From a17970ce3bb8e66fcc2e04c8105d26578de0ca3b Mon Sep 17 00:00:00 2001 From: Sam Feifer Date: Tue, 7 May 2024 15:16:50 -0400 Subject: [PATCH] Resolves: RHEL-35761 Rebase to grafana 10.2.6 --- ...li-script-with-distro-specific-paths.patch | 24 +- 0002-add-manpages.patch | 2 +- 0003-update-default-configuration.patch | 26 +- 0004-remove-unused-backend-dependencies.patch | 107 +- 0005-remove-unused-frontend-crypto.patch | 249 +- ...skip-marketplace-plugin-install-test.patch | 6 +- 0007-fix-alert-test.patch | 19 - ...rs.patch => 0007-redact-weak-ciphers.patch | 26 +- 0008-graphite-functions-xss.patch | 30 - 0008-replace-faulty-slices-sort.patch | 40 + ...appers-and-systemd-with-distro-paths.patch | 76 + 0010-remove-bcrypt-references.patch | 108 + 0010-skip-tests.patch | 71 - 0011-remove-email-lookup.patch | 64 - 0012-coredump-selinux-error.patch | 13 - ...-vendor-patch-removed-backend-crypto.patch | 2762 +++++++++++------ 1002-vendor-use-pbkdf2-from-OpenSSL.patch | 21 +- create_bundles.sh | 25 +- create_bundles_in_container.sh | 2 +- grafana.fc | 1 + grafana.spec | 851 ++--- grafana.te | 19 +- list_bundled_nodejs_packages.py | 4 +- sources | 6 +- 24 files changed, 2766 insertions(+), 1786 deletions(-) delete mode 100644 0007-fix-alert-test.patch rename 0009-redact-weak-ciphers.patch => 0007-redact-weak-ciphers.patch (52%) delete mode 100644 0008-graphite-functions-xss.patch create mode 100644 0008-replace-faulty-slices-sort.patch create mode 100644 0009-update-wrappers-and-systemd-with-distro-paths.patch create mode 100644 0010-remove-bcrypt-references.patch delete mode 100644 0010-skip-tests.patch delete mode 100644 0011-remove-email-lookup.patch delete mode 100644 0012-coredump-selinux-error.patch diff --git a/0001-update-grafana-cli-script-with-distro-specific-paths.patch b/0001-update-grafana-cli-script-with-distro-specific-paths.patch index ae15f74..837d0ff 100644 --- a/0001-update-grafana-cli-script-with-distro-specific-paths.patch 
+++ b/0001-update-grafana-cli-script-with-distro-specific-paths.patch @@ -1,4 +1,4 @@ -From 226822e64ed4badb22e18740e6db411617b42bb7 Mon Sep 17 00:00:00 2001 +From 1e47ea7adc316e2df3d0081c2c0ebe75ddd6bda0 Mon Sep 17 00:00:00 2001 From: Andreas Gerstmayr Date: Wed, 22 Jun 2022 16:57:52 +0200 Subject: [PATCH] update grafana-cli script with distro-specific paths and @@ -6,18 +6,19 @@ Subject: [PATCH] update grafana-cli script with distro-specific paths and diff --git a/packaging/wrappers/grafana-cli b/packaging/wrappers/grafana-cli -index dafa075a2c..eda358c425 100755 +index 7c6c46aef9..945714642b 100755 --- a/packaging/wrappers/grafana-cli +++ b/packaging/wrappers/grafana-cli -@@ -5,18 +5,19 @@ +@@ -5,7 +5,7 @@ # the system-wide Grafana configuration that was bundled with the package as we # use the binary. -DEFAULT=/etc/default/grafana +DEFAULT=/etc/sysconfig/grafana-server - GRAFANA_HOME=/usr/share/grafana - CONF_DIR=/etc/grafana + GRAFANA_HOME="${GRAFANA_HOME:-/usr/share/grafana}" + +@@ -13,11 +13,12 @@ CONF_DIR=/etc/grafana DATA_DIR=/var/lib/grafana PLUGINS_DIR=/var/lib/grafana/plugins LOG_DIR=/var/log/grafana @@ -26,12 +27,12 @@ index dafa075a2c..eda358c425 100755 CONF_FILE=$CONF_DIR/grafana.ini PROVISIONING_CFG_DIR=$CONF_DIR/provisioning --EXECUTABLE=$GRAFANA_HOME/bin/grafana-cli +-EXECUTABLE="$GRAFANA_HOME/bin/grafana" +EXECUTABLE=$LIBEXEC_DIR/grafana-cli if [ ! -x $EXECUTABLE ]; then - echo "Program not installed or not executable" -@@ -28,12 +29,21 @@ if [ -f "$DEFAULT" ]; then + echo "$EXECUTABLE not installed or not executable" +@@ -29,14 +30,23 @@ if [ -f "$DEFAULT" ]; then . "$DEFAULT" fi @@ -42,8 +43,6 @@ index dafa075a2c..eda358c425 100755 - cfg:default.paths.data=${DATA_DIR} \ - cfg:default.paths.logs=${LOG_DIR} \ - cfg:default.paths.plugins=${PLUGINS_DIR}'" -- --eval $EXECUTABLE "$OPTS" '$@' +OPTS=("--homepath=${GRAFANA_HOME}" + "--config=${CONF_FILE}" + "--pluginsDir=${PLUGINS_DIR}" 
@@ -51,7 +50,10 @@ index dafa075a2c..eda358c425 100755 + cfg:default.paths.data=${DATA_DIR} \ + cfg:default.paths.logs=${LOG_DIR} \ + cfg:default.paths.plugins=${PLUGINS_DIR}") -+ + + CMD=cli + +-eval $EXECUTABLE "$CMD" "$OPTS" "$@" +if [ "$(id -u)" -eq 0 -o "$(id -g)" -eq 0 ]; then + cd "${GRAFANA_HOME}" + exec runuser -u "${GRAFANA_USER}" -- "$EXECUTABLE" "${OPTS[@]}" "$@" diff --git a/0002-add-manpages.patch b/0002-add-manpages.patch index 4ded6f1..a059e0a 100644 --- a/0002-add-manpages.patch +++ b/0002-add-manpages.patch @@ -1,4 +1,4 @@ -From c065b6608a65967bde152557566e0410238714a1 Mon Sep 17 00:00:00 2001 +From 5b6c18f715808f99c32550fc3b670fc5bf600f72 Mon Sep 17 00:00:00 2001 From: Andreas Gerstmayr Date: Wed, 22 Jun 2022 17:01:09 +0200 Subject: [PATCH] add manpages diff --git a/0003-update-default-configuration.patch b/0003-update-default-configuration.patch index e20a6fb..a0c961a 100644 --- a/0003-update-default-configuration.patch +++ b/0003-update-default-configuration.patch @@ -1,14 +1,14 @@ -From 3236aa416f6d1b109bff1fdd4127292988fb199c Mon Sep 17 00:00:00 2001 +From 026c4f235fd3bfc741304a5e12e13bd1c7b85eac Mon Sep 17 00:00:00 2001 From: Andreas Gerstmayr Date: Wed, 22 Jun 2022 17:05:48 +0200 Subject: [PATCH] update default configuration diff --git a/conf/defaults.ini b/conf/defaults.ini -index 2d6e1235b6..f0eff6d2ac 100644 +index 9f7cf4a90b..e1e5468bfa 100644 --- a/conf/defaults.ini +++ b/conf/defaults.ini -@@ -196,7 +196,7 @@ row_limit = 1000000 +@@ -240,7 +240,7 @@ user_agent = # No ip addresses are being tracked, only simple counters to track # running instances, dashboard and error counts. It is very helpful to us. # Change this option to false to disable reporting. 
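Review bot: In the last hunk of 0001 (`@@ -51,7 +50,10 @@`) the refreshed wrapper keeps upstream's `CMD=cli` as context, but the line that replaces `eval $EXECUTABLE "$CMD" "$OPTS" "$@"` is `exec runuser -u "${GRAFANA_USER}" -- "$EXECUTABLE" "${OPTS[@]}" "$@"`, which never passes `$CMD`. That is only correct if `$LIBEXEC_DIR/grafana-cli` is still a dedicated CLI binary rather than the unified binary that upstream's removed `EXECUTABLE="$GRAFANA_HOME/bin/grafana"` line points at; the spec lines that install it are not visible here, so this needs confirming. If it is the dedicated binary, the patch should also drop `CMD=cli` so the wrapper carries no dead variable; otherwise add `"$CMD"` right after `"$EXECUTABLE"`. The non-root branch of the wrapper lies outside this hunk and would need the same treatment.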
@@ -17,20 +17,22 @@ index 2d6e1235b6..f0eff6d2ac 100644 # The name of the distributor of the Grafana instance. Ex hosted-grafana, grafana-labs reporting_distributor = grafana-labs -@@ -206,7 +206,7 @@ reporting_distributor = grafana-labs +@@ -249,8 +249,8 @@ reporting_distributor = grafana-labs + # for new versions of grafana. The check is used # in some UI views to notify that a grafana update exists. # This option does not cause any auto updates, nor send any information - # only a GET request to https://raw.githubusercontent.com/grafana/grafana/main/latest.json to get the latest version. +-# only a GET request to https://grafana.com/api/grafana/versions/stable to get the latest version. -check_for_updates = true ++# only a GET request to https://raw.githubusercontent.com/grafana/grafana/main/latest.json to get the latest version. +check_for_updates = false # Set to false to disable all checks to https://grafana.com # for new versions of plugins. The check is used diff --git a/conf/sample.ini b/conf/sample.ini -index 227c90e895..dc9fd6a3a5 100644 +index 916de769f9..2f270d4940 100644 --- a/conf/sample.ini +++ b/conf/sample.ini -@@ -202,7 +202,7 @@ +@@ -247,7 +247,7 @@ # No ip addresses are being tracked, only simple counters to track # running instances, dashboard and error counts. It is very helpful to us. # Change this option to false to disable reporting. 
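Review bot: The refreshed conf/defaults.ini section now rewrites a comment as well as the setting: it removes upstream's `# only a GET request to https://grafana.com/api/grafana/versions/stable to get the latest version.` and adds the older `https://raw.githubusercontent.com/grafana/grafana/main/latest.json` wording in its place. This looks like a rebase artefact, and it leaves the shipped config documenting an endpoint that the 10.2.6 comment no longer names, which would mislead an administrator who re-enables `check_for_updates` and writes egress rules from it. The inner hunk should keep upstream's comment as context and change only `-check_for_updates = true` / `+check_for_updates = false`. The conf/sample.ini hunk that follows (`@@ -39,16 +41,18 @@`) carries the same comment swap.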
@@ -39,16 +41,18 @@ index 227c90e895..dc9fd6a3a5 100644 # The name of the distributor of the Grafana instance. Ex hosted-grafana, grafana-labs ;reporting_distributor = grafana-labs -@@ -212,7 +212,7 @@ +@@ -256,8 +256,8 @@ + # for new versions of grafana. The check is used # in some UI views to notify that a grafana update exists. # This option does not cause any auto updates, nor send any information - # only a GET request to https://raw.githubusercontent.com/grafana/grafana/main/latest.json to get the latest version. +-# only a GET request to https://grafana.com/api/grafana/versions/stable to get the latest version. -;check_for_updates = true ++# only a GET request to https://raw.githubusercontent.com/grafana/grafana/main/latest.json to get the latest version. +;check_for_updates = false # Set to false to disable all checks to https://grafana.com # for new versions of plugins. The check is used -@@ -356,7 +356,7 @@ +@@ -427,7 +427,7 @@ # Minimum dashboard refresh interval. When set, this will restrict users to set the refresh interval of a dashboard lower than given interval. Per default this is 5 seconds. # The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m. @@ -57,7 +61,7 @@ index 227c90e895..dc9fd6a3a5 100644 # Path to the default home dashboard. If this value is empty, then Grafana uses StaticRootPath + "dashboards/home.json" ;default_home_dashboard_path = -@@ -1094,7 +1094,7 @@ +@@ -1411,7 +1411,7 @@ ;enable_alpha = false ;app_tls_skip_verify_insecure = false # Enter a comma-separated list of plugin identifiers to identify plugins to load even if they are unsigned. Plugins with modified signatures are never loaded. diff --git a/0004-remove-unused-backend-dependencies.patch b/0004-remove-unused-backend-dependencies.patch index ca105d1..1569748 100644 --- a/0004-remove-unused-backend-dependencies.patch +++ b/0004-remove-unused-backend-dependencies.patch 
@@ -1,4 +1,4 @@ -From 944d07247d07b433777ee6ab46bc55cc1d9debe8 Mon Sep 17 00:00:00 2001 +From 076177ff583b8e6d92948e0a4ddde0e8992d09a3 Mon Sep 17 00:00:00 2001 From: Andreas Gerstmayr Date: Wed, 22 Jun 2022 17:18:56 +0200 Subject: [PATCH] remove unused backend dependencies @@ -7,103 +7,56 @@ saml and gofpdf are not used in the OSS edition of Grafana after editing `pkg/extensions/main.go`, run `go mod tidy` diff --git a/go.mod b/go.mod -index 03c00985c4..faedd337d3 100644 +index fcbc09da5e..82fdf39842 100644 --- a/go.mod 
+++ b/go.mod -@@ -30,7 +30,6 @@ require ( - github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b - github.com/centrifugal/centrifuge v0.25.0 - github.com/cortexproject/cortex v1.10.1-0.20211014125347-85c378182d0d -- github.com/crewjam/saml v0.4.9 - github.com/davecgh/go-spew v1.1.1 - github.com/denisenkom/go-mssqldb v0.12.0 - github.com/dop251/goja v0.0.0-20210804101310-32956a348b49 -@@ -67,7 +66,6 @@ require ( - github.com/influxdata/line-protocol v0.0.0-20210311194329-9aa0e372d097 - github.com/jmespath/go-jmespath v0.4.0 - github.com/json-iterator/go v1.1.12 -- github.com/jung-kurt/gofpdf v1.16.2 - github.com/lib/pq v1.10.4 - github.com/linkedin/goavro/v2 v2.10.0 - github.com/m3db/prometheus_remote_client_golang v0.4.4 -@@ -192,7 +190,6 @@ require ( +@@ -45,7 +45,6 @@ require ( + github.com/blang/semver/v4 v4.0.0 // @grafana/grafana-release-guild + github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b // @grafana/backend-platform + github.com/centrifugal/centrifuge v0.30.2 // @grafana/grafana-app-platform-squad +- github.com/crewjam/saml v0.4.13 // @grafana/grafana-authnz-team + github.com/fatih/color v1.15.0 // @grafana/backend-platform + github.com/gchaincl/sqlhooks v1.3.0 // @grafana/backend-platform + github.com/go-ldap/ldap/v3 v3.4.4 // @grafana/grafana-authnz-team +@@ -187,7 +186,6 @@ require ( github.com/josharian/intern v1.0.0 // indirect github.com/jpillora/backoff v1.0.0 // indirect github.com/mailru/easyjson v0.7.7 // indirect - github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect github.com/mattetti/filebuffer v1.0.1 // indirect - github.com/mattn/go-runewidth v0.0.9 // indirect - github.com/miekg/dns v1.1.43 // indirect + github.com/mattn/go-runewidth v0.0.13 // indirect + github.com/miekg/dns v1.1.51 // indirect diff --git a/go.sum b/go.sum -index e3b45a9f35..b98dc78c57 100644 +index d05dfb55fd..b160387abe 100644 --- a/go.sum 
+++ b/go.sum -@@ -665,7 +665,6 @@ github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t - github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= - github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= - github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= --github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4= - github.com/crossdock/crossdock-go v0.0.0-20160816171116-049aabb0122b/go.mod h1:v9FBN7gdVTpiD/+LZ7Po0UKvROyT87uLVxTHVky/dlQ= - github.com/cucumber/godog v0.8.1/go.mod h1:vSh3r/lM+psC1BPXvdkSEuNjmXfpVqrMGYAElF6hxnA= - github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4= -@@ -1376,8 +1375,6 @@ github.com/grafana/grafana-plugin-sdk-go v0.139.0 h1:2RQKM2QpSaWTtaGN6sK+R7LO7zy - github.com/grafana/grafana-plugin-sdk-go v0.139.0/go.mod h1:Y+Ps2sesZ62AyCnX+hzrYnyDQYe/ZZl+A8yKLOBm12c= - github.com/grafana/prometheus-alertmanager v0.24.1-0.20221012142027-823cd9150293 h1:dJIdfHqu+XjKz+w9zXLqXKPdp6Jjx/UPSOwdeSfWdeQ= - github.com/grafana/prometheus-alertmanager v0.24.1-0.20221012142027-823cd9150293/go.mod h1:HVHqK+BVPa/tmL8EMhLCCrPt2a1GdJpEyxr5hgur2UI= --github.com/grafana/saml v0.4.9-0.20230102094056-b61b9eb7c8b7 h1:cujJQ3XV6IK7Y96VpYurd2EpI5rfMRFcuyGqUlk+030= --github.com/grafana/saml v0.4.9-0.20230102094056-b61b9eb7c8b7/go.mod h1:9Zh6dWPtB3MSzTRt8fIFH60Z351QQ+s7hCU3J/tTlA4= - github.com/grafana/thema v0.0.0-20220817114012-ebeee841c104 h1:dYpwFYIChrMfpq3wDa/ZBxAbUGSW5NYmYBeSezhaoao= - github.com/grafana/thema v0.0.0-20220817114012-ebeee841c104/go.mod h1:fCV1rqv6XRQg2GfIQ7pU9zdxd5fLRcEBCnrDVwlK+ZY= - github.com/grafana/xorm v0.8.3-0.20220614223926-2fcda7565af6 h1:I9dh1MXGX0wGyxdV/Sl7+ugnki4Dfsy8lv2s5Yf887o= -@@ -1664,8 +1661,6 @@ github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7V - github.com/julienschmidt/httprouter 
v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= - github.com/jung-kurt/gofpdf v1.0.0/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes= - github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes= --github.com/jung-kurt/gofpdf v1.16.2 h1:jgbatWHfRlPYiK85qgevsZTHviWXKwB1TTiKdz5PtRc= --github.com/jung-kurt/gofpdf v1.16.2/go.mod h1:1hl7y57EsiPAkLbOwzpzqgx1A30nQCk/YmFV8S2vmK0= - github.com/jwilder/encoding v0.0.0-20170811194829-b4e1701a28ef/go.mod h1:Ct9fl0F6iIOGgxJ5npU/IUOhOhqlVrGjyIZc8/MagT0= - github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0/go.mod h1:1NbS8ALrpOvjt0rHPNLyCIeMtbizbir8U//inJ+zuB8= - github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4= -@@ -1787,8 +1782,6 @@ github.com/matryer/is v1.4.0 h1:sosSmIWwkYITGrxZ25ULNDeKiMNzFSr4V/eqBQP0PeE= +@@ -1826,8 +1826,6 @@ github.com/grafana/pyroscope/api v0.3.0/go.mod h1:JggA80ToAAUACYGfwL49XoFk5aN5ec + github.com/grafana/regexp v0.0.0-20221122212121-6b5c0a4cb7fd/go.mod h1:M5qHK+eWfAv8VR/265dIuEpL3fNfeC21tXXp9itM24A= + github.com/grafana/regexp v0.0.0-20221123153739-15dc172cd2db h1:7aN5cccjIqCLTzedH7MZzRZt5/lsAHch6Z3L2ZGn5FA= + github.com/grafana/regexp v0.0.0-20221123153739-15dc172cd2db/go.mod h1:M5qHK+eWfAv8VR/265dIuEpL3fNfeC21tXXp9itM24A= +-github.com/grafana/saml v0.4.15-0.20231025143828-a6c0e9b86a4c h1:1pHLC1ZTz7N5QI3jzCs5sqmVvAKe+JwGnpp9lQ+iUjY= +-github.com/grafana/saml v0.4.15-0.20231025143828-a6c0e9b86a4c/go.mod h1:S4+611dxnKt8z/ulbvaJzcgSHsuhjVc1QHNTcr1R7Fw= + github.com/grafana/sqlds/v2 v2.3.10 h1:HWKhE0vR6LoEiE+Is8CSZOgaB//D1yqb2ntkass9Fd4= + github.com/grafana/sqlds/v2 v2.3.10/go.mod h1:c6ibxnxRVGxV/0YkEgvy7QpQH/lyifFyV7K/14xvdIs= + github.com/grafana/tempo v1.5.1-0.20230524121406-1dc1bfe7085b h1:mDlkqgTEJuK7vjPG44f3ZMtId5AAYLWHvBVbiGqIOOQ= +@@ -2222,8 +2220,6 @@ github.com/markbates/sigtx v1.0.0/go.mod h1:QF1Hv6Ic6Ca6W+T+DL0Y/ypborFKyvUY9Hmu + github.com/markbates/willie 
v1.0.9/go.mod h1:fsrFVWl91+gXpx/6dv715j7i11fYPfZ9ZGfH0DQzY7w= + github.com/matryer/is v1.4.0 h1:sosSmIWwkYITGrxZ25ULNDeKiMNzFSr4V/eqBQP0PeE= github.com/matryer/is v1.4.0/go.mod h1:8I/i5uYgLzgsgEloJE1U6xx5HkBQpAZvepWuujKwMRU= - github.com/matryer/moq v0.0.0-20190312154309-6cfb0558e1bd/go.mod h1:9ELz6aaclSIGnZBoaSLZ3NAl1VTufbOrXBPvtcy6WiQ= - github.com/matryer/moq v0.2.7/go.mod h1:kITsx543GOENm48TUAQyJ9+SAvFSr7iGQXPoth/VUBk= -github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU= -github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To= github.com/mattetti/filebuffer v1.0.1 h1:gG7pyfnSIZCxdoKq+cPa8T0hhYtD9NxCdI4D7PTjRLM= github.com/mattetti/filebuffer v1.0.1/go.mod h1:YdMURNDOttIiruleeVr6f56OrMc+MydEnTcXwtkxNVs= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= -@@ -2066,7 +2059,6 @@ github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR - github.com/peterh/liner v1.0.1-0.20180619022028-8c1271fcf47f/go.mod h1:xIteQHvHuaLYG9IFj6mSxM0fCKrs34IrEQUhOYuGPHc= - github.com/philhofer/fwd v1.0.0/go.mod h1:gk3iGcWd9+svBvR0sR+KPcfE+RNWozjowpeBVG3ZVNU= - github.com/phpdave11/gofpdf v1.4.2/go.mod h1:zpO6xFn9yxo3YLyMvW8HcKWVdbNqgIfOOp2dXMnm1mY= --github.com/phpdave11/gofpdi v1.0.7/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI= - github.com/phpdave11/gofpdi v1.0.12/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI= - github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0jef7pBehbT1qWhCMrIgbYNnFAZCqQ5LRc= - github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= -@@ -2696,7 +2688,6 @@ golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5y - golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= - golang.org/x/crypto v0.0.0-20211115234514-b4de73f9ece8/go.mod 
h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= - golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= --golang.org/x/crypto v0.0.0-20220128200615-198e4374d7ed/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= - golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= - golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= - golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= diff --git a/pkg/extensions/main.go b/pkg/extensions/main.go -index 72371bdab4..a7bb7abe0f 100644 +index 327e208221..426aad2a21 100644 --- a/pkg/extensions/main.go +++ b/pkg/extensions/main.go -@@ -11,13 +11,11 @@ import ( +@@ -11,7 +11,6 @@ import ( + _ "github.com/beevik/etree" _ "github.com/blugelabs/bluge" _ "github.com/blugelabs/bluge_segment_api" - _ "github.com/cortexproject/cortex/pkg/util" - _ "github.com/crewjam/saml" + _ "github.com/go-jose/go-jose/v3" _ "github.com/gobwas/glob" _ "github.com/googleapis/gax-go/v2" - _ "github.com/grafana/dskit/backoff" - _ "github.com/grafana/dskit/flagext" - _ "github.com/grpc-ecosystem/go-grpc-middleware" -- _ "github.com/jung-kurt/gofpdf" - _ "github.com/linkedin/goavro/v2" - _ "github.com/m3db/prometheus_remote_client_golang/promremote" - _ "github.com/pkg/errors" diff --git a/0005-remove-unused-frontend-crypto.patch b/0005-remove-unused-frontend-crypto.patch index 89c90bf..268eadb 100644 --- a/0005-remove-unused-frontend-crypto.patch +++ b/0005-remove-unused-frontend-crypto.patch @@ -1,4 +1,4 @@ -From 3709d320189b10a12a3780d15e46afd777f06554 Mon Sep 17 00:00:00 2001 +From ddd615152004e0bc5985a574c05d31778351dfa3 Mon Sep 17 00:00:00 2001 From: Andreas Gerstmayr Date: Wed, 22 Jun 2022 17:36:47 +0200 Subject: [PATCH] remove unused frontend crypto 
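Review bot: The description of 0004 kept as context still reads `saml and gofpdf are not used in the OSS edition of Grafana`, but on the new side of `@@ -7,103 +7,56 @@` the only removals left are `github.com/crewjam/saml`, the indirect `github.com/mattermost/xml-roundtrip-validator` and the matching go.sum entries. Every `github.com/jung-kurt/gofpdf` line has disappeared from the go.mod, go.sum and `pkg/extensions/main.go` sections. If upstream no longer requires gofpdf, the description should be reworded to name saml only. If go.mod in 10.2.6 still lists it, the module is back in the vendor bundle and should be stripped again or the reason for keeping it recorded.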
@@ -7,49 +7,47 @@ update `package.json` and then run `yarn install` to update the `yarn.lock` lockfile diff --git a/package.json b/package.json -index e26f95d855..91d71f1414 100644 +index 38deb6d7de..aad5e88bf0 100644 --- a/package.json +++ b/package.json -@@ -405,8 +405,10 @@ - "whatwg-fetch": "3.6.2" - }, +@@ -425,6 +425,9 @@ "resolutions": { + "underscore": "1.13.6", + "@types/slate": "0.47.11", + "crypto-browserify": "https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz", + "selfsigned": "https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz", + "http-signature": "https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz", - "underscore": "1.13.4", -- "@mdx-js/loader/loader-utils": "^2.0.0", - "@types/slate": "0.47.9", - "@rushstack/node-core-library": "3.52.0", - "@rushstack/rig-package": "0.3.13", + "ngtemplate-loader/loader-utils": "^2.0.0", + "semver@~7.0.0": "7.5.4", + "semver@7.3.4": "7.5.4", diff --git a/yarn.lock b/yarn.lock -index f374e10e33..12c06ad883 100644 +index bf22ba52a1..1552ddc052 100644 --- a/yarn.lock 
+++ b/yarn.lock -@@ -14511,22 +14511,6 @@ __metadata: +@@ -10935,22 +10935,6 @@ __metadata: languageName: node linkType: hard -"asn1@npm:~0.2.3": -- version: 0.2.4 -- resolution: "asn1@npm:0.2.4" +- version: 0.2.6 +- resolution: "asn1@npm:0.2.6" - dependencies: -- safer-buffer: ~2.1.0 -- checksum: aa5d6f77b1e0597df53824c68cfe82d1d89ce41cb3520148611f025fbb3101b2d25dd6a40ad34e4fac10f6b19ed5e8628cd4b7d212261e80e83f02b39ee5663c +- safer-buffer: "npm:~2.1.0" +- checksum: cf629291fee6c1a6f530549939433ebf32200d7849f38b810ff26ee74235e845c0c12b2ed0f1607ac17383d19b219b69cefa009b920dab57924c5c544e495078 - languageName: node - linkType: hard - -"assert-plus@npm:1.0.0, assert-plus@npm:^1.0.0": - version: 1.0.0 - resolution: "assert-plus@npm:1.0.0" -- checksum: 19b4340cb8f0e6a981c07225eacac0e9d52c2644c080198765d63398f0075f83bbc0c8e95474d54224e297555ad0d631c1dcd058adb1ddc2437b41a6b424ac64 +- checksum: f4f991ae2df849cc678b1afba52d512a7cbf0d09613ba111e72255409ff9158550c775162a47b12d015d1b82b3c273e8e25df0e4783d3ddb008a293486d00a07 - languageName: node - linkType: hard - - "assert@npm:2.0.0": + "assert@npm:2.0.0, assert@npm:^2.0.0": version: 2.0.0 resolution: "assert@npm:2.0.0" -@@ -15231,15 +15215,6 @@ __metadata: +@@ -11427,15 +11411,6 @@ __metadata: languageName: node linkType: hard 
@@ -57,29 +55,29 @@ index f374e10e33..12c06ad883 100644 - version: 1.0.2 - resolution: "bcrypt-pbkdf@npm:1.0.2" - dependencies: -- tweetnacl: ^0.14.3 -- checksum: 4edfc9fe7d07019609ccf797a2af28351736e9d012c8402a07120c4453a3b789a15f2ee1530dc49eee8f7eb9379331a8dd4b3766042b9e502f74a68e7f662291 +- tweetnacl: "npm:^0.14.3" +- checksum: 13a4cde058250dbf1fa77a4f1b9a07d32ae2e3b9e28e88a0c7a1827835bc3482f3e478c4a0cfd4da6ff0c46dae07da1061123a995372b32cc563d9975f975404 - languageName: node - linkType: hard - "before-after-hook@npm:^2.2.0": version: 2.2.2 resolution: "before-after-hook@npm:2.2.2" -@@ -17053,13 +17028,6 @@ __metadata: +@@ -12929,13 +12904,6 @@ __metadata: languageName: node linkType: hard -"core-util-is@npm:1.0.2": - version: 1.0.2 - resolution: "core-util-is@npm:1.0.2" -- checksum: 7a4c925b497a2c91421e25bf76d6d8190f0b2359a9200dbeed136e63b2931d6294d3b1893eda378883ed363cd950f44a12a401384c609839ea616befb7927dab +- checksum: d0f7587346b44a1fe6c269267e037dd34b4787191e473c3e685f507229d88561c40eb18872fabfff02977301815d474300b7bfbd15396c13c5377393f7e87ec3 - languageName: node - linkType: hard - "core-util-is@npm:~1.0.0": version: 1.0.3 resolution: "core-util-is@npm:1.0.3" -@@ -18097,15 +18065,6 @@ __metadata: +@@ -13857,15 +13825,6 @@ __metadata: languageName: node linkType: hard 
@@ -87,15 +85,15 @@ index f374e10e33..12c06ad883 100644 - version: 1.14.1 - resolution: "dashdash@npm:1.14.1" - dependencies: -- assert-plus: ^1.0.0 -- checksum: 3634c249570f7f34e3d34f866c93f866c5b417f0dd616275decae08147dcdf8fccfaa5947380ccfb0473998ea3a8057c0b4cd90c875740ee685d0624b2983598 +- assert-plus: "npm:^1.0.0" +- checksum: 137b287fa021201ce100cef772c8eeeaaafdd2aa7282864022acf3b873021e54cb809e9c060fa164840bf54ff72d00d6e2d8da1ee5a86d7200eeefa1123a8f7f - languageName: node - linkType: hard - - "data-urls@npm:^2.0.0": - version: 2.0.0 - resolution: "data-urls@npm:2.0.0" -@@ -18842,16 +18801,6 @@ __metadata: + "data-urls@npm:^3.0.2": + version: 3.0.2 + resolution: "data-urls@npm:3.0.2" +@@ -14573,16 +14532,6 @@ __metadata: languageName: node linkType: hard 
@@ -103,37 +101,37 @@ index f374e10e33..12c06ad883 100644 - version: 0.1.2 - resolution: "ecc-jsbn@npm:0.1.2" - dependencies: -- jsbn: ~0.1.0 -- safer-buffer: ^2.1.0 -- checksum: 22fef4b6203e5f31d425f5b711eb389e4c6c2723402e389af394f8411b76a488fa414d309d866e2b577ce3e8462d344205545c88a8143cc21752a5172818888a +- jsbn: "npm:~0.1.0" +- safer-buffer: "npm:^2.1.0" +- checksum: d43591f2396196266e186e6d6928038cc11c76c3699a912cb9c13757060f7bbc7f17f47c4cb16168cdeacffc7965aef021142577e646fb3cb88810c15173eb57 - languageName: node - linkType: hard - "ee-first@npm:1.1.1": version: 1.1.1 resolution: "ee-first@npm:1.1.1" -@@ -20489,20 +20438,6 @@ __metadata: +@@ -15991,20 +15940,6 @@ __metadata: languageName: node linkType: hard -"extsprintf@npm:1.3.0": - version: 1.3.0 - resolution: "extsprintf@npm:1.3.0" -- checksum: cee7a4a1e34cffeeec18559109de92c27517e5641991ec6bab849aa64e3081022903dd53084f2080d0d2530803aa5ee84f1e9de642c365452f9e67be8f958ce2 +- checksum: 26967d6c7ecbfb5bc5b7a6c43503dc5fafd9454802037e9fa1665e41f615da4ff5918bd6cb871a3beabed01a31eca1ccd0bdfb41231f50ad50d405a430f78377 - languageName: node - linkType: hard - -"extsprintf@npm:^1.2.0": -- version: 1.4.0 -- resolution: "extsprintf@npm:1.4.0" -- checksum: 184dc8a413eb4b1ff16bdce797340e7ded4d28511d56a1c9afa5a95bcff6ace154063823eaf0206dbbb0d14059d74f382a15c34b7c0636fa74a7e681295eb67e +- version: 1.4.1 +- resolution: "extsprintf@npm:1.4.1" +- checksum: bfd6d55f3c0c04d826fe0213264b383c03f32825af6b1ff777f3f2dc49467e599361993568d75b7b19a8ea1bb08c8e7cd8c3d87d179ced91bb0dcf81ca6938e0 - languageName: node - linkType: hard - - "fast-deep-equal@npm:^3.0.0, fast-deep-equal@npm:^3.1.1, fast-deep-equal@npm:^3.1.3": + "fast-deep-equal@npm:^3.1.1, fast-deep-equal@npm:^3.1.3": version: 3.1.3 resolution: "fast-deep-equal@npm:3.1.3" -@@ -21462,15 +21397,6 @@ __metadata: +@@ -16916,15 +16851,6 @@ __metadata: languageName: node linkType: hard 
@@ -141,15 +139,15 @@ index f374e10e33..12c06ad883 100644 - version: 0.1.7 - resolution: "getpass@npm:0.1.7" - dependencies: -- assert-plus: ^1.0.0 +- assert-plus: "npm:^1.0.0" - checksum: ab18d55661db264e3eac6012c2d3daeafaab7a501c035ae0ccb193c3c23e9849c6e29b6ac762b9c2adae460266f925d55a3a2a3a3c8b94be2f222df94d70c046 - languageName: node - linkType: hard - - "git-raw-commits@npm:^2.0.8": - version: 2.0.11 - resolution: "git-raw-commits@npm:2.0.11" -@@ -22832,25 +22758,10 @@ __metadata: + "giget@npm:^1.0.0": + version: 1.1.2 + resolution: "giget@npm:1.1.2" +@@ -18263,25 +18189,10 @@ __metadata: languageName: node linkType: hard @@ -157,10 +155,10 @@ index f374e10e33..12c06ad883 100644 - version: 1.2.0 - resolution: "http-signature@npm:1.2.0" - dependencies: -- assert-plus: ^1.0.0 -- jsprim: ^1.2.2 -- sshpk: ^1.7.0 -- checksum: 3324598712266a9683585bb84a75dec4fd550567d5e0dd4a0fff6ff3f74348793404d3eeac4918fa0902c810eeee1a86419e4a2e92a164132dfe6b26743fb47c +- assert-plus: "npm:^1.0.0" +- jsprim: "npm:^1.2.2" +- sshpk: "npm:^1.7.0" +- checksum: 2ff7112e6b0d8f08b382dfe705078c655501f2ddd76cf589d108445a9dd388a0a9be928c37108261519a7f53e6bbd1651048d74057b804807cce1ec49e87a95b - languageName: node - linkType: hard - 
@@ -168,10 +166,10 @@ index f374e10e33..12c06ad883 100644 - version: 1.3.6 - resolution: "http-signature@npm:1.3.6" - dependencies: -- assert-plus: ^1.0.0 -- jsprim: ^2.0.2 -- sshpk: ^1.14.1 -- checksum: 10be2af4764e71fee0281392937050201ee576ac755c543f570d6d87134ce5e858663fe999a7adb3e4e368e1e356d0d7fec6b9542295b875726ff615188e7a0c +- assert-plus: "npm:^1.0.0" +- jsprim: "npm:^2.0.2" +- sshpk: "npm:^1.14.1" +- checksum: 5f08e0c82174999da97114facb0d0d47e268d60b6fc10f92cb87b99d5ccccd36f79b9508c29dda0b4f4e3a1b2f7bcaf847e68ecd5da2f1fc465fcd1d054b7884 +"http-signature@https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz": + version: 1.1.3 + resolution: "http-signature@https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz" 
@@ -179,47 +177,47 @@ index f374e10e33..12c06ad883 100644 languageName: node linkType: hard -@@ -25418,13 +25329,6 @@ __metadata: +@@ -20609,13 +20520,6 @@ __metadata: languageName: node linkType: hard -"jsbn@npm:~0.1.0": - version: 0.1.1 - resolution: "jsbn@npm:0.1.1" -- checksum: e5ff29c1b8d965017ef3f9c219dacd6e40ad355c664e277d31246c90545a02e6047018c16c60a00f36d561b3647215c41894f5d869ada6908a2e0ce4200c88f2 +- checksum: 5450133242845100e694f0ef9175f44c012691a9b770b2571e677314e6f70600abb10777cdfc9a0c6a9f2ac6d134577403633de73e2fcd0f97875a67744e2d14 - languageName: node - linkType: hard - - "jsdoc-type-pratt-parser@npm:~2.2.5": - version: 2.2.5 - resolution: "jsdoc-type-pratt-parser@npm:2.2.5" -@@ -25572,13 +25476,6 @@ __metadata: + "jscodeshift@npm:^0.14.0": + version: 0.14.0 + resolution: "jscodeshift@npm:0.14.0" +@@ -20767,13 +20671,6 @@ __metadata: languageName: node linkType: hard --"json-schema@npm:0.2.3, json-schema@npm:0.4.0": +-"json-schema@npm:0.4.0": - version: 0.4.0 - resolution: "json-schema@npm:0.4.0" -- checksum: 66389434c3469e698da0df2e7ac5a3281bcff75e797a5c127db7c5b56270e01ae13d9afa3c03344f76e32e81678337a8c912bdbb75101c62e487dc3778461d72 +- checksum: 8b3b64eff4a807dc2a3045b104ed1b9335cd8d57aa74c58718f07f0f48b8baa3293b00af4dcfbdc9144c3aafea1e97982cc27cc8e150fc5d93c540649507a458 - languageName: node - linkType: hard - "json-source-map@npm:0.6.1": version: 0.6.1 resolution: "json-source-map@npm:0.6.1" -@@ -25709,30 +25606,6 @@ __metadata: +@@ -20886,30 +20783,6 @@ __metadata: languageName: node linkType: hard -"jsprim@npm:^1.2.2": -- version: 1.4.1 -- resolution: "jsprim@npm:1.4.1" +- version: 1.4.2 +- resolution: "jsprim@npm:1.4.2" - dependencies: -- assert-plus: 1.0.0 -- extsprintf: 1.3.0 -- json-schema: 0.2.3 -- verror: 1.10.0 -- checksum: 6bcb20ec265ae18bb48e540a6da2c65f9c844f7522712d6dfcb01039527a49414816f4869000493363f1e1ea96cbad00e46188d5ecc78257a19f152467587373 +- assert-plus: "npm:1.0.0" +- extsprintf: "npm:1.3.0" +- json-schema: "npm:0.4.0" +- 
verror: "npm:1.10.0" +- checksum: df2bf234eab1b5078d01bcbff3553d50a243f7b5c10a169745efeda6344d62798bd1d85bcca6a8446f3b5d0495e989db45f9de8dae219f0f9796e70e0c776089 - languageName: node - linkType: hard - 
@@ -227,50 +225,27 @@ index f374e10e33..12c06ad883 100644 - version: 2.0.2 - resolution: "jsprim@npm:2.0.2" - dependencies: -- assert-plus: 1.0.0 -- extsprintf: 1.3.0 -- json-schema: 0.4.0 -- verror: 1.10.0 -- checksum: d175f6b1991e160cb0aa39bc857da780e035611986b5492f32395411879fdaf4e513d98677f08f7352dac93a16b66b8361c674b86a3fa406e2e7af6b26321838 +- assert-plus: "npm:1.0.0" +- extsprintf: "npm:1.3.0" +- json-schema: "npm:0.4.0" +- verror: "npm:1.10.0" +- checksum: fcfca5b55f83e1b8be5f932c71754bd37afd2611f81685abd05689e8ce718a91155ff7bd5b94c65ce483a787b5c43c6d0c18c1d2259fca5bb61a3f8ea2e29c0a - languageName: node - linkType: hard - "jsurl@npm:^0.1.5": version: 0.1.5 resolution: "jsurl@npm:0.1.5" -@@ -26192,6 +26065,17 @@ __metadata: +@@ -22734,7 +22607,7 @@ __metadata: languageName: node linkType: hard -+"loader-utils@npm:2.0.0": -+ version: 2.0.0 -+ resolution: "loader-utils@npm:2.0.0" -+ dependencies: -+ big.js: ^5.2.2 -+ emojis-list: ^3.0.0 -+ json5: ^2.1.2 -+ checksum: 6856423131b50b6f5f259da36f498cfd7fc3c3f8bb17777cf87fdd9159e797d4ba4288d9a96415fd8da62c2906960e88f74711dee72d03a9003bddcd0d364a51 -+ languageName: node -+ linkType: hard -+ - "loader-utils@npm:^2.0.0": - version: 2.0.3 - resolution: "loader-utils@npm:2.0.3" -@@ -27755,13 +27639,6 @@ __metadata: - languageName: node - linkType: hard - --"node-forge@npm:^1": -- version: 1.3.1 -- resolution: "node-forge@npm:1.3.1" -- checksum: 08fb072d3d670599c89a1704b3e9c649ff1b998256737f0e06fbd1a5bf41cae4457ccaee32d95052d80bbafd9ffe01284e078c8071f0267dc9744e51c5ed42a9 -- languageName: node -- linkType: hard -- - "node-gettext@npm:^3.0.0": - version: 3.0.0 - resolution: "node-gettext@npm:3.0.0" -@@ -33404,7 +33281,7 @@ __metadata: +-"node-forge@npm:^1, node-forge@npm:^1.3.1": ++"node-forge@npm:^1.3.1": + version: 1.3.1 + resolution: "node-forge@npm:1.3.1" + checksum: 05bab6868633bf9ad4c3b1dd50ec501c22ffd69f556cdf169a00998ca1d03e8107a6032ba013852f202035372021b845603aeccd7dfcb58cdb7430013b3daa8d +@@ -27151,7 +27024,7 @@ 
__metadata: languageName: node linkType: hard @@ -278,17 +253,17 @@ index f374e10e33..12c06ad883 100644 +"safer-buffer@npm:>= 2.1.2 < 3, safer-buffer@npm:>= 2.1.2 < 3.0.0": version: 2.1.2 resolution: "safer-buffer@npm:2.1.2" - checksum: cab8f25ae6f1434abee8d80023d7e72b598cf1327164ddab31003c51215526801e40b66c5e65d658a0af1e9d6478cadcb4c745f4bd6751f97d8644786c0978b0 -@@ -33623,12 +33500,10 @@ __metadata: + checksum: 7eaf7a0cf37cc27b42fb3ef6a9b1df6e93a1c6d98c6c6702b02fe262d5fcbd89db63320793b99b21cb5348097d0a53de81bd5f4e8b86e20cc9412e3f1cfb4e83 +@@ -27282,12 +27155,10 @@ __metadata: languageName: node linkType: hard --"selfsigned@npm:^2.0.1": -- version: 2.0.1 -- resolution: "selfsigned@npm:2.0.1" +-"selfsigned@npm:^2.1.1": +- version: 2.1.1 +- resolution: "selfsigned@npm:2.1.1" - dependencies: -- node-forge: ^1 -- checksum: 864e65c2f31ca877bce3ccdaa3bdef5e1e992b63b2a03641e00c24cd305bf2acce093431d1fed2e5ae9f526558db4be5e90baa2b3474c0428fcf7e25cc86ac93 +- node-forge: "npm:^1" +- checksum: 6005206e0d005448274aceceaded5195b944f67a42b72d212a6169d2e5f4bdc87c15a3fe45732c544db8c7175702091aaf95403ad6632585294a6ec8cca63638 +"selfsigned@https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz": + version: 1.1.3 + resolution: "selfsigned@https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz" 
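Review bot: In the yarn.lock section at `@@ -227,50 +225,27 @@` the refreshed patch no longer deletes the `node-forge` entry; it only narrows the key from `"node-forge@npm:^1, node-forge@npm:^1.3.1"` to `"node-forge@npm:^1.3.1"`, so node-forge 1.3.1 stays locked. Since the stated purpose of 0005 is to remove unused frontend crypto, the patch description should record which package still requires `node-forge@^1.3.1` and whether it reaches the shipped frontend bundle or is build-time only. If it turns out to be unused at runtime, it could presumably be handled with a `resolutions` entry like the existing ones for `crypto-browserify`, `selfsigned` and `http-signature`; that needs checking against the actual build.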
@@ -296,49 +271,49 @@ index f374e10e33..12c06ad883 100644 languageName: node linkType: hard -@@ -34591,27 +34466,6 @@ __metadata: +@@ -28053,27 +27924,6 @@ __metadata: languageName: node linkType: hard -"sshpk@npm:^1.14.1, sshpk@npm:^1.7.0": -- version: 1.16.1 -- resolution: "sshpk@npm:1.16.1" +- version: 1.17.0 +- resolution: "sshpk@npm:1.17.0" - dependencies: -- asn1: ~0.2.3 -- assert-plus: ^1.0.0 -- bcrypt-pbkdf: ^1.0.0 -- dashdash: ^1.12.0 -- ecc-jsbn: ~0.1.1 -- getpass: ^0.1.1 -- jsbn: ~0.1.0 -- safer-buffer: ^2.0.2 -- tweetnacl: ~0.14.0 +- asn1: "npm:~0.2.3" +- assert-plus: "npm:^1.0.0" +- bcrypt-pbkdf: "npm:^1.0.0" +- dashdash: "npm:^1.12.0" +- ecc-jsbn: "npm:~0.1.1" +- getpass: "npm:^0.1.1" +- jsbn: "npm:~0.1.0" +- safer-buffer: "npm:^2.0.2" +- tweetnacl: "npm:~0.14.0" - bin: - sshpk-conv: bin/sshpk-conv - sshpk-sign: bin/sshpk-sign - sshpk-verify: bin/sshpk-verify -- checksum: 5e76afd1cedc780256f688b7c09327a8a650902d18e284dfeac97489a735299b03c3e72c6e8d22af03dbbe4d6f123fdfd5f3c4ed6bedbec72b9529a55051b857 +- checksum: 668c2a279a6ce66fd739ce5684e37927dd75427cc020c828a208f85890a4c400705d4ba09f32fa44efca894339dc6931941664f6f6ba36dfa543de6d006cbe9c - languageName: node - linkType: hard - - "ssri@npm:^8.0.0, ssri@npm:^8.0.1": - version: 8.0.1 - resolution: "ssri@npm:8.0.1" -@@ -36287,13 +36141,6 @@ __metadata: + "ssri@npm:^10.0.0, ssri@npm:^10.0.1": + version: 10.0.5 + resolution: "ssri@npm:10.0.5" +@@ -29479,13 +29329,6 @@ __metadata: languageName: node linkType: hard -"tweetnacl@npm:^0.14.3, tweetnacl@npm:~0.14.0": - version: 0.14.5 - resolution: "tweetnacl@npm:0.14.5" -- checksum: 6061daba1724f59473d99a7bb82e13f211cdf6e31315510ae9656fefd4779851cb927adad90f3b488c8ed77c106adc0421ea8055f6f976ff21b27c5c4e918487 +- checksum: 04ee27901cde46c1c0a64b9584e04c96c5fe45b38c0d74930710751ea991408b405747d01dfae72f80fc158137018aea94f9c38c651cb9c318f0861a310c3679 - languageName: node - linkType: hard - "type-check@npm:^0.4.0, type-check@npm:~0.4.0": version: 0.4.0 resolution: 
"type-check@npm:0.4.0" -@@ -37042,17 +36889,6 @@ __metadata: +@@ -30199,17 +30042,6 @@ __metadata: languageName: node linkType: soft @@ -346,13 +321,13 @@ index f374e10e33..12c06ad883 100644 - version: 1.10.0 - resolution: "verror@npm:1.10.0" - dependencies: -- assert-plus: ^1.0.0 -- core-util-is: 1.0.2 -- extsprintf: ^1.2.0 -- checksum: c431df0bedf2088b227a4e051e0ff4ca54df2c114096b0c01e1cbaadb021c30a04d7dd5b41ab277bcd51246ca135bf931d4c4c796ecae7a4fef6d744ecef36ea +- assert-plus: "npm:^1.0.0" +- core-util-is: "npm:1.0.2" +- extsprintf: "npm:^1.2.0" +- checksum: da548149dd9c130a8a2587c9ee71ea30128d1526925707e2d01ed9c5c45c9e9f86733c66a328247cdd5f7c1516fb25b0f959ba754bfbe15072aa99ff96468a29 - languageName: node - linkType: hard - - "vfile-location@npm:^3.0.0, vfile-location@npm:^3.2.0": - version: 3.2.0 - resolution: "vfile-location@npm:3.2.0" + "vinyl-fs@npm:^3.0.2": + version: 3.0.3 + resolution: "vinyl-fs@npm:3.0.3" diff --git a/0006-skip-marketplace-plugin-install-test.patch b/0006-skip-marketplace-plugin-install-test.patch index d56fe4e..3180726 100644 --- a/0006-skip-marketplace-plugin-install-test.patch +++ b/0006-skip-marketplace-plugin-install-test.patch @@ -1,4 +1,4 @@ -From a23cb1162fd705147489915667b83a236ad248be Mon Sep 17 00:00:00 2001 +From ed8a438d72a667844ae07804491b568ad2f5dcdd Mon Sep 17 00:00:00 2001 From: Andreas Gerstmayr Date: Thu, 23 Jun 2022 17:00:46 +0200 Subject: [PATCH] skip marketplace plugin install test @@ -8,10 +8,10 @@ Network connectivity is disabled in the build environment for security reasons, therefore we need to disable this test. diff --git a/pkg/tests/api/plugins/api_plugins_test.go b/pkg/tests/api/plugins/api_plugins_test.go -index 0d62275c4b..c237aa9389 100644 +index 4fc2295ed8..a326c40b04 100644 --- a/pkg/tests/api/plugins/api_plugins_test.go 
+++ b/pkg/tests/api/plugins/api_plugins_test.go -@@ -56,6 +56,7 @@ func TestPlugins(t *testing.T) { +@@ -71,6 +71,7 @@ func TestIntegrationPlugins(t *testing.T) { }) t.Run("Request is not forbidden if from an admin", func(t *testing.T) { diff --git a/0007-fix-alert-test.patch b/0007-fix-alert-test.patch deleted file mode 100644 index 71039d1..0000000 --- a/0007-fix-alert-test.patch +++ /dev/null @@ -1,19 +0,0 @@ -From 3236aa416f6d1b109bff1fdd4127292988fb199c Mon Sep 17 00:00:00 2001 -From: Stan Cox -Date: Wed, 22 Jun 2022 17:05:48 +0200 -Subject: [PATCH] fix alert test - - -diff --git a/pkg/tests/api/alerting/api_alertmanager_test.go b/pkg/tests/api/alerting/api_alertmanager_test.go -index 2d6e1235b6..f0eff6d2ac 100644 ---- a/pkg/tests/api/alerting/api_alertmanager_test.go 2023-01-24 14:44:19.000000000 -0500 -+++ b/pkg/tests/api/alerting/api_alertmanager_test.go 2023-04-13 16:20:51.718515009 -0400 -@@ -210,7 +210,7 @@ - { - "comment": "string", - "createdBy": "string", -- "endsAt": "2023-03-31T14:17:04.419Z", -+ "endsAt": "2032-03-31T14:17:04.419Z", - "matchers": [ - { - "isRegex": true, diff --git a/0009-redact-weak-ciphers.patch b/0007-redact-weak-ciphers.patch similarity index 52% rename from 0009-redact-weak-ciphers.patch rename to 0007-redact-weak-ciphers.patch index 746d0c2..1b7148a 100644 --- a/0009-redact-weak-ciphers.patch +++ b/0007-redact-weak-ciphers.patch @@ -1,30 +1,30 @@ -From 3236aa416f6d1b109bff1fdd4127292988fb199c Mon Sep 17 00:00:00 2001 +From 7ac26d6beb2175f0d6001ca0df322ce610401cce Mon Sep 17 00:00:00 2001 From: Stan Cox Date: Wed, 22 Jun 2022 17:05:48 +0200 Subject: [PATCH] redact weak ciphers 
diff --git a/pkg/api/http_server.go b/pkg/api/http_server.go -index 2d6e1235b6..f0eff6d2ac 100644 ---- a/pkg/api/http_server.go 2023-01-24 14:44:19.000000000 -0500 -+++ b/pkg/api/http_server.go 2023-04-21 13:14:02.684857018 -0400 -@@ -489,13 +489,13 @@ +index da04044683..8a29270d4d 100644 +--- a/pkg/api/http_server.go ++++ b/pkg/api/http_server.go +@@ -820,13 +820,13 @@ func (hs *HTTPServer) getDefaultCiphers(tlsVersion uint16, protocol string) []ui tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, -+// tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, ++ // tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, - tls.TLS_RSA_WITH_AES_128_GCM_SHA256, - tls.TLS_RSA_WITH_AES_256_GCM_SHA384, - tls.TLS_RSA_WITH_AES_128_CBC_SHA, - tls.TLS_RSA_WITH_AES_256_CBC_SHA, -+// tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, -+// tls.TLS_RSA_WITH_AES_128_GCM_SHA256, -+// tls.TLS_RSA_WITH_AES_256_GCM_SHA384, -+// tls.TLS_RSA_WITH_AES_128_CBC_SHA, -+// tls.TLS_RSA_WITH_AES_256_CBC_SHA, - }, ++ // tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, ++ // tls.TLS_RSA_WITH_AES_128_GCM_SHA256, ++ // tls.TLS_RSA_WITH_AES_256_GCM_SHA384, ++ // tls.TLS_RSA_WITH_AES_128_CBC_SHA, ++ // tls.TLS_RSA_WITH_AES_256_CBC_SHA, + } } - + if protocol == "h2" { diff --git a/0008-graphite-functions-xss.patch b/0008-graphite-functions-xss.patch deleted file mode 100644 index a686e9a..0000000 --- a/0008-graphite-functions-xss.patch +++ /dev/null 
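Review bot: `tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` stays enabled as a context line in getDefaultCiphers while the neighbouring `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` and `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` entries are commented out, so one CBC/SHA-1 suite is still offered. If the intent is to drop every CBC and static-RSA suite, that entry should be disabled as well: `// tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,`. If it is kept on purpose, a one-line comment above the list should name the policy that decides which suites are redacted, since the patch carries no description. The list begins above the hunk, so whether other CBC suites remain cannot be checked from here.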
@@ -1,30 +0,0 @@ -From: ismail simsek -Date: Thu Mar 16 23:16:03 2023 +0100 -Subject: [PATCH] graphite functions xss - -commit e59427c074 - [v9.2.x] Fix xss in Graphite functions tooltip (#810) - - Fix xss in Graphite functions tooltip (#804) - - (cherry picked from commit 87aad3f11836f810ee1fdfee27827e746ef36055) - - Co-authored-by: Ludovic Viaud - -diff --git a/public/app/plugins/datasource/graphite/components/FunctionEditorControls.tsx b/public/app/plugins/datasource/graphite/components/FunctionEditorControls.tsx -index facd0b2511..d4d41da720 100644 ---- a/public/app/plugins/datasource/graphite/components/FunctionEditorControls.tsx -+++ b/public/app/plugins/datasource/graphite/components/FunctionEditorControls.tsx -@@ -11,11 +11,9 @@ export interface FunctionEditorControlsProps { - } - - const FunctionDescription = React.lazy(async () => { -- // @ts-ignore -- const { default: rst2html } = await import(/* webpackChunkName: "rst2html" */ 'rst2html'); - return { - default(props: { description?: string }) { -- return
; -+ return
{props.description}
; - }, - }; - }); diff --git a/0008-replace-faulty-slices-sort.patch b/0008-replace-faulty-slices-sort.patch new file mode 100644 index 0000000..b9cea8c --- /dev/null +++ b/0008-replace-faulty-slices-sort.patch @@ -0,0 +1,40 @@ +From 3f45f26993ed94837001bb9760d7859e7a057649 Mon Sep 17 00:00:00 2001 +From: Sam Feifer +Date: Fri, 1 Mar 2024 15:00:55 -0500 +Subject: [PATCH] replace faulty slices sort + + +diff --git a/pkg/services/sqlstore/migrator/dialect.go b/pkg/services/sqlstore/migrator/dialect.go +index 183b619de8..da21edeafa 100644 +--- a/pkg/services/sqlstore/migrator/dialect.go ++++ b/pkg/services/sqlstore/migrator/dialect.go +@@ -368,7 +368,8 @@ func (b *BaseDialect) InsertQuery(tableName string, row map[string]any) (string, + for col := range row { + keys = append(keys, col) + } +- slices.Sort[string](keys) ++ slices.Sort(keys) ++ //slices.Sort[string](keys) + + // build query and values + for _, col := range keys { +@@ -398,7 +399,8 @@ func (b *BaseDialect) UpdateQuery(tableName string, row map[string]any, where ma + for col := range row { + keys = append(keys, col) + } +- slices.Sort[string](keys) ++ slices.Sort(keys) ++ //slices.Sort[string](keys) + + // build update query and values + for _, col := range keys { +@@ -411,7 +413,8 @@ func (b *BaseDialect) UpdateQuery(tableName string, row map[string]any, where ma + for col := range where { + keys = append(keys, col) + } +- slices.Sort[string](keys) ++ slices.Sort(keys) ++ //slices.Sort[string](keys) + + // build where clause and values + for _, col := range keys { diff --git a/0009-update-wrappers-and-systemd-with-distro-paths.patch b/0009-update-wrappers-and-systemd-with-distro-paths.patch new file mode 100644 index 0000000..5331ddf --- /dev/null +++ b/0009-update-wrappers-and-systemd-with-distro-paths.patch 
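Review bot: Each of the three replacements in InsertQuery and UpdateQuery leaves the old call behind as `//slices.Sort[string](keys)`, and the patch description is empty, so nothing records why the explicit type argument is considered faulty. Delete the commented-out lines and state the reason in the patch header, for instance which `slices` package or Go toolchain in the build rejects `slices.Sort[string]`. A short comment on the kept call, such as `// sort keys so the generated query and its argument order are stable`, would also help the next rebase. Both functions start and end outside the hunks.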
@@ -0,0 +1,76 @@ +From 5fe02f961e67af04907dc57beda42456128ab1c8 Mon Sep 17 00:00:00 2001 +From: Sam Feifer +Date: Fri, 1 Mar 2024 15:05:24 -0500 +Subject: [PATCH] update wrappers and systemd with distro paths + + +diff --git a/packaging/rpm/systemd/grafana-server.service b/packaging/rpm/systemd/grafana-server.service +index e3adc3f469..b2e4aced06 100644 +--- a/packaging/rpm/systemd/grafana-server.service ++++ b/packaging/rpm/systemd/grafana-server.service +@@ -14,7 +14,7 @@ Restart=on-failure + WorkingDirectory=/usr/share/grafana + RuntimeDirectory=grafana + RuntimeDirectoryMode=0750 +-ExecStart=/usr/share/grafana/bin/grafana server \ ++ExecStart=/usr/sbin/grafana server \ + --config=${CONF_FILE} \ + --pidfile=${PID_FILE_DIR}/grafana-server.pid \ + --packaging=rpm \ +diff --git a/packaging/wrappers/grafana b/packaging/wrappers/grafana +index 86e0fc9faa..5c88bae4c3 100755 +--- a/packaging/wrappers/grafana ++++ b/packaging/wrappers/grafana +@@ -5,7 +5,7 @@ + # the system-wide Grafana configuration that was bundled with the package as we + # use the binary. + +-DEFAULT=/etc/default/grafana ++DEFAULT=/etc/sysconfig/grafana-server + + GRAFANA_HOME="${GRAFANA_HOME:-/usr/share/grafana}" + +@@ -13,11 +13,12 @@ CONF_DIR=/etc/grafana + DATA_DIR=/var/lib/grafana + PLUGINS_DIR=/var/lib/grafana/plugins + LOG_DIR=/var/log/grafana +++LIBEXEC_DIR=/usr/libexec/grafana + + CONF_FILE=$CONF_DIR/grafana.ini + PROVISIONING_CFG_DIR=$CONF_DIR/provisioning + +-EXECUTABLE="$GRAFANA_HOME/bin/grafana" +++EXECUTABLE=$LIBEXEC_DIR/grafana + + if [ ! 
-x $EXECUTABLE ]; then + echo "$EXECUTABLE not installed or not executable" +@@ -46,4 +47,13 @@ if [ "$CMD" = cli ]; then + --pluginsDir=${PLUGINS_DIR}" + fi + +-eval $EXECUTABLE "$CMD" "$OPTS" "$@" ++if [ "$(id -u)" -eq 0 -o "$(id -g)" -eq 0 ]; then ++ cd "${GRAFANA_HOME}" ++ exec runuser -u "${GRAFANA_USER}" -- "$EXECUTABLE" "$CMD" "${OPTS[@]}" "$@" ++elif [ "$(id -u -n)" = "${GRAFANA_USER}" ]; then ++ cd "${GRAFANA_HOME}" ++ exec "$EXECUTABLE" "$CMD" "${OPTS[@]}" "$@" ++else ++ echo "$0: please run this script as user \"${GRAFANA_USER}\" or root." ++ exit 5 ++fi +\ No newline at end of file +diff --git a/packaging/wrappers/grafana-server b/packaging/wrappers/grafana-server +index 466b0d7c69..6be356f562 100755 +--- a/packaging/wrappers/grafana-server ++++ b/packaging/wrappers/grafana-server +@@ -7,7 +7,8 @@ + + GRAFANA_HOME="${GRAFANA_HOME:-/usr/share/grafana}" + +-EXECUTABLE="$GRAFANA_HOME/bin/grafana" ++LIBEXEC_DIR=/usr/libexec/grafana ++EXECUTABLE=$LIBEXEC_DIR/grafana + + if [ ! -x $EXECUTABLE ]; then + echo "$EXECUTABLE not installed or not executable" diff --git a/0010-remove-bcrypt-references.patch b/0010-remove-bcrypt-references.patch new file mode 100644 index 0000000..d617c85 --- /dev/null +++ b/0010-remove-bcrypt-references.patch 
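Review bot: As the `packaging/wrappers/grafana` section reads here, the two added lines are `++LIBEXEC_DIR=/usr/libexec/grafana` and `++EXECUTABLE=$LIBEXEC_DIR/grafana`, so the patched script would contain `+LIBEXEC_DIR=...` and `+EXECUTABLE=...`, which the shell treats as commands rather than assignments and `EXECUTABLE` stays unset; the `grafana-server` section has the same lines with a single `+`. They should be `+LIBEXEC_DIR=/usr/libexec/grafana` and `+EXECUTABLE=$LIBEXEC_DIR/grafana`. Separately, the new `exec` lines pass `"${OPTS[@]}"`, but the visible context still closes `OPTS` as a quoted string (`--pluginsDir=${PLUGINS_DIR}"`), which would reach the binary as a single argument now that `eval` is gone; build `OPTS` as an array as the grafana-cli wrapper patch does, or confirm that it already is one outside the hunk. `GRAFANA_USER` is not set anywhere in the visible part of the script and `cd "${GRAFANA_HOME}"` is unchecked, so a default for the user and `cd "${GRAFANA_HOME}" || exit 1` would make the privilege drop fail closed.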
@@ -0,0 +1,108 @@ +From eb711315d4c8a81ff52984293758a47372c21b8d Mon Sep 17 00:00:00 2001 +From: Sam Feifer +Date: Fri, 1 Mar 2024 15:07:22 -0500 +Subject: [PATCH] remove bcrypt references + + +diff --git a/pkg/services/extsvcauth/oauthserver/oasimpl/service.go b/pkg/services/extsvcauth/oauthserver/oasimpl/service.go +index 8c5a90248d..43f6d11e08 100644 +--- a/pkg/services/extsvcauth/oauthserver/oasimpl/service.go ++++ b/pkg/services/extsvcauth/oauthserver/oasimpl/service.go +@@ -19,7 +19,6 @@ import ( + "github.com/ory/fosite/compose" + "github.com/ory/fosite/storage" + "github.com/ory/fosite/token/jwt" +- "golang.org/x/crypto/bcrypt" + + "github.com/grafana/grafana/pkg/api/routing" + "github.com/grafana/grafana/pkg/bus" +@@ -235,88 +234,7 @@ func (s *OAuth2ServiceImpl) RemoveExternalService(ctx context.Context, name stri + // it ensures that the associated service account has the correct permissions. + // Database consistency is not guaranteed, consider changing this in the future. + func (s *OAuth2ServiceImpl) SaveExternalService(ctx context.Context, registration *extsvcauth.ExternalServiceRegistration) (*extsvcauth.ExternalService, error) { +- if registration == nil { +- s.logger.Warn("RegisterExternalService called without registration") +- return nil, nil +- } +- slug := registration.Name +- s.logger.Info("Registering external service", "external service", slug) +- +- // Check if the client already exists in store +- client, errFetchExtSvc := s.sqlstore.GetExternalServiceByName(ctx, slug) +- if errFetchExtSvc != nil && !errors.Is(errFetchExtSvc, oauthserver.ErrClientNotFound) { +- s.logger.Error("Error fetching service", "external service", slug, "error", errFetchExtSvc) +- return nil, errFetchExtSvc +- } +- // Otherwise, create a new client +- if client == nil { +- s.logger.Debug("External service does not yet exist", "external service", slug) +- client = &oauthserver.OAuthExternalService{ +- Name: slug, +- ServiceAccountID: oauthserver.NoServiceAccountID, 
+- Audiences: s.cfg.AppURL, +- } +- } +- +- // Parse registration form to compute required permissions for the client +- client.SelfPermissions, client.ImpersonatePermissions = s.handleRegistrationPermissions(registration) +- +- if registration.OAuthProviderCfg == nil { +- return nil, errors.New("missing oauth provider configuration") +- } +- +- if registration.OAuthProviderCfg.RedirectURI != nil { +- client.RedirectURI = *registration.OAuthProviderCfg.RedirectURI +- } +- +- var errGenCred error +- client.ClientID, client.Secret, errGenCred = s.genCredentials() +- if errGenCred != nil { +- s.logger.Error("Error generating credentials", "client", client.LogID(), "error", errGenCred) +- return nil, errGenCred +- } +- +- grantTypes := s.computeGrantTypes(registration.Self.Enabled, registration.Impersonation.Enabled) +- client.GrantTypes = strings.Join(grantTypes, ",") +- +- // Handle key options +- s.logger.Debug("Handle key options") +- keys, err := s.handleKeyOptions(ctx, registration.OAuthProviderCfg.Key) +- if err != nil { +- s.logger.Error("Error handling key options", "client", client.LogID(), "error", err) +- return nil, err +- } +- if keys != nil { +- client.PublicPem = []byte(keys.PublicPem) +- } +- dto := client.ToExternalService(keys) +- +- hashedSecret, err := bcrypt.GenerateFromPassword([]byte(client.Secret), bcrypt.DefaultCost) +- if err != nil { +- s.logger.Error("Error hashing secret", "client", client.LogID(), "error", err) +- return nil, err +- } +- client.Secret = string(hashedSecret) +- +- s.logger.Debug("Save service account") +- saID, errSaveServiceAccount := s.saService.ManageExtSvcAccount(ctx, &serviceaccounts.ManageExtSvcAccountCmd{ +- ExtSvcSlug: slugify.Slugify(client.Name), +- Enabled: registration.Self.Enabled, +- OrgID: oauthserver.TmpOrgID, +- Permissions: client.SelfPermissions, +- }) +- if errSaveServiceAccount != nil { +- return nil, errSaveServiceAccount +- } +- client.ServiceAccountID = saID +- +- err = 
s.sqlstore.SaveExternalService(ctx, client) +- if err != nil { +- s.logger.Error("Error saving external service", "client", client.LogID(), "error", err) +- return nil, err +- } +- s.logger.Debug("Registered", "client", client.LogID()) +- return dto, nil ++ panic("bcrypt cipher not available") + } + + // randString generates a a cryptographically secure random string of n bytes diff --git a/0010-skip-tests.patch b/0010-skip-tests.patch deleted file mode 100644 index 832ac3b..0000000 --- a/0010-skip-tests.patch +++ /dev/null 
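Review bot: `SaveExternalService` now consists only of `panic("bcrypt cipher not available")`, so any caller that registers an external service takes the whole process down even though the signature already returns an `error`. Returning the failure keeps the server up and lets callers log it: `return nil, errors.New("external service registration unavailable: bcrypt removed from this build")` (the removed body used `errors.New`, so the import is presumably still present). bcrypt is a password hash rather than a cipher, so the message should say so, and the doc comment kept above the function still describes saving the service and should mention that the method is disabled in this build. With the body gone, imports used only by it (`strings`, `slugify` and `serviceaccounts` appear in the removed lines) may become unused and break the build unless other functions in the file still reference them.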
@@ -1,71 +0,0 @@ -From 3236aa416f6d1b109bff1fdd4127292988fb199c Mon Sep 17 00:00:00 2001 -From: Stan Cox -Date: Wed, 22 Jun 2022 17:05:48 +0200 -Subject: [PATCH] skip tests - -These tests are problematic on s390 but lint complains about patches -in an %ifarch block so apply to all architectures. - -diff --git a/pkg/services/ngalert/notifier/alertmanager_test.go b/pkg/services/ngalert/notifier/alertmanager_test.go ---- a/pkg/services/ngalert/notifier/alertmanager_test.go 2023-06-04 22:38:26.566930436 -0400 -+++ b/pkg/services/ngalert/notifier/alertmanager_test.go 2023-06-06 13:25:43.785556819 -0400 -@@ -54,6 +54,7 @@ - } - - func TestPutAlert(t *testing.T) { -+ t.Skip("Skip testing TestPutAlert") - am := setupAMTest(t) - - startTime := time.Now() -@@ -350,6 +351,7 @@ - // implement a custom maintenance function for silences, because we snapshot - // our data differently, so we test that functionality. - func TestSilenceCleanup(t *testing.T) { -+ t.Skip("Skip testing TestSilenceCleanup") - require := require.New(t) - - oldRetention := retentionNotificationsAndSilences -diff --git a/pkg/services/ngalert/state/manager_test.go b/pkg/services/ngalert/state/manager_test.go ---- a/pkg/services/ngalert/state/manager_test.go 2023-06-04 22:38:26.570930475 -0400 -+++ b/pkg/services/ngalert/state/manager_test.go 2023-06-06 13:26:47.588172342 -0400 -@@ -78,6 +78,7 @@ - } - - func TestProcessEvalResults(t *testing.T) { -+ t.Skip("Skip testing TestProcessEvalResults") - evaluationTime, err := time.Parse("2006-01-02", "2021-03-25") - if err != nil { - t.Fatalf("error parsing date format: %s", err.Error()) -diff --git a/pkg/services/ngalert/schedule/schedule_test.go b/pkg/services/ngalert/schedule/schedule_test.go ---- a/pkg/services/ngalert/schedule/schedule_test.go 2023-06-04 22:38:26.569930465 -0400 -+++ b/pkg/services/ngalert/schedule/schedule_test.go 2023-06-06 13:27:14.475431726 -0400 -@@ -130,6 +130,7 @@ - } - - func TestAlertingTicker(t *testing.T) { -+ t.Skip("Skip testing 
TestAlertingTicker") - ctx := context.Background() - _, dbstore := tests.SetupTestEnv(t, 1) - -diff --git a/pkg/infra/filestorage/fs_integration_test.go b/pkg/infra/filestorage/fs_integration_test.go ---- a/pkg/infra/filestorage/fs_integration_test.go 2023-06-04 22:38:26.539930172 -0400 -+++ b/pkg/infra/filestorage/fs_integration_test.go 2023-06-06 13:27:48.535760305 -0400 -@@ -169,6 +169,7 @@ - } - - func TestIntegrationFsStorage(t *testing.T) { -+ t.Skip("Skip testing TestIntegrationFsStorage") - if testing.Short() { - t.Skip("skipping integration test") - } -diff --git a/pkg/tests/api/alerting/api_prometheus_test.go b/pkg/tests/api/alerting/api_prometheus_test.go ---- a/pkg/tests/api/alerting/api_prometheus_test.go 2023-06-04 22:38:26.588930651 -0400 -+++ b/pkg/tests/api/alerting/api_prometheus_test.go 2023-06-06 13:28:13.260998838 -0400 -@@ -25,6 +25,7 @@ - ) - - func TestPrometheusRules(t *testing.T) { -+ t.Skip("Skip testing TestPrometheusRules") - dir, path := testinfra.CreateGrafDir(t, testinfra.GrafanaOpts{ - DisableLegacyAlerting: true, - EnableUnifiedAlerting: true, diff --git a/0011-remove-email-lookup.patch b/0011-remove-email-lookup.patch deleted file mode 100644 index 8bbd1c6..0000000 --- a/0011-remove-email-lookup.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From bae86dbeb0ad68a205454e98e76985dc393183d4 Mon Sep 17 00:00:00 2001 -From: Ieva -Date: Tue, 6 Jun 2023 17:45:31 +0100 -Subject: [PATCH] Auth: Remove Email Lookup from oauth integrations 9.2 (#898) - -backport https://github.com/grafana/grafana-private-mirror/pull/894 to 9.3.x ---- - pkg/api/login_oauth.go | 17 +++++++++-------- - pkg/setting/setting.go | 5 ++++- - 2 files changed, 13 insertions(+), 9 deletions(-) - -diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go -index 22014aee433c2..af00c56a68ccd 100644 ---- a/pkg/api/login_oauth.go -+++ b/pkg/api/login_oauth.go -@@ -302,16 +302,17 @@ func (hs *HTTPServer) SyncUser( - connect social.SocialConnector, - ) (*user.User, error) { - oauthLogger.Debug("Syncing Grafana user with corresponding OAuth profile") -+ lookupParams := models.UserLookupParams{} -+ if hs.Cfg.OAuthAllowInsecureEmailLookup { -+ lookupParams.Email = &extUser.Email -+ } -+ - // add/update user in Grafana - cmd := &models.UpsertUserCommand{ -- ReqContext: ctx, -- ExternalUser: extUser, -- SignupAllowed: connect.IsSignupAllowed(), -- UserLookupParams: models.UserLookupParams{ -- Email: &extUser.Email, -- UserID: nil, -- Login: nil, -- }, -+ ReqContext: ctx, -+ ExternalUser: extUser, -+ SignupAllowed: connect.IsSignupAllowed(), -+ UserLookupParams: lookupParams, - } - - if err := hs.Login.UpsertUser(ctx.Req.Context(), cmd); err != nil { -diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go -index 20e8f78a2f55c..03aa5c17d8682 100644 ---- a/pkg/setting/setting.go -+++ b/pkg/setting/setting.go -@@ -318,7 +318,8 @@ type Cfg struct { - AuthProxySyncTTL int - - // OAuth -- OAuthCookieMaxAge int -+ OAuthCookieMaxAge int -+ OAuthAllowInsecureEmailLookup bool - - // JWT Auth - JWTAuthEnabled bool -@@ -1305,6 +1306,8 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) { - return err - } - -+ cfg.OAuthAllowInsecureEmailLookup = auth.Key("oauth_allow_insecure_email_lookup").MustBool(false) -+ - const 
defaultMaxLifetime = "30d" - maxLifetimeDurationVal := valueAsString(auth, "login_maximum_lifetime_duration", defaultMaxLifetime) - cfg.LoginMaxLifetime, err = gtime.ParseDuration(maxLifetimeDurationVal) diff --git a/0012-coredump-selinux-error.patch b/0012-coredump-selinux-error.patch deleted file mode 100644 index 5bdcc5b..0000000 --- a/0012-coredump-selinux-error.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/pkg/framework/coremodel/helpers.go b/pkg/framework/coremodel/helpers.go -index 20d111edba..6655f81cee 100644 ---- a/pkg/framework/coremodel/helpers.go -+++ b/pkg/framework/coremodel/helpers.go -@@ -26,7 +26,7 @@ func init() { - var err error - defaultFramework, err = doLoadFrameworkCUE(cuectx.ProvideCUEContext()) - if err != nil { -- panic(err) -+// panic(err) - } - } - diff --git a/1001-vendor-patch-removed-backend-crypto.patch b/1001-vendor-patch-removed-backend-crypto.patch index 6b506e7..82707ca 100644 --- a/1001-vendor-patch-removed-backend-crypto.patch +++ b/1001-vendor-patch-removed-backend-crypto.patch 
@@ -35,187 +35,18 @@ index 0000000000..871e612a61 +func Decrypt(priv *PrivateKey, c1, c2 *big.Int) (msg []byte, err error) { + panic("ElGamal encryption not available") +} -diff --git a/vendor/golang.org/x/crypto/openpgp/packet/packet.go b/vendor/golang.org/x/crypto/openpgp/packet/packet.go -index 0a19794a8e..25a5ee9158 100644 ---- a/vendor/golang.org/x/crypto/openpgp/packet/packet.go -+++ b/vendor/golang.org/x/crypto/openpgp/packet/packet.go -@@ -22,7 +22,6 @@ import ( - "math/big" - "math/bits" - -- "golang.org/x/crypto/cast5" - "golang.org/x/crypto/openpgp/errors" - ) - -@@ -493,7 +492,7 @@ func (cipher CipherFunction) KeySize() int { - case Cipher3DES: - return 24 - case CipherCAST5: -- return cast5.KeySize -+ panic("cast5 cipher not available") - case CipherAES128: - return 16 - case CipherAES192: -@@ -523,7 +522,7 @@ func (cipher CipherFunction) new(key []byte) (block cipher.Block) { - case Cipher3DES: - block, _ = des.NewTripleDESCipher(key) - case CipherCAST5: -- block, _ = cast5.NewCipher(key) -+ panic("cast5 cipher not available") - case CipherAES128, CipherAES192, CipherAES256: - block, _ = aes.NewCipher(key) - } -diff --git a/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go b/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go -index 6126030eb9..3a54c5f2b1 100644 ---- a/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go -+++ b/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go -@@ -5,13 +5,12 @@ - package packet - - import ( -- "crypto/cipher" - "crypto/sha1" - "crypto/subtle" -- "golang.org/x/crypto/openpgp/errors" - "hash" - "io" -- "strconv" -+ -+ "golang.org/x/crypto/openpgp/errors" - ) - - // SymmetricallyEncrypted represents a symmetrically encrypted byte string. The -@@ -45,46 +44,7 @@ func (se *SymmetricallyEncrypted) parse(r io.Reader) error { - // packet can be read. 
An incorrect key can, with high probability, be detected - // immediately and this will result in a KeyIncorrect error being returned. - func (se *SymmetricallyEncrypted) Decrypt(c CipherFunction, key []byte) (io.ReadCloser, error) { -- keySize := c.KeySize() -- if keySize == 0 { -- return nil, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(c))) -- } -- if len(key) != keySize { -- return nil, errors.InvalidArgumentError("SymmetricallyEncrypted: incorrect key length") -- } -- -- if se.prefix == nil { -- se.prefix = make([]byte, c.blockSize()+2) -- _, err := readFull(se.contents, se.prefix) -- if err != nil { -- return nil, err -- } -- } else if len(se.prefix) != c.blockSize()+2 { -- return nil, errors.InvalidArgumentError("can't try ciphers with different block lengths") -- } -- -- ocfbResync := OCFBResync -- if se.MDC { -- // MDC packets use a different form of OCFB mode. -- ocfbResync = OCFBNoResync -- } -- -- s := NewOCFBDecrypter(c.new(key), se.prefix, ocfbResync) -- if s == nil { -- return nil, errors.ErrKeyIncorrect -- } -- -- plaintext := cipher.StreamReader{S: s, R: se.contents} -- -- if se.MDC { -- // MDC packets have an embedded hash that we need to check. -- h := sha1.New() -- h.Write(se.prefix) -- return &seMDCReader{in: plaintext, h: h}, nil -- } -- -- // Otherwise, we just need to wrap plaintext so that it's a valid ReadCloser. -- return seReader{plaintext}, nil -+ panic("OCFB cipher not available") - } - - // seReader wraps an io.Reader with a no-op Close method. -@@ -254,37 +214,5 @@ func (c noOpCloser) Close() error { - // written. - // If config is nil, sensible defaults will be used. 
- func SerializeSymmetricallyEncrypted(w io.Writer, c CipherFunction, key []byte, config *Config) (contents io.WriteCloser, err error) { -- if c.KeySize() != len(key) { -- return nil, errors.InvalidArgumentError("SymmetricallyEncrypted.Serialize: bad key length") -- } -- writeCloser := noOpCloser{w} -- ciphertext, err := serializeStreamHeader(writeCloser, packetTypeSymmetricallyEncryptedMDC) -- if err != nil { -- return -- } -- -- _, err = ciphertext.Write([]byte{symmetricallyEncryptedVersion}) -- if err != nil { -- return -- } -- -- block := c.new(key) -- blockSize := block.BlockSize() -- iv := make([]byte, blockSize) -- _, err = config.Random().Read(iv) -- if err != nil { -- return -- } -- s, prefix := NewOCFBEncrypter(block, iv, OCFBNoResync) -- _, err = ciphertext.Write(prefix) -- if err != nil { -- return -- } -- plaintext := cipher.StreamWriter{S: s, W: ciphertext} -- -- h := sha1.New() -- h.Write(iv) -- h.Write(iv[blockSize-2:]) -- contents = &seMDCWriter{w: plaintext, h: h} -- return -+ panic("OCFB cipher not available") - } -diff --git a/vendor/golang.org/x/crypto/pkcs12/crypto.go b/vendor/golang.org/x/crypto/pkcs12/crypto.go -index 484ca51b71..5f502b8df1 100644 ---- a/vendor/golang.org/x/crypto/pkcs12/crypto.go -+++ b/vendor/golang.org/x/crypto/pkcs12/crypto.go -@@ -11,8 +11,6 @@ import ( - "crypto/x509/pkix" - "encoding/asn1" - "errors" -- -- "golang.org/x/crypto/pkcs12/internal/rc2" - ) - - var ( -@@ -46,10 +44,6 @@ func (shaWithTripleDESCBC) deriveIV(salt, password []byte, iterations int) []byt - - type shaWith40BitRC2CBC struct{} - --func (shaWith40BitRC2CBC) create(key []byte) (cipher.Block, error) { -- return rc2.New(key, len(key)*8) --} -- - func (shaWith40BitRC2CBC) deriveKey(salt, password []byte, iterations int) []byte { - return pbkdf(sha1Sum, 20, 64, salt, password, iterations, 1, 5) - } -@@ -70,7 +64,7 @@ func pbDecrypterFor(algorithm pkix.AlgorithmIdentifier, password []byte) (cipher - case 
algorithm.Algorithm.Equal(oidPBEWithSHAAnd3KeyTripleDESCBC): - cipherType = shaWithTripleDESCBC{} - case algorithm.Algorithm.Equal(oidPBEWithSHAAnd40BitRC2CBC): -- cipherType = shaWith40BitRC2CBC{} -+ panic("RC2 encryption not available") - default: - return nil, 0, NotImplementedError("algorithm " + algorithm.Algorithm.String() + " is not supported") - } diff --git a/vendor/github.com/prometheus/exporter-toolkit/web/handler.go b/vendor/github.com/prometheus/exporter-toolkit/web/handler.go -index ae3ebc03b9..11dbc3c56e 100644 +index c607a16..11dbc3c 100644 --- a/vendor/github.com/prometheus/exporter-toolkit/web/handler.go +++ b/vendor/github.com/prometheus/exporter-toolkit/web/handler.go -@@ -16,13 +16,11 @@ +@@ -16,14 +16,11 @@ package web import ( - "encoding/hex" "fmt" "net/http" +- "strings" "sync" "github.com/go-kit/log" @@ -223,7 +54,7 @@ index ae3ebc03b9..11dbc3c56e 100644 ) // extraHTTPHeaders is a map of HTTP headers that can be added to HTTP -@@ -36,22 +34,6 @@ var extraHTTPHeaders = map[string][]string{ +@@ -37,22 +34,6 @@ var extraHTTPHeaders = map[string][]string{ "Content-Security-Policy": nil, } @@ -246,7 +77,7 @@ index ae3ebc03b9..11dbc3c56e 100644 // validateHeaderConfig checks that the provided header configuration is correct. // It does not check the validity of all the values, only the ones which are // well-defined enumerations. -@@ -83,55 +65,3 @@ type webHandler struct { +@@ -84,60 +65,3 @@ type webHandler struct { // only once in parallel as this is CPU intensive. bcryptMtx sync.Mutex } 
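Review bot: The first hunk of this file drops the `openpgp/packet/packet.go`, `openpgp/packet/symmetrically_encrypted.go` and `pkcs12/crypto.go` sections from the vendor patch, and neither the commit message nor the patch says why. If those packages are no longer vendored in 10.2.6 the removal is correct, but if they still are, the stubs that replaced CAST5, OCFB and 40-bit RC2 with a panic are gone and the code would reference the removed crypto sources again. A line in the patch header or spec changelog stating that the packages left the vendor tree, ideally backed by a build-time check that those paths are absent, would make this auditable at the next rebase.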
@@ -280,7 +111,12 @@ index ae3ebc03b9..11dbc3c56e 100644 - hashedPassword = "$2y$10$QOauhQNbBCuQDKes6eFzPeMqBSjb7Mr5DUmpZ/VcEd00UAV/LDeSi" - } - -- cacheKey := hex.EncodeToString(append(append([]byte(user), []byte(hashedPassword)...), []byte(pass)...)) +- cacheKey := strings.Join( +- []string{ +- hex.EncodeToString([]byte(user)), +- hex.EncodeToString([]byte(hashedPassword)), +- hex.EncodeToString([]byte(pass)), +- }, ":") - authOk, ok := u.cache.get(cacheKey) - - if !ok { @@ -289,7 +125,7 @@ index ae3ebc03b9..11dbc3c56e 100644 - err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(pass)) - u.bcryptMtx.Unlock() - -- authOk = err == nil +- authOk = validUser && err == nil - u.cache.set(cacheKey, authOk) - } - @@ -303,41 +139,81 @@ index ae3ebc03b9..11dbc3c56e 100644 - http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) -} 
diff --git a/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go b/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go ---- grafana-9.2.2/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go 2023-03-13 20:00:00.000000000 -0400 -+++ /tmp/rpkg/grafana-1-v6p2z4of/grafana-9.2.2/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go 2023-03-16 13:43:13.300238021 -0400 -@@ -18,12 +18,8 @@ +index 61383bc..7f71298 100644 +--- a/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go ++++ b/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go +@@ -18,16 +18,10 @@ import ( "crypto/x509" + "errors" "fmt" - "io/ioutil" - "net" - "net/http" + "os" "path/filepath" +- "github.com/coreos/go-systemd/v22/activation" - "github.com/go-kit/log" - "github.com/go-kit/log/level" - "github.com/pkg/errors" config_util "github.com/prometheus/common/config" +- "golang.org/x/sync/errgroup" "gopkg.in/yaml.v2" -@@ -177,98 +173,6 @@ - return cfg, nil - } + ) --// ListenAndServe starts the server on the given address. Based on the file --// tlsConfigPath, TLS or basic auth could be enabled. --func ListenAndServe(server *http.Server, tlsConfigPath string, logger log.Logger) error { -- listener, err := net.Listen("tcp", server.Addr) -- if err != nil { -- return err +@@ -263,132 +257,16 @@ func ConfigToTLSConfig(c *TLSConfig) (*tls.Config, error) { + + // ServeMultiple starts the server on the given listeners. The FlagConfig is + // also passed on to Serve. 
+-func ServeMultiple(listeners []net.Listener, server *http.Server, flags *FlagConfig, logger log.Logger) error { +- errs := new(errgroup.Group) +- for _, l := range listeners { +- l := l +- errs.Go(func() error { +- return Serve(l, server, flags, logger) +- }) - } -- defer listener.Close() -- return Serve(listener, server, tlsConfigPath, logger) +- return errs.Wait() -} + + // ListenAndServe starts the server on addresses given in WebListenAddresses in + // the FlagConfig or instead uses systemd socket activated listeners if + // WebSystemdSocket in the FlagConfig is true. The FlagConfig is also passed on + // to ServeMultiple. +-func ListenAndServe(server *http.Server, flags *FlagConfig, logger log.Logger) error { +- if flags.WebSystemdSocket == nil && (flags.WebListenAddresses == nil || len(*flags.WebListenAddresses) == 0) { +- return ErrNoListeners +- } - --// Server starts the server on the given listener. Based on the file --// tlsConfigPath, TLS or basic auth could be enabled. --func Serve(l net.Listener, server *http.Server, tlsConfigPath string, logger log.Logger) error { +- if flags.WebSystemdSocket != nil && *flags.WebSystemdSocket { +- level.Info(logger).Log("msg", "Listening on systemd activated listeners instead of port listeners.") +- listeners, err := activation.Listeners() +- if err != nil { +- return err +- } +- if len(listeners) < 1 { +- return errors.New("no socket activation file descriptors found") +- } +- return ServeMultiple(listeners, server, flags, logger) +- } +- +- listeners := make([]net.Listener, 0, len(*flags.WebListenAddresses)) +- for _, address := range *flags.WebListenAddresses { +- listener, err := net.Listen("tcp", address) +- if err != nil { +- return err +- } +- defer listener.Close() +- listeners = append(listeners, listener) +- } +- return ServeMultiple(listeners, server, flags, logger) +-} + + // Server starts the server on the given listener. 
Based on the file path + // WebConfigFile in the FlagConfig, TLS or basic auth could be enabled. +-func Serve(l net.Listener, server *http.Server, flags *FlagConfig, logger log.Logger) error { +- level.Info(logger).Log("msg", "Listening on", "address", l.Addr().String()) +- tlsConfigPath := *flags.WebConfigFile - if tlsConfigPath == "" { -- level.Info(logger).Log("msg", "TLS is disabled.", "http2", false) +- level.Info(logger).Log("msg", "TLS is disabled.", "http2", false, "address", l.Addr().String()) - return server.Serve(l) - } - @@ -370,10 +246,10 @@ diff --git a/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go b/v - server.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler)) - } - // Valid TLS config. -- level.Info(logger).Log("msg", "TLS is enabled.", "http2", c.HTTPConfig.HTTP2) +- level.Info(logger).Log("msg", "TLS is enabled.", "http2", c.HTTPConfig.HTTP2, "address", l.Addr().String()) - case errNoTLSConfig: - // No TLS config, back to plain HTTP. -- level.Info(logger).Log("msg", "TLS is disabled.", "http2", false) +- level.Info(logger).Log("msg", "TLS is disabled.", "http2", false, "address", l.Addr().String()) - return server.Serve(l) - default: - // Invalid TLS config. @@ -394,8 +270,8 @@ diff --git a/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go b/v - } - return server.ServeTLS(l, "", "") -} -- --// Validate configuration file by reading the configuration and the certificates. + + // Validate configuration file by reading the configuration and the certificates. -func Validate(tlsConfigPath string) error { - if tlsConfigPath == "" { - return nil @@ -413,11 +289,10 @@ 
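Review bot: The regenerated tls_config.go patch in the hunk `@@ -303,41 +139,81 @@` deletes `ServeMultiple`, `ListenAndServe` and `Serve` but keeps their doc comments as context lines, so the patched vendor file is left with comments describing functions that no longer exist, including the sentence that TLS or basic auth could be enabled. The previous revision of the patch removed the comment together with the function (`--// ListenAndServe starts the server on the given address.`). The same applies to the `// Validate configuration file ...` comment in the later hunk `@@ -394,8 +270,8 @@`, which now sits above `type Cipher uint16` and, depending on a blank line that this collapsed rendering does not show reliably, may be read as that type's doc comment. I would turn those comment lines into removals in the inner patch, e.g. `-// ServeMultiple starts the server on the given listeners. The FlagConfig is` and `-// also passed on to Serve.`, so that someone auditing the stripped package does not assume a TLS or basic-auth serving path is still present.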
diff --git a/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go b/v - } - return err -} -- - type cipher uint16 - func (c *cipher) UnmarshalYAML(unmarshal func(interface{}) error) error { -@@ -351,11 +255,3 @@ + type Cipher uint16 + +@@ -472,11 +350,3 @@ func (tv *TLSVersion) MarshalYAML() (interface{}, error) { } return fmt.Sprintf("%v", tv), nil } @@ -426,725 +301,1834 @@ 
diff --git a/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go b/v -// tlsConfigPath, TLS or basic auth could be enabled. -// -// Deprecated: Use ListenAndServe instead. --func Listen(server *http.Server, tlsConfigPath string, logger log.Logger) error { -- return ListenAndServe(server, tlsConfigPath, logger) +-func Listen(server *http.Server, flags *FlagConfig, logger log.Logger) error { +- return ListenAndServe(server, flags, logger) -} -diff a/vendor/github.com/go-git/go-git/v5/options.go b/vendor/github.com/go-git/go-git/v5/options.go ---- a/vendor/github.com/go-git/go-git/v5/options.go 2022-10-30 20:00:00.000000000 -0400 -+++ b/vendor/github.com/go-git/go-git/v5/options.go 2022-12-20 10:24:35.162653691 -0500 -@@ -7,7 +7,7 @@ - "strings" - "time" - -- "github.com/ProtonMail/go-crypto/openpgp" -+ // "github.com/ProtonMail/go-crypto/openpgp" - "github.com/go-git/go-git/v5/config" - "github.com/go-git/go-git/v5/plumbing" - "github.com/go-git/go-git/v5/plumbing/object" -@@ -434,7 +434,7 @@ - // SignKey denotes a key to sign the commit with. A nil value here means the - // commit will not be signed. The private key must be present and already - // decrypted. -- SignKey *openpgp.Entity -+ // SignKey *openpgp.Entity - } - - // Validate validates the fields and sets the default values. -@@ -517,7 +517,7 @@ - Message string - // SignKey denotes a key to sign the tag with. A nil value here means the tag - // will not be signed. The private key must be present and already decrypted. -- SignKey *openpgp.Entity -+ // SignKey *openpgp.Entity - } - - // Validate validates the fields and sets the default values. 
-diff a/vendor/github.com/go-git/go-git/v5/plumbing/object/commit.go b/vendor/github.com/go-git/go-git/v5/plumbing/object/commit.go ---- a/vendor/github.com/go-git/go-git/v5/plumbing/object/commit.go 2022-10-30 20:00:00.000000000 -0400 -+++ b/vendor/github.com/go-git/go-git/v5/plumbing/object/commit.go 2022-12-20 10:33:26.630073026 -0500 -@@ -9,7 +9,7 @@ - "io" - "strings" - -- "github.com/ProtonMail/go-crypto/openpgp" -+ // "github.com/ProtonMail/go-crypto/openpgp" - - "github.com/go-git/go-git/v5/plumbing" - "github.com/go-git/go-git/v5/plumbing/storer" -@@ -354,7 +354,8 @@ - - // Verify performs PGP verification of the commit with a provided armored - // keyring and returns openpgp.Entity associated with verifying key on success. --func (c *Commit) Verify(armoredKeyRing string) (*openpgp.Entity, error) { -+func (c *Commit) Verify(armoredKeyRing string) (*int, error) { -+ /* - keyRingReader := strings.NewReader(armoredKeyRing) - keyring, err := openpgp.ReadArmoredKeyRing(keyRingReader) - if err != nil { -@@ -375,6 +376,8 @@ - } - - return openpgp.CheckArmoredDetachedSignature(keyring, er, signature, nil) -+ */ -+ return nil, nil - } - - func indent(t string) string { -diff a/vendor/github.com/go-git/go-git/v5/plumbing/object/tag.go b/vendor/github.com/go-git/go-git/v5/plumbing/object/tag.go ---- a/vendor/github.com/go-git/go-git/v5/plumbing/object/tag.go 2022-10-30 20:00:00.000000000 -0400 -+++ b/vendor/github.com/go-git/go-git/v5/plumbing/object/tag.go 2022-12-20 10:37:05.542949113 -0500 -@@ -6,9 +6,9 @@ - "fmt" - "io" - stdioutil "io/ioutil" -- "strings" -+ // "strings" - -- "github.com/ProtonMail/go-crypto/openpgp" -+ // "github.com/ProtonMail/go-crypto/openpgp" - - "github.com/go-git/go-git/v5/plumbing" - "github.com/go-git/go-git/v5/plumbing/storer" -@@ -284,7 +284,8 @@ - - // Verify performs PGP verification of the tag with a provided armored - // keyring and returns openpgp.Entity associated with verifying key on success. 
--func (t *Tag) Verify(armoredKeyRing string) (*openpgp.Entity, error) { -+func (t *Tag) Verify(armoredKeyRing string) (*int, error) { -+ /* - keyRingReader := strings.NewReader(armoredKeyRing) - keyring, err := openpgp.ReadArmoredKeyRing(keyRingReader) - if err != nil { -@@ -305,6 +306,8 @@ - } - - return openpgp.CheckArmoredDetachedSignature(keyring, er, signature, nil) -+ */ -+ return nil, nil - } - - // TagIter provides an iterator for a set of tags. -diff a/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/auth_method.go b/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/auth_method.go ---- a/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/auth_method.go 2022-10-30 20:00:00.000000000 -0400 -+++ b/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/auth_method.go 2022-12-20 13:42:13.659296361 -0500 -@@ -1,6 +1,7 @@ - package ssh - - import ( -+ /* - "errors" - "fmt" - "io/ioutil" -@@ -14,6 +15,7 @@ - sshagent "github.com/xanzy/ssh-agent" - "golang.org/x/crypto/ssh" - "golang.org/x/crypto/ssh/knownhosts" -+ */ +diff --git a/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/algorithm/cipher.go b/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/algorithm/cipher.go +index 5760cff..0c87736 100644 +--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/algorithm/cipher.go ++++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/algorithm/cipher.go +@@ -8,8 +8,6 @@ import ( + "crypto/aes" + "crypto/cipher" + "crypto/des" +- +- "golang.org/x/crypto/cast5" ) - const DefaultUsername = "git" -@@ -22,10 +24,12 @@ - // must implement. The clientConfig method returns the ssh client - // configuration needed to establish an ssh connection. - type AuthMethod interface { -+ /* - transport.AuthMethod - // ClientConfig should return a valid ssh.ClientConfig to be used to create - // a connection to the SSH server. 
- ClientConfig() (*ssh.ClientConfig, error) -+ */ - } + // Cipher is an official symmetric key cipher algorithm. See RFC 4880, +@@ -38,7 +36,6 @@ const ( + // http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-13 + var CipherById = map[uint8]Cipher{ + TripleDES.Id(): TripleDES, +- CAST5.Id(): CAST5, + AES128.Id(): AES128, + AES192.Id(): AES192, + AES256.Id(): AES256, +@@ -53,7 +50,6 @@ func (sk CipherFunction) Id() uint8 { - // The names of the AuthMethod implementations. To be returned by the -@@ -42,78 +46,101 @@ - // KeyboardInteractive implements AuthMethod by using a - // prompt/response sequence controlled by the server. - type KeyboardInteractive struct { -+ /* - User string - Challenge ssh.KeyboardInteractiveChallenge - HostKeyCallbackHelper -+ */ - } - - func (a *KeyboardInteractive) Name() string { -- return KeyboardInteractiveName -+ // return KeyboardInteractiveName -+ return "" - } - - func (a *KeyboardInteractive) String() string { -- return fmt.Sprintf("user: %s, name: %s", a.User, a.Name()) -+ // return fmt.Sprintf("user: %s, name: %s", a.User, a.Name()) -+ return "" - } - --func (a *KeyboardInteractive) ClientConfig() (*ssh.ClientConfig, error) { -+func (a *KeyboardInteractive) ClientConfig() (*int, error) { -+ /* - return a.SetHostKeyCallback(&ssh.ClientConfig{ - User: a.User, - Auth: []ssh.AuthMethod{ - a.Challenge, - }, - }) -+ */ -+ return nil, nil - } - - // Password implements AuthMethod by using the given password. 
- type Password struct { -+ /* - User string - Password string - HostKeyCallbackHelper -+ */ - } - - func (a *Password) Name() string { -- return PasswordName -+ // return PasswordName -+ return "" - } - - func (a *Password) String() string { -- return fmt.Sprintf("user: %s, name: %s", a.User, a.Name()) -+ // return fmt.Sprintf("user: %s, name: %s", a.User, a.Name()) -+ return "" - } - --func (a *Password) ClientConfig() (*ssh.ClientConfig, error) { -+func (a *Password) ClientConfig() (*int, error) { -+ /* - return a.SetHostKeyCallback(&ssh.ClientConfig{ - User: a.User, - Auth: []ssh.AuthMethod{ssh.Password(a.Password)}, - }) -+ */ -+ return nil, nil - } - - // PasswordCallback implements AuthMethod by using a callback - // to fetch the password. - type PasswordCallback struct { -+ /* - User string - Callback func() (pass string, err error) - HostKeyCallbackHelper -+ */ - } - - func (a *PasswordCallback) Name() string { -- return PasswordCallbackName -+ // return PasswordCallbackName -+ return "" - } - - func (a *PasswordCallback) String() string { -- return fmt.Sprintf("user: %s, name: %s", a.User, a.Name()) -+ // return fmt.Sprintf("user: %s, name: %s", a.User, a.Name()) -+ return "" - } - --func (a *PasswordCallback) ClientConfig() (*ssh.ClientConfig, error) { -+func (a *PasswordCallback) ClientConfig() (*int, error) { -+ /* - return a.SetHostKeyCallback(&ssh.ClientConfig{ - User: a.User, - Auth: []ssh.AuthMethod{ssh.PasswordCallback(a.Callback)}, - }) -+ */ -+ return nil, nil - } - - // PublicKeys implements AuthMethod by using the given key pairs. - type PublicKeys struct { -+ /* - User string - Signer ssh.Signer - HostKeyCallbackHelper -+ */ - } - - // NewPublicKeys returns a PublicKeys from a PEM encoded private key. An -@@ -121,6 +148,7 @@ - // encrypted PEM block otherwise password should be empty. It supports RSA - // (PKCS#1), PKCS#8, DSA (OpenSSL), and ECDSA private keys. 
- func NewPublicKeys(user string, pemBytes []byte, password string) (*PublicKeys, error) { -+ /* - signer, err := ssh.ParsePrivateKey(pemBytes) - if _, ok := err.(*ssh.PassphraseMissingError); ok { - signer, err = ssh.ParsePrivateKeyWithPassphrase(pemBytes, []byte(password)) -@@ -129,36 +157,47 @@ - return nil, err + var keySizeByID = map[uint8]int{ + TripleDES.Id(): 24, +- CAST5.Id(): cast5.KeySize, + AES128.Id(): 16, + AES192.Id(): 24, + AES256.Id(): 32, +@@ -65,7 +61,7 @@ func (cipher CipherFunction) KeySize() int { + case TripleDES: + return 24 + case CAST5: +- return cast5.KeySize ++ panic("cast5 cipher not available") + case AES128: + return 16 + case AES192: +@@ -82,7 +78,7 @@ func (cipher CipherFunction) BlockSize() int { + case TripleDES: + return des.BlockSize + case CAST5: +- return 8 ++ panic("cast5 cipher not available") + case AES128, AES192, AES256: + return 16 } - return &PublicKeys{User: user, Signer: signer}, nil -+ */ -+ return nil, nil - } - - // NewPublicKeysFromFile returns a PublicKeys from a file containing a PEM - // encoded private key. An encryption password should be given if the pemBytes - // contains a password encrypted PEM block otherwise password should be empty. 
- func NewPublicKeysFromFile(user, pemFile, password string) (*PublicKeys, error) { -+ /* - bytes, err := ioutil.ReadFile(pemFile) - if err != nil { - return nil, err +@@ -96,7 +92,7 @@ func (cipher CipherFunction) New(key []byte) (block cipher.Block) { + case TripleDES: + block, err = des.NewTripleDESCipher(key) + case CAST5: +- block, err = cast5.NewCipher(key) ++ panic("cast5 cipher not available") + case AES128, AES192, AES256: + block, err = aes.NewCipher(key) } +diff --git a/vendor/github.com/ProtonMail/go-crypto/openpgp/s2k/s2k.go b/vendor/github.com/ProtonMail/go-crypto/openpgp/s2k/s2k.go +index a436959..420df86 100644 +--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/s2k/s2k.go ++++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/s2k/s2k.go +@@ -15,7 +15,6 @@ import ( - return NewPublicKeys(user, bytes, password) -+ */ -+ return nil, nil - } - - func (a *PublicKeys) Name() string { -- return PublicKeysName -+ // return PublicKeysName -+ return "" - } - - func (a *PublicKeys) String() string { -- return fmt.Sprintf("user: %s, name: %s", a.User, a.Name()) -+ // return fmt.Sprintf("user: %s, name: %s", a.User, a.Name()) -+ return "" - } - --func (a *PublicKeys) ClientConfig() (*ssh.ClientConfig, error) { -+func (a *PublicKeys) ClientConfig() (*int, error) { -+ /* - return a.SetHostKeyCallback(&ssh.ClientConfig{ - User: a.User, - Auth: []ssh.AuthMethod{ssh.PublicKeys(a.Signer)}, - }) -+ */ -+ return nil, nil - } - - func username() (string, error) { -+ /* - var username string - if user, err := user.Current(); err == nil { - username = user.Username -@@ -171,20 +210,25 @@ - } - - return username, nil -+ */ -+ return "", nil - } - - // PublicKeysCallback implements AuthMethod by asking a - // ssh.agent.Agent to act as a signer. 
- type PublicKeysCallback struct { -+ /* - User string - Callback func() (signers []ssh.Signer, err error) - HostKeyCallbackHelper -+ */ - } - - // NewSSHAgentAuth returns a PublicKeysCallback based on a SSH agent, it opens - // a pipe with the SSH agent and uses the pipe as the implementer of the public - // key callback function. - func NewSSHAgentAuth(u string) (*PublicKeysCallback, error) { -+ /* - var err error - if u == "" { - u, err = username() -@@ -202,21 +246,28 @@ - User: u, - Callback: a.Signers, - }, nil -+ */ -+ return nil, nil - } - - func (a *PublicKeysCallback) Name() string { -- return PublicKeysCallbackName -+ // return PublicKeysCallbackName -+ return "" - } - - func (a *PublicKeysCallback) String() string { -- return fmt.Sprintf("user: %s, name: %s", a.User, a.Name()) -+ // return fmt.Sprintf("user: %s, name: %s", a.User, a.Name()) -+ return "" - } - --func (a *PublicKeysCallback) ClientConfig() (*ssh.ClientConfig, error) { -+func (a *PublicKeysCallback) ClientConfig() (*int, error) { -+ /* - return a.SetHostKeyCallback(&ssh.ClientConfig{ - User: a.User, - Auth: []ssh.AuthMethod{ssh.PublicKeysCallback(a.Callback)}, - }) -+ */ -+ return nil, nil - } - - // NewKnownHostsCallback returns ssh.HostKeyCallback based on a file based on a -@@ -229,7 +280,8 @@ - // If SSH_KNOWN_HOSTS is not set the following file locations will be used: - // ~/.ssh/known_hosts - // /etc/ssh/ssh_known_hosts --func NewKnownHostsCallback(files ...string) (ssh.HostKeyCallback, error) { -+func NewKnownHostsCallback(files ...string) (*int, error) { -+ /* - var err error - - if len(files) == 0 { -@@ -243,9 +295,12 @@ - } - - return knownhosts.New(files...) 
-+ */ -+ return nil, nil - } - --func getDefaultKnownHostsFiles() ([]string, error) { -+func getDefaultKnownHostsFiles() (*int, error) { -+ /* - files := filepath.SplitList(os.Getenv("SSH_KNOWN_HOSTS")) - if len(files) != 0 { - return files, nil -@@ -260,9 +315,12 @@ - filepath.Join(homeDirPath, "/.ssh/known_hosts"), - "/etc/ssh/ssh_known_hosts", - }, nil -+ */ -+ return nil, nil - } - --func filterKnownHostsFiles(files ...string) ([]string, error) { -+func filterKnownHostsFiles(files ...string) (*int, error) { -+ /* - var out []string - for _, file := range files { - _, err := os.Stat(file) -@@ -281,6 +339,8 @@ - } - - return out, nil -+ */ -+ return nil, nil - } - - // HostKeyCallbackHelper is a helper that provides common functionality to -@@ -289,13 +349,14 @@ - // HostKeyCallback is the function type used for verifying server keys. - // If nil default callback will be create using NewKnownHostsCallback - // without argument. -- HostKeyCallback ssh.HostKeyCallback -+ // HostKeyCallback ssh.HostKeyCallback - } - - // SetHostKeyCallback sets the field HostKeyCallback in the given cfg. If - // HostKeyCallback is empty a default callback is created using - // NewKnownHostsCallback. 
--func (m *HostKeyCallbackHelper) SetHostKeyCallback(cfg *ssh.ClientConfig) (*ssh.ClientConfig, error) { -+func (m *HostKeyCallbackHelper) SetHostKeyCallback(*int) (*int, error) { -+ /* - var err error - if m.HostKeyCallback == nil { - if m.HostKeyCallback, err = NewKnownHostsCallback(); err != nil { -@@ -305,4 +366,6 @@ - - cfg.HostKeyCallback = m.HostKeyCallback - return cfg, nil -+ */ -+ return nil, nil - } -diff a/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/common.go b/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/common.go ---- a/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/common.go 2022-10-30 20:00:00.000000000 -0400 -+++ b/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/common.go 2022-12-20 14:01:25.825788050 -0500 -@@ -2,18 +2,22 @@ - package ssh - - import ( -- "context" -+ // "context" - "fmt" -+ /* - "reflect" - "strconv" - "strings" -+ */ - - "github.com/go-git/go-git/v5/plumbing/transport" - "github.com/go-git/go-git/v5/plumbing/transport/internal/common" - - "github.com/kevinburke/ssh_config" -+ /* - "golang.org/x/crypto/ssh" - "golang.org/x/net/proxy" -+ */ + "github.com/ProtonMail/go-crypto/openpgp/errors" + "github.com/ProtonMail/go-crypto/openpgp/internal/algorithm" +- "golang.org/x/crypto/argon2" ) - // DefaultClient is the default SSH client. -@@ -28,23 +32,26 @@ - } + type Mode uint8 +@@ -27,7 +26,6 @@ const ( + SimpleS2K Mode = 0 + SaltedS2K Mode = 1 + IteratedSaltedS2K Mode = 3 +- Argon2S2K Mode = 4 + GnuS2K Mode = 101 + ) - // NewClient creates a new SSH client with an optional *ssh.ClientConfig. --func NewClient(config *ssh.ClientConfig) transport.Transport { -- return common.NewClient(&runner{config: config}) -+func NewClient(*int) transport.Transport { -+ // return common.NewClient(&runner{config: config}) -+ return nil - } - - // DefaultAuthBuilder is the function used to create a default AuthMethod, when - // the user doesn't provide any. 
- var DefaultAuthBuilder = func(user string) (AuthMethod, error) { -- return NewSSHAgentAuth(user) -+ // return NewSSHAgentAuth(user) -+ return nil, nil - } - - const DefaultPort = 22 - - type runner struct { -- config *ssh.ClientConfig -+ // config *ssh.ClientConfig - } - - func (r *runner) Command(cmd string, ep *transport.Endpoint, auth transport.AuthMethod) (common.Command, error) { -+ /* - c := &command{command: cmd, endpoint: ep, config: r.config} - if auth != nil { - c.setAuth(auth) -@@ -54,9 +61,12 @@ - return nil, err - } - return c, nil -+ */ -+ return nil, nil - } - - type command struct { -+ /* - *ssh.Session - connected bool - command string -@@ -64,24 +74,29 @@ - client *ssh.Client - auth AuthMethod - config *ssh.ClientConfig -+ */ - } - - func (c *command) setAuth(auth transport.AuthMethod) error { -+ /* - a, ok := auth.(AuthMethod) - if !ok { - return transport.ErrInvalidAuthMethod +@@ -87,10 +85,10 @@ func decodeCount(c uint8) int { + // encodeMemory converts the Argon2 "memory" in the range parallelism*8 to + // 2**31, inclusive, to an encoded memory. The return value is the + // octet that is actually stored in the GPG file. encodeMemory panics +-// if is not in the above range ++// if is not in the above range + // See OpenPGP crypto refresh Section 3.7.1.4. 
+ func encodeMemory(memory uint32, parallelism uint8) uint8 { +- if memory < (8 * uint32(parallelism)) || memory > uint32(2147483648) { ++ if memory < (8*uint32(parallelism)) || memory > uint32(2147483648) { + panic("Memory argument memory is outside the required range") } - c.auth = a -+ */ - return nil +@@ -174,33 +172,20 @@ func Iterated(out []byte, h hash.Hash, in []byte, salt []byte, count int) { + + // Argon2 writes to out the key derived from the password (in) with the Argon2 + // function (the crypto refresh, section 3.7.1.4) +-func Argon2(out []byte, in []byte, salt []byte, passes uint8, paralellism uint8, memoryExp uint8) { +- key := argon2.IDKey(in, salt, uint32(passes), decodeMemory(memoryExp), paralellism, uint32(len(out))) +- copy(out[:], key) +-} + + // Generate generates valid parameters from given configuration. + // It will enforce the Iterated and Salted or Argon2 S2K method. + func Generate(rand io.Reader, c *Config) (*Params, error) { + var params *Params +- if c != nil && c.Mode() == Argon2S2K { +- // handle Argon2 case +- argonConfig := c.Argon2() +- params = &Params{ +- mode: Argon2S2K, +- passes: argonConfig.Passes(), +- parallelism: argonConfig.Parallelism(), +- memoryExp: argonConfig.EncodedMemory(), +- } +- } else if c != nil && c.PassphraseIsHighEntropy && c.Mode() == SaltedS2K { // Allow SaltedS2K if PassphraseIsHighEntropy ++ if c != nil && c.PassphraseIsHighEntropy && c.Mode() == SaltedS2K { // Allow SaltedS2K if PassphraseIsHighEntropy + hashId, ok := algorithm.HashToHashId(c.hash()) + if !ok { + return nil, errors.UnsupportedError("no such hash") + } + + params = &Params{ +- mode: SaltedS2K, +- hashId: hashId, ++ mode: SaltedS2K, ++ hashId: hashId, + } + } else { // Enforce IteratedSaltedS2K method otherwise + hashId, ok := algorithm.HashToHashId(c.hash()) +@@ -211,7 +196,7 @@ func Generate(rand io.Reader, c *Config) (*Params, error) { + c.S2KMode = IteratedSaltedS2K + } + params = &Params{ +- mode: IteratedSaltedS2K, ++ mode: 
IteratedSaltedS2K, + hashId: hashId, + countByte: c.EncodedCount(), + } +@@ -274,16 +259,6 @@ func ParseIntoParams(r io.Reader) (params *Params, err error) { + copy(params.salt(), buf[1:9]) + params.countByte = buf[9] + return params, nil +- case Argon2S2K: +- _, err = io.ReadFull(r, buf[:Argon2SaltSize+3]) +- if err != nil { +- return nil, err +- } +- copy(params.salt(), buf[:Argon2SaltSize]) +- params.passes = buf[Argon2SaltSize] +- params.parallelism = buf[Argon2SaltSize+1] +- params.memoryExp = buf[Argon2SaltSize+2] +- return params, nil + case GnuS2K: + // This is a GNU extension. See + // https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS;h=fe55ae16ab4e26d8356dc574c9e8bc935e71aef1;hb=23191d7851eae2217ecdac6484349849a24fd94a#l1109 +@@ -306,9 +281,10 @@ func (params *Params) Dummy() bool { + + func (params *Params) salt() []byte { + switch params.mode { +- case SaltedS2K, IteratedSaltedS2K: return params.saltBytes[:8] +- case Argon2S2K: return params.saltBytes[:Argon2SaltSize] +- default: return nil ++ case SaltedS2K, IteratedSaltedS2K: ++ return params.saltBytes[:8] ++ default: ++ return nil + } } - func (c *command) Start() error { -- return c.Session.Start(endpointToCommand(c.command, c.endpoint)) -+ // return c.Session.Start(endpointToCommand(c.command, c.endpoint)) -+ return nil - } - - // Close closes the SSH session and connection. 
- func (c *command) Close() error { -+ /* - if !c.connected { - return nil +@@ -317,15 +293,13 @@ func (params *Params) Function() (f func(out, in []byte), err error) { + return nil, errors.ErrDummyPrivateKey("dummy key found") } -@@ -99,6 +114,8 @@ + var hashObj crypto.Hash +- if params.mode != Argon2S2K { +- var ok bool +- hashObj, ok = algorithm.HashIdToHashWithSha1(params.hashId) +- if !ok { +- return nil, errors.UnsupportedError("hash for S2K function: " + strconv.Itoa(int(params.hashId))) +- } +- if !hashObj.Available() { +- return nil, errors.UnsupportedError("hash not available: " + strconv.Itoa(int(hashObj))) +- } ++ var ok bool ++ hashObj, ok = algorithm.HashIdToHashWithSha1(params.hashId) ++ if !ok { ++ return nil, errors.UnsupportedError("hash for S2K function: " + strconv.Itoa(int(params.hashId))) ++ } ++ if !hashObj.Available() { ++ return nil, errors.UnsupportedError("hash not available: " + strconv.Itoa(int(hashObj))) } - return err -+ */ -+ return nil - } + switch params.mode { +@@ -346,11 +320,6 @@ func (params *Params) Function() (f func(out, in []byte), err error) { + Iterated(out, hashObj.New(), in, params.salt(), decodeCount(params.countByte)) + } - // connect connects to the SSH server, unless a AuthMethod was set with -@@ -106,6 +123,7 @@ - // it connects to a SSH agent, using the address stored in the SSH_AUTH_SOCK - // environment var. 
- func (c *command) connect() error { -+ /* - if c.connected { - return transport.ErrAlreadyConnected - } -@@ -136,10 +154,12 @@ +- return f, nil +- case Argon2S2K: +- f := func(out, in []byte) { +- Argon2(out, in, params.salt(), params.passes, params.parallelism, params.memoryExp) +- } + return f, nil } - c.connected = true -+ */ - return nil - } - --func dial(network, addr string, config *ssh.ClientConfig) (*ssh.Client, error) { -+func dial(network, addr string, config *int) (*int, error) { -+ /* - var ( - ctx = context.Background() - cancel context.CancelFunc -@@ -160,9 +180,12 @@ - return nil, err - } - return ssh.NewClient(c, chans, reqs), nil -+ */ -+ return nil, nil - } - - func (c *command) getHostWithPort() string { -+ /* - if addr, found := c.doGetHostWithPortFromSSHConfig(); found { - return addr - } -@@ -174,9 +197,12 @@ - } - - return fmt.Sprintf("%s:%d", host, port) -+ */ -+ return "" - } - - func (c *command) doGetHostWithPortFromSSHConfig() (addr string, found bool) { -+ /* - if DefaultSSHConfig == nil { +@@ -361,10 +330,8 @@ func (params *Params) Serialize(w io.Writer) (err error) { + if _, err = w.Write([]byte{uint8(params.mode)}); err != nil { return } -@@ -202,12 +228,13 @@ +- if params.mode != Argon2S2K { +- if _, err = w.Write([]byte{params.hashId}); err != nil { +- return +- } ++ if _, err = w.Write([]byte{params.hashId}); err != nil { ++ return + } + if params.Dummy() { + _, err = w.Write(append([]byte("GNU"), 1)) +@@ -377,9 +344,6 @@ func (params *Params) Serialize(w io.Writer) (err error) { + if params.mode == IteratedSaltedS2K { + _, err = w.Write([]byte{params.countByte}) + } +- if params.mode == Argon2S2K { +- _, err = w.Write([]byte{params.passes, params.parallelism, params.memoryExp}) +- } } - - addr = fmt.Sprintf("%s:%d", host, port) -+ */ return } - - func (c *command) setAuthFromEndpoint() error { - var err error -- c.auth, err = DefaultAuthBuilder(c.endpoint.User) -+ // c.auth, err = DefaultAuthBuilder(c.endpoint.User) - return 
err - } - -@@ -215,7 +242,8 @@ - return fmt.Sprintf("%s '%s'", cmd, ep.Path) - } - --func overrideConfig(overrides *ssh.ClientConfig, c *ssh.ClientConfig) { -+func overrideConfig(overrides *int, c *int) { -+ /* - if overrides == nil { - return - } -@@ -232,4 +260,5 @@ - } - - *c = vc.Interface().(ssh.ClientConfig) -+ */ - } -diff a/vendor/github.com/go-git/go-git/v5/repository.go b/vendor/github.com/go-git/go-git/v5/repository.go ---- a/vendor/github.com/go-git/go-git/v5/repository.go 2022-10-30 20:00:00.000000000 -0400 -+++ b/vendor/github.com/go-git/go-git/v5/repository.go 2022-12-20 13:46:57.584666477 -0500 -@@ -13,7 +13,7 @@ - "strings" - "time" - -- "github.com/ProtonMail/go-crypto/openpgp" -+ // "github.com/ProtonMail/go-crypto/openpgp" - "github.com/go-git/go-billy/v5" - "github.com/go-git/go-billy/v5/osfs" - "github.com/go-git/go-billy/v5/util" -@@ -706,6 +706,7 @@ - Target: hash, - } - -+ /* - if opts.SignKey != nil { - sig, err := r.buildTagSignature(tag, opts.SignKey) - if err != nil { -@@ -714,6 +715,7 @@ - - tag.PGPSignature = sig - } -+ */ - - obj := r.Storer.NewEncodedObject() - if err := tag.Encode(obj); err != nil { -@@ -723,7 +725,8 @@ - return r.Storer.SetEncodedObject(obj) - } - --func (r *Repository) buildTagSignature(tag *object.Tag, signKey *openpgp.Entity) (string, error) { -+func (r *Repository) buildTagSignature(tag *object.Tag, signKey *int) (string, error) { -+ /* - encoded := &plumbing.MemoryObject{} - if err := tag.Encode(encoded); err != nil { - return "", err -@@ -740,6 +743,8 @@ - } - - return b.String(), nil -+ */ -+ return "", nil - } - - // Tag returns a tag from the repository. 
-diff a/vendor/github.com/go-git/go-git/v5/worktree_commit.go b/vendor/github.com/go-git/go-git/v5/worktree_commit.go ---- a/vendor/github.com/go-git/go-git/v5/worktree_commit.go 2022-10-30 20:00:00.000000000 -0400 -+++ b/vendor/github.com/go-git/go-git/v5/worktree_commit.go 2022-12-20 13:47:27.671919357 -0500 -@@ -1,7 +1,7 @@ - package git +diff --git a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetrically_encrypted_aead.go b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetrically_encrypted_aead.go +index e96252c..42ddccf 100644 +--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetrically_encrypted_aead.go ++++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetrically_encrypted_aead.go +@@ -5,12 +5,9 @@ + package packet import ( -- "bytes" -+ // "bytes" - "path" - "sort" - "strings" -@@ -12,7 +12,7 @@ - "github.com/go-git/go-git/v5/plumbing/object" - "github.com/go-git/go-git/v5/storage" +- "crypto/cipher" +- "crypto/sha256" + "io" -- "github.com/ProtonMail/go-crypto/openpgp" -+ // "github.com/ProtonMail/go-crypto/openpgp" - "github.com/go-git/go-billy/v5" + "github.com/ProtonMail/go-crypto/openpgp/errors" +- "golang.org/x/crypto/hkdf" ) -@@ -101,6 +101,7 @@ - ParentHashes: opts.Parents, - } + // parseAead parses a V2 SEIPD packet (AEAD) as specified in +@@ -62,95 +59,11 @@ func (se *SymmetricallyEncrypted) associatedData() []byte { + // decryptAead decrypts a V2 SEIPD packet (AEAD) as specified in + // https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.13.2 + func (se *SymmetricallyEncrypted) decryptAead(inputKey []byte) (io.ReadCloser, error) { +- aead, nonce := getSymmetricallyEncryptedAeadInstance(se.Cipher, se.Mode, inputKey, se.Salt[:], se.associatedData()) +- +- // Carry the first tagLen bytes +- tagLen := se.Mode.TagLength() +- peekedBytes := make([]byte, tagLen) +- n, err := io.ReadFull(se.Contents, peekedBytes) +- if n < tagLen || (err != nil && err != io.EOF) { +- 
return nil, errors.StructuralError("not enough data to decrypt:" + err.Error()) +- } +- +- return &aeadDecrypter{ +- aeadCrypter: aeadCrypter{ +- aead: aead, +- chunkSize: decodeAEADChunkSize(se.ChunkSizeByte), +- initialNonce: nonce, +- associatedData: se.associatedData(), +- chunkIndex: make([]byte, 8), +- packetTag: packetTypeSymmetricallyEncryptedIntegrityProtected, +- }, +- reader: se.Contents, +- peekedBytes: peekedBytes, +- }, nil ++ panic("hkdf cipher not available") + } -+ /* - if opts.SignKey != nil { - sig, err := w.buildCommitSignature(commit, opts.SignKey) - if err != nil { -@@ -108,6 +109,7 @@ + // serializeSymmetricallyEncryptedAead encrypts to a writer a V2 SEIPD packet (AEAD) as specified in + // https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.13.2 + func serializeSymmetricallyEncryptedAead(ciphertext io.WriteCloser, cipherSuite CipherSuite, chunkSizeByte byte, rand io.Reader, inputKey []byte) (Contents io.WriteCloser, err error) { +- // cipherFunc must have block size 16 to use AEAD +- if cipherSuite.Cipher.blockSize() != 16 { +- return nil, errors.InvalidArgumentError("invalid aead cipher function") +- } +- +- if cipherSuite.Cipher.KeySize() != len(inputKey) { +- return nil, errors.InvalidArgumentError("error in aead serialization: bad key length") +- } +- +- // Data for en/decryption: tag, version, cipher, aead mode, chunk size +- prefix := []byte{ +- 0xD2, +- symmetricallyEncryptedVersionAead, +- byte(cipherSuite.Cipher), +- byte(cipherSuite.Mode), +- chunkSizeByte, +- } +- +- // Write header (that correspond to prefix except first byte) +- n, err := ciphertext.Write(prefix[1:]) +- if err != nil || n < 4 { +- return nil, err +- } +- +- // Random salt +- salt := make([]byte, aeadSaltSize) +- if _, err := rand.Read(salt); err != nil { +- return nil, err +- } +- +- if _, err := ciphertext.Write(salt); err != nil { +- return nil, err +- } +- +- aead, nonce := 
getSymmetricallyEncryptedAeadInstance(cipherSuite.Cipher, cipherSuite.Mode, inputKey, salt, prefix) +- +- return &aeadEncrypter{ +- aeadCrypter: aeadCrypter{ +- aead: aead, +- chunkSize: decodeAEADChunkSize(chunkSizeByte), +- associatedData: prefix, +- chunkIndex: make([]byte, 8), +- initialNonce: nonce, +- packetTag: packetTypeSymmetricallyEncryptedIntegrityProtected, +- }, +- writer: ciphertext, +- }, nil +-} +- +-func getSymmetricallyEncryptedAeadInstance(c CipherFunction, mode AEADMode, inputKey, salt, associatedData []byte) (aead cipher.AEAD, nonce []byte) { +- hkdfReader := hkdf.New(sha256.New, inputKey, salt, associatedData) +- +- encryptionKey := make([]byte, c.KeySize()) +- _, _ = readFull(hkdfReader, encryptionKey) +- +- // Last 64 bits of nonce are the counter +- nonce = make([]byte, mode.IvLength()-8) +- +- _, _ = readFull(hkdfReader, nonce) +- +- blockCipher := c.new(encryptionKey) +- aead = mode.new(blockCipher) +- +- return ++ panic("hkdf cipher not available") + } +diff --git a/vendor/github.com/ProtonMail/go-crypto/openpgp/read.go b/vendor/github.com/ProtonMail/go-crypto/openpgp/read.go +index 8499c73..eaffe19 100644 +--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/read.go ++++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/read.go +@@ -17,7 +17,6 @@ import ( + "github.com/ProtonMail/go-crypto/openpgp/errors" + "github.com/ProtonMail/go-crypto/openpgp/internal/algorithm" + "github.com/ProtonMail/go-crypto/openpgp/packet" +- _ "golang.org/x/crypto/sha3" + ) + + // SignatureType is the armor type for a PGP signature. 
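Review bot: `decryptAead` and `serializeSymmetricallyEncryptedAead` both return an `error`, yet the stubbed bodies call `panic("hkdf cipher not available")`, so a caller that handles the error cannot fail gracefully and an unrecovered panic ends the process. `decryptAead` is the decrypt entry point for V2 SEIPD packets, so it is presumably reachable from parsed input; returning an error keeps that a handled failure, e.g. `return nil, errors.UnsupportedError("AEAD (v2 SEIPD) is not available in this build")`, using the `openpgp/errors` import the file keeps. The same pattern recurs in other stubs with an error return in this patch: `NewChachaPoly`, `deriveSecret`, `expand`, `loadPKCS12Cert` (whose removed comment says it is reached when certData is garbage), `DecodePfxCertificateData`, `BCrypt.Hash`/`BCrypt.Compare`, and the age `NewReader`, `NewWriter`, `aeadEncrypt`, `aeadDecrypt` and `headerMAC`. The go-jose hunks show the alternative: with the Ed25519 cases removed, those keys fall through to the existing `default:` branches, which return an error or `false`.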
+diff --git a/vendor/github.com/google/s2a-go/internal/record/internal/aeadcrypter/chachapoly.go b/vendor/github.com/google/s2a-go/internal/record/internal/aeadcrypter/chachapoly.go +index 214df4c..f049462 100644 +--- a/vendor/github.com/google/s2a-go/internal/record/internal/aeadcrypter/chachapoly.go ++++ b/vendor/github.com/google/s2a-go/internal/record/internal/aeadcrypter/chachapoly.go +@@ -20,9 +20,6 @@ package aeadcrypter + + import ( + "crypto/cipher" +- "fmt" +- +- "golang.org/x/crypto/chacha20poly1305" + ) + + // Supported key size in bytes. +@@ -39,14 +36,7 @@ type chachapoly struct { + // NewChachaPoly creates a Chacha-Poly crypter instance. Note that the key must + // be Chacha20Poly1305KeySize bytes in length. + func NewChachaPoly(key []byte) (S2AAEADCrypter, error) { +- if len(key) != Chacha20Poly1305KeySize { +- return nil, fmt.Errorf("%d bytes, given: %d", Chacha20Poly1305KeySize, len(key)) +- } +- c, err := chacha20poly1305.New(key) +- if err != nil { +- return nil, err +- } +- return &chachapoly{aead: c}, nil ++ panic("chachap20poly1305 cipher not available") + } + + // Encrypt is the encryption function. 
dst can contain bytes at the beginning of +diff --git a/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/halfconn.go b/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/halfconn.go +index dff99ff..052f645 100644 +--- a/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/halfconn.go ++++ b/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/halfconn.go +@@ -26,7 +26,6 @@ import ( + + s2apb "github.com/google/s2a-go/internal/proto/common_go_proto" + "github.com/google/s2a-go/internal/record/internal/aeadcrypter" +- "golang.org/x/crypto/cryptobyte" + ) + + // The constants below were taken from Section 7.2 and 7.3 in +@@ -175,19 +174,5 @@ func (hc *S2AHalfConnection) maskedNonce(sequence uint64) []byte { + // deriveSecret implements the Derive-Secret function, as specified in + // https://tools.ietf.org/html/rfc8446#section-7.1. + func (hc *S2AHalfConnection) deriveSecret(secret, label []byte, length int) ([]byte, error) { +- var hkdfLabel cryptobyte.Builder +- hkdfLabel.AddUint16(uint16(length)) +- hkdfLabel.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(label) +- }) +- // Append an empty `Context` field to the label, as specified in the RFC. +- // The half connection does not use the `Context` field. 
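Review bot: The panic message added to `NewChachaPoly` is misspelled, `chachap20poly1305`, where the age stubs in this patch spell the same primitive `chacha20poly1305`; `BCrypt.Hash` in fosite/hash_bcrypt.go has the similar slip `bcrypt ciper`. These strings are what someone greps for when a stubbed primitive is hit at run time, so they should be exact and consistent: `panic("chacha20poly1305 cipher not available")` here and `panic("bcrypt cipher not available")` in fosite. The stub also drops the `len(key) != Chacha20Poly1305KeySize` check, which is harmless only while the function never returns.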
+- hkdfLabel.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes([]byte("")) +- }) +- hkdfLabelBytes, err := hkdfLabel.Bytes() +- if err != nil { +- return nil, fmt.Errorf("deriveSecret failed: %v", err) +- } +- return hc.expander.expand(secret, hkdfLabelBytes, length) ++ panic("cryptobyte cipher not available") + } +diff --git a/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/expander.go b/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/expander.go +index e05f2c3..f46c3a9 100644 +--- a/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/expander.go ++++ b/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/expander.go +@@ -19,10 +19,7 @@ + package halfconn + + import ( +- "fmt" + "hash" +- +- "golang.org/x/crypto/hkdf" + ) + + // hkdfExpander is the interface for the HKDF expansion function; see +@@ -47,13 +44,5 @@ func newDefaultHKDFExpander(h func() hash.Hash) hkdfExpander { + } + + func (d *defaultHKDFExpander) expand(secret, label []byte, length int) ([]byte, error) { +- outBuf := make([]byte, length) +- n, err := hkdf.Expand(d.h, secret, label).Read(outBuf) +- if err != nil { +- return nil, fmt.Errorf("hkdf.Expand.Read failed with error: %v", err) +- } +- if n < length { +- return nil, fmt.Errorf("hkdf.Expand.Read returned unexpected length, got %d, want %d", n, length) +- } +- return outBuf, nil ++ panic("hkdf cipher not available") + } +diff --git a/vendor/github.com/Masterminds/sprig/v3/crypto.go b/vendor/github.com/Masterminds/sprig/v3/crypto.go +index 13a5cd5..a92eaec 100644 +--- a/vendor/github.com/Masterminds/sprig/v3/crypto.go ++++ b/vendor/github.com/Masterminds/sprig/v3/crypto.go +@@ -9,7 +9,6 @@ import ( + "crypto/ecdsa" + "crypto/ed25519" + "crypto/elliptic" +- "crypto/hmac" + "crypto/rand" + "crypto/rsa" + "crypto/sha1" +@@ -18,7 +17,6 @@ import ( + "crypto/x509/pkix" + "encoding/asn1" + "encoding/base64" +- "encoding/binary" + "encoding/hex" + "encoding/pem" + 
"errors" +@@ -32,8 +30,6 @@ import ( + "strings" + + "github.com/google/uuid" +- bcrypt_lib "golang.org/x/crypto/bcrypt" +- "golang.org/x/crypto/scrypt" + ) + + func sha256sum(input string) string { +@@ -52,12 +48,7 @@ func adler32sum(input string) string { + } + + func bcrypt(input string) string { +- hash, err := bcrypt_lib.GenerateFromPassword([]byte(input), bcrypt_lib.DefaultCost) +- if err != nil { +- return fmt.Sprintf("failed to encrypt string with bcrypt: %s", err) +- } +- +- return string(hash) ++ panic("bcrypt cipher not available") + } + + func htpasswd(username string, password string) string { +@@ -108,40 +99,7 @@ var templateCharacters = map[byte]string{ + } + + func derivePassword(counter uint32, passwordType, password, user, site string) string { +- var templates = passwordTypeTemplates[passwordType] +- if templates == nil { +- return fmt.Sprintf("cannot find password template %s", passwordType) +- } +- +- var buffer bytes.Buffer +- buffer.WriteString(masterPasswordSeed) +- binary.Write(&buffer, binary.BigEndian, uint32(len(user))) +- buffer.WriteString(user) +- +- salt := buffer.Bytes() +- key, err := scrypt.Key([]byte(password), salt, 32768, 8, 2, 64) +- if err != nil { +- return fmt.Sprintf("failed to derive password: %s", err) +- } +- +- buffer.Truncate(len(masterPasswordSeed)) +- binary.Write(&buffer, binary.BigEndian, uint32(len(site))) +- buffer.WriteString(site) +- binary.Write(&buffer, binary.BigEndian, counter) +- +- var hmacv = hmac.New(sha256.New, key) +- hmacv.Write(buffer.Bytes()) +- var seed = hmacv.Sum(nil) +- var temp = templates[int(seed[0])%len(templates)] +- +- buffer.Truncate(0) +- for i, element := range temp { +- passChars := templateCharacters[element] +- passChar := passChars[int(seed[i+1])%len(passChars)] +- buffer.WriteByte(passChar) +- } +- +- return buffer.String() ++ panic("scrypt cipher not available") + } + + func generatePrivateKey(typ string) string { +diff --git 
a/vendor/github.com/microsoft/go-mssqldb/integratedauth/ntlm/ntlm.go b/vendor/github.com/microsoft/go-mssqldb/integratedauth/ntlm/ntlm.go +index d95032f..f5cbe66 100644 +--- a/vendor/github.com/microsoft/go-mssqldb/integratedauth/ntlm/ntlm.go ++++ b/vendor/github.com/microsoft/go-mssqldb/integratedauth/ntlm/ntlm.go +@@ -16,7 +16,6 @@ import ( + "github.com/microsoft/go-mssqldb/msdsn" + + //lint:ignore SA1019 MD4 is used by legacy NTLM +- "golang.org/x/crypto/md4" + ) + + const ( +@@ -162,10 +161,7 @@ func lmResponse(challenge [8]byte, password string) [24]byte { + } + + func ntlmHash(password string) (hash [21]byte) { +- h := md4.New() +- h.Write(utf16le(password)) +- h.Sum(hash[:0]) +- return ++ panic("md4 cipher not available") + } + + func ntResponse(challenge [8]byte, password string) [24]byte { +@@ -194,12 +190,7 @@ func ntlmSessionResponse(clientNonce [8]byte, serverChallenge [8]byte, password + } + + func ntlmHashNoPadding(val string) []byte { +- hash := make([]byte, 16) +- h := md4.New() +- h.Write(utf16le(val)) +- h.Sum(hash[:0]) +- +- return hash ++ panic("md4 cipher not available") + } + + func hmacMD5(passwordHash, data []byte) []byte { +diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go +index 804eba899e..221306e7dc 100644 +--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go ++++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go +@@ -16,7 +16,6 @@ import ( + "github.com/Azure/azure-sdk-for-go/sdk/azcore" + "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" + "github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential" +- "golang.org/x/crypto/pkcs12" + ) + + const credNameCert = "ClientCertificateCredential" +@@ -158,15 +157,7 @@ func loadPEMCert(certData []byte) ([]*pem.Block, error) { + } + + func 
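Review bot: The `//lint:ignore SA1019 MD4 is used by legacy NTLM` directive stays in the import block of ntlm.go after the `golang.org/x/crypto/md4` import it annotated is removed, so it now precedes only the closing `)` and matches nothing; delete it in the same hunk. `ntlmHash` and `ntlmHashNoPadding` have no error return, so the panic is the only signal a caller of the NTLM path gets. A one-line comment above each stub would mark it as deliberate, for example `// MD4 is removed from this build; NTLM authentication is unsupported.`, with the wording adjusted to the packaging rationale.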
loadPKCS12Cert(certData []byte, password string) ([]*pem.Block, error) { +- blocks, err := pkcs12.ToPEM(certData, password) +- if err != nil { +- return nil, err +- } +- if len(blocks) == 0 { +- // not mentioning PKCS12 in this message because we end up here when certData is garbage +- return nil, errors.New("didn't find any certificate content") +- } +- return blocks, err ++ panic("pkcs12 cipher not available") + } + + var _ azcore.TokenCredential = (*ClientCertificateCredential)(nil) +diff --git a/vendor/github.com/Azure/go-autorest/autorest/adal/persist.go b/vendor/github.com/Azure/go-autorest/autorest/adal/persist.go +index 2a974a3..1ea6648 100644 +--- a/vendor/github.com/Azure/go-autorest/autorest/adal/persist.go ++++ b/vendor/github.com/Azure/go-autorest/autorest/adal/persist.go +@@ -23,8 +23,6 @@ import ( + "io/ioutil" + "os" + "path/filepath" +- +- "golang.org/x/crypto/pkcs12" + ) + + var ( +@@ -90,46 +88,5 @@ func SaveToken(path string, mode os.FileMode, token Token) error { + // private key or an error is returned. + // If the private key is not password protected pass the empty string for password. 
+ func DecodePfxCertificateData(pfxData []byte, password string) (*x509.Certificate, *rsa.PrivateKey, error) { +- blocks, err := pkcs12.ToPEM(pfxData, password) +- if err != nil { +- return nil, nil, err +- } +- // first extract the private key +- var priv *rsa.PrivateKey +- for _, block := range blocks { +- if block.Type == "PRIVATE KEY" { +- priv, err = x509.ParsePKCS1PrivateKey(block.Bytes) +- if err != nil { +- return nil, nil, err +- } +- break +- } +- } +- if priv == nil { +- return nil, nil, ErrMissingPrivateKey +- } +- // now find the certificate with the matching public key of our private key +- var cert *x509.Certificate +- for _, block := range blocks { +- if block.Type == "CERTIFICATE" { +- pcert, err := x509.ParseCertificate(block.Bytes) +- if err != nil { +- return nil, nil, err +- } +- certKey, ok := pcert.PublicKey.(*rsa.PublicKey) +- if !ok { +- // keep looking +- continue +- } +- if priv.E == certKey.E && priv.N.Cmp(certKey.N) == 0 { +- // found a match +- cert = pcert +- break +- } +- } +- } +- if cert == nil { +- return nil, nil, ErrMissingCertificate +- } +- return cert, priv, nil ++ panic("pkcs12 cipher not available") + } +diff --git a/vendor/github.com/Azure/go-ntlmssp/nlmp.go b/vendor/github.com/Azure/go-ntlmssp/nlmp.go +index 1e65abe..0ef2301 100644 +--- a/vendor/github.com/Azure/go-ntlmssp/nlmp.go ++++ b/vendor/github.com/Azure/go-ntlmssp/nlmp.go +@@ -10,7 +10,6 @@ package ntlmssp + import ( + "crypto/hmac" + "crypto/md5" +- "golang.org/x/crypto/md4" + "strings" + ) + +@@ -19,9 +18,7 @@ func getNtlmV2Hash(password, username, target string) []byte { + } + + func getNtlmHash(password string) []byte { +- hash := md4.New() +- hash.Write(toUnicode(password)) +- return hash.Sum(nil) ++ panic("md4 cipher not available") + } + + func computeNtlmV2Response(ntlmV2Hash, serverChallenge, clientChallenge, +diff --git a/vendor/github.com/ory/fosite/hash_bcrypt.go b/vendor/github.com/ory/fosite/hash_bcrypt.go +index 44b8fcb..4a75d24 100644 +--- 
a/vendor/github.com/ory/fosite/hash_bcrypt.go ++++ b/vendor/github.com/ory/fosite/hash_bcrypt.go +@@ -5,10 +5,6 @@ package fosite + + import ( + "context" +- +- "github.com/ory/x/errorsx" +- +- "golang.org/x/crypto/bcrypt" + ) + + const DefaultBCryptWorkFactor = 12 +@@ -21,20 +17,9 @@ type BCrypt struct { + } + + func (b *BCrypt) Hash(ctx context.Context, data []byte) ([]byte, error) { +- wf := b.Config.GetBCryptCost(ctx) +- if wf == 0 { +- wf = DefaultBCryptWorkFactor +- } +- s, err := bcrypt.GenerateFromPassword(data, wf) +- if err != nil { +- return nil, errorsx.WithStack(err) +- } +- return s, nil ++ panic("bcrypt ciper not available") + } + + func (b *BCrypt) Compare(ctx context.Context, hash, data []byte) error { +- if err := bcrypt.CompareHashAndPassword(hash, data); err != nil { +- return errorsx.WithStack(err) +- } +- return nil ++ panic("bcrypt cipher not available") + } +diff --git a/vendor/filippo.io/age/internal/stream/stream.go b/vendor/filippo.io/age/internal/stream/stream.go +index 7cf02c4..29f4f44 100644 +--- a/vendor/filippo.io/age/internal/stream/stream.go ++++ b/vendor/filippo.io/age/internal/stream/stream.go +@@ -10,9 +10,6 @@ import ( + "errors" + "fmt" + "io" +- +- "golang.org/x/crypto/chacha20poly1305" +- "golang.org/x/crypto/poly1305" + ) + + const ChunkSize = 64 * 1024 +@@ -25,23 +22,16 @@ type Reader struct { + buf [encChunkSize]byte + + err error +- nonce [chacha20poly1305.NonceSize]byte ++ nonce []byte + } + + const ( +- encChunkSize = ChunkSize + poly1305.TagSize ++ encChunkSize = ChunkSize + lastChunkFlag = 0x01 + ) + + func NewReader(key []byte, src io.Reader) (*Reader, error) { +- aead, err := chacha20poly1305.New(key) +- if err != nil { +- return nil, err +- } +- return &Reader{ +- a: aead, +- src: src, +- }, nil ++ panic("chacha20poly1305 cipher not available") + } + + func (r *Reader) Read(p []byte) (int, error) { +@@ -87,64 +77,20 @@ func (r *Reader) Read(p []byte) (int, error) { + // in r.unread. 
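Review bot: In age/internal/stream/stream.go, `encChunkSize = ChunkSize` drops the `poly1305.TagSize` term, so `buf [encChunkSize]byte` in `Reader` and `Writer` no longer has room for the authentication tag of an encrypted chunk, and `nonce` changes from a fixed-size array to an unsized `[]byte`. This is harmless only because `NewReader` and `NewWriter` panic before either struct is used. If the AEAD is ever restored without reverting these two definitions, chunk framing would be wrong. A comment on the constant would guard against that: `// tag size omitted: poly1305 is not vendored; restore ChunkSize + poly1305.TagSize if the AEAD is re-enabled`.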
last is true if the chunk was marked as the end of the message. + // readChunk must not be called again after returning a last chunk or an error. + func (r *Reader) readChunk() (last bool, err error) { +- if len(r.unread) != 0 { +- panic("stream: internal error: readChunk called with dirty buffer") +- } ++ panic("poly1305 cipher not available") + +- in := r.buf[:] +- n, err := io.ReadFull(r.src, in) +- switch { +- case err == io.EOF: +- // A message can't end without a marked chunk. This message is truncated. +- return false, io.ErrUnexpectedEOF +- case err == io.ErrUnexpectedEOF: +- // The last chunk can be short, but not empty unless it's the first and +- // only chunk. +- if !nonceIsZero(&r.nonce) && n == r.a.Overhead() { +- return false, errors.New("last chunk is empty, try age v1.0.0, and please consider reporting this") +- } +- in = in[:n] +- last = true +- setLastChunkFlag(&r.nonce) +- case err != nil: +- return false, err +- } +- +- outBuf := make([]byte, 0, ChunkSize) +- out, err := r.a.Open(outBuf, r.nonce[:], in, nil) +- if err != nil && !last { +- // Check if this was a full-length final chunk. +- last = true +- setLastChunkFlag(&r.nonce) +- out, err = r.a.Open(outBuf, r.nonce[:], in, nil) +- } +- if err != nil { +- return false, errors.New("failed to decrypt and authenticate payload chunk") +- } +- +- incNonce(&r.nonce) +- r.unread = r.buf[:copy(r.buf[:], out)] +- return last, nil + } + +-func incNonce(nonce *[chacha20poly1305.NonceSize]byte) { +- for i := len(nonce) - 2; i >= 0; i-- { +- nonce[i]++ +- if nonce[i] != 0 { +- break +- } else if i == 0 { +- // The counter is 88 bits, this is unreachable. 
+- panic("stream: chunk counter wrapped around") +- } +- } ++func incNonce(nonce *[]byte) { ++ panic("chacha20poly1305 cipher not available") + } + +-func setLastChunkFlag(nonce *[chacha20poly1305.NonceSize]byte) { +- nonce[len(nonce)-1] = lastChunkFlag ++func setLastChunkFlag(nonce *[]byte) { ++ panic("chacha20poly1305 cipher not available") + } + +-func nonceIsZero(nonce *[chacha20poly1305.NonceSize]byte) bool { +- return *nonce == [chacha20poly1305.NonceSize]byte{} ++func nonceIsZero(nonce *[]byte) bool { ++ panic("chacha20poly1305 cipher not available") + } + + type Writer struct { +@@ -152,47 +98,17 @@ type Writer struct { + dst io.Writer + unwritten []byte // backed by buf + buf [encChunkSize]byte +- nonce [chacha20poly1305.NonceSize]byte ++ nonce []byte + err error + } + + func NewWriter(key []byte, dst io.Writer) (*Writer, error) { +- aead, err := chacha20poly1305.New(key) +- if err != nil { +- return nil, err +- } +- w := &Writer{ +- a: aead, +- dst: dst, +- } +- w.unwritten = w.buf[:0] +- return w, nil ++ panic("chacha20poly1305 cipher not available") ++ + } + + func (w *Writer) Write(p []byte) (n int, err error) { +- // TODO: consider refactoring with a bytes.Buffer. +- if w.err != nil { +- return 0, w.err +- } +- if len(p) == 0 { +- return 0, nil +- } +- +- total := len(p) +- for len(p) > 0 { +- freeBuf := w.buf[len(w.unwritten):ChunkSize] +- n := copy(freeBuf, p) +- p = p[n:] +- w.unwritten = w.unwritten[:len(w.unwritten)+n] +- +- if len(w.unwritten) == ChunkSize && len(p) > 0 { +- if err := w.flushChunk(notLastChunk); err != nil { +- w.err = err +- return 0, err +- } +- } +- } +- return total, nil ++ panic("chacha20poly1305 cipher not available") + } + + // Close flushes the last chunk. It does not close the underlying Writer. 
+@@ -216,16 +132,5 @@ const ( + ) + + func (w *Writer) flushChunk(last bool) error { +- if !last && len(w.unwritten) != ChunkSize { +- panic("stream: internal error: flush called with partial chunk") +- } +- +- if last { +- setLastChunkFlag(&w.nonce) +- } +- buf := w.a.Seal(w.buf[:0], w.nonce[:], w.unwritten, nil) +- _, err := w.dst.Write(buf) +- w.unwritten = w.buf[:0] +- incNonce(&w.nonce) +- return err ++ panic("chacha20poly1305 cipher not available") + } +diff --git a/vendor/filippo.io/age/primitives.go b/vendor/filippo.io/age/primitives.go +index 804b019..2ee760f 100644 +--- a/vendor/filippo.io/age/primitives.go ++++ b/vendor/filippo.io/age/primitives.go +@@ -5,29 +5,14 @@ + package age + + import ( +- "crypto/hmac" +- "crypto/sha256" + "errors" +- "io" + + "filippo.io/age/internal/format" +- "golang.org/x/crypto/chacha20poly1305" +- "golang.org/x/crypto/hkdf" + ) + + // aeadEncrypt encrypts a message with a one-time key. + func aeadEncrypt(key, plaintext []byte) ([]byte, error) { +- aead, err := chacha20poly1305.New(key) +- if err != nil { +- return nil, err +- } +- // The nonce is fixed because this function is only used in places where the +- // spec guarantees each key is only used once (by deriving it from values +- // that include fresh randomness), allowing us to save the overhead. +- // For the code that encrypts the actual payload, look at the +- // filippo.io/age/internal/stream package. +- nonce := make([]byte, chacha20poly1305.NonceSize) +- return aead.Seal(nil, nonce, plaintext, nil), nil ++ panic("chacha20poly1305 cipher not available") + } + + var errIncorrectCiphertextSize = errors.New("encrypted value has unexpected length") +@@ -38,35 +23,13 @@ var errIncorrectCiphertextSize = errors.New("encrypted value has unexpected leng + // can be crafted that decrypts successfully under multiple keys. Short + // ciphertexts can only target two keys, which has limited impact. 
+ func aeadDecrypt(key []byte, size int, ciphertext []byte) ([]byte, error) { +- aead, err := chacha20poly1305.New(key) +- if err != nil { +- return nil, err +- } +- if len(ciphertext) != size+aead.Overhead() { +- return nil, errIncorrectCiphertextSize +- } +- nonce := make([]byte, chacha20poly1305.NonceSize) +- return aead.Open(nil, nonce, ciphertext, nil) ++ panic("chacha20poly1305 cipher not available") + } + + func headerMAC(fileKey []byte, hdr *format.Header) ([]byte, error) { +- h := hkdf.New(sha256.New, fileKey, nil, []byte("header")) +- hmacKey := make([]byte, 32) +- if _, err := io.ReadFull(h, hmacKey); err != nil { +- return nil, err +- } +- hh := hmac.New(sha256.New, hmacKey) +- if err := hdr.MarshalWithoutMAC(hh); err != nil { +- return nil, err +- } +- return hh.Sum(nil), nil ++ panic("hkdf cipher not available") + } + + func streamKey(fileKey, nonce []byte) []byte { +- h := hkdf.New(sha256.New, fileKey, nonce, []byte("payload")) +- streamKey := make([]byte, chacha20poly1305.KeySize) +- if _, err := io.ReadFull(h, streamKey); err != nil { +- panic("age: internal error: failed to read from HKDF: " + err.Error()) +- } +- return streamKey ++ panic("chacha20poly1305 cipher not available") + } +diff --git a/vendor/filippo.io/age/scrypt.go b/vendor/filippo.io/age/scrypt.go +index 1346ad1..a97e385 100644 +--- a/vendor/filippo.io/age/scrypt.go ++++ b/vendor/filippo.io/age/scrypt.go +@@ -5,15 +5,8 @@ + package age + + import ( +- "crypto/rand" + "errors" +- "fmt" + "regexp" +- "strconv" +- +- "filippo.io/age/internal/format" +- "golang.org/x/crypto/chacha20poly1305" +- "golang.org/x/crypto/scrypt" + ) + + const scryptLabel = "age-encryption.org/v1/scrypt" +@@ -61,30 +54,7 @@ func (r *ScryptRecipient) SetWorkFactor(logN int) { + const scryptSaltSize = 16 + + func (r *ScryptRecipient) Wrap(fileKey []byte) ([]*Stanza, error) { +- salt := make([]byte, scryptSaltSize) +- if _, err := rand.Read(salt[:]); err != nil { +- return nil, err +- } +- +- logN := r.workFactor 
+- l := &Stanza{ +- Type: "scrypt", +- Args: []string{format.EncodeToString(salt), strconv.Itoa(logN)}, +- } +- +- salt = append([]byte(scryptLabel), salt...) +- k, err := scrypt.Key(r.password, salt, 1< i.maxWorkFactor { +- return nil, fmt.Errorf("scrypt work factor too large: %v", logN) +- } +- if logN <= 0 { // unreachable +- return nil, fmt.Errorf("invalid scrypt work factor: %v", logN) +- } +- +- salt = append([]byte(scryptLabel), salt...) +- k, err := scrypt.Key(i.password, salt, 1< 32 { +- return "", errors.New("square/go-jose: invalid elliptic key (too large)") +- } +- return fmt.Sprintf(edThumbprintTemplate, crv, +- newFixedSizeBuffer(ed, 32).base64()), nil +-} +- + // Thumbprint computes the JWK Thumbprint of a key using the + // indicated hash algorithm. + func (k *JSONWebKey) Thumbprint(hash crypto.Hash) ([]byte, error) { + var input string + var err error + switch key := k.Key.(type) { +- case ed25519.PublicKey: +- input, err = edThumbprintInput(key) + case *ecdsa.PublicKey: + input, err = ecThumbprintInput(key.Curve, key.X, key.Y) + case *ecdsa.PrivateKey: +@@ -381,8 +356,6 @@ func (k *JSONWebKey) Thumbprint(hash crypto.Hash) ([]byte, error) { + input, err = rsaThumbprintInput(key.N, key.E) + case *rsa.PrivateKey: + input, err = rsaThumbprintInput(key.N, key.E) +- case ed25519.PrivateKey: +- input, err = edThumbprintInput(ed25519.PublicKey(key[32:])) + default: + return nil, fmt.Errorf("square/go-jose: unknown key type '%s'", reflect.TypeOf(key)) } - return b.String(), nil -+ */ -+ return "", nil +@@ -399,7 +372,7 @@ func (k *JSONWebKey) Thumbprint(hash crypto.Hash) ([]byte, error) { + // IsPublic returns true if the JWK represents a public key (not symmetric, not private). 
+ func (k *JSONWebKey) IsPublic() bool { + switch k.Key.(type) { +- case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey: ++ case *ecdsa.PublicKey, *rsa.PublicKey: + return true + default: + return false +@@ -417,8 +390,6 @@ func (k *JSONWebKey) Public() JSONWebKey { + ret.Key = key.Public() + case *rsa.PrivateKey: + ret.Key = key.Public() +- case ed25519.PrivateKey: +- ret.Key = key.Public() + default: + return JSONWebKey{} // returning invalid key + } +@@ -447,14 +418,6 @@ func (k *JSONWebKey) Valid() bool { + if key.N == nil || key.E == 0 || key.D == nil || len(key.Primes) < 2 { + return false + } +- case ed25519.PublicKey: +- if len(key) != 32 { +- return false +- } +- case ed25519.PrivateKey: +- if len(key) != 64 { +- return false +- } + default: + return false + } +@@ -472,14 +435,6 @@ func (key rawJSONWebKey) rsaPublicKey() (*rsa.PublicKey, error) { + }, nil } - // buildTreeHelper converts a given index.Index file into multiple git objects +-func fromEdPublicKey(pub ed25519.PublicKey) *rawJSONWebKey { +- return &rawJSONWebKey{ +- Kty: "OKP", +- Crv: "Ed25519", +- X: newBuffer(pub), +- } +-} +- + func fromRsaPublicKey(pub *rsa.PublicKey) *rawJSONWebKey { + return &rawJSONWebKey{ + Kty: "RSA", +@@ -559,36 +514,6 @@ func fromEcPublicKey(pub *ecdsa.PublicKey) (*rawJSONWebKey, error) { + return key, nil + } + +-func (key rawJSONWebKey) edPrivateKey() (ed25519.PrivateKey, error) { +- var missing []string +- switch { +- case key.D == nil: +- missing = append(missing, "D") +- case key.X == nil: +- missing = append(missing, "X") +- } +- +- if len(missing) > 0 { +- return nil, fmt.Errorf("square/go-jose: invalid Ed25519 private key, missing %s value(s)", strings.Join(missing, ", ")) +- } +- +- privateKey := make([]byte, ed25519.PrivateKeySize) +- copy(privateKey[0:32], key.D.bytes()) +- copy(privateKey[32:], key.X.bytes()) +- rv := ed25519.PrivateKey(privateKey) +- return rv, nil +-} +- +-func (key rawJSONWebKey) edPublicKey() (ed25519.PublicKey, error) { +- if 
key.X == nil { +- return nil, fmt.Errorf("square/go-jose: invalid Ed key, missing x value") +- } +- publicKey := make([]byte, ed25519.PublicKeySize) +- copy(publicKey[0:32], key.X.bytes()) +- rv := ed25519.PublicKey(publicKey) +- return rv, nil +-} +- + func (key rawJSONWebKey) rsaPrivateKey() (*rsa.PrivateKey, error) { + var missing []string + switch { +@@ -634,13 +559,6 @@ func (key rawJSONWebKey) rsaPrivateKey() (*rsa.PrivateKey, error) { + return rv, err + } + +-func fromEdPrivateKey(ed ed25519.PrivateKey) (*rawJSONWebKey, error) { +- raw := fromEdPublicKey(ed25519.PublicKey(ed[32:])) +- +- raw.D = newBuffer(ed[0:32]) +- return raw, nil +-} +- + func fromRsaPrivateKey(rsa *rsa.PrivateKey) (*rawJSONWebKey, error) { + if len(rsa.Primes) != 2 { + return nil, ErrUnsupportedKeyType +diff --git a/vendor/gopkg.in/square/go-jose.v2/signing.go b/vendor/gopkg.in/square/go-jose.v2/signing.go +index bad820c..8065475 100644 +--- a/vendor/gopkg.in/square/go-jose.v2/signing.go ++++ b/vendor/gopkg.in/square/go-jose.v2/signing.go +@@ -24,8 +24,6 @@ import ( + "errors" + "fmt" + +- "golang.org/x/crypto/ed25519" +- + "gopkg.in/square/go-jose.v2/json" + ) + +@@ -154,10 +152,6 @@ func NewMultiSigner(sigs []SigningKey, opts *SignerOptions) (Signer, error) { + // newVerifier creates a verifier based on the key type + func newVerifier(verificationKey interface{}) (payloadVerifier, error) { + switch verificationKey := verificationKey.(type) { +- case ed25519.PublicKey: +- return &edEncrypterVerifier{ +- publicKey: verificationKey, +- }, nil + case *rsa.PublicKey: + return &rsaEncrypterVerifier{ + publicKey: verificationKey, +@@ -193,8 +187,6 @@ func (ctx *genericSigner) addRecipient(alg SignatureAlgorithm, signingKey interf + + func makeJWSRecipient(alg SignatureAlgorithm, signingKey interface{}) (recipientSigInfo, error) { + switch signingKey := signingKey.(type) { +- case ed25519.PrivateKey: +- return newEd25519Signer(alg, signingKey) + case *rsa.PrivateKey: + return 
newRSASigner(alg, signingKey) + case *ecdsa.PrivateKey: +diff --git a/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope.go b/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope.go +index 4bb18ee8..a3342a76 100644 +--- a/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope.go ++++ b/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope.go +@@ -23,14 +23,11 @@ import ( + "crypto/cipher" + "crypto/rand" + "encoding/base64" +- "fmt" + "time" + + "k8s.io/apiserver/pkg/storage/value" + "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics" + "k8s.io/utils/lru" +- +- "golang.org/x/crypto/cryptobyte" + ) + + func init() { +@@ -82,75 +79,12 @@ func NewEnvelopeTransformer(envelopeService Service, cacheSize int, baseTransfor + + // TransformFromStorage decrypts data encrypted by this transformer using envelope encryption. + func (t *envelopeTransformer) TransformFromStorage(ctx context.Context, data []byte, dataCtx value.Context) ([]byte, bool, error) { +- metrics.RecordArrival(metrics.FromStorageLabel, time.Now()) +- +- // Read the 16 bit length-of-DEK encoded at the start of the encrypted DEK. 16 bits can +- // represent a maximum key length of 65536 bytes. We are using a 256 bit key, whose +- // length cannot fit in 8 bits (1 byte). Thus, we use 16 bits (2 bytes) to store the length. +- var encKey cryptobyte.String +- s := cryptobyte.String(data) +- if ok := s.ReadUint16LengthPrefixed(&encKey); !ok { +- return nil, false, fmt.Errorf("invalid data encountered by envelope transformer: failed to read uint16 length prefixed data") +- } +- +- encData := []byte(s) +- +- // Look up the decrypted DEK from cache or Envelope. 
+- transformer := t.getTransformer(encKey) +- if transformer == nil { +- if t.cacheEnabled { +- value.RecordCacheMiss() +- } +- key, err := t.envelopeService.Decrypt(encKey) +- if err != nil { +- // Do NOT wrap this err using fmt.Errorf() or similar functions +- // because this gRPC status error has useful error code when +- // record the metric. +- return nil, false, err +- } +- +- transformer, err = t.addTransformer(encKey, key) +- if err != nil { +- return nil, false, err +- } +- } +- +- return transformer.TransformFromStorage(ctx, encData, dataCtx) ++ panic("cryptobyte cipher not available") + } + + // TransformToStorage encrypts data to be written to disk using envelope encryption. + func (t *envelopeTransformer) TransformToStorage(ctx context.Context, data []byte, dataCtx value.Context) ([]byte, error) { +- metrics.RecordArrival(metrics.ToStorageLabel, time.Now()) +- newKey, err := generateKey(32) +- if err != nil { +- return nil, err +- } +- +- encKey, err := t.envelopeService.Encrypt(newKey) +- if err != nil { +- // Do NOT wrap this err using fmt.Errorf() or similar functions +- // because this gRPC status error has useful error code when +- // record the metric. +- return nil, err +- } +- +- transformer, err := t.addTransformer(encKey, newKey) +- if err != nil { +- return nil, err +- } +- +- result, err := transformer.TransformToStorage(ctx, data, dataCtx) +- if err != nil { +- return nil, err +- } +- // Append the length of the encrypted DEK as the first 2 bytes. 
+- b := cryptobyte.NewBuilder(nil) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes([]byte(encKey)) +- }) +- b.AddBytes(result) +- +- return b.Bytes() ++ panic("cryptobyte cipher not available") + } + + var _ value.Transformer = &envelopeTransformer{} +diff --git a/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/aes/aes_extended_nonce.go b/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/aes/aes_extended_nonce.go +index cf8f3930..de4d145f 100644 +--- a/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/aes/aes_extended_nonce.go ++++ b/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/aes/aes_extended_nonce.go +@@ -20,14 +20,10 @@ import ( + "bytes" + "context" + "crypto/aes" +- "crypto/sha256" + "errors" + "fmt" +- "io" + "time" + +- "golang.org/x/crypto/hkdf" +- + "k8s.io/apiserver/pkg/storage/value" + "k8s.io/utils/clock" + ) +@@ -132,14 +128,7 @@ func (e *extendedNonceGCM) derivedKeyTransformer(info []byte, dataCtx value.Cont + } + + func (e *extendedNonceGCM) sha256KDFExpandOnly(info []byte) ([]byte, error) { +- kdf := hkdf.Expand(sha256.New, e.seed, info) +- +- derivedKey := make([]byte, derivedKeySizeExtendedNonceGCM) +- if _, err := io.ReadFull(kdf, derivedKey); err != nil { +- return nil, fmt.Errorf("failed to read a derived key from KDF: %w", err) +- } +- +- return derivedKey, nil ++ panic("hkdf cipher not available") + } + + func newGCMTransformerWithInfo(key, info []byte) (*transformerWithInfo, error) { + +diff --git a/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go b/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go +index 45d5db58..db3bd2f9 100644 +--- a/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go ++++ b/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go +@@ -23,12 +23,10 @@ import ( + "crypto/cipher" + "crypto/sha256" + "fmt" +- "sort" + "time" + "unsafe" + + "github.com/gogo/protobuf/proto" +- 
"golang.org/x/crypto/cryptobyte" + + utilerrors "k8s.io/apimachinery/pkg/util/errors" + "k8s.io/apimachinery/pkg/util/uuid" +@@ -418,41 +416,7 @@ func getRequestInfoFromContext(ctx context.Context) *genericapirequest.RequestIn + // a. annotation key + // b. annotation value + func generateCacheKey(encryptedDEKSourceType kmstypes.EncryptedDEKSourceType, encryptedDEKSource []byte, keyID string, annotations map[string][]byte) ([]byte, error) { +- // TODO(aramase): use sync pool buffer to avoid allocations +- b := cryptobyte.NewBuilder(nil) +- b.AddUint32(uint32(encryptedDEKSourceType)) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(encryptedDEKSource) +- }) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(toBytes(keyID)) +- }) +- if len(annotations) == 0 { +- return b.Bytes() +- } +- +- // add the length of annotations to the cache key +- b.AddUint32(uint32(len(annotations))) +- +- // Sort the annotations by key. +- keys := make([]string, 0, len(annotations)) +- for k := range annotations { +- k := k +- keys = append(keys, k) +- } +- sort.Strings(keys) +- for _, k := range keys { +- // The maximum size of annotations is annotationsMaxSize (32 kB) so we can safely +- // assume that the length of the key and value will fit in a uint16. 
+- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(toBytes(k)) +- }) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(annotations[k]) +- }) +- } +- +- return b.Bytes() ++ panic("cryptobyte cipher not available") + } + + // toBytes performs unholy acts to avoid allocations + +diff --git a/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/secretbox/secretbox.go b/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/secretbox/secretbox.go +index 9aec8acd..d0a19c71 100644 +--- a/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/secretbox/secretbox.go ++++ b/vendor/k8s.io/apiserver/pkg/storage/value/encrypt/secretbox/secretbox.go +@@ -19,10 +19,6 @@ package secretbox + + import ( + "context" +- "crypto/rand" +- "fmt" +- +- "golang.org/x/crypto/nacl/secretbox" + + "k8s.io/apiserver/pkg/storage/value" + ) +@@ -43,28 +39,9 @@ func NewSecretboxTransformer(key [32]byte) value.Transformer { + } + + func (t *secretboxTransformer) TransformFromStorage(ctx context.Context, data []byte, dataCtx value.Context) ([]byte, bool, error) { +- if len(data) < (secretbox.Overhead + nonceSize) { +- return nil, false, fmt.Errorf("the stored data was shorter than the required size") +- } +- var nonce [nonceSize]byte +- copy(nonce[:], data[:nonceSize]) +- data = data[nonceSize:] +- out := make([]byte, 0, len(data)-secretbox.Overhead) +- result, ok := secretbox.Open(out, data, &nonce, &t.key) +- if !ok { +- return nil, false, fmt.Errorf("output array was not large enough for encryption") +- } +- return result, false, nil ++ panic("nacl cipher not available") + } + + func (t *secretboxTransformer) TransformToStorage(ctx context.Context, data []byte, dataCtx value.Context) ([]byte, error) { +- var nonce [nonceSize]byte +- n, err := rand.Read(nonce[:]) +- if err != nil { +- return nil, err +- } +- if n != nonceSize { +- return nil, fmt.Errorf("unable to read sufficient random bytes") +- } +- return secretbox.Seal(nonce[:], data, &nonce, &t.key), nil ++ 
panic("nacl cipher not available") + } + +diff --git a/vendor/k8s.io/apiserver/pkg/server/config.go b/vendor/k8s.io/apiserver/pkg/server/config.go +index d678f52d..da4abbae 100644 +--- a/vendor/k8s.io/apiserver/pkg/server/config.go ++++ b/vendor/k8s.io/apiserver/pkg/server/config.go +@@ -18,8 +18,6 @@ package server + + import ( + "context" +- "crypto/sha256" +- "encoding/base32" + "fmt" + "net" + "net/http" +@@ -34,7 +32,6 @@ import ( + + jsonpatch "github.com/evanphx/json-patch" + "github.com/google/uuid" +- "golang.org/x/crypto/cryptobyte" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" +@@ -374,29 +371,7 @@ func NewConfig(codecs serializer.CodecFactory) *Config { + defaultHealthChecks := []healthz.HealthChecker{healthz.PingHealthz, healthz.LogHealthz} + var id string + if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.APIServerIdentity) { +- hostname, err := hostnameFunc() +- if err != nil { +- klog.Fatalf("error getting hostname for apiserver identity: %v", err) +- } +- +- // Since the hash needs to be unique across each kube-apiserver and aggregated apiservers, +- // the hash used for the identity should include both the hostname and the identity value. +- // TODO: receive the identity value as a parameter once the apiserver identity lease controller +- // post start hook is moved to generic apiserver. +- b := cryptobyte.NewBuilder(nil) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes([]byte(hostname)) +- }) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes([]byte("kube-apiserver")) +- }) +- hashData, err := b.Bytes() +- if err != nil { +- klog.Fatalf("error building hash data for apiserver identity: %v", err) +- } +- +- hash := sha256.Sum256(hashData) +- id = "apiserver-" + strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(hash[:16])) ++ panic("cryptobyte cipher not available") + } + lifecycleSignals := newLifecycleSignals() 
diff --git a/1002-vendor-use-pbkdf2-from-OpenSSL.patch b/1002-vendor-use-pbkdf2-from-OpenSSL.patch
index 48a4536..ad92fb1 100644
--- a/1002-vendor-use-pbkdf2-from-OpenSSL.patch
+++ b/1002-vendor-use-pbkdf2-from-OpenSSL.patch
@@ -23,7 +23,7 @@ index 0000000000..5a06918832
 +
 +package boring
 +
-+// #include "openssl_pbkdf2.h"
++// #include "/usr/lib/golang/src/vendor/github.com/golang-fips/openssl/v2/goopenssl.h"
 +// #cgo LDFLAGS: -ldl
 +import "C"
 +import (
@@ -39,14 +39,14 @@ index 0000000000..5a06918832
 + emptySha256 = sha256.Sum256([]byte{})
 +)
 +
-+func hashToMD(h hash.Hash) *C.GO_EVP_MD {
++func hashToMD(h hash.Hash) C.GO_EVP_MD_PTR {
 + emptyHash := h.Sum([]byte{})
 +
 + switch {
 + case bytes.Equal(emptyHash, emptySha1[:]):
-+ return C._goboringcrypto_EVP_sha1()
++ return C.go_openssl_EVP_sha1()
 + case bytes.Equal(emptyHash, emptySha256[:]):
-+ return C._goboringcrypto_EVP_sha256()
++ return C.go_openssl_EVP_sha256()
 + }
 + return nil
 +}
@@ -78,7 +78,7 @@ index 0000000000..5a06918832
 + }
 +
 + out := make([]byte, keyLen)
-+ ok := C._goboringcrypto_PKCS5_PBKDF2_HMAC(charptr(password), C.int(len(password)), ucharptr(salt), C.int(len(salt)), C.int(iter), md, C.int(keyLen), ucharptr(out))
++ ok := C.go_openssl_PKCS5_PBKDF2_HMAC(charptr(password), C.int(len(password)), ucharptr(salt), C.int(len(salt)), C.int(iter), md, C.int(keyLen), ucharptr(out))
 + if ok != 1 {
 + panic("boringcrypto: PKCS5_PBKDF2_HMAC failed")
 + }
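Review bot: The new cgo preamble line `// #include "/usr/lib/golang/src/vendor/github.com/golang-fips/openssl/v2/goopenssl.h"` pulls the header by absolute path from the installed Go toolchain, so the KDF binding is compiled against whatever that package ships on the build host. The path already had to move from `openssl-fips/openssl` to `openssl/v2` in this rebase, and the local `DEFINEFUNC` wrapper is deleted further down, so the build now also relies on that header declaring `go_openssl_PKCS5_PBKDF2_HMAC` itself. I would record the coupling next to the include, for example `// NOTE: header and go_openssl_* symbols come from the golang-fips toolchain; keep in sync with the golang BuildRequires`. Whether the spec pins a matching toolchain version is not visible here.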
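Review bot: `hashToMD` has no comment stating its contract, and the fallthrough `return nil` is easy to miss now that the return type is the opaque `C.GO_EVP_MD_PTR`. From the visible lines it recognises the hash only by comparing the digest of empty input against SHA-1 and SHA-256, so any other hash (SHA-512, for instance) yields a nil digest pointer. A doc comment such as `// hashToMD maps h to an OpenSSL digest by its empty-input sum; only SHA-1 and SHA-256 are supported, nil otherwise.` would make that explicit. How the caller treats nil lies between this hunk and the next, so it cannot be checked from here.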
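Review bot: The renamed call still narrows `iter` and `keyLen` with `C.int(...)` without a range check, while `out` is allocated with the full Go `keyLen`. A value above the C int range would reach OpenSSL truncated or negative, and if the call still reported success the tail of `out` would stay zero and be returned as key material. A guard ahead of the allocation closes that: `if iter > math.MaxInt32 || keyLen > math.MaxInt32 { panic("boringcrypto: PBKDF2 parameter out of range") }` (needs `math` imported). The start of the function is outside the hunk, so an existing check there cannot be ruled out.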
@@ -106,17 +106,6 @@ index 0000000000..e244fb5663
 +func Pbkdf2Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
 + panic("boringcrypto: not available")
 +}
-diff --git a/vendor/golang.org/x/crypto/internal/boring/openssl_pbkdf2.h b/vendor/golang.org/x/crypto/internal/boring/openssl_pbkdf2.h
-new file mode 100644
-index 0000000000..6dfdf10424
---- /dev/null
-+++ b/vendor/golang.org/x/crypto/internal/boring/openssl_pbkdf2.h
-@@ -0,0 +1,5 @@
-+#include "/usr/lib/golang/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h"
-+
-+DEFINEFUNC(int, PKCS5_PBKDF2_HMAC,
-+ (const char *pass, int passlen, const unsigned char *salt, int saltlen, int iter, EVP_MD *digest, int keylen, unsigned char *out),
-+ (pass, passlen, salt, saltlen, iter, digest, keylen, out))
 diff --git a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
 index 593f653008..799a611f94 100644
 --- a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
diff --git a/create_bundles.sh b/create_bundles.sh
index 647ad5c..feb9994 100755
--- a/create_bundles.sh
+++ b/create_bundles.sh
@@ -30,9 +30,28 @@ make gen-go
 rm -r vendor/golang.org/x/crypto/bcrypt
 rm -r vendor/golang.org/x/crypto/blowfish
 rm -r vendor/golang.org/x/crypto/cast5
-rm -r vendor/golang.org/x/crypto/openpgp/elgamal
-rm vendor/golang.org/x/crypto/openpgp/packet/ocfb.go
-rm -r vendor/golang.org/x/crypto/pkcs12/internal/rc2
+rm -r vendor/golang.org/x/crypto/acme
+rm -r vendor/golang.org/x/crypto/argon2
+rm -r vendor/golang.org/x/crypto/blake2b
+rm -r vendor/golang.org/x/crypto/chacha20
+rm -r vendor/golang.org/x/crypto/chacha20poly1305
+rm -r vendor/golang.org/x/crypto/cryptobyte
+rm -r vendor/golang.org/x/crypto/curve25519
+rm -r vendor/golang.org/x/crypto/ed25519
+rm -r vendor/golang.org/x/crypto/hkdf
+rm -r vendor/golang.org/x/crypto/internal
+rm -r vendor/golang.org/x/crypto/md4
+rm -r vendor/golang.org/x/crypto/nacl
+rm -r vendor/golang.org/x/crypto/openpgp
+rm -r vendor/golang.org/x/crypto/pkcs12
+rm -r vendor/golang.org/x/crypto/poly1305
+rm -r vendor/golang.org/x/crypto/salsa20
+rm -r vendor/golang.org/x/crypto/scrypt
+rm -r vendor/golang.org/x/crypto/sha3
+
+# Remove unused code under apsl licenses
+rm -r vendor/modernc.org/libc
+rm -r vendor/modernc.org/sqlite
 # List bundled dependencies
 awk '$2 ~ /^v/ && $4 != "indirect" {print "Provides: bundled(golang(" $1 ")) = " substr($2, 2)}' go.mod | \
diff --git a/create_bundles_in_container.sh b/create_bundles_in_container.sh
index bbed4ca..216efab 100755
--- a/create_bundles_in_container.sh
+++ b/create_bundles_in_container.sh
@@ -6,7 +6,7 @@ # cat <
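Review bot: The enlarged `rm -r vendor/golang.org/x/crypto/...` list in create_bundles.sh carries no comment tying it to the vendor patch that has to stub every remaining importer, and several of these packages are still referenced by vendored code. In the vendor patch shown above, callers of `cryptobyte`, `hkdf` and `nacl` are replaced with `panic(...)`, including the storage `TransformFromStorage`/`TransformToStorage` methods and the `APIServerIdentity` branch of `NewConfig`. A stubbed path that turns out to be reachable therefore fails at run time, not at build time. I would add a header to the block, for example `# Removed crypto packages: every remaining importer must be stubbed in the removed-backend-crypto vendor patch; re-check the list on each rebase`. The existing `# Remove unused code under apsl licenses` comment would also be clearer with the licence name spelled out.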