger, and
+ // this makes deployments more costly.
+ //
+ // USER WARNING: ML_DSA_65 and ML_DSA_87 are experimental algorithms.
+ // In the future they MAY be used by private Sigstore deployments, but
+ // they are not yet fully functional. This warning will be removed when
+ // these algorithms are widely supported by Sigstore clients and servers,
+ // but care should still be taken for production environments.
+ PublicKeyDetails_ML_DSA_65 PublicKeyDetails = 21 // See NIST FIPS 204
+ PublicKeyDetails_ML_DSA_87 PublicKeyDetails = 22
)
// Enum value maps for PublicKeyDetails.
@@ -198,6 +218,8 @@ var (
20: "PKIX_ECDSA_P521_SHA_256",
14: "LMS_SHA256",
15: "LMOTS_SHA256",
+ 21: "ML_DSA_65",
+ 22: "ML_DSA_87",
}
PublicKeyDetails_value = map[string]int32{
"PUBLIC_KEY_DETAILS_UNSPECIFIED": 0,
@@ -221,6 +243,8 @@ var (
"PKIX_ECDSA_P521_SHA_256": 20,
"LMS_SHA256": 14,
"LMOTS_SHA256": 15,
+ "ML_DSA_65": 21,
+ "ML_DSA_87": 22,
}
)
@@ -1134,7 +1158,7 @@ var file_sigstore_common_proto_rawDesc = string([]byte{
0x48, 0x41, 0x32, 0x5f, 0x33, 0x38, 0x34, 0x10, 0x02, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x41,
0x32, 0x5f, 0x35, 0x31, 0x32, 0x10, 0x03, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x41, 0x33, 0x5f,
0x32, 0x35, 0x36, 0x10, 0x04, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x41, 0x33, 0x5f, 0x33, 0x38,
- 0x34, 0x10, 0x05, 0x2a, 0xe9, 0x04, 0x0a, 0x10, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65,
+ 0x34, 0x10, 0x05, 0x2a, 0x8f, 0x05, 0x0a, 0x10, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65,
0x79, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x12, 0x22, 0x0a, 0x1e, 0x50, 0x55, 0x42, 0x4c,
0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x44, 0x45, 0x54, 0x41, 0x49, 0x4c, 0x53, 0x5f, 0x55,
0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x11,
@@ -1170,25 +1194,27 @@ var file_sigstore_common_proto_rawDesc = string([]byte{
0x44, 0x53, 0x41, 0x5f, 0x50, 0x33, 0x38, 0x34, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x32, 0x35, 0x36,
0x10, 0x13, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x1f, 0x0a, 0x17, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45,
0x43, 0x44, 0x53, 0x41, 0x5f, 0x50, 0x35, 0x32, 0x31, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x32, 0x35,
- 0x36, 0x10, 0x14, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x0e, 0x0a, 0x0a, 0x4c, 0x4d, 0x53, 0x5f, 0x53,
- 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, 0x0e, 0x12, 0x10, 0x0a, 0x0c, 0x4c, 0x4d, 0x4f, 0x54, 0x53,
- 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, 0x0f, 0x22, 0x04, 0x08, 0x15, 0x10, 0x32, 0x2a,
- 0x6f, 0x0a, 0x1a, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x41, 0x6c, 0x74, 0x65, 0x72, 0x6e,
- 0x61, 0x74, 0x69, 0x76, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x2d, 0x0a,
- 0x29, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x41, 0x4c, 0x54, 0x45, 0x52, 0x4e, 0x41,
- 0x54, 0x49, 0x56, 0x45, 0x5f, 0x4e, 0x41, 0x4d, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55,
- 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05,
- 0x45, 0x4d, 0x41, 0x49, 0x4c, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x55, 0x52, 0x49, 0x10, 0x02,
- 0x12, 0x0e, 0x0a, 0x0a, 0x4f, 0x54, 0x48, 0x45, 0x52, 0x5f, 0x4e, 0x41, 0x4d, 0x45, 0x10, 0x03,
- 0x42, 0x7c, 0x0a, 0x1c, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65,
- 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31,
- 0x42, 0x0b, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a,
- 0x36, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73,
- 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70,
- 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x63, 0x6f,
- 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0xea, 0x02, 0x14, 0x53, 0x69, 0x67, 0x73, 0x74, 0x6f,
- 0x72, 0x65, 0x3a, 0x3a, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x06,
- 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+ 0x36, 0x10, 0x14, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x12, 0x0a, 0x0a, 0x4c, 0x4d, 0x53, 0x5f, 0x53,
+ 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, 0x0e, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x14, 0x0a, 0x0c, 0x4c,
+ 0x4d, 0x4f, 0x54, 0x53, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, 0x0f, 0x1a, 0x02, 0x08,
+ 0x01, 0x12, 0x0d, 0x0a, 0x09, 0x4d, 0x4c, 0x5f, 0x44, 0x53, 0x41, 0x5f, 0x36, 0x35, 0x10, 0x15,
+ 0x12, 0x0d, 0x0a, 0x09, 0x4d, 0x4c, 0x5f, 0x44, 0x53, 0x41, 0x5f, 0x38, 0x37, 0x10, 0x16, 0x22,
+ 0x04, 0x08, 0x17, 0x10, 0x32, 0x2a, 0x6f, 0x0a, 0x1a, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74,
+ 0x41, 0x6c, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x74, 0x69, 0x76, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x54,
+ 0x79, 0x70, 0x65, 0x12, 0x2d, 0x0a, 0x29, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x41,
+ 0x4c, 0x54, 0x45, 0x52, 0x4e, 0x41, 0x54, 0x49, 0x56, 0x45, 0x5f, 0x4e, 0x41, 0x4d, 0x45, 0x5f,
+ 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44,
+ 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x45, 0x4d, 0x41, 0x49, 0x4c, 0x10, 0x01, 0x12, 0x07, 0x0a,
+ 0x03, 0x55, 0x52, 0x49, 0x10, 0x02, 0x12, 0x0e, 0x0a, 0x0a, 0x4f, 0x54, 0x48, 0x45, 0x52, 0x5f,
+ 0x4e, 0x41, 0x4d, 0x45, 0x10, 0x03, 0x42, 0x7c, 0x0a, 0x1c, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69,
+ 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x63, 0x6f, 0x6d,
+ 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x42, 0x0b, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x50, 0x72,
+ 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x36, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f,
+ 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+ 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70, 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62,
+ 0x2d, 0x67, 0x6f, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0xea, 0x02, 0x14,
+ 0x53, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x3a, 0x3a, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e,
+ 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
})
var (
diff --git a/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/publickey.go b/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/publickey.go
index 1e2fa031be..1182d0ca35 100644
--- a/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/publickey.go
+++ b/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/publickey.go
@@ -16,10 +16,10 @@
package cryptoutils
import (
- "context"
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
+ "crypto/elliptic"
"crypto/rsa"
"crypto/sha1" // nolint:gosec
"crypto/x509"
@@ -29,8 +29,7 @@ import (
"encoding/pem"
"errors"
"fmt"
-
- "github.com/letsencrypt/boulder/goodkey"
+ "slices"
)
const (
@@ -135,52 +134,25 @@ func genErrMsg(first, second crypto.PublicKey, keyType string) string {
}
// ValidatePubKey validates the parameters of an RSA, ECDSA, or ED25519 public key.
+//
+// Deprecated: Prefer goodkey.ValidatePubKey. This function has been
+// updated to verify only the size of the key for RSA or the curve
+// for ECDSA.
func ValidatePubKey(pub crypto.PublicKey) error {
- // goodkey policy enforces:
- // * RSA
- // * Size of key: 2048 <= size <= 4096, size % 8 = 0
- // * Exponent E = 65537 (Default exponent for OpenSSL and Golang)
- // * Small primes check for modulus
- // * Weak keys generated by Infineon hardware (see https://crocs.fi.muni.cz/public/papers/rsa_ccs17)
- // * Key is easily factored with Fermat's factorization method
- // * EC
- // * Public key Q is not the identity element (Ø)
- // * Public key Q's x and y are within [0, p-1]
- // * Public key Q is on the curve
- // * Public key Q's order matches the subgroups (nQ = Ø)
- allowedKeys := &goodkey.AllowedKeys{
- RSA2048: true,
- RSA3072: true,
- RSA4096: true,
- ECDSAP256: true,
- ECDSAP384: true,
- ECDSAP521: true,
- }
- cfg := &goodkey.Config{
- FermatRounds: 100,
- AllowedKeys: allowedKeys,
- }
- p, err := goodkey.NewPolicy(cfg, nil)
- if err != nil {
- // Should not occur, only chances to return errors are if fermat rounds
- // are <0 or when loading blocked/weak keys from disk (not used here)
- return errors.New("unable to initialize key policy")
- }
-
switch pk := pub.(type) {
case *rsa.PublicKey:
- // ctx is unused
- return p.GoodKey(context.Background(), pub)
+ if !slices.Contains([]int{2048, 3072, 4096}, pk.Size()*8) {
+ return fmt.Errorf("rsa key size %d is not supported supported, modulus size must be 2048, 3072, or 4096", pk.Size()*8)
+ }
+ return nil
case *ecdsa.PublicKey:
- // ctx is unused
- return p.GoodKey(context.Background(), pub)
+ if !slices.Contains([]elliptic.Curve{elliptic.P256(), elliptic.P384(), elliptic.P521()}, pk.Curve) {
+ return fmt.Errorf("ecdsa curve %T is not supported, must be NIST P-256, P-384 or P-521", pk.Curve)
+ }
+ return nil
case ed25519.PublicKey:
- return validateEd25519Key(pk)
+ // Nothing to validate for Ed25519
+ return nil
}
- return errors.New("unsupported public key type")
-}
-
-// No validations currently, ED25519 supports only one key size.
-func validateEd25519Key(_ ed25519.PublicKey) error {
- return nil
+ return fmt.Errorf("unsupported public key type: %T", pub)
}
diff --git a/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/safestring.go b/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/safestring.go
new file mode 100644
index 0000000000..cdc69aec37
--- /dev/null
+++ b/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/safestring.go
@@ -0,0 +1,34 @@
+//
+// Copyright 2025 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cryptoutils
+
+import (
+ "crypto/rand"
+ "encoding/base64"
+)
+
+// GenerateRandomURLSafeString generates a cryptographically secure random
+// URL-safe string with the specified number of bits of entropy.
+func GenerateRandomURLSafeString(entropyLength uint) string {
+ if entropyLength == 0 {
+ return ""
+ }
+ // Round up to the nearest byte to ensure minimum entropy is met
+ entropyBytes := (entropyLength + 7) / 8
+ b := make([]byte, entropyBytes)
+ _, _ = rand.Read(b)
+ return base64.RawURLEncoding.EncodeToString(b)
+}
diff --git a/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/sans.go b/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/sans.go
index d237ef58ea..abcea306a0 100644
--- a/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/sans.go
+++ b/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/sans.go
@@ -132,6 +132,9 @@ func UnmarshalOtherNameSAN(exts []pkix.Extension) (string, error) {
// and OtherName SANs
func GetSubjectAlternateNames(cert *x509.Certificate) []string {
sans := []string{}
+ if cert == nil {
+ return sans
+ }
sans = append(sans, cert.DNSNames...)
sans = append(sans, cert.EmailAddresses...)
for _, ip := range cert.IPAddresses {
diff --git a/vendor/github.com/sigstore/sigstore/pkg/signature/message.go b/vendor/github.com/sigstore/sigstore/pkg/signature/message.go
index 6f8449eea9..44771ff3da 100644
--- a/vendor/github.com/sigstore/sigstore/pkg/signature/message.go
+++ b/vendor/github.com/sigstore/sigstore/pkg/signature/message.go
@@ -55,10 +55,10 @@ func ComputeDigestForSigning(rawMessage io.Reader, defaultHashFunc crypto.Hash,
if hashedWith != crypto.Hash(0) && len(digest) != hashedWith.Size() {
err = errors.New("unexpected length of digest for hash function specified")
}
- return
+ return digest, hashedWith, err
}
digest, err = hashMessage(rawMessage, hashedWith)
- return
+ return digest, hashedWith, err
}
// ComputeDigestForVerifying calculates the digest value for the specified message using a hash function selected by the following process:
@@ -81,10 +81,10 @@ func ComputeDigestForVerifying(rawMessage io.Reader, defaultHashFunc crypto.Hash
if hashedWith != crypto.Hash(0) && len(digest) != hashedWith.Size() {
err = errors.New("unexpected length of digest for hash function specified")
}
- return
+ return digest, hashedWith, err
}
digest, err = hashMessage(rawMessage, hashedWith)
- return
+ return digest, hashedWith, err
}
func hashMessage(rawMessage io.Reader, hashFunc crypto.Hash) ([]byte, error) {
diff --git a/vendor/github.com/sigstore/sigstore/pkg/signature/signer.go b/vendor/github.com/sigstore/sigstore/pkg/signature/signer.go
index 1122989ff6..50f432798d 100644
--- a/vendor/github.com/sigstore/sigstore/pkg/signature/signer.go
+++ b/vendor/github.com/sigstore/sigstore/pkg/signature/signer.go
@@ -31,9 +31,6 @@ import (
"github.com/sigstore/sigstore/pkg/cryptoutils"
"github.com/sigstore/sigstore/pkg/signature/options"
-
- // these ensure we have the implementations loaded
- _ "golang.org/x/crypto/sha3"
)
// Signer creates digital signatures over a message using a specified key pair
diff --git a/vendor/github.com/titanous/rocacheck/LICENSE b/vendor/github.com/titanous/rocacheck/LICENSE
deleted file mode 100644
index 7bdce481fa..0000000000
--- a/vendor/github.com/titanous/rocacheck/LICENSE
+++ /dev/null
@@ -1,22 +0,0 @@
-MIT License
-
-Copyright (c) 2017, Jonathan Rudenberg
-Copyright (c) 2017, CRoCS, EnigmaBridge Ltd.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
diff --git a/vendor/github.com/titanous/rocacheck/README.md b/vendor/github.com/titanous/rocacheck/README.md
deleted file mode 100644
index b8e765ea9c..0000000000
--- a/vendor/github.com/titanous/rocacheck/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-# rocacheck [](https://godoc.org/github.com/titanous/rocacheck)
-
-Package rocacheck is a Go implementation of the [key fingerprint
-algorithm](https://github.com/crocs-muni/roca) that checks if an RSA key was
-generated by broken Infineon code and is vulnerable to factorization via the
-[Return of Coppersmith's Attack
-(ROCA)](https://crocs.fi.muni.cz/public/papers/rsa_ccs17) / CVE-2017-15361.
diff --git a/vendor/github.com/titanous/rocacheck/rocacheck.go b/vendor/github.com/titanous/rocacheck/rocacheck.go
deleted file mode 100644
index e813579bb8..0000000000
--- a/vendor/github.com/titanous/rocacheck/rocacheck.go
+++ /dev/null
@@ -1,52 +0,0 @@
-// Package rocacheck checks if a key was generated by broken Infineon code and
-// is vulnerable to factorization via the Return of Coppersmith's Attack (ROCA)
-// / CVE-2017-15361.
-package rocacheck
-
-import (
- "crypto/rsa"
- "math/big"
-)
-
-type test struct {
- Prime *big.Int
- Fingerprints map[int64]struct{}
-}
-
-var tests = make([]test, 17)
-
-func init() {
- bigOne := big.NewInt(1)
- n := &big.Int{}
- // relations table from https://github.com/crocs-muni/roca/pull/40
- for i, r := range [][2]int64{
- {2, 11}, {6, 13}, {8, 17}, {9, 19}, {3, 37}, {26, 53}, {20, 61},
- {35, 71}, {24, 73}, {13, 79}, {6, 97}, {51, 103}, {53, 107},
- {54, 109}, {42, 127}, {50, 151}, {78, 157},
- } {
- fps := make(map[int64]struct{})
- bp := big.NewInt(r[1])
- br := big.NewInt(r[0])
- for j := int64(0); j < r[1]; j++ {
- if n.Exp(big.NewInt(j), br, bp).Cmp(bigOne) == 0 {
- fps[j] = struct{}{}
- }
- }
- tests[i] = test{
- Prime: big.NewInt(r[1]),
- Fingerprints: fps,
- }
- }
-}
-
-// IsWeak returns true if a RSA public key is vulnerable to Return of
-// Coppersmith's Attack (ROCA).
-func IsWeak(k *rsa.PublicKey) bool {
- tmp := &big.Int{}
- for _, t := range tests {
- if _, ok := t.Fingerprints[tmp.Mod(k.N, t.Prime).Int64()]; !ok {
- return false
- }
- }
- return true
-}
diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/common.go b/vendor/github.com/vbatts/tar-split/archive/tar/common.go
index dee9e47e4a..e687a08c96 100644
--- a/vendor/github.com/vbatts/tar-split/archive/tar/common.go
+++ b/vendor/github.com/vbatts/tar-split/archive/tar/common.go
@@ -34,6 +34,7 @@ var (
errMissData = errors.New("archive/tar: sparse file references non-existent data")
errUnrefData = errors.New("archive/tar: sparse file contains unreferenced data")
errWriteHole = errors.New("archive/tar: write non-NUL byte in sparse hole")
+ errSparseTooLong = errors.New("archive/tar: sparse map too long")
)
type headerError []string
diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
index 248a7ccb15..a645c41605 100644
--- a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+++ b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
@@ -581,12 +581,17 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
cntNewline int64
buf bytes.Buffer
blk block
+ totalSize int
)
// feedTokens copies data in blocks from r into buf until there are
// at least cnt newlines in buf. It will not read more blocks than needed.
feedTokens := func(n int64) error {
for cntNewline < n {
+ totalSize += len(blk)
+ if totalSize > maxSpecialFileSize {
+ return errSparseTooLong
+ }
if _, err := mustReadFull(r, blk[:]); err != nil {
return err
}
@@ -619,8 +624,8 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
}
// Parse for all member entries.
- // numEntries is trusted after this since a potential attacker must have
- // committed resources proportional to what this library used.
+ // numEntries is trusted after this since feedTokens limits the number of
+ // tokens based on maxSpecialFileSize.
if err := feedTokens(2 * numEntries); err != nil {
return nil, err
}
diff --git a/vendor/golang.org/x/crypto/ocsp/ocsp.go b/vendor/golang.org/x/crypto/ocsp/ocsp.go
deleted file mode 100644
index e6c645e7ce..0000000000
--- a/vendor/golang.org/x/crypto/ocsp/ocsp.go
+++ /dev/null
@@ -1,793 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package ocsp parses OCSP responses as specified in RFC 2560. OCSP responses
-// are signed messages attesting to the validity of a certificate for a small
-// period of time. This is used to manage revocation for X.509 certificates.
-package ocsp
-
-import (
- "crypto"
- "crypto/ecdsa"
- "crypto/elliptic"
- "crypto/rand"
- "crypto/rsa"
- _ "crypto/sha1"
- _ "crypto/sha256"
- _ "crypto/sha512"
- "crypto/x509"
- "crypto/x509/pkix"
- "encoding/asn1"
- "errors"
- "fmt"
- "math/big"
- "strconv"
- "time"
-)
-
-var idPKIXOCSPBasic = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 5, 5, 7, 48, 1, 1})
-
-// ResponseStatus contains the result of an OCSP request. See
-// https://tools.ietf.org/html/rfc6960#section-2.3
-type ResponseStatus int
-
-const (
- Success ResponseStatus = 0
- Malformed ResponseStatus = 1
- InternalError ResponseStatus = 2
- TryLater ResponseStatus = 3
- // Status code four is unused in OCSP. See
- // https://tools.ietf.org/html/rfc6960#section-4.2.1
- SignatureRequired ResponseStatus = 5
- Unauthorized ResponseStatus = 6
-)
-
-func (r ResponseStatus) String() string {
- switch r {
- case Success:
- return "success"
- case Malformed:
- return "malformed"
- case InternalError:
- return "internal error"
- case TryLater:
- return "try later"
- case SignatureRequired:
- return "signature required"
- case Unauthorized:
- return "unauthorized"
- default:
- return "unknown OCSP status: " + strconv.Itoa(int(r))
- }
-}
-
-// ResponseError is an error that may be returned by ParseResponse to indicate
-// that the response itself is an error, not just that it's indicating that a
-// certificate is revoked, unknown, etc.
-type ResponseError struct {
- Status ResponseStatus
-}
-
-func (r ResponseError) Error() string {
- return "ocsp: error from server: " + r.Status.String()
-}
-
-// These are internal structures that reflect the ASN.1 structure of an OCSP
-// response. See RFC 2560, section 4.2.
-
-type certID struct {
- HashAlgorithm pkix.AlgorithmIdentifier
- NameHash []byte
- IssuerKeyHash []byte
- SerialNumber *big.Int
-}
-
-// https://tools.ietf.org/html/rfc2560#section-4.1.1
-type ocspRequest struct {
- TBSRequest tbsRequest
-}
-
-type tbsRequest struct {
- Version int `asn1:"explicit,tag:0,default:0,optional"`
- RequestorName pkix.RDNSequence `asn1:"explicit,tag:1,optional"`
- RequestList []request
-}
-
-type request struct {
- Cert certID
-}
-
-type responseASN1 struct {
- Status asn1.Enumerated
- Response responseBytes `asn1:"explicit,tag:0,optional"`
-}
-
-type responseBytes struct {
- ResponseType asn1.ObjectIdentifier
- Response []byte
-}
-
-type basicResponse struct {
- TBSResponseData responseData
- SignatureAlgorithm pkix.AlgorithmIdentifier
- Signature asn1.BitString
- Certificates []asn1.RawValue `asn1:"explicit,tag:0,optional"`
-}
-
-type responseData struct {
- Raw asn1.RawContent
- Version int `asn1:"optional,default:0,explicit,tag:0"`
- RawResponderID asn1.RawValue
- ProducedAt time.Time `asn1:"generalized"`
- Responses []singleResponse
-}
-
-type singleResponse struct {
- CertID certID
- Good asn1.Flag `asn1:"tag:0,optional"`
- Revoked revokedInfo `asn1:"tag:1,optional"`
- Unknown asn1.Flag `asn1:"tag:2,optional"`
- ThisUpdate time.Time `asn1:"generalized"`
- NextUpdate time.Time `asn1:"generalized,explicit,tag:0,optional"`
- SingleExtensions []pkix.Extension `asn1:"explicit,tag:1,optional"`
-}
-
-type revokedInfo struct {
- RevocationTime time.Time `asn1:"generalized"`
- Reason asn1.Enumerated `asn1:"explicit,tag:0,optional"`
-}
-
-var (
- oidSignatureMD2WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2}
- oidSignatureMD5WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4}
- oidSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}
- oidSignatureSHA256WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}
- oidSignatureSHA384WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12}
- oidSignatureSHA512WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13}
- oidSignatureDSAWithSHA1 = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 3}
- oidSignatureDSAWithSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 3, 2}
- oidSignatureECDSAWithSHA1 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 1}
- oidSignatureECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}
- oidSignatureECDSAWithSHA384 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 3}
- oidSignatureECDSAWithSHA512 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 4}
-)
-
-var hashOIDs = map[crypto.Hash]asn1.ObjectIdentifier{
- crypto.SHA1: asn1.ObjectIdentifier([]int{1, 3, 14, 3, 2, 26}),
- crypto.SHA256: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 1}),
- crypto.SHA384: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 2}),
- crypto.SHA512: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 3}),
-}
-
-// TODO(rlb): This is also from crypto/x509, so same comment as AGL's below
-var signatureAlgorithmDetails = []struct {
- algo x509.SignatureAlgorithm
- oid asn1.ObjectIdentifier
- pubKeyAlgo x509.PublicKeyAlgorithm
- hash crypto.Hash
-}{
- {x509.MD2WithRSA, oidSignatureMD2WithRSA, x509.RSA, crypto.Hash(0) /* no value for MD2 */},
- {x509.MD5WithRSA, oidSignatureMD5WithRSA, x509.RSA, crypto.MD5},
- {x509.SHA1WithRSA, oidSignatureSHA1WithRSA, x509.RSA, crypto.SHA1},
- {x509.SHA256WithRSA, oidSignatureSHA256WithRSA, x509.RSA, crypto.SHA256},
- {x509.SHA384WithRSA, oidSignatureSHA384WithRSA, x509.RSA, crypto.SHA384},
- {x509.SHA512WithRSA, oidSignatureSHA512WithRSA, x509.RSA, crypto.SHA512},
- {x509.DSAWithSHA1, oidSignatureDSAWithSHA1, x509.DSA, crypto.SHA1},
- {x509.DSAWithSHA256, oidSignatureDSAWithSHA256, x509.DSA, crypto.SHA256},
- {x509.ECDSAWithSHA1, oidSignatureECDSAWithSHA1, x509.ECDSA, crypto.SHA1},
- {x509.ECDSAWithSHA256, oidSignatureECDSAWithSHA256, x509.ECDSA, crypto.SHA256},
- {x509.ECDSAWithSHA384, oidSignatureECDSAWithSHA384, x509.ECDSA, crypto.SHA384},
- {x509.ECDSAWithSHA512, oidSignatureECDSAWithSHA512, x509.ECDSA, crypto.SHA512},
-}
-
-// TODO(rlb): This is also from crypto/x509, so same comment as AGL's below
-func signingParamsForPublicKey(pub interface{}, requestedSigAlgo x509.SignatureAlgorithm) (hashFunc crypto.Hash, sigAlgo pkix.AlgorithmIdentifier, err error) {
- var pubType x509.PublicKeyAlgorithm
-
- switch pub := pub.(type) {
- case *rsa.PublicKey:
- pubType = x509.RSA
- hashFunc = crypto.SHA256
- sigAlgo.Algorithm = oidSignatureSHA256WithRSA
- sigAlgo.Parameters = asn1.RawValue{
- Tag: 5,
- }
-
- case *ecdsa.PublicKey:
- pubType = x509.ECDSA
-
- switch pub.Curve {
- case elliptic.P224(), elliptic.P256():
- hashFunc = crypto.SHA256
- sigAlgo.Algorithm = oidSignatureECDSAWithSHA256
- case elliptic.P384():
- hashFunc = crypto.SHA384
- sigAlgo.Algorithm = oidSignatureECDSAWithSHA384
- case elliptic.P521():
- hashFunc = crypto.SHA512
- sigAlgo.Algorithm = oidSignatureECDSAWithSHA512
- default:
- err = errors.New("x509: unknown elliptic curve")
- }
-
- default:
- err = errors.New("x509: only RSA and ECDSA keys supported")
- }
-
- if err != nil {
- return
- }
-
- if requestedSigAlgo == 0 {
- return
- }
-
- found := false
- for _, details := range signatureAlgorithmDetails {
- if details.algo == requestedSigAlgo {
- if details.pubKeyAlgo != pubType {
- err = errors.New("x509: requested SignatureAlgorithm does not match private key type")
- return
- }
- sigAlgo.Algorithm, hashFunc = details.oid, details.hash
- if hashFunc == 0 {
- err = errors.New("x509: cannot sign with hash function requested")
- return
- }
- found = true
- break
- }
- }
-
- if !found {
- err = errors.New("x509: unknown SignatureAlgorithm")
- }
-
- return
-}
-
-// TODO(agl): this is taken from crypto/x509 and so should probably be exported
-// from crypto/x509 or crypto/x509/pkix.
-func getSignatureAlgorithmFromOID(oid asn1.ObjectIdentifier) x509.SignatureAlgorithm {
- for _, details := range signatureAlgorithmDetails {
- if oid.Equal(details.oid) {
- return details.algo
- }
- }
- return x509.UnknownSignatureAlgorithm
-}
-
-// TODO(rlb): This is not taken from crypto/x509, but it's of the same general form.
-func getHashAlgorithmFromOID(target asn1.ObjectIdentifier) crypto.Hash {
- for hash, oid := range hashOIDs {
- if oid.Equal(target) {
- return hash
- }
- }
- return crypto.Hash(0)
-}
-
-func getOIDFromHashAlgorithm(target crypto.Hash) asn1.ObjectIdentifier {
- for hash, oid := range hashOIDs {
- if hash == target {
- return oid
- }
- }
- return nil
-}
-
-// This is the exposed reflection of the internal OCSP structures.
-
-// The status values that can be expressed in OCSP. See RFC 6960.
-// These are used for the Response.Status field.
-const (
- // Good means that the certificate is valid.
- Good = 0
- // Revoked means that the certificate has been deliberately revoked.
- Revoked = 1
- // Unknown means that the OCSP responder doesn't know about the certificate.
- Unknown = 2
- // ServerFailed is unused and was never used (see
- // https://go-review.googlesource.com/#/c/18944). ParseResponse will
- // return a ResponseError when an error response is parsed.
- ServerFailed = 3
-)
-
-// The enumerated reasons for revoking a certificate. See RFC 5280.
-const (
- Unspecified = 0
- KeyCompromise = 1
- CACompromise = 2
- AffiliationChanged = 3
- Superseded = 4
- CessationOfOperation = 5
- CertificateHold = 6
-
- RemoveFromCRL = 8
- PrivilegeWithdrawn = 9
- AACompromise = 10
-)
-
-// Request represents an OCSP request. See RFC 6960.
-type Request struct {
- HashAlgorithm crypto.Hash
- IssuerNameHash []byte
- IssuerKeyHash []byte
- SerialNumber *big.Int
-}
-
-// Marshal marshals the OCSP request to ASN.1 DER encoded form.
-func (req *Request) Marshal() ([]byte, error) {
- hashAlg := getOIDFromHashAlgorithm(req.HashAlgorithm)
- if hashAlg == nil {
- return nil, errors.New("Unknown hash algorithm")
- }
- return asn1.Marshal(ocspRequest{
- tbsRequest{
- Version: 0,
- RequestList: []request{
- {
- Cert: certID{
- pkix.AlgorithmIdentifier{
- Algorithm: hashAlg,
- Parameters: asn1.RawValue{Tag: 5 /* ASN.1 NULL */},
- },
- req.IssuerNameHash,
- req.IssuerKeyHash,
- req.SerialNumber,
- },
- },
- },
- },
- })
-}
-
-// Response represents an OCSP response containing a single SingleResponse. See
-// RFC 6960.
-type Response struct {
- Raw []byte
-
- // Status is one of {Good, Revoked, Unknown}
- Status int
- SerialNumber *big.Int
- ProducedAt, ThisUpdate, NextUpdate, RevokedAt time.Time
- RevocationReason int
- Certificate *x509.Certificate
- // TBSResponseData contains the raw bytes of the signed response. If
- // Certificate is nil then this can be used to verify Signature.
- TBSResponseData []byte
- Signature []byte
- SignatureAlgorithm x509.SignatureAlgorithm
-
- // IssuerHash is the hash used to compute the IssuerNameHash and IssuerKeyHash.
- // Valid values are crypto.SHA1, crypto.SHA256, crypto.SHA384, and crypto.SHA512.
- // If zero, the default is crypto.SHA1.
- IssuerHash crypto.Hash
-
- // RawResponderName optionally contains the DER-encoded subject of the
- // responder certificate. Exactly one of RawResponderName and
- // ResponderKeyHash is set.
- RawResponderName []byte
- // ResponderKeyHash optionally contains the SHA-1 hash of the
- // responder's public key. Exactly one of RawResponderName and
- // ResponderKeyHash is set.
- ResponderKeyHash []byte
-
- // Extensions contains raw X.509 extensions from the singleExtensions field
- // of the OCSP response. When parsing certificates, this can be used to
- // extract non-critical extensions that are not parsed by this package. When
- // marshaling OCSP responses, the Extensions field is ignored, see
- // ExtraExtensions.
- Extensions []pkix.Extension
-
- // ExtraExtensions contains extensions to be copied, raw, into any marshaled
- // OCSP response (in the singleExtensions field). Values override any
- // extensions that would otherwise be produced based on the other fields. The
- // ExtraExtensions field is not populated when parsing certificates, see
- // Extensions.
- ExtraExtensions []pkix.Extension
-}
-
-// These are pre-serialized error responses for the various non-success codes
-// defined by OCSP. The Unauthorized code in particular can be used by an OCSP
-// responder that supports only pre-signed responses as a response to requests
-// for certificates with unknown status. See RFC 5019.
-var (
- MalformedRequestErrorResponse = []byte{0x30, 0x03, 0x0A, 0x01, 0x01}
- InternalErrorErrorResponse = []byte{0x30, 0x03, 0x0A, 0x01, 0x02}
- TryLaterErrorResponse = []byte{0x30, 0x03, 0x0A, 0x01, 0x03}
- SigRequredErrorResponse = []byte{0x30, 0x03, 0x0A, 0x01, 0x05}
- UnauthorizedErrorResponse = []byte{0x30, 0x03, 0x0A, 0x01, 0x06}
-)
-
-// CheckSignatureFrom checks that the signature in resp is a valid signature
-// from issuer. This should only be used if resp.Certificate is nil. Otherwise,
-// the OCSP response contained an intermediate certificate that created the
-// signature. That signature is checked by ParseResponse and only
-// resp.Certificate remains to be validated.
-func (resp *Response) CheckSignatureFrom(issuer *x509.Certificate) error {
- return issuer.CheckSignature(resp.SignatureAlgorithm, resp.TBSResponseData, resp.Signature)
-}
-
-// ParseError results from an invalid OCSP response.
-type ParseError string
-
-func (p ParseError) Error() string {
- return string(p)
-}
-
-// ParseRequest parses an OCSP request in DER form. It only supports
-// requests for a single certificate. Signed requests are not supported.
-// If a request includes a signature, it will result in a ParseError.
-func ParseRequest(bytes []byte) (*Request, error) {
- var req ocspRequest
- rest, err := asn1.Unmarshal(bytes, &req)
- if err != nil {
- return nil, err
- }
- if len(rest) > 0 {
- return nil, ParseError("trailing data in OCSP request")
- }
-
- if len(req.TBSRequest.RequestList) == 0 {
- return nil, ParseError("OCSP request contains no request body")
- }
- innerRequest := req.TBSRequest.RequestList[0]
-
- hashFunc := getHashAlgorithmFromOID(innerRequest.Cert.HashAlgorithm.Algorithm)
- if hashFunc == crypto.Hash(0) {
- return nil, ParseError("OCSP request uses unknown hash function")
- }
-
- return &Request{
- HashAlgorithm: hashFunc,
- IssuerNameHash: innerRequest.Cert.NameHash,
- IssuerKeyHash: innerRequest.Cert.IssuerKeyHash,
- SerialNumber: innerRequest.Cert.SerialNumber,
- }, nil
-}
-
-// ParseResponse parses an OCSP response in DER form. The response must contain
-// only one certificate status. To parse the status of a specific certificate
-// from a response which may contain multiple statuses, use ParseResponseForCert
-// instead.
-//
-// If the response contains an embedded certificate, then that certificate will
-// be used to verify the response signature. If the response contains an
-// embedded certificate and issuer is not nil, then issuer will be used to verify
-// the signature on the embedded certificate.
-//
-// If the response does not contain an embedded certificate and issuer is not
-// nil, then issuer will be used to verify the response signature.
-//
-// Invalid responses and parse failures will result in a ParseError.
-// Error responses will result in a ResponseError.
-func ParseResponse(bytes []byte, issuer *x509.Certificate) (*Response, error) {
- return ParseResponseForCert(bytes, nil, issuer)
-}
-
-// ParseResponseForCert acts identically to ParseResponse, except it supports
-// parsing responses that contain multiple statuses. If the response contains
-// multiple statuses and cert is not nil, then ParseResponseForCert will return
-// the first status which contains a matching serial, otherwise it will return an
-// error. If cert is nil, then the first status in the response will be returned.
-func ParseResponseForCert(bytes []byte, cert, issuer *x509.Certificate) (*Response, error) {
- var resp responseASN1
- rest, err := asn1.Unmarshal(bytes, &resp)
- if err != nil {
- return nil, err
- }
- if len(rest) > 0 {
- return nil, ParseError("trailing data in OCSP response")
- }
-
- if status := ResponseStatus(resp.Status); status != Success {
- return nil, ResponseError{status}
- }
-
- if !resp.Response.ResponseType.Equal(idPKIXOCSPBasic) {
- return nil, ParseError("bad OCSP response type")
- }
-
- var basicResp basicResponse
- rest, err = asn1.Unmarshal(resp.Response.Response, &basicResp)
- if err != nil {
- return nil, err
- }
- if len(rest) > 0 {
- return nil, ParseError("trailing data in OCSP response")
- }
-
- if n := len(basicResp.TBSResponseData.Responses); n == 0 || cert == nil && n > 1 {
- return nil, ParseError("OCSP response contains bad number of responses")
- }
-
- var singleResp singleResponse
- if cert == nil {
- singleResp = basicResp.TBSResponseData.Responses[0]
- } else {
- match := false
- for _, resp := range basicResp.TBSResponseData.Responses {
- if cert.SerialNumber.Cmp(resp.CertID.SerialNumber) == 0 {
- singleResp = resp
- match = true
- break
- }
- }
- if !match {
- return nil, ParseError("no response matching the supplied certificate")
- }
- }
-
- ret := &Response{
- Raw: bytes,
- TBSResponseData: basicResp.TBSResponseData.Raw,
- Signature: basicResp.Signature.RightAlign(),
- SignatureAlgorithm: getSignatureAlgorithmFromOID(basicResp.SignatureAlgorithm.Algorithm),
- Extensions: singleResp.SingleExtensions,
- SerialNumber: singleResp.CertID.SerialNumber,
- ProducedAt: basicResp.TBSResponseData.ProducedAt,
- ThisUpdate: singleResp.ThisUpdate,
- NextUpdate: singleResp.NextUpdate,
- }
-
- // Handle the ResponderID CHOICE tag. ResponderID can be flattened into
- // TBSResponseData once https://go-review.googlesource.com/34503 has been
- // released.
- rawResponderID := basicResp.TBSResponseData.RawResponderID
- switch rawResponderID.Tag {
- case 1: // Name
- var rdn pkix.RDNSequence
- if rest, err := asn1.Unmarshal(rawResponderID.Bytes, &rdn); err != nil || len(rest) != 0 {
- return nil, ParseError("invalid responder name")
- }
- ret.RawResponderName = rawResponderID.Bytes
- case 2: // KeyHash
- if rest, err := asn1.Unmarshal(rawResponderID.Bytes, &ret.ResponderKeyHash); err != nil || len(rest) != 0 {
- return nil, ParseError("invalid responder key hash")
- }
- default:
- return nil, ParseError("invalid responder id tag")
- }
-
- if len(basicResp.Certificates) > 0 {
- // Responders should only send a single certificate (if they
- // send any) that connects the responder's certificate to the
- // original issuer. We accept responses with multiple
- // certificates due to a number responders sending them[1], but
- // ignore all but the first.
- //
- // [1] https://github.com/golang/go/issues/21527
- ret.Certificate, err = x509.ParseCertificate(basicResp.Certificates[0].FullBytes)
- if err != nil {
- return nil, err
- }
-
- if err := ret.CheckSignatureFrom(ret.Certificate); err != nil {
- return nil, ParseError("bad signature on embedded certificate: " + err.Error())
- }
-
- if issuer != nil {
- if err := issuer.CheckSignature(ret.Certificate.SignatureAlgorithm, ret.Certificate.RawTBSCertificate, ret.Certificate.Signature); err != nil {
- return nil, ParseError("bad OCSP signature: " + err.Error())
- }
- }
- } else if issuer != nil {
- if err := ret.CheckSignatureFrom(issuer); err != nil {
- return nil, ParseError("bad OCSP signature: " + err.Error())
- }
- }
-
- for _, ext := range singleResp.SingleExtensions {
- if ext.Critical {
- return nil, ParseError("unsupported critical extension")
- }
- }
-
- for h, oid := range hashOIDs {
- if singleResp.CertID.HashAlgorithm.Algorithm.Equal(oid) {
- ret.IssuerHash = h
- break
- }
- }
- if ret.IssuerHash == 0 {
- return nil, ParseError("unsupported issuer hash algorithm")
- }
-
- switch {
- case bool(singleResp.Good):
- ret.Status = Good
- case bool(singleResp.Unknown):
- ret.Status = Unknown
- default:
- ret.Status = Revoked
- ret.RevokedAt = singleResp.Revoked.RevocationTime
- ret.RevocationReason = int(singleResp.Revoked.Reason)
- }
-
- return ret, nil
-}
-
-// RequestOptions contains options for constructing OCSP requests.
-type RequestOptions struct {
- // Hash contains the hash function that should be used when
- // constructing the OCSP request. If zero, SHA-1 will be used.
- Hash crypto.Hash
-}
-
-func (opts *RequestOptions) hash() crypto.Hash {
- if opts == nil || opts.Hash == 0 {
- // SHA-1 is nearly universally used in OCSP.
- return crypto.SHA1
- }
- return opts.Hash
-}
-
-// CreateRequest returns a DER-encoded, OCSP request for the status of cert. If
-// opts is nil then sensible defaults are used.
-func CreateRequest(cert, issuer *x509.Certificate, opts *RequestOptions) ([]byte, error) {
- hashFunc := opts.hash()
-
- // OCSP seems to be the only place where these raw hash identifiers are
- // used. I took the following from
- // http://msdn.microsoft.com/en-us/library/ff635603.aspx
- _, ok := hashOIDs[hashFunc]
- if !ok {
- return nil, x509.ErrUnsupportedAlgorithm
- }
-
- if !hashFunc.Available() {
- return nil, x509.ErrUnsupportedAlgorithm
- }
- h := opts.hash().New()
-
- var publicKeyInfo struct {
- Algorithm pkix.AlgorithmIdentifier
- PublicKey asn1.BitString
- }
- if _, err := asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &publicKeyInfo); err != nil {
- return nil, err
- }
-
- h.Write(publicKeyInfo.PublicKey.RightAlign())
- issuerKeyHash := h.Sum(nil)
-
- h.Reset()
- h.Write(issuer.RawSubject)
- issuerNameHash := h.Sum(nil)
-
- req := &Request{
- HashAlgorithm: hashFunc,
- IssuerNameHash: issuerNameHash,
- IssuerKeyHash: issuerKeyHash,
- SerialNumber: cert.SerialNumber,
- }
- return req.Marshal()
-}
-
-// CreateResponse returns a DER-encoded OCSP response with the specified contents.
-// The fields in the response are populated as follows:
-//
-// The responder cert is used to populate the responder's name field, and the
-// certificate itself is provided alongside the OCSP response signature.
-//
-// The issuer cert is used to populate the IssuerNameHash and IssuerKeyHash fields.
-//
-// The template is used to populate the SerialNumber, Status, RevokedAt,
-// RevocationReason, ThisUpdate, and NextUpdate fields.
-//
-// If template.IssuerHash is not set, SHA1 will be used.
-//
-// The ProducedAt date is automatically set to the current date, to the nearest minute.
-func CreateResponse(issuer, responderCert *x509.Certificate, template Response, priv crypto.Signer) ([]byte, error) {
- var publicKeyInfo struct {
- Algorithm pkix.AlgorithmIdentifier
- PublicKey asn1.BitString
- }
- if _, err := asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &publicKeyInfo); err != nil {
- return nil, err
- }
-
- if template.IssuerHash == 0 {
- template.IssuerHash = crypto.SHA1
- }
- hashOID := getOIDFromHashAlgorithm(template.IssuerHash)
- if hashOID == nil {
- return nil, errors.New("unsupported issuer hash algorithm")
- }
-
- if !template.IssuerHash.Available() {
- return nil, fmt.Errorf("issuer hash algorithm %v not linked into binary", template.IssuerHash)
- }
- h := template.IssuerHash.New()
- h.Write(publicKeyInfo.PublicKey.RightAlign())
- issuerKeyHash := h.Sum(nil)
-
- h.Reset()
- h.Write(issuer.RawSubject)
- issuerNameHash := h.Sum(nil)
-
- innerResponse := singleResponse{
- CertID: certID{
- HashAlgorithm: pkix.AlgorithmIdentifier{
- Algorithm: hashOID,
- Parameters: asn1.RawValue{Tag: 5 /* ASN.1 NULL */},
- },
- NameHash: issuerNameHash,
- IssuerKeyHash: issuerKeyHash,
- SerialNumber: template.SerialNumber,
- },
- ThisUpdate: template.ThisUpdate.UTC(),
- NextUpdate: template.NextUpdate.UTC(),
- SingleExtensions: template.ExtraExtensions,
- }
-
- switch template.Status {
- case Good:
- innerResponse.Good = true
- case Unknown:
- innerResponse.Unknown = true
- case Revoked:
- innerResponse.Revoked = revokedInfo{
- RevocationTime: template.RevokedAt.UTC(),
- Reason: asn1.Enumerated(template.RevocationReason),
- }
- }
-
- rawResponderID := asn1.RawValue{
- Class: 2, // context-specific
- Tag: 1, // Name (explicit tag)
- IsCompound: true,
- Bytes: responderCert.RawSubject,
- }
- tbsResponseData := responseData{
- Version: 0,
- RawResponderID: rawResponderID,
- ProducedAt: time.Now().Truncate(time.Minute).UTC(),
- Responses: []singleResponse{innerResponse},
- }
-
- tbsResponseDataDER, err := asn1.Marshal(tbsResponseData)
- if err != nil {
- return nil, err
- }
-
- hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(priv.Public(), template.SignatureAlgorithm)
- if err != nil {
- return nil, err
- }
-
- responseHash := hashFunc.New()
- responseHash.Write(tbsResponseDataDER)
- signature, err := priv.Sign(rand.Reader, responseHash.Sum(nil), hashFunc)
- if err != nil {
- return nil, err
- }
-
- response := basicResponse{
- TBSResponseData: tbsResponseData,
- SignatureAlgorithm: signatureAlgorithm,
- Signature: asn1.BitString{
- Bytes: signature,
- BitLength: 8 * len(signature),
- },
- }
- if template.Certificate != nil {
- response.Certificates = []asn1.RawValue{
- {FullBytes: template.Certificate.Raw},
- }
- }
- responseDER, err := asn1.Marshal(response)
- if err != nil {
- return nil, err
- }
-
- return asn1.Marshal(responseASN1{
- Status: asn1.Enumerated(Success),
- Response: responseBytes{
- ResponseType: idPKIXOCSPBasic,
- Response: responseDER,
- },
- })
-}
diff --git a/vendor/golang.org/x/oauth2/deviceauth.go b/vendor/golang.org/x/oauth2/deviceauth.go
index e99c92f39c..e783a94374 100644
--- a/vendor/golang.org/x/oauth2/deviceauth.go
+++ b/vendor/golang.org/x/oauth2/deviceauth.go
@@ -6,6 +6,7 @@ import (
"errors"
"fmt"
"io"
+ "mime"
"net/http"
"net/url"
"strings"
@@ -116,10 +117,38 @@ func retrieveDeviceAuth(ctx context.Context, c *Config, v url.Values) (*DeviceAu
return nil, fmt.Errorf("oauth2: cannot auth device: %v", err)
}
if code := r.StatusCode; code < 200 || code > 299 {
- return nil, &RetrieveError{
+ retrieveError := &RetrieveError{
Response: r,
Body: body,
}
+
+ content, _, _ := mime.ParseMediaType(r.Header.Get("Content-Type"))
+ switch content {
+ case "application/x-www-form-urlencoded", "text/plain":
+ // some endpoints return a query string
+ vals, err := url.ParseQuery(string(body))
+ if err != nil {
+ return nil, retrieveError
+ }
+ retrieveError.ErrorCode = vals.Get("error")
+ retrieveError.ErrorDescription = vals.Get("error_description")
+ retrieveError.ErrorURI = vals.Get("error_uri")
+ default:
+ var tj struct {
+ // https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
+ ErrorCode string `json:"error"`
+ ErrorDescription string `json:"error_description"`
+ ErrorURI string `json:"error_uri"`
+ }
+ if json.Unmarshal(body, &tj) != nil {
+ return nil, retrieveError
+ }
+ retrieveError.ErrorCode = tj.ErrorCode
+ retrieveError.ErrorDescription = tj.ErrorDescription
+ retrieveError.ErrorURI = tj.ErrorURI
+ }
+
+ return nil, retrieveError
}
da := &DeviceAuthResponse{}
diff --git a/vendor/golang.org/x/oauth2/oauth2.go b/vendor/golang.org/x/oauth2/oauth2.go
index 3e3b630695..5c527d31fd 100644
--- a/vendor/golang.org/x/oauth2/oauth2.go
+++ b/vendor/golang.org/x/oauth2/oauth2.go
@@ -98,7 +98,7 @@ const (
// in the POST body as application/x-www-form-urlencoded parameters.
AuthStyleInParams AuthStyle = 1
- // AuthStyleInHeader sends the client_id and client_password
+ // AuthStyleInHeader sends the client_id and client_secret
// using HTTP Basic Authorization. This is an optional style
// described in the OAuth2 RFC 6749 section 2.3.1.
AuthStyleInHeader AuthStyle = 2
diff --git a/vendor/golang.org/x/oauth2/pkce.go b/vendor/golang.org/x/oauth2/pkce.go
index cea8374d51..f99384f0f5 100644
--- a/vendor/golang.org/x/oauth2/pkce.go
+++ b/vendor/golang.org/x/oauth2/pkce.go
@@ -51,7 +51,7 @@ func S256ChallengeFromVerifier(verifier string) string {
return base64.RawURLEncoding.EncodeToString(sha[:])
}
-// S256ChallengeOption derives a PKCE code challenge derived from verifier with
+// S256ChallengeOption derives a PKCE code challenge from the verifier with
// method S256. It should be passed to [Config.AuthCodeURL] or [Config.DeviceAuth]
// only.
func S256ChallengeOption(verifier string) AuthCodeOption {
diff --git a/vendor/golang.org/x/oauth2/token.go b/vendor/golang.org/x/oauth2/token.go
index 239ec32962..e995eebb5e 100644
--- a/vendor/golang.org/x/oauth2/token.go
+++ b/vendor/golang.org/x/oauth2/token.go
@@ -103,7 +103,7 @@ func (t *Token) WithExtra(extra any) *Token {
}
// Extra returns an extra field.
-// Extra fields are key-value pairs returned by the server as a
+// Extra fields are key-value pairs returned by the server as
// part of the token retrieval response.
func (t *Token) Extra(key string) any {
if raw, ok := t.raw.(map[string]any); ok {
diff --git a/vendor/golang.org/x/oauth2/transport.go b/vendor/golang.org/x/oauth2/transport.go
index 8bbebbac9e..9922ec3316 100644
--- a/vendor/golang.org/x/oauth2/transport.go
+++ b/vendor/golang.org/x/oauth2/transport.go
@@ -58,7 +58,7 @@ func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
var cancelOnce sync.Once
// CancelRequest does nothing. It used to be a legacy cancellation mechanism
-// but now only it only logs on first use to warn that it's deprecated.
+// but now only logs on first use to warn that it's deprecated.
//
// Deprecated: use contexts for cancellation instead.
func (t *Transport) CancelRequest(req *http.Request) {
diff --git a/vendor/golang.org/x/time/rate/rate.go b/vendor/golang.org/x/time/rate/rate.go
index 794b2e32bf..563270c154 100644
--- a/vendor/golang.org/x/time/rate/rate.go
+++ b/vendor/golang.org/x/time/rate/rate.go
@@ -195,7 +195,7 @@ func (r *Reservation) CancelAt(t time.Time) {
// update state
r.lim.last = t
r.lim.tokens = tokens
- if r.timeToAct == r.lim.lastEvent {
+ if r.timeToAct.Equal(r.lim.lastEvent) {
prevEvent := r.timeToAct.Add(r.limit.durationFromTokens(float64(-r.tokens)))
if !prevEvent.Before(t) {
r.lim.lastEvent = prevEvent
diff --git a/vendor/golang.org/x/time/rate/sometimes.go b/vendor/golang.org/x/time/rate/sometimes.go
index 6ba99ddb67..9b83932692 100644
--- a/vendor/golang.org/x/time/rate/sometimes.go
+++ b/vendor/golang.org/x/time/rate/sometimes.go
@@ -61,7 +61,9 @@ func (s *Sometimes) Do(f func()) {
(s.Every > 0 && s.count%s.Every == 0) ||
(s.Interval > 0 && time.Since(s.last) >= s.Interval) {
f()
- s.last = time.Now()
+ if s.Interval > 0 {
+ s.last = time.Now()
+ }
}
s.count++
}
diff --git a/vendor/google.golang.org/grpc/CONTRIBUTING.md b/vendor/google.golang.org/grpc/CONTRIBUTING.md
index d9bfa6e1e7..2079de7b0e 100644
--- a/vendor/google.golang.org/grpc/CONTRIBUTING.md
+++ b/vendor/google.golang.org/grpc/CONTRIBUTING.md
@@ -1,73 +1,159 @@
# How to contribute
-We definitely welcome your patches and contributions to gRPC! Please read the gRPC
-organization's [governance rules](https://github.com/grpc/grpc-community/blob/master/governance.md)
-and [contribution guidelines](https://github.com/grpc/grpc-community/blob/master/CONTRIBUTING.md) before proceeding.
