vendor: Update osbuild/images to commit dd48a38be218

This is needed for the test_distro.NewTestDistro change.
2023-09-15 08:18:06 -07:00 · 2023-09-15 08:18:06 -07:00 · 1b65f15449
commit 1b65f15449
parent eab16830aa
345 changed files with 276130 additions and 14546 deletions
--- a/vendor/github.com/google/s2a-go/internal/handshaker/service/service.go
+++ b/vendor/github.com/google/s2a-go/internal/handshaker/service/service.go
@ -21,50 +21,27 @@ package service

 import (
 	"context"
-	"net"
-	"os"
-	"strings"
 	"sync"
-	"time"

-	"google.golang.org/appengine"
-	"google.golang.org/appengine/socket"
 	grpc "google.golang.org/grpc"
-	"google.golang.org/grpc/grpclog"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/insecure"
 )

-// An environment variable, if true, opportunistically use AppEngine-specific dialer to call S2A.
-const enableAppEngineDialerEnv = "S2A_ENABLE_APP_ENGINE_DIALER"
-
 var (
-	// appEngineDialerHook is an AppEngine-specific dial option that is set
-	// during init time. If nil, then the application is not running on Google
-	// AppEngine.
-	appEngineDialerHook func(context.Context) grpc.DialOption
 	// mu guards hsConnMap and hsDialer.
 	mu sync.Mutex
 	// hsConnMap represents a mapping from an S2A handshaker service address
 	// to a corresponding connection to an S2A handshaker service instance.
 	hsConnMap = make(map[string]*grpc.ClientConn)
 	// hsDialer will be reassigned in tests.
-	hsDialer = grpc.Dial
+	hsDialer = grpc.DialContext
 )

-func init() {
-	if !appengine.IsAppEngine() && !appengine.IsDevAppServer() {
-		return
-	}
-	appEngineDialerHook = func(ctx context.Context) grpc.DialOption {
-		return grpc.WithDialer(func(addr string, timeout time.Duration) (net.Conn, error) {
-			return socket.DialTimeout(ctx, "tcp", addr, timeout)
-		})
-	}
-}
-
 // Dial dials the S2A handshaker service. If a connection has already been
 // established, this function returns it. Otherwise, a new connection is
 // created.
-func Dial(handshakerServiceAddress string) (*grpc.ClientConn, error) {
+func Dial(ctx context.Context, handshakerServiceAddress string, transportCreds credentials.TransportCredentials) (*grpc.ClientConn, error) {
 	mu.Lock()
 	defer mu.Unlock()

@ -72,17 +49,14 @@ func Dial(handshakerServiceAddress string) (*grpc.ClientConn, error) {
 	if !ok {
 		// Create a new connection to the S2A handshaker service. Note that
 		// this connection stays open until the application is closed.
-		grpcOpts := []grpc.DialOption{
-			grpc.WithInsecure(),
-		}
-		if enableAppEngineDialer() && appEngineDialerHook != nil {
-			if grpclog.V(1) {
-				grpclog.Info("Using AppEngine-specific dialer to talk to S2A.")
-			}
-			grpcOpts = append(grpcOpts, appEngineDialerHook(context.Background()))
+		var grpcOpts []grpc.DialOption
+		if transportCreds != nil {
+			grpcOpts = append(grpcOpts, grpc.WithTransportCredentials(transportCreds))
+		} else {
+			grpcOpts = append(grpcOpts, grpc.WithTransportCredentials(insecure.NewCredentials()))
 		}
 		var err error
-		hsConn, err = hsDialer(handshakerServiceAddress, grpcOpts...)
+		hsConn, err = hsDialer(ctx, handshakerServiceAddress, grpcOpts...)
 		if err != nil {
 			return nil, err
 		}
@ -90,10 +64,3 @@ func Dial(handshakerServiceAddress string) (*grpc.ClientConn, error) {
 	}
 	return hsConn, nil
 }
-
-func enableAppEngineDialer() bool {
-	if strings.ToLower(os.Getenv(enableAppEngineDialerEnv)) == "true" {
-		return true
-	}
-	return false
-}
--- a/vendor/github.com/google/s2a-go/internal/record/ticketsender.go
+++ b/vendor/github.com/google/s2a-go/internal/record/ticketsender.go
@ -83,13 +83,15 @@ func (t *ticketSender) sendTicketsToS2A(sessionTickets [][]byte, callComplete ch
 					t.ensureProcessSessionTickets.Done()
 				}
 			}()
-			hsConn, err := service.Dial(t.hsAddr)
+			ctx, cancel := context.WithTimeout(context.Background(), sessionTimeout)
+			defer cancel()
+			// The transportCreds only needs to be set when talking to S2AV2 and also
+			// if mTLS is required.
+			hsConn, err := service.Dial(ctx, t.hsAddr, nil)
 			if err != nil {
 				return err
 			}
 			client := s2apb.NewS2AServiceClient(hsConn)
-			ctx, cancel := context.WithTimeout(context.Background(), sessionTimeout)
-			defer cancel()
 			session, err := client.SetUpSession(ctx)
 			if err != nil {
 				return err
--- a/vendor/github.com/google/s2a-go/internal/v2/s2av2.go
+++ b/vendor/github.com/google/s2a-go/internal/v2/s2av2.go
@ -52,11 +52,12 @@ const (
 const s2aTimeoutEnv = "S2A_TIMEOUT"

 type s2av2TransportCreds struct {
-	info         *credentials.ProtocolInfo
-	isClient     bool
-	serverName   string
-	s2av2Address string
-	tokenManager *tokenmanager.AccessTokenManager
+	info           *credentials.ProtocolInfo
+	isClient       bool
+	serverName     string
+	s2av2Address   string
+	transportCreds credentials.TransportCredentials
+	tokenManager   *tokenmanager.AccessTokenManager
 	// localIdentity should only be used by the client.
 	localIdentity *commonpbv1.Identity
 	// localIdentities should only be used by the server.
@ -69,7 +70,7 @@ type s2av2TransportCreds struct {

