[fix][sec] Bump golang.org/x/net to address CVE-2025-22870, requires go 1.23

.github/workflows/bot.yml

@@ -22,7 +22,7 @@ on:
 
 jobs:
   pulsarbot:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     timeout-minutes: 10
     if: github.event_name == 'issue_comment' && contains(github.event.comment.body, '/pulsarbot')
     steps:

.github/workflows/ci.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go-version: [ '1.22', '1.23' ]
+        go-version: [ '1.23', '1.24' ]
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v5
@@ -36,7 +36,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: '1.23'
       - name: Check license header
         run: docker run --rm -v $(pwd):/github/workspace ghcr.io/korandoru/hawkeye-native:v3 check
       - name: Run golangci-lint
@@ -48,7 +48,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go-version: [ '1.22', '1.23' ]
+        go-version: [ '1.23', '1.24' ]
     steps:
       - uses: actions/checkout@v3
       - name: Check for Docker images

Dockerfile

@@ -19,7 +19,7 @@
 # set via the Makefile or CLI
 ARG PULSAR_IMAGE=apachepulsar/pulsar:latest
 
-ARG GO_VERSION=1.22
+ARG GO_VERSION=1.23
 FROM golang:$GO_VERSION as golang
 
 FROM $PULSAR_IMAGE

Makefile

@@ -18,15 +18,23 @@
 #
 
 IMAGE_NAME = pulsar-client-go-test:latest
-PULSAR_VERSION ?= 4.0.0
+PULSAR_VERSION ?= latest
 PULSAR_IMAGE = apachepulsar/pulsar:$(PULSAR_VERSION)
-GO_VERSION ?= 1.22
+GO_VERSION ?= 1.23
 CONTAINER_ARCH ?= $(shell uname -m | sed s/x86_64/amd64/)
 
 # Golang standard bin directory.
 GOPATH ?= $(shell go env GOPATH)
 GOROOT ?= $(shell go env GOROOT)
 
+# Pass "-race" to go test if TEST_RACE is set to 1
+TEST_RACE ?= 1
+# Pass "-coverprofile" to go test if TEST_COVERAGE is set to 1
+TEST_COVERAGE ?= 0
+
+# Common docker run arguments for test containers
+DOCKER_TEST_ARGS = --rm -i -e TEST_RACE=${TEST_RACE} -e TEST_COVERAGE=${TEST_COVERAGE} ${IMAGE_NAME}
+
 build:
 	go build ./pulsar
 	go build ./pulsaradmin
@@ -53,23 +61,23 @@ container:
 test: container test_standalone test_clustered test_extensible_load_manager
 
 test_standalone: container
-	docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -i ${IMAGE_NAME} bash -c "cd /pulsar/pulsar-client-go && ./scripts/run-ci.sh"
+	docker run -v /var/run/docker.sock:/var/run/docker.sock ${DOCKER_TEST_ARGS} bash -c "cd /pulsar/pulsar-client-go && ./scripts/run-ci.sh"
 
 test_clustered: container
 	PULSAR_VERSION=${PULSAR_VERSION} docker compose -f integration-tests/clustered/docker-compose.yml up -d
 	until curl http://localhost:8080/metrics > /dev/null 2>&1; do sleep 1; done
-	docker run --rm --network "clustered_pulsar" -i ${IMAGE_NAME} bash -c "cd /pulsar/pulsar-client-go && ./scripts/run-ci-clustered.sh"
+	docker run --network=clustered_pulsar ${DOCKER_TEST_ARGS} bash -c "cd /pulsar/pulsar-client-go && ./scripts/run-ci-clustered.sh"
 	PULSAR_VERSION=${PULSAR_VERSION} docker compose -f integration-tests/clustered/docker-compose.yml down
 
 test_extensible_load_manager: container
 	PULSAR_VERSION=${PULSAR_VERSION} docker compose -f integration-tests/extensible-load-manager/docker-compose.yml up -d
 	until curl http://localhost:8080/metrics > /dev/null 2>&1; do sleep 1; done
-	docker run --rm --network "extensible-load-manager_pulsar" -i ${IMAGE_NAME} bash -c "cd /pulsar/pulsar-client-go && ./scripts/run-ci-extensible-load-manager.sh"
+	docker run --network=extensible-load-manager_pulsar ${DOCKER_TEST_ARGS} bash -c "cd /pulsar/pulsar-client-go && ./scripts/run-ci-extensible-load-manager.sh"
 