+We welcome your patches and contributions to gRPC! Please read the gRPC
+organization's [governance
+rules](https://github.com/grpc/grpc-community/blob/master/governance.md) before
+proceeding.
If you are new to GitHub, please start by reading [Pull Request howto](https://help.github.com/articles/about-pull-requests/)
## Legal requirements
In order to protect both you and ourselves, you will need to sign the
-[Contributor License Agreement](https://identity.linuxfoundation.org/projects/cncf).
+[Contributor License
+Agreement](https://identity.linuxfoundation.org/projects/cncf). When you create
+your first PR, a link will be added as a comment that contains the steps needed
+to complete this process.
+
+## Getting Started
+
+A great way to start is by searching through our open issues. [Unassigned issues
+labeled as "help
+wanted"](https://github.com/grpc/grpc-go/issues?q=sort%3Aupdated-desc%20is%3Aissue%20is%3Aopen%20label%3A%22Status%3A%20Help%20Wanted%22%20no%3Aassignee)
+are especially nice for first-time contributors, as they should be well-defined
+problems that already have agreed-upon solutions.
+
+## Code Style
+
+We follow [Google's published Go style
+guide](https://google.github.io/styleguide/go/). Note that there are three
+primary documents that make up this style guide; please follow them as closely
+as possible. If a reviewer recommends something that contradicts those
+guidelines, there may be valid reasons to do so, but it should be rare.
## Guidelines for Pull Requests
-How to get your contributions merged smoothly and quickly.
+
+Please read the following carefully to ensure your contributions can be merged
+smoothly and quickly.
+
+### PR Contents
- Create **small PRs** that are narrowly focused on **addressing a single
- concern**. We often times receive PRs that are trying to fix several things at
- a time, but only one fix is considered acceptable, nothing gets merged and
- both author's & review's time is wasted. Create more PRs to address different
- concerns and everyone will be happy.
+ concern**. We often receive PRs that attempt to fix several things at the same
+ time, and if one part of the PR has a problem, that will hold up the entire
+ PR.
+
+- If your change does not address an **open issue** with an **agreed
+ resolution**, consider opening an issue and discussing it first. If you are
+ suggesting a behavioral or API change, consider starting with a [gRFC
+ proposal](https://github.com/grpc/proposal). Many new features that are not
+ bug fixes will require cross-language agreement.
+
+- If you want to fix **formatting or style**, consider whether your changes are
+ an obvious improvement or might be considered a personal preference. If a
+ style change is based on preference, it likely will not be accepted. If it
+ corrects widely agreed-upon anti-patterns, then please do create a PR and
+ explain the benefits of the change.
+
+- For correcting **misspellings**, please be aware that we use some terms that
+ are sometimes flagged by spell checkers. As an example, "if an only if" is
+ often written as "iff". Please do not make spelling correction changes unless
+ you are certain they are misspellings.
+
+- **All tests need to be passing** before your change can be merged. We
+ recommend you run tests locally before creating your PR to catch breakages
+ early on:
-- If you are searching for features to work on, issues labeled [Status: Help
- Wanted](https://github.com/grpc/grpc-go/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+label%3A%22Status%3A+Help+Wanted%22)
- is a great place to start. These issues are well-documented and usually can be
- resolved with a single pull request.
+ - `./scripts/vet.sh` to catch vet errors.
+ - `go test -cpu 1,4 -timeout 7m ./...` to run the tests.
+ - `go test -race -cpu 1,4 -timeout 7m ./...` to run tests in race mode.
-- If you are adding a new file, make sure it has the copyright message template
- at the top as a comment. You can copy over the message from an existing file
- and update the year.
+ Note that we have a multi-module repo, so `go test` commands may need to be
+ run from the root of each module in order to cause all tests to run.
+
+ *Alternatively*, you may find it easier to push your changes to your fork on
+ GitHub, which will trigger a GitHub Actions run that you can use to verify
+ everything is passing.
+
+- Note that there are two GitHub actions checks that need not be green:
+
+ 1. We test the freshness of the generated proto code we maintain via the
+ `vet-proto` check. If the source proto files are updated, but our repo is
+ not updated, an optional checker will fail. This will be fixed by our team
+ in a separate PR and will not prevent the merge of your PR.
+
+ 2. We run a checker that will fail if there is any change in dependencies of
+ an exported package via the `dependencies` check. If new dependencies are
+ added that are not appropriate, we may not accept your PR (see below).
+
+- If you are adding a **new file**, make sure it has the **copyright message**
+ template at the top as a comment. You can copy the message from an existing
+ file and update the year.
- The grpc package should only depend on standard Go packages and a small number
- of exceptions. If your contribution introduces new dependencies which are NOT
- in the [list](https://godoc.org/google.golang.org/grpc?imports), you need a
- discussion with gRPC-Go authors and consultants.
+ of exceptions. **If your contribution introduces new dependencies**, you will
+ need a discussion with gRPC-Go maintainers.
-- For speculative changes, consider opening an issue and discussing it first. If
- you are suggesting a behavioral or API change, consider starting with a [gRFC
- proposal](https://github.com/grpc/proposal).
+### PR Descriptions
-- Provide a good **PR description** as a record of **what** change is being made
- and **why** it was made. Link to a GitHub issue if it exists.
+- **PR titles** should start with the name of the component being addressed, or
+ the type of change. Examples: transport, client, server, round_robin, xds,
+ cleanup, deps.
-- If you want to fix formatting or style, consider whether your changes are an
- obvious improvement or might be considered a personal preference. If a style
- change is based on preference, it likely will not be accepted. If it corrects
- widely agreed-upon anti-patterns, then please do create a PR and explain the
- benefits of the change.
+- Read and follow the **guidelines for PR titles and descriptions** here:
+ https://google.github.io/eng-practices/review/developer/cl-descriptions.html
-- Unless your PR is trivial, you should expect there will be reviewer comments
- that you'll need to address before merging. We'll mark it as `Status: Requires
- Reporter Clarification` if we expect you to respond to these comments in a
- timely manner. If the PR remains inactive for 6 days, it will be marked as
- `stale` and automatically close 7 days after that if we don't hear back from
- you.
+ *particularly* the sections "First Line" and "Body is Informative".
-- Maintain **clean commit history** and use **meaningful commit messages**. PRs
- with messy commit history are difficult to review and won't be merged. Use
- `rebase -i upstream/master` to curate your commit history and/or to bring in
- latest changes from master (but avoid rebasing in the middle of a code
- review).
+ Note: your PR description will be used as the git commit message in a
+ squash-and-merge if your PR is approved. We may make changes to this as
+ necessary.
-- Keep your PR up to date with upstream/master (if there are merge conflicts, we
- can't really merge your change).
+- **Does this PR relate to an open issue?** On the first line, please use the
+ tag `Fixes #` to ensure the issue is closed when the PR is merged. Or
+ use `Updates #` if the PR is related to an open issue, but does not fix
+ it. Consider filing an issue if one does not already exist.
-- **All tests need to be passing** before your change can be merged. We
- recommend you **run tests locally** before creating your PR to catch breakages
- early on.
- - `./scripts/vet.sh` to catch vet errors
- - `go test -cpu 1,4 -timeout 7m ./...` to run the tests
- - `go test -race -cpu 1,4 -timeout 7m ./...` to run tests in race mode
+- PR descriptions *must* conclude with **release notes** as follows:
+
+ ```
+ RELEASE NOTES:
+ * :
+ ```
+
+ This need not match the PR title.
+
+ The summary must:
+
+ * be something that gRPC users will understand.
+
+ * clearly explain the feature being added, the issue being fixed, or the
+ behavior being changed, etc. If fixing a bug, be clear about how the bug
+ can be triggered by an end-user.
+
+ * begin with a capital letter and use complete sentences.
-- Exceptions to the rules can be made if there's a compelling reason for doing so.
+ * be as short as possible to describe the change being made.
+
+ If a PR is *not* end-user visible -- e.g. a cleanup, testing change, or
+ GitHub-related, use `RELEASE NOTES: n/a`.
+
+### PR Process
+
+- Please **self-review** your code changes before sending your PR. This will
+ prevent simple, obvious errors from causing delays.
+
+- Maintain a **clean commit history** and use **meaningful commit messages**.
+ PRs with messy commit histories are difficult to review and won't be merged.
+ Before sending your PR, ensure your changes are based on top of the latest
+ `upstream/master` commits, and avoid rebasing in the middle of a code review.
+ You should **never use `git push -f`** unless absolutely necessary during a
+ review, as it can interfere with GitHub's tracking of comments.
+
+- Unless your PR is trivial, you should **expect reviewer comments** that you
+ will need to address before merging. We'll label the PR as `Status: Requires
+ Reporter Clarification` if we expect you to respond to these comments in a
+ timely manner. If the PR remains inactive for 6 days, it will be marked as
+ `stale`, and we will automatically close it after 7 days if we don't hear back
+ from you. Please feel free to ping issues or bugs if you do not get a response
+ within a week.
diff --git a/vendor/google.golang.org/grpc/MAINTAINERS.md b/vendor/google.golang.org/grpc/MAINTAINERS.md
index 5d4096d46a..df35bb9a88 100644
--- a/vendor/google.golang.org/grpc/MAINTAINERS.md
+++ b/vendor/google.golang.org/grpc/MAINTAINERS.md
@@ -9,21 +9,19 @@ for general contribution guidelines.
## Maintainers (in alphabetical order)
-- [aranjans](https://github.com/aranjans), Google LLC
- [arjan-bal](https://github.com/arjan-bal), Google LLC
- [arvindbr8](https://github.com/arvindbr8), Google LLC
- [atollena](https://github.com/atollena), Datadog, Inc.
- [dfawley](https://github.com/dfawley), Google LLC
- [easwars](https://github.com/easwars), Google LLC
-- [erm-g](https://github.com/erm-g), Google LLC
- [gtcooke94](https://github.com/gtcooke94), Google LLC
-- [purnesh42h](https://github.com/purnesh42h), Google LLC
-- [zasweq](https://github.com/zasweq), Google LLC
## Emeritus Maintainers (in alphabetical order)
- [adelez](https://github.com/adelez)
+- [aranjans](https://github.com/aranjans)
- [canguler](https://github.com/canguler)
- [cesarghali](https://github.com/cesarghali)
+- [erm-g](https://github.com/erm-g)
- [iamqizhao](https://github.com/iamqizhao)
- [jeanbza](https://github.com/jeanbza)
- [jtattermusch](https://github.com/jtattermusch)
@@ -32,5 +30,7 @@ for general contribution guidelines.
- [matt-kwong](https://github.com/matt-kwong)
- [menghanl](https://github.com/menghanl)
- [nicolasnoble](https://github.com/nicolasnoble)
+- [purnesh42h](https://github.com/purnesh42h)
- [srini100](https://github.com/srini100)
- [yongni](https://github.com/yongni)
+- [zasweq](https://github.com/zasweq)
diff --git a/vendor/google.golang.org/grpc/README.md b/vendor/google.golang.org/grpc/README.md
index b572707c62..f9a88d597e 100644
--- a/vendor/google.golang.org/grpc/README.md
+++ b/vendor/google.golang.org/grpc/README.md
@@ -32,6 +32,7 @@ import "google.golang.org/grpc"
- [Low-level technical docs](Documentation) from this repository
- [Performance benchmark][]
- [Examples](examples)
+- [Contribution guidelines](CONTRIBUTING.md)
## FAQ
diff --git a/vendor/google.golang.org/grpc/balancer/balancer.go b/vendor/google.golang.org/grpc/balancer/balancer.go
index c9b343c715..b1264017db 100644
--- a/vendor/google.golang.org/grpc/balancer/balancer.go
+++ b/vendor/google.golang.org/grpc/balancer/balancer.go
@@ -360,6 +360,10 @@ type Balancer interface {
// call SubConn.Shutdown for its existing SubConns; however, this will be
// required in a future release, so it is recommended.
Close()
+ // ExitIdle instructs the LB policy to reconnect to backends / exit the
+ // IDLE state, if appropriate and possible. Note that SubConns that enter
+ // the IDLE state will not reconnect until SubConn.Connect is called.
+ ExitIdle()
}
// ExitIdler is an optional interface for balancers to implement. If
@@ -367,8 +371,8 @@ type Balancer interface {
// the ClientConn is idle. If unimplemented, ClientConn.Connect will cause
// all SubConns to connect.
//
-// Notice: it will be required for all balancers to implement this in a future
-// release.
+// Deprecated: All balancers must implement this interface. This interface will
+// be removed in a future release.
type ExitIdler interface {
// ExitIdle instructs the LB policy to reconnect to backends / exit the
// IDLE state, if appropriate and possible. Note that SubConns that enter
diff --git a/vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go b/vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go
index cc606f4dae..360db08ebc 100644
--- a/vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go
+++ b/vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go
@@ -37,6 +37,8 @@ import (
"google.golang.org/grpc/resolver"
)
+var randIntN = rand.IntN
+
// ChildState is the balancer state of a child along with the endpoint which
// identifies the child balancer.
type ChildState struct {
@@ -45,7 +47,15 @@ type ChildState struct {
// Balancer exposes only the ExitIdler interface of the child LB policy.
// Other methods of the child policy are called only by endpointsharding.
- Balancer balancer.ExitIdler
+ Balancer ExitIdler
+}
+
+// ExitIdler provides access to only the ExitIdle method of the child balancer.
+type ExitIdler interface {
+ // ExitIdle instructs the LB policy to reconnect to backends / exit the
+ // IDLE state, if appropriate and possible. Note that SubConns that enter
+ // the IDLE state will not reconnect until SubConn.Connect is called.
+ ExitIdle()
}
// Options are the options to configure the behaviour of the
@@ -104,6 +114,21 @@ type endpointSharding struct {
mu sync.Mutex
}
+// rotateEndpoints returns a slice of all the input endpoints rotated a random
+// amount.
+func rotateEndpoints(es []resolver.Endpoint) []resolver.Endpoint {
+ les := len(es)
+ if les == 0 {
+ return es
+ }
+ r := randIntN(les)
+ // Make a copy to avoid mutating data beyond the end of es.
+ ret := make([]resolver.Endpoint, les)
+ copy(ret, es[r:])
+ copy(ret[les-r:], es[:r])
+ return ret
+}
+
// UpdateClientConnState creates a child for new endpoints and deletes children
// for endpoints that are no longer present. It also updates all the children,
// and sends a single synchronous update of the childrens' aggregated state at
@@ -125,7 +150,7 @@ func (es *endpointSharding) UpdateClientConnState(state balancer.ClientConnState
newChildren := resolver.NewEndpointMap[*balancerWrapper]()
// Update/Create new children.
- for _, endpoint := range state.ResolverState.Endpoints {
+ for _, endpoint := range rotateEndpoints(state.ResolverState.Endpoints) {
if _, ok := newChildren.Get(endpoint); ok {
// Endpoint child was already created, continue to avoid duplicate
// update.
@@ -205,6 +230,16 @@ func (es *endpointSharding) Close() {
}
}
+func (es *endpointSharding) ExitIdle() {
+ es.childMu.Lock()
+ defer es.childMu.Unlock()
+ for _, bw := range es.children.Load().Values() {
+ if !bw.isClosed {
+ bw.child.ExitIdle()
+ }
+ }
+}
+
// updateState updates this component's state. It sends the aggregated state,
// and a picker with round robin behavior with all the child states present if
// needed.
@@ -261,7 +296,7 @@ func (es *endpointSharding) updateState() {
p := &pickerWithChildStates{
pickers: pickers,
childStates: childStates,
- next: uint32(rand.IntN(len(pickers))),
+ next: uint32(randIntN(len(pickers))),
}
es.cc.UpdateState(balancer.State{
ConnectivityState: aggState,
@@ -326,15 +361,13 @@ func (bw *balancerWrapper) UpdateState(state balancer.State) {
// ExitIdle pings an IDLE child balancer to exit idle in a new goroutine to
// avoid deadlocks due to synchronous balancer state updates.
func (bw *balancerWrapper) ExitIdle() {
- if ei, ok := bw.child.(balancer.ExitIdler); ok {
- go func() {
- bw.es.childMu.Lock()
- if !bw.isClosed {
- ei.ExitIdle()
- }
- bw.es.childMu.Unlock()
- }()
- }
+ go func() {
+ bw.es.childMu.Lock()
+ if !bw.isClosed {
+ bw.child.ExitIdle()
+ }
+ bw.es.childMu.Unlock()
+ }()
}
// updateClientConnStateLocked delivers the ClientConnState to the child
diff --git a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go b/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go
index ea8899818c..b4bc3a2bf3 100644
--- a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go
+++ b/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go
@@ -16,55 +16,124 @@
*
*/
-// Package pickfirst contains the pick_first load balancing policy.
+// Package pickfirst contains the pick_first load balancing policy which
+// is the universal leaf policy.
package pickfirst
import (
"encoding/json"
"errors"
"fmt"
- rand "math/rand/v2"
+ "net"
+ "net/netip"
+ "sync"
+ "time"
"google.golang.org/grpc/balancer"
"google.golang.org/grpc/balancer/pickfirst/internal"
"google.golang.org/grpc/connectivity"
+ expstats "google.golang.org/grpc/experimental/stats"
"google.golang.org/grpc/grpclog"
- "google.golang.org/grpc/internal/envconfig"
internalgrpclog "google.golang.org/grpc/internal/grpclog"
"google.golang.org/grpc/internal/pretty"
"google.golang.org/grpc/resolver"
"google.golang.org/grpc/serviceconfig"
-
- _ "google.golang.org/grpc/balancer/pickfirst/pickfirstleaf" // For automatically registering the new pickfirst if required.
)
func init() {
- if envconfig.NewPickFirstEnabled {
- return
- }
balancer.Register(pickfirstBuilder{})
}
-var logger = grpclog.Component("pick-first-lb")
+// Name is the name of the pick_first balancer.
+const Name = "pick_first"
+
+// enableHealthListenerKeyType is a unique key type used in resolver
+// attributes to indicate whether the health listener usage is enabled.
+type enableHealthListenerKeyType struct{}
+
+var (
+ logger = grpclog.Component("pick-first-leaf-lb")
+ disconnectionsMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+ Name: "grpc.lb.pick_first.disconnections",
+ Description: "EXPERIMENTAL. Number of times the selected subchannel becomes disconnected.",
+ Unit: "{disconnection}",
+ Labels: []string{"grpc.target"},
+ Default: false,
+ })
+ connectionAttemptsSucceededMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+ Name: "grpc.lb.pick_first.connection_attempts_succeeded",
+ Description: "EXPERIMENTAL. Number of successful connection attempts.",
+ Unit: "{attempt}",
+ Labels: []string{"grpc.target"},
+ Default: false,
+ })
+ connectionAttemptsFailedMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+ Name: "grpc.lb.pick_first.connection_attempts_failed",
+ Description: "EXPERIMENTAL. Number of failed connection attempts.",
+ Unit: "{attempt}",
+ Labels: []string{"grpc.target"},
+ Default: false,
+ })
+)
const (
- // Name is the name of the pick_first balancer.
- Name = "pick_first"
- logPrefix = "[pick-first-lb %p] "
+ // TODO: change to pick-first when this becomes the default pick_first policy.
+ logPrefix = "[pick-first-leaf-lb %p] "
+ // connectionDelayInterval is the time to wait for during the happy eyeballs
+ // pass before starting the next connection attempt.
+ connectionDelayInterval = 250 * time.Millisecond
+)
+
+type ipAddrFamily int
+
+const (
+ // ipAddrFamilyUnknown represents strings that can't be parsed as an IP
+ // address.
+ ipAddrFamilyUnknown ipAddrFamily = iota
+ ipAddrFamilyV4
+ ipAddrFamilyV6
)
type pickfirstBuilder struct{}
-func (pickfirstBuilder) Build(cc balancer.ClientConn, _ balancer.BuildOptions) balancer.Balancer {
- b := &pickfirstBalancer{cc: cc}
+func (pickfirstBuilder) Build(cc balancer.ClientConn, bo balancer.BuildOptions) balancer.Balancer {
+ b := &pickfirstBalancer{
+ cc: cc,
+ target: bo.Target.String(),
+ metricsRecorder: cc.MetricsRecorder(),
+
+ subConns: resolver.NewAddressMapV2[*scData](),
+ state: connectivity.Connecting,
+ cancelConnectionTimer: func() {},
+ }
b.logger = internalgrpclog.NewPrefixLogger(logger, fmt.Sprintf(logPrefix, b))
return b
}
-func (pickfirstBuilder) Name() string {
+func (b pickfirstBuilder) Name() string {
return Name
}
+func (pickfirstBuilder) ParseConfig(js json.RawMessage) (serviceconfig.LoadBalancingConfig, error) {
+ var cfg pfConfig
+ if err := json.Unmarshal(js, &cfg); err != nil {
+ return nil, fmt.Errorf("pickfirst: unable to unmarshal LB policy config: %s, error: %v", string(js), err)
+ }
+ return cfg, nil
+}
+
+// EnableHealthListener updates the state to configure pickfirst for using a
+// generic health listener.
+//
+// # Experimental
+//
+// Notice: This API is EXPERIMENTAL and may be changed or removed in a later
+// release.
+func EnableHealthListener(state resolver.State) resolver.State {
+ state.Attributes = state.Attributes.WithValue(enableHealthListenerKeyType{}, true)
+ return state
+}
+
type pfConfig struct {
serviceconfig.LoadBalancingConfig `json:"-"`
@@ -74,90 +143,129 @@ type pfConfig struct {
ShuffleAddressList bool `json:"shuffleAddressList"`
}
-func (pickfirstBuilder) ParseConfig(js json.RawMessage) (serviceconfig.LoadBalancingConfig, error) {
- var cfg pfConfig
- if err := json.Unmarshal(js, &cfg); err != nil {
- return nil, fmt.Errorf("pickfirst: unable to unmarshal LB policy config: %s, error: %v", string(js), err)
+// scData keeps track of the current state of the subConn.
+// It is not safe for concurrent access.
+type scData struct {
+ // The following fields are initialized at build time and read-only after
+ // that.
+ subConn balancer.SubConn
+ addr resolver.Address
+
+ rawConnectivityState connectivity.State
+ // The effective connectivity state based on raw connectivity, health state
+ // and after following sticky TransientFailure behaviour defined in A62.
+ effectiveState connectivity.State
+ lastErr error
+ connectionFailedInFirstPass bool
+}
+
+func (b *pickfirstBalancer) newSCData(addr resolver.Address) (*scData, error) {
+ sd := &scData{
+ rawConnectivityState: connectivity.Idle,
+ effectiveState: connectivity.Idle,
+ addr: addr,
}
- return cfg, nil
+ sc, err := b.cc.NewSubConn([]resolver.Address{addr}, balancer.NewSubConnOptions{
+ StateListener: func(state balancer.SubConnState) {
+ b.updateSubConnState(sd, state)
+ },
+ })
+ if err != nil {
+ return nil, err
+ }
+ sd.subConn = sc
+ return sd, nil
}
type pickfirstBalancer struct {
- logger *internalgrpclog.PrefixLogger
- state connectivity.State
- cc balancer.ClientConn
- subConn balancer.SubConn
+ // The following fields are initialized at build time and read-only after
+ // that and therefore do not need to be guarded by a mutex.
+ logger *internalgrpclog.PrefixLogger
+ cc balancer.ClientConn
+ target string
+ metricsRecorder expstats.MetricsRecorder // guaranteed to be non nil
+
+ // The mutex is used to ensure synchronization of updates triggered
+ // from the idle picker and the already serialized resolver,
+ // SubConn state updates.
+ mu sync.Mutex
+ // State reported to the channel based on SubConn states and resolver
+ // updates.
+ state connectivity.State
+ // scData for active subonns mapped by address.
+ subConns *resolver.AddressMapV2[*scData]
+ addressList addressList
+ firstPass bool
+ numTF int
+ cancelConnectionTimer func()
+ healthCheckingEnabled bool
}
+// ResolverError is called by the ClientConn when the name resolver produces
+// an error or when pickfirst determined the resolver update to be invalid.
func (b *pickfirstBalancer) ResolverError(err error) {
+ b.mu.Lock()
+ defer b.mu.Unlock()
+ b.resolverErrorLocked(err)
+}
+
+func (b *pickfirstBalancer) resolverErrorLocked(err error) {
if b.logger.V(2) {
b.logger.Infof("Received error from the name resolver: %v", err)
}
- if b.subConn == nil {
- b.state = connectivity.TransientFailure
- }
- if b.state != connectivity.TransientFailure {
- // The picker will not change since the balancer does not currently
- // report an error.
+ // The picker will not change since the balancer does not currently
+ // report an error. If the balancer hasn't received a single good resolver
+ // update yet, transition to TRANSIENT_FAILURE.
+ if b.state != connectivity.TransientFailure && b.addressList.size() > 0 {
+ if b.logger.V(2) {
+ b.logger.Infof("Ignoring resolver error because balancer is using a previous good update.")
+ }
return
}
- b.cc.UpdateState(balancer.State{
+
+ b.updateBalancerState(balancer.State{
ConnectivityState: connectivity.TransientFailure,
Picker: &picker{err: fmt.Errorf("name resolver error: %v", err)},
})
}
-// Shuffler is an interface for shuffling an address list.
-type Shuffler interface {
- ShuffleAddressListForTesting(n int, swap func(i, j int))
-}
-
-// ShuffleAddressListForTesting pseudo-randomizes the order of addresses. n
-// is the number of elements. swap swaps the elements with indexes i and j.
-func ShuffleAddressListForTesting(n int, swap func(i, j int)) { rand.Shuffle(n, swap) }
-
func (b *pickfirstBalancer) UpdateClientConnState(state balancer.ClientConnState) error {
+ b.mu.Lock()
+ defer b.mu.Unlock()
+ b.cancelConnectionTimer()
if len(state.ResolverState.Addresses) == 0 && len(state.ResolverState.Endpoints) == 0 {
- // The resolver reported an empty address list. Treat it like an error by
- // calling b.ResolverError.
- if b.subConn != nil {
- // Shut down the old subConn. All addresses were removed, so it is
- // no longer valid.
- b.subConn.Shutdown()
- b.subConn = nil
- }
- b.ResolverError(errors.New("produced zero addresses"))
+ // Cleanup state pertaining to the previous resolver state.
+ // Treat an empty address list like an error by calling b.ResolverError.
+ b.closeSubConnsLocked()
+ b.addressList.updateAddrs(nil)
+ b.resolverErrorLocked(errors.New("produced zero addresses"))
return balancer.ErrBadResolverState
}
- // We don't have to guard this block with the env var because ParseConfig
- // already does so.
+ b.healthCheckingEnabled = state.ResolverState.Attributes.Value(enableHealthListenerKeyType{}) != nil
cfg, ok := state.BalancerConfig.(pfConfig)
if state.BalancerConfig != nil && !ok {
- return fmt.Errorf("pickfirst: received illegal BalancerConfig (type %T): %v", state.BalancerConfig, state.BalancerConfig)
+ return fmt.Errorf("pickfirst: received illegal BalancerConfig (type %T): %v: %w", state.BalancerConfig, state.BalancerConfig, balancer.ErrBadResolverState)
}
if b.logger.V(2) {
b.logger.Infof("Received new config %s, resolver state %s", pretty.ToJSON(cfg), pretty.ToJSON(state.ResolverState))
}
- var addrs []resolver.Address
+ var newAddrs []resolver.Address
if endpoints := state.ResolverState.Endpoints; len(endpoints) != 0 {
- // Perform the optional shuffling described in gRFC A62. The shuffling will
- // change the order of endpoints but not touch the order of the addresses
- // within each endpoint. - A61
+ // Perform the optional shuffling described in gRFC A62. The shuffling
+ // will change the order of endpoints but not touch the order of the
+ // addresses within each endpoint. - A61
if cfg.ShuffleAddressList {
endpoints = append([]resolver.Endpoint{}, endpoints...)
internal.RandShuffle(len(endpoints), func(i, j int) { endpoints[i], endpoints[j] = endpoints[j], endpoints[i] })
}
- // "Flatten the list by concatenating the ordered list of addresses for each
- // of the endpoints, in order." - A61
+ // "Flatten the list by concatenating the ordered list of addresses for
+ // each of the endpoints, in order." - A61
for _, endpoint := range endpoints {
- // "In the flattened list, interleave addresses from the two address
- // families, as per RFC-8304 section 4." - A61
- // TODO: support the above language.
- addrs = append(addrs, endpoint.Addresses...)
+ newAddrs = append(newAddrs, endpoint.Addresses...)
}
} else {
// Endpoints not set, process addresses until we migrate resolver
@@ -166,42 +274,53 @@ func (b *pickfirstBalancer) UpdateClientConnState(state balancer.ClientConnState
// target do not forward the corresponding correct endpoints down/split
// endpoints properly. Once all balancers correctly forward endpoints
// down, can delete this else conditional.
- addrs = state.ResolverState.Addresses
+ newAddrs = state.ResolverState.Addresses
if cfg.ShuffleAddressList {
- addrs = append([]resolver.Address{}, addrs...)
- rand.Shuffle(len(addrs), func(i, j int) { addrs[i], addrs[j] = addrs[j], addrs[i] })
+ newAddrs = append([]resolver.Address{}, newAddrs...)
+ internal.RandShuffle(len(newAddrs), func(i, j int) { newAddrs[i], newAddrs[j] = newAddrs[j], newAddrs[i] })
}
}
- if b.subConn != nil {
- b.cc.UpdateAddresses(b.subConn, addrs)
+ // If an address appears in multiple endpoints or in the same endpoint
+ // multiple times, we keep it only once. We will create only one SubConn
+ // for the address because an AddressMap is used to store SubConns.
+ // Not de-duplicating would result in attempting to connect to the same
+ // SubConn multiple times in the same pass. We don't want this.
+ newAddrs = deDupAddresses(newAddrs)
+ newAddrs = interleaveAddresses(newAddrs)
+
+ prevAddr := b.addressList.currentAddress()
+ prevSCData, found := b.subConns.Get(prevAddr)
+ prevAddrsCount := b.addressList.size()
+ isPrevRawConnectivityStateReady := found && prevSCData.rawConnectivityState == connectivity.Ready
+ b.addressList.updateAddrs(newAddrs)
+
+ // If the previous ready SubConn exists in new address list,
+ // keep this connection and don't create new SubConns.
+ if isPrevRawConnectivityStateReady && b.addressList.seekTo(prevAddr) {
return nil
}
- var subConn balancer.SubConn
- subConn, err := b.cc.NewSubConn(addrs, balancer.NewSubConnOptions{
- StateListener: func(state balancer.SubConnState) {
- b.updateSubConnState(subConn, state)
- },
- })
- if err != nil {
- if b.logger.V(2) {
- b.logger.Infof("Failed to create new SubConn: %v", err)
- }
- b.state = connectivity.TransientFailure
- b.cc.UpdateState(balancer.State{
- ConnectivityState: connectivity.TransientFailure,
- Picker: &picker{err: fmt.Errorf("error creating connection: %v", err)},
+ b.reconcileSubConnsLocked(newAddrs)
+ // If it's the first resolver update or the balancer was already READY
+ // (but the new address list does not contain the ready SubConn) or
+ // CONNECTING, enter CONNECTING.
+ // We may be in TRANSIENT_FAILURE due to a previous empty address list,
+ // we should still enter CONNECTING because the sticky TF behaviour
+ // mentioned in A62 applies only when the TRANSIENT_FAILURE is reported
+ // due to connectivity failures.
+ if isPrevRawConnectivityStateReady || b.state == connectivity.Connecting || prevAddrsCount == 0 {
+ // Start connection attempt at first address.
+ b.forceUpdateConcludedStateLocked(balancer.State{
+ ConnectivityState: connectivity.Connecting,
+ Picker: &picker{err: balancer.ErrNoSubConnAvailable},
})
- return balancer.ErrBadResolverState
+ b.startFirstPassLocked()
+ } else if b.state == connectivity.TransientFailure {
+ // If we're in TRANSIENT_FAILURE, we stay in TRANSIENT_FAILURE until
+ // we're READY. See A62.
+ b.startFirstPassLocked()
}
- b.subConn = subConn
- b.state = connectivity.Idle
- b.cc.UpdateState(balancer.State{
- ConnectivityState: connectivity.Connecting,
- Picker: &picker{err: balancer.ErrNoSubConnAvailable},
- })
- b.subConn.Connect()
return nil
}
@@ -211,63 +330,484 @@ func (b *pickfirstBalancer) UpdateSubConnState(subConn balancer.SubConn, state b
b.logger.Errorf("UpdateSubConnState(%v, %+v) called unexpectedly", subConn, state)
}
-func (b *pickfirstBalancer) updateSubConnState(subConn balancer.SubConn, state balancer.SubConnState) {
- if b.logger.V(2) {
- b.logger.Infof("Received SubConn state update: %p, %+v", subConn, state)
+func (b *pickfirstBalancer) Close() {
+ b.mu.Lock()
+ defer b.mu.Unlock()
+ b.closeSubConnsLocked()
+ b.cancelConnectionTimer()
+ b.state = connectivity.Shutdown
+}
+
+// ExitIdle moves the balancer out of idle state. It can be called concurrently
+// by the idlePicker and clientConn so access to variables should be
+// synchronized.
+func (b *pickfirstBalancer) ExitIdle() {
+ b.mu.Lock()
+ defer b.mu.Unlock()
+ if b.state == connectivity.Idle {
+ // Move the balancer into CONNECTING state immediately. This is done to
+ // avoid staying in IDLE if a resolver update arrives before the first
+ // SubConn reports CONNECTING.
+ b.updateBalancerState(balancer.State{
+ ConnectivityState: connectivity.Connecting,
+ Picker: &picker{err: balancer.ErrNoSubConnAvailable},
+ })
+ b.startFirstPassLocked()
+ }
+}
+
+func (b *pickfirstBalancer) startFirstPassLocked() {
+ b.firstPass = true
+ b.numTF = 0
+ // Reset the connection attempt record for existing SubConns.
+ for _, sd := range b.subConns.Values() {
+ sd.connectionFailedInFirstPass = false
+ }
+ b.requestConnectionLocked()
+}
+
+func (b *pickfirstBalancer) closeSubConnsLocked() {
+ for _, sd := range b.subConns.Values() {
+ sd.subConn.Shutdown()
+ }
+ b.subConns = resolver.NewAddressMapV2[*scData]()
+}
+
+// deDupAddresses ensures that each address appears only once in the slice.
+func deDupAddresses(addrs []resolver.Address) []resolver.Address {
+ seenAddrs := resolver.NewAddressMapV2[bool]()
+ retAddrs := []resolver.Address{}
+
+ for _, addr := range addrs {
+ if _, ok := seenAddrs.Get(addr); ok {
+ continue
+ }
+ seenAddrs.Set(addr, true)
+ retAddrs = append(retAddrs, addr)
+ }
+ return retAddrs
+}
+
+// interleaveAddresses interleaves addresses of both families (IPv4 and IPv6)
+// as per RFC-8305 section 4.
+// Whichever address family is first in the list is followed by an address of
+// the other address family; that is, if the first address in the list is IPv6,
+// then the first IPv4 address should be moved up in the list to be second in
+// the list. It doesn't support configuring "First Address Family Count", i.e.
+// there will always be a single member of the first address family at the
+// beginning of the interleaved list.
+// Addresses that are neither IPv4 nor IPv6 are treated as part of a third
+// "unknown" family for interleaving.
+// See: https://datatracker.ietf.org/doc/html/rfc8305#autoid-6
+func interleaveAddresses(addrs []resolver.Address) []resolver.Address {
+ familyAddrsMap := map[ipAddrFamily][]resolver.Address{}
+ interleavingOrder := []ipAddrFamily{}
+ for _, addr := range addrs {
+ family := addressFamily(addr.Addr)
+ if _, found := familyAddrsMap[family]; !found {
+ interleavingOrder = append(interleavingOrder, family)
+ }
+ familyAddrsMap[family] = append(familyAddrsMap[family], addr)
+ }
+
+ interleavedAddrs := make([]resolver.Address, 0, len(addrs))
+
+ for curFamilyIdx := 0; len(interleavedAddrs) < len(addrs); curFamilyIdx = (curFamilyIdx + 1) % len(interleavingOrder) {
+ // Some IP types may have fewer addresses than others, so we look for
+ // the next type that has a remaining member to add to the interleaved
+ // list.
+ family := interleavingOrder[curFamilyIdx]
+ remainingMembers := familyAddrsMap[family]
+ if len(remainingMembers) > 0 {
+ interleavedAddrs = append(interleavedAddrs, remainingMembers[0])
+ familyAddrsMap[family] = remainingMembers[1:]
+ }
+ }
+
+ return interleavedAddrs
+}
+
+// addressFamily returns the ipAddrFamily after parsing the address string.
+// If the address isn't of the format "ip-address:port", it returns
+// ipAddrFamilyUnknown. The address may be valid even if it's not an IP when
+// using a resolver like passthrough where the address may be a hostname in
+// some format that the dialer can resolve.
+func addressFamily(address string) ipAddrFamily {
+ // Parse the IP after removing the port.
+ host, _, err := net.SplitHostPort(address)
+ if err != nil {
+ return ipAddrFamilyUnknown
+ }
+ ip, err := netip.ParseAddr(host)
+ if err != nil {
+ return ipAddrFamilyUnknown
+ }
+ switch {
+ case ip.Is4() || ip.Is4In6():
+ return ipAddrFamilyV4
+ case ip.Is6():
+ return ipAddrFamilyV6
+ default:
+ return ipAddrFamilyUnknown
+ }
+}
+
+// reconcileSubConnsLocked updates the active subchannels based on a new address
+// list from the resolver. It does this by:
+// - closing subchannels: any existing subchannels associated with addresses
+// that are no longer in the updated list are shut down.
+// - removing subchannels: entries for these closed subchannels are removed
+// from the subchannel map.
+//
+// This ensures that the subchannel map accurately reflects the current set of
+// addresses received from the name resolver.
+func (b *pickfirstBalancer) reconcileSubConnsLocked(newAddrs []resolver.Address) {
+ newAddrsMap := resolver.NewAddressMapV2[bool]()
+ for _, addr := range newAddrs {
+ newAddrsMap.Set(addr, true)
+ }
+
+ for _, oldAddr := range b.subConns.Keys() {
+ if _, ok := newAddrsMap.Get(oldAddr); ok {
+ continue
+ }
+ val, _ := b.subConns.Get(oldAddr)
+ val.subConn.Shutdown()
+ b.subConns.Delete(oldAddr)
+ }
+}
+
+// shutdownRemainingLocked shuts down remaining subConns. Called when a subConn
+// becomes ready, which means that all other subConn must be shutdown.
+func (b *pickfirstBalancer) shutdownRemainingLocked(selected *scData) {
+ b.cancelConnectionTimer()
+ for _, sd := range b.subConns.Values() {
+ if sd.subConn != selected.subConn {
+ sd.subConn.Shutdown()
+ }
+ }
+ b.subConns = resolver.NewAddressMapV2[*scData]()
+ b.subConns.Set(selected.addr, selected)
+}
+
+// requestConnectionLocked starts connecting on the subchannel corresponding to
+// the current address. If no subchannel exists, one is created. If the current
+// subchannel is in TransientFailure, a connection to the next address is
+// attempted until a subchannel is found.
+func (b *pickfirstBalancer) requestConnectionLocked() {
+ if !b.addressList.isValid() {
+ return
+ }
+ var lastErr error
+ for valid := true; valid; valid = b.addressList.increment() {
+ curAddr := b.addressList.currentAddress()
+ sd, ok := b.subConns.Get(curAddr)
+ if !ok {
+ var err error
+ // We want to assign the new scData to sd from the outer scope,
+ // hence we can't use := below.
+ sd, err = b.newSCData(curAddr)
+ if err != nil {
+ // This should never happen, unless the clientConn is being shut
+ // down.
+ if b.logger.V(2) {
+ b.logger.Infof("Failed to create a subConn for address %v: %v", curAddr.String(), err)
+ }
+ // Do nothing, the LB policy will be closed soon.
+ return
+ }
+ b.subConns.Set(curAddr, sd)
+ }
+
+ switch sd.rawConnectivityState {
+ case connectivity.Idle:
+ sd.subConn.Connect()
+ b.scheduleNextConnectionLocked()
+ return
+ case connectivity.TransientFailure:
+ // The SubConn is being re-used and failed during a previous pass
+ // over the addressList. It has not completed backoff yet.
+ // Mark it as having failed and try the next address.
+ sd.connectionFailedInFirstPass = true
+ lastErr = sd.lastErr
+ continue
+ case connectivity.Connecting:
+ // Wait for the connection attempt to complete or the timer to fire
+ // before attempting the next address.
+ b.scheduleNextConnectionLocked()
+ return
+ default:
+ b.logger.Errorf("SubConn with unexpected state %v present in SubConns map.", sd.rawConnectivityState)
+ return
+
+ }
+ }
+
+ // All the remaining addresses in the list are in TRANSIENT_FAILURE, end the
+ // first pass if possible.
+ b.endFirstPassIfPossibleLocked(lastErr)
+}
+
+func (b *pickfirstBalancer) scheduleNextConnectionLocked() {
+ b.cancelConnectionTimer()
+ if !b.addressList.hasNext() {
+ return
}
- if b.subConn != subConn {
+ curAddr := b.addressList.currentAddress()
+ cancelled := false // Access to this is protected by the balancer's mutex.
+ closeFn := internal.TimeAfterFunc(connectionDelayInterval, func() {
+ b.mu.Lock()
+ defer b.mu.Unlock()
+ // If the scheduled task is cancelled while acquiring the mutex, return.
+ if cancelled {
+ return
+ }
if b.logger.V(2) {
- b.logger.Infof("Ignored state change because subConn is not recognized")
+ b.logger.Infof("Happy Eyeballs timer expired while waiting for connection to %q.", curAddr.Addr)
+ }
+ if b.addressList.increment() {
+ b.requestConnectionLocked()
}
+ })
+ // Access to the cancellation callback held by the balancer is guarded by
+ // the balancer's mutex, so it's safe to set the boolean from the callback.
+ b.cancelConnectionTimer = sync.OnceFunc(func() {
+ cancelled = true
+ closeFn()
+ })
+}
+
+func (b *pickfirstBalancer) updateSubConnState(sd *scData, newState balancer.SubConnState) {
+ b.mu.Lock()
+ defer b.mu.Unlock()
+ oldState := sd.rawConnectivityState
+ sd.rawConnectivityState = newState.ConnectivityState
+ // Previously relevant SubConns can still callback with state updates.
+ // To prevent pickers from returning these obsolete SubConns, this logic
+ // is included to check if the current list of active SubConns includes this
+ // SubConn.
+ if !b.isActiveSCData(sd) {
return
}
- if state.ConnectivityState == connectivity.Shutdown {
- b.subConn = nil
+ if newState.ConnectivityState == connectivity.Shutdown {
+ sd.effectiveState = connectivity.Shutdown
return
}
- switch state.ConnectivityState {
- case connectivity.Ready:
- b.cc.UpdateState(balancer.State{
- ConnectivityState: state.ConnectivityState,
- Picker: &picker{result: balancer.PickResult{SubConn: subConn}},
- })
- case connectivity.Connecting:
- if b.state == connectivity.TransientFailure {
- // We stay in TransientFailure until we are Ready. See A62.
+ // Record a connection attempt when exiting CONNECTING.
+ if newState.ConnectivityState == connectivity.TransientFailure {
+ sd.connectionFailedInFirstPass = true
+ connectionAttemptsFailedMetric.Record(b.metricsRecorder, 1, b.target)
+ }
+
+ if newState.ConnectivityState == connectivity.Ready {
+ connectionAttemptsSucceededMetric.Record(b.metricsRecorder, 1, b.target)
+ b.shutdownRemainingLocked(sd)
+ if !b.addressList.seekTo(sd.addr) {
+ // This should not fail as we should have only one SubConn after
+ // entering READY. The SubConn should be present in the addressList.
+ b.logger.Errorf("Address %q not found address list in %v", sd.addr, b.addressList.addresses)
return
}
- b.cc.UpdateState(balancer.State{
- ConnectivityState: state.ConnectivityState,
+ if !b.healthCheckingEnabled {
+ if b.logger.V(2) {
+ b.logger.Infof("SubConn %p reported connectivity state READY and the health listener is disabled. Transitioning SubConn to READY.", sd.subConn)
+ }
+
+ sd.effectiveState = connectivity.Ready
+ b.updateBalancerState(balancer.State{
+ ConnectivityState: connectivity.Ready,
+ Picker: &picker{result: balancer.PickResult{SubConn: sd.subConn}},
+ })
+ return
+ }
+ if b.logger.V(2) {
+ b.logger.Infof("SubConn %p reported connectivity state READY. Registering health listener.", sd.subConn)
+ }
+ // Send a CONNECTING update to take the SubConn out of sticky-TF if
+ // required.
+ sd.effectiveState = connectivity.Connecting
+ b.updateBalancerState(balancer.State{
+ ConnectivityState: connectivity.Connecting,
Picker: &picker{err: balancer.ErrNoSubConnAvailable},
})
+ sd.subConn.RegisterHealthListener(func(scs balancer.SubConnState) {
+ b.updateSubConnHealthState(sd, scs)
+ })
+ return
+ }
+
+ // If the LB policy is READY, and it receives a subchannel state change,
+ // it means that the READY subchannel has failed.
+ // A SubConn can also transition from CONNECTING directly to IDLE when
+ // a transport is successfully created, but the connection fails
+ // before the SubConn can send the notification for READY. We treat
+ // this as a successful connection and transition to IDLE.
+ // TODO: https://github.com/grpc/grpc-go/issues/7862 - Remove the second
+ // part of the if condition below once the issue is fixed.
+ if oldState == connectivity.Ready || (oldState == connectivity.Connecting && newState.ConnectivityState == connectivity.Idle) {
+ // Once a transport fails, the balancer enters IDLE and starts from
+ // the first address when the picker is used.
+ b.shutdownRemainingLocked(sd)
+ sd.effectiveState = newState.ConnectivityState
+ // READY SubConn interspliced in between CONNECTING and IDLE, need to
+ // account for that.
+ if oldState == connectivity.Connecting {
+ // A known issue (https://github.com/grpc/grpc-go/issues/7862)
+ // causes a race that prevents the READY state change notification.
+ // This works around it.
+ connectionAttemptsSucceededMetric.Record(b.metricsRecorder, 1, b.target)
+ }
+ disconnectionsMetric.Record(b.metricsRecorder, 1, b.target)
+ b.addressList.reset()
+ b.updateBalancerState(balancer.State{
+ ConnectivityState: connectivity.Idle,
+ Picker: &idlePicker{exitIdle: sync.OnceFunc(b.ExitIdle)},
+ })
+ return
+ }
+
+ if b.firstPass {
+ switch newState.ConnectivityState {
+ case connectivity.Connecting:
+ // The effective state can be in either IDLE, CONNECTING or
+ // TRANSIENT_FAILURE. If it's TRANSIENT_FAILURE, stay in
+ // TRANSIENT_FAILURE until it's READY. See A62.
+ if sd.effectiveState != connectivity.TransientFailure {
+ sd.effectiveState = connectivity.Connecting
+ b.updateBalancerState(balancer.State{
+ ConnectivityState: connectivity.Connecting,
+ Picker: &picker{err: balancer.ErrNoSubConnAvailable},
+ })
+ }
+ case connectivity.TransientFailure:
+ sd.lastErr = newState.ConnectionError
+ sd.effectiveState = connectivity.TransientFailure
+ // Since we're re-using common SubConns while handling resolver
+ // updates, we could receive an out of turn TRANSIENT_FAILURE from
+ // a pass over the previous address list. Happy Eyeballs will also
+ // cause out of order updates to arrive.
+
+ if curAddr := b.addressList.currentAddress(); equalAddressIgnoringBalAttributes(&curAddr, &sd.addr) {
+ b.cancelConnectionTimer()
+ if b.addressList.increment() {
+ b.requestConnectionLocked()
+ return
+ }
+ }
+
+ // End the first pass if we've seen a TRANSIENT_FAILURE from all
+ // SubConns once.
+ b.endFirstPassIfPossibleLocked(newState.ConnectionError)
+ }
+ return
+ }
+
+ // We have finished the first pass, keep re-connecting failing SubConns.
+ switch newState.ConnectivityState {
+ case connectivity.TransientFailure:
+ b.numTF = (b.numTF + 1) % b.subConns.Len()
+ sd.lastErr = newState.ConnectionError
+ if b.numTF%b.subConns.Len() == 0 {
+ b.updateBalancerState(balancer.State{
+ ConnectivityState: connectivity.TransientFailure,
+ Picker: &picker{err: newState.ConnectionError},
+ })
+ }
+ // We don't need to request re-resolution since the SubConn already
+ // does that before reporting TRANSIENT_FAILURE.
+ // TODO: #7534 - Move re-resolution requests from SubConn into
+ // pick_first.
case connectivity.Idle:
- if b.state == connectivity.TransientFailure {
- // We stay in TransientFailure until we are Ready. Also kick the
- // subConn out of Idle into Connecting. See A62.
- b.subConn.Connect()
+ sd.subConn.Connect()
+ }
+}
+
+// endFirstPassIfPossibleLocked ends the first happy-eyeballs pass if all the
+// addresses are tried and their SubConns have reported a failure.
+func (b *pickfirstBalancer) endFirstPassIfPossibleLocked(lastErr error) {
+ // An optimization to avoid iterating over the entire SubConn map.
+ if b.addressList.isValid() {
+ return
+ }
+ // Connect() has been called on all the SubConns. The first pass can be
+ // ended if all the SubConns have reported a failure.
+ for _, sd := range b.subConns.Values() {
+ if !sd.connectionFailedInFirstPass {
return
}
- b.cc.UpdateState(balancer.State{
- ConnectivityState: state.ConnectivityState,
- Picker: &idlePicker{subConn: subConn},
+ }
+ b.firstPass = false
+ b.updateBalancerState(balancer.State{
+ ConnectivityState: connectivity.TransientFailure,
+ Picker: &picker{err: lastErr},
+ })
+ // Start re-connecting all the SubConns that are already in IDLE.
+ for _, sd := range b.subConns.Values() {
+ if sd.rawConnectivityState == connectivity.Idle {
+ sd.subConn.Connect()
+ }
+ }
+}
+
+func (b *pickfirstBalancer) isActiveSCData(sd *scData) bool {
+ activeSD, found := b.subConns.Get(sd.addr)
+ return found && activeSD == sd
+}
+
+func (b *pickfirstBalancer) updateSubConnHealthState(sd *scData, state balancer.SubConnState) {
+ b.mu.Lock()
+ defer b.mu.Unlock()
+ // Previously relevant SubConns can still callback with state updates.
+ // To prevent pickers from returning these obsolete SubConns, this logic
+ // is included to check if the current list of active SubConns includes
+ // this SubConn.
+ if !b.isActiveSCData(sd) {
+ return
+ }
+ sd.effectiveState = state.ConnectivityState
+ switch state.ConnectivityState {
+ case connectivity.Ready:
+ b.updateBalancerState(balancer.State{
+ ConnectivityState: connectivity.Ready,
+ Picker: &picker{result: balancer.PickResult{SubConn: sd.subConn}},
})
case connectivity.TransientFailure:
- b.cc.UpdateState(balancer.State{
- ConnectivityState: state.ConnectivityState,
- Picker: &picker{err: state.ConnectionError},
+ b.updateBalancerState(balancer.State{
+ ConnectivityState: connectivity.TransientFailure,
+ Picker: &picker{err: fmt.Errorf("pickfirst: health check failure: %v", state.ConnectionError)},
+ })
+ case connectivity.Connecting:
+ b.updateBalancerState(balancer.State{
+ ConnectivityState: connectivity.Connecting,
+ Picker: &picker{err: balancer.ErrNoSubConnAvailable},
})
+ default:
+ b.logger.Errorf("Got unexpected health update for SubConn %p: %v", state)
}
- b.state = state.ConnectivityState
}
-func (b *pickfirstBalancer) Close() {
+// updateBalancerState stores the state reported to the channel and calls
+// ClientConn.UpdateState(). As an optimization, it avoids sending duplicate
+// updates to the channel.
