diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml index b69aaba9..65af218c 100644 --- a/.github/workflows/docker-release.yml +++ b/.github/workflows/docker-release.yml @@ -40,7 +40,7 @@ jobs: project: xnsnw3m20t - name: Build and push container - uses: depot/build-push-action@v1.17.0 + uses: depot/build-push-action@v1.18.0 id: build with: project: xnsnw3m20t diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 618d3fa7..114ea19b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -63,7 +63,7 @@ jobs: uses: goreleaser/goreleaser-action@v7 with: # renovate: datasource=github-releases depName=goreleaser/goreleaser - version: "v2.15.4" + version: "v2.16.0" args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/aws-source/adapters/lambda-function.go b/aws-source/adapters/lambda-function.go index 8f363eeb..234585ec 100644 --- a/aws-source/adapters/lambda-function.go +++ b/aws-source/adapters/lambda-function.go @@ -27,7 +27,6 @@ type FunctionDetails struct { // FunctionGetFunc Gets the details of a specific lambda function func functionGetFunc(ctx context.Context, client LambdaClient, scope string, input *lambda.GetFunctionInput) (*sdp.Item, error) { out, err := client.GetFunction(ctx, input) - if err != nil { return nil, err } 
@@ -108,14 +107,21 @@ func functionGetFunc(ctx context.Context, client LambdaClient, scope string, inp } } - attributes, err := ToAttributesWithExclude(function, "resultMetadata") + // Environment variables often contain secrets; extract links before redacting. + var envVars map[string]string + if function.Configuration != nil && function.Configuration.Environment != nil { + envVars = function.Configuration.Environment.Variables + configCopy := *function.Configuration + configCopy.Environment = nil + function.Configuration = &configCopy + } + attributes, err := ToAttributesWithExclude(function, "resultMetadata") if err != nil { return nil, err } err = attributes.Set("Name", *out.Configuration.FunctionName) - if err != nil { return nil, err } @@ -218,9 +224,9 @@ func functionGetFunc(ctx context.Context, client LambdaClient, scope string, inp } } - if function.Configuration.Environment != nil { + if envVars != nil { // Automatically extract links from the environment variables - newQueries, err := sdp.ExtractLinksFrom(function.Configuration.Environment.Variables) + newQueries, err := sdp.ExtractLinksFrom(envVars) if err == nil { item.LinkedItemQueries = append(item.LinkedItemQueries, newQueries...) } @@ -449,7 +455,6 @@ func ExtractLinksFromPolicy(policy *PolicyDocument) []*sdp.LinkedItemQuery { if scope == "" { // If we don't have a scope set then extract it from the target ARN parsedARN, err := ParseARN(statement.Condition.ArnLike.AWSSourceArn) - if err != nil { continue } @@ -473,7 +478,6 @@ func ExtractLinksFromPolicy(policy *PolicyDocument) []*sdp.LinkedItemQuery { // GetEventLinkedItem Gets the linked item request for a given destination ARN func GetEventLinkedItem(destinationARN string) (*sdp.LinkedItemQuery, error) { parsed, err := ParseARN(destinationARN) - if err != nil { return nil, err } 
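Review bot: The comment above `var envVars` says links are extracted before redacting, but this block only keeps a reference to the raw map; the extraction itself is in the later hunk at `if envVars != nil`, so the unredacted values stay reachable through `envVars` for the rest of functionGetFunc. I would reword it to `// Environment variables often contain secrets: keep the raw map only for link extraction further down, and drop Environment from a shallow copy before building attributes.` and add that `envVars` must not be logged or set on the item. functionGetFunc starts and ends outside this hunk.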
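Review bot: Values from `envVars` still leave this function through `item.LinkedItemQueries` in the `if envVars != nil` block, so whatever `sdp.ExtractLinksFrom` turns into a query is not covered by the redaction of the attributes. How that helper treats a value is not visible here; if it keeps a matched URL verbatim, a connection string of the form `scheme://user:password@host` (constructed example) would carry its credentials into the query, so it is worth confirming that userinfo is stripped or that such values are skipped. The block also discards a non-nil `err` from `ExtractLinksFrom` without a trace; if that is deliberate, a comment such as `// best effort: a link extraction failure must not fail the Get` would say so. functionGetFunc continues outside the hunk.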
@@ -532,7 +536,7 @@ func NewLambdaFunctionAdapter(client LambdaClient, accountID string, region stri ListInput: &lambda.ListFunctionsInput{}, GetFunc: functionGetFunc, AdapterMetadata: lambdaFunctionAdapterMetadata, - cache: cache, + cache: cache, GetInputMapper: func(scope, query string) *lambda.GetFunctionInput { return &lambda.GetFunctionInput{ FunctionName: &query, diff --git a/aws-source/adapters/lambda-function_test.go b/aws-source/adapters/lambda-function_test.go index df130bcc..4f861faa 100644 --- a/aws-source/adapters/lambda-function_test.go +++ b/aws-source/adapters/lambda-function_test.go @@ -2,6 +2,8 @@ package adapters import ( "context" + "encoding/json" + "strings" "testing" "time" 
@@ -169,9 +171,39 @@ func (t *TestLambdaClient) GetPolicy(ctx context.Context, params *lambda.GetPoli }, nil } -func TestFunctionGetFunc(t *testing.T) { +func TestFunctionGetFuncRedactsEnvironmentVariables(t *testing.T) { item, err := functionGetFunc(context.Background(), &TestLambdaClient{}, "foo", &lambda.GetFunctionInput{}) + if err != nil { + t.Fatal(err) + } + + attrMap := item.GetAttributes().GetAttrStruct().AsMap() + config, ok := attrMap["Configuration"].(map[string]any) + if !ok { + t.Fatalf("expected Configuration in attributes, got %T", attrMap["Configuration"]) + } + + if env, ok := config["Environment"].(map[string]any); ok { + if _, hasVariables := env["Variables"]; hasVariables { + t.Errorf("expected Configuration.Environment.Variables to be redacted, got %v", env["Variables"]) + } + } + // Ensure env var names and values do not appear anywhere in attributes. + attrJSON, err := json.Marshal(attrMap) + if err != nil { + t.Fatal(err) + } + + for _, secret := range []string{"sns_arn", "aws-controltower-AggregateSecurityNotifications"} { + if strings.Contains(string(attrJSON), secret) { + t.Errorf("expected attributes not to contain %q, got %s", secret, attrJSON) + } + } +} + +func TestFunctionGetFunc(t *testing.T) { + item, err := functionGetFunc(context.Background(), &TestLambdaClient{}, "foo", &lambda.GetFunctionInput{}) if err != nil { t.Error(err) } diff --git a/aws-source/module/provider/.github/workflows/release.yml b/aws-source/module/provider/.github/workflows/release.yml index 6f0edfd5..fb643441 100644 --- a/aws-source/module/provider/.github/workflows/release.yml +++ b/aws-source/module/provider/.github/workflows/release.yml @@ -46,7 +46,7 @@ jobs: uses: goreleaser/goreleaser-action@v7 with: # renovate: datasource=github-releases depName=goreleaser/goreleaser - version: "v2.15.4" + version: "v2.16.0" args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/go.mod b/go.mod index 01293ab0..c168c17e 100644 --- a/go.mod 
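Review bot: Every assertion in TestFunctionGetFuncRedactsEnvironmentVariables is negative, so the test still passes if the TestLambdaClient fixture (not shown in this hunk) stops returning `sns_arn`, or if `envVars` is never populated and link extraction silently breaks. A positive check would pin both halves of the change, for example asserting that `item.LinkedItemQueries` still contains the query derived from the `sns_arn` value while the attributes JSON does not. The marshalled-JSON scan covers only `attrMap`; if other parts of the item are meant to be free of variable names and values too, they need their own check.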
+++ b/go.mod @@ -24,12 +24,12 @@ require ( cloud.google.com/go/auth v0.20.0 cloud.google.com/go/auth/oauth2adapt v0.2.8 cloud.google.com/go/bigquery v1.77.0 - cloud.google.com/go/bigtable v1.47.0 + cloud.google.com/go/bigtable v1.48.0 cloud.google.com/go/certificatemanager v1.14.0 - cloud.google.com/go/compute v1.63.0 + cloud.google.com/go/compute v1.64.0 cloud.google.com/go/compute/metadata v0.9.0 // indirect cloud.google.com/go/container v1.52.0 - cloud.google.com/go/dataplex v1.34.0 + cloud.google.com/go/dataplex v1.35.0 cloud.google.com/go/dataproc/v2 v2.22.0 cloud.google.com/go/eventarc v1.23.0 cloud.google.com/go/filestore v1.15.0 @@ -51,7 +51,7 @@ require ( connectrpc.com/connect v1.20.0 // v1.19.0 was faulty, wait until it is above this version github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.1 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 - github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.2 + github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.3 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/batch/armbatch/v4 v4.0.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v7 v7.3.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/cosmos/armcosmos/v3 v3.4.0 
@@ -65,40 +65,40 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/postgresql/armpostgresqlflexibleservers/v5 v5.0.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/v2 v2.1.0 - github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/sql/armsql/v2 v2.0.0-beta.7 + github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/sql/armsql/v2 v2.0.0-beta.8 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage/v3 v3.0.0 github.com/Masterminds/semver/v3 v3.5.0 github.com/MrAlias/otel-schema-utils v0.4.0-alpha github.com/auth0/go-jwt-middleware/v3 v3.2.0 - github.com/aws/aws-sdk-go-v2 v1.41.7 - github.com/aws/aws-sdk-go-v2/config v1.32.17 - github.com/aws/aws-sdk-go-v2/credentials v1.19.16 - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.23 - github.com/aws/aws-sdk-go-v2/service/apigateway v1.40.0 - github.com/aws/aws-sdk-go-v2/service/autoscaling v1.66.2 - github.com/aws/aws-sdk-go-v2/service/cloudfront v1.64.0 - github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.57.0 - github.com/aws/aws-sdk-go-v2/service/directconnect v1.38.17 - github.com/aws/aws-sdk-go-v2/service/dynamodb v1.57.3 - github.com/aws/aws-sdk-go-v2/service/ec2 v1.303.0 - github.com/aws/aws-sdk-go-v2/service/ecs v1.80.0 - github.com/aws/aws-sdk-go-v2/service/efs v1.41.16 - github.com/aws/aws-sdk-go-v2/service/eks v1.84.0 - github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.25 - github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.12 - github.com/aws/aws-sdk-go-v2/service/iam v1.53.10 - github.com/aws/aws-sdk-go-v2/service/kms v1.52.0 - github.com/aws/aws-sdk-go-v2/service/lambda v1.90.1 - github.com/aws/aws-sdk-go-v2/service/networkfirewall v1.60.1 - github.com/aws/aws-sdk-go-v2/service/networkmanager v1.42.0 - github.com/aws/aws-sdk-go-v2/service/rds v1.118.2 - github.com/aws/aws-sdk-go-v2/service/route53 v1.62.7 - 
github.com/aws/aws-sdk-go-v2/service/s3 v1.101.0 - github.com/aws/aws-sdk-go-v2/service/sns v1.39.17 - github.com/aws/aws-sdk-go-v2/service/sqs v1.42.27 - github.com/aws/aws-sdk-go-v2/service/ssm v1.68.6 - github.com/aws/aws-sdk-go-v2/service/sts v1.42.1 - github.com/aws/smithy-go v1.25.1 + github.com/aws/aws-sdk-go-v2 v1.41.8 + github.com/aws/aws-sdk-go-v2/config v1.32.19 + github.com/aws/aws-sdk-go-v2/credentials v1.19.18 + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.24 + github.com/aws/aws-sdk-go-v2/service/apigateway v1.40.1 + github.com/aws/aws-sdk-go-v2/service/autoscaling v1.66.3 + github.com/aws/aws-sdk-go-v2/service/cloudfront v1.64.1 + github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.57.1 + github.com/aws/aws-sdk-go-v2/service/directconnect v1.38.18 + github.com/aws/aws-sdk-go-v2/service/dynamodb v1.57.5 + github.com/aws/aws-sdk-go-v2/service/ec2 v1.304.1 + github.com/aws/aws-sdk-go-v2/service/ecs v1.81.1 + github.com/aws/aws-sdk-go-v2/service/efs v1.41.17 + github.com/aws/aws-sdk-go-v2/service/eks v1.84.1 + github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.26 + github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.13 + github.com/aws/aws-sdk-go-v2/service/iam v1.53.11 + github.com/aws/aws-sdk-go-v2/service/kms v1.52.1 + github.com/aws/aws-sdk-go-v2/service/lambda v1.90.2 + github.com/aws/aws-sdk-go-v2/service/networkfirewall v1.61.1 + github.com/aws/aws-sdk-go-v2/service/networkmanager v1.42.1 + github.com/aws/aws-sdk-go-v2/service/rds v1.118.3 + github.com/aws/aws-sdk-go-v2/service/route53 v1.62.8 + github.com/aws/aws-sdk-go-v2/service/s3 v1.102.1 + github.com/aws/aws-sdk-go-v2/service/sns v1.39.18 + github.com/aws/aws-sdk-go-v2/service/sqs v1.42.28 + github.com/aws/aws-sdk-go-v2/service/ssm v1.68.7 + github.com/aws/aws-sdk-go-v2/service/sts v1.42.2 + github.com/aws/smithy-go v1.26.0 github.com/cenkalti/backoff/v5 v5.0.3 github.com/charmbracelet/glamour v0.10.0 github.com/coder/websocket v1.8.14 
@@ -159,8 +159,8 @@ require ( golang.org/x/sync v0.20.0 golang.org/x/text v0.37.0 gonum.org/v1/gonum v0.17.0 - google.golang.org/api v0.280.0 - google.golang.org/genproto/googleapis/rpc v0.0.0-20260519071638-aa98bba5eb94 + google.golang.org/api v0.282.0 + google.golang.org/genproto/googleapis/rpc v0.0.0-20260526163538-3dc84a4a5aaa google.golang.org/grpc v1.81.1 google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af gopkg.in/ini.v1 v1.67.2 @@ -178,15 +178,13 @@ require ( atomicgo.dev/schedule v0.1.0 // indirect cel.dev/expr v0.25.1 // indirect cloud.google.com/go v0.123.0 // indirect - cloud.google.com/go/longrunning v0.9.0 // indirect + cloud.google.com/go/longrunning v1.0.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.12.0 // indirect - github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.1 // indirect - github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/v3 v3.0.1 // indirect - github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.7.0 // indirect github.com/BurntSushi/toml v1.4.0 // indirect github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0 // indirect - github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.55.0 // indirect - github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.55.0 // indirect + github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.56.0 // indirect + github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.56.0 // indirect github.com/ProtonMail/go-crypto v1.4.1 // indirect github.com/agext/levenshtein v1.2.3 // indirect github.com/alecthomas/chroma/v2 v2.16.0 // indirect 
@@ -197,17 +195,17 @@ require ( github.com/apache/arrow/go/v15 v15.0.2 // indirect github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.10 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.23 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.23 // indirect - github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.24 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.24 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.24 // indirect + github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.25 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.15 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.11.23 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.23 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.23 // indirect - github.com/aws/aws-sdk-go-v2/service/signin v1.0.11 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.30.17 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.21 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.17 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.12.1 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.24 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.24 // indirect + github.com/aws/aws-sdk-go-v2/service/signin v1.1.0 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.30.18 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.36.1 // indirect github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect github.com/aymerick/douceur v0.2.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect 
@@ -249,7 +247,7 @@ require ( github.com/google/go-cmp v0.7.0 // indirect github.com/google/go-tpm v0.9.8 // indirect github.com/google/s2a-go v0.1.9 // indirect - github.com/googleapis/enterprise-certificate-proxy v0.3.15 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.3.16 // indirect github.com/gookit/color v1.6.0 // indirect github.com/gorilla/css v1.0.1 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect @@ -350,7 +348,7 @@ require ( golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect google.golang.org/appengine v1.6.8 // indirect google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20260526163538-3dc84a4a5aaa // indirect gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect k8s.io/klog/v2 v2.140.0 // indirect diff --git a/go.sum b/go.sum index fd447e54..2e79251b 100644 --- a/go.sum +++ b/go.sum 
@@ -26,20 +26,20 @@ cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIi cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c= cloud.google.com/go/bigquery v1.77.0 h1:L5AW3jhzEKpFVg4i0mVHxKpxogrqT7dczWBSr4m9MKU= cloud.google.com/go/bigquery v1.77.0/go.mod h1:J4wuqka/1hEpdJxH2oBrUR0vjTD+r7drGkpcA3yqERM= -cloud.google.com/go/bigtable v1.47.0 h1:NGLgDSr/i79BTGCjxH/maPKxyvl5q8/SsBsyLK52kdI= -cloud.google.com/go/bigtable v1.47.0/go.mod h1:GUM6PdkG3rrDse9kugqvX5+ktwo3ldfLtLi1VFn5Wj4= +cloud.google.com/go/bigtable v1.48.0 h1:+K6difi14hvfuh+19tvWVkvD6zYjN5mc3rJ1+q8ETyw= +cloud.google.com/go/bigtable v1.48.0/go.mod h1:6TjVhBmzk7N01MZwjxn/YsSnlaw96AYzsFDYhfyBqDs= cloud.google.com/go/certificatemanager v1.14.0 h1:31fCXgMFDLSXh9HeF2M6hLE+dPF/1UFyIJXLmqpr41g= cloud.google.com/go/certificatemanager v1.14.0/go.mod h1:QOA8qRoM6/Ik03+srLnBykenGTy0fk78dnPcx5ZWOW8= -cloud.google.com/go/compute v1.63.0 h1:KsBourH0wajM4RhzwPwRMKbxHVdvzGsk7StvACoWXD8= -cloud.google.com/go/compute v1.63.0/go.mod h1:Xm6PbsLgBpAg4va77ljbBdpMjzuU+uPp5Ze2dnZq7lw= +cloud.google.com/go/compute v1.64.0 h1:7MmuzeAxlG5MOG5PQD2NLtyYR6bWjkvGljRu7pByoRU= +cloud.google.com/go/compute v1.64.0/go.mod h1:eHhcRZ6vf70fQCS3VEsiWSh+nQ+tLvSMb7mwLQskgN0= cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs= cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10= cloud.google.com/go/container v1.52.0 h1:oAkZciqdQ+xpP29pa5UJfsBBvcWrNNgKsWvraoz9Ajk= cloud.google.com/go/container v1.52.0/go.mod h1:EvqoT2eXfxLweXXUlhAMGR0sOAB00XPzEjoL01esSDs= cloud.google.com/go/datacatalog v1.27.0 h1:AnghhtHKCqYIe62gTPHcn9nJr5jtxjZHV4D/Fob23gg= cloud.google.com/go/datacatalog v1.27.0/go.mod h1:YTI11pFlC5HCj4CphEf+qWCy/z9udd7o0HVN6c2Povg= -cloud.google.com/go/dataplex v1.34.0 h1:WXf+qC/Qhrq6B91HoXYcZJEv1nrLkFpM0HV+JX2SdPs= -cloud.google.com/go/dataplex v1.34.0/go.mod 
h1:sOazL+Bs/PTxiMHQ5yBboBvEW9qPrpGogx3+RAgfIt8= +cloud.google.com/go/dataplex v1.35.0 h1:EKEhiy/SGYwCH2DZ2r8JEFq1Hx+x+fjJZXRDY3rgPEk= +cloud.google.com/go/dataplex v1.35.0/go.mod h1:B7AFwXU1u3sp7FVQ3IFYnQguGTycJS2mF1voE0lLe1o= cloud.google.com/go/dataproc/v2 v2.22.0 h1:ypUlQKOHMHGv8FQCCNYd0XyM6tAaMDdbcSFBcjYWhbg= cloud.google.com/go/dataproc/v2 v2.22.0/go.mod h1:oARVSa38kAHvSuG+cozsrY2sE6UajGuvOOf9vS+ADHI= cloud.google.com/go/eventarc v1.23.0 h1:/EUAdoBWSlqQRbpQYTV2Msmg4esw3Mum3tEU7zkhLi4= @@ -54,8 +54,8 @@ cloud.google.com/go/kms v1.31.0 h1:LS8N92OxFDgOLg5NCo3OmbvjtQAIVT5gUHVLKIDHaFE= cloud.google.com/go/kms v1.31.0/go.mod h1:YIyXZym11R5uovJJt4oN5eUL3oPmirF3yKeIh6QAf4U= cloud.google.com/go/logging v1.18.0 h1:KhzZq+1cSkPH9YUaKLLhLtQxIHitVayBmk0sGfoM9+k= cloud.google.com/go/logging v1.18.0/go.mod h1:ZGKnpBaURITh+g/uom2VhbiFoFWvejcrHPDhxFtU/gI= -cloud.google.com/go/longrunning v0.9.0 h1:0EzbDEGsAvOZNbqXopgniY0w0a1phvu5IdUFq8grmqY= -cloud.google.com/go/longrunning v0.9.0/go.mod h1:pkTz846W7bF4o2SzdWJ40Hu0Re+UoNT6Q5t+igIcb8E= +cloud.google.com/go/longrunning v1.0.0 h1:lwzWEYD8+NkYV7dhexOz6kmlvajZA70+bW/xMhRVVdY= +cloud.google.com/go/longrunning v1.0.0/go.mod h1:8nqFBPOO1U/XkhWl0I19AMZEphrHi73VNABIpKYaTwM= cloud.google.com/go/monitoring v1.29.0 h1:AHhDsFaSax1/4k+qlIDX/SDGe6hggnfXJ9dkgD9qBPY= cloud.google.com/go/monitoring v1.29.0/go.mod h1:72NOVjJXHY/HBfoLT0+qlCZBT059+9VXLeAnL2PeeVM= cloud.google.com/go/networksecurity v0.16.0 h1:ONJ1NxuE30yoelpruxZmED1LPToWIGmUn8+jdJY4NHQ= 
@@ -92,8 +92,8 @@ github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+ github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8= github.com/Azure/azure-sdk-for-go/sdk/internal v1.12.0 h1:fhqpLE3UEXi9lPaBRpQ6XuRW0nU7hgg4zlmZZa+a9q4= github.com/Azure/azure-sdk-for-go/sdk/internal v1.12.0/go.mod h1:7dCRMLwisfRH3dBupKeNCioWYUZ4SS09Z14H+7i8ZoY= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.2 h1:qiir/pptnHqp6hV8QwV+IExYIf6cPsXBfUDUXQ27t2Y= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.2/go.mod h1:jVRrRDLCOuif95HDYC23ADTMlvahB7tMdl519m9Iyjc= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.3 h1:puJogXZNILDxFHrXTSgjF9P7lgJkr37hr31h5r7CC7I= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.3/go.mod h1:ZCM0BEa95+Ov7zRyPZS40SY1pFANErtVgERanZHtgcg= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/batch/armbatch/v4 v4.0.0 h1:KBRoKIQlg79mFK5LRndDGPrCDGRl2xyFr/vG8afLGys= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/batch/armbatch/v4 v4.0.0/go.mod h1:w+PG/dv/phWHlE3OIKWa4CAITETZ52D8qznRGMbduPA= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v7 v7.3.0 h1:nyxugFxG2uhbMeJVCFFuD2j9wu+6KgeabITdINraQsE= 
@@ -106,8 +106,8 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/elasticsan/armelasticsan v github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/elasticsan/armelasticsan v1.2.0/go.mod h1:bXxc3uCnIUCh68pl4njcH45qUgRuR0kZfR6v06k18/A= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v2 v2.0.0 h1:PTFGRSlMKCQelWwxUyYVEUqseBJVemLyqWJjvMyt0do= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v2 v2.0.0/go.mod h1:LRr2FzBTQlONPPa5HREE5+RjSCTXl7BwOvYOaWTqCaI= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.1 h1:1kpY4qe+BGAH2ykv4baVSqyx+AY5VjXeJ15SldlU6hs= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.1/go.mod h1:nT6cWpWdUt+g81yuKmjeYPUtI73Ak3yQIT4PVVsCEEQ= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.2.0 h1:+lnLQhKh3cgSOIOVH61UZ3s/l9d+bAZp5d/spt1+7UI= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.2.0/go.mod h1:tStOHrivWUrcBolspvKV70Us1ckESYGYSHdG4LX8zyY= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/v2 v2.0.2 h1:O2iuZYGa1nIMDk2uAFR0F7hDALVXMvz8Zwarz6itQ3E= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/v2 v2.0.2/go.mod h1:7t88hsh6P4xqFM9uzaMX2qYfVsqDFkgFR4qdIX/OP+U= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/maintenance/armmaintenance v1.3.0 h1:rx/pIYQIlCjb+n7TzMyFUzIJYb+d0Gi7Vh+ozA0fSJA= 
@@ -124,32 +124,32 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/postgresql/armpostgresqlfl github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/postgresql/armpostgresqlflexibleservers/v5 v5.0.0/go.mod h1:EHRrmrnS2Q8fB3+DE30TTk04JLqjui5ZJEF7eMVQ2/M= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 h1:yzrctSl9GMIQ5lHu7jc8olOsGjWDCsBpJhWqfGa/YIM= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0/go.mod h1:GE4m0rnnfwLGX0Y9A9A25Zx5N/90jneT5ABevqzhuFQ= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armdeployments v0.2.0 h1:bYq3jfB2x36hslKMHyge3+esWzROtJNk/4dCjsKlrl4= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armdeployments v0.2.0/go.mod h1:fewgRjNVE84QVVh798sIMFb7gPXPp7NmnekGnboSnXk= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armdeployments v1.0.0 h1:67nFqWXpo0x5Nz0XEb1yI7s8D+EHy8NsTinYw9sZnLk= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armdeployments v1.0.0/go.mod h1:fewgRjNVE84QVVh798sIMFb7gPXPp7NmnekGnboSnXk= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0 h1:Dd+RhdJn0OTtVGaeDLZpcumkIVCtA/3/Fo42+eoYvVM= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0/go.mod h1:5kakwfW5CjC9KK+Q4wjXAg+ShuIm2mBMua0ZFj2C8PE= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/v2 v2.1.0 h1:seyVIpxalxYmfjoo8MB4rRzWaobMG+KJ2+MAUrEvDGU= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/v2 v2.1.0/go.mod h1:M3QD7IyKZBaC4uAKjitTOSOXdcPC6JS1A9oOW3hYjbQ= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/v3 v3.0.1 h1:guyQA4b8XB2sbJZXzUnOF9mn0WDBv/ZT7me9wTipKtE= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/v3 v3.0.1/go.mod h1:8h8yhzh9o+0HeSIhUxYny+rEQajScrfIpNktvgYG3Q8= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/sql/armsql/v2 v2.0.0-beta.7 
h1:SLsVdG/8T65poVMw5ZJtI/dUL7iIwvbkq+koqmWdmu8= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/sql/armsql/v2 v2.0.0-beta.7/go.mod h1:l9kSL5eB+KdZ2aovhkUYwyZE7oQwTEqVCxnpNKChi1U= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/sql/armsql/v2 v2.0.0-beta.8 h1:X5wmqo6zK8gS5sV6UmKbtH5MZCJghpY5QbtAspM2Vuo= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/sql/armsql/v2 v2.0.0-beta.8/go.mod h1:SgutGqhIddBTH0bzLUG6rkzXieokCtf4TgPBtCSUKTI= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage/v3 v3.0.0 h1:tqGq5xt/rNU57Eb52rf6bvrNWoKPSwLDVUQrJnF4C5U= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage/v3 v3.0.0/go.mod h1:HfDdtu9K0iFBSMMxFsHJPkAAxFWd2IUOW8HU8kEdF3Y= github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM= github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE= -github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs= -github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk= +github.com/AzureAD/microsoft-authentication-library-for-go v1.7.0 h1:4iB+IesclUXdP0ICgAabvq2FYLXrJWKx1fJQ+GxSo3Y= +github.com/AzureAD/microsoft-authentication-library-for-go v1.7.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk= github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0= github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0 h1:DHa2U07rk8syqvCge0QIGMCE1WxGj9njT44GH7zNJLQ= github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0/go.mod h1:P4WPRUkOhJC13W//jWpyfJNDAIpvRbAUIYLX/4jtlE0= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.55.0 
h1:UnDZ/zFfG1JhH/DqxIZYU/1CUAlTUScoXD/LcM2Ykk8= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.55.0/go.mod h1:IA1C1U7jO/ENqm/vhi7V9YYpBsp+IMyqNrEN94N7tVc= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.55.0 h1:7t/qx5Ost0s0wbA/VDrByOooURhp+ikYwv20i9Y07TQ= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.55.0/go.mod h1:vB2GH9GAYYJTO3mEn8oYwzEdhlayZIdQz6zdzgUIRvA= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.55.0 h1:0s6TxfCu2KHkkZPnBfsQ2y5qia0jl3MMrmBhu3nCOYk= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.55.0/go.mod h1:Mf6O40IAyB9zR/1J8nGDDPirZQQPbYJni8Yisy7NTMc= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.56.0 h1:O2sXMyJh8b7devAGdE+163xtRurt0RVpB6DIzX5vGfg= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.56.0/go.mod h1:hEpiGU18xf70qb3jbTcIggWAiEfX/cOIVc2OTe4OegA= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.56.0 h1:ZIT85vKP7LBS84XJ0WdJ3dPOX3iz4j3c0+lpajGQMyo= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.56.0/go.mod h1:rqP9UEhOXv9WhQ7Gjz+G5y/pf8+BJZW5/Ts0AhE0PwE= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.56.0 h1:0YP0+/ixwu+Uqeu/FGiBZNQ19huiUxxiPXIc9WsLKuQ= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.56.0/go.mod h1:6ZZMQhZKDvUvkJw2rc+oDP90tMMzuU/J+5HG1ZmPOmE= github.com/MarvinJWendt/testza v0.5.2 h1:53KDo64C1z/h/d/stCYCPY69bt/OSwjq5KpFNwi+zB4= github.com/MarvinJWendt/testza v0.5.2/go.mod h1:xu53QFE5sCdjtMCKk8YMQ2MnymimEctc4n3EjyIYvEY= github.com/Masterminds/semver/v3 v3.5.0 h1:kQceYJfbupGfZOKZQg0kou0DgAKhzDg2NZPAwZ/2OOE= 
@@ -183,88 +183,88 @@ github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4= github.com/auth0/go-jwt-middleware/v3 v3.2.0 h1:OP0/YH89A+w03zOjuRPPgKh5S+1+uAmY/vtllYUSWCM= github.com/auth0/go-jwt-middleware/v3 v3.2.0/go.mod h1:/f0hy3exUWxL7/4XJ1oSHBDSBf2Os2C1VT2RkQ9frs0= -github.com/aws/aws-sdk-go-v2 v1.41.7 h1:DWpAJt66FmnnaRIOT/8ASTucrvuDPZASqhhLey6tLY8= -github.com/aws/aws-sdk-go-v2 v1.41.7/go.mod h1:4LAfZOPHNVNQEckOACQx60Y8pSRjIkNZQz1w92xpMJc= +github.com/aws/aws-sdk-go-v2 v1.41.8 h1:sRs7nG6/RiEBZ/K5UO2sNw0w40U02Nmz1VtARloTZXk= +github.com/aws/aws-sdk-go-v2 v1.41.8/go.mod h1:4LAfZOPHNVNQEckOACQx60Y8pSRjIkNZQz1w92xpMJc= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.10 h1:gx1AwW1Iyk9Z9dD9F4akX5gnN3QZwUB20GGKH/I+Rho= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.10/go.mod h1:qqY157uZoqm5OXq/amuaBJyC9hgBCBQnsaWnPe905GY= -github.com/aws/aws-sdk-go-v2/config v1.32.17 h1:FpL4/758/diKwqbytU0prpuiu60fgXKUWCpDJtApclU= -github.com/aws/aws-sdk-go-v2/config v1.32.17/go.mod h1:OXqUMzgXytfoF9JaKkhrOYsyh72t9G+MJH8mMRaexOE= -github.com/aws/aws-sdk-go-v2/credentials v1.19.16 h1:r3RJBuU7X9ibt8RHbMjWE6y60QbKBiII6wSrXnapxSU= -github.com/aws/aws-sdk-go-v2/credentials v1.19.16/go.mod h1:6cx7zqDENJDbBIIWX6P8s0h6hqHC8Avbjh9Dseo27ug= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.23 h1:UuSfcORqNSz/ey3VPRS8TcVH2Ikf0/sC+Hdj400QI6U= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.23/go.mod h1:+G/OSGiOFnSOkYloKj/9M35s74LgVAdJBSD5lsFfqKg= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.23 h1:GpT/TrnBYuE5gan2cZbTtvP+JlHsutdmlV2YfEyNde0= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.23/go.mod h1:xYWD6BS9ywC5bS3sz9Xh04whO/hzK2plt2Zkyrp4JuA= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.23 h1:bpd8vxhlQi2r1hiueOw02f/duEPTMK59Q4QMAoTTtTo= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.23/go.mod 
h1:15DfR2nw+CRHIk0tqNyifu3G1YdAOy68RftkhMDDwYk= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.24 h1:OQqn11BtaYv1WLUowvcA30MpzIu8Ti4pcLPIIyoKZrA= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.24/go.mod h1:X5ZJyfwVrWA96GzPmUCWFQaEARPR7gCrpq2E92PJwAE= -github.com/aws/aws-sdk-go-v2/service/apigateway v1.40.0 h1:+s2yzvSERu63KCzhRQopwqfKcOYKMbP1LAw0RgR2PRM= -github.com/aws/aws-sdk-go-v2/service/apigateway v1.40.0/go.mod h1:MwilTAruv11x8EFjsk1R0VfjMdCxB6JHVtanCqsTR5o= -github.com/aws/aws-sdk-go-v2/service/autoscaling v1.66.2 h1:pPd+/Ujqf2+DmPOdB47EN7ox1iC21lu2zlOccUlfHeo= -github.com/aws/aws-sdk-go-v2/service/autoscaling v1.66.2/go.mod h1:b3XHAIEe5I9cmeZ9MLvUqj5DRWcBuh1/hpKDPb7T6KE= -github.com/aws/aws-sdk-go-v2/service/cloudfront v1.64.0 h1:a6XmNe8cAvfrXVKwjXzWl9HHtuyE/n4kBroNm2mSOyo= -github.com/aws/aws-sdk-go-v2/service/cloudfront v1.64.0/go.mod h1:brhMG/gR2xEB5lezxL2Cx+hqsEzGUn4LhNUtu7+ePFE= -github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.57.0 h1:dlkFtYOrwOuM7IIBD6FPLtt0Xvnph+8hqmmbzyowkCk= -github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.57.0/go.mod h1:7900IH3EvTrwNGLNx3QDKnQwPF/Cw+pD9cuvBDQ4org= -github.com/aws/aws-sdk-go-v2/service/directconnect v1.38.17 h1:fkeDjhbAy9ddanOVlxP2vnY2dbTxA8HL+DdV9HezVSs= -github.com/aws/aws-sdk-go-v2/service/directconnect v1.38.17/go.mod h1:kzj2OFWYl3uGXBkincAArVPtSG8QwXJRfCL8+Ztsw9o= -github.com/aws/aws-sdk-go-v2/service/dynamodb v1.57.3 h1:XgjzLEE8CrNYnr4Xmi1W5PfKsKMjp4Pu1rWkJNO43JI= -github.com/aws/aws-sdk-go-v2/service/dynamodb v1.57.3/go.mod h1:r7sfLXEN8RUA89tAHy1E7lCtVOOWIkqVy/FbnUdxW1E= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.303.0 h1:qkTLlFVQDSk0tbOqn49pxZjIVY2jy3n0FBXh+PphNkk= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.303.0/go.mod h1:Y95W0Hm6FYLPa6o0hbnJ+sWgmdc4ifcLFjGkdobWVhY= -github.com/aws/aws-sdk-go-v2/service/ecs v1.80.0 h1:orZYOYtvYU7A45XTWC/UchWSkkdWjOyXi8MYksnmQf0= -github.com/aws/aws-sdk-go-v2/service/ecs v1.80.0/go.mod h1:TIKZ9zIFS6W2k9FeW+r5sGVnlxp+aUt9oQ/St3Suj1o= 
-github.com/aws/aws-sdk-go-v2/service/efs v1.41.16 h1:qHmh61/S6g+scI9M4U3XYivCiEp1tUadKgyrczuLJpM= -github.com/aws/aws-sdk-go-v2/service/efs v1.41.16/go.mod h1:Q7WcY1H6krqZEnFyxyuzfLAnEad1Q69U4CrBbY4P2Fg= -github.com/aws/aws-sdk-go-v2/service/eks v1.84.0 h1:U9HMTDPdZtkCOTE8ACbHQJmXGBKP7/mBds7M1JbUZH0= -github.com/aws/aws-sdk-go-v2/service/eks v1.84.0/go.mod h1:JQcyECIV9iZHm+GMrWn1pTPTJYRavOVsqPvlCbjt+Fg= -github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.25 h1:VzmoYPRbNSUqk3pA04ZyGZUg52yfX259XXRqwr1lns4= -github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.25/go.mod h1:r7chQGimOmFs4oqawhO+i+o3ez2l69rzAco5KTb7bjY= -github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.12 h1:TJXv7kZjdXA2maPDaJFFEQPBrPmvPtMybN3qYDOpJ4Y= -github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.12/go.mod h1:lwjtb9DHOAmNt7EUW68Zd1Qd+cPyFxacXHN5c9JZ2VY= -github.com/aws/aws-sdk-go-v2/service/iam v1.53.10 h1:kcN3I3llO7VwIY5w3Pc5FmEonpsr23Ou7Cwk4qf7dik= -github.com/aws/aws-sdk-go-v2/service/iam v1.53.10/go.mod h1:1vkJzjCYC3byO0kIrBqLPzvZpuvYhPXkuyARs6E7tM4= +github.com/aws/aws-sdk-go-v2/config v1.32.19 h1:qRhIJMbevHUvIE7X4TK8N8zye5+5AhapcslPrvB+qKE= +github.com/aws/aws-sdk-go-v2/config v1.32.19/go.mod h1:RbJ24nfoya63+Mf5VI+CGCGk9vEdv28xPeii+gojRYs= +github.com/aws/aws-sdk-go-v2/credentials v1.19.18 h1:GcXQz2M/0ZvMo0v5DakUqbDBeBM1ZNaivkolEF4Esgw= +github.com/aws/aws-sdk-go-v2/credentials v1.19.18/go.mod h1:sHJ06tMGcD3ZpmMyJqV+VBsGilhSIZPIN+ZFy5Dg0C4= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.24 h1:FQm5ApnyzkuJdXLGskPce83CK1CQKC4RUnIHKVe4BU4= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.24/go.mod h1:JsC7dqQc55MlZ5mvNsDMMge71u8pVcSzU3RNz2h/5yQ= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.24 h1:u6kJU2i0va1AgtJsH3RdWKWqHULlTh7zHwb35Womf74= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.24/go.mod h1:7GY+xLcXOFUpCkNwDReft9qOAVg54A4/AnjHIU7sSAY= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.24 
h1:Xhbcf3KugX6vX7SDyUK205Oicyfg7EGuvoVNyP5L6DM= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.24/go.mod h1:rwDgb2HNOGZsnTHylOUedM7Vnl+bCfnXDqUNPsFWYfk= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.25 h1:54CTMmlJ71Rk2dYvM9qZOob+39wjlVja2zDLxCu69Ew= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.25/go.mod h1:BZaHqxsS9vN1fvV5EfEl0OBLOk5+AajWsMu6MjqnZB4= +github.com/aws/aws-sdk-go-v2/service/apigateway v1.40.1 h1:t2zoClYnI9AHqxyV/lmECGAwz1gx2leWUF5v85MnEH0= +github.com/aws/aws-sdk-go-v2/service/apigateway v1.40.1/go.mod h1:nzQqqeubg1kjVdwEW+7aSs/Nvp6AC2lAX9UQFHt4U6c= +github.com/aws/aws-sdk-go-v2/service/autoscaling v1.66.3 h1:3ZLIDyYYWWxnxdt4EjbgHL6PQlnkiwKAJV4eSQv03ZY= +github.com/aws/aws-sdk-go-v2/service/autoscaling v1.66.3/go.mod h1:H5gqqRutsdQYgHMlFiqf6t3cmm98xRJwB0zzHc6vqzQ= +github.com/aws/aws-sdk-go-v2/service/cloudfront v1.64.1 h1:ZTPq5RiymFaH+UoFz0fRV2/mszi8QMXPU/OWr3uxigo= +github.com/aws/aws-sdk-go-v2/service/cloudfront v1.64.1/go.mod h1:gaGjhyTtT7wcnc7SIPC1+hACSRMQV7VRN8ACY6khGOc= +github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.57.1 h1:i4i1wpCbEiFsge84hmvuLHpBCdhgfoAJTfDpPMr+sZA= +github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.57.1/go.mod h1:751oDslfSNqbjCBSZYZKOvXl8Pbx9soAk2nISFo9sN0= +github.com/aws/aws-sdk-go-v2/service/directconnect v1.38.18 h1:aaZ+da2nGV0D4iSHdb36I7gqY354gfKXh/RItrHfLOE= +github.com/aws/aws-sdk-go-v2/service/directconnect v1.38.18/go.mod h1:7+LEXCl28CUDCuRgcmXUCL2G335G1zmXjOnmkQDKH2Q= +github.com/aws/aws-sdk-go-v2/service/dynamodb v1.57.5 h1:8dBj9DoTg1rNP/n5FC13c7zc97hx6Urc+jT+iSC7PVA= +github.com/aws/aws-sdk-go-v2/service/dynamodb v1.57.5/go.mod h1:cFa8ItF/dcfex+Op4D0oWbZePIq1ljmrAOAGlEQyGHo= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.304.1 h1:ViHXq1M38VYp2KuxM9Gcwohp9fwlpJ1noliwTmHcRFk= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.304.1/go.mod h1:+AkYu92PhPD3Utfj3ruK5hGpQF0OHm8ffj10X2T+ufE= +github.com/aws/aws-sdk-go-v2/service/ecs v1.81.1 h1:LyyVqeXzra+cPw0BGloOuowJCTvl6joUAxOgs3+lxNQ= 
+github.com/aws/aws-sdk-go-v2/service/ecs v1.81.1/go.mod h1:0Lg4lqs9OzRR/Ne8x/rQnRi7qe4LLPnLch/VhqmFPRc= +github.com/aws/aws-sdk-go-v2/service/efs v1.41.17 h1:0RViZJ5P2Tpm8OSTGFMVRJHDP6dhY0LKcYB/G99Reb4= +github.com/aws/aws-sdk-go-v2/service/efs v1.41.17/go.mod h1:epIbYreyUL7HvPdLyEGpao66ZKaeafXHAXuWdB3Oass= +github.com/aws/aws-sdk-go-v2/service/eks v1.84.1 h1:v3IeM72tqpk3LGx+PCPEP2IP8SsBwdIimDRpk+RcAvc= +github.com/aws/aws-sdk-go-v2/service/eks v1.84.1/go.mod h1:4KiCxT4w134foeUz8N5tKJBNaKMBw62nYTsr9ewDVP4= +github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.26 h1:4dwPvA64UPjLWC7m3yrdWeRVdvPDKPbqyBrH5n9NJKM= +github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.26/go.mod h1:Xct3NIOlINw4osqGbz1ryjxo5+Hro1YpY2xyZ426JYc= +github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.13 h1:buH8t6gaixz7eOUZT80GGgG/DZaUlsE/C/Tm8geXI18= +github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.13/go.mod h1:m5G75JYjHbUd9ojxhN36A2Z4hoYRQZ4aOApHJZfGsMA= +github.com/aws/aws-sdk-go-v2/service/iam v1.53.11 h1:xt4JHLHBQonQXApaYfS0FvdIeALRuaN/aUWxM+4RNSo= +github.com/aws/aws-sdk-go-v2/service/iam v1.53.11/go.mod h1:VkuYu8oSpQAx+hKNFvJqqei6/PACzkpqVdM6ylo0scg= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9 h1:FLudkZLt5ci0ozzgkVo8BJGwvqNaZbTWb3UcucAateA= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9/go.mod h1:w7wZ/s9qK7c8g4al+UyoF1Sp/Z45UwMGcqIzLWVQHWk= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.15 h1:ieLCO1JxUWuxTZ1cRd0GAaeX7O6cIxnwk7tc1LsQhC4= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.15/go.mod h1:e3IzZvQ3kAWNykvE0Tr0RDZCMFInMvhku3qNpcIQXhM= -github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.11.23 h1:3Eo/PBBnjFi1+gYfaL286dpmFSW3mTfodBIybq36Qv4= -github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.11.23/go.mod h1:3oh+5xGSd1iuxonVb3Qbm+WJYlbhczT9kbzr6doJLzY= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.23 
h1:pbrxO/kuIwgEsOPLkaHu0O+m4fNgLU8B3vxQ+72jTPw= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.23/go.mod h1:/CMNUqoj46HpS3MNRDEDIwcgEnrtZlKRaHNaHxIFpNA= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.23 h1:03xatSQO4+AM1lTAbnRg5OK528EUg744nW7F73U8DKw= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.23/go.mod h1:M8l3mwgx5ToK7wot2sBBce/ojzgnPzZXUV445gTSyE8= -github.com/aws/aws-sdk-go-v2/service/kms v1.52.0 h1:QNtg+Mtj1zmepk568+UKBD5DFfqh+ESTUUqQT27JkQc= -github.com/aws/aws-sdk-go-v2/service/kms v1.52.0/go.mod h1:Y0+uxvxz6ib4KktRdK0V4X45Vcs/JyYoz8H71pO8xeI= -github.com/aws/aws-sdk-go-v2/service/lambda v1.90.1 h1:odCeJgHXfQoXEWQUIzPkKvsJTWcLMsaOWowNpovPFFw= -github.com/aws/aws-sdk-go-v2/service/lambda v1.90.1/go.mod h1:NbtJVztitG7JkuoI4GSrDUlsB32zeXqKBvXj6bUxcMo= -github.com/aws/aws-sdk-go-v2/service/networkfirewall v1.60.1 h1:acbBwzoZSM3oet/FcUNddED5V7zBauXiRxsD2NJcD70= -github.com/aws/aws-sdk-go-v2/service/networkfirewall v1.60.1/go.mod h1:oWCet/AjsuKhMkvcXOGEeS2QmssLJX1UmX2SiKCEsFM= -github.com/aws/aws-sdk-go-v2/service/networkmanager v1.42.0 h1:xWEOUBxKqNCR3qkUsmYOPUyW7ZlyWzKX6s0f81PW60A= -github.com/aws/aws-sdk-go-v2/service/networkmanager v1.42.0/go.mod h1:x0O7AHep2gwquyfW6gmNql2OM4LEloyJGFflJfEJV+U= -github.com/aws/aws-sdk-go-v2/service/rds v1.118.2 h1:pkEeQneYFpTAnGhyqSbyp/DlCPPJTGt0GkWahlLYzMA= -github.com/aws/aws-sdk-go-v2/service/rds v1.118.2/go.mod h1:7gS+cGrKF0mH253QHFlStmx79ws+DlNk+04ZRfmw3U0= -github.com/aws/aws-sdk-go-v2/service/route53 v1.62.7 h1:twRRMmtSITnt/rrp+D7UDLzE5pKMZe759aalkUdN+OY= -github.com/aws/aws-sdk-go-v2/service/route53 v1.62.7/go.mod h1:ztM1lr+sRoCAI8336ZUvlRPbToue0d3gE/wd6jomSJ8= -github.com/aws/aws-sdk-go-v2/service/s3 v1.101.0 h1:etqBTKY581iwLL/H/S2sVgk3C9lAsTJFeXWFDsDcWOU= -github.com/aws/aws-sdk-go-v2/service/s3 v1.101.0/go.mod h1:L2dcoOgS2VSgbPLvpak2NyUPsO1TBN7M45Z4H7DlRc4= -github.com/aws/aws-sdk-go-v2/service/signin v1.0.11 h1:TdJ+HdzOBhU8+iVAOGUTU63VXopcumCOF1paFulHWZc= 
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.11/go.mod h1:R82ZRExE/nheo0N+T8zHPcLRTcH8MGsnR3BiVGX0TwI= -github.com/aws/aws-sdk-go-v2/service/sns v1.39.17 h1:synXIPC/L4Cc489P0XDcrVJzHSLj7krKRpFLalbGM2k= -github.com/aws/aws-sdk-go-v2/service/sns v1.39.17/go.mod h1:4ABZnI23uNK37waIjGwkubnCwGhepIt9x1GvASfljJA= -github.com/aws/aws-sdk-go-v2/service/sqs v1.42.27 h1:QgaWXVmNDxv/U/3UIHfGb7ohvtFgerf/bYcYylj4i8E= -github.com/aws/aws-sdk-go-v2/service/sqs v1.42.27/go.mod h1:8S6ExnLprS0oIeA8ZlHkJUJ0BMpKqnRPws/S0jegTqQ= -github.com/aws/aws-sdk-go-v2/service/ssm v1.68.6 h1:0LPJjbSNEDHidGOXa0LfvSVbdn9/GdlJUQTgE0kFpso= -github.com/aws/aws-sdk-go-v2/service/ssm v1.68.6/go.mod h1:SrZAopBP5/lyQ6NBVXKlRp8wPIXhzBCZU98sEozmv8Y= -github.com/aws/aws-sdk-go-v2/service/sso v1.30.17 h1:7byT8HUWrgoRp6sXjxtZwgOKfhss5fW6SkLBtqzgRoE= -github.com/aws/aws-sdk-go-v2/service/sso v1.30.17/go.mod h1:xNWknVi4Ezm1vg1QsB/5EWpAJURq22uqd38U8qKvOJc= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.21 h1:+1Kl1zx6bWi4X7cKi3VYh29h8BvsCoHQEQ6ST9X8w7w= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.21/go.mod h1:4vIRDq+CJB2xFAXZ+YgGUTiEft7oAQlhIs71xcSeuVg= -github.com/aws/aws-sdk-go-v2/service/sts v1.42.1 h1:F/M5Y9I3nwr2IEpshZgh1GeHpOItExNM9L1euNuh/fk= -github.com/aws/aws-sdk-go-v2/service/sts v1.42.1/go.mod h1:mTNxImtovCOEEuD65mKW7DCsL+2gjEH+RPEAexAzAio= -github.com/aws/smithy-go v1.25.1 h1:J8ERsGSU7d+aCmdQur5Txg6bVoYelvQJgtZehD12GkI= -github.com/aws/smithy-go v1.25.1/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.17 h1:Zma31M1f9bbD/bsl6haTxupA0+z72L3l2ujKAH37zuI= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.17/go.mod h1:ZNHrGwBST3tZxBCTKbindx0BEdPN0Jnh7yJ7EVnktUM= +github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.12.1 h1:7InFIafuKLWUQ3hieU3b23JmEKlFAWIzq9GHmYn4rWA= +github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.12.1/go.mod h1:lfCeSIEwe7jvMcEBKcQ/vVoYK0RNJh1X8pja5GqDQtM= 
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.24 h1:CQW2FTrflfoslYWLf3fv7vG28Q219+v8YJS5QTQb2+Y= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.24/go.mod h1:Xfx13T+u3nH6EEzgl9fBSO6nDRmze1FvnZNYkctQ2zw= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.24 h1:yPLVC8Lbsw92eepgdIZCChHRNQek5eAvAz5wS+UIpJE= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.24/go.mod h1:H2h39H1AivHYkozUIUYoVJGMUOvdJ4Lv9DLyUSMAjW8= +github.com/aws/aws-sdk-go-v2/service/kms v1.52.1 h1:qBc+5ZvMjb+Y+Ho+0wwyBYBITH1Wm5M1RJpt8DELPVU= +github.com/aws/aws-sdk-go-v2/service/kms v1.52.1/go.mod h1:bWSG4E0FxeeDdfXseEnPfkFv4MqTY/6fDFGUHu/Wkb0= +github.com/aws/aws-sdk-go-v2/service/lambda v1.90.2 h1:dBiVUhd21cs5C3RUiAKTMc4Cw+5kvTBhM/GGlYTXrpo= +github.com/aws/aws-sdk-go-v2/service/lambda v1.90.2/go.mod h1:gFmCYh+m/TwFPR3o30V83jaNVIzN5ozPrf7eC29mBJU= +github.com/aws/aws-sdk-go-v2/service/networkfirewall v1.61.1 h1:ewqow8gclzOTZRvgxkynXFaj9h8YQE8wJTRpyMMjtqw= +github.com/aws/aws-sdk-go-v2/service/networkfirewall v1.61.1/go.mod h1:7bRBjeRP7pMQOX2qP8d7kEO1FV1WekbuMq5ZJXQpxCo= +github.com/aws/aws-sdk-go-v2/service/networkmanager v1.42.1 h1:9o2GTfTTFQtorK/GUQt7Oj53+WuUJmfXcyTsQqQux34= +github.com/aws/aws-sdk-go-v2/service/networkmanager v1.42.1/go.mod h1:jWEPRVbipvd1/BZHOIgQjBN0RjPX+VE+vi7EbO52gkI= +github.com/aws/aws-sdk-go-v2/service/rds v1.118.3 h1:Q6o5SuzC3+T1WjA6y/+vxPkFRFXPiGilPCdhdQZ4qp8= +github.com/aws/aws-sdk-go-v2/service/rds v1.118.3/go.mod h1:Fjbrf3IlJCagXHMf1GRBLmpcBXK60g3y9laWG2lgUmg= +github.com/aws/aws-sdk-go-v2/service/route53 v1.62.8 h1:1QC1xoZg5XSes1CXQ20Y0qTaaeDj12e7bB0/Yw9sQwI= +github.com/aws/aws-sdk-go-v2/service/route53 v1.62.8/go.mod h1:+GpgmfX7rnzQ8WMbMCMnI+VOjPZCf9yaUlBmRTvQgFE= +github.com/aws/aws-sdk-go-v2/service/s3 v1.102.1 h1:vttIo8BQwfnhimKRBZBBF3Y38SAIxif72B/M91m9hDk= +github.com/aws/aws-sdk-go-v2/service/s3 v1.102.1/go.mod h1:2qjInACJr84m/Tm4XXCcVNpejmbKy9kz7TEa6viQHSk= 
+github.com/aws/aws-sdk-go-v2/service/signin v1.1.0 h1:yQo3eZ5qFaL1sJWqs1nL6j3yPHA2/R7c6tQ4T+0IO10= +github.com/aws/aws-sdk-go-v2/service/signin v1.1.0/go.mod h1:3Zzou41Qt/ueXfIzHvTEjDNuR5IjCUBVF01SNhrt1e8= +github.com/aws/aws-sdk-go-v2/service/sns v1.39.18 h1:z5zzs1HGWZX1PVs7DcnjSuuuoKx0tkM9RfU+5hLoKAE= +github.com/aws/aws-sdk-go-v2/service/sns v1.39.18/go.mod h1:OtbHWFTJ/cJHF/3t+H7ZJpMY43NbngwFrt0xq5u/28c= +github.com/aws/aws-sdk-go-v2/service/sqs v1.42.28 h1:CsLiNChqRvXWtIjyjUaqg9vq+0md9R1vC+hGZ18zmTI= +github.com/aws/aws-sdk-go-v2/service/sqs v1.42.28/go.mod h1:ZhBg8NNBEs+UuIILtpcUaX8iV4yU/sF7vBiS+U9P83A= +github.com/aws/aws-sdk-go-v2/service/ssm v1.68.7 h1:mKVjTrV40syRvcLfenT75nY8MTr6Nz3UyXSNxUaANRA= +github.com/aws/aws-sdk-go-v2/service/ssm v1.68.7/go.mod h1:67nfKysKquQ5VKZOPfxI8+0FCa18Vj8Ojy2nKjPHkR4= +github.com/aws/aws-sdk-go-v2/service/sso v1.30.18 h1:ApLTFdAZfDhZSiY5uskwECKHkSNNF83y2Ru2r7SezWA= +github.com/aws/aws-sdk-go-v2/service/sso v1.30.18/go.mod h1:A9K9qx2l6nK89hp+a350FdGfRkrkH5HdiEjHbiy/Q/c= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.36.1 h1:4VD7TIZOGzehrgQ8vDE+1c6BQW4ErZPGY8ohZT5LXEE= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.36.1/go.mod h1:er0SFJfdV89Rit5hIJu/EXtv+qC2XMnxoksLmcUFkqM= +github.com/aws/aws-sdk-go-v2/service/sts v1.42.2 h1:XKnxlM4KZH1gktcsh3zSWc7GW4KivEv/OkifmHOhCUY= +github.com/aws/aws-sdk-go-v2/service/sts v1.42.2/go.mod h1:KJYmkQaFB3SUW2j3aBkPsxNmAb4ZsSOvbvCpuxzHJA0= +github.com/aws/smithy-go v1.26.0 h1:9ouqbi+NyKP7fV3Te7UElCwdAb6Y8uk7LGwPE5tVe/s= +github.com/aws/smithy-go v1.26.0/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc= github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k= github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8= github.com/aymanbagabas/go-udiff v0.4.1 h1:OEIrQ8maEeDBXQDoGCbbTTXYJMYRCRO1fnodZ12Gv5o= 
@@ -410,8 +410,8 @@ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaU github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/enterprise-certificate-proxy v0.3.15 h1:xolVQTEXusUcAA5UgtyRLjelpFFHWlPQ4XfWGc7MBas= -github.com/googleapis/enterprise-certificate-proxy v0.3.15/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg= +github.com/googleapis/enterprise-certificate-proxy v0.3.16 h1:F/VPrx0YPBdksZJQdCAp0WUsqnNmZpUZszzfYt0M5Dw= +github.com/googleapis/enterprise-certificate-proxy v0.3.16/go.mod h1:9Yb0eAkH/Xqhvv3zbeKf/+wMJqCeocWc6KIhDvEAuYE= github.com/googleapis/gax-go/v2 v2.22.0 h1:PjIWBpgGIVKGoCXuiCoP64altEJCj3/Ei+kSU5vlZD4= github.com/googleapis/gax-go/v2 v2.22.0/go.mod h1:irWBbALSr0Sk3qlqb9SyJ1h68WjgeFuiOzI4Rqw5+aY= github.com/gookit/assert v0.1.1 h1:lh3GcawXe/p+cU7ESTZ5Ui3Sm/x8JWpIis4/1aF0mY0= 
@@ -830,17 +830,17 @@ golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da h1:noIWHXmPHxILtqtCOPIhS golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90= gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4= gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E= -google.golang.org/api v0.280.0 h1:F4OfEHZhZh6a7uTufJAXXVd/2TQ8EjM4vZH+jX/vFYk= -google.golang.org/api v0.280.0/go.mod h1:oGKmPZRDoD3vdkf6MA7F4VNkR1rxCiuaPSkhsf3EolU= +google.golang.org/api v0.282.0 h1:WmJiSVqUnKqJCpJOx7YADbXaC+9DDsnGSfllFSj7R2I= +google.golang.org/api v0.282.0/go.mod h1:6Wssta4c5n9qHq5CBhmlai5h/PUa1djdDAIhYEHyvcM= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7 h1:XzmzkmB14QhVhgnawEVsOn6OFsnpyxNPRY9QV01dNB0= google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7/go.mod h1:L43LFes82YgSonw6iTXTxXUX1OlULt4AQtkik4ULL/I= -google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:VPWxll4HlMw1Vs/qXtN7BvhZqsS9cdAittCNvVENElA= -google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:7QBABkRtR8z+TEnmXTqIqwJLlzrZKVfAUm7tY3yGv0M= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260519071638-aa98bba5eb94 h1:eZCjr/aAF8c5ccm5pb6T4EXgIei5MlAAPWPJk+5ArfY= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260519071638-aa98bba5eb94/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= +google.golang.org/genproto/googleapis/api v0.0.0-20260526163538-3dc84a4a5aaa h1:Kjn0N0tCrDgiAFW+lGO4JZ3ck44CehvJQMAwj9QF0G8= +google.golang.org/genproto/googleapis/api v0.0.0-20260526163538-3dc84a4a5aaa/go.mod h1:q4lMZS6kskjT5HvCPrnnypcDPVJqT/f4nfxmkE7gryY= 
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260526163538-3dc84a4a5aaa h1:mZHHdPZl0dbGHCflZgAq/Q468DWVFcU2whhB2KAo8fk= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260526163538-3dc84a4a5aaa/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= google.golang.org/grpc v1.81.1 h1:VnnIIZ88UzOOKLukQi+ImGz8O1Wdp8nAGGnvOfEIWQQ= google.golang.org/grpc v1.81.1/go.mod h1:xGH9GfzOyMTGIOXBJmXt+BX/V0kcdQbdcuwQ/zNw42I= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= diff --git a/go/auth/auth_test.go b/go/auth/auth_test.go index f8d85bae..6a12bc9d 100644 --- a/go/auth/auth_test.go +++ b/go/auth/auth_test.go @@ -65,7 +65,7 @@ func GetTestOAuthTokenClient(t *testing.T) *natsTokenClient { var clientSecret string var exists bool - errorFormat := "environment variable %v not found. Set up your test environment first. See: https://github.com/overmindtech/cli/go/auth0-test-data" + errorFormat := "environment variable %v not found. Load secrets via op run --env-file=./.devcontainer/env/op.local.env (see docs/DEVELOPMENT_PLAYBOOKS.md)" // Read secrets form the environment if domain, exists = os.LookupEnv("OVERMIND_NTE_ALLPERMS_DOMAIN"); !exists || domain == "" { diff --git a/go/auth/mcpoauth.go b/go/auth/mcpoauth.go index 99ef0184..64640638 100644 --- a/go/auth/mcpoauth.go +++ b/go/auth/mcpoauth.go 
@@ -18,11 +18,20 @@ import ( // // scopes should include both the standard OIDC scopes and any // application-specific scopes (e.g. "admin:read", "changes:read"). -func NewMCPOAuthMetadataHandler(auth0Domain, issuerURL, registrationEndpointURL string, scopes []string) http.Handler { +func NewMCPOAuthMetadataHandler(auth0Domain, issuerURL, registrationEndpointURL string, scopes []string, authorizationEndpointOverride, tokenEndpointOverride string) http.Handler { + authEndpoint := fmt.Sprintf("https://%s/authorize", auth0Domain) + if authorizationEndpointOverride != "" { + authEndpoint = authorizationEndpointOverride + } + tokenEndpoint := fmt.Sprintf("https://%s/oauth/token", auth0Domain) + if tokenEndpointOverride != "" { + tokenEndpoint = tokenEndpointOverride + } + metadata := map[string]any{ "issuer": issuerURL, - "authorization_endpoint": fmt.Sprintf("https://%s/authorize", auth0Domain), - "token_endpoint": fmt.Sprintf("https://%s/oauth/token", auth0Domain), + "authorization_endpoint": authEndpoint, + "token_endpoint": tokenEndpoint, "registration_endpoint": registrationEndpointURL, "jwks_uri": fmt.Sprintf("https://%s/.well-known/jwks.json", auth0Domain), @@ -133,6 +142,20 @@ func NewMCPPRMHandler(authorizationServerURL, resourceURL string, scopes []strin }) } +const ( + cursorMCPRedirectURI = "cursor://anysphere.cursor-mcp/oauth/callback" + cursorCloudAgentsRedirect = "https://www.cursor.com/agents/mcp/oauth/callback" +) + +// IsAllowedMCPRedirect returns true when uri is a registered Cursor MCP +// handoff target (desktop cursor://, Cloud Agents HTTPS, or loopback). +func IsAllowedMCPRedirect(uri string) bool { + if uri == cursorMCPRedirectURI || uri == cursorCloudAgentsRedirect { + return true + } + return IsLocalhostRedirect(uri) +} + // IsLocalhostRedirect returns true if the URI is a loopback redirect, which is // the standard callback for native/public OAuth clients (RFC 8252 Section 7.3). func IsLocalhostRedirect(raw string) bool { 
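Review bot: The two new override parameters of `NewMCPOAuthMetadataHandler` are copied into `authorization_endpoint` and `token_endpoint` without any check, and the visible doc comment above the signature does not mention them. Clients that trust this metadata send their authorization requests and token exchanges to whatever URL is published, so a mis-set override (plain `http://`, a relative path, or the two adjacent positional strings swapped) silently moves the whole flow. I would document the contract on the function, e.g. `// authorizationEndpointOverride and tokenEndpointOverride, when non-empty, replace the Auth0-derived endpoints verbatim; each must be an absolute https URL served by this deployment.`, and have the caller that reads them from configuration reject anything else at startup. `jwks_uri` is still derived from `auth0Domain`, which looks intentional but is worth stating in the same comment. The function body continues outside the hunk.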
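Review bot: `IsAllowedMCPRedirect` compares the two Cursor URIs by exact string equality, which is the right behaviour for redirect validation, but the doc comment does not say so and a later change could loosen it to a prefix or host match without anyone noticing. I would add `// The two Cursor URIs are matched byte-for-byte (no prefix, query or trailing-slash variants); only the loopback case is delegated to IsLocalhostRedirect.` above the function. The loopback branch accepts whatever `IsLocalhostRedirect` accepts, and that function's body is outside this hunk, so the overall strictness cannot be confirmed from here.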
diff --git a/go/auth/mcpoauth_test.go b/go/auth/mcpoauth_test.go index 0c5f61ec..1c19bb0a 100644 --- a/go/auth/mcpoauth_test.go +++ b/go/auth/mcpoauth_test.go @@ -15,6 +15,8 @@ func TestNewMCPOAuthMetadataHandler(t *testing.T) { "https://api.example.com/area51/oauth", "https://api.example.com/area51/oauth/register", scopes, + "", + "", ) req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/.well-known/oauth-authorization-server/area51/oauth", nil) 
@@ -176,6 +178,50 @@ func TestNewMCPPRMHandler(t *testing.T) { } } +func TestNewMCPOAuthMetadataHandler_Overrides(t *testing.T) { + scopes := []string{"openid"} + handler := NewMCPOAuthMetadataHandler( + "auth.example.com", + "https://api.example.com/brent/oauth", + "https://api.example.com/brent/oauth/register", + scopes, + "https://api.example.com/brent/oauth/authorize", + "https://api.example.com/brent/oauth/token", + ) + + req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/metadata", nil) + rec := httptest.NewRecorder() + handler.ServeHTTP(rec, req) + + var body map[string]any + if err := json.NewDecoder(rec.Body).Decode(&body); err != nil { + t.Fatalf("decode: %v", err) + } + if body["authorization_endpoint"] != "https://api.example.com/brent/oauth/authorize" { + t.Errorf("authorization_endpoint = %v", body["authorization_endpoint"]) + } + if body["token_endpoint"] != "https://api.example.com/brent/oauth/token" { + t.Errorf("token_endpoint = %v", body["token_endpoint"]) + } +} + +func TestIsAllowedMCPRedirect(t *testing.T) { + tests := []struct { + uri string + want bool + }{ + {"cursor://anysphere.cursor-mcp/oauth/callback", true}, + {"https://www.cursor.com/agents/mcp/oauth/callback", true}, + {"http://127.0.0.1/callback", true}, + {"https://evil.com/callback", false}, + } + for _, tt := range tests { + if got := IsAllowedMCPRedirect(tt.uri); got != tt.want { + t.Errorf("IsAllowedMCPRedirect(%q) = %v, want %v", tt.uri, got, tt.want) + } + } +} + func TestIsLocalhostRedirect(t *testing.T) { tests := []struct { uri string diff --git a/go/discovery/engine.go b/go/discovery/engine.go index 05d79414..7eb759d7 100644 --- a/go/discovery/engine.go +++ b/go/discovery/engine.go 
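Review bot: The table in `TestIsAllowedMCPRedirect` has a single negative row (`https://evil.com/callback`), so it would still pass if the exact-match comparison were later relaxed to a prefix or host check. Near-miss rows would pin the strictness: `{"https://www.cursor.com/agents/mcp/oauth/callback/extra", false},`, `{"https://www.cursor.com.attacker.example/agents/mcp/oauth/callback", false},` and `{"cursor://anysphere.cursor-mcp/oauth/callback?next=x", false},` (constructed values). They are expected to be false on the assumption that `IsLocalhostRedirect`, whose body is not in this diff, rejects non-loopback hosts as the existing row implies. `TestNewMCPOAuthMetadataHandler_Overrides` likewise does not assert the response status, or that `issuer` and `jwks_uri` are unaffected by the overrides.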
@@ -437,6 +437,7 @@ func (e *Engine) IsNATSConnected() bool { // See: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes func (e *Engine) LivenessHealthCheck(ctx context.Context) error { span := trace.SpanFromContext(ctx) + span.SetAttributes(attribute.String("ovm.healthcheck.type", "liveness")) e.natsConnectionMutex.Lock() var ( @@ -854,12 +855,9 @@ func (e *Engine) InitialiseAdapters(ctx context.Context, initFn func(ctx context // This checks only engine initialization (NATS connection, heartbeats) and does NOT check adapter-specific health. func (e *Engine) LivenessProbeHandlerFunc() func(http.ResponseWriter, *http.Request) { return func(rw http.ResponseWriter, r *http.Request) { - ctx, span := tracing.Tracer().Start(r.Context(), "healthcheck.liveness") - defer span.End() - - err := e.LivenessHealthCheck(ctx) + err := e.LivenessHealthCheck(r.Context()) if err != nil { - log.WithContext(ctx).WithError(err).Error("Liveness check failed") + log.WithContext(r.Context()).WithError(err).Error("Liveness check failed") http.Error(rw, err.Error(), http.StatusServiceUnavailable) return } @@ -880,12 +878,9 @@ func (e *Engine) SetReadinessCheck(check func(context.Context) error) { // This checks adapter-specific health only (not engine/liveness). func (e *Engine) ReadinessProbeHandlerFunc() func(http.ResponseWriter, *http.Request) { return func(rw http.ResponseWriter, r *http.Request) { - ctx, span := tracing.Tracer().Start(r.Context(), "healthcheck.readiness") - defer span.End() - - err := e.ReadinessHealthCheck(ctx) + err := e.ReadinessHealthCheck(r.Context()) if err != nil { - log.WithContext(ctx).WithError(err).Error("Readiness check failed") + log.WithContext(r.Context()).WithError(err).Error("Readiness check failed") http.Error(rw, err.Error(), http.StatusServiceUnavailable) return } 
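Review bot: The attribute added in `LivenessHealthCheck` is set on `trace.SpanFromContext(ctx)`, which is a non-recording span whenever the caller's context carries none, so `ovm.healthcheck.type` is dropped silently on that path. After the later hunks in this file the probe handler funcs no longer start a span themselves, so a caller that mounts `LivenessProbeHandlerFunc()` or `ReadinessProbeHandlerFunc()` on its own mux without the otelhttp wrapper loses health-check tracing altogether. I would state that on both exported funcs: `// The returned handler starts no span; wrap it as healthProbeHandler does if traces are needed.` The body of `LivenessHealthCheck` continues outside the hunk.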
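Review bot: Both probe handlers still answer a failed check with `http.Error(rw, err.Error(), http.StatusServiceUnavailable)`, so the raw error text is returned to anyone who can reach the probe port; this applies to the liveness hunk and to the readiness hunk after it. The errors themselves are not visible here, but if they wrap connection or adapter failures they may carry internal hostnames or endpoints, and the full detail is already written to the log on the preceding line. Consider a fixed body such as `http.Error(rw, "liveness check failed", http.StatusServiceUnavailable)` and the readiness equivalent, unless operators depend on the text showing up in kubelet probe events.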
@@ -894,14 +889,26 @@ func (e *Engine) ReadinessProbeHandlerFunc() func(http.ResponseWriter, *http.Req } } +// healthProbeHandler returns the HTTP handler for Kubernetes liveness/readiness probes. +// Spans are created by otelhttp (via wrapHealthProbeHandler) so http.route is set +// for collector sampling. +func (e *Engine) healthProbeHandler() http.Handler { + mux := http.NewServeMux() + mux.HandleFunc("GET /healthz/alive", e.LivenessProbeHandlerFunc()) + mux.HandleFunc("GET /healthz/ready", e.ReadinessProbeHandlerFunc()) + + serviceName := "source-healthz" + if e.EngineConfig != nil && e.EngineConfig.SourceName != "" { + serviceName = e.EngineConfig.SourceName + "-healthz" + } + + return wrapHealthProbeHandler(mux, serviceName) +} + // ServeHealthProbes starts an HTTP server for Kubernetes health probes on the given port. // Registers /healthz/alive (liveness) and /healthz/ready (readiness). // Runs in a goroutine. Use for sources that only need health checks on the given port. func (e *Engine) ServeHealthProbes(port int) { - mux := http.NewServeMux() - mux.HandleFunc("/healthz/alive", e.LivenessProbeHandlerFunc()) - mux.HandleFunc("/healthz/ready", e.ReadinessProbeHandlerFunc()) - logFields := log.Fields{"port": port} if e.EngineConfig != nil { logFields["ovm.engine.type"] = e.EngineConfig.EngineType @@ -913,7 +920,7 @@ func (e *Engine) ServeHealthProbes(port int) { defer sentry.Recover() server := &http.Server{ Addr: fmt.Sprintf(":%d", port), - Handler: mux, + Handler: e.healthProbeHandler(), ReadTimeout: 5 * time.Second, WriteTimeout: 10 * time.Second, } diff --git a/go/discovery/engine_health_probe_test.go b/go/discovery/engine_health_probe_test.go new file mode 100644 index 00000000..f9bbeb7f --- /dev/null +++ b/go/discovery/engine_health_probe_test.go 
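Review bot: The patterns `GET /healthz/alive` and `GET /healthz/ready` in `healthProbeHandler` restrict the probes by method, where the removed registrations accepted any method, and the doc comment on `ServeHealthProbes` still describes the old paths without a method. Method-scoped patterns rely on the Go 1.22 `ServeMux` semantics, so this presumably assumes the module's Go version is at least that; other methods on these paths now receive 405. I would update the comment to `// Registers GET /healthz/alive (liveness) and GET /healthz/ready (readiness); other methods get 405.` `wrapHealthProbeHandler` is not defined in the visible part of the diff, so what it adds beyond the otelhttp spans cannot be reviewed here.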
@@ -0,0 +1,192 @@ +package discovery + +import ( + "context" + "net/http" + "net/http/httptest" + "testing" + + "go.opentelemetry.io/otel" + sdktrace "go.opentelemetry.io/otel/sdk/trace" + "go.opentelemetry.io/otel/sdk/trace/tracetest" +) + +func setupHealthProbeTracing(t *testing.T) *tracetest.InMemoryExporter { + t.Helper() + + exp := tracetest.NewInMemoryExporter() + tp := sdktrace.NewTracerProvider( + sdktrace.WithSyncer(exp), + sdktrace.WithSampler(sdktrace.AlwaysSample()), + ) + prev := otel.GetTracerProvider() + otel.SetTracerProvider(tp) + t.Cleanup(func() { + _ = tp.Shutdown(context.Background()) + otel.SetTracerProvider(prev) + }) + + return exp +} + +func assertNoLegacyHealthcheckSpans(t *testing.T, spans tracetest.SpanStubs) { + t.Helper() + + for _, s := range spans { + if s.Name == "healthcheck.liveness" || s.Name == "healthcheck.readiness" { + t.Errorf("unexpected legacy healthcheck span name %q", s.Name) + } + } +} + +func findHTTPProbeSpan(t *testing.T, spans tracetest.SpanStubs, wantRoute string) tracetest.SpanStub { + t.Helper() + + for _, s := range spans { + if s.Name != "GET "+wantRoute { + continue + } + for _, a := range s.Attributes { + if string(a.Key) == "http.route" && a.Value.AsString() == wantRoute { + return s + } + } + } + t.Fatalf("expected span GET %s with http.route=%s, got spans: %v", wantRoute, wantRoute, spanNames(spans)) + return tracetest.SpanStub{} +} + +func spanNames(spans tracetest.SpanStubs) []string { + names := make([]string, 0, len(spans)) + for _, s := range spans { + names = append(names, s.Name) + } + return names +} + +func attrString(span tracetest.SpanStub, key string) (string, bool) { + for _, a := range span.Attributes { + if string(a.Key) == key { + return a.Value.AsString(), true + } + } + return "", false +} + +func TestHealthProbeHandler_ReadinessUninitialized(t *testing.T) { + exp := setupHealthProbeTracing(t) + + ec := EngineConfig{SourceName: "test-source"} + e, err := NewEngine(&ec) + if err != nil { + 
t.Fatalf("NewEngine: %v", err) + } + + handler := e.healthProbeHandler() + req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/healthz/ready", nil) + rec := httptest.NewRecorder() + handler.ServeHTTP(rec, req) + + if rec.Code != http.StatusServiceUnavailable { + t.Fatalf("expected status %d, got %d", http.StatusServiceUnavailable, rec.Code) + } + + spans := exp.GetSpans() + assertNoLegacyHealthcheckSpans(t, spans) + + if len(spans) != 1 { + t.Fatalf("expected exactly 1 span, got %d: %v", len(spans), spanNames(spans)) + } + + span := findHTTPProbeSpan(t, spans, "/healthz/ready") + healthType, ok := attrString(span, "ovm.healthcheck.type") + if !ok || healthType != "readiness" { + t.Errorf("expected ovm.healthcheck.type=readiness, got %q (ok=%v)", healthType, ok) + } + + statusOK := false + for _, a := range span.Attributes { + if string(a.Key) == "http.response.status_code" && a.Value.AsInt64() == int64(http.StatusServiceUnavailable) { + statusOK = true + } + } + if !statusOK { + t.Errorf("expected http.response.status_code=%d on probe span", http.StatusServiceUnavailable) + } +} + +func TestHealthProbeHandler_ReadinessOK(t *testing.T) { + exp := setupHealthProbeTracing(t) + + ec := EngineConfig{SourceName: "test-source"} + e, err := NewEngine(&ec) + if err != nil { + t.Fatalf("NewEngine: %v", err) + } + e.MarkAdaptersInitialized() + + handler := e.healthProbeHandler() + req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/healthz/ready", nil) + rec := httptest.NewRecorder() + handler.ServeHTTP(rec, req) + + if rec.Code != http.StatusOK { + t.Fatalf("expected status %d, got %d", http.StatusOK, rec.Code) + } + + spans := exp.GetSpans() + assertNoLegacyHealthcheckSpans(t, spans) + + if len(spans) != 1 { + t.Fatalf("expected exactly 1 span, got %d: %v", len(spans), spanNames(spans)) + } + + span := findHTTPProbeSpan(t, spans, "/healthz/ready") + healthType, ok := attrString(span, "ovm.healthcheck.type") + if !ok || healthType != 
"readiness" { + t.Errorf("expected ovm.healthcheck.type=readiness, got %q (ok=%v)", healthType, ok) + } +} + +func TestHealthProbeHandler_LivenessNoNATS(t *testing.T) { + exp := setupHealthProbeTracing(t) + + ec := EngineConfig{SourceName: "test-source"} + e, err := NewEngine(&ec) + if err != nil { + t.Fatalf("NewEngine: %v", err) + } + + handler := e.healthProbeHandler() + req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/healthz/alive", nil) + rec := httptest.NewRecorder() + handler.ServeHTTP(rec, req) + + if rec.Code != http.StatusServiceUnavailable { + t.Fatalf("expected status %d, got %d", http.StatusServiceUnavailable, rec.Code) + } + + spans := exp.GetSpans() + assertNoLegacyHealthcheckSpans(t, spans) + + if len(spans) != 1 { + t.Fatalf("expected exactly 1 span, got %d: %v", len(spans), spanNames(spans)) + } + + span := findHTTPProbeSpan(t, spans, "/healthz/alive") + healthType, ok := attrString(span, "ovm.healthcheck.type") + if !ok || healthType != "liveness" { + t.Errorf("expected ovm.healthcheck.type=liveness, got %q (ok=%v)", healthType, ok) + } + + statusOK := false + for _, a := range span.Attributes { + if string(a.Key) == "http.response.status_code" && a.Value.AsInt64() == int64(http.StatusServiceUnavailable) { + statusOK = true + } + } + if !statusOK { + t.Errorf("expected http.response.status_code=%d on probe span", http.StatusServiceUnavailable) + } +} + diff --git a/go/discovery/engine_test.go b/go/discovery/engine_test.go index f90ae870..e50d915e 100644 --- a/go/discovery/engine_test.go +++ b/go/discovery/engine_test.go 
@@ -762,7 +762,7 @@ func GetTestOAuthTokenClient(t *testing.T, account string) auth.TokenClient { var clientSecret string var exists bool - errorFormat := "environment variable %v not found. Set up your test environment first. See: https://github.com/overmindtech/cli/go/auth0-test-data" + errorFormat := "environment variable %v not found. Load secrets via op run --env-file=./.devcontainer/env/op.local.env (see docs/DEVELOPMENT_PLAYBOOKS.md)" // Read secrets form the environment if domain, exists = os.LookupEnv("OVERMIND_NTE_ALLPERMS_DOMAIN"); !exists || domain == "" { diff --git a/go/discovery/health_probe_middleware.go b/go/discovery/health_probe_middleware.go new file mode 100644 index 00000000..74ab22f4 --- /dev/null +++ b/go/discovery/health_probe_middleware.go 
@@ -0,0 +1,85 @@ +package discovery + +import ( + "net/http" + "strings" + + sentryhttp "github.com/getsentry/sentry-go/http" + "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp" + "go.opentelemetry.io/otel/attribute" + "go.opentelemetry.io/otel/trace" +) + +// wrapHealthProbeHandler applies the source health-probe middleware chain. +// +// Chain (outer → inner): +// 1. sentryhttp — per-request panic capture with Repanic: true +// 2. otelhttp — creates the HTTP span; span name prefers http.Request.Pattern +// (set by http.ServeMux in Go 1.22+) over the fallback service name +// 3. routeAttributeMiddleware — sets http.route after the mux runs +// 4. albTraceIDMiddleware — records X-Amzn-Trace-Id as aws.alb.trace_id +// +// This is intentionally a local copy of the subset of go/startup.WrapHandler +// that source health probes use. go/discovery is synced into the public +// overmindtech/cli repo via copybara, but go/startup is not — see +// copy.bara.sky. Importing go/startup from here breaks `go mod tidy` in cli +// because the import path becomes unresolvable in the synced module. +// +// Keep behaviour in sync with go/startup.WrapHandler when called with only +// WithServiceName (no audit logger). +func wrapHealthProbeHandler(handler http.Handler, serviceName string) http.Handler { + h := albTraceIDMiddleware(handler) + h = routeAttributeMiddleware(h) + + h = otelhttp.NewHandler( + h, serviceName, + otelhttp.WithSpanNameFormatter(patternSpanNameFormatter), + ) + + sentryHandler := sentryhttp.New(sentryhttp.Options{Repanic: true}) + h = sentryHandler.Handle(h) + + return h +} + +// patternSpanNameFormatter returns the http.Request.Pattern (set by +// http.ServeMux in Go 1.22+) when available, falling back to the static +// operation name for unmatched routes (404s). 
+func patternSpanNameFormatter(operation string, r *http.Request) string { + if r.Pattern != "" { + return r.Pattern + } + return operation +} + +// routeAttributeMiddleware sets the http.route span attribute after the +// inner handler runs, using http.Request.Pattern populated by http.ServeMux. +// otelhttp's RequestTraceAttrs runs before the mux, so Pattern is still empty +// at that point — this middleware fills the gap. +func routeAttributeMiddleware(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + next.ServeHTTP(w, r) + if r.Pattern != "" { + route := r.Pattern + if idx := strings.IndexByte(route, '/'); idx >= 0 { + route = route[idx:] + } + trace.SpanFromContext(r.Context()).SetAttributes( + attribute.String("http.route", route), + ) + } + }) +} + +// albTraceIDMiddleware extracts the AWS ALB trace ID from the +// X-Amzn-Trace-Id header and records it as a span attribute. +func albTraceIDMiddleware(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if v := r.Header.Get("X-Amzn-Trace-Id"); v != "" { + trace.SpanFromContext(r.Context()).SetAttributes( + attribute.String("aws.alb.trace_id", v), + ) + } + next.ServeHTTP(w, r) + }) +} diff --git a/go/sdpcache/cache_test.go b/go/sdpcache/cache_test.go index 8f02695d..6cea1a8b 100644 --- a/go/sdpcache/cache_test.go +++ b/go/sdpcache/cache_test.go @@ -317,7 +317,9 @@ func TestDelete(t *testing.T) { item := GenerateRandomItem() ck := CacheKeyFromQuery(item.GetMetadata().GetSourceQuery(), item.GetMetadata().GetSourceName()) - cache.StoreItem(t.Context(), item, time.Millisecond, ck) + // Use a generous TTL: ShardedCache LIST fan-out can race with sub-ms + // expiry on loaded CI runners when duration is time.Millisecond. + cache.StoreItem(t.Context(), item, 10*time.Second, ck) sst := SST{ SourceName: item.GetMetadata().GetSourceName(), Scope: item.GetScope(), 
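Review bot: `albTraceIDMiddleware` copies the `X-Amzn-Trace-Id` request header into the `aws.alb.trace_id` span attribute verbatim, and that header is set by whoever sends the request, not only by an ALB. If the probe port is reachable by anything other than the load balancer, any client can write arbitrary, header-sized strings into trace storage. I would bound the value before recording it, e.g. `if len(v) > 256 { v = v[:256] }` (256 is a suggested limit, not a value from this repository), and state in the doc comment that the value is unauthenticated client input.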
diff --git a/sources/azure/manual/keyvault-secret.go b/sources/azure/manual/keyvault-secret.go index 801e150e..65347044 100644 --- a/sources/azure/manual/keyvault-secret.go +++ b/sources/azure/manual/keyvault-secret.go @@ -161,7 +161,7 @@ func (k keyvaultSecretWrapper) SearchStream(ctx context.Context, stream discover } func (k keyvaultSecretWrapper) azureSecretToSDPItem(secret *armkeyvault.Secret, vaultName, secretName, scope string) (*sdp.Item, *sdp.QueryError) { - attributes, err := shared.ToAttributesWithExclude(secret, "tags") + attributes, err := shared.ToAttributesWithExclude(secret, "tags", "Properties.Value") if err != nil { return nil, azureshared.QueryError(err, scope, k.Type()) } diff --git a/sources/gcp/manual/iam-service-account-key.go b/sources/gcp/manual/iam-service-account-key.go index 4ce0dbbc..1a8a512b 100644 --- a/sources/gcp/manual/iam-service-account-key.go +++ b/sources/gcp/manual/iam-service-account-key.go @@ -152,7 +152,10 @@ func (c iamServiceAccountKeyWrapper) SearchStream(ctx context.Context, stream di // gcpIAMServiceAccountKeyToSDPItem converts a ServiceAccountKey to an sdp.Item func (c iamServiceAccountKeyWrapper) gcpIAMServiceAccountKeyToSDPItem(key *adminpb.ServiceAccountKey, location gcpshared.LocationInfo) (*sdp.Item, *sdp.QueryError) { - attributes, err := shared.ToAttributesWithExclude(key) + // private_key_data is only ever populated on CreateServiceAccountKey responses + // (this adapter only Gets/Lists), but exclude it defensively so key material can + // never reach SDP attributes. public_key_data is non-sensitive but excluded for tidiness. + attributes, err := shared.ToAttributesWithExclude(key, "private_key_data", "public_key_data") if err != nil { return nil, &sdp.QueryError{ ErrorType: sdp.QueryError_OTHER, diff --git a/sources/gcp/manual/iam-service-account-key_test.go b/sources/gcp/manual/iam-service-account-key_test.go index ae2c745c..4e5896e1 100644 --- a/sources/gcp/manual/iam-service-account-key_test.go 
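Review bot: The new `"Properties.Value"` exclusion in `azureSecretToSDPItem` has no comment saying why it is there, unlike the GCP key adapter in the next hunk; I would add `// Properties.Value is the secret's plaintext; it must never become an SDP attribute.` above the call. The exclusion is matched against JSON key names, and `ToAttributesWithExclude` (changed later in this diff) ignores a path that matches nothing, so a rename in the SDK type would silently re-expose the value. An adapter-level test that sets `Properties.Value` and asserts it is absent from the returned item would catch that, if one does not already exist. The function body continues outside the hunk.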
+++ b/sources/gcp/manual/iam-service-account-key_test.go @@ -34,7 +34,7 @@ func TestIAMServiceAccountKey(t *testing.T) { t.Run("Get", func(t *testing.T) { wrapper := manual.NewIAMServiceAccountKey(mockClient, []gcpshared.LocationInfo{gcpshared.NewProjectLocation(projectID)}) - mockClient.EXPECT().Get(ctx, gomock.Any()).Return(createServiceAccountKey(testKeyFullName), nil) + mockClient.EXPECT().Get(ctx, gomock.Any()).Return(createServiceAccountKeyWithKeyData(testKeyFullName), nil) adapter := sources.WrapperToAdapter(wrapper, sdpcache.NewNoOpCache()) @@ -43,13 +43,28 @@ func TestIAMServiceAccountKey(t *testing.T) { t.Fatalf("Expected no error, got: %v", qErr) } + t.Run("ExcludesKeyMaterialFromAttributes", func(t *testing.T) { + fields := sdpItem.GetAttributes().GetAttrStruct().GetFields() + excludedFields := []string{ + "private_key_data", + "public_key_data", + "PrivateKeyData", + "PublicKeyData", + } + for _, field := range excludedFields { + if _, ok := fields[field]; ok { + t.Errorf("Expected attribute %q to be excluded, but it was present", field) + } + } + }) + t.Run("StaticTests", func(t *testing.T) { queryTests := shared.QueryTests{ { - ExpectedType: gcpshared.IAMServiceAccount.String(), - ExpectedMethod: sdp.QueryMethod_GET, - ExpectedQuery: testServiceAccount, - ExpectedScope: projectID, + ExpectedType: gcpshared.IAMServiceAccount.String(), + ExpectedMethod: sdp.QueryMethod_GET, + ExpectedQuery: testServiceAccount, + ExpectedScope: projectID, }, } 
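Review bot: The `ExcludesKeyMaterialFromAttributes` subtest (second hunk) checks four spellings of the field names but not the lowerCamel forms `privateKeyData` / `publicKeyData`, which is the spelling the proto JSON mapping uses, and it only inspects top-level keys. If the attribute conversion ever emits that spelling, the key material would be present and this test would still pass. Adding `"privateKeyData", "publicKeyData",` to `excludedFields` closes the gap. A stronger check would assert that the fake material from `createServiceAccountKeyWithKeyData` does not appear anywhere in the attributes, bearing in mind that `[]byte` fields are base64-encoded in JSON.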
@@ -234,3 +249,13 @@ func createServiceAccountKey(name string) *adminpb.ServiceAccountKey { Name: name, } } + +// createServiceAccountKeyWithKeyData creates a ServiceAccountKey with key material set. +// Used to verify that private/public key fields are excluded from SDP attributes. +func createServiceAccountKeyWithKeyData(name string) *adminpb.ServiceAccountKey { + return &adminpb.ServiceAccountKey{ + Name: name, + PrivateKeyData: []byte("fake-private-key-material"), + PublicKeyData: []byte("fake-public-key-material"), + } +} diff --git a/sources/shared/util.go b/sources/shared/util.go index aa4b98df..a642a1c5 100644 --- a/sources/shared/util.go +++ b/sources/shared/util.go 
@@ -1,27 +1,71 @@ package shared import ( + "encoding/json" "strings" "github.com/overmindtech/cli/go/sdp-go" ) // ToAttributesWithExclude converts an interface to SDP attributes using the `sdp.ToAttributesSorted` -// function, and also allows the user to exclude certain top-level fields from -// the resulting attributes +// function, and also allows the user to exclude certain fields from the resulting attributes. +// Top-level exclusions use the field name as it appears in JSON (e.g. "tags"). +// Dot-separated paths exclude nested fields (e.g. "Properties.Value" matches properties.value). func ToAttributesWithExclude(i any, exclusions ...string) (*sdp.ItemAttributes, error) { - attrs, err := sdp.ToAttributesViaJson(i) + b, err := json.Marshal(i) if err != nil { return nil, err } + var m map[string]any + if err := json.Unmarshal(b, &m); err != nil { + return nil, err + } + for _, exclusion := range exclusions { - if s := attrs.GetAttrStruct(); s != nil { - delete(s.GetFields(), exclusion) + if exclusion == "" { + continue + } + if strings.Contains(exclusion, ".") { + deleteNestedMapKey(m, strings.Split(exclusion, ".")) + } else { + deleteMapKey(m, exclusion) + } + } + + return sdp.ToAttributes(m) +} + +func deleteMapKey(m map[string]any, key string) { + for k := range m { + if strings.EqualFold(k, key) { + delete(m, k) + return } } +} + +func deleteNestedMapKey(m map[string]any, path []string) { + if len(path) == 0 || m == nil { + return + } - return attrs, nil + key := path[0] + for k, v := range m { + if !strings.EqualFold(k, key) { + continue + } + if len(path) == 1 { + delete(m, k) + return + } + nested, ok := v.(map[string]any) + if !ok { + return + } + deleteNestedMapKey(nested, path[1:]) + return + } } // CompositeLookupKey creates a composite lookup key from multiple query parts. diff --git a/sources/shared/util_test.go b/sources/shared/util_test.go index baf8c986..2cf25ff6 100644 --- a/sources/shared/util_test.go +++ b/sources/shared/util_test.go 
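Review bot: `deleteNestedMapKey` only descends through `map[string]any` values, so an exclusion path that crosses a JSON array (a list of objects that each hold a sensitive field) is silently skipped and the value stays in the attributes. Both helpers also `return` after the first case-insensitive match, so when two keys differ only in case just one of them is removed, and which one depends on map iteration order. Since this function is now what keeps secret values out of SDP attributes, I would make it fail closed on those shapes by visiting every matching key and applying the remaining path to each object inside an array. `deleteMapKey` needs the same `continue` instead of `return`, and the doc comment on `ToAttributesWithExclude` should state that a path matching nothing is ignored without error.

```go
func deleteNestedMapKey(m map[string]any, path []string) {
	if len(path) == 0 || m == nil {
		return
	}

	// Visit every key that matches case-insensitively rather than stopping
	// at the first, so case-variant duplicates cannot survive redaction.
	for k, v := range m {
		if !strings.EqualFold(k, path[0]) {
			continue
		}
		if len(path) == 1 {
			delete(m, k)
			continue
		}
		switch nested := v.(type) {
		case map[string]any:
			deleteNestedMapKey(nested, path[1:])
		case []any:
			// Apply the remaining path to every object element.
			for _, elem := range nested {
				if obj, ok := elem.(map[string]any); ok {
					deleteNestedMapKey(obj, path[1:])
				}
			}
		}
	}
}
```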
@@ -1,7 +1,10 @@ package shared import ( + "encoding/json" "testing" + + "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/v2" ) func TestCompositeLookupKey(t *testing.T) { @@ -41,3 +44,64 @@ func TestCompositeLookupKey(t *testing.T) { }) } } + +func TestToAttributesWithExclude_nestedPath(t *testing.T) { + t.Parallel() + + secret := &armkeyvault.Secret{ + Name: new("test-secret"), + Tags: map[string]*string{ + "env": new("prod"), + }, + Properties: &armkeyvault.SecretProperties{ + Value: new("secret-value"), + SecretURI: new("https://vault.vault.azure.net/secrets/test-secret"), + }, + } + + attrs, err := ToAttributesWithExclude(secret, "tags", "Properties.Value") + if err != nil { + t.Fatalf("ToAttributesWithExclude: %v", err) + } + + attrMap := attrs.GetAttrStruct().AsMap() + if _, ok := attrMap["tags"]; ok { + t.Fatalf("expected tags to be excluded, got %v", attrMap["tags"]) + } + + b, err := json.Marshal(attrMap) + if err != nil { + t.Fatalf("marshal attributes: %v", err) + } + attrsJSON := string(b) + if containsJSONStringValue(attrsJSON, "secret-value") { + t.Fatalf("secret value leaked in attributes: %s", attrsJSON) + } + if !containsJSONStringValue(attrsJSON, "https://vault.vault.azure.net/secrets/test-secret") { + t.Fatalf("expected secretUri to remain in attributes: %s", attrsJSON) + } +} + +func containsJSONStringValue(attrsJSON, value string) bool { + var m map[string]any + if err := json.Unmarshal([]byte(attrsJSON), &m); err != nil { + return false + } + return mapContainsStringValue(m, value) +} + +func mapContainsStringValue(m map[string]any, value string) bool { + for _, v := range m { + switch x := v.(type) { + case string: + if x == value { + return true + } + case map[string]any: + if mapContainsStringValue(x, value) { + return true + } + } + } + return false +}
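Review bot: `mapContainsStringValue` (second hunk) only follows `string` and `map[string]any` values, so a secret that ended up inside a JSON array would not be found and the leak assertion in `TestToAttributesWithExclude_nestedPath` would pass anyway. A leak check should search every shape the attributes can take; I would route the recursion through a helper that also walks `[]any`. The test also covers only one path shape, so a case for an exclusion that matches nothing would document that such a path is silently ignored.

```go
func mapContainsStringValue(m map[string]any, value string) bool {
	for _, v := range m {
		if anyContainsStringValue(v, value) {
			return true
		}
	}
	return false
}

// anyContainsStringValue reports whether value occurs as a string anywhere
// inside v, descending through nested objects and arrays.
func anyContainsStringValue(v any, value string) bool {
	switch x := v.(type) {
	case string:
		return x == value
	case map[string]any:
		return mapContainsStringValue(x, value)
	case []any:
		for _, elem := range x {
			if anyContainsStringValue(elem, value) {
				return true
			}
		}
	}
	return false
}
```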