 	PULSAR_VERSION=${PULSAR_VERSION} docker compose -f integration-tests/blue-green/docker-compose.yml up -d
 	until curl http://localhost:8081/metrics > /dev/null 2>&1 ; do sleep 1; done
 
-	docker run --rm --network="extensible-load-manager_pulsar" -i ${IMAGE_NAME} bash -c "cd /pulsar/pulsar-client-go && ./scripts/run-ci-blue-green-cluster.sh"
+	docker run --network=extensible-load-manager_pulsar ${DOCKER_TEST_ARGS} bash -c "cd /pulsar/pulsar-client-go && ./scripts/run-ci-blue-green-cluster.sh"
 	PULSAR_VERSION=${PULSAR_VERSION} docker compose -f integration-tests/blue-green/docker-compose.yml down
 	PULSAR_VERSION=${PULSAR_VERSION} docker compose -f integration-tests/extensible-load-manager/docker-compose.yml down
 

README.md

@@ -38,7 +38,7 @@ CGo-based library.
 
 ## Requirements
 
-- Go 1.22+
+- Go 1.23+
 
 ## Status
 
@@ -148,7 +148,7 @@ Run the tests:
 
 Run the tests with specific versions of GOLANG and PULSAR:
 
-    make test GO_VERSION=1.22 PULSAR_VERSION=4.0.0
+    make test GO_VERSION=1.23 PULSAR_VERSION=4.0.3
 
 ## Contributing
 

go.mod

@@ -1,6 +1,6 @@
 module github.com/apache/pulsar-client-go
 
-go 1.22
+go 1.23.0
 
 require (
 	github.com/99designs/keyring v1.2.1
@@ -93,11 +93,11 @@ require (
 	go.opentelemetry.io/otel v1.24.0 // indirect
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
-	golang.org/x/crypto v0.31.0 // indirect
-	golang.org/x/net v0.33.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
-	golang.org/x/term v0.27.0 // indirect
-	golang.org/x/text v0.21.0 // indirect
+	golang.org/x/crypto v0.36.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/term v0.30.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240318140521-94a12d6c2237 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect

go.sum

@@ -254,8 +254,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0=
@@ -269,8 +269,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
-golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
 golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -297,17 +297,17 @@ golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
-golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

pulsar/consumer_test.go

@@ -546,13 +546,19 @@ func TestPartitionTopicsConsumerPubSubEncryption(t *testing.T) {
 
 	makeHTTPCall(t, http.MethodPut, testURL, "6")
 
-	// create producer
+	// Verify encryption keys exist
+	keyReader := crypto.NewFileKeyReader("crypto/testdata/pub_key_rsa.pem", "crypto/testdata/pri_key_rsa.pem")
+	_, err = keyReader.PublicKey("client-rsa.pem", nil)
+	assert.Nil(t, err, "Failed to load public key")
+	_, err = keyReader.PrivateKey("client-rsa.pem", nil)
+	assert.Nil(t, err, "Failed to load private key")
+
+	// create producer with encryption
 	producer, err := client.CreateProducer(ProducerOptions{
 		Topic: topic,
 		Encryption: &ProducerEncryptionInfo{
-			KeyReader: crypto.NewFileKeyReader("crypto/testdata/pub_key_rsa.pem",
-				"crypto/testdata/pri_key_rsa.pem"),
-			Keys: []string{"client-rsa.pem"},
+			KeyReader: keyReader,
+			Keys:      []string{"client-rsa.pem"},
 		},
 	})
 	assert.Nil(t, err)
@@ -564,21 +570,24 @@ func TestPartitionTopicsConsumerPubSubEncryption(t *testing.T) {
 	assert.Equal(t, topic+"-partition-1", topics[1])
 	assert.Equal(t, topic+"-partition-2", topics[2])
 