+func (b *pickfirstBalancer) updateBalancerState(newState balancer.State) {
+ // In case of TransientFailures allow the picker to be updated to update
+ // the connectivity error, in all other cases don't send duplicate state
+ // updates.
+ if newState.ConnectivityState == b.state && b.state != connectivity.TransientFailure {
+ return
+ }
+ b.forceUpdateConcludedStateLocked(newState)
}
-func (b *pickfirstBalancer) ExitIdle() {
- if b.subConn != nil && b.state == connectivity.Idle {
- b.subConn.Connect()
- }
+// forceUpdateConcludedStateLocked stores the state reported to the channel and
+// calls ClientConn.UpdateState().
+// A separate function is defined to force update the ClientConn state since the
+// channel doesn't correctly assume that LB policies start in CONNECTING and
+// relies on LB policy to send an initial CONNECTING update.
+func (b *pickfirstBalancer) forceUpdateConcludedStateLocked(newState balancer.State) {
+ b.state = newState.ConnectivityState
+ b.cc.UpdateState(newState)
}
type picker struct {
@@ -282,10 +822,87 @@ func (p *picker) Pick(balancer.PickInfo) (balancer.PickResult, error) {
// idlePicker is used when the SubConn is IDLE and kicks the SubConn into
// CONNECTING when Pick is called.
type idlePicker struct {
- subConn balancer.SubConn
+ exitIdle func()
}
func (i *idlePicker) Pick(balancer.PickInfo) (balancer.PickResult, error) {
- i.subConn.Connect()
+ i.exitIdle()
return balancer.PickResult{}, balancer.ErrNoSubConnAvailable
}
+
+// addressList manages sequentially iterating over addresses present in a list
+// of endpoints. It provides a 1 dimensional view of the addresses present in
+// the endpoints.
+// This type is not safe for concurrent access.
+type addressList struct {
+ addresses []resolver.Address
+ idx int
+}
+
+func (al *addressList) isValid() bool {
+ return al.idx < len(al.addresses)
+}
+
+func (al *addressList) size() int {
+ return len(al.addresses)
+}
+
+// increment moves to the next index in the address list.
+// This method returns false if it went off the list, true otherwise.
+func (al *addressList) increment() bool {
+ if !al.isValid() {
+ return false
+ }
+ al.idx++
+ return al.idx < len(al.addresses)
+}
+
+// currentAddress returns the current address pointed to in the addressList.
+// If the list is in an invalid state, it returns an empty address instead.
+func (al *addressList) currentAddress() resolver.Address {
+ if !al.isValid() {
+ return resolver.Address{}
+ }
+ return al.addresses[al.idx]
+}
+
+func (al *addressList) reset() {
+ al.idx = 0
+}
+
+func (al *addressList) updateAddrs(addrs []resolver.Address) {
+ al.addresses = addrs
+ al.reset()
+}
+
+// seekTo returns false if the needle was not found and the current index was
+// left unchanged.
+func (al *addressList) seekTo(needle resolver.Address) bool {
+ for ai, addr := range al.addresses {
+ if !equalAddressIgnoringBalAttributes(&addr, &needle) {
+ continue
+ }
+ al.idx = ai
+ return true
+ }
+ return false
+}
+
+// hasNext returns whether incrementing the addressList will result in moving
+// past the end of the list. If the list has already moved past the end, it
+// returns false.
+func (al *addressList) hasNext() bool {
+ if !al.isValid() {
+ return false
+ }
+ return al.idx+1 < len(al.addresses)
+}
+
+// equalAddressIgnoringBalAttributes returns true is a and b are considered
+// equal. This is different from the Equal method on the resolver.Address type
+// which considers all fields to determine equality. Here, we only consider
+// fields that are meaningful to the SubConn.
+func equalAddressIgnoringBalAttributes(a, b *resolver.Address) bool {
+ return a.Addr == b.Addr && a.ServerName == b.ServerName &&
+ a.Attributes.Equal(b.Attributes)
+}
diff --git a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go b/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go
deleted file mode 100644
index 494314f235..0000000000
--- a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go
+++ /dev/null
@@ -1,927 +0,0 @@
-/*
- *
- * Copyright 2024 gRPC authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-// Package pickfirstleaf contains the pick_first load balancing policy which
-// will be the universal leaf policy after dualstack changes are implemented.
-//
-// # Experimental
-//
-// Notice: This package is EXPERIMENTAL and may be changed or removed in a
-// later release.
-package pickfirstleaf
-
-import (
- "encoding/json"
- "errors"
- "fmt"
- "net"
- "net/netip"
- "sync"
- "time"
-
- "google.golang.org/grpc/balancer"
- "google.golang.org/grpc/balancer/pickfirst/internal"
- "google.golang.org/grpc/connectivity"
- expstats "google.golang.org/grpc/experimental/stats"
- "google.golang.org/grpc/grpclog"
- "google.golang.org/grpc/internal/envconfig"
- internalgrpclog "google.golang.org/grpc/internal/grpclog"
- "google.golang.org/grpc/internal/pretty"
- "google.golang.org/grpc/resolver"
- "google.golang.org/grpc/serviceconfig"
-)
-
-func init() {
- if envconfig.NewPickFirstEnabled {
- // Register as the default pick_first balancer.
- Name = "pick_first"
- }
- balancer.Register(pickfirstBuilder{})
-}
-
-type (
- // enableHealthListenerKeyType is a unique key type used in resolver
- // attributes to indicate whether the health listener usage is enabled.
- enableHealthListenerKeyType struct{}
- // managedByPickfirstKeyType is an attribute key type to inform Outlier
- // Detection that the generic health listener is being used.
- // TODO: https://github.com/grpc/grpc-go/issues/7915 - Remove this when
- // implementing the dualstack design. This is a hack. Once Dualstack is
- // completed, outlier detection will stop sending ejection updates through
- // the connectivity listener.
- managedByPickfirstKeyType struct{}
-)
-
-var (
- logger = grpclog.Component("pick-first-leaf-lb")
- // Name is the name of the pick_first_leaf balancer.
- // It is changed to "pick_first" in init() if this balancer is to be
- // registered as the default pickfirst.
- Name = "pick_first_leaf"
- disconnectionsMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
- Name: "grpc.lb.pick_first.disconnections",
- Description: "EXPERIMENTAL. Number of times the selected subchannel becomes disconnected.",
- Unit: "disconnection",
- Labels: []string{"grpc.target"},
- Default: false,
- })
- connectionAttemptsSucceededMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
- Name: "grpc.lb.pick_first.connection_attempts_succeeded",
- Description: "EXPERIMENTAL. Number of successful connection attempts.",
- Unit: "attempt",
- Labels: []string{"grpc.target"},
- Default: false,
- })
- connectionAttemptsFailedMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
- Name: "grpc.lb.pick_first.connection_attempts_failed",
- Description: "EXPERIMENTAL. Number of failed connection attempts.",
- Unit: "attempt",
- Labels: []string{"grpc.target"},
- Default: false,
- })
-)
-
-const (
- // TODO: change to pick-first when this becomes the default pick_first policy.
- logPrefix = "[pick-first-leaf-lb %p] "
- // connectionDelayInterval is the time to wait for during the happy eyeballs
- // pass before starting the next connection attempt.
- connectionDelayInterval = 250 * time.Millisecond
-)
-
-type ipAddrFamily int
-
-const (
- // ipAddrFamilyUnknown represents strings that can't be parsed as an IP
- // address.
- ipAddrFamilyUnknown ipAddrFamily = iota
- ipAddrFamilyV4
- ipAddrFamilyV6
-)
-
-type pickfirstBuilder struct{}
-
-func (pickfirstBuilder) Build(cc balancer.ClientConn, bo balancer.BuildOptions) balancer.Balancer {
- b := &pickfirstBalancer{
- cc: cc,
- target: bo.Target.String(),
- metricsRecorder: cc.MetricsRecorder(),
-
- subConns: resolver.NewAddressMapV2[*scData](),
- state: connectivity.Connecting,
- cancelConnectionTimer: func() {},
- }
- b.logger = internalgrpclog.NewPrefixLogger(logger, fmt.Sprintf(logPrefix, b))
- return b
-}
-
-func (b pickfirstBuilder) Name() string {
- return Name
-}
-
-func (pickfirstBuilder) ParseConfig(js json.RawMessage) (serviceconfig.LoadBalancingConfig, error) {
- var cfg pfConfig
- if err := json.Unmarshal(js, &cfg); err != nil {
- return nil, fmt.Errorf("pickfirst: unable to unmarshal LB policy config: %s, error: %v", string(js), err)
- }
- return cfg, nil
-}
-
-// EnableHealthListener updates the state to configure pickfirst for using a
-// generic health listener.
-func EnableHealthListener(state resolver.State) resolver.State {
- state.Attributes = state.Attributes.WithValue(enableHealthListenerKeyType{}, true)
- return state
-}
-
-// IsManagedByPickfirst returns whether an address belongs to a SubConn
-// managed by the pickfirst LB policy.
-// TODO: https://github.com/grpc/grpc-go/issues/7915 - This is a hack to disable
-// outlier_detection via the with connectivity listener when using pick_first.
-// Once Dualstack changes are complete, all SubConns will be created by
-// pick_first and outlier detection will only use the health listener for
-// ejection. This hack can then be removed.
-func IsManagedByPickfirst(addr resolver.Address) bool {
- return addr.BalancerAttributes.Value(managedByPickfirstKeyType{}) != nil
-}
-
-type pfConfig struct {
- serviceconfig.LoadBalancingConfig `json:"-"`
-
- // If set to true, instructs the LB policy to shuffle the order of the list
- // of endpoints received from the name resolver before attempting to
- // connect to them.
- ShuffleAddressList bool `json:"shuffleAddressList"`
-}
-
-// scData keeps track of the current state of the subConn.
-// It is not safe for concurrent access.
-type scData struct {
- // The following fields are initialized at build time and read-only after
- // that.
- subConn balancer.SubConn
- addr resolver.Address
-
- rawConnectivityState connectivity.State
- // The effective connectivity state based on raw connectivity, health state
- // and after following sticky TransientFailure behaviour defined in A62.
- effectiveState connectivity.State
- lastErr error
- connectionFailedInFirstPass bool
-}
-
-func (b *pickfirstBalancer) newSCData(addr resolver.Address) (*scData, error) {
- addr.BalancerAttributes = addr.BalancerAttributes.WithValue(managedByPickfirstKeyType{}, true)
- sd := &scData{
- rawConnectivityState: connectivity.Idle,
- effectiveState: connectivity.Idle,
- addr: addr,
- }
- sc, err := b.cc.NewSubConn([]resolver.Address{addr}, balancer.NewSubConnOptions{
- StateListener: func(state balancer.SubConnState) {
- b.updateSubConnState(sd, state)
- },
- })
- if err != nil {
- return nil, err
- }
- sd.subConn = sc
- return sd, nil
-}
-
-type pickfirstBalancer struct {
- // The following fields are initialized at build time and read-only after
- // that and therefore do not need to be guarded by a mutex.
- logger *internalgrpclog.PrefixLogger
- cc balancer.ClientConn
- target string
- metricsRecorder expstats.MetricsRecorder // guaranteed to be non nil
-
- // The mutex is used to ensure synchronization of updates triggered
- // from the idle picker and the already serialized resolver,
- // SubConn state updates.
- mu sync.Mutex
- // State reported to the channel based on SubConn states and resolver
- // updates.
- state connectivity.State
- // scData for active subonns mapped by address.
- subConns *resolver.AddressMapV2[*scData]
- addressList addressList
- firstPass bool
- numTF int
- cancelConnectionTimer func()
- healthCheckingEnabled bool
-}
-
-// ResolverError is called by the ClientConn when the name resolver produces
-// an error or when pickfirst determined the resolver update to be invalid.
-func (b *pickfirstBalancer) ResolverError(err error) {
- b.mu.Lock()
- defer b.mu.Unlock()
- b.resolverErrorLocked(err)
-}
-
-func (b *pickfirstBalancer) resolverErrorLocked(err error) {
- if b.logger.V(2) {
- b.logger.Infof("Received error from the name resolver: %v", err)
- }
-
- // The picker will not change since the balancer does not currently
- // report an error. If the balancer hasn't received a single good resolver
- // update yet, transition to TRANSIENT_FAILURE.
- if b.state != connectivity.TransientFailure && b.addressList.size() > 0 {
- if b.logger.V(2) {
- b.logger.Infof("Ignoring resolver error because balancer is using a previous good update.")
- }
- return
- }
-
- b.updateBalancerState(balancer.State{
- ConnectivityState: connectivity.TransientFailure,
- Picker: &picker{err: fmt.Errorf("name resolver error: %v", err)},
- })
-}
-
-func (b *pickfirstBalancer) UpdateClientConnState(state balancer.ClientConnState) error {
- b.mu.Lock()
- defer b.mu.Unlock()
- b.cancelConnectionTimer()
- if len(state.ResolverState.Addresses) == 0 && len(state.ResolverState.Endpoints) == 0 {
- // Cleanup state pertaining to the previous resolver state.
- // Treat an empty address list like an error by calling b.ResolverError.
- b.closeSubConnsLocked()
- b.addressList.updateAddrs(nil)
- b.resolverErrorLocked(errors.New("produced zero addresses"))
- return balancer.ErrBadResolverState
- }
- b.healthCheckingEnabled = state.ResolverState.Attributes.Value(enableHealthListenerKeyType{}) != nil
- cfg, ok := state.BalancerConfig.(pfConfig)
- if state.BalancerConfig != nil && !ok {
- return fmt.Errorf("pickfirst: received illegal BalancerConfig (type %T): %v: %w", state.BalancerConfig, state.BalancerConfig, balancer.ErrBadResolverState)
- }
-
- if b.logger.V(2) {
- b.logger.Infof("Received new config %s, resolver state %s", pretty.ToJSON(cfg), pretty.ToJSON(state.ResolverState))
- }
-
- var newAddrs []resolver.Address
- if endpoints := state.ResolverState.Endpoints; len(endpoints) != 0 {
- // Perform the optional shuffling described in gRFC A62. The shuffling
- // will change the order of endpoints but not touch the order of the
- // addresses within each endpoint. - A61
- if cfg.ShuffleAddressList {
- endpoints = append([]resolver.Endpoint{}, endpoints...)
- internal.RandShuffle(len(endpoints), func(i, j int) { endpoints[i], endpoints[j] = endpoints[j], endpoints[i] })
- }
-
- // "Flatten the list by concatenating the ordered list of addresses for
- // each of the endpoints, in order." - A61
- for _, endpoint := range endpoints {
- newAddrs = append(newAddrs, endpoint.Addresses...)
- }
- } else {
- // Endpoints not set, process addresses until we migrate resolver
- // emissions fully to Endpoints. The top channel does wrap emitted
- // addresses with endpoints, however some balancers such as weighted
- // target do not forward the corresponding correct endpoints down/split
- // endpoints properly. Once all balancers correctly forward endpoints
- // down, can delete this else conditional.
- newAddrs = state.ResolverState.Addresses
- if cfg.ShuffleAddressList {
- newAddrs = append([]resolver.Address{}, newAddrs...)
- internal.RandShuffle(len(endpoints), func(i, j int) { endpoints[i], endpoints[j] = endpoints[j], endpoints[i] })
- }
- }
-
- // If an address appears in multiple endpoints or in the same endpoint
- // multiple times, we keep it only once. We will create only one SubConn
- // for the address because an AddressMap is used to store SubConns.
- // Not de-duplicating would result in attempting to connect to the same
- // SubConn multiple times in the same pass. We don't want this.
- newAddrs = deDupAddresses(newAddrs)
- newAddrs = interleaveAddresses(newAddrs)
-
- prevAddr := b.addressList.currentAddress()
- prevSCData, found := b.subConns.Get(prevAddr)
- prevAddrsCount := b.addressList.size()
- isPrevRawConnectivityStateReady := found && prevSCData.rawConnectivityState == connectivity.Ready
- b.addressList.updateAddrs(newAddrs)
-
- // If the previous ready SubConn exists in new address list,
- // keep this connection and don't create new SubConns.
- if isPrevRawConnectivityStateReady && b.addressList.seekTo(prevAddr) {
- return nil
- }
-
- b.reconcileSubConnsLocked(newAddrs)
- // If it's the first resolver update or the balancer was already READY
- // (but the new address list does not contain the ready SubConn) or
- // CONNECTING, enter CONNECTING.
- // We may be in TRANSIENT_FAILURE due to a previous empty address list,
- // we should still enter CONNECTING because the sticky TF behaviour
- // mentioned in A62 applies only when the TRANSIENT_FAILURE is reported
- // due to connectivity failures.
- if isPrevRawConnectivityStateReady || b.state == connectivity.Connecting || prevAddrsCount == 0 {
- // Start connection attempt at first address.
- b.forceUpdateConcludedStateLocked(balancer.State{
- ConnectivityState: connectivity.Connecting,
- Picker: &picker{err: balancer.ErrNoSubConnAvailable},
- })
- b.startFirstPassLocked()
- } else if b.state == connectivity.TransientFailure {
- // If we're in TRANSIENT_FAILURE, we stay in TRANSIENT_FAILURE until
- // we're READY. See A62.
- b.startFirstPassLocked()
- }
- return nil
-}
-
-// UpdateSubConnState is unused as a StateListener is always registered when
-// creating SubConns.
-func (b *pickfirstBalancer) UpdateSubConnState(subConn balancer.SubConn, state balancer.SubConnState) {
- b.logger.Errorf("UpdateSubConnState(%v, %+v) called unexpectedly", subConn, state)
-}
-
-func (b *pickfirstBalancer) Close() {
- b.mu.Lock()
- defer b.mu.Unlock()
- b.closeSubConnsLocked()
- b.cancelConnectionTimer()
- b.state = connectivity.Shutdown
-}
-
-// ExitIdle moves the balancer out of idle state. It can be called concurrently
-// by the idlePicker and clientConn so access to variables should be
-// synchronized.
-func (b *pickfirstBalancer) ExitIdle() {
- b.mu.Lock()
- defer b.mu.Unlock()
- if b.state == connectivity.Idle {
- b.startFirstPassLocked()
- }
-}
-
-func (b *pickfirstBalancer) startFirstPassLocked() {
- b.firstPass = true
- b.numTF = 0
- // Reset the connection attempt record for existing SubConns.
- for _, sd := range b.subConns.Values() {
- sd.connectionFailedInFirstPass = false
- }
- b.requestConnectionLocked()
-}
-
-func (b *pickfirstBalancer) closeSubConnsLocked() {
- for _, sd := range b.subConns.Values() {
- sd.subConn.Shutdown()
- }
- b.subConns = resolver.NewAddressMapV2[*scData]()
-}
-
-// deDupAddresses ensures that each address appears only once in the slice.
-func deDupAddresses(addrs []resolver.Address) []resolver.Address {
- seenAddrs := resolver.NewAddressMapV2[*scData]()
- retAddrs := []resolver.Address{}
-
- for _, addr := range addrs {
- if _, ok := seenAddrs.Get(addr); ok {
- continue
- }
- retAddrs = append(retAddrs, addr)
- }
- return retAddrs
-}
-
-// interleaveAddresses interleaves addresses of both families (IPv4 and IPv6)
-// as per RFC-8305 section 4.
-// Whichever address family is first in the list is followed by an address of
-// the other address family; that is, if the first address in the list is IPv6,
-// then the first IPv4 address should be moved up in the list to be second in
-// the list. It doesn't support configuring "First Address Family Count", i.e.
-// there will always be a single member of the first address family at the
-// beginning of the interleaved list.
-// Addresses that are neither IPv4 nor IPv6 are treated as part of a third
-// "unknown" family for interleaving.
-// See: https://datatracker.ietf.org/doc/html/rfc8305#autoid-6
-func interleaveAddresses(addrs []resolver.Address) []resolver.Address {
- familyAddrsMap := map[ipAddrFamily][]resolver.Address{}
- interleavingOrder := []ipAddrFamily{}
- for _, addr := range addrs {
- family := addressFamily(addr.Addr)
- if _, found := familyAddrsMap[family]; !found {
- interleavingOrder = append(interleavingOrder, family)
- }
- familyAddrsMap[family] = append(familyAddrsMap[family], addr)
- }
-
- interleavedAddrs := make([]resolver.Address, 0, len(addrs))
-
- for curFamilyIdx := 0; len(interleavedAddrs) < len(addrs); curFamilyIdx = (curFamilyIdx + 1) % len(interleavingOrder) {
- // Some IP types may have fewer addresses than others, so we look for
- // the next type that has a remaining member to add to the interleaved
- // list.
- family := interleavingOrder[curFamilyIdx]
- remainingMembers := familyAddrsMap[family]
- if len(remainingMembers) > 0 {
- interleavedAddrs = append(interleavedAddrs, remainingMembers[0])
- familyAddrsMap[family] = remainingMembers[1:]
- }
- }
-
- return interleavedAddrs
-}
-
-// addressFamily returns the ipAddrFamily after parsing the address string.
-// If the address isn't of the format "ip-address:port", it returns
-// ipAddrFamilyUnknown. The address may be valid even if it's not an IP when
-// using a resolver like passthrough where the address may be a hostname in
-// some format that the dialer can resolve.
-func addressFamily(address string) ipAddrFamily {
- // Parse the IP after removing the port.
- host, _, err := net.SplitHostPort(address)
- if err != nil {
- return ipAddrFamilyUnknown
- }
- ip, err := netip.ParseAddr(host)
- if err != nil {
- return ipAddrFamilyUnknown
- }
- switch {
- case ip.Is4() || ip.Is4In6():
- return ipAddrFamilyV4
- case ip.Is6():
- return ipAddrFamilyV6
- default:
- return ipAddrFamilyUnknown
- }
-}
-
-// reconcileSubConnsLocked updates the active subchannels based on a new address
-// list from the resolver. It does this by:
-// - closing subchannels: any existing subchannels associated with addresses
-// that are no longer in the updated list are shut down.
-// - removing subchannels: entries for these closed subchannels are removed
-// from the subchannel map.
-//
-// This ensures that the subchannel map accurately reflects the current set of
-// addresses received from the name resolver.
-func (b *pickfirstBalancer) reconcileSubConnsLocked(newAddrs []resolver.Address) {
- newAddrsMap := resolver.NewAddressMapV2[bool]()
- for _, addr := range newAddrs {
- newAddrsMap.Set(addr, true)
- }
-
- for _, oldAddr := range b.subConns.Keys() {
- if _, ok := newAddrsMap.Get(oldAddr); ok {
- continue
- }
- val, _ := b.subConns.Get(oldAddr)
- val.subConn.Shutdown()
- b.subConns.Delete(oldAddr)
- }
-}
-
-// shutdownRemainingLocked shuts down remaining subConns. Called when a subConn
-// becomes ready, which means that all other subConn must be shutdown.
-func (b *pickfirstBalancer) shutdownRemainingLocked(selected *scData) {
- b.cancelConnectionTimer()
- for _, sd := range b.subConns.Values() {
- if sd.subConn != selected.subConn {
- sd.subConn.Shutdown()
- }
- }
- b.subConns = resolver.NewAddressMapV2[*scData]()
- b.subConns.Set(selected.addr, selected)
-}
-
-// requestConnectionLocked starts connecting on the subchannel corresponding to
-// the current address. If no subchannel exists, one is created. If the current
-// subchannel is in TransientFailure, a connection to the next address is
-// attempted until a subchannel is found.
-func (b *pickfirstBalancer) requestConnectionLocked() {
- if !b.addressList.isValid() {
- return
- }
- var lastErr error
- for valid := true; valid; valid = b.addressList.increment() {
- curAddr := b.addressList.currentAddress()
- sd, ok := b.subConns.Get(curAddr)
- if !ok {
- var err error
- // We want to assign the new scData to sd from the outer scope,
- // hence we can't use := below.
- sd, err = b.newSCData(curAddr)
- if err != nil {
- // This should never happen, unless the clientConn is being shut
- // down.
- if b.logger.V(2) {
- b.logger.Infof("Failed to create a subConn for address %v: %v", curAddr.String(), err)
- }
- // Do nothing, the LB policy will be closed soon.
- return
- }
- b.subConns.Set(curAddr, sd)
- }
-
- switch sd.rawConnectivityState {
- case connectivity.Idle:
- sd.subConn.Connect()
- b.scheduleNextConnectionLocked()
- return
- case connectivity.TransientFailure:
- // The SubConn is being re-used and failed during a previous pass
- // over the addressList. It has not completed backoff yet.
- // Mark it as having failed and try the next address.
- sd.connectionFailedInFirstPass = true
- lastErr = sd.lastErr
- continue
- case connectivity.Connecting:
- // Wait for the connection attempt to complete or the timer to fire
- // before attempting the next address.
- b.scheduleNextConnectionLocked()
- return
- default:
- b.logger.Errorf("SubConn with unexpected state %v present in SubConns map.", sd.rawConnectivityState)
- return
-
- }
- }
-
- // All the remaining addresses in the list are in TRANSIENT_FAILURE, end the
- // first pass if possible.
- b.endFirstPassIfPossibleLocked(lastErr)
-}
-
-func (b *pickfirstBalancer) scheduleNextConnectionLocked() {
- b.cancelConnectionTimer()
- if !b.addressList.hasNext() {
- return
- }
- curAddr := b.addressList.currentAddress()
- cancelled := false // Access to this is protected by the balancer's mutex.
- closeFn := internal.TimeAfterFunc(connectionDelayInterval, func() {
- b.mu.Lock()
- defer b.mu.Unlock()
- // If the scheduled task is cancelled while acquiring the mutex, return.
- if cancelled {
- return
- }
- if b.logger.V(2) {
- b.logger.Infof("Happy Eyeballs timer expired while waiting for connection to %q.", curAddr.Addr)
- }
- if b.addressList.increment() {
- b.requestConnectionLocked()
- }
- })
- // Access to the cancellation callback held by the balancer is guarded by
- // the balancer's mutex, so it's safe to set the boolean from the callback.
- b.cancelConnectionTimer = sync.OnceFunc(func() {
- cancelled = true
- closeFn()
- })
-}
-
-func (b *pickfirstBalancer) updateSubConnState(sd *scData, newState balancer.SubConnState) {
- b.mu.Lock()
- defer b.mu.Unlock()
- oldState := sd.rawConnectivityState
- sd.rawConnectivityState = newState.ConnectivityState
- // Previously relevant SubConns can still callback with state updates.
- // To prevent pickers from returning these obsolete SubConns, this logic
- // is included to check if the current list of active SubConns includes this
- // SubConn.
- if !b.isActiveSCData(sd) {
- return
- }
- if newState.ConnectivityState == connectivity.Shutdown {
- sd.effectiveState = connectivity.Shutdown
- return
- }
-
- // Record a connection attempt when exiting CONNECTING.
- if newState.ConnectivityState == connectivity.TransientFailure {
- sd.connectionFailedInFirstPass = true
- connectionAttemptsFailedMetric.Record(b.metricsRecorder, 1, b.target)
- }
-
- if newState.ConnectivityState == connectivity.Ready {
- connectionAttemptsSucceededMetric.Record(b.metricsRecorder, 1, b.target)
- b.shutdownRemainingLocked(sd)
- if !b.addressList.seekTo(sd.addr) {
- // This should not fail as we should have only one SubConn after
- // entering READY. The SubConn should be present in the addressList.
- b.logger.Errorf("Address %q not found address list in %v", sd.addr, b.addressList.addresses)
- return
- }
- if !b.healthCheckingEnabled {
- if b.logger.V(2) {
- b.logger.Infof("SubConn %p reported connectivity state READY and the health listener is disabled. Transitioning SubConn to READY.", sd.subConn)
- }
-
- sd.effectiveState = connectivity.Ready
- b.updateBalancerState(balancer.State{
- ConnectivityState: connectivity.Ready,
- Picker: &picker{result: balancer.PickResult{SubConn: sd.subConn}},
- })
- return
- }
- if b.logger.V(2) {
- b.logger.Infof("SubConn %p reported connectivity state READY. Registering health listener.", sd.subConn)
- }
- // Send a CONNECTING update to take the SubConn out of sticky-TF if
- // required.
- sd.effectiveState = connectivity.Connecting
- b.updateBalancerState(balancer.State{
- ConnectivityState: connectivity.Connecting,
- Picker: &picker{err: balancer.ErrNoSubConnAvailable},
- })
- sd.subConn.RegisterHealthListener(func(scs balancer.SubConnState) {
- b.updateSubConnHealthState(sd, scs)
- })
- return
- }
-
- // If the LB policy is READY, and it receives a subchannel state change,
- // it means that the READY subchannel has failed.
- // A SubConn can also transition from CONNECTING directly to IDLE when
- // a transport is successfully created, but the connection fails
- // before the SubConn can send the notification for READY. We treat
- // this as a successful connection and transition to IDLE.
- // TODO: https://github.com/grpc/grpc-go/issues/7862 - Remove the second
- // part of the if condition below once the issue is fixed.
- if oldState == connectivity.Ready || (oldState == connectivity.Connecting && newState.ConnectivityState == connectivity.Idle) {
- // Once a transport fails, the balancer enters IDLE and starts from
- // the first address when the picker is used.
- b.shutdownRemainingLocked(sd)
- sd.effectiveState = newState.ConnectivityState
- // READY SubConn interspliced in between CONNECTING and IDLE, need to
- // account for that.
- if oldState == connectivity.Connecting {
- // A known issue (https://github.com/grpc/grpc-go/issues/7862)
- // causes a race that prevents the READY state change notification.
- // This works around it.
- connectionAttemptsSucceededMetric.Record(b.metricsRecorder, 1, b.target)
- }
- disconnectionsMetric.Record(b.metricsRecorder, 1, b.target)
- b.addressList.reset()
- b.updateBalancerState(balancer.State{
- ConnectivityState: connectivity.Idle,
- Picker: &idlePicker{exitIdle: sync.OnceFunc(b.ExitIdle)},
- })
- return
- }
-
- if b.firstPass {
- switch newState.ConnectivityState {
- case connectivity.Connecting:
- // The effective state can be in either IDLE, CONNECTING or
- // TRANSIENT_FAILURE. If it's TRANSIENT_FAILURE, stay in
- // TRANSIENT_FAILURE until it's READY. See A62.
- if sd.effectiveState != connectivity.TransientFailure {
- sd.effectiveState = connectivity.Connecting
- b.updateBalancerState(balancer.State{
- ConnectivityState: connectivity.Connecting,
- Picker: &picker{err: balancer.ErrNoSubConnAvailable},
- })
- }
- case connectivity.TransientFailure:
- sd.lastErr = newState.ConnectionError
- sd.effectiveState = connectivity.TransientFailure
- // Since we're re-using common SubConns while handling resolver
- // updates, we could receive an out of turn TRANSIENT_FAILURE from
- // a pass over the previous address list. Happy Eyeballs will also
- // cause out of order updates to arrive.
-
- if curAddr := b.addressList.currentAddress(); equalAddressIgnoringBalAttributes(&curAddr, &sd.addr) {
- b.cancelConnectionTimer()
- if b.addressList.increment() {
- b.requestConnectionLocked()
- return
- }
- }
-
- // End the first pass if we've seen a TRANSIENT_FAILURE from all
- // SubConns once.
- b.endFirstPassIfPossibleLocked(newState.ConnectionError)
- }
- return
- }
-
- // We have finished the first pass, keep re-connecting failing SubConns.
- switch newState.ConnectivityState {
- case connectivity.TransientFailure:
- b.numTF = (b.numTF + 1) % b.subConns.Len()
- sd.lastErr = newState.ConnectionError
- if b.numTF%b.subConns.Len() == 0 {
- b.updateBalancerState(balancer.State{
- ConnectivityState: connectivity.TransientFailure,
- Picker: &picker{err: newState.ConnectionError},
- })
- }
- // We don't need to request re-resolution since the SubConn already
- // does that before reporting TRANSIENT_FAILURE.
- // TODO: #7534 - Move re-resolution requests from SubConn into
- // pick_first.
- case connectivity.Idle:
- sd.subConn.Connect()
- }
-}
-
-// endFirstPassIfPossibleLocked ends the first happy-eyeballs pass if all the
-// addresses are tried and their SubConns have reported a failure.
-func (b *pickfirstBalancer) endFirstPassIfPossibleLocked(lastErr error) {
- // An optimization to avoid iterating over the entire SubConn map.
- if b.addressList.isValid() {
- return
- }
- // Connect() has been called on all the SubConns. The first pass can be
- // ended if all the SubConns have reported a failure.
- for _, sd := range b.subConns.Values() {
- if !sd.connectionFailedInFirstPass {
- return
- }
- }
- b.firstPass = false
- b.updateBalancerState(balancer.State{
- ConnectivityState: connectivity.TransientFailure,
- Picker: &picker{err: lastErr},
- })
- // Start re-connecting all the SubConns that are already in IDLE.
- for _, sd := range b.subConns.Values() {
- if sd.rawConnectivityState == connectivity.Idle {
- sd.subConn.Connect()
- }
- }
-}
-
-func (b *pickfirstBalancer) isActiveSCData(sd *scData) bool {
- activeSD, found := b.subConns.Get(sd.addr)
- return found && activeSD == sd
-}
-
-func (b *pickfirstBalancer) updateSubConnHealthState(sd *scData, state balancer.SubConnState) {
- b.mu.Lock()
- defer b.mu.Unlock()
- // Previously relevant SubConns can still callback with state updates.
- // To prevent pickers from returning these obsolete SubConns, this logic
- // is included to check if the current list of active SubConns includes
- // this SubConn.
- if !b.isActiveSCData(sd) {
- return
- }
- sd.effectiveState = state.ConnectivityState
- switch state.ConnectivityState {
- case connectivity.Ready:
- b.updateBalancerState(balancer.State{
- ConnectivityState: connectivity.Ready,
- Picker: &picker{result: balancer.PickResult{SubConn: sd.subConn}},
- })
- case connectivity.TransientFailure:
- b.updateBalancerState(balancer.State{
- ConnectivityState: connectivity.TransientFailure,
- Picker: &picker{err: fmt.Errorf("pickfirst: health check failure: %v", state.ConnectionError)},
- })
- case connectivity.Connecting:
- b.updateBalancerState(balancer.State{
- ConnectivityState: connectivity.Connecting,
- Picker: &picker{err: balancer.ErrNoSubConnAvailable},
- })
- default:
- b.logger.Errorf("Got unexpected health update for SubConn %p: %v", state)
- }
-}
-
-// updateBalancerState stores the state reported to the channel and calls
-// ClientConn.UpdateState(). As an optimization, it avoids sending duplicate
-// updates to the channel.
-func (b *pickfirstBalancer) updateBalancerState(newState balancer.State) {
- // In case of TransientFailures allow the picker to be updated to update
- // the connectivity error, in all other cases don't send duplicate state
- // updates.
- if newState.ConnectivityState == b.state && b.state != connectivity.TransientFailure {
- return
- }
- b.forceUpdateConcludedStateLocked(newState)
-}
-
-// forceUpdateConcludedStateLocked stores the state reported to the channel and
-// calls ClientConn.UpdateState().
-// A separate function is defined to force update the ClientConn state since the
-// channel doesn't correctly assume that LB policies start in CONNECTING and
-// relies on LB policy to send an initial CONNECTING update.
-func (b *pickfirstBalancer) forceUpdateConcludedStateLocked(newState balancer.State) {
- b.state = newState.ConnectivityState
- b.cc.UpdateState(newState)
-}
-
-type picker struct {
- result balancer.PickResult
- err error
-}
-
-func (p *picker) Pick(balancer.PickInfo) (balancer.PickResult, error) {
- return p.result, p.err
-}
-
-// idlePicker is used when the SubConn is IDLE and kicks the SubConn into
-// CONNECTING when Pick is called.
-type idlePicker struct {
- exitIdle func()
-}
-
-func (i *idlePicker) Pick(balancer.PickInfo) (balancer.PickResult, error) {
- i.exitIdle()
- return balancer.PickResult{}, balancer.ErrNoSubConnAvailable
-}
-
-// addressList manages sequentially iterating over addresses present in a list
-// of endpoints. It provides a 1 dimensional view of the addresses present in
-// the endpoints.
-// This type is not safe for concurrent access.
-type addressList struct {
- addresses []resolver.Address
- idx int
-}
-
-func (al *addressList) isValid() bool {
- return al.idx < len(al.addresses)
-}
-
-func (al *addressList) size() int {
- return len(al.addresses)
-}
-
-// increment moves to the next index in the address list.
-// This method returns false if it went off the list, true otherwise.
-func (al *addressList) increment() bool {
- if !al.isValid() {
- return false
- }
- al.idx++
- return al.idx < len(al.addresses)
-}
-
-// currentAddress returns the current address pointed to in the addressList.
-// If the list is in an invalid state, it returns an empty address instead.
-func (al *addressList) currentAddress() resolver.Address {
- if !al.isValid() {
- return resolver.Address{}
- }
- return al.addresses[al.idx]
-}
-
-func (al *addressList) reset() {
- al.idx = 0
-}
-
-func (al *addressList) updateAddrs(addrs []resolver.Address) {
- al.addresses = addrs
- al.reset()
-}
-
-// seekTo returns false if the needle was not found and the current index was
-// left unchanged.
-func (al *addressList) seekTo(needle resolver.Address) bool {
- for ai, addr := range al.addresses {
- if !equalAddressIgnoringBalAttributes(&addr, &needle) {
- continue
- }
- al.idx = ai
- return true
- }
- return false
-}
-
-// hasNext returns whether incrementing the addressList will result in moving
-// past the end of the list. If the list has already moved past the end, it
-// returns false.
-func (al *addressList) hasNext() bool {
- if !al.isValid() {
- return false
- }
- return al.idx+1 < len(al.addresses)
-}
-
-// equalAddressIgnoringBalAttributes returns true is a and b are considered
-// equal. This is different from the Equal method on the resolver.Address type
-// which considers all fields to determine equality. Here, we only consider
-// fields that are meaningful to the SubConn.
-func equalAddressIgnoringBalAttributes(a, b *resolver.Address) bool {
- return a.Addr == b.Addr && a.ServerName == b.ServerName &&
- a.Attributes.Equal(b.Attributes)
-}
diff --git a/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go b/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go
index 35da5d1ec9..22e6e32679 100644
--- a/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go
+++ b/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go
@@ -26,7 +26,7 @@ import (
"google.golang.org/grpc/balancer"
"google.golang.org/grpc/balancer/endpointsharding"
- "google.golang.org/grpc/balancer/pickfirst/pickfirstleaf"
+ "google.golang.org/grpc/balancer/pickfirst"
"google.golang.org/grpc/grpclog"
internalgrpclog "google.golang.org/grpc/internal/grpclog"
)
@@ -47,7 +47,7 @@ func (bb builder) Name() string {
}
func (bb builder) Build(cc balancer.ClientConn, opts balancer.BuildOptions) balancer.Balancer {
- childBuilder := balancer.Get(pickfirstleaf.Name).Build
+ childBuilder := balancer.Get(pickfirst.Name).Build
bal := &rrBalancer{
cc: cc,
Balancer: endpointsharding.NewBalancer(cc, opts, childBuilder, endpointsharding.Options{}),
@@ -67,13 +67,6 @@ func (b *rrBalancer) UpdateClientConnState(ccs balancer.ClientConnState) error {
return b.Balancer.UpdateClientConnState(balancer.ClientConnState{
// Enable the health listener in pickfirst children for client side health
// checks and outlier detection, if configured.
- ResolverState: pickfirstleaf.EnableHealthListener(ccs.ResolverState),
+ ResolverState: pickfirst.EnableHealthListener(ccs.ResolverState),
})
}
-
-func (b *rrBalancer) ExitIdle() {
- // Should always be ok, as child is endpoint sharding.
- if ei, ok := b.Balancer.(balancer.ExitIdler); ok {
- ei.ExitIdle()
- }
-}
diff --git a/vendor/google.golang.org/grpc/balancer_wrapper.go b/vendor/google.golang.org/grpc/balancer_wrapper.go
index 948a21ef68..2c760e623f 100644
--- a/vendor/google.golang.org/grpc/balancer_wrapper.go
+++ b/vendor/google.golang.org/grpc/balancer_wrapper.go
@@ -450,13 +450,14 @@ func (acbw *acBalancerWrapper) healthListenerRegFn() func(context.Context, func(
if acbw.ccb.cc.dopts.disableHealthCheck {
return noOpRegisterHealthListenerFn
}
+ cfg := acbw.ac.cc.healthCheckConfig()
+ if cfg == nil {
+ return noOpRegisterHealthListenerFn
+ }
regHealthLisFn := internal.RegisterClientHealthCheckListener
if regHealthLisFn == nil {
// The health package is not imported.
- return noOpRegisterHealthListenerFn
- }
- cfg := acbw.ac.cc.healthCheckConfig()
- if cfg == nil {
+ channelz.Error(logger, acbw.ac.channelz, "Health check is requested but health package is not imported.")
return noOpRegisterHealthListenerFn
}
return func(ctx context.Context, listener func(balancer.SubConnState)) func() {
diff --git a/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go b/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
index 825c31795f..42c61cf9fe 100644
--- a/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
+++ b/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
@@ -18,7 +18,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
-// protoc-gen-go v1.36.5
+// protoc-gen-go v1.36.10
// protoc v5.27.1
// source: grpc/binlog/v1/binarylog.proto
@@ -858,133 +858,68 @@ func (x *Address) GetIpPort() uint32 {
var File_grpc_binlog_v1_binarylog_proto protoreflect.FileDescriptor
-var file_grpc_binlog_v1_binarylog_proto_rawDesc = string([]byte{
- 0x0a, 0x1e, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x62, 0x69, 0x6e, 0x6c, 0x6f, 0x67, 0x2f, 0x76, 0x31,
- 0x2f, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
- 0x12, 0x11, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67,
- 0x2e, 0x76, 0x31, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74,
- 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72,
- 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74,
- 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70,
- 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xbb, 0x07, 0x0a, 0x0c, 0x47, 0x72, 0x70, 0x63, 0x4c, 0x6f, 0x67,
- 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x38, 0x0a, 0x09, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61,
- 0x6d, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
- 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73,
- 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12,
- 0x17, 0x0a, 0x07, 0x63, 0x61, 0x6c, 0x6c, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x04,
- 0x52, 0x06, 0x63, 0x61, 0x6c, 0x6c, 0x49, 0x64, 0x12, 0x35, 0x0a, 0x17, 0x73, 0x65, 0x71, 0x75,
- 0x65, 0x6e, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x5f, 0x77, 0x69, 0x74, 0x68, 0x69, 0x6e, 0x5f, 0x63,
- 0x61, 0x6c, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x04, 0x52, 0x14, 0x73, 0x65, 0x71, 0x75, 0x65,
- 0x6e, 0x63, 0x65, 0x49, 0x64, 0x57, 0x69, 0x74, 0x68, 0x69, 0x6e, 0x43, 0x61, 0x6c, 0x6c, 0x12,
- 0x3d, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x29, 0x2e,
- 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76,
- 0x31, 0x2e, 0x47, 0x72, 0x70, 0x63, 0x4c, 0x6f, 0x67, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x2e, 0x45,
- 0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x3e,
- 0x0a, 0x06, 0x6c, 0x6f, 0x67, 0x67, 0x65, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x26,
- 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e,
- 0x76, 0x31, 0x2e, 0x47, 0x72, 0x70, 0x63, 0x4c, 0x6f, 0x67, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x2e,
- 0x4c, 0x6f, 0x67, 0x67, 0x65, 0x72, 0x52, 0x06, 0x6c, 0x6f, 0x67, 0x67, 0x65, 0x72, 0x12, 0x46,
- 0x0a, 0x0d, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18,
- 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e,
- 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74,
- 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x48, 0x00, 0x52, 0x0c, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74,
- 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x46, 0x0a, 0x0d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72,
- 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e,
- 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76,
- 0x31, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x48, 0x00,
- 0x52, 0x0c, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x36,
- 0x0a, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32,
- 0x1a, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67,
- 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x48, 0x00, 0x52, 0x07, 0x6d,
- 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x36, 0x0a, 0x07, 0x74, 0x72, 0x61, 0x69, 0x6c, 0x65,
- 0x72, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62,
- 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x69,
- 0x6c, 0x65, 0x72, 0x48, 0x00, 0x52, 0x07, 0x74, 0x72, 0x61, 0x69, 0x6c, 0x65, 0x72, 0x12, 0x2b,
- 0x0a, 0x11, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x74, 0x72, 0x75, 0x6e, 0x63, 0x61,
- 0x74, 0x65, 0x64, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x70, 0x61, 0x79, 0x6c, 0x6f,
- 0x61, 0x64, 0x54, 0x72, 0x75, 0x6e, 0x63, 0x61, 0x74, 0x65, 0x64, 0x12, 0x2e, 0x0a, 0x04, 0x70,
- 0x65, 0x65, 0x72, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x72, 0x70, 0x63,
- 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x64,
- 0x64, 0x72, 0x65, 0x73, 0x73, 0x52, 0x04, 0x70, 0x65, 0x65, 0x72, 0x22, 0xf5, 0x01, 0x0a, 0x09,
- 0x45, 0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a, 0x12, 0x45, 0x56, 0x45,
- 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10,
- 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f,
- 0x43, 0x4c, 0x49, 0x45, 0x4e, 0x54, 0x5f, 0x48, 0x45, 0x41, 0x44, 0x45, 0x52, 0x10, 0x01, 0x12,
- 0x1c, 0x0a, 0x18, 0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x45,
- 0x52, 0x56, 0x45, 0x52, 0x5f, 0x48, 0x45, 0x41, 0x44, 0x45, 0x52, 0x10, 0x02, 0x12, 0x1d, 0x0a,
- 0x19, 0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x4c, 0x49, 0x45,
- 0x4e, 0x54, 0x5f, 0x4d, 0x45, 0x53, 0x53, 0x41, 0x47, 0x45, 0x10, 0x03, 0x12, 0x1d, 0x0a, 0x19,
- 0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x45, 0x52, 0x56, 0x45,
- 0x52, 0x5f, 0x4d, 0x45, 0x53, 0x53, 0x41, 0x47, 0x45, 0x10, 0x04, 0x12, 0x20, 0x0a, 0x1c, 0x45,
- 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x4c, 0x49, 0x45, 0x4e, 0x54,
- 0x5f, 0x48, 0x41, 0x4c, 0x46, 0x5f, 0x43, 0x4c, 0x4f, 0x53, 0x45, 0x10, 0x05, 0x12, 0x1d, 0x0a,
- 0x19, 0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x45, 0x52, 0x56,
- 0x45, 0x52, 0x5f, 0x54, 0x52, 0x41, 0x49, 0x4c, 0x45, 0x52, 0x10, 0x06, 0x12, 0x15, 0x0a, 0x11,
- 0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x41, 0x4e, 0x43, 0x45,
- 0x4c, 0x10, 0x07, 0x22, 0x42, 0x0a, 0x06, 0x4c, 0x6f, 0x67, 0x67, 0x65, 0x72, 0x12, 0x12, 0x0a,
- 0x0e, 0x4c, 0x4f, 0x47, 0x47, 0x45, 0x52, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10,
- 0x00, 0x12, 0x11, 0x0a, 0x0d, 0x4c, 0x4f, 0x47, 0x47, 0x45, 0x52, 0x5f, 0x43, 0x4c, 0x49, 0x45,
- 0x4e, 0x54, 0x10, 0x01, 0x12, 0x11, 0x0a, 0x0d, 0x4c, 0x4f, 0x47, 0x47, 0x45, 0x52, 0x5f, 0x53,
- 0x45, 0x52, 0x56, 0x45, 0x52, 0x10, 0x02, 0x42, 0x09, 0x0a, 0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f,
- 0x61, 0x64, 0x22, 0xbb, 0x01, 0x0a, 0x0c, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x48, 0x65, 0x61,
- 0x64, 0x65, 0x72, 0x12, 0x37, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18,
- 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e,
- 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61,
- 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x1f, 0x0a, 0x0b,
- 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
- 0x09, 0x52, 0x0a, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1c, 0x0a,
- 0x09, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09,
- 0x52, 0x09, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x33, 0x0a, 0x07, 0x74,
- 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67,
- 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44,
- 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74,
- 0x22, 0x47, 0x0a, 0x0c, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72,
- 0x12, 0x37, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01,
- 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79,
- 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52,
- 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xb1, 0x01, 0x0a, 0x07, 0x54, 0x72,
- 0x61, 0x69, 0x6c, 0x65, 0x72, 0x12, 0x37, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74,
- 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62,
- 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61,
- 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x1f,
- 0x0a, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x5f, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x02, 0x20,
- 0x01, 0x28, 0x0d, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x43, 0x6f, 0x64, 0x65, 0x12,
- 0x25, 0x0a, 0x0e, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67,
- 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x4d,
- 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x25, 0x0a, 0x0e, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73,
- 0x5f, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0d,
- 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x22, 0x35, 0x0a,
- 0x07, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x65, 0x6e, 0x67,
- 0x74, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68,
- 0x12, 0x12, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04,
- 0x64, 0x61, 0x74, 0x61, 0x22, 0x42, 0x0a, 0x08, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61,
- 0x12, 0x36, 0x0a, 0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32,
- 0x20, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67,
- 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72,
- 0x79, 0x52, 0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x22, 0x37, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61,
- 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79,
- 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76,
- 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75,
- 0x65, 0x22, 0xb8, 0x01, 0x0a, 0x07, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x33, 0x0a,
- 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1f, 0x2e, 0x67, 0x72,
- 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e,
- 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79,
- 0x70, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x02, 0x20,
- 0x01, 0x28, 0x09, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x17, 0x0a, 0x07,
- 0x69, 0x70, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x69,
- 0x70, 0x50, 0x6f, 0x72, 0x74, 0x22, 0x45, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x10, 0x0a,
- 0x0c, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12,
- 0x0d, 0x0a, 0x09, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x49, 0x50, 0x56, 0x34, 0x10, 0x01, 0x12, 0x0d,
- 0x0a, 0x09, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x49, 0x50, 0x56, 0x36, 0x10, 0x02, 0x12, 0x0d, 0x0a,
- 0x09, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x49, 0x58, 0x10, 0x03, 0x42, 0x5c, 0x0a, 0x14,
- 0x69, 0x6f, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f,
- 0x67, 0x2e, 0x76, 0x31, 0x42, 0x0e, 0x42, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x4c, 0x6f, 0x67, 0x50,
- 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x32, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67,
- 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x62,
- 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x5f, 0x62, 0x69,
- 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x5f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
- 0x6f, 0x33,
-})
+const file_grpc_binlog_v1_binarylog_proto_rawDesc = "" +
+ "\n" +
+ "\x1egrpc/binlog/v1/binarylog.proto\x12\x11grpc.binarylog.v1\x1a\x1egoogle/protobuf/duration.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"\xbb\a\n" +
+ "\fGrpcLogEntry\x128\n" +
+ "\ttimestamp\x18\x01 \x01(\v2\x1a.google.protobuf.TimestampR\ttimestamp\x12\x17\n" +
+ "\acall_id\x18\x02 \x01(\x04R\x06callId\x125\n" +
+ "\x17sequence_id_within_call\x18\x03 \x01(\x04R\x14sequenceIdWithinCall\x12=\n" +
+ "\x04type\x18\x04 \x01(\x0e2).grpc.binarylog.v1.GrpcLogEntry.EventTypeR\x04type\x12>\n" +
+ "\x06logger\x18\x05 \x01(\x0e2&.grpc.binarylog.v1.GrpcLogEntry.LoggerR\x06logger\x12F\n" +
+ "\rclient_header\x18\x06 \x01(\v2\x1f.grpc.binarylog.v1.ClientHeaderH\x00R\fclientHeader\x12F\n" +
+ "\rserver_header\x18\a \x01(\v2\x1f.grpc.binarylog.v1.ServerHeaderH\x00R\fserverHeader\x126\n" +
+ "\amessage\x18\b \x01(\v2\x1a.grpc.binarylog.v1.MessageH\x00R\amessage\x126\n" +
+ "\atrailer\x18\t \x01(\v2\x1a.grpc.binarylog.v1.TrailerH\x00R\atrailer\x12+\n" +
+ "\x11payload_truncated\x18\n" +
+ " \x01(\bR\x10payloadTruncated\x12.\n" +
+ "\x04peer\x18\v \x01(\v2\x1a.grpc.binarylog.v1.AddressR\x04peer\"\xf5\x01\n" +
+ "\tEventType\x12\x16\n" +
+ "\x12EVENT_TYPE_UNKNOWN\x10\x00\x12\x1c\n" +
+ "\x18EVENT_TYPE_CLIENT_HEADER\x10\x01\x12\x1c\n" +
+ "\x18EVENT_TYPE_SERVER_HEADER\x10\x02\x12\x1d\n" +
+ "\x19EVENT_TYPE_CLIENT_MESSAGE\x10\x03\x12\x1d\n" +
+ "\x19EVENT_TYPE_SERVER_MESSAGE\x10\x04\x12 \n" +
+ "\x1cEVENT_TYPE_CLIENT_HALF_CLOSE\x10\x05\x12\x1d\n" +
+ "\x19EVENT_TYPE_SERVER_TRAILER\x10\x06\x12\x15\n" +
+ "\x11EVENT_TYPE_CANCEL\x10\a\"B\n" +
+ "\x06Logger\x12\x12\n" +
+ "\x0eLOGGER_UNKNOWN\x10\x00\x12\x11\n" +
+ "\rLOGGER_CLIENT\x10\x01\x12\x11\n" +
+ "\rLOGGER_SERVER\x10\x02B\t\n" +
+ "\apayload\"\xbb\x01\n" +
+ "\fClientHeader\x127\n" +
+ "\bmetadata\x18\x01 \x01(\v2\x1b.grpc.binarylog.v1.MetadataR\bmetadata\x12\x1f\n" +
+ "\vmethod_name\x18\x02 \x01(\tR\n" +
+ "methodName\x12\x1c\n" +
+ "\tauthority\x18\x03 \x01(\tR\tauthority\x123\n" +
+ "\atimeout\x18\x04 \x01(\v2\x19.google.protobuf.DurationR\atimeout\"G\n" +
+ "\fServerHeader\x127\n" +
+ "\bmetadata\x18\x01 \x01(\v2\x1b.grpc.binarylog.v1.MetadataR\bmetadata\"\xb1\x01\n" +
+ "\aTrailer\x127\n" +
+ "\bmetadata\x18\x01 \x01(\v2\x1b.grpc.binarylog.v1.MetadataR\bmetadata\x12\x1f\n" +
+ "\vstatus_code\x18\x02 \x01(\rR\n" +
+ "statusCode\x12%\n" +
+ "\x0estatus_message\x18\x03 \x01(\tR\rstatusMessage\x12%\n" +
+ "\x0estatus_details\x18\x04 \x01(\fR\rstatusDetails\"5\n" +
+ "\aMessage\x12\x16\n" +
+ "\x06length\x18\x01 \x01(\rR\x06length\x12\x12\n" +
+ "\x04data\x18\x02 \x01(\fR\x04data\"B\n" +
+ "\bMetadata\x126\n" +
+ "\x05entry\x18\x01 \x03(\v2 .grpc.binarylog.v1.MetadataEntryR\x05entry\"7\n" +
+ "\rMetadataEntry\x12\x10\n" +
+ "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+ "\x05value\x18\x02 \x01(\fR\x05value\"\xb8\x01\n" +
+ "\aAddress\x123\n" +
+ "\x04type\x18\x01 \x01(\x0e2\x1f.grpc.binarylog.v1.Address.TypeR\x04type\x12\x18\n" +
+ "\aaddress\x18\x02 \x01(\tR\aaddress\x12\x17\n" +
+ "\aip_port\x18\x03 \x01(\rR\x06ipPort\"E\n" +
+ "\x04Type\x12\x10\n" +
+ "\fTYPE_UNKNOWN\x10\x00\x12\r\n" +
+ "\tTYPE_IPV4\x10\x01\x12\r\n" +
+ "\tTYPE_IPV6\x10\x02\x12\r\n" +
+ "\tTYPE_UNIX\x10\x03B\\\n" +
+ "\x14io.grpc.binarylog.v1B\x0eBinaryLogProtoP\x01Z2google.golang.org/grpc/binarylog/grpc_binarylog_v1b\x06proto3"
var (
file_grpc_binlog_v1_binarylog_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/grpc/clientconn.go b/vendor/google.golang.org/grpc/clientconn.go
index 4f350ca56a..b767d3e33e 100644
--- a/vendor/google.golang.org/grpc/clientconn.go
+++ b/vendor/google.golang.org/grpc/clientconn.go
@@ -35,16 +35,19 @@ import (
"google.golang.org/grpc/balancer/pickfirst"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/connectivity"
+ "google.golang.org/grpc/credentials"
+ expstats "google.golang.org/grpc/experimental/stats"
"google.golang.org/grpc/internal"
"google.golang.org/grpc/internal/channelz"
"google.golang.org/grpc/internal/grpcsync"
"google.golang.org/grpc/internal/idle"
iresolver "google.golang.org/grpc/internal/resolver"
- "google.golang.org/grpc/internal/stats"
+ istats "google.golang.org/grpc/internal/stats"
"google.golang.org/grpc/internal/transport"
"google.golang.org/grpc/keepalive"
"google.golang.org/grpc/resolver"
"google.golang.org/grpc/serviceconfig"
+ "google.golang.org/grpc/stats"
"google.golang.org/grpc/status"
_ "google.golang.org/grpc/balancer/roundrobin" // To register roundrobin.