 // NewClientCreds returns a client-side transport credentials object that uses
 // the S2Av2 to establish a secure connection with a server.
-func NewClientCreds(s2av2Address string, localIdentity *commonpbv1.Identity, verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode, fallbackClientHandshakeFunc fallback.ClientHandshake, getS2AStream func(ctx context.Context, s2av2Address string) (stream.S2AStream, error), serverAuthorizationPolicy []byte) (credentials.TransportCredentials, error) {
+func NewClientCreds(s2av2Address string, transportCreds credentials.TransportCredentials, localIdentity *commonpbv1.Identity, verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode, fallbackClientHandshakeFunc fallback.ClientHandshake, getS2AStream func(ctx context.Context, s2av2Address string) (stream.S2AStream, error), serverAuthorizationPolicy []byte) (credentials.TransportCredentials, error) {
 	// Create an AccessTokenManager instance to use to authenticate to S2Av2.
 	accessTokenManager, err := tokenmanager.NewSingleTokenAccessTokenManager()

@ -80,6 +81,7 @@ func NewClientCreds(s2av2Address string, localIdentity *commonpbv1.Identity, ver
 		isClient:                  true,
 		serverName:                "",
 		s2av2Address:              s2av2Address,
+		transportCreds:            transportCreds,
 		localIdentity:             localIdentity,
 		verificationMode:          verificationMode,
 		fallbackClientHandshake:   fallbackClientHandshakeFunc,
@ -99,7 +101,7 @@ func NewClientCreds(s2av2Address string, localIdentity *commonpbv1.Identity, ver

 // NewServerCreds returns a server-side transport credentials object that uses
 // the S2Av2 to establish a secure connection with a client.
-func NewServerCreds(s2av2Address string, localIdentities []*commonpbv1.Identity, verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode, getS2AStream func(ctx context.Context, s2av2Address string) (stream.S2AStream, error)) (credentials.TransportCredentials, error) {
+func NewServerCreds(s2av2Address string, transportCreds credentials.TransportCredentials, localIdentities []*commonpbv1.Identity, verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode, getS2AStream func(ctx context.Context, s2av2Address string) (stream.S2AStream, error)) (credentials.TransportCredentials, error) {
 	// Create an AccessTokenManager instance to use to authenticate to S2Av2.
 	accessTokenManager, err := tokenmanager.NewSingleTokenAccessTokenManager()
 	creds := &s2av2TransportCreds{
@ -108,6 +110,7 @@ func NewServerCreds(s2av2Address string, localIdentities []*commonpbv1.Identity,
 		},
 		isClient:         false,
 		s2av2Address:     s2av2Address,
+		transportCreds:   transportCreds,
 		localIdentities:  localIdentities,
 		verificationMode: verificationMode,
 		getS2AStream:     getS2AStream,
@ -136,7 +139,7 @@ func (c *s2av2TransportCreds) ClientHandshake(ctx context.Context, serverAuthori
 	var err error
 	retry.Run(timeoutCtx,
 		func() error {
-			s2AStream, err = createStream(timeoutCtx, c.s2av2Address, c.getS2AStream)
+			s2AStream, err = createStream(timeoutCtx, c.s2av2Address, c.transportCreds, c.getS2AStream)
 			return err
 		})
 	if err != nil {
@ -210,7 +213,7 @@ func (c *s2av2TransportCreds) ServerHandshake(rawConn net.Conn) (net.Conn, crede
 	var err error
 	retry.Run(ctx,
 		func() error {
-			s2AStream, err = createStream(ctx, c.s2av2Address, c.getS2AStream)
+			s2AStream, err = createStream(ctx, c.s2av2Address, c.transportCreds, c.getS2AStream)
 			return err
 		})
 	if err != nil {
@ -311,11 +314,12 @@ func (c *s2av2TransportCreds) Clone() credentials.TransportCredentials {
 func NewClientTLSConfig(
 	ctx context.Context,
 	s2av2Address string,
+	transportCreds credentials.TransportCredentials,
 	tokenManager tokenmanager.AccessTokenManager,
 	verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode,
 	serverName string,
 	serverAuthorizationPolicy []byte) (*tls.Config, error) {
-	s2AStream, err := createStream(ctx, s2av2Address, nil)
+	s2AStream, err := createStream(ctx, s2av2Address, transportCreds, nil)
 	if err != nil {
 		grpclog.Infof("Failed to connect to S2Av2: %v", err)
 		return nil, err
@ -358,12 +362,12 @@ func (x s2AGrpcStream) CloseSend() error {
 	return x.stream.CloseSend()
 }

-func createStream(ctx context.Context, s2av2Address string, getS2AStream func(ctx context.Context, s2av2Address string) (stream.S2AStream, error)) (stream.S2AStream, error) {
+func createStream(ctx context.Context, s2av2Address string, transportCreds credentials.TransportCredentials, getS2AStream func(ctx context.Context, s2av2Address string) (stream.S2AStream, error)) (stream.S2AStream, error) {
 	if getS2AStream != nil {
 		return getS2AStream(ctx, s2av2Address)
 	}
 	// TODO(rmehta19): Consider whether to close the connection to S2Av2.
-	conn, err := service.Dial(s2av2Address)
+	conn, err := service.Dial(ctx, s2av2Address, transportCreds)
 	if err != nil {
 		return nil, err
 	}