+	// create consumer with encryption
 	consumer, err := client.Subscribe(ConsumerOptions{
 		Topic:             topic,
 		SubscriptionName:  "my-sub",
 		Type:              Exclusive,
 		ReceiverQueueSize: 10,
 		Decryption: &MessageDecryptionInfo{
-			KeyReader: crypto.NewFileKeyReader("crypto/testdata/pub_key_rsa.pem",
-				"crypto/testdata/pri_key_rsa.pem"),
+			KeyReader:                   keyReader,
 			ConsumerCryptoFailureAction: crypto.ConsumerCryptoFailureActionFail,
 		},
 	})
 	assert.Nil(t, err)
 	defer consumer.Close()
 
-	ctx := context.Background()
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	// Send messages with encryption
 	for i := 0; i < 10; i++ {
 		_, err := producer.Send(ctx, &ProducerMessage{
 			Payload: []byte(fmt.Sprintf("hello-%d", i)),
@@ -588,6 +597,7 @@ func TestPartitionTopicsConsumerPubSubEncryption(t *testing.T) {
 
 	msgs := make([]string, 0)
 
+	// Receive messages with encryption
 	for i := 0; i < 10; i++ {
 		msg, err := consumer.Receive(ctx)
 		assert.Nil(t, err)

scripts/pulsar-test-service-start.sh

@@ -24,6 +24,9 @@ cd $SRC_DIR
 
 IMAGE_NAME=pulsar-client-go-test:latest
 
+export PULSAR_MEM="-Xms1g -Xmx1g -XX:MaxDirectMemorySize=1g"
+export PULSAR_STANDALONE_USE_ZOOKEEPER=1
+
 if [[ -f /.dockerenv ]]; then
     # When running tests inside docker
     PULSAR_ADMIN=/pulsar/bin/pulsar-admin
@@ -38,6 +41,8 @@ else
                 -p 6650:6650 \
                 -p 8443:8443 \
                 -p 6651:6651 \
+                -e PULSAR_MEM=${PULSAR_MEM} \
+                -e PULSAR_STANDALONE_USE_ZOOKEEPER=${PULSAR_STANDALONE_USE_ZOOKEEPER} \
                 ${IMAGE_NAME} \
                 /pulsar/bin/pulsar standalone \
                     --no-functions-worker --no-stream-storage

scripts/run-ci-blue-green-cluster.sh

@@ -16,7 +16,34 @@
 # specific language governing permissions and limitations
 # under the License.
 
-set -e -x
+set -x
 
-go test -race -coverprofile=/tmp/coverage-blue_green_topic_migration -timeout=5m -tags extensible_load_manager -v -run TestBlueGreenMigrationTestSuite ./pulsar
-go tool cover -html=/tmp/coverage-blue_green_topic_migration -o coverage-blue_green_topic_migration.html
+TEST_LOG=/tmp/test-log-$(date +%s).log
+
+# Default values for test configuration
+: "${TEST_RACE:=1}"
+: "${TEST_COVERAGE:=0}"
+
+# Build the test command dynamically
+TEST_CMD="go test"
+if [ "$TEST_RACE" = "1" ]; then
+    TEST_CMD="$TEST_CMD -race"
+fi
+if [ "$TEST_COVERAGE" = "1" ]; then
+    TEST_CMD="$TEST_CMD -coverprofile=/tmp/coverage-blue_green_topic_migration"
+fi
+TEST_CMD="$TEST_CMD -timeout=5m -tags extensible_load_manager -v -run TestBlueGreenMigrationTestSuite ./pulsar"
+
+$TEST_CMD 2>&1 | tee $TEST_LOG
+retval=$?
+if [ $retval -ne 0 ]; then
+    # Make it easier to find out which test failed
+    echo "Tests failed"
+    grep -- "--- FAIL: " $TEST_LOG
+    exit $retval
+else
+    echo "Tests passed"
+    if [ "$TEST_COVERAGE" = "1" ]; then
+        go tool cover -html=/tmp/coverage-blue_green_topic_migration -o coverage-blue_green_topic_migration.html
+    fi
+fi