@@ -97,6 +100,41 @@ var (
errTransportCredentialsMissing = errors.New("grpc: the credentials require transport level security (use grpc.WithTransportCredentials() to set)")
)
+var (
+ disconnectionsMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+ Name: "grpc.subchannel.disconnections",
+ Description: "EXPERIMENTAL. Number of times the selected subchannel becomes disconnected.",
+ Unit: "{disconnection}",
+ Labels: []string{"grpc.target"},
+ OptionalLabels: []string{"grpc.lb.backend_service", "grpc.lb.locality", "grpc.disconnect_error"},
+ Default: false,
+ })
+ connectionAttemptsSucceededMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+ Name: "grpc.subchannel.connection_attempts_succeeded",
+ Description: "EXPERIMENTAL. Number of successful connection attempts.",
+ Unit: "{attempt}",
+ Labels: []string{"grpc.target"},
+ OptionalLabels: []string{"grpc.lb.backend_service", "grpc.lb.locality"},
+ Default: false,
+ })
+ connectionAttemptsFailedMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+ Name: "grpc.subchannel.connection_attempts_failed",
+ Description: "EXPERIMENTAL. Number of failed connection attempts.",
+ Unit: "{attempt}",
+ Labels: []string{"grpc.target"},
+ OptionalLabels: []string{"grpc.lb.backend_service", "grpc.lb.locality"},
+ Default: false,
+ })
+ openConnectionsMetric = expstats.RegisterInt64UpDownCount(expstats.MetricDescriptor{
+ Name: "grpc.subchannel.open_connections",
+ Description: "EXPERIMENTAL. Number of open connections.",
+ Unit: "{attempt}",
+ Labels: []string{"grpc.target"},
+ OptionalLabels: []string{"grpc.lb.backend_service", "grpc.security_level", "grpc.lb.locality"},
+ Default: false,
+ })
+)
+
const (
defaultClientMaxReceiveMessageSize = 1024 * 1024 * 4
defaultClientMaxSendMessageSize = math.MaxInt32
@@ -208,9 +246,10 @@ func NewClient(target string, opts ...DialOption) (conn *ClientConn, err error)
channelz.Infof(logger, cc.channelz, "Channel authority set to %q", cc.authority)
cc.csMgr = newConnectivityStateManager(cc.ctx, cc.channelz)
- cc.pickerWrapper = newPickerWrapper(cc.dopts.copts.StatsHandlers)
+ cc.pickerWrapper = newPickerWrapper()
- cc.metricsRecorderList = stats.NewMetricsRecorderList(cc.dopts.copts.StatsHandlers)
+ cc.metricsRecorderList = istats.NewMetricsRecorderList(cc.dopts.copts.StatsHandlers)
+ cc.statsHandler = istats.NewCombinedHandler(cc.dopts.copts.StatsHandlers...)
cc.initIdleStateLocked() // Safe to call without the lock, since nothing else has a reference to cc.
cc.idlenessMgr = idle.NewManager((*idler)(cc), cc.dopts.idleTimeout)
@@ -260,9 +299,10 @@ func DialContext(ctx context.Context, target string, opts ...DialOption) (conn *
}()
// This creates the name resolver, load balancer, etc.
- if err := cc.idlenessMgr.ExitIdleMode(); err != nil {
- return nil, err
+ if err := cc.exitIdleMode(); err != nil {
+ return nil, fmt.Errorf("failed to exit idle mode: %w", err)
}
+ cc.idlenessMgr.UnsafeSetNotIdle()
// Return now for non-blocking dials.
if !cc.dopts.block {
@@ -330,7 +370,7 @@ func (cc *ClientConn) addTraceEvent(msg string) {
Severity: channelz.CtInfo,
}
}
- channelz.AddTraceEvent(logger, cc.channelz, 0, ted)
+ channelz.AddTraceEvent(logger, cc.channelz, 1, ted)
}
type idler ClientConn
@@ -339,14 +379,17 @@ func (i *idler) EnterIdleMode() {
(*ClientConn)(i).enterIdleMode()
}
-func (i *idler) ExitIdleMode() error {
- return (*ClientConn)(i).exitIdleMode()
+func (i *idler) ExitIdleMode() {
+ // Ignore the error returned from this method, because from the perspective
+ // of the caller (idleness manager), the channel would have always moved out
+ // of IDLE by the time this method returns.
+ (*ClientConn)(i).exitIdleMode()
}
// exitIdleMode moves the channel out of idle mode by recreating the name
// resolver and load balancer. This should never be called directly; use
// cc.idlenessMgr.ExitIdleMode instead.
-func (cc *ClientConn) exitIdleMode() (err error) {
+func (cc *ClientConn) exitIdleMode() error {
cc.mu.Lock()
if cc.conns == nil {
cc.mu.Unlock()
@@ -354,11 +397,23 @@ func (cc *ClientConn) exitIdleMode() (err error) {
}
cc.mu.Unlock()
+ // Set state to CONNECTING before building the name resolver
+ // so the channel does not remain in IDLE.
+ cc.csMgr.updateState(connectivity.Connecting)
+
// This needs to be called without cc.mu because this builds a new resolver
// which might update state or report error inline, which would then need to
// acquire cc.mu.
if err := cc.resolverWrapper.start(); err != nil {
- return err
+ // If resolver creation fails, treat it like an error reported by the
+ // resolver before any valid updates. Set channel's state to
+ // TransientFailure, and set an erroring picker with the resolver build
+ // error, which will returned as part of any subsequent RPCs.
+ logger.Warningf("Failed to start resolver: %v", err)
+ cc.csMgr.updateState(connectivity.TransientFailure)
+ cc.mu.Lock()
+ cc.updateResolverStateAndUnlock(resolver.State{}, err)
+ return fmt.Errorf("failed to start resolver: %w", err)
}
cc.addTraceEvent("exiting idle mode")
@@ -456,7 +511,7 @@ func (cc *ClientConn) validateTransportCredentials() error {
func (cc *ClientConn) channelzRegistration(target string) {
parentChannel, _ := cc.dopts.channelzParent.(*channelz.Channel)
cc.channelz = channelz.RegisterChannel(parentChannel, target)
- cc.addTraceEvent("created")
+ cc.addTraceEvent(fmt.Sprintf("created for target %q", target))
}
// chainUnaryClientInterceptors chains all unary client interceptors into one.
@@ -621,7 +676,8 @@ type ClientConn struct {
channelz *channelz.Channel // Channelz object.
resolverBuilder resolver.Builder // See initParsedTargetAndResolverBuilder().
idlenessMgr *idle.Manager
- metricsRecorderList *stats.MetricsRecorderList
+ metricsRecorderList *istats.MetricsRecorderList
+ statsHandler stats.Handler
// The following provide their own synchronization, and therefore don't
// require cc.mu to be held to access them.
@@ -678,10 +734,8 @@ func (cc *ClientConn) GetState() connectivity.State {
// Notice: This API is EXPERIMENTAL and may be changed or removed in a later
// release.
func (cc *ClientConn) Connect() {
- if err := cc.idlenessMgr.ExitIdleMode(); err != nil {
- cc.addTraceEvent(err.Error())
- return
- }
+ cc.idlenessMgr.ExitIdleMode()
+
// If the ClientConn was not in idle mode, we need to call ExitIdle on the
// LB policy so that connections can be created.
cc.mu.Lock()
@@ -689,22 +743,31 @@ func (cc *ClientConn) Connect() {
cc.mu.Unlock()
}
-// waitForResolvedAddrs blocks until the resolver has provided addresses or the
-// context expires. Returns nil unless the context expires first; otherwise
-// returns a status error based on the context.
-func (cc *ClientConn) waitForResolvedAddrs(ctx context.Context) error {
+// waitForResolvedAddrs blocks until the resolver provides addresses or the
+// context expires, whichever happens first.
+//
+// Error is nil unless the context expires first; otherwise returns a status
+// error based on the context.
+//
+// The returned boolean indicates whether it did block or not. If the
+// resolution has already happened once before, it returns false without
+// blocking. Otherwise, it wait for the resolution and return true if
+// resolution has succeeded or return false along with error if resolution has
+// failed.
+func (cc *ClientConn) waitForResolvedAddrs(ctx context.Context) (bool, error) {
// This is on the RPC path, so we use a fast path to avoid the
// more-expensive "select" below after the resolver has returned once.
if cc.firstResolveEvent.HasFired() {
- return nil
+ return false, nil
}
+ internal.NewStreamWaitingForResolver()
select {
case <-cc.firstResolveEvent.Done():
- return nil
+ return true, nil
case <-ctx.Done():
- return status.FromContextError(ctx.Err()).Err()
+ return false, status.FromContextError(ctx.Err()).Err()
case <-cc.ctx.Done():
- return ErrClientConnClosing
+ return false, ErrClientConnClosing
}
}
@@ -723,8 +786,8 @@ func init() {
internal.EnterIdleModeForTesting = func(cc *ClientConn) {
cc.idlenessMgr.EnterIdleModeForTesting()
}
- internal.ExitIdleModeForTesting = func(cc *ClientConn) error {
- return cc.idlenessMgr.ExitIdleMode()
+ internal.ExitIdleModeForTesting = func(cc *ClientConn) {
+ cc.idlenessMgr.ExitIdleMode()
}
}
@@ -849,6 +912,7 @@ func (cc *ClientConn) newAddrConnLocked(addrs []resolver.Address, opts balancer.
channelz: channelz.RegisterSubChannel(cc.channelz, ""),
resetBackoff: make(chan struct{}),
}
+ ac.updateTelemetryLabelsLocked()
ac.ctx, ac.cancel = context.WithCancel(cc.ctx)
// Start with our address set to the first address; this may be updated if
// we connect to different addresses.
@@ -965,7 +1029,7 @@ func (ac *addrConn) updateAddrs(addrs []resolver.Address) {
}
ac.addrs = addrs
-
+ ac.updateTelemetryLabelsLocked()
if ac.state == connectivity.Shutdown ||
ac.state == connectivity.TransientFailure ||
ac.state == connectivity.Idle {
@@ -1067,13 +1131,6 @@ func (cc *ClientConn) healthCheckConfig() *healthCheckConfig {
return cc.sc.healthCheckConfig
}
-func (cc *ClientConn) getTransport(ctx context.Context, failfast bool, method string) (transport.ClientTransport, balancer.PickResult, error) {
- return cc.pickerWrapper.pick(ctx, failfast, balancer.PickInfo{
- Ctx: ctx,
- FullMethodName: method,
- })
-}
-
func (cc *ClientConn) applyServiceConfigAndBalancer(sc *ServiceConfig, configSelector iresolver.ConfigSelector) {
if sc == nil {
// should never reach here.
@@ -1211,6 +1268,9 @@ type addrConn struct {
resetBackoff chan struct{}
channelz *channelz.SubChannel
+
+ localityLabel string
+ backendServiceLabel string
}
// Note: this requires a lock on ac.mu.
@@ -1218,6 +1278,18 @@ func (ac *addrConn) updateConnectivityState(s connectivity.State, lastErr error)
if ac.state == s {
return
}
+
+ // If we are transitioning out of Ready, it means there is a disconnection.
+ // A SubConn can also transition from CONNECTING directly to IDLE when
+ // a transport is successfully created, but the connection fails
+ // before the SubConn can send the notification for READY. We treat
+ // this as a successful connection and transition to IDLE.
+ // TODO: https://github.com/grpc/grpc-go/issues/7862 - Remove the second
+ // part of the if condition below once the issue is fixed.
+ if ac.state == connectivity.Ready || (ac.state == connectivity.Connecting && s == connectivity.Idle) {
+ disconnectionsMetric.Record(ac.cc.metricsRecorderList, 1, ac.cc.target, ac.backendServiceLabel, ac.localityLabel, "unknown")
+ openConnectionsMetric.Record(ac.cc.metricsRecorderList, -1, ac.cc.target, ac.backendServiceLabel, ac.securityLevelLocked(), ac.localityLabel)
+ }
ac.state = s
ac.channelz.ChannelMetrics.State.Store(&s)
if lastErr == nil {
@@ -1275,6 +1347,15 @@ func (ac *addrConn) resetTransportAndUnlock() {
ac.mu.Unlock()
if err := ac.tryAllAddrs(acCtx, addrs, connectDeadline); err != nil {
+ if !errors.Is(err, context.Canceled) {
+ connectionAttemptsFailedMetric.Record(ac.cc.metricsRecorderList, 1, ac.cc.target, ac.backendServiceLabel, ac.localityLabel)
+ } else {
+ if logger.V(2) {
+ // This records cancelled connection attempts which can be later
+ // replaced by a metric.
+ logger.Infof("Context cancellation detected; not recording this as a failed connection attempt.")
+ }
+ }
// TODO: #7534 - Move re-resolution requests into the pick_first LB policy
// to ensure one resolution request per pass instead of per subconn failure.
ac.cc.resolveNow(resolver.ResolveNowOptions{})
@@ -1314,10 +1395,50 @@ func (ac *addrConn) resetTransportAndUnlock() {
}
// Success; reset backoff.
ac.mu.Lock()
+ connectionAttemptsSucceededMetric.Record(ac.cc.metricsRecorderList, 1, ac.cc.target, ac.backendServiceLabel, ac.localityLabel)
+ openConnectionsMetric.Record(ac.cc.metricsRecorderList, 1, ac.cc.target, ac.backendServiceLabel, ac.securityLevelLocked(), ac.localityLabel)
ac.backoffIdx = 0
ac.mu.Unlock()
}
+// updateTelemetryLabelsLocked calculates and caches the telemetry labels based on the
+// first address in addrConn.
+func (ac *addrConn) updateTelemetryLabelsLocked() {
+ labelsFunc, ok := internal.AddressToTelemetryLabels.(func(resolver.Address) map[string]string)
+ if !ok || len(ac.addrs) == 0 {
+ // Reset defaults
+ ac.localityLabel = ""
+ ac.backendServiceLabel = ""
+ return
+ }
+ labels := labelsFunc(ac.addrs[0])
+ ac.localityLabel = labels["grpc.lb.locality"]
+ ac.backendServiceLabel = labels["grpc.lb.backend_service"]
+}
+
+type securityLevelKey struct{}
+
+func (ac *addrConn) securityLevelLocked() string {
+ var secLevel string
+ // During disconnection, ac.transport is nil. Fall back to the security level
+ // stored in the current address during connection.
+ if ac.transport == nil {
+ secLevel, _ = ac.curAddr.Attributes.Value(securityLevelKey{}).(string)
+ return secLevel
+ }
+ authInfo := ac.transport.Peer().AuthInfo
+ if ci, ok := authInfo.(interface {
+ GetCommonAuthInfo() credentials.CommonAuthInfo
+ }); ok {
+ secLevel = ci.GetCommonAuthInfo().SecurityLevel.String()
+ // Store the security level in the current address' attributes so
+ // that it remains available for disconnection metrics after the
+ // transport is closed.
+ ac.curAddr.Attributes = ac.curAddr.Attributes.WithValue(securityLevelKey{}, secLevel)
+ }
+ return secLevel
+}
+
// tryAllAddrs tries to create a connection to the addresses, and stop when at
// the first successful one. It returns an error if no address was successfully
// connected, or updates ac appropriately with the new transport.
@@ -1822,7 +1943,7 @@ func (cc *ClientConn) initAuthority() error {
} else if auth, ok := cc.resolverBuilder.(resolver.AuthorityOverrider); ok {
cc.authority = auth.OverrideAuthority(cc.parsedTarget)
} else if strings.HasPrefix(endpoint, ":") {
- cc.authority = "localhost" + endpoint
+ cc.authority = "localhost" + encodeAuthority(endpoint)
} else {
cc.authority = encodeAuthority(endpoint)
}
diff --git a/vendor/google.golang.org/grpc/credentials/credentials.go b/vendor/google.golang.org/grpc/credentials/credentials.go
index 665e790bb0..06f6c6c70a 100644
--- a/vendor/google.golang.org/grpc/credentials/credentials.go
+++ b/vendor/google.golang.org/grpc/credentials/credentials.go
@@ -44,8 +44,7 @@ type PerRPCCredentials interface {
// A54). uri is the URI of the entry point for the request. When supported
// by the underlying implementation, ctx can be used for timeout and
// cancellation. Additionally, RequestInfo data will be available via ctx
- // to this call. TODO(zhaoq): Define the set of the qualified keys instead
- // of leaving it as an arbitrary string.
+ // to this call.
GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)
// RequireTransportSecurity indicates whether the credentials requires
// transport security.
@@ -96,10 +95,11 @@ func (c CommonAuthInfo) GetCommonAuthInfo() CommonAuthInfo {
return c
}
-// ProtocolInfo provides information regarding the gRPC wire protocol version,
-// security protocol, security protocol version in use, server name, etc.
+// ProtocolInfo provides static information regarding transport credentials.
type ProtocolInfo struct {
// ProtocolVersion is the gRPC wire protocol version.
+ //
+ // Deprecated: this is unused by gRPC.
ProtocolVersion string
// SecurityProtocol is the security protocol in use.
SecurityProtocol string
@@ -109,7 +109,16 @@ type ProtocolInfo struct {
//
// Deprecated: please use Peer.AuthInfo.
SecurityVersion string
- // ServerName is the user-configured server name.
+ // ServerName is the user-configured server name. If set, this overrides
+ // the default :authority header used for all RPCs on the channel using the
+ // containing credentials, unless grpc.WithAuthority is set on the channel,
+ // in which case that setting will take precedence.
+ //
+ // This must be a valid `:authority` header according to
+ // [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#section-3.2).
+ //
+ // Deprecated: Users should use grpc.WithAuthority to override the authority
+ // on a channel instead of configuring the credentials.
ServerName string
}
@@ -120,6 +129,20 @@ type AuthInfo interface {
AuthType() string
}
+// AuthorityValidator validates the authority used to override the `:authority`
+// header. This is an optional interface that implementations of AuthInfo can
+// implement if they support per-RPC authority overrides. It is invoked when the
+// application attempts to override the HTTP/2 `:authority` header using the
+// CallAuthority call option.
+type AuthorityValidator interface {
+ // ValidateAuthority checks the authority value used to override the
+ // `:authority` header. The authority parameter is the override value
+ // provided by the application via the CallAuthority option. This value
+ // typically corresponds to the server hostname or endpoint the RPC is
+ // targeting. It returns non-nil error if the validation fails.
+ ValidateAuthority(authority string) error
+}
+
// ErrConnDispatched indicates that rawConn has been dispatched out of gRPC
// and the caller should not close rawConn.
var ErrConnDispatched = errors.New("credentials: rawConn is dispatched out of gRPC")
@@ -159,12 +182,17 @@ type TransportCredentials interface {
// Clone makes a copy of this TransportCredentials.
Clone() TransportCredentials
// OverrideServerName specifies the value used for the following:
+ //
// - verifying the hostname on the returned certificates
// - as SNI in the client's handshake to support virtual hosting
// - as the value for `:authority` header at stream creation time
//
- // Deprecated: use grpc.WithAuthority instead. Will be supported
- // throughout 1.x.
+ // The provided string should be a valid `:authority` header according to
+ // [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#section-3.2).
+ //
+ // Deprecated: this method is unused by gRPC. Users should use
+ // grpc.WithAuthority to override the authority on a channel instead of
+ // configuring the credentials.
OverrideServerName(string) error
}
@@ -207,14 +235,32 @@ type RequestInfo struct {
AuthInfo AuthInfo
}
+// requestInfoKey is a struct to be used as the key to store RequestInfo in a
+// context.
+type requestInfoKey struct{}
+
// RequestInfoFromContext extracts the RequestInfo from the context if it exists.
//
// This API is experimental.
func RequestInfoFromContext(ctx context.Context) (ri RequestInfo, ok bool) {
- ri, ok = icredentials.RequestInfoFromContext(ctx).(RequestInfo)
+ ri, ok = ctx.Value(requestInfoKey{}).(RequestInfo)
return ri, ok
}
+// NewContextWithRequestInfo creates a new context from ctx and attaches ri to it.
+//
+// This RequestInfo will be accessible via RequestInfoFromContext.
+//
+// Intended to be used from tests for PerRPCCredentials implementations (that
+// often need to check connection's SecurityLevel). Should not be used from
+// non-test code: the gRPC client already prepares a context with the correct
+// RequestInfo attached when calling PerRPCCredentials.GetRequestMetadata.
+//
+// This API is experimental.
+func NewContextWithRequestInfo(ctx context.Context, ri RequestInfo) context.Context {
+ return context.WithValue(ctx, requestInfoKey{}, ri)
+}
+
// ClientHandshakeInfo holds data to be passed to ClientHandshake. This makes
// it possible to pass arbitrary data to the handshaker from gRPC, resolver,
// balancer etc. Individual credential implementations control the actual
diff --git a/vendor/google.golang.org/grpc/credentials/insecure/insecure.go b/vendor/google.golang.org/grpc/credentials/insecure/insecure.go
index 4c805c6446..93156c0f34 100644
--- a/vendor/google.golang.org/grpc/credentials/insecure/insecure.go
+++ b/vendor/google.golang.org/grpc/credentials/insecure/insecure.go
@@ -30,7 +30,7 @@ import (
// NewCredentials returns a credentials which disables transport security.
//
// Note that using this credentials with per-RPC credentials which require
-// transport security is incompatible and will cause grpc.Dial() to fail.
+// transport security is incompatible and will cause RPCs to fail.
func NewCredentials() credentials.TransportCredentials {
return insecureTC{}
}
@@ -71,6 +71,12 @@ func (info) AuthType() string {
return "insecure"
}
+// ValidateAuthority allows any value to be overridden for the :authority
+// header.
+func (info) ValidateAuthority(string) error {
+ return nil
+}
+
// insecureBundle implements an insecure bundle.
// An insecure bundle provides a thin wrapper around insecureTC to support
// the credentials.Bundle interface.
diff --git a/vendor/google.golang.org/grpc/credentials/tls.go b/vendor/google.golang.org/grpc/credentials/tls.go
index bd5fe22b6a..8277be7d6f 100644
--- a/vendor/google.golang.org/grpc/credentials/tls.go
+++ b/vendor/google.golang.org/grpc/credentials/tls.go
@@ -22,6 +22,7 @@ import (
"context"
"crypto/tls"
"crypto/x509"
+ "errors"
"fmt"
"net"
"net/url"
@@ -50,6 +51,21 @@ func (t TLSInfo) AuthType() string {
return "tls"
}
+// ValidateAuthority validates the provided authority being used to override the
+// :authority header by verifying it against the peer certificates. It returns a
+// non-nil error if the validation fails.
+func (t TLSInfo) ValidateAuthority(authority string) error {
+ var errs []error
+ for _, cert := range t.State.PeerCertificates {
+ var err error
+ if err = cert.VerifyHostname(authority); err == nil {
+ return nil
+ }
+ errs = append(errs, err)
+ }
+ return fmt.Errorf("credentials: invalid authority %q: %v", authority, errors.Join(errs...))
+}
+
// cipherSuiteLookup returns the string version of a TLS cipher suite ID.
func cipherSuiteLookup(cipherSuiteID uint16) string {
for _, s := range tls.CipherSuites() {
@@ -94,14 +110,14 @@ func (c tlsCreds) Info() ProtocolInfo {
func (c *tlsCreds) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (_ net.Conn, _ AuthInfo, err error) {
// use local cfg to avoid clobbering ServerName if using multiple endpoints
cfg := credinternal.CloneTLSConfig(c.config)
- if cfg.ServerName == "" {
- serverName, _, err := net.SplitHostPort(authority)
- if err != nil {
- // If the authority had no host port or if the authority cannot be parsed, use it as-is.
- serverName = authority
- }
- cfg.ServerName = serverName
+
+ serverName, _, err := net.SplitHostPort(authority)
+ if err != nil {
+ // If the authority had no host port or if the authority cannot be parsed, use it as-is.
+ serverName = authority
}
+ cfg.ServerName = serverName
+
conn := tls.Client(rawConn, cfg)
errChannel := make(chan error, 1)
go func() {
@@ -243,9 +259,11 @@ func applyDefaults(c *tls.Config) *tls.Config {
// certificates to establish the identity of the client need to be included in
// the credentials (eg: for mTLS), use NewTLS instead, where a complete
// tls.Config can be specified.
-// serverNameOverride is for testing only. If set to a non empty string,
-// it will override the virtual host name of authority (e.g. :authority header
-// field) in requests.
+//
+// serverNameOverride is for testing only. If set to a non empty string, it will
+// override the virtual host name of authority (e.g. :authority header field) in
+// requests. Users should use grpc.WithAuthority passed to grpc.NewClient to
+// override the authority of the client instead.
func NewClientTLSFromCert(cp *x509.CertPool, serverNameOverride string) TransportCredentials {
return NewTLS(&tls.Config{ServerName: serverNameOverride, RootCAs: cp})
}
@@ -255,9 +273,11 @@ func NewClientTLSFromCert(cp *x509.CertPool, serverNameOverride string) Transpor
// certificates to establish the identity of the client need to be included in
// the credentials (eg: for mTLS), use NewTLS instead, where a complete
// tls.Config can be specified.
-// serverNameOverride is for testing only. If set to a non empty string,
-// it will override the virtual host name of authority (e.g. :authority header
-// field) in requests.
+//
+// serverNameOverride is for testing only. If set to a non empty string, it will
+// override the virtual host name of authority (e.g. :authority header field) in
+// requests. Users should use grpc.WithAuthority passed to grpc.NewClient to
+// override the authority of the client instead.
func NewClientTLSFromFile(certFile, serverNameOverride string) (TransportCredentials, error) {
b, err := os.ReadFile(certFile)
if err != nil {
diff --git a/vendor/google.golang.org/grpc/dialoptions.go b/vendor/google.golang.org/grpc/dialoptions.go
index 405a2ffeb3..7a5ac2e7c4 100644
--- a/vendor/google.golang.org/grpc/dialoptions.go
+++ b/vendor/google.golang.org/grpc/dialoptions.go
@@ -213,6 +213,7 @@ func WithReadBufferSize(s int) DialOption {
func WithInitialWindowSize(s int32) DialOption {
return newFuncDialOption(func(o *dialOptions) {
o.copts.InitialWindowSize = s
+ o.copts.StaticWindowSize = true
})
}
@@ -222,6 +223,26 @@ func WithInitialWindowSize(s int32) DialOption {
func WithInitialConnWindowSize(s int32) DialOption {
return newFuncDialOption(func(o *dialOptions) {
o.copts.InitialConnWindowSize = s
+ o.copts.StaticWindowSize = true
+ })
+}
+
+// WithStaticStreamWindowSize returns a DialOption which sets the initial
+// stream window size to the value provided and disables dynamic flow control.
+func WithStaticStreamWindowSize(s int32) DialOption {
+ return newFuncDialOption(func(o *dialOptions) {
+ o.copts.InitialWindowSize = s
+ o.copts.StaticWindowSize = true
+ })
+}
+
+// WithStaticConnWindowSize returns a DialOption which sets the initial
+// connection window size to the value provided and disables dynamic flow
+// control.
+func WithStaticConnWindowSize(s int32) DialOption {
+ return newFuncDialOption(func(o *dialOptions) {
+ o.copts.InitialConnWindowSize = s
+ o.copts.StaticWindowSize = true
})
}
@@ -360,7 +381,7 @@ func WithReturnConnectionError() DialOption {
//
// Note that using this DialOption with per-RPC credentials (through
// WithCredentialsBundle or WithPerRPCCredentials) which require transport
-// security is incompatible and will cause grpc.Dial() to fail.
+// security is incompatible and will cause RPCs to fail.
//
// Deprecated: use WithTransportCredentials and insecure.NewCredentials()
// instead. Will be supported throughout 1.x.
@@ -587,6 +608,8 @@ func WithChainStreamInterceptor(interceptors ...StreamClientInterceptor) DialOpt
// WithAuthority returns a DialOption that specifies the value to be used as the
// :authority pseudo-header and as the server name in authentication handshake.
+// This overrides all other ways of setting authority on the channel, but can be
+// overridden per-call by using grpc.CallAuthority.
func WithAuthority(a string) DialOption {
return newFuncDialOption(func(o *dialOptions) {
o.authority = a
diff --git a/vendor/google.golang.org/grpc/encoding/encoding.go b/vendor/google.golang.org/grpc/encoding/encoding.go
index 11d0ae142c..dadd21e40f 100644
--- a/vendor/google.golang.org/grpc/encoding/encoding.go
+++ b/vendor/google.golang.org/grpc/encoding/encoding.go
@@ -27,8 +27,10 @@ package encoding
import (
"io"
+ "slices"
"strings"
+ "google.golang.org/grpc/encoding/internal"
"google.golang.org/grpc/internal/grpcutil"
)
@@ -36,6 +38,24 @@ import (
// It is intended for grpc internal use only.
const Identity = "identity"
+func init() {
+ internal.RegisterCompressorForTesting = func(c Compressor) func() {
+ name := c.Name()
+ curCompressor, found := registeredCompressor[name]
+ RegisterCompressor(c)
+ return func() {
+ if found {
+ registeredCompressor[name] = curCompressor
+ return
+ }
+ delete(registeredCompressor, name)
+ grpcutil.RegisteredCompressorNames = slices.DeleteFunc(grpcutil.RegisteredCompressorNames, func(s string) bool {
+ return s == name
+ })
+ }
+ }
+}
+
// Compressor is used for compressing and decompressing when sending or
// receiving messages.
//
diff --git a/vendor/google.golang.org/grpc/encoding/internal/internal.go b/vendor/google.golang.org/grpc/encoding/internal/internal.go
new file mode 100644
index 0000000000..ee9acb4377
--- /dev/null
+++ b/vendor/google.golang.org/grpc/encoding/internal/internal.go
@@ -0,0 +1,28 @@
+/*
+ *
+ * Copyright 2025 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+// Package internal contains code internal to the encoding package.
+package internal
+
+// RegisterCompressorForTesting registers a compressor in the global compressor
+// registry. It returns a cleanup function that should be called at the end
+// of the test to unregister the compressor.
+//
+// This prevents compressors registered in one test from appearing in the
+// encoding headers of subsequent tests.
+var RegisterCompressorForTesting any // func RegisterCompressor(c Compressor) func()
diff --git a/vendor/google.golang.org/grpc/encoding/proto/proto.go b/vendor/google.golang.org/grpc/encoding/proto/proto.go
index ceec319dd2..1ab874c7ad 100644
--- a/vendor/google.golang.org/grpc/encoding/proto/proto.go
+++ b/vendor/google.golang.org/grpc/encoding/proto/proto.go
@@ -46,9 +46,25 @@ func (c *codecV2) Marshal(v any) (data mem.BufferSlice, err error) {
return nil, fmt.Errorf("proto: failed to marshal, message is %T, want proto.Message", v)
}
+ // Important: if we remove this Size call then we cannot use
+ // UseCachedSize in MarshalOptions below.
size := proto.Size(vv)
+
+ // MarshalOptions with UseCachedSize allows reusing the result from the
+ // previous Size call. This is safe here because:
+ //
+ // 1. We just computed the size.
+ // 2. We assume the message is not being mutated concurrently.
+ //
+ // Important: If the proto.Size call above is removed, using UseCachedSize
+ // becomes unsafe and may lead to incorrect marshaling.
+ //
+ // For more details, see the doc of UseCachedSize:
+ // https://pkg.go.dev/google.golang.org/protobuf/proto#MarshalOptions
+ marshalOptions := proto.MarshalOptions{UseCachedSize: true}
+
if mem.IsBelowBufferPoolingThreshold(size) {
- buf, err := proto.Marshal(vv)
+ buf, err := marshalOptions.Marshal(vv)
if err != nil {
return nil, err
}
@@ -56,7 +72,7 @@ func (c *codecV2) Marshal(v any) (data mem.BufferSlice, err error) {
} else {
pool := mem.DefaultBufferPool()
buf := pool.Get(size)
- if _, err := (proto.MarshalOptions{}).MarshalAppend((*buf)[:0], vv); err != nil {
+ if _, err := marshalOptions.MarshalAppend((*buf)[:0], vv); err != nil {
pool.Put(buf)
return nil, err
}
diff --git a/vendor/google.golang.org/grpc/experimental/stats/metricregistry.go b/vendor/google.golang.org/grpc/experimental/stats/metricregistry.go
index ad75313a18..472813f58f 100644
--- a/vendor/google.golang.org/grpc/experimental/stats/metricregistry.go
+++ b/vendor/google.golang.org/grpc/experimental/stats/metricregistry.go
@@ -75,6 +75,8 @@ const (
MetricTypeIntHisto
MetricTypeFloatHisto
MetricTypeIntGauge
+ MetricTypeIntUpDownCount
+ MetricTypeIntAsyncGauge
)
// Int64CountHandle is a typed handle for a int count metric. This handle
@@ -93,6 +95,23 @@ func (h *Int64CountHandle) Record(recorder MetricsRecorder, incr int64, labels .
recorder.RecordInt64Count(h, incr, labels...)
}
+// Int64UpDownCountHandle is a typed handle for an int up-down counter metric.
+// This handle is passed at the recording point in order to know which metric
+// to record on.
+type Int64UpDownCountHandle MetricDescriptor
+
+// Descriptor returns the int64 up-down counter handle typecast to a pointer to a
+// MetricDescriptor.
+func (h *Int64UpDownCountHandle) Descriptor() *MetricDescriptor {
+ return (*MetricDescriptor)(h)
+}
+
+// Record records the int64 up-down counter value on the metrics recorder provided.
+// The value 'v' can be positive to increment or negative to decrement.
+func (h *Int64UpDownCountHandle) Record(recorder MetricsRecorder, v int64, labels ...string) {
+ recorder.RecordInt64UpDownCount(h, v, labels...)
+}
+
// Float64CountHandle is a typed handle for a float count metric. This handle is
// passed at the recording point in order to know which metric to record on.
type Float64CountHandle MetricDescriptor
@@ -154,6 +173,30 @@ func (h *Int64GaugeHandle) Record(recorder MetricsRecorder, incr int64, labels .
recorder.RecordInt64Gauge(h, incr, labels...)
}
+// AsyncMetric is a marker interface for asynchronous metric types.
+type AsyncMetric interface {
+ isAsync()
+ Descriptor() *MetricDescriptor
+}
+
+// Int64AsyncGaugeHandle is a typed handle for an int gauge metric. This handle is
+// passed at the recording point in order to know which metric to record on.
+type Int64AsyncGaugeHandle MetricDescriptor
+
+// isAsync implements the AsyncMetric interface.
+func (h *Int64AsyncGaugeHandle) isAsync() {}
+
+// Descriptor returns the int64 gauge handle typecast to a pointer to a
+// MetricDescriptor.
+func (h *Int64AsyncGaugeHandle) Descriptor() *MetricDescriptor {
+ return (*MetricDescriptor)(h)
+}
+
+// Record records the int64 gauge value on the metrics recorder provided.
+func (h *Int64AsyncGaugeHandle) Record(recorder AsyncMetricsRecorder, value int64, labels ...string) {
+ recorder.RecordInt64AsyncGauge(h, value, labels...)
+}
+
// registeredMetrics are the registered metric descriptor names.
var registeredMetrics = make(map[string]bool)
@@ -249,6 +292,35 @@ func RegisterInt64Gauge(descriptor MetricDescriptor) *Int64GaugeHandle {
return (*Int64GaugeHandle)(descPtr)
}
+// RegisterInt64UpDownCount registers the metric description onto the global registry.
+// It returns a typed handle to use for recording data.
+//
+// NOTE: this function must only be called during initialization time (i.e. in
+// an init() function), and is not thread-safe. If multiple metrics are
+// registered with the same name, this function will panic.
+func RegisterInt64UpDownCount(descriptor MetricDescriptor) *Int64UpDownCountHandle {
+ registerMetric(descriptor.Name, descriptor.Default)
+ // Set the specific metric type for the up-down counter
+ descriptor.Type = MetricTypeIntUpDownCount
+ descPtr := &descriptor
+ metricsRegistry[descriptor.Name] = descPtr
+ return (*Int64UpDownCountHandle)(descPtr)
+}
+
+// RegisterInt64AsyncGauge registers the metric description onto the global registry.
+// It returns a typed handle to use for recording data.
+//
+// NOTE: this function must only be called during initialization time (i.e. in
+// an init() function), and is not thread-safe. If multiple metrics are
+// registered with the same name, this function will panic.
+func RegisterInt64AsyncGauge(descriptor MetricDescriptor) *Int64AsyncGaugeHandle {
+ registerMetric(descriptor.Name, descriptor.Default)
+ descriptor.Type = MetricTypeIntAsyncGauge
+ descPtr := &descriptor
+ metricsRegistry[descriptor.Name] = descPtr
+ return (*Int64AsyncGaugeHandle)(descPtr)
+}
+
// snapshotMetricsRegistryForTesting snapshots the global data of the metrics
// registry. Returns a cleanup function that sets the metrics registry to its
// original state.
diff --git a/vendor/google.golang.org/grpc/experimental/stats/metrics.go b/vendor/google.golang.org/grpc/experimental/stats/metrics.go
index ee1423605a..d7d404cbe4 100644
--- a/vendor/google.golang.org/grpc/experimental/stats/metrics.go
+++ b/vendor/google.golang.org/grpc/experimental/stats/metrics.go
@@ -38,6 +38,16 @@ type MetricsRecorder interface {
// RecordInt64Gauge records the measurement alongside labels on the int
// gauge associated with the provided handle.
RecordInt64Gauge(handle *Int64GaugeHandle, incr int64, labels ...string)
+ // RecordInt64UpDownCounter records the measurement alongside labels on the int
+ // count associated with the provided handle.
+ RecordInt64UpDownCount(handle *Int64UpDownCountHandle, incr int64, labels ...string)
+}
+
+// AsyncMetricsRecorder records on asynchronous metrics derived from metric registry.
+type AsyncMetricsRecorder interface {
+ // RecordInt64AsyncGauge records the measurement alongside labels on the int
+ // count associated with the provided handle asynchronously
+ RecordInt64AsyncGauge(handle *Int64AsyncGaugeHandle, incr int64, labels ...string)
}
// Metrics is an experimental legacy alias of the now-stable stats.MetricSet.
diff --git a/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go b/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go
index fbc1ca356a..f38de74a49 100644
--- a/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go
+++ b/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go
@@ -67,6 +67,10 @@ type Balancer struct {
// balancerCurrent before the UpdateSubConnState is called on the
// balancerCurrent.
currentMu sync.Mutex
+
+ // activeGoroutines tracks all the goroutines that this balancer has started
+ // and that should be waited on when the balancer closes.
+ activeGoroutines sync.WaitGroup
}
// swap swaps out the current lb with the pending lb and updates the ClientConn.
@@ -76,7 +80,9 @@ func (gsb *Balancer) swap() {
cur := gsb.balancerCurrent
gsb.balancerCurrent = gsb.balancerPending
gsb.balancerPending = nil
+ gsb.activeGoroutines.Add(1)
go func() {
+ defer gsb.activeGoroutines.Done()
gsb.currentMu.Lock()
defer gsb.currentMu.Unlock()
cur.Close()
@@ -223,15 +229,7 @@ func (gsb *Balancer) ExitIdle() {
// There is no need to protect this read with a mutex, as the write to the
// Balancer field happens in SwitchTo, which completes before this can be
// called.
- if ei, ok := balToUpdate.Balancer.(balancer.ExitIdler); ok {
- ei.ExitIdle()
- return
- }
- gsb.mu.Lock()
- defer gsb.mu.Unlock()
- for sc := range balToUpdate.subconns {
- sc.Connect()
- }
+ balToUpdate.ExitIdle()
}
// updateSubConnState forwards the update to the appropriate child.
@@ -282,6 +280,7 @@ func (gsb *Balancer) Close() {
currentBalancerToClose.Close()
pendingBalancerToClose.Close()
+ gsb.activeGoroutines.Wait()
}
// balancerWrapper wraps a balancer.Balancer, and overrides some Balancer
@@ -332,7 +331,12 @@ func (bw *balancerWrapper) UpdateState(state balancer.State) {
defer bw.gsb.mu.Unlock()
bw.lastState = state
+ // If Close() acquires the mutex before UpdateState(), the balancer
+ // will already have been removed from the current or pending state when
+ // reaching this point.
if !bw.gsb.balancerCurrentOrPending(bw) {
+ // Returning here ensures that (*Balancer).swap() is not invoked after
+ // (*Balancer).Close() and therefore prevents "use after close".
return
}
diff --git a/vendor/google.golang.org/grpc/internal/buffer/unbounded.go b/vendor/google.golang.org/grpc/internal/buffer/unbounded.go
index 11f91668ac..467392b8d4 100644
--- a/vendor/google.golang.org/grpc/internal/buffer/unbounded.go
+++ b/vendor/google.golang.org/grpc/internal/buffer/unbounded.go
@@ -83,6 +83,7 @@ func (b *Unbounded) Load() {
default:
}
} else if b.closing && !b.closed {
+ b.closed = true
close(b.c)
}
}
diff --git a/vendor/google.golang.org/grpc/internal/channelz/trace.go b/vendor/google.golang.org/grpc/internal/channelz/trace.go
index 2bffe47776..3b7ba59662 100644
--- a/vendor/google.golang.org/grpc/internal/channelz/trace.go
+++ b/vendor/google.golang.org/grpc/internal/channelz/trace.go
@@ -194,7 +194,7 @@ func (r RefChannelType) String() string {
// If channelz is not turned ON, this will simply log the event descriptions.
func AddTraceEvent(l grpclog.DepthLoggerV2, e Entity, depth int, desc *TraceEvent) {
// Log only the trace description associated with the bottom most entity.
- d := fmt.Sprintf("[%s]%s", e, desc.Desc)
+ d := fmt.Sprintf("[%s] %s", e, desc.Desc)
switch desc.Severity {
case CtUnknown, CtInfo:
l.InfoDepth(depth+1, d)
diff --git a/vendor/google.golang.org/grpc/internal/credentials/credentials.go b/vendor/google.golang.org/grpc/internal/credentials/credentials.go
index 9deee7f651..48b22d9cf0 100644
--- a/vendor/google.golang.org/grpc/internal/credentials/credentials.go
+++ b/vendor/google.golang.org/grpc/internal/credentials/credentials.go
@@ -20,20 +20,6 @@ import (
"context"
)
-// requestInfoKey is a struct to be used as the key to store RequestInfo in a
-// context.
-type requestInfoKey struct{}
-
-// NewRequestInfoContext creates a context with ri.
-func NewRequestInfoContext(ctx context.Context, ri any) context.Context {
- return context.WithValue(ctx, requestInfoKey{}, ri)
-}
-
-// RequestInfoFromContext extracts the RequestInfo from ctx.
-func RequestInfoFromContext(ctx context.Context) any {
- return ctx.Value(requestInfoKey{})
-}
-
// clientHandshakeInfoKey is a struct used as the key to store
// ClientHandshakeInfo in a context.
type clientHandshakeInfoKey struct{}
diff --git a/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go b/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
index cc5713fd9d..6414ee4bbe 100644
--- a/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
+++ b/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
@@ -26,35 +26,31 @@ import (
)
var (
- // TXTErrIgnore is set if TXT errors should be ignored ("GRPC_GO_IGNORE_TXT_ERRORS" is not "false").
+ // EnableTXTServiceConfig is set if the DNS resolver should perform TXT
+ // lookups for service config ("GRPC_ENABLE_TXT_SERVICE_CONFIG" is not
+ // "false").
+ EnableTXTServiceConfig = boolFromEnv("GRPC_ENABLE_TXT_SERVICE_CONFIG", true)
+
+ // TXTErrIgnore is set if TXT errors should be ignored
+ // ("GRPC_GO_IGNORE_TXT_ERRORS" is not "false").
TXTErrIgnore = boolFromEnv("GRPC_GO_IGNORE_TXT_ERRORS", true)
+
// RingHashCap indicates the maximum ring size which defaults to 4096
// entries but may be overridden by setting the environment variable
// "GRPC_RING_HASH_CAP". This does not override the default bounds
// checking which NACKs configs specifying ring sizes > 8*1024*1024 (~8M).
RingHashCap = uint64FromEnv("GRPC_RING_HASH_CAP", 4096, 1, 8*1024*1024)
- // LeastRequestLB is set if we should support the least_request_experimental
- // LB policy, which can be enabled by setting the environment variable
- // "GRPC_EXPERIMENTAL_ENABLE_LEAST_REQUEST" to "true".
- LeastRequestLB = boolFromEnv("GRPC_EXPERIMENTAL_ENABLE_LEAST_REQUEST", false)
+
// ALTSMaxConcurrentHandshakes is the maximum number of concurrent ALTS
// handshakes that can be performed.
ALTSMaxConcurrentHandshakes = uint64FromEnv("GRPC_ALTS_MAX_CONCURRENT_HANDSHAKES", 100, 1, 100)
+
// EnforceALPNEnabled is set if TLS connections to servers with ALPN disabled
// should be rejected. The HTTP/2 protocol requires ALPN to be enabled, this
// option is present for backward compatibility. This option may be overridden
// by setting the environment variable "GRPC_ENFORCE_ALPN_ENABLED" to "true"
// or "false".
EnforceALPNEnabled = boolFromEnv("GRPC_ENFORCE_ALPN_ENABLED", true)
- // XDSFallbackSupport is the env variable that controls whether support for
- // xDS fallback is turned on. If this is unset or is false, only the first
- // xDS server in the list of server configs will be used.
- XDSFallbackSupport = boolFromEnv("GRPC_EXPERIMENTAL_XDS_FALLBACK", true)
- // NewPickFirstEnabled is set if the new pickfirst leaf policy is to be used
- // instead of the exiting pickfirst implementation. This can be disabled by
- // setting the environment variable "GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST"
- // to "false".
- NewPickFirstEnabled = boolFromEnv("GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST", true)
// XDSEndpointHashKeyBackwardCompat controls the parsing of the endpoint hash
// key from EDS LbEndpoint metadata. Endpoint hash keys can be disabled by
@@ -69,6 +65,23 @@ var (
// to gRFC A76. It can be enabled by setting the environment variable
// "GRPC_EXPERIMENTAL_RING_HASH_SET_REQUEST_HASH_KEY" to "true".
RingHashSetRequestHashKey = boolFromEnv("GRPC_EXPERIMENTAL_RING_HASH_SET_REQUEST_HASH_KEY", false)
+
+ // ALTSHandshakerKeepaliveParams is set if we should add the
+ // KeepaliveParams when dial the ALTS handshaker service.
+ ALTSHandshakerKeepaliveParams = boolFromEnv("GRPC_EXPERIMENTAL_ALTS_HANDSHAKER_KEEPALIVE_PARAMS", false)
+
+ // EnableDefaultPortForProxyTarget controls whether the resolver adds a default port 443
+ // to a target address that lacks one. This flag only has an effect when all of
+ // the following conditions are met:
+ // - A connect proxy is being used.
+ // - Target resolution is disabled.
+ // - The DNS resolver is being used.
+ EnableDefaultPortForProxyTarget = boolFromEnv("GRPC_EXPERIMENTAL_ENABLE_DEFAULT_PORT_FOR_PROXY_TARGET", true)
+
+ // XDSAuthorityRewrite indicates whether xDS authority rewriting is enabled.
+ // This feature is defined in gRFC A81 and is enabled by setting the
+ // environment variable GRPC_EXPERIMENTAL_XDS_AUTHORITY_REWRITE to "true".
+ XDSAuthorityRewrite = boolFromEnv("GRPC_EXPERIMENTAL_XDS_AUTHORITY_REWRITE", false)
)
func boolFromEnv(envVar string, def bool) bool {
diff --git a/vendor/google.golang.org/grpc/internal/envconfig/xds.go b/vendor/google.golang.org/grpc/internal/envconfig/xds.go
index 2eb97f832b..7685d08b54 100644
--- a/vendor/google.golang.org/grpc/internal/envconfig/xds.go
+++ b/vendor/google.golang.org/grpc/internal/envconfig/xds.go
@@ -63,4 +63,20 @@ var (
// For more details, see:
// https://github.com/grpc/proposal/blob/master/A82-xds-system-root-certs.md.
