diff --git a/.github/actions/secure-download-artifact/action.yml b/.github/actions/secure-download-artifact/action.yml
index b2e6948dca..47d4ebec62 100644
--- a/.github/actions/secure-download-artifact/action.yml
+++ b/.github/actions/secure-download-artifact/action.yml
@@ -17,6 +17,19 @@ inputs:
 runs:
 using: "composite"
 steps:
+ - name: Validate the artifact path
+ shell: bash
+ env:
+ UNTRUSTED_PATH: "${{ inputs.path }}"
+ run: |
+
+ set -euo pipefail
+
+ if [ -e "$UNTRUSTED_PATH" ]; then
+ echo "Path $UNTRUSTED_PATH already exists"
+ exit 5
+ fi
+
 - name: Download the artifact
 uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v3.0.0
 with:
diff --git a/go.sum b/go.sum
index 44f8ef5814..1327855b1b 100644
--- a/go.sum
+++ b/go.sum
@@ -41,7 +41,6 @@ cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Ud cloud.google.com/go v0.98.0/go.mod h1:ua6Ush4NALrHk5QXDWnjvZHN93OuF0HfuEPq9I1X0cM= cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA= cloud.google.com/go v0.100.1/go.mod h1:fs4QogzfH5n2pBXBP9vRiU+eCny7lD2vmFZy79Iuw1U= -cloud.google.com/go v0.100.2 h1:t9Iw5QH5v4XtlEQaCtUY7x6sCABps8sW0acw7e2WQ6Y= cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A= cloud.google.com/go v0.102.0 h1:DAq3r8y4mDgyB/ZPJ9v/5VJNqjgJAxTn6ZYLlUywOu8= cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc=
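Review bot: The existence test in the added "Validate the artifact path" step uses only `-e`, which follows symbolic links, so a dangling symlink at `$UNTRUSTED_PATH` is reported as absent and the download step may then resolve it. Testing the link itself as well closes that gap: `if [ -e "$UNTRUSTED_PATH" ] || [ -L "$UNTRUSTED_PATH" ]; then`. Because the check and the download are separate steps, this guards against pre-existing entries rather than giving an atomic create; a comment above the step such as `# Refuse to overwrite: the artifact path must not exist (file, directory or symlink) before download.` would state that intent. The rest of the steps list, including the download step's `with:` block, lies outside the hunk.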
@@ -56,7 +55,6 @@ cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTB cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM= cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M= cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz/FMzPu0s= -cloud.google.com/go/compute v1.6.1 h1:2sMmt8prCn7DPaG4Pmh0N3Inmc8cT8ae5k1M6VJ9Wqc= cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU= cloud.google.com/go/compute v1.7.0 h1:v/k9Eueb8aAJ0vZuxKMrgm6kPhCLZU9HxFU+AFDs9Uk= cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U= @@ -116,8 +114,6 @@ github.com/Azure/azure-sdk-for-go v29.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9mo github.com/Azure/azure-sdk-for-go v30.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v46.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v60.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v65.0.0+incompatible h1:HzKLt3kIwMm4KeJYTdx9EbjRYTySD/t8i1Ee/W5EGXw= -github.com/Azure/azure-sdk-for-go v65.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v66.0.0+incompatible h1:bmmC38SlE8/E81nNADlgmVGurPWMHDX2YNXVQMrBpEE= github.com/Azure/azure-sdk-for-go v66.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-service-bus-go v0.9.1/go.mod h1:yzBx6/BUGfjfeqbRZny9AQIbIe3AcV9WZbAdpkoXOa0= 
@@ -279,40 +275,27 @@ github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN github.com/aws/aws-sdk-go v1.36.30/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= github.com/aws/aws-sdk-go v1.42.25/go.mod h1:gyRszuZ/icHmHAVE4gc/r+cfCmhA1AD+vqfWbgI+eHs= -github.com/aws/aws-sdk-go v1.44.22 h1:StP+vxaFzl445mSML6KzgiTcqpA+eVwbO5fMNvhVN7c= github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= github.com/aws/aws-sdk-go-v2 v1.7.1/go.mod h1:L5LuPC1ZgDr2xQS7AmIec/Jlc7O/Y1u2KxJyNVab250= github.com/aws/aws-sdk-go-v2 v1.14.0/go.mod h1:ZA3Y8V0LrlWj63MQAnRHgKf/5QB//LSZCPNWlWrNGLU= -github.com/aws/aws-sdk-go-v2 v1.16.4 h1:swQTEQUyJF/UkEA94/Ga55miiKFoXmm/Zd67XHgmjSg= -github.com/aws/aws-sdk-go-v2 v1.16.4/go.mod h1:ytwTPBG6fXTZLxxeeCCWj2/EMYp/xDUgX+OET6TLNNU= github.com/aws/aws-sdk-go-v2 v1.16.5 h1:Ah9h1TZD9E2S1LzHpViBO3Jz9FPL5+rmflmb8hXirtI= github.com/aws/aws-sdk-go-v2 v1.16.5/go.mod h1:Wh7MEsmEApyL5hrWzpDkba4gwAPc5/piwLVLFnCxp48= github.com/aws/aws-sdk-go-v2/config v1.5.0/go.mod h1:RWlPOAW3E3tbtNAqTwvSW54Of/yP3oiZXMI0xfUdjyA= -github.com/aws/aws-sdk-go-v2/config v1.14.0 h1:Yr8/7R6H8nqqfqgLATrcB83ax6FE2HcDXEB54XPhE98= -github.com/aws/aws-sdk-go-v2/config v1.14.0/go.mod h1:GKDRrvsq/PTaOYc9252u8Uah1hsIdtor4oIrFvUNPNM= github.com/aws/aws-sdk-go-v2/config v1.15.11 h1:qfec8AtiCqVbwMcx51G1yO2PYVfWfhp2lWkDH65V9HA= github.com/aws/aws-sdk-go-v2/config v1.15.11/go.mod h1:mD5tNFciV7YHNjPpFYqJ6KGpoSfY107oZULvTHIxtbI= github.com/aws/aws-sdk-go-v2/credentials v1.3.1/go.mod h1:r0n73xwsIVagq8RsxmZbGSRQFj9As3je72C2WzUIToc= -github.com/aws/aws-sdk-go-v2/credentials v1.9.0 h1:R3Q5s1uGLUg0aUzi+oRaUqRXhd17G/9+PiVnAwXp4sY= -github.com/aws/aws-sdk-go-v2/credentials v1.9.0/go.mod h1:PyHKqk/+tJuDY7T8R580S1j/AcSD+ODeUZ99CAUKLqQ= github.com/aws/aws-sdk-go-v2/credentials v1.12.6 h1:No1wZFW4bcM/uF6Tzzj6IbaeQJM+xxqXOYmoObm33ws= 
github.com/aws/aws-sdk-go-v2/credentials v1.12.6/go.mod h1:mQgnRmBPF2S/M01W4T4Obp3ZaZB6o1s/R8cOUda9vtI= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.3.0/go.mod h1:2LAuqPx1I6jNfaGDucWfA2zqQCYCOMCDHiCOciALyNw= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.11.0 h1:CkM4d3lNeMXMZ0BDX3BtCktnKA1Ftud84Hb6d+Ix4Rk= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.11.0/go.mod h1:rwdUKJV5rm+vHu1ncD1iGDqahBEL8O0tBjVqo9eO2N0= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.6 h1:+NZzDh/RpcQTpo9xMFUgkseIam6PC+YJbdhbQp1NOXI= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.6/go.mod h1:ClLMcuQA/wcHPmOIfNzNI4Y1Q0oDbmEkbYhMFOzHDh8= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.5 h1:+phazLmKkjBYhFTsGYH9J7jgnA8+Aer2yE4QeS4zn6A= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.5/go.mod h1:2hXc8ooJqF2nAznsbJQIn+7h851/bu8GVC80OVTTqf8= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.12 h1:Zt7DDk5V7SyQULUUwIKzsROtVzp/kVvcz15uQx/Tkow= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.12/go.mod h1:Afj/U8svX6sJ77Q+FPWMzabJ9QjbwP32YlopgKALUpg= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.3.0 h1:PO+HNeJBeRK0yVD9CQZ+VUrYfd5sXqS7YdPYHHcDkR4= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.3.0/go.mod h1:miRSv9l093jX/t/j+mBCaLqFHo9xKYzJ7DGm1BsGoJM= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.6 h1:eeXdGVtXEe+2Jc49+/vAzna3FAQnUD4AagAw8tzbmfc= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.6/go.mod h1:FwpAKI+FBPIELJIdmQzlLtRe8LQSOreMcM2wBsPMvvc= github.com/aws/aws-sdk-go-v2/internal/ini v1.1.1/go.mod h1:Zy8smImhTdOETZqfyn01iNOe0CNggVbPjCajyaz6Gvg= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.6 h1:c8s9EhIPVFMFS+R1+rtEghGrf7v83gSUWbcCYX/OPes= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.6/go.mod h1:o1ippSg3yJx5EuT4AOGXJCUcmt5vrcxla1cg6K1Q8Iw= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.13 h1:L/l0WbIpIadRO7i44jZh1/XeXpNDX0sokFppb4ZnXUI= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.13/go.mod 
h1:hiM/y1XPp3DoEPhoVEYc/CZcS58dP6RKJRDFp99wdX0= github.com/aws/aws-sdk-go-v2/service/ecr v1.4.1/go.mod h1:FglZcyeiBqcbvyinl+n14aT/EWC7S1MIH+Gan2iizt0= 
@@ -322,24 +305,17 @@ github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.4.1/go.mod h1:eD5Eo4drVP2FLTw0 github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.12.0 h1:LsqBpyRofMG6eDs6YGud6FhdGyIyXelAasPOZ6wWLro= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.12.0/go.mod h1:IArQ3IBR00FkuraKwudKZZU32OxJfdTdwV+W5iZh3Y4= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.2.1/go.mod h1:zceowr5Z1Nh2WVP8bf/3ikB41IZW59E4yIYbg+pC6mw= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.8.0 h1:JNMALY8/ZnFsfAzBHtC4gq8JeZPANmIoI2VaBgYzbf8= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.8.0/go.mod h1:rBDLgXDAwHOfxZKLRDl8OGTPzFDC+a2pLqNNj8+QwfI= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.6 h1:0ZxYAZ1cn7Swi/US55VKciCE6RhRHIwCKIWaMLdT6pg= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.6/go.mod h1:DxAPjquoEHf3rUHh1b9+47RAaXB8/7cB6jkzCt/GOEI= +github.com/aws/aws-sdk-go-v2/service/kms v1.17.3 h1:M9bIvNNpbtvDTlZC5I38Kn2yuinJZ/9L+AM2Qom23zI= github.com/aws/aws-sdk-go-v2/service/sso v1.3.1/go.mod h1:J3A3RGUvuCZjvSuZEcOpHDnzZP/sKbhDWV2T1EOzFIM= -github.com/aws/aws-sdk-go-v2/service/sso v1.10.0 h1:qCuSRiQhsPU46NH79HUyPQEn5AcpMj+2gsqMYwtzdw8= -github.com/aws/aws-sdk-go-v2/service/sso v1.10.0/go.mod h1:m1CRRFX7eH3EE6w0ntdu+lo+Ph9VS7y8qRV/vdym0ZY= github.com/aws/aws-sdk-go-v2/service/sso v1.11.9 h1:Gju1UO3E8ceuoYc/AHcdXLuTZ0WGE1PT2BYDwcYhJg8= github.com/aws/aws-sdk-go-v2/service/sso v1.11.9/go.mod h1:UqRD9bBt15P0ofRyDZX6CfsIqPpzeHOhZKWzgSuAzpo= github.com/aws/aws-sdk-go-v2/service/sts v1.6.0/go.mod h1:q7o0j7d7HrJk/vr9uUt3BVRASvcU7gYZB9PUgPiByXg= -github.com/aws/aws-sdk-go-v2/service/sts v1.15.0 h1:zC/vHxWTlqZ0tIPJItg0zWHsa25cH7tXsUknSGcH39o= -github.com/aws/aws-sdk-go-v2/service/sts v1.15.0/go.mod h1:E264g2Gl5U9KTGzmd8ypGEAoh75VmqyuA/Ox5O1eRE4= github.com/aws/aws-sdk-go-v2/service/sts v1.16.7 h1:HLzjwQM9975FQWSF3uENDGHT1gFQm/q3QXu2BYIcI08= github.com/aws/aws-sdk-go-v2/service/sts v1.16.7/go.mod 
h1:lVxTdiiSHY3jb1aeg+BBFtDzZGSUCv6qaNOyEGCJ1AY= github.com/aws/smithy-go v1.6.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E= github.com/aws/smithy-go v1.11.0/go.mod h1:3xHYmszWVx2c0kIwQeEVf9uSm4fYZt67FBJnwub1bgM= -github.com/aws/smithy-go v1.11.2 h1:eG/N+CcUMAvsdffgMvjMKwfyDzIkjM6pfxMJ8Mzc6mE= -github.com/aws/smithy-go v1.11.2/go.mod h1:3xHYmszWVx2c0kIwQeEVf9uSm4fYZt67FBJnwub1bgM= github.com/aws/smithy-go v1.11.3 h1:DQixirEFM9IaKxX1olZ3ke3nvxRS2xMDteKIDWxozW8= github.com/aws/smithy-go v1.11.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220228164355-396b2034c795 h1:IWeCJzU+IYaO2rVEBlGPTBfe90cmGXFTLdhUFlzDGsY= @@ -760,7 +736,7 @@ github.com/go-playground/validator/v10 v10.11.0/go.mod h1:i+3WkQ1FvaUjjxh1kSvIA4 github.com/go-redis/redis v6.15.8+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= github.com/go-redis/redis v6.15.9+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= github.com/go-rod/rod v0.101.8/go.mod h1:N/zlT53CfSpq74nb6rOR0K8UF0SPUPBmzBnArrms+mY= -github.com/go-rod/rod v0.106.8 h1:pVMVz0jMtLVyx8FhJEEA6l+EY9Iw/nJTDYT/he4+UJc= +github.com/go-rod/rod v0.107.2 h1:T2nSPKBrHuM/nhGPS/rl9Uwz0dI7T2M9xYF5owqxjMQ= github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= 
@@ -913,8 +889,6 @@ github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8 github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg= github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-containerregistry v0.7.1-0.20211118220127-abdc633f8305/go.mod h1:6cMIl1RfryEiPzBE67OgtZdEiLWz4myqCQIiBMy3CsM= -github.com/google/go-containerregistry v0.9.0 h1:5Ths7RjxyFV0huKChQTgY6fLzvHhZMpLTFNja8U0/0w= -github.com/google/go-containerregistry v0.9.0/go.mod h1:9eq4BnSufyT1kHNffX+vSXVonaJ7yaIOulrKZejMxnQ= github.com/google/go-containerregistry v0.10.0 h1:qd/fv2nQajGZJenaNcdaghlwSPjQ0NphN9hzArr2WWg= github.com/google/go-containerregistry v0.10.0/go.mod h1:C7uwbB1QUAtvnknyd3ethxJRd4gtEjU/9WLXzckfI1Y= github.com/google/go-github/v28 v28.1.1/go.mod h1:bsqJWQX05omyWVmc00nEUql9mhQyv38lDZ8kPZcQVoM= @@ -953,7 +927,6 @@ github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= 
@@ -974,7 +947,6 @@ github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+ github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/wire v0.3.0/go.mod h1:i1DMg/Lu8Sz5yYl25iOdmc5CT5qusaa+zmRWs16741s= -github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa h1:7MYGT2XEMam7Mtzv1yDUYXANedWvwk3HKkR3MyGowy8= github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= github.com/googleapis/enterprise-certificate-proxy v0.1.0 h1:zO8WHNx/MYiAKJ3d5spxZXZE6KHmIQGQcAzwUzV7qQw= github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= @@ -1090,7 +1062,7 @@ github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 h1:p4AKXPPS24tO8Wc8i1gLvSKdmk github.com/hashicorp/go-secure-stdlib/mlock v0.1.2/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.2/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= -github.com/hashicorp/go-secure-stdlib/parseutil v0.1.5 h1:MBgwAFPUbfuI0+tmDU/aeM1MARvdbqWmiieXIalKqDE= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 h1:om4Al8Oy7kCm/B86rLCLah4Dt5Aa0Fr5rYBG60OzwHQ= github.com/hashicorp/go-secure-stdlib/password v0.1.1/go.mod h1:9hH302QllNwu1o2TGYtSk8I8kTAN0ca1EHpwhm5Mmzo= github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U= github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= 
@@ -1126,9 +1098,9 @@ github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/J github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk= github.com/hashicorp/serf v0.9.6/go.mod h1:TXZNMjZQijwlDvp+r0b63xZ45H7JmCmgg4gpTwn9UV4= github.com/hashicorp/vault/api v1.3.1/go.mod h1:QeJoWxMFt+MsuWcYhmwRLwKEXrjwAFFywzhptMsTIUw= -github.com/hashicorp/vault/api v1.6.0 h1:B8UUYod1y1OoiGHq9GtpiqSnGOUEWHaA26AY8RQEDY4= +github.com/hashicorp/vault/api v1.7.2 h1:kawHE7s/4xwrdKbkmwQi0wYaIeUhk5ueek7ljuezCVQ= github.com/hashicorp/vault/sdk v0.3.0/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0= -github.com/hashicorp/vault/sdk v0.5.0 h1:EED7p0OCU3OY5SAqJwSANofY1YKMytm+jDHDQ2EzGVQ= +github.com/hashicorp/vault/sdk v0.5.1 h1:zly/TmNgOXCGgWIRA8GojyXzG817POtVh3uzIwzZx+8= github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 h1:xixZ2bWeofWV68J+x6AzmKuVM/JWCQwkWm6GW/MUR6I= github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ= @@ -1430,7 +1402,6 @@ github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108 github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= -github.com/onsi/ginkgo/v2 v2.0.0/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= 
@@ -1440,9 +1411,7 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc= github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= -github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/onsi/gomega v1.18.1 h1:M1GfJqGRrBrrGGsbxzV5dqM2U2ApXefZCQpkukxYRLE= -github.com/onsi/gomega v1.18.1/go.mod h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs= github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= @@ -1636,7 +1605,6 @@ github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo= github.com/secure-systems-lab/go-securesystemslib v0.2.0/go.mod h1:eIjBmIP8LD2MLBL/DkQWayLiz006Q4p+hCu79rvWleY= github.com/secure-systems-lab/go-securesystemslib v0.3.0/go.mod h1:o8hhjkbNl2gOamKUA/eNW3xUrntHT9L4W89W1nfj43U= -github.com/secure-systems-lab/go-securesystemslib v0.3.1/go.mod h1:o8hhjkbNl2gOamKUA/eNW3xUrntHT9L4W89W1nfj43U= github.com/secure-systems-lab/go-securesystemslib v0.4.0 h1:b23VGrQhTA8cN2CbBw7/FulN9fTtqYUdS5+Oxzt+DUE= github.com/secure-systems-lab/go-securesystemslib v0.4.0/go.mod h1:FGBZgq2tXWICsxWQW1msNf49F0Pf2Op5Htayx335Qbs= github.com/securego/gosec/v2 v2.9.1/go.mod h1:oDcDLcatOJxkCGaCaq8lua1jTnYf6Sou4wdiJ1n4iHc= 
@@ -1657,15 +1625,9 @@ github.com/sigstore/cosign v1.9.0 h1:E1Kkc6I99dNCGfjwU0B7XTJNEpltNi2GUVEQcswY2Ow github.com/sigstore/cosign v1.9.0/go.mod h1:AkVaXopS0Z/3h/hVOyvIwKrXMOilKmlLgUlr8FkrKQM= github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7 h1:XE7A9lJ+wYhmUFBWYTaw3Ph943zHB4iBYd5R0SX0ZOA= github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7/go.mod h1:ANQivY/lfOp9hN92S813LEthkm/kit96hzeIF3SNoZA= -github.com/sigstore/rekor v0.8.2 h1:EjKptG+F5LXQM6H/bHHVhm6pT+zuAuwKhHqR3sDO3gE= -github.com/sigstore/rekor v0.8.2/go.mod h1:N5EhbXF8pZRGNbtLiyAkCvaW6O3PRNa6NKLwzN/3Scw= -github.com/sigstore/rekor v0.9.0 h1:4h6Z+PHBoDOxnVnmFldqKlDA+RN/xsuhpA7BSje+W0I= -github.com/sigstore/rekor v0.9.0/go.mod h1:ulCPpuSiKMhxMoYC4UOhJEObskh5tV6sXOdRwjGnvG0= github.com/sigstore/rekor v0.9.1 h1:xk+Sg6xWLYctIqlIxZP+sxZl9sfEl0OIbPgxo527Gxg= github.com/sigstore/rekor v0.9.1/go.mod h1:7YBvw8sKQpTUD8jwahpAgex3zF+q2+RAEsgnWXb3O4I= github.com/sigstore/sigstore v1.1.0/go.mod h1:gDpcHw4VwpoL5C6N1Ud1YtBsc+ikRDwDelDlWRyYoE8= -github.com/sigstore/sigstore v1.2.1-0.20220526001230-8dc4fa90a468 h1:UZfTfGy/yiCG+pNyVwTw+PA2aiR33VIb0z0LORq9Gvg= -github.com/sigstore/sigstore v1.2.1-0.20220526001230-8dc4fa90a468/go.mod h1:xAQdMn1pZ7FcOtHU6chqIsvVKt9KGb4mJZljPQUdcpA= github.com/sigstore/sigstore v1.3.0 h1:KeD5cUPkgg4BI9CwSuuZsxPpVKVlX5r2jGqHKQHPo9U= github.com/sigstore/sigstore v1.3.0/go.mod h1:ZfBKePNU4Iv//RZCGmxA7JE+tf5qpWA5XTRYUi1waKc= github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= 
@@ -1759,8 +1721,8 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/subosito/gotenv v1.3.0 h1:mjC+YW8QpAdXibNi+vNWgzmgBH4+5l5dCXv8cNysBLI= github.com/subosito/gotenv v1.3.0/go.mod h1:YzJjq/33h7nrwdY+iHMhEOEEbW0ovIz0tB6t6PwAXzs= @@ -1781,8 +1743,6 @@ github.com/tetafro/godot v1.4.11/go.mod h1:LR3CJpxDVGlYOWn3ZZg1PgNZdTUvzsZWu8xaE github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg= github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU= github.com/theupdateframework/go-tuf v0.0.0-20211203210025-7ded50136bf9/go.mod h1:n2n6wwC9BEnYS/C/APAtNln0eM5zYAYOkOTx6VEG/mA= -github.com/theupdateframework/go-tuf v0.3.0 h1:od2sc5+BSkKZhmUG2o2rmruy0BGSmhrbDhCnpxh87X8= -github.com/theupdateframework/go-tuf v0.3.0/go.mod h1:E5XP0wXitrFUHe4b8cUcAAdxBW4LbfnqF4WXXGLgWNo= github.com/theupdateframework/go-tuf v0.3.1 h1:NkjMlCuLcDpHNtsWXY4lTmbbQQ5nOM7JSBbOKEEiI1c= github.com/theupdateframework/go-tuf v0.3.1/go.mod h1:lhHZ3Vt2pdAh15h0Cc6gWdlI+Okn2ZznD3q/cNjd5jw= github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= 
@@ -2165,8 +2125,6 @@ golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220421235706-1d1ef9303861/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220520000938-2e3eb7b945c2 h1:NWy5+hlRbC7HK+PmcXVUmW1IMyFce7to56IUvhUFm7Y= -golang.org/x/net v0.0.0-20220520000938-2e3eb7b945c2/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220617184016-355a448f1bc9/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e h1:TsQ7F31D3bUCLeqPT0u+yjp1guoArKaNKmCr22PYgTQ= @@ -2196,7 +2154,6 @@ golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= -golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 h1:OSnWWcOd/CtWQC2cYSBgbTSJv3ciqd8r54ySIW2y3RE= golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= golang.org/x/oauth2 v0.0.0-20220630143837-2104d58473e0 h1:VnGaRqoLmqZH/3TMLJwYCEWkR4j1nuIU1U9TvbqsDUw= 
@@ -2214,8 +2171,6 @@ golang.org/x/sync v0.0.0-20200930132711-30421366ff76/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220513210516-0976fa681c29 h1:w8s32wxx3sY+OjLlv9qltkLU5yvJzxjjgiHWLjdIcw4= -golang.org/x/sync v0.0.0-20220513210516-0976fa681c29/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f h1:Ax0t5p6N38Ga0dThY21weqDEyz2oklo4IvDkpigvkD8= golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -2360,9 +2315,7 @@ golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a h1:dGzPydgVsqGcTRVwiLJ1jVbufYwmzD3LfVPLKsKg+0k= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d h1:Zu/JngovGLVi6t2J3nmAf3AoTDwuzw85YZ3b9o4yU7s= golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c h1:aFV+BgZ4svzjfabn8ERpuB4JI4N6/rdy1iusx77G3oU= golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -2517,7 +2470,6 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df h1:5Pf6pFKu98ODmgnpvkJ3kFUOQGGLIzLIkbzUHp47618= golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f h1:uF6paiQQebLeSXkrTqHqz0MXhXXS1KgF41eUdBNvxK0= golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= 
@@ -2574,9 +2526,6 @@ google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69 google.golang.org/api v0.77.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA= google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw= google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg= -google.golang.org/api v0.81.0 h1:o8WF5AvfidafWbFjsRyupxyEQJNUWxLZJCK5NXrxZZ8= -google.golang.org/api v0.81.0/go.mod h1:FA6Mb/bZxj706H2j+j2d6mHEEaHBmbbWnkfvmorOCko= -google.golang.org/api v0.84.0 h1:NMB9J4cCxs9xEm+1Z9QiO3eFvn7EnQj3Eo3hN6ugVlg= google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o= google.golang.org/api v0.85.0 h1:8rJoHuRxx+vCmZtAO/3k1dRLvYNVyTJtZ5oaFZvhgvc= google.golang.org/api v0.85.0/go.mod h1:AqZf8Ep9uZ2pyTvgL+x0D3Zt0eoT9b5E8fmzfu6FO2g= 
@@ -2702,11 +2651,8 @@ google.golang.org/genproto v0.0.0-20220422154200-b37d22cd5731/go.mod h1:8w6bsBMX google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= -google.golang.org/genproto v0.0.0-20220519153652-3a47de7e79bd h1:e0TwkXOdbnH/1x5rc5MZ/VYyiZ4v+RdVfrGMqEwT68I= -google.golang.org/genproto v0.0.0-20220519153652-3a47de7e79bd/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= -google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90 h1:4SPz2GL2CXJt28MTF8V6Ap/9ZiVbQlJeGSd9qtA7DLs= google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad h1:kqrS+lhvaMHCxul6sKQvKJ8nAAhlVItmZV822hYFH/U= google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= 
@@ -2905,8 +2851,6 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.15/go.mod h1:LEScyz sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y= sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY= -sigs.k8s.io/release-utils v0.6.0 h1:wJDuzWJqPH4a5FAxAXE2aBvbB6UMIW7iYMhsKnIMQkA= -sigs.k8s.io/release-utils v0.6.0/go.mod h1:kR1/DuYCJ4covppUasYNcA11OixC9O37B/E0ejRfb+c= sigs.k8s.io/release-utils v0.7.1 h1:dQuGqQi7XGW4PSLJ6JRlN2JUDkeXSepDL1nTdl9QTPY= sigs.k8s.io/release-utils v0.7.1/go.mod h1:SK+/kkc2i7ZO0CFXDCvXpzIZyt13cPlscaApaZD7VmU= sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= diff --git a/internal/builders/generic/attest.go b/internal/builders/generic/attest.go index bf65639fe9..369803fdd5 100644 --- a/internal/builders/generic/attest.go +++ b/internal/builders/generic/attest.go @@ -20,9 +20,7 @@ import ( "context" "encoding/base64" "encoding/json" - "io" "os" - "path/filepath" "regexp" "strings" @@ -64,16 +62,6 @@ type errNoName struct { errors.WrappableError } -// errInvalidPath indicates an invalid path. -type errInvalidPath struct { - errors.WrappableError -} - -// errInternal indicates an internal error. -type errInternal struct { - errors.WrappableError -} - // errDuplicateSubject indicates a duplicate subject name. type errDuplicateSubject struct { errors.WrappableError 
@@ -135,46 +123,6 @@ func parseSubjects(b64str string) ([]intoto.Subject, error) { return parsed, nil } -func pathIsUnderCurrentDirectory(path string) error { - wd, err := os.Getwd() - if err != nil { - return errors.Errorf(&errInternal{}, "os.Getwd(): %w", err) - } - p, err := filepath.Abs(path) - if err != nil { - return errors.Errorf(&errInternal{}, "filepath.Abs(): %w", err) - } - - if !strings.HasPrefix(p, wd+"/") && - wd != p { - return errors.Errorf(&errInvalidPath{}, "invalid path: %q", path) - } - - return nil -} - -func getFile(path string) (io.Writer, error) { - if path == "-" { - return os.Stdout, nil - } - - if err := pathIsUnderCurrentDirectory(path); err != nil { - return nil, err - } - - return os.OpenFile(filepath.Clean(path), os.O_WRONLY|os.O_CREATE, 0o600) -} - -func verifyAttestationPath(path string) error { - if !strings.HasSuffix(path, "intoto.jsonl") { - return errors.Errorf(&errInvalidPath{}, "invalid suffix: %q. Must be .intoto.jsonl", path) - } - if err := pathIsUnderCurrentDirectory(path); err != nil { - return err - } - return nil -} - type provenanceOnlyBuild struct { *slsa.GithubActionsBuild } @@ -202,7 +150,7 @@ run in the context of a Github Actions workflow.`, check(err) // Verify the extension path and extension. - err = verifyAttestationPath(attPath) + err = utils.VerifyAttestationPath(attPath) check(err) var parsedSubjects []intoto.Subject @@ -236,7 +184,7 @@ run in the context of a Github Actions workflow.`, p, err := g.Generate(ctx) check(err) - // Note: we verify the path within getFile(). + // Note: the path is validated within CreateNewFileUnderCurrentDirectory(). if attPath != "" { var attBytes []byte if utils.IsPresubmitTests() { @@ -257,7 +205,7 @@ run in the context of a Github Actions workflow.`, attBytes = att.Bytes() } - f, err := getFile(attPath) + f, err := utils.CreateNewFileUnderCurrentDirectory(attPath, os.O_WRONLY) check(err) _, err = f.Write(attBytes) 
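Review bot: The value returned by `utils.CreateNewFileUnderCurrentDirectory(attPath, os.O_WRONLY)` is written to but not closed in the visible lines, so an error surfacing only at close time would never reach `check`. The helper's return type is not shown in this diff; if it is an `*os.File` or `io.WriteCloser`, close it after the write and check the result, e.g. `check(f.Close())`, and skip that for standard output if the helper still maps `-` to `os.Stdout` as the removed `getFile` did. Whether that `-` convention survives matters most for the `predicatePath` call in the next hunk, which has no suffix check in front of it. The same unclosed-handle pattern appears in `runProvenanceGeneration` in internal/builders/go/main.go. The enclosing command function starts and ends outside the hunk.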
@@ -268,7 +216,7 @@ run in the context of a Github Actions workflow.`, pb, err := json.Marshal(p.Predicate) check(err) - pf, err := getFile(predicatePath) + pf, err := utils.CreateNewFileUnderCurrentDirectory(predicatePath, os.O_WRONLY) check(err) _, err = pf.Write(pb) diff --git a/internal/builders/generic/attest_test.go b/internal/builders/generic/attest_test.go index 404d506e41..6750a84507 100644 --- a/internal/builders/generic/attest_test.go +++ b/internal/builders/generic/attest_test.go 
@@ -11,120 +11,6 @@ import ( "github.com/slsa-framework/slsa-github-generator/internal/errors" ) -func Test_pathIsUnderCurrentDirectory(t *testing.T) { - t.Parallel() - - tests := []struct { - name string - path string - expected error - }{ - { - name: "valid same path", - path: "./", - expected: nil, - }, - { - name: "valid path no slash", - path: "./some/valid/path", - expected: nil, - }, - { - name: "valid path with slash", - path: "./some/valid/path/", - expected: nil, - }, - { - name: "valid path with no dot", - path: "some/valid/path/", - expected: nil, - }, - { - name: "some valid path", - path: "../generic/some/valid/path", - expected: nil, - }, - { - name: "parent invalid path", - path: "../invalid/path", - expected: &errInvalidPath{}, - }, - { - name: "some invalid fullpath", - path: "/some/invalid/fullpath", - expected: &errInvalidPath{}, - }, - } - for _, tt := range tests { - tt := tt // Re-initializing variable so it is not changed while executing the closure below - t.Run(tt.name, func(t *testing.T) { - t.Parallel() - - err := pathIsUnderCurrentDirectory(tt.path) - if (err == nil && tt.expected != nil) || - (err != nil && tt.expected == nil) { - t.Fatalf("unexpected error: %v", cmp.Diff(err, tt.expected, cmpopts.EquateErrors())) - } - - if err != nil && !errors.As(err, &tt.expected) { - t.Fatalf("unexpected error: %v", cmp.Diff(err, tt.expected, cmpopts.EquateErrors())) - } - }) - } -} - -func Test_verifyAttestationPath(t *testing.T) { - t.Parallel() - - tests := []struct { - name string - path string - expected error - }{ - { - name: "valid file", - path: "./path/to/valid.intoto.jsonl", - expected: nil, - }, - { - name: "invalid path", - path: "../some/invalid/valid.intoto.jsonl", - expected: &errInvalidPath{}, - }, - { - name: "invalid extension", - path: "some/file.ntoto.jsonl", - expected: &errInvalidPath{}, - }, - { - name: "invalid not exntension", - path: "some/file.intoto.jsonl.", - expected: &errInvalidPath{}, - }, - { - name: "invalid 
folder exntension", - path: "file.intoto.jsonl/file", - expected: &errInvalidPath{}, - }, - } - for _, tt := range tests { - tt := tt // Re-initializing variable so it is not changed while executing the closure below - t.Run(tt.name, func(t *testing.T) { - t.Parallel() - - err := verifyAttestationPath(tt.path) - if (err == nil && tt.expected != nil) || - (err != nil && tt.expected == nil) { - t.Fatalf("unexpected error: %v", cmp.Diff(err, tt.expected, cmpopts.EquateErrors())) - } - - if err != nil && !errors.As(err, &tt.expected) { - t.Fatalf("unexpected error: %v", cmp.Diff(err, tt.expected, cmpopts.EquateErrors())) - } - }) - } -} - // TestParseSubjects tests the parseSubjects function. func TestParseSubjects(t *testing.T) { testCases := []struct { diff --git a/internal/builders/go/main.go b/internal/builders/go/main.go index a1b609bdef..a980925d58 100644 --- a/internal/builders/go/main.go +++ b/internal/builders/go/main.go @@ -20,7 +20,6 @@ import ( "flag" "fmt" "io" - "io/ioutil" "os" "os/exec" "path/filepath" @@ -31,6 +30,7 @@ import ( _ "github.com/sigstore/cosign/pkg/providers/github" "github.com/slsa-framework/slsa-github-generator/internal/builders/go/pkg" + "github.com/slsa-framework/slsa-github-generator/internal/utils" ) func usage(p string) { @@ -84,7 +84,11 @@ func runProvenanceGeneration(subject, digest, commands, envs, workingDir, rekor } filename := fmt.Sprintf("%s.intoto.jsonl", subject) - err = ioutil.WriteFile(filename, attBytes, 0o600) + f, err := utils.CreateNewFileUnderCurrentDirectory(filename, os.O_WRONLY) + if err != nil { + return err + } + _, err = f.Write(attBytes) if err != nil { return err } diff --git a/internal/builders/go/main_test.go b/internal/builders/go/main_test.go index a1f546415f..d543929b56 100644 --- a/internal/builders/go/main_test.go +++ b/internal/builders/go/main_test.go 
@@ -11,17 +11,18 @@ import ( "regexp" "testing" - "github.com/slsa-framework/slsa-github-generator/internal/builders/go/pkg" - "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" + + "github.com/slsa-framework/slsa-github-generator/internal/builders/go/pkg" + "github.com/slsa-framework/slsa-github-generator/internal/utils" ) func errCmp(e1, e2 error) bool { return errors.Is(e1, e2) || errors.Is(e2, e1) } -func Test_runVerify(t *testing.T) { +func Test_runBuild(t *testing.T) { t.Parallel() tests := []struct { subject string @@ -237,11 +238,6 @@ func Test_runVerify(t *testing.T) { config: "./pkg/testdata/releaser-invalid-envs.yml", err: pkg.ErrorInvalidEnvironmentVariable, }, - { - name: "invalid main", - config: "./pkg/testdata/releaser-invalid-main.yml", - err: pkg.ErrorInvalidDirectory, - }, { name: "invalid path", config: "../pkg/testdata/releaser-invalid-main.yml", @@ -391,12 +387,12 @@ func extract(lines string) ([]string, []string, string, string, error) { return []string{}, []string{}, "", "", err } - cmd, err := pkg.UnmarshallList(scmd) + cmd, err := utils.UnmarshalList(scmd) if err != nil { return []string{}, []string{}, "", "", err } - env, err := pkg.UnmarshallList(senv) + env, err := utils.UnmarshalList(senv) if err != nil { return []string{}, []string{}, "", "", err } diff --git a/internal/builders/go/pkg/build.go b/internal/builders/go/pkg/build.go index ac27b090d8..0e3e428744 100644 --- a/internal/builders/go/pkg/build.go +++ b/internal/builders/go/pkg/build.go @@ -22,6 +22,8 @@ import ( "regexp" "strings" "syscall" + + "github.com/slsa-framework/slsa-github-generator/internal/utils" ) var ( @@ -117,7 +119,7 @@ func (b *GoBuild) Run(dry bool) error { // Share the resolved name of the binary. fmt.Printf("::set-output name=go-binary-name::%s\n", filename) - command, err := marshallToString(com) + command, err := utils.MarshalToString(com) if err != nil { return err } 
@@ -129,7 +131,7 @@ func (b *GoBuild) Run(dry bool) error { return err } - menv, err := marshallToString(env) + menv, err := utils.MarshalToString(env) if err != nil { return err } diff --git a/internal/builders/go/pkg/config.go b/internal/builders/go/pkg/config.go index 82c7458610..b8e21892d1 100644 --- a/internal/builders/go/pkg/config.go +++ b/internal/builders/go/pkg/config.go @@ -22,11 +22,17 @@ import ( "strings" "gopkg.in/yaml.v3" + + "github.com/slsa-framework/slsa-github-generator/internal/utils" ) var ( + // ErrorInvalidEnvironmentVariable is an invalid environment variable. ErrorInvalidEnvironmentVariable = errors.New("invalid environment variable") - ErrorUnsupportedVersion = errors.New("version not supported") + // ErrorUnsupportedVersion is non-supported version. + ErrorUnsupportedVersion = errors.New("version not supported") + // ErrorInvalidDirectory is an invalid directory. + ErrorInvalidDirectory = errors.New("invalid directory") ) var supportedVersions = map[int]bool{ @@ -109,7 +115,11 @@ func fromConfig(cf *goReleaserConfigFile) (*GoReleaserConfig, error) { } func validatePath(path string) error { - return pathIsUnderCurrentDirectory(path) + err := utils.PathIsUnderCurrentDirectory(path) + if err != nil { + return convertPathError(err, "PathIsUnderCurrentDirectory") + } + return nil } func validateDir(cf *goReleaserConfigFile) error { 
@@ -125,7 +135,24 @@ func validateMain(cf *goReleaserConfigFile) error { } // Validate the main path is under the current directory. - return pathIsUnderCurrentDirectory(*cf.Main) + if err := utils.PathIsUnderCurrentDirectory(*cf.Main); err != nil { + return convertPathError(err, "PathIsUnderCurrentDirectory") + } + return nil +} + +func convertPathError(e error, msg string) error { + // TODO(https://github.com/slsa-framework/slsa-github-generator/issues/599): use same error contructions. + if e != nil { + var errInternal *utils.ErrInternal + var errPath *utils.ErrInvalidPath + if errors.As(e, &errInternal) || + errors.As(e, &errPath) { + return ErrorInvalidDirectory + } + return fmt.Errorf("%s: %w", msg, e) + } + return e } func validateVersion(cf *goReleaserConfigFile) error { diff --git a/internal/builders/go/pkg/config_test.go b/internal/builders/go/pkg/config_test.go index 354971c9c3..88ce5857aa 100644 --- a/internal/builders/go/pkg/config_test.go +++ b/internal/builders/go/pkg/config_test.go @@ -146,6 +146,7 @@ func Test_ConfigFromFile(t *testing.T) { t.Parallel() cfg, err := ConfigFromFile(tt.path) + if !errCmp(err, tt.err) { t.Errorf(cmp.Diff(err, tt.err)) } diff --git a/internal/builders/go/pkg/marshall.go b/internal/builders/go/pkg/marshall.go deleted file mode 100644 index 5055877baa..0000000000 --- a/internal/builders/go/pkg/marshall.go +++ /dev/null 
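Review bot: `convertPathError` maps both `*utils.ErrInternal` and `*utils.ErrInvalidPath` to the bare `ErrorInvalidDirectory`, so a failing `os.Getwd()` is reported as an invalid directory and the offending path from the original message is dropped. Wrapping keeps `errors.Is(err, ErrorInvalidDirectory)` working while preserving the cause: `return fmt.Errorf("%w: %v", ErrorInvalidDirectory, e)`. The `msg` argument is only used on the fall-through branch, and the outer `if e != nil` is redundant because both callers (`validatePath` in the previous hunk and `validateMain` here) already check for nil. A one-line doc comment stating this mapping would help, and `contructions` in the TODO should read `constructions`.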
@@ -1,42 +0,0 @@ -// Copyright 2022 SLSA Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package pkg - -import ( - "encoding/base64" - "encoding/json" - "fmt" -) - -func marshallToString(args interface{}) (string, error) { - jsonData, err := json.Marshal(args) - if err != nil { - return "", fmt.Errorf("json.Marshal: %w", err) - } - - encoded := base64.StdEncoding.EncodeToString(jsonData) - if err != nil { - return "", fmt.Errorf("base64.StdEncoding.EncodeString: %w", err) - } - return encoded, nil -} - -func marshallToBytes(args interface{}) ([]byte, error) { - encoded, err := marshallToString(args) - if err != nil { - return []byte{}, nil - } - return []byte(encoded), nil -} diff --git a/internal/builders/go/pkg/marshall_test.go b/internal/builders/go/pkg/marshall_test.go deleted file mode 100644 index b0efc08464..0000000000 --- a/internal/builders/go/pkg/marshall_test.go +++ /dev/null 
@@ -1,61 +0,0 @@ -// Copyright 2022 SLSA Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package pkg - -import ( - "testing" - - "github.com/google/go-cmp/cmp" -) - -func Test_marshall(t *testing.T) { - t.Parallel() - - tests := []struct { - name string - variables []string - expected string - }{ - { - name: "single arg", - variables: []string{"--arg"}, - expected: "WyItLWFyZyJd", - }, - { - name: "list args", - variables: []string{ - "/usr/lib/google-golang/bin/go", - "build", "-mod=vendor", "-trimpath", - "-tags=netgo", - "-ldflags=-X main.gitVersion=v1.2.3 -X main.gitSomething=somthg", - }, - expected: "WyIvdXNyL2xpYi9nb29nbGUtZ29sYW5nL2Jpbi9nbyIsImJ1aWxkIiwiLW1vZD12ZW5kb3IiLCItdHJpbXBhdGgiLCItdGFncz1uZXRnbyIsIi1sZGZsYWdzPS1YIG1haW4uZ2l0VmVyc2lvbj12MS4yLjMgLVggbWFpbi5naXRTb21ldGhpbmc9c29tdGhnIl0=", - }, - } - for _, tt := range tests { - tt := tt // Re-initializing variable so it is not changed while executing the closure below - t.Run(tt.name, func(t *testing.T) { - t.Parallel() - - r, err := marshallToString(tt.variables) - if err != nil { - t.Errorf("marshallToString: %v", err) - } - if !cmp.Equal(r, tt.expected) { - t.Errorf(cmp.Diff(r, tt.expected)) - } - }) - } -} diff --git a/internal/builders/go/pkg/provenance.go b/internal/builders/go/pkg/provenance.go index 1226ad5c6f..db5c9a8653 100644 --- a/internal/builders/go/pkg/provenance.go +++ b/internal/builders/go/pkg/provenance.go 
@@ -74,12 +74,12 @@ func GenerateProvenance(name, digest, command, envs, workingDir string, s signin return nil, fmt.Errorf("sha256 digest is not valid: %s", digest) } - com, err := UnmarshallList(command) + com, err := utils.UnmarshalList(command) if err != nil { return nil, err } - env, err := UnmarshallList(envs) + env, err := utils.UnmarshalList(envs) if err != nil { return nil, err } @@ -150,7 +150,7 @@ func GenerateProvenance(name, digest, command, envs, workingDir string, s signin if utils.IsPresubmitTests() { fmt.Println("Pre-submit tests detected. Skipping signing.") - return marshallToBytes(*p) + return utils.MarshalToBytes(*p) } // Sign the provenance. diff --git a/internal/builders/go/pkg/utils.go b/internal/utils/marshal.go similarity index 62% rename from internal/builders/go/pkg/utils.go rename to internal/utils/marshal.go index 9bd279e1e9..7f4373ac54 100644 --- a/internal/builders/go/pkg/utils.go +++ b/internal/utils/marshal.go @@ -12,39 +12,16 @@ // See the License for the specific language governing permissions and // limitations under the License. -package pkg +package utils import ( "encoding/base64" "encoding/json" - "errors" "fmt" - "os" - "path/filepath" - "strings" ) -var ErrorInvalidDirectory = errors.New("invalid directory") - -func pathIsUnderCurrentDirectory(path string) error { - wd, err := os.Getwd() - if err != nil { - return err - } - p, err := filepath.Abs(path) - if err != nil { - return err - } - - if !strings.HasPrefix(p, wd+"/") && - wd != p { - return ErrorInvalidDirectory - } - - return nil -} - -func UnmarshallList(arg string) ([]string, error) { +// UnmarshalList unmarshals a string into a list of strings. +func UnmarshalList(arg string) ([]string, error) { var res []string // If argument is empty, return an empty list early, // because `json.Unmarshal` would fail. 
@@ -62,3 +39,26 @@ func UnmarshallList(arg string) ([]string, error) { } return res, nil } + +// MarshalToString marshals to a string. +func MarshalToString(args interface{}) (string, error) { + jsonData, err := json.Marshal(args) + if err != nil { + return "", fmt.Errorf("json.Marshal: %w", err) + } + + encoded := base64.StdEncoding.EncodeToString(jsonData) + if err != nil { + return "", fmt.Errorf("base64.StdEncoding.EncodeString: %w", err) + } + return encoded, nil +} + +// MarshalToBytes marshals to a byte array. +func MarshalToBytes(args interface{}) ([]byte, error) { + encoded, err := MarshalToString(args) + if err != nil { + return nil, err + } + return []byte(encoded), nil +} diff --git a/internal/builders/go/pkg/utils_test.go b/internal/utils/marshal_test.go similarity index 64% rename from internal/builders/go/pkg/utils_test.go rename to internal/utils/marshal_test.go index f62f183774..3001d46523 100644 --- a/internal/builders/go/pkg/utils_test.go +++ b/internal/utils/marshal_test.go @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -package pkg +package utils import ( "testing" 
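Review bot: In `MarshalToString` the second `if err != nil` can never fire, because `base64.StdEncoding.EncodeToString` returns only a string and `err` still holds the nil value from the `json.Marshal` check above it. Dropping that block and ending with `return base64.StdEncoding.EncodeToString(jsonData), nil` removes the dead branch. The doc comments could also name the encoding, e.g. `// MarshalToString JSON-encodes args and returns the result as standard base64.`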
@@ -20,48 +20,28 @@ import ( "github.com/google/go-cmp/cmp" ) -func Test_pathIsUnderCurrentDirectory(t *testing.T) { +func Test_MarshalToString(t *testing.T) { t.Parallel() tests := []struct { - name string - path string - expected error + name string + variables []string + expected string }{ { - name: "valid same path", - path: "./", - expected: nil, - }, - { - name: "valid path no slash", - path: "./some/valid/path", - expected: nil, - }, - { - name: "valid path with slash", - path: "./some/valid/path/", - expected: nil, - }, - { - name: "valid path with no dot", - path: "some/valid/path/", - expected: nil, - }, - { - name: "some valid path", - path: "../pkg/some/valid/path", - expected: nil, - }, - { - name: "parent invalid path", - path: "../invalid/path", - expected: ErrorInvalidDirectory, + name: "single arg", + variables: []string{"--arg"}, + expected: "WyItLWFyZyJd", }, { - name: "some invalid fullpath", - path: "/some/invalid/fullpath", - expected: ErrorInvalidDirectory, + name: "list args", + variables: []string{ + "/usr/lib/google-golang/bin/go", + "build", "-mod=vendor", "-trimpath", + "-tags=netgo", + "-ldflags=-X main.gitVersion=v1.2.3 -X main.gitSomething=somthg", + }, + expected: "WyIvdXNyL2xpYi9nb29nbGUtZ29sYW5nL2Jpbi9nbyIsImJ1aWxkIiwiLW1vZD12ZW5kb3IiLCItdHJpbXBhdGgiLCItdGFncz1uZXRnbyIsIi1sZGZsYWdzPS1YIG1haW4uZ2l0VmVyc2lvbj12MS4yLjMgLVggbWFpbi5naXRTb21ldGhpbmc9c29tdGhnIl0=", }, } for _, tt := range tests { @@ -69,15 +49,18 @@ func Test_pathIsUnderCurrentDirectory(t *testing.T) { t.Run(tt.name, func(t *testing.T) { t.Parallel() - err := pathIsUnderCurrentDirectory(tt.path) - if !errCmp(err, tt.expected) { - t.Errorf(cmp.Diff(err, tt.expected)) + r, err := MarshalToString(tt.variables) + if err != nil { + t.Errorf("MarshalToString: %v", err) + } + if !cmp.Equal(r, tt.expected) { + t.Errorf(cmp.Diff(r, tt.expected)) } }) } } -func Test_UnmarshallList(t *testing.T) { +func Test_UnmarshalList(t *testing.T) { t.Parallel() tests := []struct { 
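Review bot: `Test_MarshalToString` exercises only inputs that marshal cleanly, and nothing in this file covers `MarshalToBytes`, whose error path this commit changes (the deleted `marshallToBytes` returned `[]byte{}, nil` on failure). A case with a value that `json.Marshal` rejects would pin the new behaviour, for example `if _, err := MarshalToBytes(make(chan int)); err == nil { t.Fatal("expected error") }`. Using `t.Fatalf` rather than `t.Errorf` when `MarshalToString` fails would also avoid the follow-on `cmp.Diff` output.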
@@ -110,9 +93,9 @@ func Test_UnmarshallList(t *testing.T) { t.Run(tt.name, func(t *testing.T) { t.Parallel() - r, err := UnmarshallList(tt.value) + r, err := UnmarshalList(tt.value) if err != nil && len(tt.expected) != 0 { - t.Errorf("UnmarshallList: %v", err) + t.Errorf("UnmarshalList: %v", err) } if !cmp.Equal(r, tt.expected) { diff --git a/internal/utils/path.go b/internal/utils/path.go new file mode 100644 index 0000000000..e6a9f1dac0 --- /dev/null +++ b/internal/utils/path.go 
@@ -0,0 +1,90 @@ +// Copyright 2022 SLSA Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package utils + +import ( + "io" + "os" + "path/filepath" + "strings" + + "github.com/slsa-framework/slsa-github-generator/internal/errors" +) + +// ErrInternal indicates an internal error. +type ErrInternal struct { + errors.WrappableError +} + +// ErrInvalidPath indicates an invalid path. +type ErrInvalidPath struct { + errors.WrappableError +} + +// PathIsUnderCurrentDirectory checks whether the `path` +// is under the current working directory. Examples: +// ./file, ./some/path, ../.file would return `nil`. +// `../etc/password` would return an error. +func PathIsUnderCurrentDirectory(path string) error { + wd, err := os.Getwd() + if err != nil { + return errors.Errorf(&ErrInternal{}, "os.Getwd(): %w", err) + } + p, err := filepath.Abs(path) + if err != nil { + return errors.Errorf(&ErrInternal{}, "filepath.Abs(): %w", err) + } + + if !strings.HasPrefix(p, wd+"/") && + wd != p { + return errors.Errorf(&ErrInvalidPath{}, "invalid path: %q", path) + } + + return nil +} + +// VerifyAttestationPath verifies that the path of an attestation +// is valid. It checks that the path is under the current working directory +// and that the extension of the file is `intoto.jsonl`. +func VerifyAttestationPath(path string) error { + if !strings.HasSuffix(path, "intoto.jsonl") { + return errors.Errorf(&ErrInvalidPath{}, "invalid suffix: %q. 
Must be .intoto.jsonl", path) + } + if err := PathIsUnderCurrentDirectory(path); err != nil { + return err + } + return nil +} + +// CreateNewFileUnderCurrentDirectory create a new file under the current directory +// and fails if the file already exists. The file is always created with the pemisisons +// `0o600`. +func CreateNewFileUnderCurrentDirectory(path string, flag int) (io.Writer, error) { + if path == "-" { + return os.Stdout, nil + } + + if err := PathIsUnderCurrentDirectory(path); err != nil { + return nil, err + } + + // Ensure we never overwrite an existing file. + fp, err := os.OpenFile(filepath.Clean(path), flag|os.O_CREATE|os.O_EXCL, 0o600) + if err != nil { + return nil, errors.Errorf(&ErrInternal{}, "os.OpenFile(): %v", err) + } + + return fp, nil +} diff --git a/internal/utils/path_test.go b/internal/utils/path_test.go new file mode 100644 index 0000000000..6ef1b277a4 --- /dev/null +++ b/internal/utils/path_test.go 
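Review bot: `PathIsUnderCurrentDirectory` compares `filepath.Abs(path)` with `wd+"/"` as strings, so the check is purely lexical: a symbolic link inside the working directory that points elsewhere passes, and `CreateNewFileUnderCurrentDirectory` then opens through it (`O_EXCL` refuses a link only in the final component, not in a parent directory). If the working directory can hold content the workflow does not control, such as a checked-out repository or downloaded artifacts, resolve both sides with `filepath.EvalSymlinks` (on the parent directory for files that do not exist yet) before comparing, or at least state the limit in the doc comment: `// The check is lexical; symbolic links in path are not resolved.` The hard-coded `"/"` is also not portable; `filepath.Rel(wd, p)` followed by a test for a leading `..` avoids it. In `CreateNewFileUnderCurrentDirectory`, `"os.OpenFile(): %v"` could use `%w` like the other two wraps so callers can still match `os.ErrExist`. The `../.file` example in the `PathIsUnderCurrentDirectory` doc comment looks wrong, since that path resolves into the parent directory.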
@@ -0,0 +1,191 @@ +// Copyright 2022 SLSA Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package utils + +import ( + "os" + "testing" + + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + + "github.com/slsa-framework/slsa-github-generator/internal/errors" +) + +func Test_PathIsUnderCurrentDirectory(t *testing.T) { + t.Parallel() + + tests := []struct { + name string + path string + expected error + }{ + { + name: "valid same path", + path: "./", + expected: nil, + }, + { + name: "valid path no slash", + path: "./some/valid/path", + expected: nil, + }, + { + name: "valid path with slash", + path: "./some/valid/path/", + expected: nil, + }, + { + name: "valid path with no dot", + path: "some/valid/path/", + expected: nil, + }, + { + name: "some valid path", + path: "../utils/some/valid/path", + expected: nil, + }, + { + name: "parent invalid path", + path: "../invalid/path", + expected: &ErrInvalidPath{}, + }, + { + name: "some invalid fullpath", + path: "/some/invalid/fullpath", + expected: &ErrInvalidPath{}, + }, + } + for _, tt := range tests { + tt := tt // Re-initializing variable so it is not changed while executing the closure below + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + err := PathIsUnderCurrentDirectory(tt.path) + if (err == nil && tt.expected != nil) || + (err != nil && tt.expected == nil) { + t.Fatalf("unexpected error: %v", cmp.Diff(err, tt.expected, cmpopts.EquateErrors())) + } + + if err != 
nil && !errors.As(err, &tt.expected) { + t.Fatalf("unexpected error: %v", cmp.Diff(err, tt.expected, cmpopts.EquateErrors())) + } + }) + } +} + +func Test_VerifyAttestationPath(t *testing.T) { + t.Parallel() + + tests := []struct { + name string + path string + expected error + }{ + { + name: "valid file", + path: "./path/to/valid.intoto.jsonl", + expected: nil, + }, + { + name: "invalid path", + path: "../some/invalid/valid.intoto.jsonl", + expected: &ErrInvalidPath{}, + }, + { + name: "invalid extension", + path: "some/file.ntoto.jsonl", + expected: &ErrInvalidPath{}, + }, + { + name: "invalid not exntension", + path: "some/file.intoto.jsonl.", + expected: &ErrInvalidPath{}, + }, + { + name: "invalid folder exntension", + path: "file.intoto.jsonl/file", + expected: &ErrInvalidPath{}, + }, + } + for _, tt := range tests { + tt := tt // Re-initializing variable so it is not changed while executing the closure below + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + err := VerifyAttestationPath(tt.path) + if (err == nil && tt.expected != nil) || + (err != nil && tt.expected == nil) { + t.Fatalf("unexpected error: %v", cmp.Diff(err, tt.expected, cmpopts.EquateErrors())) + } + + if err != nil && !errors.As(err, &tt.expected) { + t.Fatalf("unexpected error: %v", cmp.Diff(err, tt.expected, cmpopts.EquateErrors())) + } + }) + } +} + +func Test_CreateNewFileUnderCurrentDirectory(t *testing.T) { + t.Parallel() + + tests := []struct { + name string + path string + existingPath bool + expected error + }{ + { + name: "valid file cannot create", + path: "./path/to/validfile", + expected: &ErrInvalidPath{}, + }, + { + name: "invalid path", + path: "../some/invalid/file", + expected: &ErrInvalidPath{}, + }, + { + name: "existing file", + path: "existing_file", + existingPath: true, + expected: &ErrInvalidPath{}, + }, + } + for _, tt := range tests { + tt := tt // Re-initializing variable so it is not changed while executing the closure below + t.Run(tt.name, func(t 
*testing.T) { + t.Parallel() + + if tt.existingPath { + if _, err := os.Stat(tt.path); err != nil { + if _, err := CreateNewFileUnderCurrentDirectory(tt.path, os.O_WRONLY); err != nil { + t.Fatalf("unexpected error: %v", err) + } + } + } + + _, err := CreateNewFileUnderCurrentDirectory(tt.path, os.O_WRONLY) + if (err == nil && tt.expected != nil) || + (err != nil && tt.expected == nil) { + t.Fatalf("unexpected error: %v", cmp.Diff(err, tt.expected, cmpopts.EquateErrors())) + } + + if err != nil && !errors.As(err, &tt.expected) { + t.Fatalf("unexpected error: %v", cmp.Diff(err, tt.expected, cmpopts.EquateErrors())) + } + }) + } +} diff --git a/internal/utils/utils.go b/internal/utils/presubmits.go similarity index 100% rename from internal/utils/utils.go rename to internal/utils/presubmits.go
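Review bot: The assertion `errors.As(err, &tt.expected)` passes a pointer to an `error`-typed field, so, assuming the project's `errors.As` follows the standard library, it matches any non-nil error and the expected type is never actually checked. That shows in `Test_CreateNewFileUnderCurrentDirectory`: the `existing file` and `valid file cannot create` cases expect `&ErrInvalidPath{}`, although `os.OpenFile` failures are returned as `ErrInternal` by the function under test. Use a concretely typed target, as `convertPathError` does with `var errPath *utils.ErrInvalidPath`, and correct those expectations; the same pattern is in `Test_PathIsUnderCurrentDirectory` and `Test_VerifyAttestationPath`. The `existing file` case also leaves `existing_file` behind in the package directory; `t.Cleanup(func() { os.Remove(tt.path) })` would keep reruns independent.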