scripts/run-ci-clustered.sh

@@ -16,8 +16,35 @@
 # specific language governing permissions and limitations
 # under the License.
 
-set -e -x
+set -x
 
-go test -race -coverprofile=/tmp/coverage -timeout=5m -tags clustered -v -run 'Test.*ClusteredTestSuite|TestTransactionDisabled' -v ./pulsar
-go tool cover -html=/tmp/coverage -o coverage.html
+TEST_LOG=/tmp/test-log-$(date +%s).log
+
+# Default values for test configuration
+: "${TEST_RACE:=1}"
+: "${TEST_COVERAGE:=0}"
+
+# Build the test command dynamically
+TEST_CMD="go test"
+if [ "$TEST_RACE" = "1" ]; then
+    TEST_CMD="$TEST_CMD -race"
+fi
+if [ "$TEST_COVERAGE" = "1" ]; then
+    TEST_CMD="$TEST_CMD -coverprofile=/tmp/coverage"
+fi
+TEST_CMD="$TEST_CMD -timeout=5m -tags clustered -v -run 'Test.*ClusteredTestSuite|TestTransactionDisabled' -v ./pulsar"
+
+$TEST_CMD 2>&1 | tee $TEST_LOG
+retval=$?
+if [ $retval -ne 0 ]; then
+    # Make it easier to find out which test failed
+    echo "Tests failed"
+    grep -- "--- FAIL: " $TEST_LOG
+    exit $retval
+else
+    echo "Tests passed"
+    if [ "$TEST_COVERAGE" = "1" ]; then
+        go tool cover -html=/tmp/coverage -o coverage.html
+    fi
+fi
 

scripts/run-ci-extensible-load-manager.sh

@@ -16,8 +16,35 @@
 # specific language governing permissions and limitations
 # under the License.
 
-set -e -x
+set -x
 
-go test -race -coverprofile=/tmp/coverage -timeout=5m -tags extensible_load_manager -v -run TestExtensibleLoadManagerTestSuite ./pulsar
-go tool cover -html=/tmp/coverage -o coverage.html
+TEST_LOG=/tmp/test-log-$(date +%s).log
+
+# Default values for test configuration
+: "${TEST_RACE:=1}"
+: "${TEST_COVERAGE:=0}"
+
+# Build the test command dynamically
+TEST_CMD="go test"
+if [ "$TEST_RACE" = "1" ]; then
+    TEST_CMD="$TEST_CMD -race"
+fi
+if [ "$TEST_COVERAGE" = "1" ]; then
+    TEST_CMD="$TEST_CMD -coverprofile=/tmp/coverage"
+fi
+TEST_CMD="$TEST_CMD -timeout=5m -tags extensible_load_manager -v -run TestExtensibleLoadManagerTestSuite ./pulsar"
+
+$TEST_CMD 2>&1 | tee $TEST_LOG
+retval=$?
+if [ $retval -ne 0 ]; then
+    # Make it easier to find out which test failed
+    echo "Tests failed"
+    grep -- "--- FAIL: " $TEST_LOG
+    exit $retval
+else
+    echo "Tests passed"
+    if [ "$TEST_COVERAGE" = "1" ]; then
+        go tool cover -html=/tmp/coverage -o coverage.html
+    fi
+fi