XDSSystemRootCertsEnabled = boolFromEnv("GRPC_EXPERIMENTAL_XDS_SYSTEM_ROOT_CERTS", false)
+
+ // XDSSPIFFEEnabled controls if SPIFFE Bundle Maps can be used as roots of
+ // trust. For more details, see:
+ // https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md
+ XDSSPIFFEEnabled = boolFromEnv("GRPC_EXPERIMENTAL_XDS_MTLS_SPIFFE", false)
+
+ // XDSHTTPConnectEnabled is true if gRPC should parse custom Metadata
+ // configuring use of an HTTP CONNECT proxy via xDS from cluster resources.
+ // For more details, see:
+ // https://github.com/grpc/proposal/blob/master/A86-xds-http-connect.md
+ XDSHTTPConnectEnabled = boolFromEnv("GRPC_EXPERIMENTAL_XDS_HTTP_CONNECT", false)
+
+ // XDSBootstrapCallCredsEnabled controls if call credentials can be used in
+ // xDS bootstrap configuration via the `call_creds` field. For more details,
+ // see: https://github.com/grpc/proposal/blob/master/A97-xds-jwt-call-creds.md
+ XDSBootstrapCallCredsEnabled = boolFromEnv("GRPC_EXPERIMENTAL_XDS_BOOTSTRAP_CALL_CREDS", false)
)
diff --git a/vendor/google.golang.org/grpc/internal/experimental.go b/vendor/google.golang.org/grpc/internal/experimental.go
index 7617be2158..c90cc51bdd 100644
--- a/vendor/google.golang.org/grpc/internal/experimental.go
+++ b/vendor/google.golang.org/grpc/internal/experimental.go
@@ -25,4 +25,8 @@ var (
// BufferPool is implemented by the grpc package and returns a server
// option to configure a shared buffer pool for a grpc.Server.
BufferPool any // func (grpc.SharedBufferPool) grpc.ServerOption
+
+ // AcceptCompressors is implemented by the grpc package and returns
+ // a call option that restricts the grpc-accept-encoding header for a call.
+ AcceptCompressors any // func(...string) grpc.CallOption
)
diff --git a/vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go b/vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go
index 8e8e861280..9b6d8a1fa3 100644
--- a/vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go
+++ b/vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go
@@ -80,25 +80,11 @@ func (cs *CallbackSerializer) ScheduleOr(f func(ctx context.Context), onFailure
func (cs *CallbackSerializer) run(ctx context.Context) {
defer close(cs.done)
- // TODO: when Go 1.21 is the oldest supported version, this loop and Close
- // can be replaced with:
- //
- // context.AfterFunc(ctx, cs.callbacks.Close)
- for ctx.Err() == nil {
- select {
- case <-ctx.Done():
- // Do nothing here. Next iteration of the for loop will not happen,
- // since ctx.Err() would be non-nil.
- case cb := <-cs.callbacks.Get():
- cs.callbacks.Load()
- cb.(func(context.Context))(ctx)
- }
- }
-
- // Close the buffer to prevent new callbacks from being added.
- cs.callbacks.Close()
+ // Close the buffer when the context is canceled
+ // to prevent new callbacks from being added.
+ context.AfterFunc(ctx, cs.callbacks.Close)
- // Run all pending callbacks.
+ // Run all callbacks.
for cb := range cs.callbacks.Get() {
cs.callbacks.Load()
cb.(func(context.Context))(ctx)
diff --git a/vendor/google.golang.org/grpc/internal/grpcsync/event.go b/vendor/google.golang.org/grpc/internal/grpcsync/event.go
index fbe697c376..d788c24930 100644
--- a/vendor/google.golang.org/grpc/internal/grpcsync/event.go
+++ b/vendor/google.golang.org/grpc/internal/grpcsync/event.go
@@ -21,28 +21,25 @@
package grpcsync
import (
- "sync"
"sync/atomic"
)
// Event represents a one-time event that may occur in the future.
type Event struct {
- fired int32
+ fired atomic.Bool
c chan struct{}
- o sync.Once
}
// Fire causes e to complete. It is safe to call multiple times, and
// concurrently. It returns true iff this call to Fire caused the signaling
-// channel returned by Done to close.
+// channel returned by Done to close. If Fire returns false, it is possible
+// the Done channel has not been closed yet.
func (e *Event) Fire() bool {
- ret := false
- e.o.Do(func() {
- atomic.StoreInt32(&e.fired, 1)
+ if e.fired.CompareAndSwap(false, true) {
close(e.c)
- ret = true
- })
- return ret
+ return true
+ }
+ return false
}
// Done returns a channel that will be closed when Fire is called.
@@ -52,7 +49,7 @@ func (e *Event) Done() <-chan struct{} {
// HasFired returns true if Fire has been called.
func (e *Event) HasFired() bool {
- return atomic.LoadInt32(&e.fired) == 1
+ return e.fired.Load()
}
// NewEvent returns a new, ready-to-use Event.
diff --git a/vendor/google.golang.org/grpc/internal/idle/idle.go b/vendor/google.golang.org/grpc/internal/idle/idle.go
index 2c13ee9dac..d3cd24f80b 100644
--- a/vendor/google.golang.org/grpc/internal/idle/idle.go
+++ b/vendor/google.golang.org/grpc/internal/idle/idle.go
@@ -21,7 +21,6 @@
package idle
import (
- "fmt"
"math"
"sync"
"sync/atomic"
@@ -33,15 +32,15 @@ var timeAfterFunc = func(d time.Duration, f func()) *time.Timer {
return time.AfterFunc(d, f)
}
-// Enforcer is the functionality provided by grpc.ClientConn to enter
-// and exit from idle mode.
-type Enforcer interface {
- ExitIdleMode() error
+// ClientConn is the functionality provided by grpc.ClientConn to enter and exit
+// from idle mode.
+type ClientConn interface {
+ ExitIdleMode()
EnterIdleMode()
}
-// Manager implements idleness detection and calls the configured Enforcer to
-// enter/exit idle mode when appropriate. Must be created by NewManager.
+// Manager implements idleness detection and calls the ClientConn to enter/exit
+// idle mode when appropriate. Must be created by NewManager.
type Manager struct {
// State accessed atomically.
lastCallEndTime int64 // Unix timestamp in nanos; time when the most recent RPC completed.
@@ -51,8 +50,8 @@ type Manager struct {
// Can be accessed without atomics or mutex since these are set at creation
// time and read-only after that.
- enforcer Enforcer // Functionality provided by grpc.ClientConn.
- timeout time.Duration
+ cc ClientConn // Functionality provided by grpc.ClientConn.
+ timeout time.Duration
// idleMu is used to guarantee mutual exclusion in two scenarios:
// - Opposing intentions:
@@ -72,9 +71,9 @@ type Manager struct {
// NewManager creates a new idleness manager implementation for the
// given idle timeout. It begins in idle mode.
-func NewManager(enforcer Enforcer, timeout time.Duration) *Manager {
+func NewManager(cc ClientConn, timeout time.Duration) *Manager {
return &Manager{
- enforcer: enforcer,
+ cc: cc,
timeout: timeout,
actuallyIdle: true,
activeCallsCount: -math.MaxInt32,
@@ -127,7 +126,7 @@ func (m *Manager) handleIdleTimeout() {
// Now that we've checked that there has been no activity, attempt to enter
// idle mode, which is very likely to succeed.
- if m.tryEnterIdleMode() {
+ if m.tryEnterIdleMode(true) {
// Successfully entered idle mode. No timer needed until we exit idle.
return
}
@@ -142,10 +141,13 @@ func (m *Manager) handleIdleTimeout() {
// that, it performs a last minute check to ensure that no new RPC has come in,
// making the channel active.
//
+// checkActivity controls if a check for RPC activity, since the last time the
+// idle_timeout fired, is made.
+
// Return value indicates whether or not the channel moved to idle mode.
//
// Holds idleMu which ensures mutual exclusion with exitIdleMode.
-func (m *Manager) tryEnterIdleMode() bool {
+func (m *Manager) tryEnterIdleMode(checkActivity bool) bool {
// Setting the activeCallsCount to -math.MaxInt32 indicates to OnCallBegin()
// that the channel is either in idle mode or is trying to get there.
if !atomic.CompareAndSwapInt32(&m.activeCallsCount, 0, -math.MaxInt32) {
@@ -166,7 +168,7 @@ func (m *Manager) tryEnterIdleMode() bool {
atomic.AddInt32(&m.activeCallsCount, math.MaxInt32)
return false
}
- if atomic.LoadInt32(&m.activeSinceLastTimerCheck) == 1 {
+ if checkActivity && atomic.LoadInt32(&m.activeSinceLastTimerCheck) == 1 {
// A very short RPC could have come in (and also finished) after we
// checked for calls count and activity in handleIdleTimeout(), but
// before the CAS operation. So, we need to check for activity again.
@@ -177,44 +179,37 @@ func (m *Manager) tryEnterIdleMode() bool {
// No new RPCs have come in since we set the active calls count value to
// -math.MaxInt32. And since we have the lock, it is safe to enter idle mode
// unconditionally now.
- m.enforcer.EnterIdleMode()
+ m.cc.EnterIdleMode()
m.actuallyIdle = true
return true
}
// EnterIdleModeForTesting instructs the channel to enter idle mode.
func (m *Manager) EnterIdleModeForTesting() {
- m.tryEnterIdleMode()
+ m.tryEnterIdleMode(false)
}
// OnCallBegin is invoked at the start of every RPC.
-func (m *Manager) OnCallBegin() error {
+func (m *Manager) OnCallBegin() {
if m.isClosed() {
- return nil
+ return
}
if atomic.AddInt32(&m.activeCallsCount, 1) > 0 {
// Channel is not idle now. Set the activity bit and allow the call.
atomic.StoreInt32(&m.activeSinceLastTimerCheck, 1)
- return nil
+ return
}
// Channel is either in idle mode or is in the process of moving to idle
// mode. Attempt to exit idle mode to allow this RPC.
- if err := m.ExitIdleMode(); err != nil {
- // Undo the increment to calls count, and return an error causing the
- // RPC to fail.
- atomic.AddInt32(&m.activeCallsCount, -1)
- return err
- }
-
+ m.ExitIdleMode()
atomic.StoreInt32(&m.activeSinceLastTimerCheck, 1)
- return nil
}
-// ExitIdleMode instructs m to call the enforcer's ExitIdleMode and update m's
+// ExitIdleMode instructs m to call the ClientConn's ExitIdleMode and update its
// internal state.
-func (m *Manager) ExitIdleMode() error {
+func (m *Manager) ExitIdleMode() {
// Holds idleMu which ensures mutual exclusion with tryEnterIdleMode.
m.idleMu.Lock()
defer m.idleMu.Unlock()
@@ -231,12 +226,10 @@ func (m *Manager) ExitIdleMode() error {
// m.ExitIdleMode.
//
// In any case, there is nothing to do here.
- return nil
+ return
}
- if err := m.enforcer.ExitIdleMode(); err != nil {
- return fmt.Errorf("failed to exit idle mode: %w", err)
- }
+ m.cc.ExitIdleMode()
// Undo the idle entry process. This also respects any new RPC attempts.
atomic.AddInt32(&m.activeCallsCount, math.MaxInt32)
@@ -244,7 +237,23 @@ func (m *Manager) ExitIdleMode() error {
// Start a new timer to fire after the configured idle timeout.
m.resetIdleTimerLocked(m.timeout)
- return nil
+}
+
+// UnsafeSetNotIdle instructs the Manager to update its internal state to
+// reflect the reality that the channel is no longer in IDLE mode.
+//
+// N.B. This method is intended only for internal use by the gRPC client
+// when it exits IDLE mode **manually** from `Dial`. The callsite must ensure:
+// - The channel was **actually in IDLE mode** immediately prior to the call.
+// - There is **no concurrent activity** that could cause the channel to exit
+// IDLE mode *naturally* at the same time.
+func (m *Manager) UnsafeSetNotIdle() {
+ m.idleMu.Lock()
+ defer m.idleMu.Unlock()
+
+ atomic.AddInt32(&m.activeCallsCount, math.MaxInt32)
+ m.actuallyIdle = false
+ m.resetIdleTimerLocked(m.timeout)
}
// OnCallEnd is invoked at the end of every RPC.
diff --git a/vendor/google.golang.org/grpc/internal/internal.go b/vendor/google.golang.org/grpc/internal/internal.go
index 2ce012cda1..27bef83d97 100644
--- a/vendor/google.golang.org/grpc/internal/internal.go
+++ b/vendor/google.golang.org/grpc/internal/internal.go
@@ -182,35 +182,6 @@ var (
// other features, including the CSDS service.
NewXDSResolverWithClientForTesting any // func(xdsclient.XDSClient) (resolver.Builder, error)
- // RegisterRLSClusterSpecifierPluginForTesting registers the RLS Cluster
- // Specifier Plugin for testing purposes, regardless of the XDSRLS environment
- // variable.
- //
- // TODO: Remove this function once the RLS env var is removed.
- RegisterRLSClusterSpecifierPluginForTesting func()
-
- // UnregisterRLSClusterSpecifierPluginForTesting unregisters the RLS Cluster
- // Specifier Plugin for testing purposes. This is needed because there is no way
- // to unregister the RLS Cluster Specifier Plugin after registering it solely
- // for testing purposes using RegisterRLSClusterSpecifierPluginForTesting().
- //
- // TODO: Remove this function once the RLS env var is removed.
- UnregisterRLSClusterSpecifierPluginForTesting func()
-
- // RegisterRBACHTTPFilterForTesting registers the RBAC HTTP Filter for testing
- // purposes, regardless of the RBAC environment variable.
- //
- // TODO: Remove this function once the RBAC env var is removed.
- RegisterRBACHTTPFilterForTesting func()
-
- // UnregisterRBACHTTPFilterForTesting unregisters the RBAC HTTP Filter for
- // testing purposes. This is needed because there is no way to unregister the
- // HTTP Filter after registering it solely for testing purposes using
- // RegisterRBACHTTPFilterForTesting().
- //
- // TODO: Remove this function once the RBAC env var is removed.
- UnregisterRBACHTTPFilterForTesting func()
-
// ORCAAllowAnyMinReportingInterval is for examples/orca use ONLY.
ORCAAllowAnyMinReportingInterval any // func(so *orca.ServiceOptions)
@@ -266,6 +237,17 @@ var (
TimeAfterFunc = func(d time.Duration, f func()) Timer {
return time.AfterFunc(d, f)
}
+
+ // NewStreamWaitingForResolver is a test hook that is triggered when a
+ // new stream blocks while waiting for name resolution. This can be
+ // used in tests to synchronize resolver updates and avoid race conditions.
+ // When set, the function will be called before the stream enters
+ // the blocking state.
+ NewStreamWaitingForResolver = func() {}
+
+ // AddressToTelemetryLabels is an xDS-provided function to extract telemetry
+ // labels from a resolver.Address. Callers must assert its type before calling.
+ AddressToTelemetryLabels any // func(addr resolver.Address) map[string]string
)
// HealthChecker defines the signature of the client-side LB channel health
diff --git a/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go b/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
index 20b8fb098a..5bfa67b726 100644
--- a/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
+++ b/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
@@ -22,11 +22,13 @@ package delegatingresolver
import (
"fmt"
+ "net"
"net/http"
"net/url"
"sync"
"google.golang.org/grpc/grpclog"
+ "google.golang.org/grpc/internal/envconfig"
"google.golang.org/grpc/internal/proxyattributes"
"google.golang.org/grpc/internal/transport"
"google.golang.org/grpc/internal/transport/networktype"
@@ -40,6 +42,8 @@ var (
HTTPSProxyFromEnvironment = http.ProxyFromEnvironment
)
+const defaultPort = "443"
+
// delegatingResolver manages both target URI and proxy address resolution by
// delegating these tasks to separate child resolvers. Essentially, it acts as
// an intermediary between the gRPC ClientConn and the child resolvers.
@@ -107,10 +111,18 @@ func New(target resolver.Target, cc resolver.ClientConn, opts resolver.BuildOpti
targetResolver: nopResolver{},
}
+ addr := target.Endpoint()
var err error
- r.proxyURL, err = proxyURLForTarget(target.Endpoint())
+ if target.URL.Scheme == "dns" && !targetResolutionEnabled && envconfig.EnableDefaultPortForProxyTarget {
+ addr, err = parseTarget(addr)
+ if err != nil {
+ return nil, fmt.Errorf("delegating_resolver: invalid target address %q: %v", target.Endpoint(), err)
+ }
+ }
+
+ r.proxyURL, err = proxyURLForTarget(addr)
if err != nil {
- return nil, fmt.Errorf("delegating_resolver: failed to determine proxy URL for target %s: %v", target, err)
+ return nil, fmt.Errorf("delegating_resolver: failed to determine proxy URL for target %q: %v", target, err)
}
// proxy is not configured or proxy address excluded using `NO_PROXY` env
@@ -132,8 +144,8 @@ func New(target resolver.Target, cc resolver.ClientConn, opts resolver.BuildOpti
// bypass the target resolver and store the unresolved target address.
if target.URL.Scheme == "dns" && !targetResolutionEnabled {
r.targetResolverState = &resolver.State{
- Addresses: []resolver.Address{{Addr: target.Endpoint()}},
- Endpoints: []resolver.Endpoint{{Addresses: []resolver.Address{{Addr: target.Endpoint()}}}},
+ Addresses: []resolver.Address{{Addr: addr}},
+ Endpoints: []resolver.Endpoint{{Addresses: []resolver.Address{{Addr: addr}}}},
}
r.updateTargetResolverState(*r.targetResolverState)
return r, nil
@@ -202,6 +214,44 @@ func needsProxyResolver(state *resolver.State) bool {
return false
}
+// parseTarget takes a target string and ensures it is a valid "host:port" target.
+//
+// It does the following:
+// 1. If the target already has a port (e.g., "host:port", "[ipv6]:port"),
+// it is returned as is.
+// 2. If the host part is empty (e.g., ":80"), it defaults to "localhost",
+// returning "localhost:80".
+// 3. If the target is missing a port (e.g., "host", "ipv6"), the defaultPort
+// is added.
+//
+// An error is returned for empty targets or targets with a trailing colon
+// but no port (e.g., "host:").
+func parseTarget(target string) (string, error) {
+ if target == "" {
+ return "", fmt.Errorf("missing address")
+ }
+
+ host, port, err := net.SplitHostPort(target)
+ if err != nil {
+ // If SplitHostPort fails, it's likely because the port is missing.
+ // We append the default port and return the result.
+ return net.JoinHostPort(target, defaultPort), nil
+ }
+
+ // If SplitHostPort succeeds, we check for edge cases.
+ if port == "" {
+ // A success with an empty port means the target had a trailing colon,
+ // e.g., "host:", which is an error.
+ return "", fmt.Errorf("missing port after port-separator colon")
+ }
+ if host == "" {
+ // A success with an empty host means the target was like ":80".
+ // We default the host to "localhost".
+ host = "localhost"
+ }
+ return net.JoinHostPort(host, port), nil
+}
+
func skipProxy(address resolver.Address) bool {
// Avoid proxy when network is not tcp.
networkType, ok := networktype.Get(address)
diff --git a/vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go b/vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go
index ba5c5a95d0..ada5251cff 100644
--- a/vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go
+++ b/vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go
@@ -132,13 +132,13 @@ func (b *dnsBuilder) Build(target resolver.Target, cc resolver.ClientConn, opts
// DNS address (non-IP).
ctx, cancel := context.WithCancel(context.Background())
d := &dnsResolver{
- host: host,
- port: port,
- ctx: ctx,
- cancel: cancel,
- cc: cc,
- rn: make(chan struct{}, 1),
- disableServiceConfig: opts.DisableServiceConfig,
+ host: host,
+ port: port,
+ ctx: ctx,
+ cancel: cancel,
+ cc: cc,
+ rn: make(chan struct{}, 1),
+ enableServiceConfig: envconfig.EnableTXTServiceConfig && !opts.DisableServiceConfig,
}
d.resolver, err = internal.NewNetResolver(target.URL.Host)
@@ -181,8 +181,8 @@ type dnsResolver struct {
// finishes, race detector sometimes will warn lookup (READ the lookup
// function pointers) inside watcher() goroutine has data race with
// replaceNetFunc (WRITE the lookup function pointers).
- wg sync.WaitGroup
- disableServiceConfig bool
+ wg sync.WaitGroup
+ enableServiceConfig bool
}
// ResolveNow invoke an immediate resolution of the target that this
@@ -346,7 +346,7 @@ func (d *dnsResolver) lookup() (*resolver.State, error) {
if len(srv) > 0 {
state = grpclbstate.Set(state, &grpclbstate.State{BalancerAddresses: srv})
}
- if !d.disableServiceConfig {
+ if d.enableServiceConfig {
state.ServiceConfig = d.lookupTXT(ctx)
}
return &state, nil
diff --git a/vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go b/vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go
index 79044657be..d5f7e4d62d 100644
--- a/vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go
+++ b/vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go
@@ -64,6 +64,16 @@ func (l *MetricsRecorderList) RecordInt64Count(handle *estats.Int64CountHandle,
}
}
+// RecordInt64UpDownCount records the measurement alongside labels on the int
+// count associated with the provided handle.
+func (l *MetricsRecorderList) RecordInt64UpDownCount(handle *estats.Int64UpDownCountHandle, incr int64, labels ...string) {
+ verifyLabels(handle.Descriptor(), labels...)
+
+ for _, metricRecorder := range l.metricsRecorders {
+ metricRecorder.RecordInt64UpDownCount(handle, incr, labels...)
+ }
+}
+
// RecordFloat64Count records the measurement alongside labels on the float
// count associated with the provided handle.
func (l *MetricsRecorderList) RecordFloat64Count(handle *estats.Float64CountHandle, incr float64, labels ...string) {
diff --git a/vendor/google.golang.org/grpc/internal/stats/stats.go b/vendor/google.golang.org/grpc/internal/stats/stats.go
new file mode 100644
index 0000000000..49019b80d1
--- /dev/null
+++ b/vendor/google.golang.org/grpc/internal/stats/stats.go
@@ -0,0 +1,70 @@
+/*
+ *
+ * Copyright 2025 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package stats
+
+import (
+ "context"
+
+ "google.golang.org/grpc/stats"
+)
+
+type combinedHandler struct {
+ handlers []stats.Handler
+}
+
+// NewCombinedHandler combines multiple stats.Handlers into a single handler.
+//
+// It returns nil if no handlers are provided. If only one handler is
+// provided, it is returned directly without wrapping.
+func NewCombinedHandler(handlers ...stats.Handler) stats.Handler {
+ switch len(handlers) {
+ case 0:
+ return nil
+ case 1:
+ return handlers[0]
+ default:
+ return &combinedHandler{handlers: handlers}
+ }
+}
+
+func (ch *combinedHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) context.Context {
+ for _, h := range ch.handlers {
+ ctx = h.TagRPC(ctx, info)
+ }
+ return ctx
+}
+
+func (ch *combinedHandler) HandleRPC(ctx context.Context, stats stats.RPCStats) {
+ for _, h := range ch.handlers {
+ h.HandleRPC(ctx, stats)
+ }
+}
+
+func (ch *combinedHandler) TagConn(ctx context.Context, info *stats.ConnTagInfo) context.Context {
+ for _, h := range ch.handlers {
+ ctx = h.TagConn(ctx, info)
+ }
+ return ctx
+}
+
+func (ch *combinedHandler) HandleConn(ctx context.Context, stats stats.ConnStats) {
+ for _, h := range ch.handlers {
+ h.HandleConn(ctx, stats)
+ }
+}
diff --git a/vendor/google.golang.org/grpc/internal/status/status.go b/vendor/google.golang.org/grpc/internal/status/status.go
index 1186f1e9a9..aad171cd02 100644
--- a/vendor/google.golang.org/grpc/internal/status/status.go
+++ b/vendor/google.golang.org/grpc/internal/status/status.go
@@ -236,3 +236,11 @@ func IsRestrictedControlPlaneCode(s *Status) bool {
}
return false
}
+
+// RawStatusProto returns the internal protobuf message for use by gRPC itself.
+func RawStatusProto(s *Status) *spb.Status {
+ if s == nil {
+ return nil
+ }
+ return s.s
+}
diff --git a/vendor/google.golang.org/grpc/internal/transport/client_stream.go b/vendor/google.golang.org/grpc/internal/transport/client_stream.go
index ccc0e017e5..980452519e 100644
--- a/vendor/google.golang.org/grpc/internal/transport/client_stream.go
+++ b/vendor/google.golang.org/grpc/internal/transport/client_stream.go
@@ -29,25 +29,27 @@ import (
// ClientStream implements streaming functionality for a gRPC client.
type ClientStream struct {
- *Stream // Embed for common stream functionality.
+ Stream // Embed for common stream functionality.
ct *http2Client
done chan struct{} // closed at the end of stream to unblock writers.
doneFunc func() // invoked at the end of stream.
- headerChan chan struct{} // closed to indicate the end of header metadata.
- headerChanClosed uint32 // set when headerChan is closed. Used to avoid closing headerChan multiple times.
+ headerChan chan struct{} // closed to indicate the end of header metadata.
+ header metadata.MD // the received header metadata
+
+ status *status.Status // the status error received from the server
+
+ // Non-pointer fields are at the end to optimize GC allocations.
+
// headerValid indicates whether a valid header was received. Only
// meaningful after headerChan is closed (always call waitOnHeader() before
// reading its value).
- headerValid bool
- header metadata.MD // the received header metadata
- noHeaders bool // set if the client never received headers (set only after the stream is done).
-
- bytesReceived atomic.Bool // indicates whether any bytes have been received on this stream
- unprocessed atomic.Bool // set if the server sends a refused stream or GOAWAY including this stream
-
- status *status.Status // the status error received from the server
+ headerValid bool
+ noHeaders bool // set if the client never received headers (set only after the stream is done).
+ headerChanClosed uint32 // set when headerChan is closed. Used to avoid closing headerChan multiple times.
+ bytesReceived atomic.Bool // indicates whether any bytes have been received on this stream
+ unprocessed atomic.Bool // set if the server sends a refused stream or GOAWAY including this stream
}
// Read reads an n byte message from the input stream.
@@ -142,3 +144,11 @@ func (s *ClientStream) TrailersOnly() bool {
func (s *ClientStream) Status() *status.Status {
return s.status
}
+
+func (s *ClientStream) requestRead(n int) {
+ s.ct.adjustWindow(s, uint32(n))
+}
+
+func (s *ClientStream) updateWindow(n int) {
+ s.ct.updateWindow(s, uint32(n))
+}
diff --git a/vendor/google.golang.org/grpc/internal/transport/controlbuf.go b/vendor/google.golang.org/grpc/internal/transport/controlbuf.go
index ef72fbb3a0..2dcd1e63bd 100644
--- a/vendor/google.golang.org/grpc/internal/transport/controlbuf.go
+++ b/vendor/google.golang.org/grpc/internal/transport/controlbuf.go
@@ -40,6 +40,13 @@ var updateHeaderTblSize = func(e *hpack.Encoder, v uint32) {
e.SetMaxDynamicTableSizeLimit(v)
}
+// itemNodePool is used to reduce heap allocations.
+var itemNodePool = sync.Pool{
+ New: func() any {
+ return &itemNode{}
+ },
+}
+
type itemNode struct {
it any
next *itemNode
@@ -51,7 +58,9 @@ type itemList struct {
}
func (il *itemList) enqueue(i any) {
- n := &itemNode{it: i}
+ n := itemNodePool.Get().(*itemNode)
+ n.next = nil
+ n.it = i
if il.tail == nil {
il.head, il.tail = n, n
return
@@ -71,7 +80,9 @@ func (il *itemList) dequeue() any {
return nil
}
i := il.head.it
+ temp := il.head
il.head = il.head.next
+ itemNodePool.Put(temp)
if il.head == nil {
il.tail = nil
}
@@ -146,10 +157,11 @@ type earlyAbortStream struct {
func (*earlyAbortStream) isTransportResponseFrame() bool { return false }
type dataFrame struct {
- streamID uint32
- endStream bool
- h []byte
- reader mem.Reader
+ streamID uint32
+ endStream bool
+ h []byte
+ data mem.BufferSlice
+ processing bool
// onEachWrite is called every time
// a part of data is written out.
onEachWrite func()
@@ -234,6 +246,7 @@ type outStream struct {
itl *itemList
bytesOutStanding int
wq *writeQuota
+ reader mem.Reader
next *outStream
prev *outStream
@@ -461,7 +474,9 @@ func (c *controlBuffer) finish() {
v.onOrphaned(ErrConnClosing)
}
case *dataFrame:
- _ = v.reader.Close()
+ if !v.processing {
+ v.data.Free()
+ }
}
}
@@ -481,6 +496,16 @@ const (
serverSide
)
+// maxWriteBufSize is the maximum length (number of elements) the cached
+// writeBuf can grow to. The length depends on the number of buffers
+// contained within the BufferSlice produced by the codec, which is
+// generally small.
+//
+// If a writeBuf larger than this limit is required, it will be allocated
+// and freed after use, rather than being cached. This avoids holding
+// on to large amounts of memory.
+const maxWriteBufSize = 64
+
// Loopy receives frames from the control buffer.
// Each frame is handled individually; most of the work done by loopy goes
// into handling data frames. Loopy maintains a queue of active streams, and each
@@ -515,6 +540,8 @@ type loopyWriter struct {
// Side-specific handlers
ssGoAwayHandler func(*goAway) (bool, error)
+
+ writeBuf [][]byte // cached slice to avoid heap allocations for calls to mem.Reader.Peek.
}
func newLoopyWriter(s side, fr *framer, cbuf *controlBuffer, bdpEst *bdpEstimator, conn net.Conn, logger *grpclog.PrefixLogger, goAwayHandler func(*goAway) (bool, error), bufferPool mem.BufferPool) *loopyWriter {
@@ -790,10 +817,13 @@ func (l *loopyWriter) cleanupStreamHandler(c *cleanupStream) error {
// a RST_STREAM before stream initialization thus the stream might
// not be established yet.
delete(l.estdStreams, c.streamID)
+ str.reader.Close()
str.deleteSelf()
for head := str.itl.dequeueAll(); head != nil; head = head.next {
if df, ok := head.it.(*dataFrame); ok {
- _ = df.reader.Close()
+ if !df.processing {
+ df.data.Free()
+ }
}
}
}
@@ -928,7 +958,13 @@ func (l *loopyWriter) processData() (bool, error) {
if str == nil {
return true, nil
}
+ reader := &str.reader
dataItem := str.itl.peek().(*dataFrame) // Peek at the first data item this stream.
+ if !dataItem.processing {
+ dataItem.processing = true
+ reader.Reset(dataItem.data)
+ dataItem.data.Free()
+ }
// A data item is represented by a dataFrame, since it later translates into
// multiple HTTP2 data frames.
// Every dataFrame has two buffers; h that keeps grpc-message header and data
@@ -936,13 +972,13 @@ func (l *loopyWriter) processData() (bool, error) {
// from data is copied to h to make as big as the maximum possible HTTP2 frame
// size.
- if len(dataItem.h) == 0 && dataItem.reader.Remaining() == 0 { // Empty data frame
+ if len(dataItem.h) == 0 && reader.Remaining() == 0 { // Empty data frame
// Client sends out empty data frame with endStream = true
- if err := l.framer.fr.WriteData(dataItem.streamID, dataItem.endStream, nil); err != nil {
+ if err := l.framer.writeData(dataItem.streamID, dataItem.endStream, nil); err != nil {
return false, err
}
str.itl.dequeue() // remove the empty data item from stream
- _ = dataItem.reader.Close()
+ reader.Close()
if str.itl.isEmpty() {
str.state = empty
} else if trailer, ok := str.itl.peek().(*headerFrame); ok { // the next item is trailers.
@@ -971,29 +1007,24 @@ func (l *loopyWriter) processData() (bool, error) {
}
// Compute how much of the header and data we can send within quota and max frame length
hSize := min(maxSize, len(dataItem.h))
- dSize := min(maxSize-hSize, dataItem.reader.Remaining())
- remainingBytes := len(dataItem.h) + dataItem.reader.Remaining() - hSize - dSize
+ dSize := min(maxSize-hSize, reader.Remaining())
+ remainingBytes := len(dataItem.h) + reader.Remaining() - hSize - dSize
size := hSize + dSize
- var buf *[]byte
-
- if hSize != 0 && dSize == 0 {
- buf = &dataItem.h
- } else {
- // Note: this is only necessary because the http2.Framer does not support
- // partially writing a frame, so the sequence must be materialized into a buffer.
- // TODO: Revisit once https://github.com/golang/go/issues/66655 is addressed.
- pool := l.bufferPool
- if pool == nil {
- // Note that this is only supposed to be nil in tests. Otherwise, stream is
- // always initialized with a BufferPool.
- pool = mem.DefaultBufferPool()
+ l.writeBuf = l.writeBuf[:0]
+ if hSize > 0 {
+ l.writeBuf = append(l.writeBuf, dataItem.h[:hSize])
+ }
+ if dSize > 0 {
+ var err error
+ l.writeBuf, err = reader.Peek(dSize, l.writeBuf)
+ if err != nil {
+ // This must never happen since the reader must have at least dSize
+ // bytes.
+ // Log an error to fail tests.
+ l.logger.Errorf("unexpected error while reading Data frame payload: %v", err)
+ return false, err
}
- buf = pool.Get(size)
- defer pool.Put(buf)
-
- copy((*buf)[:hSize], dataItem.h)
- _, _ = dataItem.reader.Read((*buf)[hSize:])
}
// Now that outgoing flow controls are checked we can replenish str's write quota
@@ -1006,7 +1037,14 @@ func (l *loopyWriter) processData() (bool, error) {
if dataItem.onEachWrite != nil {
dataItem.onEachWrite()
}
- if err := l.framer.fr.WriteData(dataItem.streamID, endStream, (*buf)[:size]); err != nil {
+ err := l.framer.writeData(dataItem.streamID, endStream, l.writeBuf)
+ reader.Discard(dSize)
+ if cap(l.writeBuf) > maxWriteBufSize {
+ l.writeBuf = nil
+ } else {
+ clear(l.writeBuf)
+ }
+ if err != nil {
return false, err
}
str.bytesOutStanding += size
@@ -1014,7 +1052,7 @@ func (l *loopyWriter) processData() (bool, error) {
dataItem.h = dataItem.h[hSize:]
if remainingBytes == 0 { // All the data from that message was written out.
- _ = dataItem.reader.Close()
+ reader.Close()
str.itl.dequeue()
}
if str.itl.isEmpty() {
diff --git a/vendor/google.golang.org/grpc/internal/transport/flowcontrol.go b/vendor/google.golang.org/grpc/internal/transport/flowcontrol.go
index dfc0f224ec..7cfbc9637b 100644
--- a/vendor/google.golang.org/grpc/internal/transport/flowcontrol.go
+++ b/vendor/google.golang.org/grpc/internal/transport/flowcontrol.go
@@ -28,7 +28,7 @@ import (
// writeQuota is a soft limit on the amount of data a stream can
// schedule before some of it is written out.
type writeQuota struct {
- quota int32
+ _ noCopy
// get waits on read from when quota goes less than or equal to zero.
// replenish writes on it when quota goes positive again.
ch chan struct{}
@@ -38,16 +38,17 @@ type writeQuota struct {
// It is implemented as a field so that it can be updated
// by tests.
replenish func(n int)
+ quota int32
}
-func newWriteQuota(sz int32, done <-chan struct{}) *writeQuota {
- w := &writeQuota{
- quota: sz,
- ch: make(chan struct{}, 1),
- done: done,
- }
+// init allows a writeQuota to be initialized in-place, which is useful for
+// resetting a buffer or for avoiding a heap allocation when the buffer is
+// embedded in another struct.
+func (w *writeQuota) init(sz int32, done <-chan struct{}) {
+ w.quota = sz
+ w.ch = make(chan struct{}, 1)
+ w.done = done
w.replenish = w.realReplenish
- return w
}
func (w *writeQuota) get(sz int32) error {
@@ -67,9 +68,9 @@ func (w *writeQuota) get(sz int32) error {
func (w *writeQuota) realReplenish(n int) {
sz := int32(n)
- a := atomic.AddInt32(&w.quota, sz)
- b := a - sz
- if b <= 0 && a > 0 {
+ newQuota := atomic.AddInt32(&w.quota, sz)
+ previousQuota := newQuota - sz
+ if previousQuota <= 0 && newQuota > 0 {
select {
case w.ch <- struct{}{}:
default:
diff --git a/vendor/google.golang.org/grpc/internal/transport/handler_server.go b/vendor/google.golang.org/grpc/internal/transport/handler_server.go
index 3dea235735..7ab3422b8a 100644
--- a/vendor/google.golang.org/grpc/internal/transport/handler_server.go
+++ b/vendor/google.golang.org/grpc/internal/transport/handler_server.go
@@ -50,7 +50,7 @@ import (
// NewServerHandlerTransport returns a ServerTransport handling gRPC from
// inside an http.Handler, or writes an HTTP error to w and returns an error.
// It requires that the http Server supports HTTP/2.
-func NewServerHandlerTransport(w http.ResponseWriter, r *http.Request, stats []stats.Handler, bufferPool mem.BufferPool) (ServerTransport, error) {
+func NewServerHandlerTransport(w http.ResponseWriter, r *http.Request, stats stats.Handler, bufferPool mem.BufferPool) (ServerTransport, error) {
if r.Method != http.MethodPost {
w.Header().Set("Allow", http.MethodPost)
msg := fmt.Sprintf("invalid gRPC request method %q", r.Method)
@@ -170,7 +170,7 @@ type serverHandlerTransport struct {
// TODO make sure this is consistent across handler_server and http2_server
contentSubtype string
- stats []stats.Handler
+ stats stats.Handler
logger *grpclog.PrefixLogger
bufferPool mem.BufferPool
@@ -274,14 +274,14 @@ func (ht *serverHandlerTransport) writeStatus(s *ServerStream, st *status.Status
}
})
- if err == nil { // transport has not been closed
+ if err == nil && ht.stats != nil { // transport has not been closed
// Note: The trailer fields are compressed with hpack after this call returns.
// No WireLength field is set here.
- for _, sh := range ht.stats {
- sh.HandleRPC(s.Context(), &stats.OutTrailer{
- Trailer: s.trailer.Copy(),
- })
- }
+ s.hdrMu.Lock()
+ ht.stats.HandleRPC(s.Context(), &stats.OutTrailer{
+ Trailer: s.trailer.Copy(),
+ })
+ s.hdrMu.Unlock()
}
ht.Close(errors.New("finished writing status"))
return err
@@ -372,19 +372,23 @@ func (ht *serverHandlerTransport) writeHeader(s *ServerStream, md metadata.MD) e
ht.rw.(http.Flusher).Flush()
})
- if err == nil {
- for _, sh := range ht.stats {
- // Note: The header fields are compressed with hpack after this call returns.
- // No WireLength field is set here.
- sh.HandleRPC(s.Context(), &stats.OutHeader{
- Header: md.Copy(),
- Compression: s.sendCompress,
- })
- }
+ if err == nil && ht.stats != nil {
+ // Note: The header fields are compressed with hpack after this call returns.
+ // No WireLength field is set here.
+ ht.stats.HandleRPC(s.Context(), &stats.OutHeader{
+ Header: md.Copy(),
+ Compression: s.sendCompress,
+ })
}
return err
}
+func (ht *serverHandlerTransport) adjustWindow(*ServerStream, uint32) {
+}
+
+func (ht *serverHandlerTransport) updateWindow(*ServerStream, uint32) {
+}
+
func (ht *serverHandlerTransport) HandleStreams(ctx context.Context, startStream func(*ServerStream)) {
// With this transport type there will be exactly 1 stream: this HTTP request.
var cancel context.CancelFunc
@@ -409,11 +413,9 @@ func (ht *serverHandlerTransport) HandleStreams(ctx context.Context, startStream
ctx = metadata.NewIncomingContext(ctx, ht.headerMD)
req := ht.req
s := &ServerStream{
- Stream: &Stream{
+ Stream: Stream{
id: 0, // irrelevant
ctx: ctx,
- requestRead: func(int) {},
- buf: newRecvBuffer(),
method: req.URL.Path,
recvCompress: req.Header.Get("grpc-encoding"),
contentSubtype: ht.contentSubtype,
@@ -422,9 +424,11 @@ func (ht *serverHandlerTransport) HandleStreams(ctx context.Context, startStream
st: ht,
headerWireLength: 0, // won't have access to header wire length until golang/go#18997.
}
- s.trReader = &transportReader{
- reader: &recvBufferReader{ctx: s.ctx, ctxDone: s.ctx.Done(), recv: s.buf},
- windowHandler: func(int) {},
+ s.Stream.buf.init()
+ s.readRequester = s
+ s.trReader = transportReader{
+ reader: recvBufferReader{ctx: s.ctx, ctxDone: s.ctx.Done(), recv: &s.buf},
+ windowHandler: s,
}
// readerDone is closed when the Body.Read-ing goroutine exits.
diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_client.go b/vendor/google.golang.org/grpc/internal/transport/http2_client.go
index 171e690a3f..38ca031af6 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http2_client.go
+++ b/vendor/google.golang.org/grpc/internal/transport/http2_client.go
@@ -44,6 +44,7 @@ import (
"google.golang.org/grpc/internal/grpcutil"
imetadata "google.golang.org/grpc/internal/metadata"
"google.golang.org/grpc/internal/proxyattributes"
+ istats "google.golang.org/grpc/internal/stats"
istatus "google.golang.org/grpc/internal/status"
isyscall "google.golang.org/grpc/internal/syscall"
"google.golang.org/grpc/internal/transport/networktype"
@@ -105,7 +106,7 @@ type http2Client struct {
kp keepalive.ClientParameters
keepaliveEnabled bool
- statsHandlers []stats.Handler
+ statsHandler stats.Handler
initialWindowSize int32
@@ -309,11 +310,9 @@ func NewHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts
scheme = "https"
}
}
- dynamicWindow := true
icwz := int32(initialWindowSize)
if opts.InitialConnWindowSize >= defaultWindowSize {
icwz = opts.InitialConnWindowSize
- dynamicWindow = false
}
writeBufSize := opts.WriteBufferSize
readBufSize := opts.ReadBufferSize
@@ -337,14 +336,14 @@ func NewHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts
writerDone: make(chan struct{}),
goAway: make(chan struct{}),
keepaliveDone: make(chan struct{}),
- framer: newFramer(conn, writeBufSize, readBufSize, opts.SharedWriteBuffer, maxHeaderListSize),
+ framer: newFramer(conn, writeBufSize, readBufSize, opts.SharedWriteBuffer, maxHeaderListSize, opts.BufferPool),
fc: &trInFlow{limit: uint32(icwz)},
scheme: scheme,
activeStreams: make(map[uint32]*ClientStream),
isSecure: isSecure,
perRPCCreds: perRPCCreds,
kp: kp,
- statsHandlers: opts.StatsHandlers,
+ statsHandler: istats.NewCombinedHandler(opts.StatsHandlers...),
initialWindowSize: initialWindowSize,
nextID: 1,
maxConcurrentStreams: defaultMaxStreamsClient,
@@ -371,7 +370,7 @@ func NewHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts
})
t.logger = prefixLoggerForClientTransport(t)
// Add peer information to the http2client context.
- t.ctx = peer.NewContext(t.ctx, t.getPeer())
+ t.ctx = peer.NewContext(t.ctx, t.Peer())
if md, ok := addr.Metadata.(*metadata.MD); ok {
t.md = *md
@@ -381,23 +380,21 @@ func NewHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts
t.controlBuf = newControlBuffer(t.ctxDone)
if opts.InitialWindowSize >= defaultWindowSize {
t.initialWindowSize = opts.InitialWindowSize
- dynamicWindow = false
}
- if dynamicWindow {
+ if !opts.StaticWindowSize {
t.bdpEst = &bdpEstimator{
bdp: initialWindowSize,
updateFlowControl: t.updateFlowControl,
}
}
- for _, sh := range t.statsHandlers {
- t.ctx = sh.TagConn(t.ctx, &stats.ConnTagInfo{
+ if t.statsHandler != nil {
+ t.ctx = t.statsHandler.TagConn(t.ctx, &stats.ConnTagInfo{
RemoteAddr: t.remoteAddr,
LocalAddr: t.localAddr,
})
- connBegin := &stats.ConnBegin{
+ t.statsHandler.HandleConn(t.ctx, &stats.ConnBegin{
Client: true,
- }
- sh.HandleConn(t.ctx, connBegin)
+ })
}
if t.keepaliveEnabled {
t.kpDormancyCond = sync.NewCond(&t.mu)
@@ -484,10 +481,9 @@ func NewHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts
func (t *http2Client) newStream(ctx context.Context, callHdr *CallHdr) *ClientStream {
// TODO(zhaoq): Handle uint32 overflow of Stream.id.
s := &ClientStream{
- Stream: &Stream{
+ Stream: Stream{
method: callHdr.Method,
sendCompress: callHdr.SendCompress,
- buf: newRecvBuffer(),
contentSubtype: callHdr.ContentSubtype,
},
ct: t,
@@ -495,31 +491,26 @@ func (t *http2Client) newStream(ctx context.Context, callHdr *CallHdr) *ClientSt
headerChan: make(chan struct{}),
doneFunc: callHdr.DoneFunc,
}
- s.wq = newWriteQuota(defaultWriteQuota, s.done)
- s.requestRead = func(n int) {
- t.adjustWindow(s, uint32(n))
- }
+ s.Stream.buf.init()
+ s.Stream.wq.init(defaultWriteQuota, s.done)
+ s.readRequester = s
// The client side stream context should have exactly the same life cycle with the user provided context.
// That means, s.ctx should be read-only. And s.ctx is done iff ctx is done.
// So we use the original context here instead of creating a copy.
s.ctx = ctx
- s.trReader = &transportReader{
- reader: &recvBufferReader{
- ctx: s.ctx,
- ctxDone: s.ctx.Done(),
- recv: s.buf,
- closeStream: func(err error) {
- s.Close(err)
- },
- },
- windowHandler: func(n int) {
- t.updateWindow(s, uint32(n))
+ s.trReader = transportReader{
+ reader: recvBufferReader{
+ ctx: s.ctx,
+ ctxDone: s.ctx.Done(),
+ recv: &s.buf,
+ clientStream: s,
},
+ windowHandler: s,
}
return s
}
-func (t *http2Client) getPeer() *peer.Peer {
+func (t *http2Client) Peer() *peer.Peer {
return &peer.Peer{
Addr: t.remoteAddr,
AuthInfo: t.authInfo, // Can be nil
@@ -545,7 +536,7 @@ func (t *http2Client) createHeaderFields(ctx context.Context, callHdr *CallHdr)
Method: callHdr.Method,
AuthInfo: t.authInfo,
}
- ctxWithRequestInfo := icredentials.NewRequestInfoContext(ctx, ri)
+ ctxWithRequestInfo := credentials.NewContextWithRequestInfo(ctx, ri)
authData, err := t.getTrAuthData(ctxWithRequestInfo, aud)
if err != nil {
return nil, err
@@ -559,6 +550,22 @@ func (t *http2Client) createHeaderFields(ctx context.Context, callHdr *CallHdr)
// Make the slice of certain predictable size to reduce allocations made by append.
hfLen := 7 // :method, :scheme, :path, :authority, content-type, user-agent, te
hfLen += len(authData) + len(callAuthData)
+ registeredCompressors := t.registeredCompressors
+ if callHdr.AcceptedCompressors != nil {
+ registeredCompressors = *callHdr.AcceptedCompressors
+ }
+ if callHdr.PreviousAttempts > 0 {
+ hfLen++
+ }
+ if callHdr.SendCompress != "" {
+ hfLen++
+ }
+ if registeredCompressors != "" {
+ hfLen++
+ }
+ if _, ok := ctx.Deadline(); ok {
+ hfLen++
+ }
headerFields := make([]hpack.HeaderField, 0, hfLen)
headerFields = append(headerFields, hpack.HeaderField{Name: ":method", Value: "POST"})
headerFields = append(headerFields, hpack.HeaderField{Name: ":scheme", Value: t.scheme})
@@ -571,7 +578,6 @@ func (t *http2Client) createHeaderFields(ctx context.Context, callHdr *CallHdr)
headerFields = append(headerFields, hpack.HeaderField{Name: "grpc-previous-rpc-attempts", Value: strconv.Itoa(callHdr.PreviousAttempts)})
}
- registeredCompressors := t.registeredCompressors
if callHdr.SendCompress != "" {
headerFields = append(headerFields, hpack.HeaderField{Name: "grpc-encoding", Value: callHdr.SendCompress})
// Include the outgoing compressor name when compressor is not registered
@@ -592,6 +598,9 @@ func (t *http2Client) createHeaderFields(ctx context.Context, callHdr *CallHdr)
// Send out timeout regardless its value. The server can detect timeout context by itself.
// TODO(mmukhi): Perhaps this field should be updated when actually writing out to the wire.
timeout := time.Until(dl)
+ if timeout <= 0 {
+ return nil, status.Error(codes.DeadlineExceeded, context.DeadlineExceeded.Error())
+ }
headerFields = append(headerFields, hpack.HeaderField{Name: "grpc-timeout", Value: grpcutil.EncodeDuration(timeout)})
}
for k, v := range authData {
@@ -736,7 +745,7 @@ func (e NewStreamError) Error() string {
// NewStream creates a stream and registers it into the transport as "active"
// streams. All non-nil errors returned will be *NewStreamError.
func (t *http2Client) NewStream(ctx context.Context, callHdr *CallHdr) (*ClientStream, error) {
- ctx = peer.NewContext(ctx, t.getPeer())
+ ctx = peer.NewContext(ctx, t.Peer())
// ServerName field of the resolver returned address takes precedence over
// Host field of CallHdr to determine the :authority header. This is because,
@@ -749,6 +758,25 @@ func (t *http2Client) NewStream(ctx context.Context, callHdr *CallHdr) (*ClientS
callHdr = &newCallHdr
}
+ // The authority specified via the `CallAuthority` CallOption takes the
+ // highest precedence when determining the `:authority` header. It overrides
+ // any value present in the Host field of CallHdr. Before applying this
+ // override, the authority string is validated. If the credentials do not
+ // implement the AuthorityValidator interface, or if validation fails, the
+ // RPC is failed with a status code of `UNAVAILABLE`.
+ if callHdr.Authority != "" {
+ auth, ok := t.authInfo.(credentials.AuthorityValidator)
+ if !ok {
+ return nil, &NewStreamError{Err: status.Errorf(codes.Unavailable, "credentials type %q does not implement the AuthorityValidator interface, but authority override specified with CallAuthority call option", t.authInfo.AuthType())}
+ }
+ if err := auth.ValidateAuthority(callHdr.Authority); err != nil {
+ return nil, &NewStreamError{Err: status.Errorf(codes.Unavailable, "failed to validate authority %q : %v", callHdr.Authority, err)}
+ }
+ newCallHdr := *callHdr
+ newCallHdr.Host = callHdr.Authority
+ callHdr = &newCallHdr
+ }
+
headerFields, err := t.createHeaderFields(ctx, callHdr)
if err != nil {
return nil, &NewStreamError{Err: err, AllowTransparentRetry: false}
@@ -792,7 +820,7 @@ func (t *http2Client) NewStream(ctx context.Context, callHdr *CallHdr) (*ClientS
return nil
},
onOrphaned: cleanup,
- wq: s.wq,
+ wq: &s.wq,
}
firstTry := true
var ch chan struct{}
@@ -823,7 +851,7 @@ func (t *http2Client) NewStream(ctx context.Context, callHdr *CallHdr) (*ClientS
transportDrainRequired = t.nextID > MaxStreamID
s.id = hdr.streamID
- s.fc = &inFlow{limit: uint32(t.initialWindowSize)}
+ s.fc = inFlow{limit: uint32(t.initialWindowSize)}
t.activeStreams[s.id] = s
t.mu.Unlock()
@@ -874,27 +902,23 @@ func (t *http2Client) NewStream(ctx context.Context, callHdr *CallHdr) (*ClientS
return nil, &NewStreamError{Err: ErrConnClosing, AllowTransparentRetry: true}
}
}
- if len(t.statsHandlers) != 0 {
+ if t.statsHandler != nil {
header, ok := metadata.FromOutgoingContext(ctx)
if ok {
header.Set("user-agent", t.userAgent)
} else {
header = metadata.Pairs("user-agent", t.userAgent)
}
- for _, sh := range t.statsHandlers {
- // Note: The header fields are compressed with hpack after this call returns.
