go.mod: update github.com/containers/image/v5

Version 5.22 introduced a new option to /etc/containers/policy.json called keyPaths, see https://github.com/containers/image/pull/1609 EL9 immediately took advantage of this new feature and started using it, see 04645c4a84 This quickly became an issue in our code: The go library (containers/image) parses the configuration file very strictly and refuses to create a client when policy.json with an unknown key is present on the filesystem. As we used 5.21.1 that doesn't know the new key, our unit tests started to failing when containers-common was present. Reproducer: podman run --pull=always --rm -it centos:stream9 dnf install -y dnf-plugins-core dnf config-manager --set-enabled crb dnf install -y gpgme-devel libassuan-devel krb5-devel golang git-core git clone https://github.com/osbuild/osbuild-composer cd osbuild-composer # install the new containers-common and run the test dnf install -y https://kojihub.stream.centos.org/kojifiles/packages/containers-common/1/44.el9/x86_64/containers-common-1-44.el9.x86_64.rpm go test -count 1 ./... # this returns: --- FAIL: TestClientResolve (0.00s) client_test.go:31: Error Trace: client_test.go:31 Error: Received unexpected error: Unknown key "keyPaths" invalid policy in "/etc/containers/policy.json" github.com/containers/image/v5/signature.NewPolicyFromFile /osbuild-composer/vendor/github.com/containers/image/v5/signature/policy_config.go:88 github.com/osbuild/osbuild-composer/internal/container.NewClient /osbuild-composer/internal/container/client.go:123 github.com/osbuild/osbuild-composer/internal/container_test.TestClientResolve /osbuild-composer/internal/container/client_test.go:29 testing.tRunner /usr/lib/golang/src/testing/testing.go:1439 runtime.goexit /usr/lib/golang/src/runtime/asm_amd64.s:1571 Test: TestClientResolve client_test.go:32: Error Trace: client_test.go:32 Error: Expected value not to be nil. Test: TestClientResolve When run with an older containers-common, it succeeds: dnf install -y https://kojihub.stream.centos.org/kojifiles/packages/containers-common/1/40.el9/x86_64/containers-common-1-40.el9.x86_64.rpm go test -count 1 ./... PASS To sum it up, I had to upgrade github.com/containers/image/v5 to v5.22.0. Unfortunately, this wasn't so simple, see go get github.com/containers/image/v5@latest go: github.com/containers/image/v5@v5.22.0 requires github.com/letsencrypt/boulder@v0.0.0-20220331220046-b23ab962616e requires github.com/honeycombio/beeline-go@v1.1.1 requires github.com/gobuffalo/pop/v5@v5.3.1 requires github.com/mattn/go-sqlite3@v2.0.3+incompatible: reading github.com/mattn/go-sqlite3/go.mod at revision v2.0.3: unknown revision v2.0.3 It turns out that github.com/mattn/go-sqlite3@v2.0.3+incompatible has been recently retracted https://github.com/mattn/go-sqlite3/pull/998 and this broke a ton of packages depending on it. I was able to fix it by adding exclude github.com/mattn/go-sqlite3 v2.0.3+incompatible to our go.mod, see https://github.com/mattn/go-sqlite3/issues/975#issuecomment-955661657 After adding it, go get github.com/containers/image/v5@latest succeeded and tools/prepare-source.sh took care of the rest. Signed-off-by: Ondřej Budai <ondrej@budai.cz>
2022-08-28 20:29:14 +02:00 · 2022-08-28 20:29:14 +02:00 · 29f66a251f
commit 29f66a251f
parent fa514c5326
694 changed files with 90636 additions and 50426 deletions
--- a/vendor/github.com/letsencrypt/boulder/sa/proto/sa.pb.go
+++ b/vendor/github.com/letsencrypt/boulder/sa/proto/sa.pb.go
--- a/vendor/github.com/letsencrypt/boulder/sa/proto/sa.proto
+++ b/vendor/github.com/letsencrypt/boulder/sa/proto/sa.proto
@ -0,0 +1,272 @@
+syntax = "proto3";
+
+package sa;
+option go_package = "github.com/letsencrypt/boulder/sa/proto";
+
+import "core/proto/core.proto";
+import "google/protobuf/empty.proto";
+
+service StorageAuthority {
+  // Getters
+  rpc GetRegistration(RegistrationID) returns (core.Registration) {}
+  rpc GetRegistrationByKey(JSONWebKey) returns (core.Registration) {}
+  rpc GetSerialMetadata(Serial) returns (SerialMetadata) {}
+  rpc GetCertificate(Serial) returns (core.Certificate) {}
+  rpc GetPrecertificate(Serial) returns (core.Certificate) {}
+  rpc GetCertificateStatus(Serial) returns (core.CertificateStatus) {}
+  rpc CountCertificatesByNames(CountCertificatesByNamesRequest) returns (CountByNames) {}
+  rpc CountRegistrationsByIP(CountRegistrationsByIPRequest) returns (Count) {}
+  rpc CountRegistrationsByIPRange(CountRegistrationsByIPRequest) returns (Count) {}
+  rpc CountOrders(CountOrdersRequest) returns (Count) {}
+  // Return a count of authorizations with status "invalid" that belong to
+  // a given registration ID and expire in the given time range.