- // No WireLength field is set here.
- // Note: Creating a new stats object to prevent pollution.
- outHeader := &stats.OutHeader{
- Client: true,
- FullMethod: callHdr.Method,
- RemoteAddr: t.remoteAddr,
- LocalAddr: t.localAddr,
- Compression: callHdr.SendCompress,
- Header: header,
- }
- sh.HandleRPC(s.ctx, outHeader)
- }
+ // Note: The header fields are compressed with hpack after this call returns.
+ // No WireLength field is set here.
+ t.statsHandler.HandleRPC(s.ctx, &stats.OutHeader{
+ Client: true,
+ FullMethod: callHdr.Method,
+ RemoteAddr: t.remoteAddr,
+ LocalAddr: t.localAddr,
+ Compression: callHdr.SendCompress,
+ Header: header,
+ })
}
if transportDrainRequired {
if t.logger.V(logLevel) {
@@ -971,6 +995,9 @@ func (t *http2Client) closeStream(s *ClientStream, err error, rst bool, rstCode
// accessed anymore.
func (t *http2Client) Close(err error) {
t.conn.SetWriteDeadline(time.Now().Add(time.Second * 10))
+ // For background on the deadline value chosen here, see
+ // https://github.com/grpc/grpc-go/issues/8425#issuecomment-3057938248 .
+ t.conn.SetReadDeadline(time.Now().Add(time.Second))
t.mu.Lock()
// Make sure we only close once.
if t.state == closing {
@@ -1032,11 +1059,10 @@ func (t *http2Client) Close(err error) {
for _, s := range streams {
t.closeStream(s, err, false, http2.ErrCodeNo, st, nil, false)
}
- for _, sh := range t.statsHandlers {
- connEnd := &stats.ConnEnd{
+ if t.statsHandler != nil {
+ t.statsHandler.HandleConn(t.ctx, &stats.ConnEnd{
Client: true,
- }
- sh.HandleConn(t.ctx, connEnd)
+ })
}
}
@@ -1069,32 +1095,29 @@ func (t *http2Client) GracefulClose() {
// Write formats the data into HTTP2 data frame(s) and sends it out. The caller
// should proceed only if Write returns nil.
func (t *http2Client) write(s *ClientStream, hdr []byte, data mem.BufferSlice, opts *WriteOptions) error {
- reader := data.Reader()
-
if opts.Last {
// If it's the last message, update stream state.
if !s.compareAndSwapState(streamActive, streamWriteDone) {
- _ = reader.Close()
return errStreamDone
}
} else if s.getState() != streamActive {
- _ = reader.Close()
return errStreamDone
}
df := &dataFrame{
streamID: s.id,
endStream: opts.Last,
h: hdr,
- reader: reader,
+ data: data,
}
- if hdr != nil || df.reader.Remaining() != 0 { // If it's not an empty data frame, check quota.
- if err := s.wq.get(int32(len(hdr) + df.reader.Remaining())); err != nil {
- _ = reader.Close()
+ dataLen := data.Len()
+ if hdr != nil || dataLen != 0 { // If it's not an empty data frame, check quota.
+ if err := s.wq.get(int32(len(hdr) + dataLen)); err != nil {
return err
}
}
+ data.Ref()
if err := t.controlBuf.put(df); err != nil {
- _ = reader.Close()
+ data.Free()
return err
}
t.incrMsgSent()
@@ -1150,7 +1173,7 @@ func (t *http2Client) updateFlowControl(n uint32) {
})
}
-func (t *http2Client) handleData(f *http2.DataFrame) {
+func (t *http2Client) handleData(f *parsedDataFrame) {
size := f.Header().Length
var sendBDPPing bool
if t.bdpEst != nil {
@@ -1194,22 +1217,15 @@ func (t *http2Client) handleData(f *http2.DataFrame) {
t.closeStream(s, io.EOF, true, http2.ErrCodeFlowControl, status.New(codes.Internal, err.Error()), nil, false)
return
}
+ dataLen := f.data.Len()
if f.Header().Flags.Has(http2.FlagDataPadded) {
- if w := s.fc.onRead(size - uint32(len(f.Data()))); w > 0 {
+ if w := s.fc.onRead(size - uint32(dataLen)); w > 0 {
t.controlBuf.put(&outgoingWindowUpdate{s.id, w})
}
}
- // TODO(bradfitz, zhaoq): A copy is required here because there is no
- // guarantee f.Data() is consumed before the arrival of next frame.
- // Can this copy be eliminated?
- if len(f.Data()) > 0 {
- pool := t.bufferPool
- if pool == nil {
- // Note that this is only supposed to be nil in tests. Otherwise, stream is
- // always initialized with a BufferPool.
- pool = mem.DefaultBufferPool()
- }
- s.write(recvMsg{buffer: mem.Copy(f.Data(), pool)})
+ if dataLen > 0 {
+ f.data.Ref()
+ s.write(recvMsg{buffer: f.data})
}
}
// The server has closed the stream without sending trailers. Record that
@@ -1449,17 +1465,14 @@ func (t *http2Client) operateHeaders(frame *http2.MetaHeadersFrame) {
contentTypeErr = "malformed header: missing HTTP content-type"
grpcMessage string
recvCompress string
- httpStatusCode *int
httpStatusErr string
- rawStatusCode = codes.Unknown
+ // the code from the grpc-status header, if present
+ grpcStatusCode = codes.Unknown
// headerError is set if an error is encountered while parsing the headers
headerError string
+ httpStatus string
)
- if initialHeader {
- httpStatusErr = "malformed header: missing HTTP status"
- }
-
for _, hf := range frame.Fields {
switch hf.Name {
case "content-type":
@@ -1475,35 +1488,15 @@ func (t *http2Client) operateHeaders(frame *http2.MetaHeadersFrame) {
case "grpc-status":
code, err := strconv.ParseInt(hf.Value, 10, 32)
if err != nil {
- se := status.New(codes.Internal, fmt.Sprintf("transport: malformed grpc-status: %v", err))
+ se := status.New(codes.Unknown, fmt.Sprintf("transport: malformed grpc-status: %v", err))
t.closeStream(s, se.Err(), true, http2.ErrCodeProtocol, se, nil, endStream)
return
}
- rawStatusCode = codes.Code(uint32(code))
+ grpcStatusCode = codes.Code(uint32(code))
case "grpc-message":
grpcMessage = decodeGrpcMessage(hf.Value)
case ":status":
- if hf.Value == "200" {
- httpStatusErr = ""
- statusCode := 200
- httpStatusCode = &statusCode
- break
- }
-
- c, err := strconv.ParseInt(hf.Value, 10, 32)
- if err != nil {
- se := status.New(codes.Internal, fmt.Sprintf("transport: malformed http-status: %v", err))
- t.closeStream(s, se.Err(), true, http2.ErrCodeProtocol, se, nil, endStream)
- return
- }
- statusCode := int(c)
- httpStatusCode = &statusCode
-
- httpStatusErr = fmt.Sprintf(
- "unexpected HTTP status code received from server: %d (%s)",
- statusCode,
- http.StatusText(statusCode),
- )
+ httpStatus = hf.Value
default:
if isReservedHeader(hf.Name) && !isWhitelistedHeader(hf.Name) {
break
@@ -1518,25 +1511,52 @@ func (t *http2Client) operateHeaders(frame *http2.MetaHeadersFrame) {
}
}
- if !isGRPC || httpStatusErr != "" {
- var code = codes.Internal // when header does not include HTTP status, return INTERNAL
-
- if httpStatusCode != nil {
+ // If a non-gRPC response is received, then evaluate the HTTP status to
+ // process the response and close the stream.
+ // In case http status doesn't provide any error information (status : 200),
+ // then evalute response code to be Unknown.
+ if !isGRPC {
+ var grpcErrorCode = codes.Internal
+ if httpStatus == "" {
+ httpStatusErr = "malformed header: missing HTTP status"
+ } else {
+ // Parse the status codes (e.g. "200", 404").
+ statusCode, err := strconv.Atoi(httpStatus)
+ if err != nil {
+ se := status.New(grpcErrorCode, fmt.Sprintf("transport: malformed http-status: %v", err))
+ t.closeStream(s, se.Err(), true, http2.ErrCodeProtocol, se, nil, endStream)
+ return
+ }
+ if statusCode >= 100 && statusCode < 200 {
+ if endStream {
+ se := status.New(codes.Internal, fmt.Sprintf(
+ "protocol error: informational header with status code %d must not have END_STREAM set", statusCode))
+ t.closeStream(s, se.Err(), true, http2.ErrCodeProtocol, se, nil, endStream)
+ }
+ // In case of informational headers, return.
+ return
+ }
+ httpStatusErr = fmt.Sprintf(
+ "unexpected HTTP status code received from server: %d (%s)",
+ statusCode,
+ http.StatusText(statusCode),
+ )
var ok bool
- code, ok = HTTPStatusConvTab[*httpStatusCode]
+ grpcErrorCode, ok = HTTPStatusConvTab[statusCode]
if !ok {
- code = codes.Unknown
+ grpcErrorCode = codes.Unknown
}
}
var errs []string
if httpStatusErr != "" {
errs = append(errs, httpStatusErr)
}
+
if contentTypeErr != "" {
errs = append(errs, contentTypeErr)
}
- // Verify the HTTP response is a 200.
- se := status.New(code, strings.Join(errs, "; "))
+
+ se := status.New(grpcErrorCode, strings.Join(errs, "; "))
t.closeStream(s, se.Err(), true, http2.ErrCodeProtocol, se, nil, endStream)
return
}
@@ -1567,22 +1587,20 @@ func (t *http2Client) operateHeaders(frame *http2.MetaHeadersFrame) {
}
}
- for _, sh := range t.statsHandlers {
+ if t.statsHandler != nil {
if !endStream {
- inHeader := &stats.InHeader{
+ t.statsHandler.HandleRPC(s.ctx, &stats.InHeader{
Client: true,
WireLength: int(frame.Header().Length),
Header: metadata.MD(mdata).Copy(),
Compression: s.recvCompress,
- }
- sh.HandleRPC(s.ctx, inHeader)
+ })
} else {
- inTrailer := &stats.InTrailer{
+ t.statsHandler.HandleRPC(s.ctx, &stats.InTrailer{
Client: true,
WireLength: int(frame.Header().Length),
Trailer: metadata.MD(mdata).Copy(),
- }
- sh.HandleRPC(s.ctx, inTrailer)
+ })
}
}
@@ -1590,7 +1608,7 @@ func (t *http2Client) operateHeaders(frame *http2.MetaHeadersFrame) {
return
}
- status := istatus.NewWithProto(rawStatusCode, grpcMessage, mdata[grpcStatusDetailsBinHeader])
+ status := istatus.NewWithProto(grpcStatusCode, grpcMessage, mdata[grpcStatusDetailsBinHeader])
// If client received END_STREAM from server while stream was still active,
// send RST_STREAM.
@@ -1637,7 +1655,7 @@ func (t *http2Client) reader(errCh chan<- error) {
// loop to keep reading incoming messages on this transport.
for {
t.controlBuf.throttle()
- frame, err := t.framer.fr.ReadFrame()
+ frame, err := t.framer.readFrame()
if t.keepaliveEnabled {
atomic.StoreInt64(&t.lastRead, time.Now().UnixNano())
}
@@ -1652,7 +1670,7 @@ func (t *http2Client) reader(errCh chan<- error) {
if s != nil {
// use error detail to provide better err message
code := http2ErrConvTab[se.Code]
- errorDetail := t.framer.fr.ErrorDetail()
+ errorDetail := t.framer.errorDetail()
var msg string
if errorDetail != nil {
msg = errorDetail.Error()
@@ -1670,8 +1688,9 @@ func (t *http2Client) reader(errCh chan<- error) {
switch frame := frame.(type) {
case *http2.MetaHeadersFrame:
t.operateHeaders(frame)
- case *http2.DataFrame:
+ case *parsedDataFrame:
t.handleData(frame)
+ frame.data.Free()
case *http2.RSTStreamFrame:
t.handleRSTStream(frame)
case *http2.SettingsFrame:
@@ -1791,8 +1810,6 @@ func (t *http2Client) socketMetrics() *channelz.EphemeralSocketMetrics {
}
}
-func (t *http2Client) RemoteAddr() net.Addr { return t.remoteAddr }
-
func (t *http2Client) incrMsgSent() {
if channelz.IsOn() {
t.channelz.SocketMetrics.MessagesSent.Add(1)
diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_server.go b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
index 7e53eb1735..6f78a6b0c8 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http2_server.go
+++ b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
@@ -35,13 +35,15 @@ import (
"golang.org/x/net/http2"
"golang.org/x/net/http2/hpack"
+ "google.golang.org/protobuf/proto"
+
"google.golang.org/grpc/internal"
"google.golang.org/grpc/internal/grpclog"
"google.golang.org/grpc/internal/grpcutil"
"google.golang.org/grpc/internal/pretty"
+ istatus "google.golang.org/grpc/internal/status"
"google.golang.org/grpc/internal/syscall"
"google.golang.org/grpc/mem"
- "google.golang.org/protobuf/proto"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/credentials"
@@ -85,7 +87,7 @@ type http2Server struct {
// updates, reset streams, and various settings) to the controller.
controlBuf *controlBuffer
fc *trInFlow
- stats []stats.Handler
+ stats stats.Handler
// Keepalive and max-age parameters for the server.
kp keepalive.ServerParameters
// Keepalive enforcement policy.
@@ -131,6 +133,10 @@ type http2Server struct {
maxStreamID uint32 // max stream ID ever seen
logger *grpclog.PrefixLogger
+ // setResetPingStrikes is stored as a closure instead of making this a
+ // method on http2Server to avoid a heap allocation when converting a method
+ // to a closure for passing to frames objects.
+ setResetPingStrikes func()
}
// NewServerTransport creates a http2 transport with conn and configuration
@@ -163,7 +169,7 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
if config.MaxHeaderListSize != nil {
maxHeaderListSize = *config.MaxHeaderListSize
}
- framer := newFramer(conn, writeBufSize, readBufSize, config.SharedWriteBuffer, maxHeaderListSize)
+ framer := newFramer(conn, writeBufSize, readBufSize, config.SharedWriteBuffer, maxHeaderListSize, config.BufferPool)
// Send initial settings as connection preface to client.
isettings := []http2.Setting{{
ID: http2.SettingMaxFrameSize,
@@ -175,16 +181,13 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
Val: config.MaxStreams,
})
}
- dynamicWindow := true
iwz := int32(initialWindowSize)
if config.InitialWindowSize >= defaultWindowSize {
iwz = config.InitialWindowSize
- dynamicWindow = false
}
icwz := int32(initialWindowSize)
if config.InitialConnWindowSize >= defaultWindowSize {
icwz = config.InitialConnWindowSize
- dynamicWindow = false
}
if iwz != defaultWindowSize {
isettings = append(isettings, http2.Setting{
@@ -258,13 +261,16 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
fc: &trInFlow{limit: uint32(icwz)},
state: reachable,
activeStreams: make(map[uint32]*ServerStream),
- stats: config.StatsHandlers,
+ stats: config.StatsHandler,
kp: kp,
idle: time.Now(),
kep: kep,
initialWindowSize: iwz,
bufferPool: config.BufferPool,
}
+ t.setResetPingStrikes = func() {
+ atomic.StoreUint32(&t.resetPingStrikes, 1)
+ }
var czSecurity credentials.ChannelzSecurityValue
if au, ok := authInfo.(credentials.ChannelzSecurityInfo); ok {
czSecurity = au.GetSecurityValue()
@@ -284,7 +290,7 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
t.logger = prefixLoggerForServerTransport(t)
t.controlBuf = newControlBuffer(t.done)
- if dynamicWindow {
+ if !config.StaticWindowSize {
t.bdpEst = &bdpEstimator{
bdp: initialWindowSize,
updateFlowControl: t.updateFlowControl,
@@ -385,16 +391,15 @@ func (t *http2Server) operateHeaders(ctx context.Context, frame *http2.MetaHeade
}
t.maxStreamID = streamID
- buf := newRecvBuffer()
s := &ServerStream{
- Stream: &Stream{
- id: streamID,
- buf: buf,
- fc: &inFlow{limit: uint32(t.initialWindowSize)},
+ Stream: Stream{
+ id: streamID,
+ fc: inFlow{limit: uint32(t.initialWindowSize)},
},
st: t,
headerWireLength: int(frame.Header().Length),
}
+ s.Stream.buf.init()
var (
// if false, content-type was missing or invalid
isGRPC = false
@@ -595,10 +600,25 @@ func (t *http2Server) operateHeaders(ctx context.Context, frame *http2.MetaHeade
return nil
}
}
+
+ if s.ctx.Err() != nil {
+ t.mu.Unlock()
+ // Early abort in case the timeout was zero or so low it already fired.
+ t.controlBuf.put(&earlyAbortStream{
+ httpStatus: http.StatusOK,
+ streamID: s.id,
+ contentSubtype: s.contentSubtype,
+ status: status.New(codes.DeadlineExceeded, context.DeadlineExceeded.Error()),
+ rst: !frame.StreamEnded(),
+ })
+ return nil
+ }
+
t.activeStreams[streamID] = s
if len(t.activeStreams) == 1 {
t.idle = time.Time{}
}
+
// Start a timer to close the stream on reaching the deadline.
if timeoutSet {
// We need to wait for s.cancel to be updated before calling
@@ -620,25 +640,21 @@ func (t *http2Server) operateHeaders(ctx context.Context, frame *http2.MetaHeade
t.channelz.SocketMetrics.StreamsStarted.Add(1)
t.channelz.SocketMetrics.LastRemoteStreamCreatedTimestamp.Store(time.Now().UnixNano())
}
- s.requestRead = func(n int) {
- t.adjustWindow(s, uint32(n))
- }
+ s.readRequester = s
s.ctxDone = s.ctx.Done()
- s.wq = newWriteQuota(defaultWriteQuota, s.ctxDone)
- s.trReader = &transportReader{
- reader: &recvBufferReader{
+ s.Stream.wq.init(defaultWriteQuota, s.ctxDone)
+ s.trReader = transportReader{
+ reader: recvBufferReader{
ctx: s.ctx,
ctxDone: s.ctxDone,
- recv: s.buf,
- },
- windowHandler: func(n int) {
- t.updateWindow(s, uint32(n))
+ recv: &s.buf,
},
+ windowHandler: s,
}
// Register the stream with loopy.
t.controlBuf.put(®isterStream{
streamID: s.id,
- wq: s.wq,
+ wq: &s.wq,
})
handle(s)
return nil
@@ -654,7 +670,7 @@ func (t *http2Server) HandleStreams(ctx context.Context, handle func(*ServerStre
}()
for {
t.controlBuf.throttle()
- frame, err := t.framer.fr.ReadFrame()
+ frame, err := t.framer.readFrame()
atomic.StoreInt64(&t.lastRead, time.Now().UnixNano())
if err != nil {
if se, ok := err.(http2.StreamError); ok {
@@ -691,8 +707,9 @@ func (t *http2Server) HandleStreams(ctx context.Context, handle func(*ServerStre
})
continue
}
- case *http2.DataFrame:
+ case *parsedDataFrame:
t.handleData(frame)
+ frame.data.Free()
case *http2.RSTStreamFrame:
t.handleRSTStream(frame)
case *http2.SettingsFrame:
@@ -772,7 +789,7 @@ func (t *http2Server) updateFlowControl(n uint32) {
}
-func (t *http2Server) handleData(f *http2.DataFrame) {
+func (t *http2Server) handleData(f *parsedDataFrame) {
size := f.Header().Length
var sendBDPPing bool
if t.bdpEst != nil {
@@ -817,22 +834,15 @@ func (t *http2Server) handleData(f *http2.DataFrame) {
t.closeStream(s, true, http2.ErrCodeFlowControl, false)
return
}
+ dataLen := f.data.Len()
if f.Header().Flags.Has(http2.FlagDataPadded) {
- if w := s.fc.onRead(size - uint32(len(f.Data()))); w > 0 {
+ if w := s.fc.onRead(size - uint32(dataLen)); w > 0 {
t.controlBuf.put(&outgoingWindowUpdate{s.id, w})
}
}
- // TODO(bradfitz, zhaoq): A copy is required here because there is no
- // guarantee f.Data() is consumed before the arrival of next frame.
- // Can this copy be eliminated?
- if len(f.Data()) > 0 {
- pool := t.bufferPool
- if pool == nil {
- // Note that this is only supposed to be nil in tests. Otherwise, stream is
- // always initialized with a BufferPool.
- pool = mem.DefaultBufferPool()
- }
- s.write(recvMsg{buffer: mem.Copy(f.Data(), pool)})
+ if dataLen > 0 {
+ f.data.Ref()
+ s.write(recvMsg{buffer: f.data})
}
}
if f.StreamEnded() {
@@ -1015,10 +1025,6 @@ func (t *http2Server) writeHeader(s *ServerStream, md metadata.MD) error {
return nil
}
-func (t *http2Server) setResetPingStrikes() {
- atomic.StoreUint32(&t.resetPingStrikes, 1)
-}
-
func (t *http2Server) writeHeaderLocked(s *ServerStream) error {
// TODO(mmukhi): Benchmark if the performance gets better if count the metadata and other header fields
// first and create a slice of that exact size.
@@ -1043,19 +1049,18 @@ func (t *http2Server) writeHeaderLocked(s *ServerStream) error {
t.closeStream(s, true, http2.ErrCodeInternal, false)
return ErrHeaderListSizeLimitViolation
}
- for _, sh := range t.stats {
+ if t.stats != nil {
// Note: Headers are compressed with hpack after this call returns.
// No WireLength field is set here.
- outHeader := &stats.OutHeader{
+ t.stats.HandleRPC(s.Context(), &stats.OutHeader{
Header: s.header.Copy(),
Compression: s.sendCompress,
- }
- sh.HandleRPC(s.Context(), outHeader)
+ })
}
return nil
}
-// WriteStatus sends stream status to the client and terminates the stream.
+// writeStatus sends stream status to the client and terminates the stream.
// There is no further I/O operations being able to perform on this stream.
// TODO(zhaoq): Now it indicates the end of entire stream. Revisit if early
// OK is adopted.
@@ -1083,7 +1088,7 @@ func (t *http2Server) writeStatus(s *ServerStream, st *status.Status) error {
headerFields = append(headerFields, hpack.HeaderField{Name: "grpc-status", Value: strconv.Itoa(int(st.Code()))})
headerFields = append(headerFields, hpack.HeaderField{Name: "grpc-message", Value: encodeGrpcMessage(st.Message())})
- if p := st.Proto(); p != nil && len(p.Details) > 0 {
+ if p := istatus.RawStatusProto(st); len(p.GetDetails()) > 0 {
// Do not use the user's grpc-status-details-bin (if present) if we are
// even attempting to set our own.
delete(s.trailer, grpcStatusDetailsBinHeader)
@@ -1118,10 +1123,10 @@ func (t *http2Server) writeStatus(s *ServerStream, st *status.Status) error {
// Send a RST_STREAM after the trailers if the client has not already half-closed.
rst := s.getState() == streamActive
t.finishStream(s, rst, http2.ErrCodeNo, trailingHeader, true)
- for _, sh := range t.stats {
+ if t.stats != nil {
// Note: The trailer fields are compressed with hpack after this call returns.
// No WireLength field is set here.
- sh.HandleRPC(s.Context(), &stats.OutTrailer{
+ t.stats.HandleRPC(s.Context(), &stats.OutTrailer{
Trailer: s.trailer.Copy(),
})
}
@@ -1131,17 +1136,13 @@ func (t *http2Server) writeStatus(s *ServerStream, st *status.Status) error {
// Write converts the data into HTTP2 data frame and sends it out. Non-nil error
// is returns if it fails (e.g., framing error, transport error).
func (t *http2Server) write(s *ServerStream, hdr []byte, data mem.BufferSlice, _ *WriteOptions) error {
- reader := data.Reader()
-
if !s.isHeaderSent() { // Headers haven't been written yet.
if err := t.writeHeader(s, nil); err != nil {
- _ = reader.Close()
return err
}
} else {
// Writing headers checks for this condition.
if s.getState() == streamDone {
- _ = reader.Close()
return t.streamContextErr(s)
}
}
@@ -1149,15 +1150,16 @@ func (t *http2Server) write(s *ServerStream, hdr []byte, data mem.BufferSlice, _
df := &dataFrame{
streamID: s.id,
h: hdr,
- reader: reader,
+ data: data,
onEachWrite: t.setResetPingStrikes,
}
- if err := s.wq.get(int32(len(hdr) + df.reader.Remaining())); err != nil {
- _ = reader.Close()
+ dataLen := data.Len()
+ if err := s.wq.get(int32(len(hdr) + dataLen)); err != nil {
return t.streamContextErr(s)
}
+ data.Ref()
if err := t.controlBuf.put(df); err != nil {
- _ = reader.Close()
+ data.Free()
return err
}
t.incrMsgSent()
@@ -1292,7 +1294,8 @@ func (t *http2Server) Close(err error) {
// deleteStream deletes the stream s from transport's active streams.
func (t *http2Server) deleteStream(s *ServerStream, eosReceived bool) {
t.mu.Lock()
- if _, ok := t.activeStreams[s.id]; ok {
+ _, isActive := t.activeStreams[s.id]
+ if isActive {
delete(t.activeStreams, s.id)
if len(t.activeStreams) == 0 {
t.idle = time.Now()
@@ -1300,7 +1303,7 @@ func (t *http2Server) deleteStream(s *ServerStream, eosReceived bool) {
}
t.mu.Unlock()
- if channelz.IsOn() {
+ if isActive && channelz.IsOn() {
if eosReceived {
t.channelz.SocketMetrics.StreamsSucceeded.Add(1)
} else {
@@ -1340,10 +1343,10 @@ func (t *http2Server) closeStream(s *ServerStream, rst bool, rstCode http2.ErrCo
// called to interrupt the potential blocking on other goroutines.
s.cancel()
- oldState := s.swapState(streamDone)
- if oldState == streamDone {
- return
- }
+ // We can't return early even if the stream's state is "done" as the state
+ // might have been set by the `finishStream` method. Deleting the stream via
+ // `finishStream` can get blocked on flow control.
+ s.swapState(streamDone)
t.deleteStream(s, eosReceived)
t.controlBuf.put(&cleanupStream{
diff --git a/vendor/google.golang.org/grpc/internal/transport/http_util.go b/vendor/google.golang.org/grpc/internal/transport/http_util.go
index f997f9fdb5..5bbb641ad9 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http_util.go
+++ b/vendor/google.golang.org/grpc/internal/transport/http_util.go
@@ -25,7 +25,6 @@ import (
"fmt"
"io"
"math"
- "net"
"net/http"
"net/url"
"strconv"
@@ -37,6 +36,7 @@ import (
"golang.org/x/net/http2"
"golang.org/x/net/http2/hpack"
"google.golang.org/grpc/codes"
+ "google.golang.org/grpc/mem"
)
const (
@@ -196,11 +196,11 @@ func decodeTimeout(s string) (time.Duration, error) {
if !ok {
return 0, fmt.Errorf("transport: timeout unit is not recognized: %q", s)
}
- t, err := strconv.ParseInt(s[:size-1], 10, 64)
+ t, err := strconv.ParseUint(s[:size-1], 10, 64)
if err != nil {
return 0, err
}
- const maxHours = math.MaxInt64 / int64(time.Hour)
+ const maxHours = math.MaxInt64 / uint64(time.Hour)
if d == time.Hour && t > maxHours {
// This timeout would overflow math.MaxInt64; clamp it.
return time.Duration(math.MaxInt64), nil
@@ -300,11 +300,11 @@ type bufWriter struct {
buf []byte
offset int
batchSize int
- conn net.Conn
+ conn io.Writer
err error
}
-func newBufWriter(conn net.Conn, batchSize int, pool *sync.Pool) *bufWriter {
+func newBufWriter(conn io.Writer, batchSize int, pool *sync.Pool) *bufWriter {
w := &bufWriter{
batchSize: batchSize,
conn: conn,
@@ -388,15 +388,29 @@ func toIOError(err error) error {
return ioError{error: err}
}
+type parsedDataFrame struct {
+ http2.FrameHeader
+ data mem.Buffer
+}
+
+func (df *parsedDataFrame) StreamEnded() bool {
+ return df.FrameHeader.Flags.Has(http2.FlagDataEndStream)
+}
+
type framer struct {
- writer *bufWriter
- fr *http2.Framer
+ writer *bufWriter
+ fr *http2.Framer
+ headerBuf []byte // cached slice for framer headers to reduce heap allocs.
+ reader io.Reader
+ dataFrame parsedDataFrame // Cached data frame to avoid heap allocations.
+ pool mem.BufferPool
+ errDetail error
}
var writeBufferPoolMap = make(map[int]*sync.Pool)
var writeBufferMutex sync.Mutex
-func newFramer(conn net.Conn, writeBufferSize, readBufferSize int, sharedWriteBuffer bool, maxHeaderListSize uint32) *framer {
+func newFramer(conn io.ReadWriter, writeBufferSize, readBufferSize int, sharedWriteBuffer bool, maxHeaderListSize uint32, memPool mem.BufferPool) *framer {
if writeBufferSize < 0 {
writeBufferSize = 0
}
@@ -412,6 +426,8 @@ func newFramer(conn net.Conn, writeBufferSize, readBufferSize int, sharedWriteBu
f := &framer{
writer: w,
fr: http2.NewFramer(w, r),
+ reader: r,
+ pool: memPool,
}
f.fr.SetMaxReadFrameSize(http2MaxFrameLen)
// Opt-in to Frame reuse API on framer to reduce garbage.
@@ -422,6 +438,146 @@ func newFramer(conn net.Conn, writeBufferSize, readBufferSize int, sharedWriteBu
return f
}
+// writeData writes a DATA frame.
+//
+// It is the caller's responsibility not to violate the maximum frame size.
+func (f *framer) writeData(streamID uint32, endStream bool, data [][]byte) error {
+ var flags http2.Flags
+ if endStream {
+ flags = http2.FlagDataEndStream
+ }
+ length := uint32(0)
+ for _, d := range data {
+ length += uint32(len(d))
+ }
+ // TODO: Replace the header write with the framer API being added in
+ // https://github.com/golang/go/issues/66655.
+ f.headerBuf = append(f.headerBuf[:0],
+ byte(length>>16),
+ byte(length>>8),
+ byte(length),
+ byte(http2.FrameData),
+ byte(flags),
+ byte(streamID>>24),
+ byte(streamID>>16),
+ byte(streamID>>8),
+ byte(streamID))
+ if _, err := f.writer.Write(f.headerBuf); err != nil {
+ return err
+ }
+ for _, d := range data {
+ if _, err := f.writer.Write(d); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
+// readFrame reads a single frame. The returned Frame is only valid
+// until the next call to readFrame.
+func (f *framer) readFrame() (any, error) {
+ f.errDetail = nil
+ fh, err := f.fr.ReadFrameHeader()
+ if err != nil {
+ f.errDetail = f.fr.ErrorDetail()
+ return nil, err
+ }
+ // Read the data frame directly from the underlying io.Reader to avoid
+ // copies.
+ if fh.Type == http2.FrameData {
+ err = f.readDataFrame(fh)
+ return &f.dataFrame, err
+ }
+ fr, err := f.fr.ReadFrameForHeader(fh)
+ if err != nil {
+ f.errDetail = f.fr.ErrorDetail()
+ return nil, err
+ }
+ return fr, err
+}
+
+// errorDetail returns a more detailed error of the last error
+// returned by framer.readFrame. For instance, if readFrame
+// returns a StreamError with code PROTOCOL_ERROR, errorDetail
+// will say exactly what was invalid. errorDetail is not guaranteed
+// to return a non-nil value.
+// errorDetail is reset after the next call to readFrame.
+func (f *framer) errorDetail() error {
+ return f.errDetail
+}
+
+func (f *framer) readDataFrame(fh http2.FrameHeader) (err error) {
+ if fh.StreamID == 0 {
+ // DATA frames MUST be associated with a stream. If a
+ // DATA frame is received whose stream identifier
+ // field is 0x0, the recipient MUST respond with a
+ // connection error (Section 5.4.1) of type
+ // PROTOCOL_ERROR.
+ f.errDetail = errors.New("DATA frame with stream ID 0")
+ return http2.ConnectionError(http2.ErrCodeProtocol)
+ }
+ // Converting a *[]byte to a mem.SliceBuffer incurs a heap allocation. This
+ // conversion is performed by mem.NewBuffer. To avoid the extra allocation
+ // a []byte is allocated directly if required and cast to a mem.SliceBuffer.
+ var buf []byte
+ // poolHandle is the pointer returned by the buffer pool (if it's used.).
+ var poolHandle *[]byte
+ useBufferPool := !mem.IsBelowBufferPoolingThreshold(int(fh.Length))
+ if useBufferPool {
+ poolHandle = f.pool.Get(int(fh.Length))
+ buf = *poolHandle
+ defer func() {
+ if err != nil {
+ f.pool.Put(poolHandle)
+ }
+ }()
+ } else {
+ buf = make([]byte, int(fh.Length))
+ }
+ if fh.Flags.Has(http2.FlagDataPadded) {
+ if fh.Length == 0 {
+ return io.ErrUnexpectedEOF
+ }
+ // This initial 1-byte read can be inefficient for unbuffered readers,
+ // but it allows the rest of the payload to be read directly to the
+ // start of the destination slice. This makes it easy to return the
+ // original slice back to the buffer pool.
+ if _, err := io.ReadFull(f.reader, buf[:1]); err != nil {
+ return err
+ }
+ padSize := buf[0]
+ buf = buf[:len(buf)-1]
+ if int(padSize) > len(buf) {
+ // If the length of the padding is greater than the
+ // length of the frame payload, the recipient MUST
+ // treat this as a connection error.
+ // Filed: https://github.com/http2/http2-spec/issues/610
+ f.errDetail = errors.New("pad size larger than data payload")
+ return http2.ConnectionError(http2.ErrCodeProtocol)
+ }
+ if _, err := io.ReadFull(f.reader, buf); err != nil {
+ return err
+ }
+ buf = buf[:len(buf)-int(padSize)]
+ } else if _, err := io.ReadFull(f.reader, buf); err != nil {
+ return err
+ }
+
+ f.dataFrame.FrameHeader = fh
+ if useBufferPool {
+ // Update the handle to point to the (potentially re-sliced) buf.
+ *poolHandle = buf
+ f.dataFrame.data = mem.NewBuffer(poolHandle, f.pool)
+ } else {
+ f.dataFrame.data = mem.SliceBuffer(buf)
+ }
+ return nil
+}
+
+func (df *parsedDataFrame) Header() http2.FrameHeader {
+ return df.FrameHeader
+}
+
func getWriteBufferPool(size int) *sync.Pool {
writeBufferMutex.Lock()
defer writeBufferMutex.Unlock()
diff --git a/vendor/google.golang.org/grpc/internal/transport/server_stream.go b/vendor/google.golang.org/grpc/internal/transport/server_stream.go
index cf8da0b52d..ed6a13b750 100644
--- a/vendor/google.golang.org/grpc/internal/transport/server_stream.go
+++ b/vendor/google.golang.org/grpc/internal/transport/server_stream.go
@@ -32,7 +32,7 @@ import (
// ServerStream implements streaming functionality for a gRPC server.
type ServerStream struct {
- *Stream // Embed for common stream functionality.
+ Stream // Embed for common stream functionality.
st internalServerTransport
ctxDone <-chan struct{} // closed at the end of stream. Cache of ctx.Done() (for performance)
@@ -43,12 +43,13 @@ type ServerStream struct {
// Holds compressor names passed in grpc-accept-encoding metadata from the
// client.
clientAdvertisedCompressors string
- headerWireLength int
// hdrMu protects outgoing header and trailer metadata.
hdrMu sync.Mutex
header metadata.MD // the outgoing header metadata. Updated by WriteHeader.
headerSent atomic.Bool // atomically set when the headers are sent out.
+
+ headerWireLength int
}
// Read reads an n byte message from the input stream.
@@ -178,3 +179,11 @@ func (s *ServerStream) SetTrailer(md metadata.MD) error {
s.hdrMu.Unlock()
return nil
}
+
+func (s *ServerStream) requestRead(n int) {
+ s.st.adjustWindow(s, uint32(n))
+}
+
+func (s *ServerStream) updateWindow(n int) {
+ s.st.updateWindow(s, uint32(n))
+}
diff --git a/vendor/google.golang.org/grpc/internal/transport/transport.go b/vendor/google.golang.org/grpc/internal/transport/transport.go
index af4a4aeab1..6daf1e002d 100644
--- a/vendor/google.golang.org/grpc/internal/transport/transport.go
+++ b/vendor/google.golang.org/grpc/internal/transport/transport.go
@@ -68,11 +68,11 @@ type recvBuffer struct {
err error
}
-func newRecvBuffer() *recvBuffer {
- b := &recvBuffer{
- c: make(chan recvMsg, 1),
- }
- return b
+// init allows a recvBuffer to be initialized in-place, which is useful
+// for resetting a buffer or for avoiding a heap allocation when the buffer
+// is embedded in another struct.
+func (b *recvBuffer) init() {
+ b.c = make(chan recvMsg, 1)
}
func (b *recvBuffer) put(r recvMsg) {
@@ -123,12 +123,13 @@ func (b *recvBuffer) get() <-chan recvMsg {
// recvBufferReader implements io.Reader interface to read the data from
// recvBuffer.
type recvBufferReader struct {
- closeStream func(error) // Closes the client transport stream with the given error and nil trailer metadata.
- ctx context.Context
- ctxDone <-chan struct{} // cache of ctx.Done() (for performance).
- recv *recvBuffer
- last mem.Buffer // Stores the remaining data in the previous calls.
- err error
+ _ noCopy
+ clientStream *ClientStream // The client transport stream is closed with a status representing ctx.Err() and nil trailer metadata.
+ ctx context.Context
+ ctxDone <-chan struct{} // cache of ctx.Done() (for performance).
+ recv *recvBuffer
+ last mem.Buffer // Stores the remaining data in the previous calls.
+ err error
}
func (r *recvBufferReader) ReadMessageHeader(header []byte) (n int, err error) {
@@ -139,7 +140,7 @@ func (r *recvBufferReader) ReadMessageHeader(header []byte) (n int, err error) {
n, r.last = mem.ReadUnsafe(header, r.last)
return n, nil
}
- if r.closeStream != nil {
+ if r.clientStream != nil {
n, r.err = r.readMessageHeaderClient(header)
} else {
n, r.err = r.readMessageHeader(header)
@@ -164,7 +165,7 @@ func (r *recvBufferReader) Read(n int) (buf mem.Buffer, err error) {
}
return buf, nil
}
- if r.closeStream != nil {
+ if r.clientStream != nil {
buf, r.err = r.readClient(n)
} else {
buf, r.err = r.read(n)
@@ -209,7 +210,7 @@ func (r *recvBufferReader) readMessageHeaderClient(header []byte) (n int, err er
// TODO: delaying ctx error seems like a unnecessary side effect. What
// we really want is to mark the stream as done, and return ctx error
// faster.
- r.closeStream(ContextErr(r.ctx.Err()))
+ r.clientStream.Close(ContextErr(r.ctx.Err()))
m := <-r.recv.get()
return r.readMessageHeaderAdditional(m, header)
case m := <-r.recv.get():
@@ -236,7 +237,7 @@ func (r *recvBufferReader) readClient(n int) (buf mem.Buffer, err error) {
// TODO: delaying ctx error seems like a unnecessary side effect. What
// we really want is to mark the stream as done, and return ctx error
// faster.
- r.closeStream(ContextErr(r.ctx.Err()))
+ r.clientStream.Close(ContextErr(r.ctx.Err()))
m := <-r.recv.get()
return r.readAdditional(m, n)
case m := <-r.recv.get():
@@ -285,27 +286,32 @@ const (
// Stream represents an RPC in the transport layer.
type Stream struct {
- id uint32
ctx context.Context // the associated context of the stream
method string // the associated RPC method of the stream
recvCompress string
sendCompress string
- buf *recvBuffer
- trReader *transportReader
- fc *inFlow
- wq *writeQuota
-
- // Callback to state application's intentions to read data. This
- // is used to adjust flow control, if needed.
- requestRead func(int)
- state streamState
+ readRequester readRequester
// contentSubtype is the content-subtype for requests.
// this must be lowercase or the behavior is undefined.
contentSubtype string
trailer metadata.MD // the key-value map of trailer metadata.
+
+ // Non-pointer fields are at the end to optimize GC performance.
+ state streamState
+ id uint32
+ buf recvBuffer
+ trReader transportReader
+ fc inFlow
+ wq writeQuota
+}
+
+// readRequester is used to state application's intentions to read data. This
+// is used to adjust flow control, if needed.
+type readRequester interface {
+ requestRead(int)
}
func (s *Stream) swapState(st streamState) streamState {
@@ -355,7 +361,7 @@ func (s *Stream) ReadMessageHeader(header []byte) (err error) {
if er := s.trReader.er; er != nil {
return er
}
- s.requestRead(len(header))
+ s.readRequester.requestRead(len(header))
for len(header) != 0 {
n, err := s.trReader.ReadMessageHeader(header)
header = header[n:]
@@ -378,7 +384,7 @@ func (s *Stream) read(n int) (data mem.BufferSlice, err error) {
if er := s.trReader.er; er != nil {
return nil, er
}
- s.requestRead(n)
+ s.readRequester.requestRead(n)
for n != 0 {
buf, err := s.trReader.Read(n)
var bufLen int
@@ -401,16 +407,34 @@ func (s *Stream) read(n int) (data mem.BufferSlice, err error) {
return data, nil
}
+// noCopy may be embedded into structs which must not be copied
+// after the first use.
+//
+// See https://golang.org/issues/8005#issuecomment-190753527
+// for details.
+type noCopy struct {
+}
+
+func (*noCopy) Lock() {}
+func (*noCopy) Unlock() {}
+
// transportReader reads all the data available for this Stream from the transport and
// passes them into the decoder, which converts them into a gRPC message stream.
// The error is io.EOF when the stream is done or another non-nil error if
// the stream broke.
type transportReader struct {
- reader *recvBufferReader
+ _ noCopy
// The handler to control the window update procedure for both this
// particular stream and the associated transport.
- windowHandler func(int)
+ windowHandler windowHandler
er error
+ reader recvBufferReader
+}
+
+// The handler to control the window update procedure for both this
+// particular stream and the associated transport.
+type windowHandler interface {
+ updateWindow(int)
}
func (t *transportReader) ReadMessageHeader(header []byte) (int, error) {
@@ -419,7 +443,7 @@ func (t *transportReader) ReadMessageHeader(header []byte) (int, error) {
t.er = err
return 0, err
}
- t.windowHandler(n)
+ t.windowHandler.updateWindow(n)
return n, nil
}
@@ -429,7 +453,7 @@ func (t *transportReader) Read(n int) (mem.Buffer, error) {
t.er = err
return buf, err
}
- t.windowHandler(buf.Len())
+ t.windowHandler.updateWindow(buf.Len())
return buf, nil
}
@@ -454,7 +478,7 @@ type ServerConfig struct {
ConnectionTimeout time.Duration
Credentials credentials.TransportCredentials
InTapHandle tap.ServerInHandle
- StatsHandlers []stats.Handler
+ StatsHandler stats.Handler
KeepaliveParams keepalive.ServerParameters
KeepalivePolicy keepalive.EnforcementPolicy
InitialWindowSize int32
@@ -466,6 +490,7 @@ type ServerConfig struct {
MaxHeaderListSize *uint32
HeaderTableSize *uint32
BufferPool mem.BufferPool
+ StaticWindowSize bool
}
// ConnectOptions covers all relevant options for communicating with the server.
@@ -504,6 +529,8 @@ type ConnectOptions struct {
MaxHeaderListSize *uint32
// The mem.BufferPool to use when reading/writing to the wire.
BufferPool mem.BufferPool
+ // StaticWindowSize controls whether dynamic window sizing is enabled.
+ StaticWindowSize bool
}
// WriteOptions provides additional hints and information for message
@@ -526,6 +553,12 @@ type CallHdr struct {
// outbound message.
SendCompress string
+ // AcceptedCompressors overrides the grpc-accept-encoding header for this
+ // call. When nil, the transport advertises the default set of registered
+ // compressors. A non-nil pointer overrides that value (including the empty
+ // string to advertise none).
+ AcceptedCompressors *string
+
// Creds specifies credentials.PerRPCCredentials for a call.
Creds credentials.PerRPCCredentials
@@ -540,6 +573,11 @@ type CallHdr struct {
PreviousAttempts int // value of grpc-previous-rpc-attempts header to set
DoneFunc func() // called when the stream is finished
+
+ // Authority is used to explicitly override the `:authority` header. If set,
+ // this value takes precedence over the Host field and will be used as the
+ // value for the `:authority` header.
+ Authority string
}
// ClientTransport is the common interface for all gRPC client-side transport
@@ -576,8 +614,9 @@ type ClientTransport interface {
// with a human readable string with debug info.
GetGoAwayReason() (GoAwayReason, string)
- // RemoteAddr returns the remote network address.
- RemoteAddr() net.Addr
+ // Peer returns information about the peer associated with the Transport.
+ // The returned information includes authentication and network address details.
+ Peer() *peer.Peer
}
// ServerTransport is the common interface for all gRPC server-side transport
@@ -607,6 +646,8 @@ type internalServerTransport interface {
write(s *ServerStream, hdr []byte, data mem.BufferSlice, opts *WriteOptions) error
writeStatus(s *ServerStream, st *status.Status) error
incrMsgRecv()
+ adjustWindow(s *ServerStream, n uint32)
+ updateWindow(s *ServerStream, n uint32)
}
// connectionErrorf creates an ConnectionError with the specified error description.
diff --git a/vendor/google.golang.org/grpc/mem/buffer_pool.go b/vendor/google.golang.org/grpc/mem/buffer_pool.go
index c37c58c023..e37afdd198 100644
--- a/vendor/google.golang.org/grpc/mem/buffer_pool.go
+++ b/vendor/google.golang.org/grpc/mem/buffer_pool.go
@@ -32,12 +32,17 @@ type BufferPool interface {
Get(length int) *[]byte
// Put returns a buffer to the pool.
+ //
+ // The provided pointer must hold a prefix of the buffer obtained via
+ // BufferPool.Get to ensure the buffer's entire capacity can be re-used.
Put(*[]byte)
}
+const goPageSize = 4 << 10 // 4KiB. N.B. this must be a power of 2.
+
var defaultBufferPoolSizes = []int{
256,
- 4 << 10, // 4KB (go page size)
+ goPageSize,
16 << 10, // 16KB (max HTTP/2 frame size used by gRPC)
32 << 10, // 32KB (default buffer size for io.Copy)
1 << 20, // 1MB
@@ -118,7 +123,11 @@ type sizedBufferPool struct {
}
func (p *sizedBufferPool) Get(size int) *[]byte {
- buf := p.pool.Get().(*[]byte)
+ buf, ok := p.pool.Get().(*[]byte)
+ if !ok {
+ buf := make([]byte, size, p.defaultSize)
+ return &buf
+ }
b := *buf
clear(b[:cap(b)])
*buf = b[:size]
@@ -137,12 +146,6 @@ func (p *sizedBufferPool) Put(buf *[]byte) {
func newSizedBufferPool(size int) *sizedBufferPool {
return &sizedBufferPool{
- pool: sync.Pool{
- New: func() any {
- buf := make([]byte, size)
- return &buf
- },
- },
defaultSize: size,
}
}
@@ -160,6 +163,7 @@ type simpleBufferPool struct {
func (p *simpleBufferPool) Get(size int) *[]byte {
bs, ok := p.pool.Get().(*[]byte)
if ok && cap(*bs) >= size {
+ clear((*bs)[:cap(*bs)])
*bs = (*bs)[:size]
return bs
}
@@ -170,7 +174,14 @@ func (p *simpleBufferPool) Get(size int) *[]byte {
p.pool.Put(bs)
}
- b := make([]byte, size)
+ // If we're going to allocate, round up to the nearest page. This way if
+ // requests frequently arrive with small variation we don't allocate
+ // repeatedly if we get unlucky and they increase over time. By default we
+ // only allocate here if size > 1MiB. Because goPageSize is a power of 2, we
+ // can round up efficiently.
+ allocSize := (size + goPageSize - 1) & ^(goPageSize - 1)
+
+ b := make([]byte, size, allocSize)
return &b
}
diff --git a/vendor/google.golang.org/grpc/mem/buffer_slice.go b/vendor/google.golang.org/grpc/mem/buffer_slice.go
index 65002e2cc8..084fb19c6d 100644
--- a/vendor/google.golang.org/grpc/mem/buffer_slice.go
+++ b/vendor/google.golang.org/grpc/mem/buffer_slice.go
@@ -19,6 +19,7 @@
package mem
import (
+ "fmt"
"io"
)
@@ -117,47 +118,53 @@ func (s BufferSlice) MaterializeToBuffer(pool BufferPool) Buffer {
// Reader returns a new Reader for the input slice after taking references to
// each underlying buffer.
-func (s BufferSlice) Reader() Reader {
+func (s BufferSlice) Reader() *Reader {
s.Ref()
- return &sliceReader{
+ return &Reader{
data: s,
len: s.Len(),
}
}
// Reader exposes a BufferSlice's data as an io.Reader, allowing it to interface
-// with other parts systems. It also provides an additional convenience method
-// Remaining(), which returns the number of unread bytes remaining in the slice.
+// with other systems.
+//
// Buffers will be freed as they are read.
-type Reader interface {
- io.Reader
- io.ByteReader
- // Close frees the underlying BufferSlice and never returns an error. Subsequent
- // calls to Read will return (0, io.EOF).
- Close() error
- // Remaining returns the number of unread bytes remaining in the slice.
- Remaining() int
-}
-
-type sliceReader struct {
+//
+// A Reader can be constructed from a BufferSlice; alternatively the zero value
+// of a Reader may be used after calling Reset on it.
+type Reader struct {
data BufferSlice
len int
// The index into data[0].ReadOnlyData().
bufferIdx int
}
-func (r *sliceReader) Remaining() int {
+// Remaining returns the number of unread bytes remaining in the slice.
+func (r *Reader) Remaining() int {
return r.len
}
-func (r *sliceReader) Close() error {
+// Reset frees the currently held buffer slice and starts reading from the
+// provided slice. This allows reusing the reader object.
+func (r *Reader) Reset(s BufferSlice) {
+ r.data.Free()
+ s.Ref()
+ r.data = s
+ r.len = s.Len()
+ r.bufferIdx = 0
+}
+
+// Close frees the underlying BufferSlice and never returns an error. Subsequent
+// calls to Read will return (0, io.EOF).
+func (r *Reader) Close() error {
r.data.Free()
r.data = nil
r.len = 0
return nil
}
-func (r *sliceReader) freeFirstBufferIfEmpty() bool {
+func (r *Reader) freeFirstBufferIfEmpty() bool {
if len(r.data) == 0 || r.bufferIdx != len(r.data[0].ReadOnlyData()) {
return false
}
@@ -168,7 +175,7 @@ func (r *sliceReader) freeFirstBufferIfEmpty() bool {
return true
}
-func (r *sliceReader) Read(buf []byte) (n int, _ error) {
+func (r *Reader) Read(buf []byte) (n int, _ error) {
if r.len == 0 {
return 0, io.EOF
}
@@ -191,7 +198,8 @@ func (r *sliceReader) Read(buf []byte) (n int, _ error) {
return n, nil
}
-func (r *sliceReader) ReadByte() (byte, error) {
+// ReadByte reads a single byte.
+func (r *Reader) ReadByte() (byte, error) {
if r.len == 0 {
return 0, io.EOF
}
@@ -279,3 +287,59 @@ nextBuffer:
}
}
}
+
+// Discard skips the next n bytes, returning the number of bytes discarded.
+//
+// It frees buffers as they are fully consumed.
+//
+// If Discard skips fewer than n bytes, it also returns an error.
+func (r *Reader) Discard(n int) (discarded int, err error) {
+ total := n
+ for n > 0 && r.len > 0 {
+ curData := r.data[0].ReadOnlyData()
+ curSize := min(n, len(curData)-r.bufferIdx)
+ n -= curSize
+ r.len -= curSize
+ r.bufferIdx += curSize
+ if r.bufferIdx >= len(curData) {
+ r.data[0].Free()
+ r.data = r.data[1:]
+ r.bufferIdx = 0
+ }
+ }
+ discarded = total - n
+ if n > 0 {
+ return discarded, fmt.Errorf("insufficient bytes in reader")
+ }
+ return discarded, nil
+}
+
+// Peek returns the next n bytes without advancing the reader.
+//
+// Peek appends results to the provided res slice and returns the updated slice.
+// This pattern allows re-using the storage of res if it has sufficient
+// capacity.
+//
+// The returned subslices are views into the underlying buffers and are only
+// valid until the reader is advanced past the corresponding buffer.
+//
+// If Peek returns fewer than n bytes, it also returns an error.
+func (r *Reader) Peek(n int, res [][]byte) ([][]byte, error) {
+ for i := 0; n > 0 && i < len(r.data); i++ {
+ curData := r.data[i].ReadOnlyData()
+ start := 0
+ if i == 0 {
+ start = r.bufferIdx
+ }
+ curSize := min(n, len(curData)-start)
+ if curSize == 0 {
+ continue
+ }
+ res = append(res, curData[start:start+curSize])
+ n -= curSize
+ }
+ if n > 0 {
+ return nil, fmt.Errorf("insufficient bytes in reader")
+ }
+ return res, nil
+}
diff --git a/vendor/google.golang.org/grpc/picker_wrapper.go b/vendor/google.golang.org/grpc/picker_wrapper.go
index a2d2a798d4..aa52bfe95f 100644
--- a/vendor/google.golang.org/grpc/picker_wrapper.go
+++ b/vendor/google.golang.org/grpc/picker_wrapper.go
@@ -29,7 +29,6 @@ import (
"google.golang.org/grpc/internal/channelz"
istatus "google.golang.org/grpc/internal/status"
"google.golang.org/grpc/internal/transport"
- "google.golang.org/grpc/stats"
"google.golang.org/grpc/status"
)
@@ -48,14 +47,11 @@ type pickerGeneration struct {
// actions and unblock when there's a picker update.
type pickerWrapper struct {
// If pickerGen holds a nil pointer, the pickerWrapper is closed.
- pickerGen atomic.Pointer[pickerGeneration]
- statsHandlers []stats.Handler // to record blocking picker calls
+ pickerGen atomic.Pointer[pickerGeneration]
}
-func newPickerWrapper(statsHandlers []stats.Handler) *pickerWrapper {
- pw := &pickerWrapper{
- statsHandlers: statsHandlers,
- }
+func newPickerWrapper() *pickerWrapper {
+ pw := &pickerWrapper{}
pw.pickerGen.Store(&pickerGeneration{
blockingCh: make(chan struct{}),
})
@@ -93,6 +89,12 @@ func doneChannelzWrapper(acbw *acBalancerWrapper, result *balancer.PickResult) {
}
}
+type pick struct {
+ transport transport.ClientTransport // the selected transport
+ result balancer.PickResult // the contents of the pick from the LB policy
+ blocked bool // set if a picker call queued for a new picker
+}
+
// pick returns the transport that will be used for the RPC.
// It may block in the following cases:
// - there's no picker
@@ -100,15 +102,16 @@ func doneChannelzWrapper(acbw *acBalancerWrapper, result *balancer.PickResult) {
// - the current picker returns other errors and failfast is false.
// - the subConn returned by the current picker is not READY
// When one of these situations happens, pick blocks until the picker gets updated.
-func (pw *pickerWrapper) pick(ctx context.Context, failfast bool, info balancer.PickInfo) (transport.ClientTransport, balancer.PickResult, error) {
+func (pw *pickerWrapper) pick(ctx context.Context, failfast bool, info balancer.PickInfo) (pick, error) {
var ch chan struct{}
var lastPickErr error
+ pickBlocked := false
for {
pg := pw.pickerGen.Load()
if pg == nil {
- return nil, balancer.PickResult{}, ErrClientConnClosing
+ return pick{}, ErrClientConnClosing
}
if pg.picker == nil {
ch = pg.blockingCh
@@ -127,9 +130,9 @@ func (pw *pickerWrapper) pick(ctx context.Context, failfast bool, info balancer.
}
switch ctx.Err() {
case context.DeadlineExceeded:
- return nil, balancer.PickResult{}, status.Error(codes.DeadlineExceeded, errStr)
+ return pick{}, status.Error(codes.DeadlineExceeded, errStr)
case context.Canceled:
- return nil, balancer.PickResult{}, status.Error(codes.Canceled, errStr)
+ return pick{}, status.Error(codes.Canceled, errStr)
}
case <-ch:
}
@@ -145,9 +148,7 @@ func (pw *pickerWrapper) pick(ctx context.Context, failfast bool, info balancer.
// In the second case, the only way it will get to this conditional is
// if there is a new picker.
if ch != nil {
- for _, sh := range pw.statsHandlers {
- sh.HandleRPC(ctx, &stats.PickerUpdated{})
- }
+ pickBlocked = true
}
ch = pg.blockingCh
@@ -164,7 +165,7 @@ func (pw *pickerWrapper) pick(ctx context.Context, failfast bool, info balancer.
if istatus.IsRestrictedControlPlaneCode(st) {
err = status.Errorf(codes.Internal, "received picker error with illegal status: %v", err)
}
- return nil, balancer.PickResult{}, dropError{error: err}
+ return pick{}, dropError{error: err}
}
// For all other errors, wait for ready RPCs should block and other
// RPCs should fail with unavailable.
@@ -172,7 +173,7 @@ func (pw *pickerWrapper) pick(ctx context.Context, failfast bool, info balancer.
lastPickErr = err
continue
}
- return nil, balancer.PickResult{}, status.Error(codes.Unavailable, err.Error())
+ return pick{}, status.Error(codes.Unavailable, err.Error())
}
acbw, ok := pickResult.SubConn.(*acBalancerWrapper)
@@ -183,9 +184,8 @@ func (pw *pickerWrapper) pick(ctx context.Context, failfast bool, info balancer.
if t := acbw.ac.getReadyTransport(); t != nil {
if channelz.IsOn() {
doneChannelzWrapper(acbw, &pickResult)
- return t, pickResult, nil
}
- return t, pickResult, nil
+ return pick{transport: t, result: pickResult, blocked: pickBlocked}, nil
}
if pickResult.Done != nil {
// Calling done with nil error, no bytes sent and no bytes received.
diff --git a/vendor/google.golang.org/grpc/preloader.go b/vendor/google.golang.org/grpc/preloader.go
index ee0ff969af..1e783febf9 100644
--- a/vendor/google.golang.org/grpc/preloader.go
+++ b/vendor/google.golang.org/grpc/preloader.go
@@ -47,9 +47,6 @@ func (p *PreparedMsg) Encode(s Stream, msg any) error {
}
// check if the context has the relevant information to prepareMsg
- if rpcInfo.preloaderInfo == nil {
- return status.Errorf(codes.Internal, "grpc: rpcInfo.preloaderInfo is nil")
- }
if rpcInfo.preloaderInfo.codec == nil {
return status.Errorf(codes.Internal, "grpc: rpcInfo.preloaderInfo.codec is nil")
}
diff --git a/vendor/google.golang.org/grpc/resolver/resolver.go b/vendor/google.golang.org/grpc/resolver/resolver.go
index b84ef26d46..8e6af9514b 100644
--- a/vendor/google.golang.org/grpc/resolver/resolver.go
+++ b/vendor/google.golang.org/grpc/resolver/resolver.go
@@ -332,6 +332,11 @@ type AuthorityOverrider interface {
// OverrideAuthority returns the authority to use for a ClientConn with the
// given target. The implementation must generate it without blocking,
// typically in line, and must keep it unchanged.
+ //
+ // The returned string must be a valid ":authority" header value, i.e. be
+ // encoded according to
+ // [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#section-3.2) as
+ // necessary.
OverrideAuthority(Target) string
}
diff --git a/vendor/google.golang.org/grpc/resolver_wrapper.go b/vendor/google.golang.org/grpc/resolver_wrapper.go
index 80e16a327c..6e61376437 100644
--- a/vendor/google.golang.org/grpc/resolver_wrapper.go
+++ b/vendor/google.golang.org/grpc/resolver_wrapper.go
@@ -69,6 +69,7 @@ func (ccr *ccResolverWrapper) start() error {
errCh := make(chan error)
ccr.serializer.TrySchedule(func(ctx context.Context) {
if ctx.Err() != nil {
+ errCh <- ctx.Err()
return
}
opts := resolver.BuildOptions{
diff --git a/vendor/google.golang.org/grpc/rpc_util.go b/vendor/google.golang.org/grpc/rpc_util.go
index ad20e9dff2..8160f94304 100644
--- a/vendor/google.golang.org/grpc/rpc_util.go
+++ b/vendor/google.golang.org/grpc/rpc_util.go
@@ -33,6 +33,8 @@ import (
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/encoding"
"google.golang.org/grpc/encoding/proto"
+ "google.golang.org/grpc/internal"
+ "google.golang.org/grpc/internal/grpcutil"
"google.golang.org/grpc/internal/transport"
"google.golang.org/grpc/mem"
"google.golang.org/grpc/metadata"
@@ -41,6 +43,10 @@ import (
"google.golang.org/grpc/status"
)
+func init() {
+ internal.AcceptCompressors = acceptCompressors
+}
+
// Compressor defines the interface gRPC uses to compress a message.
//
// Deprecated: use package encoding.
@@ -151,15 +157,32 @@ func (d *gzipDecompressor) Type() string {
// callInfo contains all related configuration and information about an RPC.
type callInfo struct {
- compressorName string
- failFast bool
- maxReceiveMessageSize *int
- maxSendMessageSize *int
- creds credentials.PerRPCCredentials
- contentSubtype string
- codec baseCodec
- maxRetryRPCBufferSize int
- onFinish []func(err error)
+ compressorName string
+ failFast bool
+ maxReceiveMessageSize *int
+ maxSendMessageSize *int
+ creds credentials.PerRPCCredentials
+ contentSubtype string
+ codec baseCodec
+ maxRetryRPCBufferSize int
+ onFinish []func(err error)
+ authority string
+ acceptedResponseCompressors []string
+}
+
+func acceptedCompressorAllows(allowed []string, name string) bool {
+ if allowed == nil {
+ return true
+ }
+ if name == "" || name == encoding.Identity {
+ return true
+ }
+ for _, a := range allowed {
+ if a == name {
+ return true
+ }
+ }
+ return false
}
func defaultCallInfo() *callInfo {
@@ -169,6 +192,29 @@ func defaultCallInfo() *callInfo {
}
}
+func newAcceptedCompressionConfig(names []string) ([]string, error) {
+ if len(names) == 0 {
+ return nil, nil
+ }
+ var allowed []string
+ seen := make(map[string]struct{}, len(names))
+ for _, name := range names {
+ name = strings.TrimSpace(name)
+ if name == "" || name == encoding.Identity {
+ continue
+ }
+ if !grpcutil.IsCompressorNameRegistered(name) {
+ return nil, status.Errorf(codes.InvalidArgument, "grpc: compressor %q is not registered", name)
+ }
+ if _, dup := seen[name]; dup {
+ continue
+ }
+ seen[name] = struct{}{}
+ allowed = append(allowed, name)
+ }
+ return allowed, nil
+}
+
// CallOption configures a Call before it starts or extracts information from
// a Call after it completes.
type CallOption interface {
@@ -365,6 +411,36 @@ func (o MaxRecvMsgSizeCallOption) before(c *callInfo) error {
}
func (o MaxRecvMsgSizeCallOption) after(*callInfo, *csAttempt) {}
+// CallAuthority returns a CallOption that sets the HTTP/2 :authority header of
+// an RPC to the specified value. When using CallAuthority, the credentials in
+// use must implement the AuthorityValidator interface.
+//
+// # Experimental
+//
+// Notice: This API is EXPERIMENTAL and may be changed or removed in a later
+// release.
+func CallAuthority(authority string) CallOption {
+ return AuthorityOverrideCallOption{Authority: authority}
+}
+
+// AuthorityOverrideCallOption is a CallOption that indicates the HTTP/2
+// :authority header value to use for the call.
+//
+// # Experimental
+//
+// Notice: This type is EXPERIMENTAL and may be changed or removed in a later
+// release.
+type AuthorityOverrideCallOption struct {
+ Authority string
+}
+
+func (o AuthorityOverrideCallOption) before(c *callInfo) error {
+ c.authority = o.Authority
+ return nil
+}
+
+func (o AuthorityOverrideCallOption) after(*callInfo, *csAttempt) {}
+
// MaxCallSendMsgSize returns a CallOption which sets the maximum message size
// in bytes the client can send. If this is not set, gRPC uses the default
// `math.MaxInt32`.
@@ -440,6 +516,31 @@ func (o CompressorCallOption) before(c *callInfo) error {
}
func (o CompressorCallOption) after(*callInfo, *csAttempt) {}
+// acceptCompressors returns a CallOption that limits the compression algorithms
+// advertised in the grpc-accept-encoding header for response messages.
+// Compression algorithms not in the provided list will not be advertised, and
+// responses compressed with non-listed algorithms will be rejected.
+func acceptCompressors(names ...string) CallOption {
+ cp := append([]string(nil), names...)
+ return acceptCompressorsCallOption{names: cp}
+}
+
+// acceptCompressorsCallOption is a CallOption that limits response compression.
+type acceptCompressorsCallOption struct {
+ names []string
+}
+
+func (o acceptCompressorsCallOption) before(c *callInfo) error {
+ allowed, err := newAcceptedCompressionConfig(o.names)
+ if err != nil {
+ return err
+ }
+ c.acceptedResponseCompressors = allowed
+ return nil
+}
+
+func (acceptCompressorsCallOption) after(*callInfo, *csAttempt) {}
+
// CallContentSubtype returns a CallOption that will set the content-subtype
// for a call. For example, if content-subtype is "json", the Content-Type over
// the wire will be "application/grpc+json". The content-subtype is converted
@@ -626,8 +727,20 @@ type streamReader interface {
Read(n int) (mem.BufferSlice, error)
}
+// noCopy may be embedded into structs which must not be copied
+// after the first use.
+//
+// See https://golang.org/issues/8005#issuecomment-190753527
+// for details.
+type noCopy struct {
+}
+
+func (*noCopy) Lock() {}
+func (*noCopy) Unlock() {}
+
// parser reads complete gRPC messages from the underlying reader.
type parser struct {
+ _ noCopy
// r is the underlying reader.
// See the comment on recvMsg for the permissible
// error types.
@@ -814,8 +927,7 @@ func (p *payloadInfo) free() {
// the buffer is no longer needed.
// TODO: Refactor this function to reduce the number of arguments.
// See: https://google.github.io/styleguide/go/best-practices.html#function-argument-lists
-func recvAndDecompress(p *parser, s recvCompressor, dc Decompressor, maxReceiveMessageSize int, payInfo *payloadInfo, compressor encoding.Compressor, isServer bool,
-) (out mem.BufferSlice, err error) {
+func recvAndDecompress(p *parser, s recvCompressor, dc Decompressor, maxReceiveMessageSize int, payInfo *payloadInfo, compressor encoding.Compressor, isServer bool) (out mem.BufferSlice, err error) {
pf, compressed, err := p.recvMsg(maxReceiveMessageSize)
if err != nil {
return nil, err
@@ -918,7 +1030,7 @@ func recv(p *parser, c baseCodec, s recvCompressor, dc Decompressor, m any, maxR
// Information about RPC
type rpcInfo struct {
failfast bool
- preloaderInfo *compressorInfo
+ preloaderInfo compressorInfo
}
// Information about Preloader
@@ -937,7 +1049,7 @@ type rpcInfoContextKey struct{}
func newContextWithRPCInfo(ctx context.Context, failfast bool, codec baseCodec, cp Compressor, comp encoding.Compressor) context.Context {
return context.WithValue(ctx, rpcInfoContextKey{}, &rpcInfo{
failfast: failfast,
- preloaderInfo: &compressorInfo{
+ preloaderInfo: compressorInfo{
codec: codec,
cp: cp,
comp: comp,
diff --git a/vendor/google.golang.org/grpc/server.go b/vendor/google.golang.org/grpc/server.go
index 976e70ae06..ddd3773411 100644
--- a/vendor/google.golang.org/grpc/server.go
+++ b/vendor/google.golang.org/grpc/server.go
@@ -124,7 +124,8 @@ type serviceInfo struct {
// Server is a gRPC server to serve RPC requests.
type Server struct {
- opts serverOptions
+ opts serverOptions
+ statsHandler stats.Handler
mu sync.Mutex // guards following
lis map[net.Listener]bool
@@ -179,6 +180,7 @@ type serverOptions struct {
numServerWorkers uint32
bufferPool mem.BufferPool
waitForHandlers bool
+ staticWindowSize bool
}
var defaultServerOptions = serverOptions{
@@ -279,6 +281,7 @@ func ReadBufferSize(s int) ServerOption {
func InitialWindowSize(s int32) ServerOption {
return newFuncServerOption(func(o *serverOptions) {
o.initialWindowSize = s
+ o.staticWindowSize = true
})
}
@@ -287,6 +290,29 @@ func InitialWindowSize(s int32) ServerOption {
func InitialConnWindowSize(s int32) ServerOption {
return newFuncServerOption(func(o *serverOptions) {
o.initialConnWindowSize = s
+ o.staticWindowSize = true
+ })
+}
+
+// StaticStreamWindowSize returns a ServerOption to set the initial stream
+// window size to the value provided and disables dynamic flow control.
+// The lower bound for window size is 64K and any value smaller than that
+// will be ignored.
+func StaticStreamWindowSize(s int32) ServerOption {
+ return newFuncServerOption(func(o *serverOptions) {
+ o.initialWindowSize = s
+ o.staticWindowSize = true
+ })
+}
+
+// StaticConnWindowSize returns a ServerOption to set the initial connection
+// window size to the value provided and disables dynamic flow control.
+// The lower bound for window size is 64K and any value smaller than that
+// will be ignored.
+func StaticConnWindowSize(s int32) ServerOption {
+ return newFuncServerOption(func(o *serverOptions) {
+ o.initialConnWindowSize = s
+ o.staticWindowSize = true
})
}
@@ -667,13 +693,14 @@ func NewServer(opt ...ServerOption) *Server {
o.apply(&opts)
}
s := &Server{
- lis: make(map[net.Listener]bool),
- opts: opts,
- conns: make(map[string]map[transport.ServerTransport]bool),
- services: make(map[string]*serviceInfo),
- quit: grpcsync.NewEvent(),
- done: grpcsync.NewEvent(),
- channelz: channelz.RegisterServer(""),
+ lis: make(map[net.Listener]bool),
+ opts: opts,
+ statsHandler: istats.NewCombinedHandler(opts.statsHandlers...),
+ conns: make(map[string]map[transport.ServerTransport]bool),
+ services: make(map[string]*serviceInfo),
+ quit: grpcsync.NewEvent(),
+ done: grpcsync.NewEvent(),
+ channelz: channelz.RegisterServer(""),
}
chainUnaryServerInterceptors(s)
chainStreamServerInterceptors(s)
@@ -974,7 +1001,7 @@ func (s *Server) newHTTP2Transport(c net.Conn) transport.ServerTransport {
ConnectionTimeout: s.opts.connectionTimeout,
Credentials: s.opts.creds,
InTapHandle: s.opts.inTapHandle,
- StatsHandlers: s.opts.statsHandlers,
+ StatsHandler: s.statsHandler,
KeepaliveParams: s.opts.keepaliveParams,
KeepalivePolicy: s.opts.keepalivePolicy,
InitialWindowSize: s.opts.initialWindowSize,
@@ -986,6 +1013,7 @@ func (s *Server) newHTTP2Transport(c net.Conn) transport.ServerTransport {
MaxHeaderListSize: s.opts.maxHeaderListSize,
HeaderTableSize: s.opts.headerTableSize,
BufferPool: s.opts.bufferPool,
+ StaticWindowSize: s.opts.staticWindowSize,
}
st, err := transport.NewServerTransport(c, config)
if err != nil {
@@ -1010,18 +1038,18 @@ func (s *Server) newHTTP2Transport(c net.Conn) transport.ServerTransport {
func (s *Server) serveStreams(ctx context.Context, st transport.ServerTransport, rawConn net.Conn) {
ctx = transport.SetConnection(ctx, rawConn)
ctx = peer.NewContext(ctx, st.Peer())
- for _, sh := range s.opts.statsHandlers {
- ctx = sh.TagConn(ctx, &stats.ConnTagInfo{
+ if s.statsHandler != nil {
+ ctx = s.statsHandler.TagConn(ctx, &stats.ConnTagInfo{
RemoteAddr: st.Peer().Addr,
LocalAddr: st.Peer().LocalAddr,
})
- sh.HandleConn(ctx, &stats.ConnBegin{})
+ s.statsHandler.HandleConn(ctx, &stats.ConnBegin{})
}
defer func() {
st.Close(errors.New("finished serving streams for the server transport"))
- for _, sh := range s.opts.statsHandlers {
- sh.HandleConn(ctx, &stats.ConnEnd{})
+ if s.statsHandler != nil {
+ s.statsHandler.HandleConn(ctx, &stats.ConnEnd{})
}
}()
@@ -1078,7 +1106,7 @@ var _ http.Handler = (*Server)(nil)
// Notice: This API is EXPERIMENTAL and may be changed or removed in a
// later release.
func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
- st, err := transport.NewServerHandlerTransport(w, r, s.opts.statsHandlers, s.opts.bufferPool)
+ st, err := transport.NewServerHandlerTransport(w, r, s.statsHandler, s.opts.bufferPool)
if err != nil {
// Errors returned from transport.NewServerHandlerTransport have
// already been written to w.
@@ -1172,12 +1200,8 @@ func (s *Server) sendResponse(ctx context.Context, stream *transport.ServerStrea
return status.Errorf(codes.ResourceExhausted, "grpc: trying to send message larger than max (%d vs. %d)", payloadLen, s.opts.maxSendMessageSize)
}
err = stream.Write(hdr, payload, opts)
- if err == nil {
- if len(s.opts.statsHandlers) != 0 {
- for _, sh := range s.opts.statsHandlers {
- sh.HandleRPC(ctx, outPayload(false, msg, dataLen, payloadLen, time.Now()))
- }
- }
+ if err == nil && s.statsHandler != nil {
+ s.statsHandler.HandleRPC(ctx, outPayload(false, msg, dataLen, payloadLen, time.Now()))
}
return err
}
@@ -1219,16 +1243,15 @@ func getChainUnaryHandler(interceptors []UnaryServerInterceptor, curr int, info
}
func (s *Server) processUnaryRPC(ctx context.Context, stream *transport.ServerStream, info *serviceInfo, md *MethodDesc, trInfo *traceInfo) (err error) {
- shs := s.opts.statsHandlers
- if len(shs) != 0 || trInfo != nil || channelz.IsOn() {
+ sh := s.statsHandler
+ if sh != nil || trInfo != nil || channelz.IsOn() {
if channelz.IsOn() {
s.incrCallsStarted()
}
var statsBegin *stats.Begin
- for _, sh := range shs {
- beginTime := time.Now()
+ if sh != nil {
statsBegin = &stats.Begin{
- BeginTime: beginTime,
+ BeginTime: time.Now(),
IsClientStream: false,
IsServerStream: false,
}
@@ -1256,7 +1279,7 @@ func (s *Server) processUnaryRPC(ctx context.Context, stream *transport.ServerSt
trInfo.tr.Finish()
}
- for _, sh := range shs {
+ if sh != nil {
end := &stats.End{
BeginTime: statsBegin.BeginTime,
EndTime: time.Now(),
@@ -1353,7 +1376,7 @@ func (s *Server) processUnaryRPC(ctx context.Context, stream *transport.ServerSt
}
var payInfo *payloadInfo
- if len(shs) != 0 || len(binlogs) != 0 {
+ if sh != nil || len(binlogs) != 0 {
payInfo = &payloadInfo{}
defer payInfo.free()
}
@@ -1379,7 +1402,7 @@ func (s *Server) processUnaryRPC(ctx context.Context, stream *transport.ServerSt
return status.Errorf(codes.Internal, "grpc: error unmarshalling request: %v", err)
}
- for _, sh := range shs {
+ if sh != nil {
sh.HandleRPC(ctx, &stats.InPayload{
RecvTime: time.Now(),
Payload: v,
@@ -1553,32 +1576,30 @@ func (s *Server) processStreamingRPC(ctx context.Context, stream *transport.Serv
if channelz.IsOn() {
s.incrCallsStarted()
}
- shs := s.opts.statsHandlers
+ sh := s.statsHandler
var statsBegin *stats.Begin
- if len(shs) != 0 {
- beginTime := time.Now()
+ if sh != nil {
statsBegin = &stats.Begin{
- BeginTime: beginTime,
+ BeginTime: time.Now(),
IsClientStream: sd.ClientStreams,
IsServerStream: sd.ServerStreams,
}
- for _, sh := range shs {
- sh.HandleRPC(ctx, statsBegin)
- }
+ sh.HandleRPC(ctx, statsBegin)
}
ctx = NewContextWithServerTransportStream(ctx, stream)
ss := &serverStream{
ctx: ctx,
s: stream,
- p: &parser{r: stream, bufferPool: s.opts.bufferPool},
+ p: parser{r: stream, bufferPool: s.opts.bufferPool},
codec: s.getCodec(stream.ContentSubtype()),
+ desc: sd,
maxReceiveMessageSize: s.opts.maxReceiveMessageSize,
maxSendMessageSize: s.opts.maxSendMessageSize,
trInfo: trInfo,
- statsHandler: shs,
+ statsHandler: sh,
}
- if len(shs) != 0 || trInfo != nil || channelz.IsOn() {
+ if sh != nil || trInfo != nil || channelz.IsOn() {
// See comment in processUnaryRPC on defers.
defer func() {
if trInfo != nil {
@@ -1592,7 +1613,7 @@ func (s *Server) processStreamingRPC(ctx context.Context, stream *transport.Serv
ss.mu.Unlock()
}
- if len(shs) != 0 {
+ if sh != nil {
end := &stats.End{
BeginTime: statsBegin.BeginTime,
EndTime: time.Now(),
@@ -1600,9 +1621,7 @@ func (s *Server) processStreamingRPC(ctx context.Context, stream *transport.Serv
if err != nil && err != io.EOF {
end.Error = toRPCErr(err)
}
- for _, sh := range shs {
- sh.HandleRPC(ctx, end)
- }
+ sh.HandleRPC(ctx, end)
}
if channelz.IsOn() {
@@ -1791,19 +1810,17 @@ func (s *Server) handleStream(t transport.ServerTransport, stream *transport.Ser
method := sm[pos+1:]
// FromIncomingContext is expensive: skip if there are no statsHandlers
- if len(s.opts.statsHandlers) > 0 {
+ if s.statsHandler != nil {
md, _ := metadata.FromIncomingContext(ctx)
- for _, sh := range s.opts.statsHandlers {
- ctx = sh.TagRPC(ctx, &stats.RPCTagInfo{FullMethodName: stream.Method()})
- sh.HandleRPC(ctx, &stats.InHeader{
- FullMethod: stream.Method(),
- RemoteAddr: t.Peer().Addr,
- LocalAddr: t.Peer().LocalAddr,
- Compression: stream.RecvCompress(),
- WireLength: stream.HeaderWireLength(),
- Header: md,
- })
- }
+ ctx = s.statsHandler.TagRPC(ctx, &stats.RPCTagInfo{FullMethodName: stream.Method()})
+ s.statsHandler.HandleRPC(ctx, &stats.InHeader{
+ FullMethod: stream.Method(),
+ RemoteAddr: t.Peer().Addr,
+ LocalAddr: t.Peer().LocalAddr,
+ Compression: stream.RecvCompress(),
+ WireLength: stream.HeaderWireLength(),
+ Header: md,
+ })
}
// To have calls in stream callouts work. Will delete once all stats handler
// calls come from the gRPC layer.
diff --git a/vendor/google.golang.org/grpc/stats/handlers.go b/vendor/google.golang.org/grpc/stats/handlers.go
index dc03731e45..67194a592f 100644
--- a/vendor/google.golang.org/grpc/stats/handlers.go
+++ b/vendor/google.golang.org/grpc/stats/handlers.go
@@ -38,6 +38,15 @@ type RPCTagInfo struct {
// FailFast indicates if this RPC is failfast.
// This field is only valid on client side, it's always false on server side.
FailFast bool
+ // NameResolutionDelay indicates if the RPC needed to wait for the
+ // initial name resolver update before it could begin. This should only
+ // happen if the channel is IDLE when the RPC is started. Note that
+ // all retry or hedging attempts for an RPC that experienced a delay
+ // will have it set.
+ //
+ // This field is only valid on the client side; it is always false on
+ // the server side.
+ NameResolutionDelay bool
}
// Handler defines the interface for the related stats handling (e.g., RPCs, connections).
diff --git a/vendor/google.golang.org/grpc/stats/stats.go b/vendor/google.golang.org/grpc/stats/stats.go
index baf7740efb..10bf998aa5 100644
--- a/vendor/google.golang.org/grpc/stats/stats.go
+++ b/vendor/google.golang.org/grpc/stats/stats.go
@@ -64,15 +64,21 @@ func (s *Begin) IsClient() bool { return s.Client }
func (s *Begin) isRPCStats() {}
-// PickerUpdated indicates that the LB policy provided a new picker while the
-// RPC was waiting for one.
-type PickerUpdated struct{}
+// DelayedPickComplete indicates that the RPC is unblocked following a delay in
+// selecting a connection for the call.
+type DelayedPickComplete struct{}
-// IsClient indicates if the stats information is from client side. Only Client
-// Side interfaces with a Picker, thus always returns true.
-func (*PickerUpdated) IsClient() bool { return true }
+// IsClient indicates DelayedPickComplete is available on the client.
+func (*DelayedPickComplete) IsClient() bool { return true }
-func (*PickerUpdated) isRPCStats() {}
+func (*DelayedPickComplete) isRPCStats() {}
+
+// PickerUpdated indicates that the RPC is unblocked following a delay in
+// selecting a connection for the call.
+//
+// Deprecated: will be removed in a future release; use DelayedPickComplete
+// instead.
+type PickerUpdated = DelayedPickComplete
// InPayload contains stats about an incoming payload.
type InPayload struct {
diff --git a/vendor/google.golang.org/grpc/stream.go b/vendor/google.golang.org/grpc/stream.go
index 12163150ba..ec9577b278 100644
--- a/vendor/google.golang.org/grpc/stream.go
+++ b/vendor/google.golang.org/grpc/stream.go
@@ -25,6 +25,7 @@ import (
"math"
rand "math/rand/v2"
"strconv"
+ "strings"
"sync"
"time"
@@ -101,9 +102,9 @@ type ClientStream interface {
// It must only be called after stream.CloseAndRecv has returned, or
// stream.Recv has returned a non-nil error (including io.EOF).
Trailer() metadata.MD
- // CloseSend closes the send direction of the stream. It closes the stream
- // when non-nil error is met. It is also not safe to call CloseSend
- // concurrently with SendMsg.
+ // CloseSend closes the send direction of the stream. This method always
+ // returns a nil error. The status of the stream may be discovered using
+ // RecvMsg. It is also not safe to call CloseSend concurrently with SendMsg.
CloseSend() error
// Context returns the context for this stream.
//
@@ -177,13 +178,43 @@ func NewClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
return cc.NewStream(ctx, desc, method, opts...)
}
+var emptyMethodConfig = serviceconfig.MethodConfig{}
+
+// endOfClientStream performs cleanup actions required for both successful and
+// failed streams. This includes incrementing channelz stats and invoking all
+// registered OnFinish call options.
+func endOfClientStream(cc *ClientConn, err error, opts ...CallOption) {
+ if channelz.IsOn() {
+ if err != nil {
+ cc.incrCallsFailed()
+ } else {
+ cc.incrCallsSucceeded()
+ }
+ }
+
+ for _, o := range opts {
+ if o, ok := o.(OnFinishCallOption); ok {
+ o.OnFinish(err)
+ }
+ }
+}
+
func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, method string, opts ...CallOption) (_ ClientStream, err error) {
+ if channelz.IsOn() {
+ cc.incrCallsStarted()
+ }
+ defer func() {
+ if err != nil {
+ // Ensure cleanup when stream creation fails.
+ endOfClientStream(cc, err, opts...)
+ }
+ }()
+
// Start tracking the RPC for idleness purposes. This is where a stream is
// created for both streaming and unary RPCs, and hence is a good place to
// track active RPC count.
- if err := cc.idlenessMgr.OnCallBegin(); err != nil {
- return nil, err
- }
+ cc.idlenessMgr.OnCallBegin()
+
// Add a calloption, to decrement the active call count, that gets executed
// when the RPC completes.
opts = append([]CallOption{OnFinish(func(error) { cc.idlenessMgr.OnCallEnd() })}, opts...)
@@ -202,24 +233,17 @@ func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
}
}
}
- if channelz.IsOn() {
- cc.incrCallsStarted()
- defer func() {
- if err != nil {
- cc.incrCallsFailed()
- }
- }()
- }
// Provide an opportunity for the first RPC to see the first service config
// provided by the resolver.
- if err := cc.waitForResolvedAddrs(ctx); err != nil {
+ nameResolutionDelayed, err := cc.waitForResolvedAddrs(ctx)
+ if err != nil {
return nil, err
}
- var mc serviceconfig.MethodConfig
+ mc := &emptyMethodConfig
var onCommit func()
newStream := func(ctx context.Context, done func()) (iresolver.ClientStream, error) {
- return newClientStreamWithParams(ctx, desc, cc, method, mc, onCommit, done, opts...)
+ return newClientStreamWithParams(ctx, desc, cc, method, mc, onCommit, done, nameResolutionDelayed, opts...)
}
rpcInfo := iresolver.RPCInfo{Context: ctx, Method: method}
@@ -239,7 +263,7 @@ func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
if rpcConfig.Context != nil {
ctx = rpcConfig.Context
}
- mc = rpcConfig.MethodConfig
+ mc = &rpcConfig.MethodConfig
onCommit = rpcConfig.OnCommitted
if rpcConfig.Interceptor != nil {
rpcInfo.Context = nil
@@ -257,7 +281,7 @@ func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
return newStream(ctx, func() {})
}
-func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *ClientConn, method string, mc serviceconfig.MethodConfig, onCommit, doneFunc func(), opts ...CallOption) (_ iresolver.ClientStream, err error) {
+func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *ClientConn, method string, mc *serviceconfig.MethodConfig, onCommit, doneFunc func(), nameResolutionDelayed bool, opts ...CallOption) (_ iresolver.ClientStream, err error) {
callInfo := defaultCallInfo()
if mc.WaitForReady != nil {
callInfo.failFast = !*mc.WaitForReady
@@ -296,6 +320,11 @@ func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *Client
Method: method,
ContentSubtype: callInfo.contentSubtype,
DoneFunc: doneFunc,
+ Authority: callInfo.authority,
+ }
+ if allowed := callInfo.acceptedResponseCompressors; len(allowed) > 0 {
+ headerValue := strings.Join(allowed, ",")
+ callHdr.AcceptedCompressors = &headerValue
}
// Set our outgoing compression according to the UseCompressor CallOption, if
@@ -321,19 +350,20 @@ func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *Client
}
cs := &clientStream{
- callHdr: callHdr,
- ctx: ctx,
- methodConfig: &mc,
- opts: opts,
- callInfo: callInfo,
- cc: cc,
- desc: desc,
- codec: callInfo.codec,
- compressorV0: compressorV0,
- compressorV1: compressorV1,
- cancel: cancel,
- firstAttempt: true,
- onCommit: onCommit,
+ callHdr: callHdr,
+ ctx: ctx,
+ methodConfig: mc,
+ opts: opts,
+ callInfo: callInfo,
+ cc: cc,
+ desc: desc,
+ codec: callInfo.codec,
+ compressorV0: compressorV0,
+ compressorV1: compressorV1,
+ cancel: cancel,
+ firstAttempt: true,
+ onCommit: onCommit,
+ nameResolutionDelay: nameResolutionDelayed,
}
if !cc.dopts.disableRetry {
cs.retryThrottler = cc.retryThrottler.Load().(*retryThrottler)
@@ -415,19 +445,21 @@ func (cs *clientStream) newAttemptLocked(isTransparent bool) (*csAttempt, error)
ctx := newContextWithRPCInfo(cs.ctx, cs.callInfo.failFast, cs.callInfo.codec, cs.compressorV0, cs.compressorV1)
method := cs.callHdr.Method
var beginTime time.Time
- shs := cs.cc.dopts.copts.StatsHandlers
- for _, sh := range shs {
- ctx = sh.TagRPC(ctx, &stats.RPCTagInfo{FullMethodName: method, FailFast: cs.callInfo.failFast})
+ sh := cs.cc.statsHandler
+ if sh != nil {
beginTime = time.Now()
- begin := &stats.Begin{
+ ctx = sh.TagRPC(ctx, &stats.RPCTagInfo{
+ FullMethodName: method, FailFast: cs.callInfo.failFast,
+ NameResolutionDelay: cs.nameResolutionDelay,
+ })
+ sh.HandleRPC(ctx, &stats.Begin{
Client: true,
BeginTime: beginTime,
FailFast: cs.callInfo.failFast,
IsClientStream: cs.desc.ClientStreams,
IsServerStream: cs.desc.ServerStreams,
IsTransparentRetryAttempt: isTransparent,
- }
- sh.HandleRPC(ctx, begin)
+ })
}
var trInfo *traceInfo
@@ -458,7 +490,7 @@ func (cs *clientStream) newAttemptLocked(isTransparent bool) (*csAttempt, error)
beginTime: beginTime,
cs: cs,
decompressorV0: cs.cc.dopts.dc,
- statsHandlers: shs,
+ statsHandler: sh,
trInfo: trInfo,
}, nil
}
@@ -466,8 +498,9 @@ func (cs *clientStream) newAttemptLocked(isTransparent bool) (*csAttempt, error)
func (a *csAttempt) getTransport() error {
cs := a.cs
- var err error
- a.transport, a.pickResult, err = cs.cc.getTransport(a.ctx, cs.callInfo.failFast, cs.callHdr.Method)
+ pickInfo := balancer.PickInfo{Ctx: a.ctx, FullMethodName: cs.callHdr.Method}
+ pick, err := cs.cc.pickerWrapper.pick(a.ctx, cs.callInfo.failFast, pickInfo)
+ a.transport, a.pickResult = pick.transport, pick.result
if err != nil {
if de, ok := err.(dropError); ok {
err = de.error
@@ -476,7 +509,10 @@ func (a *csAttempt) getTransport() error {
return err
}
if a.trInfo != nil {
- a.trInfo.firstLine.SetRemoteAddr(a.transport.RemoteAddr())
+ a.trInfo.firstLine.SetRemoteAddr(a.transport.Peer().Addr)
+ }
+ if pick.blocked && a.statsHandler != nil {
+ a.statsHandler.HandleRPC(a.ctx, &stats.DelayedPickComplete{})
}
return nil
}
@@ -520,7 +556,7 @@ func (a *csAttempt) newStream() error {
}
a.transportStream = s
a.ctx = s.Context()
- a.parser = &parser{r: s, bufferPool: a.cs.cc.dopts.copts.BufferPool}
+ a.parser = parser{r: s, bufferPool: a.cs.cc.dopts.copts.BufferPool}
return nil
}
@@ -540,6 +576,8 @@ type clientStream struct {
sentLast bool // sent an end stream
+ receivedFirstMsg bool // set after the first message is received
+
methodConfig *MethodConfig
ctx context.Context // the application's context, wrapped by stats/tracing
@@ -573,6 +611,9 @@ type clientStream struct {
onCommit func()
replayBuffer []replayOp // operations to replay on retry
replayBufferSize int // current size of replayBuffer
+ // nameResolutionDelay indicates if there was a delay in the name resolution.
+ // This field is only valid on client side, it's always false on server side.
+ nameResolutionDelay bool
}
type replayOp struct {
@@ -587,7 +628,7 @@ type csAttempt struct {
cs *clientStream
transport transport.ClientTransport
transportStream *transport.ClientStream
- parser *parser
+ parser parser
pickResult balancer.PickResult
finished bool
@@ -601,8 +642,8 @@ type csAttempt struct {
// and cleared when the finish method is called.
trInfo *traceInfo
- statsHandlers []stats.Handler
- beginTime time.Time
+ statsHandler stats.Handler
+ beginTime time.Time
// set for newStream errors that may be transparently retried
allowTransparentRetry bool
@@ -987,7 +1028,7 @@ func (cs *clientStream) RecvMsg(m any) error {
func (cs *clientStream) CloseSend() error {
if cs.sentLast {
- // TODO: return an error and finish the stream instead, due to API misuse?
+ // Return a nil error on repeated calls to this method.
return nil
}
cs.sentLast = true
@@ -1008,7 +1049,10 @@ func (cs *clientStream) CloseSend() error {
binlog.Log(cs.ctx, chc)
}
}
- // We never returned an error here for reasons.
+ // We don't return an error here as we expect users to read all messages
+ // from the stream and get the RPC status from RecvMsg(). Note that
+ // SendMsg() must return an error when one occurs so the application
+ // knows to stop sending messages, but that does not apply here.
return nil
}
@@ -1023,9 +1067,6 @@ func (cs *clientStream) finish(err error) {
return
}
cs.finished = true
- for _, onFinish := range cs.callInfo.onFinish {
- onFinish(err)
- }
cs.commitAttemptLocked()
if cs.attempt != nil {
cs.attempt.finish(err)
@@ -1065,13 +1106,7 @@ func (cs *clientStream) finish(err error) {
if err == nil {
cs.retryThrottler.successfulRPC()
}
- if channelz.IsOn() {
- if err != nil {
- cs.cc.incrCallsFailed()
- } else {
- cs.cc.incrCallsSucceeded()
- }
- }
+ endOfClientStream(cs.cc, err, cs.opts...)
cs.cancel()
}
@@ -1093,17 +1128,15 @@ func (a *csAttempt) sendMsg(m any, hdr []byte, payld mem.BufferSlice, dataLength
}
return io.EOF
}
- if len(a.statsHandlers) != 0 {
- for _, sh := range a.statsHandlers {
- sh.HandleRPC(a.ctx, outPayload(true, m, dataLength, payloadLength, time.Now()))
- }
+ if a.statsHandler != nil {
+ a.statsHandler.HandleRPC(a.ctx, outPayload(true, m, dataLength, payloadLength, time.Now()))
}
return nil
}
func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
cs := a.cs
- if len(a.statsHandlers) != 0 && payInfo == nil {
+ if a.statsHandler != nil && payInfo == nil {
payInfo = &payloadInfo{}
defer payInfo.free()
}
@@ -1117,6 +1150,10 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
a.decompressorV0 = nil
a.decompressorV1 = encoding.GetCompressor(ct)
}
+ // Validate that the compression method is acceptable for this call.
+ if !acceptedCompressorAllows(cs.callInfo.acceptedResponseCompressors, ct) {
+ return status.Errorf(codes.Internal, "grpc: peer compressed the response with %q which is not allowed by AcceptCompressors", ct)
+ }
} else {
// No compression is used; disable our decompressor.
a.decompressorV0 = nil
@@ -1124,16 +1161,21 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
// Only initialize this state once per stream.
a.decompressorSet = true
}
- if err := recv(a.parser, cs.codec, a.transportStream, a.decompressorV0, m, *cs.callInfo.maxReceiveMessageSize, payInfo, a.decompressorV1, false); err != nil {
+ if err := recv(&a.parser, cs.codec, a.transportStream, a.decompressorV0, m, *cs.callInfo.maxReceiveMessageSize, payInfo, a.decompressorV1, false); err != nil {
if err == io.EOF {
if statusErr := a.transportStream.Status().Err(); statusErr != nil {
return statusErr
}
+ // Received no msg and status OK for non-server streaming rpcs.
+ if !cs.desc.ServerStreams && !cs.receivedFirstMsg {
+ return status.Error(codes.Internal, "cardinality violation: received no response message from non-server-streaming RPC")
+ }
return io.EOF // indicates successful end of stream.
}
return toRPCErr(err)
}
+ cs.receivedFirstMsg = true
if a.trInfo != nil {
a.mu.Lock()
if a.trInfo.tr != nil {
@@ -1141,8 +1183,8 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
}
a.mu.Unlock()
}
- for _, sh := range a.statsHandlers {
- sh.HandleRPC(a.ctx, &stats.InPayload{
+ if a.statsHandler != nil {
+ a.statsHandler.HandleRPC(a.ctx, &stats.InPayload{
Client: true,
RecvTime: time.Now(),
Payload: m,
@@ -1157,12 +1199,12 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
}
// Special handling for non-server-stream rpcs.
// This recv expects EOF or errors, so we don't collect inPayload.
- if err := recv(a.parser, cs.codec, a.transportStream, a.decompressorV0, m, *cs.callInfo.maxReceiveMessageSize, nil, a.decompressorV1, false); err == io.EOF {
+ if err := recv(&a.parser, cs.codec, a.transportStream, a.decompressorV0, m, *cs.callInfo.maxReceiveMessageSize, nil, a.decompressorV1, false); err == io.EOF {
return a.transportStream.Status().Err() // non-server streaming Recv returns nil on success
} else if err != nil {
return toRPCErr(err)
}
- return toRPCErr(errors.New("grpc: client streaming protocol violation: get , want "))
+ return status.Error(codes.Internal, "cardinality violation: expected for non server-streaming RPCs, but received another message")
}
func (a *csAttempt) finish(err error) {
@@ -1195,15 +1237,14 @@ func (a *csAttempt) finish(err error) {
ServerLoad: balancerload.Parse(tr),
})
}
- for _, sh := range a.statsHandlers {
- end := &stats.End{
+ if a.statsHandler != nil {
+ a.statsHandler.HandleRPC(a.ctx, &stats.End{
Client: true,
BeginTime: a.beginTime,
EndTime: time.Now(),
Trailer: tr,
Error: err,
- }
- sh.HandleRPC(a.ctx, end)
+ })
}
if a.trInfo != nil && a.trInfo.tr != nil {
if err == nil {
@@ -1309,7 +1350,7 @@ func newNonRetryClientStream(ctx context.Context, desc *StreamDesc, method strin
return nil, err
}
as.transportStream = s
- as.parser = &parser{r: s, bufferPool: ac.dopts.copts.BufferPool}
+ as.parser = parser{r: s, bufferPool: ac.dopts.copts.BufferPool}
ac.incrCallsStarted()
if desc != unaryStreamDesc {
// Listen on stream context to cleanup when the stream context is
@@ -1344,6 +1385,7 @@ type addrConnStream struct {
transport transport.ClientTransport
ctx context.Context
sentLast bool
+ receivedFirstMsg bool
desc *StreamDesc
codec baseCodec
sendCompressorV0 Compressor
@@ -1351,7 +1393,7 @@ type addrConnStream struct {
decompressorSet bool
decompressorV0 Decompressor
decompressorV1 encoding.Compressor
- parser *parser
+ parser parser
// mu guards finished and is held for the entire finish method.
mu sync.Mutex
@@ -1372,7 +1414,7 @@ func (as *addrConnStream) Trailer() metadata.MD {
func (as *addrConnStream) CloseSend() error {
if as.sentLast {
- // TODO: return an error and finish the stream instead, due to API misuse?
+ // Return a nil error on repeated calls to this method.
return nil
}
as.sentLast = true
@@ -1457,6 +1499,10 @@ func (as *addrConnStream) RecvMsg(m any) (err error) {
as.decompressorV0 = nil
as.decompressorV1 = encoding.GetCompressor(ct)
}
+ // Validate that the compression method is acceptable for this call.
+ if !acceptedCompressorAllows(as.callInfo.acceptedResponseCompressors, ct) {
+ return status.Errorf(codes.Internal, "grpc: peer compressed the response with %q which is not allowed by AcceptCompressors", ct)
+ }
} else {
// No compression is used; disable our decompressor.
as.decompressorV0 = nil
@@ -1464,15 +1510,20 @@ func (as *addrConnStream) RecvMsg(m any) (err error) {
// Only initialize this state once per stream.
as.decompressorSet = true
}
- if err := recv(as.parser, as.codec, as.transportStream, as.decompressorV0, m, *as.callInfo.maxReceiveMessageSize, nil, as.decompressorV1, false); err != nil {
+ if err := recv(&as.parser, as.codec, as.transportStream, as.decompressorV0, m, *as.callInfo.maxReceiveMessageSize, nil, as.decompressorV1, false); err != nil {
if err == io.EOF {
if statusErr := as.transportStream.Status().Err(); statusErr != nil {
return statusErr
}
+ // Received no msg and status OK for non-server streaming rpcs.
+ if !as.desc.ServerStreams && !as.receivedFirstMsg {
+ return status.Error(codes.Internal, "cardinality violation: received no response message from non-server-streaming RPC")
+ }
return io.EOF // indicates successful end of stream.
}
return toRPCErr(err)
}
+ as.receivedFirstMsg = true
if as.desc.ServerStreams {
// Subsequent messages should be received by subsequent RecvMsg calls.
@@ -1481,12 +1532,12 @@ func (as *addrConnStream) RecvMsg(m any) (err error) {
// Special handling for non-server-stream rpcs.
// This recv expects EOF or errors, so we don't collect inPayload.
- if err := recv(as.parser, as.codec, as.transportStream, as.decompressorV0, m, *as.callInfo.maxReceiveMessageSize, nil, as.decompressorV1, false); err == io.EOF {
+ if err := recv(&as.parser, as.codec, as.transportStream, as.decompressorV0, m, *as.callInfo.maxReceiveMessageSize, nil, as.decompressorV1, false); err == io.EOF {
return as.transportStream.Status().Err() // non-server streaming Recv returns nil on success
} else if err != nil {
return toRPCErr(err)
}
- return toRPCErr(errors.New("grpc: client streaming protocol violation: get , want "))
+ return status.Error(codes.Internal, "cardinality violation: expected for non server-streaming RPCs, but received another message")
}
func (as *addrConnStream) finish(err error) {
@@ -1569,8 +1620,9 @@ type ServerStream interface {
type serverStream struct {
ctx context.Context
s *transport.ServerStream
- p *parser
+ p parser
codec baseCodec
+ desc *StreamDesc
compressorV0 Compressor
compressorV1 encoding.Compressor
@@ -1579,11 +1631,13 @@ type serverStream struct {
sendCompressorName string
+ recvFirstMsg bool // set after the first message is received
+
maxReceiveMessageSize int
maxSendMessageSize int
trInfo *traceInfo
- statsHandler []stats.Handler
+ statsHandler stats.Handler
binlogs []binarylog.MethodLogger
// serverHeaderBinlogged indicates whether server header has been logged. It
@@ -1719,10 +1773,8 @@ func (ss *serverStream) SendMsg(m any) (err error) {
binlog.Log(ss.ctx, sm)
}
}
- if len(ss.statsHandler) != 0 {
- for _, sh := range ss.statsHandler {
- sh.HandleRPC(ss.s.Context(), outPayload(false, m, dataLen, payloadLen, time.Now()))
- }
+ if ss.statsHandler != nil {
+ ss.statsHandler.HandleRPC(ss.s.Context(), outPayload(false, m, dataLen, payloadLen, time.Now()))
}
return nil
}
@@ -1753,11 +1805,11 @@ func (ss *serverStream) RecvMsg(m any) (err error) {
}
}()
var payInfo *payloadInfo
- if len(ss.statsHandler) != 0 || len(ss.binlogs) != 0 {
+ if ss.statsHandler != nil || len(ss.binlogs) != 0 {
payInfo = &payloadInfo{}
defer payInfo.free()
}
- if err := recv(ss.p, ss.codec, ss.s, ss.decompressorV0, m, ss.maxReceiveMessageSize, payInfo, ss.decompressorV1, true); err != nil {
+ if err := recv(&ss.p, ss.codec, ss.s, ss.decompressorV0, m, ss.maxReceiveMessageSize, payInfo, ss.decompressorV1, true); err != nil {
if err == io.EOF {
if len(ss.binlogs) != 0 {
chc := &binarylog.ClientHalfClose{}
@@ -1765,6 +1817,10 @@ func (ss *serverStream) RecvMsg(m any) (err error) {
binlog.Log(ss.ctx, chc)
}
}
+ // Received no request msg for non-client streaming rpcs.
+ if !ss.desc.ClientStreams && !ss.recvFirstMsg {
+ return status.Error(codes.Internal, "cardinality violation: received no request message from non-client-streaming RPC")
+ }
return err
}
if err == io.ErrUnexpectedEOF {
@@ -1772,16 +1828,15 @@ func (ss *serverStream) RecvMsg(m any) (err error) {
}
return toRPCErr(err)
}
- if len(ss.statsHandler) != 0 {
- for _, sh := range ss.statsHandler {
- sh.HandleRPC(ss.s.Context(), &stats.InPayload{
- RecvTime: time.Now(),
- Payload: m,
- Length: payInfo.uncompressedBytes.Len(),
- WireLength: payInfo.compressedLength + headerLen,
- CompressedLength: payInfo.compressedLength,
- })
- }
+ ss.recvFirstMsg = true
+ if ss.statsHandler != nil {
+ ss.statsHandler.HandleRPC(ss.s.Context(), &stats.InPayload{
+ RecvTime: time.Now(),
+ Payload: m,
+ Length: payInfo.uncompressedBytes.Len(),
+ WireLength: payInfo.compressedLength + headerLen,
+ CompressedLength: payInfo.compressedLength,
+ })
}
if len(ss.binlogs) != 0 {
cm := &binarylog.ClientMessage{
@@ -1791,7 +1846,19 @@ func (ss *serverStream) RecvMsg(m any) (err error) {
binlog.Log(ss.ctx, cm)
}
}
- return nil
+
+ if ss.desc.ClientStreams {
+ // Subsequent messages should be received by subsequent RecvMsg calls.
+ return nil
+ }
+ // Special handling for non-client-stream rpcs.
+ // This recv expects EOF or errors, so we don't collect inPayload.
+ if err := recv(&ss.p, ss.codec, ss.s, ss.decompressorV0, m, ss.maxReceiveMessageSize, nil, ss.decompressorV1, true); err == io.EOF {
+ return nil
+ } else if err != nil {
+ return err
+ }
+ return status.Error(codes.Internal, "cardinality violation: received multiple request messages for non-client-streaming RPC")
}
// MethodFromServerStream returns the method string for the input stream.
diff --git a/vendor/google.golang.org/grpc/version.go b/vendor/google.golang.org/grpc/version.go
index 2bae4db890..ff7840fd8e 100644
--- a/vendor/google.golang.org/grpc/version.go
+++ b/vendor/google.golang.org/grpc/version.go
@@ -19,4 +19,4 @@
package grpc
// Version is the current grpc version.
-const Version = "1.72.2"
+const Version = "1.78.0"
diff --git a/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go b/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go
index 669133d04d..c96e448346 100644
--- a/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go
+++ b/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go
@@ -32,7 +32,7 @@ var byteType = reflect.TypeOf(byte(0))
func Unmarshal(tag string, goType reflect.Type, evs protoreflect.EnumValueDescriptors) protoreflect.FieldDescriptor {
f := new(filedesc.Field)
f.L0.ParentFile = filedesc.SurrogateProto2
- f.L1.EditionFeatures = f.L0.ParentFile.L1.EditionFeatures
+ packed := false
for len(tag) > 0 {
i := strings.IndexByte(tag, ',')
if i < 0 {
@@ -108,7 +108,7 @@ func Unmarshal(tag string, goType reflect.Type, evs protoreflect.EnumValueDescri
f.L1.StringName.InitJSON(jsonName)
}
case s == "packed":
- f.L1.EditionFeatures.IsPacked = true
+ packed = true
case strings.HasPrefix(s, "def="):
// The default tag is special in that everything afterwards is the
// default regardless of the presence of commas.
@@ -121,6 +121,13 @@ func Unmarshal(tag string, goType reflect.Type, evs protoreflect.EnumValueDescri
tag = strings.TrimPrefix(tag[i:], ",")
}
+ // Update EditionFeatures after the loop and after we know whether this is
+ // a proto2 or proto3 field.
+ f.L1.EditionFeatures = f.L0.ParentFile.L1.EditionFeatures
+ if packed {
+ f.L1.EditionFeatures.IsPacked = true
+ }
+
// The generator uses the group message name instead of the field name.
// We obtain the real field name by lowercasing the group name.
if f.L1.Kind == protoreflect.GroupKind {
diff --git a/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go
index 099b2bf451..9aa7a9bb77 100644
--- a/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go
+++ b/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go
@@ -424,27 +424,34 @@ func (d *Decoder) parseFieldName() (tok Token, err error) {
return Token{}, d.newSyntaxError("invalid field name: %s", errId(d.in))
}
-// parseTypeName parses Any type URL or extension field name. The name is
-// enclosed in [ and ] characters. The C++ parser does not handle many legal URL
-// strings. This implementation is more liberal and allows for the pattern
-// ^[-_a-zA-Z0-9]+([./][-_a-zA-Z0-9]+)*`). Whitespaces and comments are allowed
-// in between [ ], '.', '/' and the sub names.
+// parseTypeName parses an Any type URL or an extension field name. The name is
+// enclosed in [ and ] characters. We allow almost arbitrary type URL prefixes,
+// closely following the text-format spec [1,2]. We implement "ExtensionName |
+// AnyName" as follows (with some exceptions for backwards compatibility):
+//
+// char = [-_a-zA-Z0-9]
+// url_char = char | [.~!$&'()*+,;=] | "%", hex, hex
+//
+// Ident = char, { char }
+// TypeName = Ident, { ".", Ident } ;
+// UrlPrefix = url_char, { url_char | "/" } ;
+// ExtensionName = "[", TypeName, "]" ;
+// AnyName = "[", UrlPrefix, "/", TypeName, "]" ;
+//
+// Additionally, we allow arbitrary whitespace and comments between [ and ].
+//
+// [1] https://protobuf.dev/reference/protobuf/textformat-spec/#characters
+// [2] https://protobuf.dev/reference/protobuf/textformat-spec/#field-names
func (d *Decoder) parseTypeName() (Token, error) {
- startPos := len(d.orig) - len(d.in)
// Use alias s to advance first in order to use d.in for error handling.
- // Caller already checks for [ as first character.
+ // Caller already checks for [ as first character (d.in[0] == '[').
s := consume(d.in[1:], 0)
if len(s) == 0 {
return Token{}, ErrUnexpectedEOF
}
+ // Collect everything between [ and ] in name.
var name []byte
- for len(s) > 0 && isTypeNameChar(s[0]) {
- name = append(name, s[0])
- s = s[1:]
- }
- s = consume(s, 0)
-
var closed bool
for len(s) > 0 && !closed {
switch {
@@ -452,23 +459,20 @@ func (d *Decoder) parseTypeName() (Token, error) {
s = s[1:]
closed = true
- case s[0] == '/', s[0] == '.':
- if len(name) > 0 && (name[len(name)-1] == '/' || name[len(name)-1] == '.') {
- return Token{}, d.newSyntaxError("invalid type URL/extension field name: %s",
- d.orig[startPos:len(d.orig)-len(s)+1])
- }
+ case s[0] == '/' || isTypeNameChar(s[0]) || isUrlExtraChar(s[0]):
name = append(name, s[0])
- s = s[1:]
- s = consume(s, 0)
- for len(s) > 0 && isTypeNameChar(s[0]) {
- name = append(name, s[0])
- s = s[1:]
+ s = consume(s[1:], 0)
+
+ // URL percent-encoded chars
+ case s[0] == '%':
+ if len(s) < 3 || !isHexChar(s[1]) || !isHexChar(s[2]) {
+ return Token{}, d.parseTypeNameError(s, 3)
}
- s = consume(s, 0)
+ name = append(name, s[0], s[1], s[2])
+ s = consume(s[3:], 0)
default:
- return Token{}, d.newSyntaxError(
- "invalid type URL/extension field name: %s", d.orig[startPos:len(d.orig)-len(s)+1])
+ return Token{}, d.parseTypeNameError(s, 1)
}
}
@@ -476,15 +480,38 @@ func (d *Decoder) parseTypeName() (Token, error) {
return Token{}, ErrUnexpectedEOF
}
- // First character cannot be '.'. Last character cannot be '.' or '/'.
- size := len(name)
- if size == 0 || name[0] == '.' || name[size-1] == '.' || name[size-1] == '/' {
- return Token{}, d.newSyntaxError("invalid type URL/extension field name: %s",
- d.orig[startPos:len(d.orig)-len(s)])
+ // Split collected name on last '/' into urlPrefix and typeName (if '/' is
+ // present).
+ typeName := name
+ if i := bytes.LastIndexByte(name, '/'); i != -1 {
+ urlPrefix := name[:i]
+ typeName = name[i+1:]
+
+ // urlPrefix may be empty (for backwards compatibility).
+ // If non-empty, it must not start with '/'.
+ if len(urlPrefix) > 0 && urlPrefix[0] == '/' {
+ return Token{}, d.parseTypeNameError(s, 0)
+ }
}
+ // typeName must not be empty (note: "" splits to [""]) and all identifier
+ // parts must not be empty.
+ for _, ident := range bytes.Split(typeName, []byte{'.'}) {
+ if len(ident) == 0 {
+ return Token{}, d.parseTypeNameError(s, 0)
+ }
+ }
+
+ // typeName must not contain any percent-encoded or special URL chars.
+ for _, b := range typeName {
+ if b == '%' || (b != '.' && isUrlExtraChar(b)) {
+ return Token{}, d.parseTypeNameError(s, 0)
+ }
+ }
+
+ startPos := len(d.orig) - len(d.in)
+ endPos := len(d.orig) - len(s)
d.in = s
- endPos := len(d.orig) - len(d.in)
d.consume(0)
return Token{
@@ -496,16 +523,32 @@ func (d *Decoder) parseTypeName() (Token, error) {
}, nil
}
+func (d *Decoder) parseTypeNameError(s []byte, numUnconsumedChars int) error {
+ return d.newSyntaxError(
+ "invalid type URL/extension field name: %s",
+ d.in[:len(d.in)-len(s)+min(numUnconsumedChars, len(s))],
+ )
+}
+
+func isHexChar(b byte) bool {
+ return ('0' <= b && b <= '9') ||
+ ('a' <= b && b <= 'f') ||
+ ('A' <= b && b <= 'F')
+}
+
func isTypeNameChar(b byte) bool {
- return (b == '-' || b == '_' ||
+ return b == '-' || b == '_' ||
('0' <= b && b <= '9') ||
('a' <= b && b <= 'z') ||
- ('A' <= b && b <= 'Z'))
+ ('A' <= b && b <= 'Z')
}
-func isWhiteSpace(b byte) bool {
+// isUrlExtraChar complements isTypeNameChar with extra characters that we allow
+// in URLs but not in type names. Note that '/' is not included so that it can
+// be treated specially.
+func isUrlExtraChar(b byte) bool {
switch b {
- case ' ', '\n', '\r', '\t':
+ case '.', '~', '!', '$', '&', '(', ')', '*', '+', ',', ';', '=':
return true
default:
return false
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/desc.go b/vendor/google.golang.org/protobuf/internal/filedesc/desc.go
index 688aabe434..c775e5832f 100644
--- a/vendor/google.golang.org/protobuf/internal/filedesc/desc.go
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/desc.go
@@ -32,6 +32,7 @@ const (
EditionProto3 Edition = 999
Edition2023 Edition = 1000
Edition2024 Edition = 1001
+ EditionUnstable Edition = 9999
EditionUnsupported Edition = 100000
)
@@ -72,9 +73,10 @@ type (
EditionFeatures EditionFeatures
}
FileL2 struct {
- Options func() protoreflect.ProtoMessage
- Imports FileImports
- Locations SourceLocations
+ Options func() protoreflect.ProtoMessage
+ Imports FileImports
+ OptionImports func() protoreflect.FileImports
+ Locations SourceLocations
}
// EditionFeatures is a frequently-instantiated struct, so please take care
@@ -126,12 +128,9 @@ func (fd *File) ParentFile() protoreflect.FileDescriptor { return fd }
func (fd *File) Parent() protoreflect.Descriptor { return nil }
func (fd *File) Index() int { return 0 }
func (fd *File) Syntax() protoreflect.Syntax { return fd.L1.Syntax }
-
-// Not exported and just used to reconstruct the original FileDescriptor proto
-func (fd *File) Edition() int32 { return int32(fd.L1.Edition) }
-func (fd *File) Name() protoreflect.Name { return fd.L1.Package.Name() }
-func (fd *File) FullName() protoreflect.FullName { return fd.L1.Package }
-func (fd *File) IsPlaceholder() bool { return false }
+func (fd *File) Name() protoreflect.Name { return fd.L1.Package.Name() }
+func (fd *File) FullName() protoreflect.FullName { return fd.L1.Package }
+func (fd *File) IsPlaceholder() bool { return false }
func (fd *File) Options() protoreflect.ProtoMessage {
if f := fd.lazyInit().Options; f != nil {
return f()
@@ -150,6 +149,16 @@ func (fd *File) Format(s fmt.State, r rune) { descfmt.FormatD
func (fd *File) ProtoType(protoreflect.FileDescriptor) {}
func (fd *File) ProtoInternal(pragma.DoNotImplement) {}
+// The next two are not part of the FileDescriptor interface. They are just used to reconstruct
+// the original FileDescriptor proto.
+func (fd *File) Edition() int32 { return int32(fd.L1.Edition) }
+func (fd *File) OptionImports() protoreflect.FileImports {
+ if f := fd.lazyInit().OptionImports; f != nil {
+ return f()
+ }
+ return emptyFiles
+}
+
func (fd *File) lazyInit() *FileL2 {
if atomic.LoadUint32(&fd.once) == 0 {
fd.lazyInitOnce()
@@ -182,9 +191,9 @@ type (
L2 *EnumL2 // protected by fileDesc.once
}
EnumL1 struct {
- eagerValues bool // controls whether EnumL2.Values is already populated
-
EditionFeatures EditionFeatures
+ Visibility int32
+ eagerValues bool // controls whether EnumL2.Values is already populated
}
EnumL2 struct {
Options func() protoreflect.ProtoMessage
@@ -219,6 +228,11 @@ func (ed *Enum) ReservedNames() protoreflect.Names { return &ed.lazyInit()
func (ed *Enum) ReservedRanges() protoreflect.EnumRanges { return &ed.lazyInit().ReservedRanges }
func (ed *Enum) Format(s fmt.State, r rune) { descfmt.FormatDesc(s, r, ed) }
func (ed *Enum) ProtoType(protoreflect.EnumDescriptor) {}
+
+// This is not part of the EnumDescriptor interface. It is just used to reconstruct
+// the original FileDescriptor proto.
+func (ed *Enum) Visibility() int32 { return ed.L1.Visibility }
+
func (ed *Enum) lazyInit() *EnumL2 {
ed.L0.ParentFile.lazyInit() // implicitly initializes L2
return ed.L2
@@ -244,13 +258,13 @@ type (
L2 *MessageL2 // protected by fileDesc.once
}
MessageL1 struct {
- Enums Enums
- Messages Messages
- Extensions Extensions
- IsMapEntry bool // promoted from google.protobuf.MessageOptions
- IsMessageSet bool // promoted from google.protobuf.MessageOptions
-
+ Enums Enums
+ Messages Messages
+ Extensions Extensions
EditionFeatures EditionFeatures
+ Visibility int32
+ IsMapEntry bool // promoted from google.protobuf.MessageOptions
+ IsMessageSet bool // promoted from google.protobuf.MessageOptions
}
MessageL2 struct {
Options func() protoreflect.ProtoMessage
@@ -319,6 +333,11 @@ func (md *Message) Messages() protoreflect.MessageDescriptors { return &md.L
func (md *Message) Extensions() protoreflect.ExtensionDescriptors { return &md.L1.Extensions }
func (md *Message) ProtoType(protoreflect.MessageDescriptor) {}
func (md *Message) Format(s fmt.State, r rune) { descfmt.FormatDesc(s, r, md) }
+
+// This is not part of the MessageDescriptor interface. It is just used to reconstruct
+// the original FileDescriptor proto.
+func (md *Message) Visibility() int32 { return md.L1.Visibility }
+
func (md *Message) lazyInit() *MessageL2 {
md.L0.ParentFile.lazyInit() // implicitly initializes L2
return md.L2
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go b/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go
index d2f549497e..e91860f5a2 100644
--- a/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go
@@ -284,6 +284,13 @@ func (ed *Enum) unmarshalSeed(b []byte, sb *strs.Builder, pf *File, pd protorefl
case genid.EnumDescriptorProto_Value_field_number:
numValues++
}
+ case protowire.VarintType:
+ v, m := protowire.ConsumeVarint(b)
+ b = b[m:]
+ switch num {
+ case genid.EnumDescriptorProto_Visibility_field_number:
+ ed.L1.Visibility = int32(v)
+ }
default:
m := protowire.ConsumeFieldValue(num, typ, b)
b = b[m:]
@@ -365,6 +372,13 @@ func (md *Message) unmarshalSeed(b []byte, sb *strs.Builder, pf *File, pd protor
md.unmarshalSeedOptions(v)
}
prevField = num
+ case protowire.VarintType:
+ v, m := protowire.ConsumeVarint(b)
+ b = b[m:]
+ switch num {
+ case genid.DescriptorProto_Visibility_field_number:
+ md.L1.Visibility = int32(v)
+ }
default:
m := protowire.ConsumeFieldValue(num, typ, b)
b = b[m:]
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go b/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go
index d4c94458bd..78f02b1b49 100644
--- a/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go
@@ -134,6 +134,7 @@ func (fd *File) unmarshalFull(b []byte) {
var enumIdx, messageIdx, extensionIdx, serviceIdx int
var rawOptions []byte
+ var optionImports []string
fd.L2 = new(FileL2)
for len(b) > 0 {
num, typ, n := protowire.ConsumeTag(b)
@@ -157,6 +158,8 @@ func (fd *File) unmarshalFull(b []byte) {
imp = PlaceholderFile(path)
}
fd.L2.Imports = append(fd.L2.Imports, protoreflect.FileImport{FileDescriptor: imp})
+ case genid.FileDescriptorProto_OptionDependency_field_number:
+ optionImports = append(optionImports, sb.MakeString(v))
case genid.FileDescriptorProto_EnumType_field_number:
fd.L1.Enums.List[enumIdx].unmarshalFull(v, sb)
enumIdx++
@@ -178,6 +181,23 @@ func (fd *File) unmarshalFull(b []byte) {
}
}
fd.L2.Options = fd.builder.optionsUnmarshaler(&descopts.File, rawOptions)
+ if len(optionImports) > 0 {
+ var imps FileImports
+ var once sync.Once
+ fd.L2.OptionImports = func() protoreflect.FileImports {
+ once.Do(func() {
+ imps = make(FileImports, len(optionImports))
+ for i, path := range optionImports {
+ imp, _ := fd.builder.FileRegistry.FindFileByPath(path)
+ if imp == nil {
+ imp = PlaceholderFile(path)
+ }
+ imps[i] = protoreflect.FileImport{FileDescriptor: imp}
+ }
+ })
+ return &imps
+ }
+ }
}
func (ed *Enum) unmarshalFull(b []byte, sb *strs.Builder) {
@@ -310,7 +330,6 @@ func (md *Message) unmarshalFull(b []byte, sb *strs.Builder) {
md.L1.Extensions.List[extensionIdx].unmarshalFull(v, sb)
extensionIdx++
case genid.DescriptorProto_Options_field_number:
- md.unmarshalOptions(v)
rawOptions = appendOptions(rawOptions, v)
}
default:
@@ -336,27 +355,6 @@ func (md *Message) unmarshalFull(b []byte, sb *strs.Builder) {
md.L2.Options = md.L0.ParentFile.builder.optionsUnmarshaler(&descopts.Message, rawOptions)
}
-func (md *Message) unmarshalOptions(b []byte) {
- for len(b) > 0 {
- num, typ, n := protowire.ConsumeTag(b)
- b = b[n:]
- switch typ {
- case protowire.VarintType:
- v, m := protowire.ConsumeVarint(b)
- b = b[m:]
- switch num {
- case genid.MessageOptions_MapEntry_field_number:
- md.L1.IsMapEntry = protowire.DecodeBool(v)
- case genid.MessageOptions_MessageSetWireFormat_field_number:
- md.L1.IsMessageSet = protowire.DecodeBool(v)
- }
- default:
- m := protowire.ConsumeFieldValue(num, typ, b)
- b = b[m:]
- }
- }
-}
-
func unmarshalMessageReservedRange(b []byte) (r [2]protoreflect.FieldNumber) {
for len(b) > 0 {
num, typ, n := protowire.ConsumeTag(b)
diff --git a/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go b/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go
index 950a6a325a..65aaf4d210 100644
--- a/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go
+++ b/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go
@@ -26,6 +26,7 @@ const (
Edition_EDITION_PROTO3_enum_value = 999
Edition_EDITION_2023_enum_value = 1000
Edition_EDITION_2024_enum_value = 1001
+ Edition_EDITION_UNSTABLE_enum_value = 9999
Edition_EDITION_1_TEST_ONLY_enum_value = 1
Edition_EDITION_2_TEST_ONLY_enum_value = 2
Edition_EDITION_99997_TEST_ONLY_enum_value = 99997
diff --git a/vendor/google.golang.org/protobuf/internal/impl/codec_map.go b/vendor/google.golang.org/protobuf/internal/impl/codec_map.go
index 229c698013..4a3bf393ef 100644
--- a/vendor/google.golang.org/protobuf/internal/impl/codec_map.go
+++ b/vendor/google.golang.org/protobuf/internal/impl/codec_map.go
@@ -113,6 +113,9 @@ func sizeMap(mapv reflect.Value, mapi *mapInfo, f *coderFieldInfo, opts marshalO
}
func consumeMap(b []byte, mapv reflect.Value, wtyp protowire.Type, mapi *mapInfo, f *coderFieldInfo, opts unmarshalOptions) (out unmarshalOutput, err error) {
+ if opts.depth--; opts.depth < 0 {
+ return out, errRecursionDepth
+ }
if wtyp != protowire.BytesType {
return out, errUnknown
}
@@ -170,6 +173,9 @@ func consumeMap(b []byte, mapv reflect.Value, wtyp protowire.Type, mapi *mapInfo
}
func consumeMapOfMessage(b []byte, mapv reflect.Value, wtyp protowire.Type, mapi *mapInfo, f *coderFieldInfo, opts unmarshalOptions) (out unmarshalOutput, err error) {
+ if opts.depth--; opts.depth < 0 {
+ return out, errRecursionDepth
+ }
if wtyp != protowire.BytesType {
return out, errUnknown
}
diff --git a/vendor/google.golang.org/protobuf/internal/impl/decode.go b/vendor/google.golang.org/protobuf/internal/impl/decode.go
index e0dd21fa5f..1228b5c8c2 100644
--- a/vendor/google.golang.org/protobuf/internal/impl/decode.go
+++ b/vendor/google.golang.org/protobuf/internal/impl/decode.go
@@ -102,8 +102,7 @@ var errUnknown = errors.New("unknown")
func (mi *MessageInfo) unmarshalPointer(b []byte, p pointer, groupTag protowire.Number, opts unmarshalOptions) (out unmarshalOutput, err error) {
mi.init()
- opts.depth--
- if opts.depth < 0 {
+ if opts.depth--; opts.depth < 0 {
return out, errRecursionDepth
}
if flags.ProtoLegacy && mi.isMessageSet {
diff --git a/vendor/google.golang.org/protobuf/internal/impl/validate.go b/vendor/google.golang.org/protobuf/internal/impl/validate.go
index 7b2995dde5..99a1eb95f7 100644
--- a/vendor/google.golang.org/protobuf/internal/impl/validate.go
+++ b/vendor/google.golang.org/protobuf/internal/impl/validate.go
@@ -68,9 +68,13 @@ func Validate(mt protoreflect.MessageType, in protoiface.UnmarshalInput) (out pr
if in.Resolver == nil {
in.Resolver = protoregistry.GlobalTypes
}
+ if in.Depth == 0 {
+ in.Depth = protowire.DefaultRecursionLimit
+ }
o, st := mi.validate(in.Buf, 0, unmarshalOptions{
flags: in.Flags,
resolver: in.Resolver,
+ depth: in.Depth,
})
if o.initialized {
out.Flags |= protoiface.UnmarshalInitialized
@@ -257,6 +261,9 @@ func (mi *MessageInfo) validate(b []byte, groupTag protowire.Number, opts unmars
states[0].typ = validationTypeGroup
states[0].endGroup = groupTag
}
+ if opts.depth--; opts.depth < 0 {
+ return out, ValidationInvalid
+ }
initialized := true
start := len(b)
State:
@@ -451,6 +458,13 @@ State:
mi: vi.mi,
tail: b,
})
+ if vi.typ == validationTypeMessage ||
+ vi.typ == validationTypeGroup ||
+ vi.typ == validationTypeMap {
+ if opts.depth--; opts.depth < 0 {
+ return out, ValidationInvalid
+ }
+ }
b = v
continue State
case validationTypeRepeatedVarint:
@@ -499,6 +513,9 @@ State:
mi: vi.mi,
endGroup: num,
})
+ if opts.depth--; opts.depth < 0 {
+ return out, ValidationInvalid
+ }
continue State
case flags.ProtoLegacy && vi.typ == validationTypeMessageSetItem:
typeid, v, n, err := messageset.ConsumeFieldValue(b, false)
@@ -521,6 +538,13 @@ State:
mi: xvi.mi,
tail: b[n:],
})
+ if xvi.typ == validationTypeMessage ||
+ xvi.typ == validationTypeGroup ||
+ xvi.typ == validationTypeMap {
+ if opts.depth--; opts.depth < 0 {
+ return out, ValidationInvalid
+ }
+ }
b = v
continue State
}
@@ -547,12 +571,14 @@ State:
switch st.typ {
case validationTypeMessage, validationTypeGroup:
numRequiredFields = int(st.mi.numRequiredFields)
+ opts.depth++
case validationTypeMap:
// If this is a map field with a message value that contains
// required fields, require that the value be present.
if st.mi != nil && st.mi.numRequiredFields > 0 {
numRequiredFields = 1
}
+ opts.depth++
}
// If there are more than 64 required fields, this check will
// always fail and we will report that the message is potentially
diff --git a/vendor/google.golang.org/protobuf/internal/version/version.go b/vendor/google.golang.org/protobuf/internal/version/version.go
index 31e79a6535..763fd82841 100644
--- a/vendor/google.golang.org/protobuf/internal/version/version.go
+++ b/vendor/google.golang.org/protobuf/internal/version/version.go
@@ -52,7 +52,7 @@ import (
const (
Major = 1
Minor = 36
- Patch = 9
+ Patch = 11
PreRelease = ""
)
diff --git a/vendor/google.golang.org/protobuf/proto/decode.go b/vendor/google.golang.org/protobuf/proto/decode.go
index 4cbf1aeaf7..889d8511d2 100644
--- a/vendor/google.golang.org/protobuf/proto/decode.go
+++ b/vendor/google.golang.org/protobuf/proto/decode.go
@@ -121,9 +121,8 @@ func (o UnmarshalOptions) unmarshal(b []byte, m protoreflect.Message) (out proto
out, err = methods.Unmarshal(in)
} else {
- o.RecursionLimit--
- if o.RecursionLimit < 0 {
- return out, errors.New("exceeded max recursion depth")
+ if o.RecursionLimit--; o.RecursionLimit < 0 {
+ return out, errRecursionDepth
}
err = o.unmarshalMessageSlow(b, m)
}
@@ -220,6 +219,9 @@ func (o UnmarshalOptions) unmarshalSingular(b []byte, wtyp protowire.Type, m pro
}
func (o UnmarshalOptions) unmarshalMap(b []byte, wtyp protowire.Type, mapv protoreflect.Map, fd protoreflect.FieldDescriptor) (n int, err error) {
+ if o.RecursionLimit--; o.RecursionLimit < 0 {
+ return 0, errRecursionDepth
+ }
if wtyp != protowire.BytesType {
return 0, errUnknown
}
@@ -305,3 +307,5 @@ func (o UnmarshalOptions) unmarshalMap(b []byte, wtyp protowire.Type, mapv proto
var errUnknown = errors.New("BUG: internal error (unknown)")
var errDecode = errors.New("cannot parse invalid wire-format data")
+
+var errRecursionDepth = errors.New("exceeded maximum recursion depth")
diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go b/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go
index 823dbf3ba6..40f17af4e3 100644
--- a/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go
+++ b/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go
@@ -108,7 +108,9 @@ func (o FileOptions) New(fd *descriptorpb.FileDescriptorProto, r Resolver) (prot
if f.L1.Path == "" {
return nil, errors.New("file path must be populated")
}
- if f.L1.Syntax == protoreflect.Editions && (fd.GetEdition() < editionssupport.Minimum || fd.GetEdition() > editionssupport.Maximum) {
+ if f.L1.Syntax == protoreflect.Editions &&
+ (fd.GetEdition() < editionssupport.Minimum || fd.GetEdition() > editionssupport.Maximum) &&
+ fd.GetEdition() != descriptorpb.Edition_EDITION_UNSTABLE {
// Allow cmd/protoc-gen-go/testdata to use any edition for easier
// testing of upcoming edition features.
if !strings.HasPrefix(fd.GetName(), "cmd/protoc-gen-go/testdata/") {
@@ -152,6 +154,31 @@ func (o FileOptions) New(fd *descriptorpb.FileDescriptorProto, r Resolver) (prot
imp := &f.L2.Imports[i]
imps.importPublic(imp.Imports())
}
+ optionImps := importSet{f.Path(): true}
+ if len(fd.GetOptionDependency()) > 0 {
+ optionImports := make(filedesc.FileImports, len(fd.GetOptionDependency()))
+ for i, path := range fd.GetOptionDependency() {
+ imp := &optionImports[i]
+ f, err := r.FindFileByPath(path)
+ if err == protoregistry.NotFound {
+ // We always allow option imports to be unresolvable.
+ f = filedesc.PlaceholderFile(path)
+ } else if err != nil {
+ return nil, errors.New("could not resolve import %q: %v", path, err)
+ }
+ imp.FileDescriptor = f
+
+ if imps[imp.Path()] || optionImps[imp.Path()] {
+ return nil, errors.New("already imported %q", path)
+ }
+ // This needs to be a separate map so that we don't recognize non-options
+ // symbols coming from option imports.
+ optionImps[imp.Path()] = true
+ }
+ f.L2.OptionImports = func() protoreflect.FileImports {
+ return &optionImports
+ }
+ }
// Handle source locations.
f.L2.Locations.File = f
diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go b/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go
index 9da34998b1..c826ad0430 100644
--- a/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go
+++ b/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go
@@ -29,6 +29,7 @@ func (r descsByName) initEnumDeclarations(eds []*descriptorpb.EnumDescriptorProt
e.L2.Options = func() protoreflect.ProtoMessage { return opts }
}
e.L1.EditionFeatures = mergeEditionFeatures(parent, ed.GetOptions().GetFeatures())
+ e.L1.Visibility = int32(ed.GetVisibility())
for _, s := range ed.GetReservedName() {
e.L2.ReservedNames.List = append(e.L2.ReservedNames.List, protoreflect.Name(s))
}
@@ -70,6 +71,7 @@ func (r descsByName) initMessagesDeclarations(mds []*descriptorpb.DescriptorProt
return nil, err
}
m.L1.EditionFeatures = mergeEditionFeatures(parent, md.GetOptions().GetFeatures())
+ m.L1.Visibility = int32(md.GetVisibility())
if opts := md.GetOptions(); opts != nil {
opts = proto.Clone(opts).(*descriptorpb.MessageOptions)
m.L2.Options = func() protoreflect.ProtoMessage { return opts }
diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/editions.go b/vendor/google.golang.org/protobuf/reflect/protodesc/editions.go
index 697a61b290..147b8c7398 100644
--- a/vendor/google.golang.org/protobuf/reflect/protodesc/editions.go
+++ b/vendor/google.golang.org/protobuf/reflect/protodesc/editions.go
@@ -46,6 +46,8 @@ func toEditionProto(ed filedesc.Edition) descriptorpb.Edition {
return descriptorpb.Edition_EDITION_2023
case filedesc.Edition2024:
return descriptorpb.Edition_EDITION_2024
+ case filedesc.EditionUnstable:
+ return descriptorpb.Edition_EDITION_UNSTABLE
default:
panic(fmt.Sprintf("unknown value for edition: %v", ed))
}
@@ -58,7 +60,7 @@ func getFeatureSetFor(ed filedesc.Edition) *descriptorpb.FeatureSet {
return def
}
edpb := toEditionProto(ed)
- if defaults.GetMinimumEdition() > edpb || defaults.GetMaximumEdition() < edpb {
+ if (defaults.GetMinimumEdition() > edpb || defaults.GetMaximumEdition() < edpb) && edpb != descriptorpb.Edition_EDITION_UNSTABLE {
// This should never happen protodesc.(FileOptions).New would fail when
// initializing the file descriptor.
// This most likely means the embedded defaults were not updated.
diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go b/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go
index 9b880aa8c9..6f91074e36 100644
--- a/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go
+++ b/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go
@@ -70,16 +70,27 @@ func ToFileDescriptorProto(file protoreflect.FileDescriptor) *descriptorpb.FileD
if syntax := file.Syntax(); syntax != protoreflect.Proto2 && syntax.IsValid() {
p.Syntax = proto.String(file.Syntax().String())
}
+ desc := file
+ if fileImportDesc, ok := file.(protoreflect.FileImport); ok {
+ desc = fileImportDesc.FileDescriptor
+ }
if file.Syntax() == protoreflect.Editions {
- desc := file
- if fileImportDesc, ok := file.(protoreflect.FileImport); ok {
- desc = fileImportDesc.FileDescriptor
- }
-
if editionsInterface, ok := desc.(interface{ Edition() int32 }); ok {
p.Edition = descriptorpb.Edition(editionsInterface.Edition()).Enum()
}
}
+ type hasOptionImports interface {
+ OptionImports() protoreflect.FileImports
+ }
+ if opts, ok := desc.(hasOptionImports); ok {
+ if optionImports := opts.OptionImports(); optionImports.Len() > 0 {
+ optionDeps := make([]string, optionImports.Len())
+ for i := range optionImports.Len() {
+ optionDeps[i] = optionImports.Get(i).Path()
+ }
+ p.OptionDependency = optionDeps
+ }
+ }
return p
}
@@ -123,6 +134,14 @@ func ToDescriptorProto(message protoreflect.MessageDescriptor) *descriptorpb.Des
for i, names := 0, message.ReservedNames(); i < names.Len(); i++ {
p.ReservedName = append(p.ReservedName, string(names.Get(i)))
}
+ type hasVisibility interface {
+ Visibility() int32
+ }
+ if vis, ok := message.(hasVisibility); ok {
+ if visibility := vis.Visibility(); visibility > 0 {
+ p.Visibility = descriptorpb.SymbolVisibility(visibility).Enum()
+ }
+ }
return p
}
@@ -216,6 +235,14 @@ func ToEnumDescriptorProto(enum protoreflect.EnumDescriptor) *descriptorpb.EnumD
for i, names := 0, enum.ReservedNames(); i < names.Len(); i++ {
p.ReservedName = append(p.ReservedName, string(names.Get(i)))
}
+ type hasVisibility interface {
+ Visibility() int32
+ }
+ if vis, ok := enum.(hasVisibility); ok {
+ if visibility := vis.Visibility(); visibility > 0 {
+ p.Visibility = descriptorpb.SymbolVisibility(visibility).Enum()
+ }
+ }
return p
}
diff --git a/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go b/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go
index 4eacb523c3..0b23faa957 100644
--- a/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go
+++ b/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go
@@ -69,6 +69,8 @@ const (
// comparison.
Edition_EDITION_2023 Edition = 1000
Edition_EDITION_2024 Edition = 1001
+ // A placeholder edition for developing and testing unscheduled features.
+ Edition_EDITION_UNSTABLE Edition = 9999
// Placeholder editions for testing feature resolution. These should not be
// used or relied on outside of tests.
Edition_EDITION_1_TEST_ONLY Edition = 1
@@ -91,6 +93,7 @@ var (
999: "EDITION_PROTO3",
1000: "EDITION_2023",
1001: "EDITION_2024",
+ 9999: "EDITION_UNSTABLE",
1: "EDITION_1_TEST_ONLY",
2: "EDITION_2_TEST_ONLY",
99997: "EDITION_99997_TEST_ONLY",
@@ -105,6 +108,7 @@ var (
"EDITION_PROTO3": 999,
"EDITION_2023": 1000,
"EDITION_2024": 1001,
+ "EDITION_UNSTABLE": 9999,
"EDITION_1_TEST_ONLY": 1,
"EDITION_2_TEST_ONLY": 2,
"EDITION_99997_TEST_ONLY": 99997,
@@ -4793,11 +4797,11 @@ const file_google_protobuf_descriptor_proto_rawDesc = "" +
"\x18EnumValueDescriptorProto\x12\x12\n" +
"\x04name\x18\x01 \x01(\tR\x04name\x12\x16\n" +
"\x06number\x18\x02 \x01(\x05R\x06number\x12;\n" +
- "\aoptions\x18\x03 \x01(\v2!.google.protobuf.EnumValueOptionsR\aoptions\"\xa7\x01\n" +
+ "\aoptions\x18\x03 \x01(\v2!.google.protobuf.EnumValueOptionsR\aoptions\"\xb5\x01\n" +
"\x16ServiceDescriptorProto\x12\x12\n" +
"\x04name\x18\x01 \x01(\tR\x04name\x12>\n" +
"\x06method\x18\x02 \x03(\v2&.google.protobuf.MethodDescriptorProtoR\x06method\x129\n" +
- "\aoptions\x18\x03 \x01(\v2\x1f.google.protobuf.ServiceOptionsR\aoptions\"\x89\x02\n" +
+ "\aoptions\x18\x03 \x01(\v2\x1f.google.protobuf.ServiceOptionsR\aoptionsJ\x04\b\x04\x10\x05R\x06stream\"\x89\x02\n" +
"\x15MethodDescriptorProto\x12\x12\n" +
"\x04name\x18\x01 \x01(\tR\x04name\x12\x1d\n" +
"\n" +
@@ -5033,14 +5037,15 @@ const file_google_protobuf_descriptor_proto_rawDesc = "" +
"\bSemantic\x12\b\n" +
"\x04NONE\x10\x00\x12\a\n" +
"\x03SET\x10\x01\x12\t\n" +
- "\x05ALIAS\x10\x02*\xa7\x02\n" +
+ "\x05ALIAS\x10\x02*\xbe\x02\n" +
"\aEdition\x12\x13\n" +
"\x0fEDITION_UNKNOWN\x10\x00\x12\x13\n" +
"\x0eEDITION_LEGACY\x10\x84\a\x12\x13\n" +
"\x0eEDITION_PROTO2\x10\xe6\a\x12\x13\n" +
"\x0eEDITION_PROTO3\x10\xe7\a\x12\x11\n" +
"\fEDITION_2023\x10\xe8\a\x12\x11\n" +
- "\fEDITION_2024\x10\xe9\a\x12\x17\n" +
+ "\fEDITION_2024\x10\xe9\a\x12\x15\n" +
+ "\x10EDITION_UNSTABLE\x10\x8fN\x12\x17\n" +
"\x13EDITION_1_TEST_ONLY\x10\x01\x12\x17\n" +
"\x13EDITION_2_TEST_ONLY\x10\x02\x12\x1d\n" +
"\x17EDITION_99997_TEST_ONLY\x10\x9d\x8d\x06\x12\x1d\n" +
diff --git a/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go b/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go
index 06d584c14b..484c21fd53 100644
--- a/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go
+++ b/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go
@@ -172,13 +172,14 @@ import (
// ) to obtain a formatter capable of generating timestamps in this format.
type Timestamp struct {
state protoimpl.MessageState `protogen:"open.v1"`
- // Represents seconds of UTC time since Unix epoch
- // 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
- // 9999-12-31T23:59:59Z inclusive.
+ // Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must
+ // be between -315576000000 and 315576000000 inclusive (which corresponds to
+ // 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).
Seconds int64 `protobuf:"varint,1,opt,name=seconds,proto3" json:"seconds,omitempty"`
- // Non-negative fractions of a second at nanosecond resolution. Negative
- // second values with fractions must still have non-negative nanos values
- // that count forward in time. Must be from 0 to 999,999,999
+ // Non-negative fractions of a second at nanosecond resolution. This field is
+ // the nanosecond portion of the duration, not an alternative to seconds.
+ // Negative second values with fractions must still have non-negative nanos
+ // values that count forward in time. Must be between 0 and 999,999,999
// inclusive.
Nanos int32 `protobuf:"varint,2,opt,name=nanos,proto3" json:"nanos,omitempty"`
unknownFields protoimpl.UnknownFields
diff --git a/vendor/k8s.io/utils/clock/testing/fake_clock.go b/vendor/k8s.io/utils/clock/testing/fake_clock.go
index 462c40c2c8..9503690be2 100644
--- a/vendor/k8s.io/utils/clock/testing/fake_clock.go
+++ b/vendor/k8s.io/utils/clock/testing/fake_clock.go
@@ -221,14 +221,26 @@ func (f *FakeClock) setTimeLocked(t time.Time) {
f.waiters = newWaiters
}
-// HasWaiters returns true if After or AfterFunc has been called on f but not yet satisfied (so you can
-// write race-free tests).
+// HasWaiters returns true if Waiters() returns non-0 (so you can write race-free tests).
func (f *FakeClock) HasWaiters() bool {
f.lock.RLock()
defer f.lock.RUnlock()
return len(f.waiters) > 0
}
+// Waiters returns the number of "waiters" on the clock (so you can write race-free
+// tests). A waiter exists for:
+// - every call to After that has not yet signaled its channel.
+// - every call to AfterFunc that has not yet called its callback.
+// - every timer created with NewTimer which is currently ticking.
+// - every ticker created with NewTicker which is currently ticking.
+// - every ticker created with Tick.
+func (f *FakeClock) Waiters() int {
+ f.lock.RLock()
+ defer f.lock.RUnlock()
+ return len(f.waiters)
+}
+
// Sleep is akin to time.Sleep
func (f *FakeClock) Sleep(d time.Duration) {
f.Step(d)
diff --git a/vendor/k8s.io/utils/net/multi_listen.go b/vendor/k8s.io/utils/net/multi_listen.go
index 7cb7795bec..e5d508055d 100644
--- a/vendor/k8s.io/utils/net/multi_listen.go
+++ b/vendor/k8s.io/utils/net/multi_listen.go
@@ -21,6 +21,7 @@ import (
"fmt"
"net"
"sync"
+ "sync/atomic"
)
// connErrPair pairs conn and error which is returned by accept on sub-listeners.
@@ -38,6 +39,7 @@ type multiListener struct {
connCh chan connErrPair
// stopCh communicates from parent to child listeners.
stopCh chan struct{}
+ closed atomic.Bool
}
// compile time check to ensure *multiListener implements net.Listener
@@ -150,10 +152,8 @@ func (ml *multiListener) Accept() (net.Conn, error) {
// the go-routines to exit.
func (ml *multiListener) Close() error {
// Make sure this can be called repeatedly without explosions.
- select {
- case <-ml.stopCh:
+ if !ml.closed.CompareAndSwap(false, true) {
return fmt.Errorf("use of closed network connection")
- default:
}
// Tell all sub-listeners to stop.
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 0eaa9c9f5a..49e4e7fe5a 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -197,7 +197,7 @@ github.com/distribution/reference
## explicit
github.com/docker/distribution/registry/api/errcode
github.com/docker/distribution/registry/api/v2
-# github.com/docker/docker v28.5.1+incompatible
+# github.com/docker/docker v28.5.2+incompatible
## explicit
github.com/docker/docker/api/types/versions
# github.com/docker/docker-credential-helpers v0.9.4
@@ -238,8 +238,8 @@ github.com/fsnotify/fsnotify/internal
# github.com/fxamacker/cbor/v2 v2.7.0
## explicit; go 1.17
github.com/fxamacker/cbor/v2
-# github.com/go-jose/go-jose/v4 v4.0.5
-## explicit; go 1.21
+# github.com/go-jose/go-jose/v4 v4.1.3
+## explicit; go 1.24.0
github.com/go-jose/go-jose/v4
github.com/go-jose/go-jose/v4/cipher
github.com/go-jose/go-jose/v4/json
@@ -285,7 +285,7 @@ github.com/golang/protobuf/ptypes
github.com/golang/protobuf/ptypes/any
github.com/golang/protobuf/ptypes/duration
github.com/golang/protobuf/ptypes/timestamp
-# github.com/google/btree v1.1.2
+# github.com/google/btree v1.1.3
## explicit; go 1.18
github.com/google/btree
# github.com/google/gnostic-models v0.6.8
@@ -302,8 +302,8 @@ github.com/google/go-cmp/cmp/internal/diff
github.com/google/go-cmp/cmp/internal/flags
github.com/google/go-cmp/cmp/internal/function
github.com/google/go-cmp/cmp/internal/value
-# github.com/google/go-containerregistry v0.20.6
-## explicit; go 1.24
+# github.com/google/go-containerregistry v0.20.7
+## explicit; go 1.24.0
github.com/google/go-containerregistry/pkg/name
# github.com/google/gofuzz v1.2.0
## explicit; go 1.12
@@ -386,14 +386,6 @@ github.com/klauspost/pgzip
# github.com/kofalt/go-memoize v0.0.0-20220914132407-0b5d6a304579
## explicit; go 1.19
github.com/kofalt/go-memoize
-# github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec
-## explicit; go 1.22.0
-github.com/letsencrypt/boulder/core
-github.com/letsencrypt/boulder/goodkey
-github.com/letsencrypt/boulder/identifier
-github.com/letsencrypt/boulder/probs
-github.com/letsencrypt/boulder/revocation
-github.com/letsencrypt/boulder/strictyaml
# github.com/linuxkit/virtsock v0.0.0-20220523201153-1a23e78aa7a2
## explicit; go 1.17
github.com/linuxkit/virtsock/pkg/hvsock
@@ -450,6 +442,8 @@ github.com/modern-go/reflect2
# github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
## explicit
github.com/munnerz/goautoneg
+# github.com/nxadm/tail v1.4.11
+## explicit; go 1.13
# github.com/onsi/ginkgo/v2 v2.27.5
## explicit; go 1.23.0
github.com/onsi/ginkgo/v2
@@ -559,6 +553,8 @@ github.com/r3labs/sse/v2
# github.com/rivo/uniseg v0.4.7
## explicit; go 1.18
github.com/rivo/uniseg
+# github.com/rogpeppe/go-internal v1.14.1
+## explicit; go 1.23
# github.com/russross/blackfriday/v2 v2.1.0
## explicit
github.com/russross/blackfriday/v2
@@ -585,14 +581,14 @@ github.com/shirou/gopsutil/v4/internal/common
github.com/shirou/gopsutil/v4/mem
github.com/shirou/gopsutil/v4/net
github.com/shirou/gopsutil/v4/process
-# github.com/sigstore/fulcio v1.7.1
-## explicit; go 1.24.0
+# github.com/sigstore/fulcio v1.8.5
+## explicit; go 1.25.0
github.com/sigstore/fulcio/pkg/certificate
-# github.com/sigstore/protobuf-specs v0.4.1
+# github.com/sigstore/protobuf-specs v0.5.0
## explicit; go 1.22.0
github.com/sigstore/protobuf-specs/gen/pb-go/common/v1
-# github.com/sigstore/sigstore v1.9.5
-## explicit; go 1.23.0
+# github.com/sigstore/sigstore v1.10.3
+## explicit; go 1.25.0
github.com/sigstore/sigstore/pkg/cryptoutils
github.com/sigstore/sigstore/pkg/signature
github.com/sigstore/sigstore/pkg/signature/options
@@ -648,9 +644,6 @@ github.com/stretchr/testify/require
# github.com/subosito/gotenv v1.6.0
## explicit; go 1.18
github.com/subosito/gotenv
-# github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
-## explicit
-github.com/titanous/rocacheck
# github.com/tklauser/go-sysconf v0.3.16
## explicit; go 1.24.0
github.com/tklauser/go-sysconf
@@ -667,7 +660,7 @@ github.com/ulikunitz/xz
github.com/ulikunitz/xz/internal/hash
github.com/ulikunitz/xz/internal/xlog
github.com/ulikunitz/xz/lzma
-# github.com/vbatts/tar-split v0.12.1
+# github.com/vbatts/tar-split v0.12.2
## explicit; go 1.17
github.com/vbatts/tar-split/archive/tar
github.com/vbatts/tar-split/tar/asm
@@ -768,7 +761,7 @@ go.podman.io/storage/pkg/reexec
go.podman.io/storage/pkg/regexp
go.podman.io/storage/pkg/system
go.podman.io/storage/pkg/unshare
-# go.yaml.in/yaml/v2 v2.4.2
+# go.yaml.in/yaml/v2 v2.4.3
## explicit; go 1.15
go.yaml.in/yaml/v2
# go.yaml.in/yaml/v3 v3.0.4
@@ -789,7 +782,6 @@ golang.org/x/crypto/hkdf
golang.org/x/crypto/internal/alias
golang.org/x/crypto/internal/poly1305
golang.org/x/crypto/nacl/secretbox
-golang.org/x/crypto/ocsp
golang.org/x/crypto/openpgp
golang.org/x/crypto/openpgp/armor
golang.org/x/crypto/openpgp/clearsign
@@ -826,7 +818,7 @@ golang.org/x/net/internal/timeseries
golang.org/x/net/ipv4
golang.org/x/net/ipv6
golang.org/x/net/trace
-# golang.org/x/oauth2 v0.32.0
+# golang.org/x/oauth2 v0.34.0
## explicit; go 1.24.0
golang.org/x/oauth2
golang.org/x/oauth2/internal
@@ -870,8 +862,8 @@ golang.org/x/text/transform
golang.org/x/text/unicode/bidi
golang.org/x/text/unicode/norm
golang.org/x/text/width
-# golang.org/x/time v0.11.0
-## explicit; go 1.23.0
+# golang.org/x/time v0.14.0
+## explicit; go 1.24.0
golang.org/x/time/rate
# golang.org/x/tools v0.40.0
## explicit; go 1.24.0
@@ -895,15 +887,15 @@ golang.org/x/tools/internal/stdlib
golang.org/x/tools/internal/typeparams
golang.org/x/tools/internal/typesinternal
golang.org/x/tools/internal/versions
-# google.golang.org/genproto/googleapis/api v0.0.0-20250414145226-207652e42e2e
-## explicit; go 1.23.0
+# google.golang.org/genproto/googleapis/api v0.0.0-20251222181119-0a764e51fe1b
+## explicit; go 1.24.0
google.golang.org/genproto/googleapis/api
google.golang.org/genproto/googleapis/api/annotations
-# google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e
-## explicit; go 1.23.0
+# google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b
+## explicit; go 1.24.0
google.golang.org/genproto/googleapis/rpc/status
-# google.golang.org/grpc v1.72.2
-## explicit; go 1.23
+# google.golang.org/grpc v1.78.0
+## explicit; go 1.24.0
google.golang.org/grpc
google.golang.org/grpc/attributes
google.golang.org/grpc/backoff
@@ -913,7 +905,6 @@ google.golang.org/grpc/balancer/endpointsharding
google.golang.org/grpc/balancer/grpclb/state
google.golang.org/grpc/balancer/pickfirst
google.golang.org/grpc/balancer/pickfirst/internal
-google.golang.org/grpc/balancer/pickfirst/pickfirstleaf
google.golang.org/grpc/balancer/roundrobin
google.golang.org/grpc/binarylog/grpc_binarylog_v1
google.golang.org/grpc/channelz
@@ -922,6 +913,7 @@ google.golang.org/grpc/connectivity
google.golang.org/grpc/credentials
google.golang.org/grpc/credentials/insecure
google.golang.org/grpc/encoding
+google.golang.org/grpc/encoding/internal
google.golang.org/grpc/encoding/proto
google.golang.org/grpc/experimental/stats
google.golang.org/grpc/grpclog
@@ -964,7 +956,7 @@ google.golang.org/grpc/serviceconfig
google.golang.org/grpc/stats
google.golang.org/grpc/status
google.golang.org/grpc/tap
-# google.golang.org/protobuf v1.36.9
+# google.golang.org/protobuf v1.36.11
## explicit; go 1.23
google.golang.org/protobuf/encoding/protojson
google.golang.org/protobuf/encoding/prototext
@@ -1335,7 +1327,7 @@ k8s.io/kube-openapi/pkg/schemaconv
k8s.io/kube-openapi/pkg/spec3
k8s.io/kube-openapi/pkg/util/proto
k8s.io/kube-openapi/pkg/validation/spec
-# k8s.io/utils v0.0.0-20241210054802-24370beab758
+# k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d
## explicit; go 1.18
k8s.io/utils/clock
k8s.io/utils/clock/testing