+  rpc CountFQDNSets(CountFQDNSetsRequest) returns (Count) {}
+  rpc FQDNSetExists(FQDNSetExistsRequest) returns (Exists) {}
+  rpc PreviousCertificateExists(PreviousCertificateExistsRequest) returns (Exists) {}
+  rpc GetAuthorization2(AuthorizationID2) returns (core.Authorization) {}
+  rpc GetAuthorizations2(GetAuthorizationsRequest) returns (Authorizations) {}
+  rpc GetPendingAuthorization2(GetPendingAuthorizationRequest) returns (core.Authorization) {}
+  rpc CountPendingAuthorizations2(RegistrationID) returns (Count) {}
+  rpc GetValidOrderAuthorizations2(GetValidOrderAuthorizationsRequest) returns (Authorizations) {}
+  rpc CountInvalidAuthorizations2(CountInvalidAuthorizationsRequest) returns (Count) {}
+  rpc GetValidAuthorizations2(GetValidAuthorizationsRequest) returns (Authorizations) {}
+  rpc KeyBlocked(KeyBlockedRequest) returns (Exists) {}
+  // Adders
+  rpc NewRegistration(core.Registration) returns (core.Registration) {}
+  rpc UpdateRegistration(core.Registration) returns (google.protobuf.Empty) {}
+  rpc AddCertificate(AddCertificateRequest) returns (AddCertificateResponse) {}
+  rpc AddPrecertificate(AddCertificateRequest) returns (google.protobuf.Empty) {}
+  rpc AddSerial(AddSerialRequest) returns (google.protobuf.Empty) {}
+  rpc DeactivateRegistration(RegistrationID) returns (google.protobuf.Empty) {}
+  rpc NewOrder(NewOrderRequest) returns (core.Order) {}
+  rpc NewOrderAndAuthzs(NewOrderAndAuthzsRequest) returns (core.Order) {}
+  rpc SetOrderProcessing(OrderRequest) returns (google.protobuf.Empty) {}
+  rpc SetOrderError(SetOrderErrorRequest) returns (google.protobuf.Empty) {}
+  rpc FinalizeOrder(FinalizeOrderRequest) returns (google.protobuf.Empty) {}
+  rpc GetOrder(OrderRequest) returns (core.Order) {}
+  rpc GetOrderForNames(GetOrderForNamesRequest) returns (core.Order) {}
+  rpc RevokeCertificate(RevokeCertificateRequest) returns (google.protobuf.Empty) {}
+  rpc UpdateRevokedCertificate(RevokeCertificateRequest) returns (google.protobuf.Empty) {}
+  rpc NewAuthorizations2(AddPendingAuthorizationsRequest) returns (Authorization2IDs) {}
+  rpc FinalizeAuthorization2(FinalizeAuthorizationRequest) returns (google.protobuf.Empty) {}
+  rpc DeactivateAuthorization2(AuthorizationID2) returns (google.protobuf.Empty) {}
+  rpc AddBlockedKey(AddBlockedKeyRequest) returns (google.protobuf.Empty) {}
+}
+
+message RegistrationID {
+  int64 id = 1;
+}
+
+message JSONWebKey {
+  bytes jwk = 1; 
+}
+
+message AuthorizationID {
+  string id = 1;
+}
+
+message GetPendingAuthorizationRequest {
+  int64 registrationID = 1;
+  string identifierType = 2;
+  string identifierValue = 3;
+  // Result must be valid until at least this Unix timestamp (nanos)
+  int64 validUntil = 4;
+}
+
+message GetValidAuthorizationsRequest {
+  int64 registrationID = 1;
+  repeated string domains = 2;
+  int64 now = 3; // Unix timestamp (nanoseconds)
+}
+
+message ValidAuthorizations {
+  message MapElement {
+          string domain = 1;
+          core.Authorization authz = 2;
+  }
+  repeated MapElement valid = 1;
+}
+
+message Serial {
+  string serial = 1;
+}
+
+message SerialMetadata {
+  string serial = 1;
+  int64 registrationID = 2;
+  int64 created = 3; // Unix timestamp (nanoseconds)
+  int64 expires = 4; // Unix timestamp (nanoseconds)
+}
+
+message Range {
+  int64 earliest = 1; // Unix timestamp (nanoseconds)
+  int64 latest = 2;   // Unix timestamp (nanoseconds)
+}
+
+message Count {
+  int64 count = 1;
+}
+
+message CountCertificatesByNamesRequest {
+  Range range = 1;
+  repeated string names = 2;
+}
+
+message CountByNames {
+  map<string, int64> counts = 1;
+}
+
+message CountRegistrationsByIPRequest {
+  bytes ip = 1;
+  Range range = 2;
+}
+
+message CountInvalidAuthorizationsRequest {
+  int64 registrationID = 1;
+  string hostname = 2;
+  // Count authorizations that expire in this range.
+  Range range = 3;
+}
+
+message CountOrdersRequest {
+  int64 accountID = 1;
+  Range range = 2;
+}
+
+message CountFQDNSetsRequest {
+  int64 window = 1;
+  repeated string domains = 2;
+}
+
+message FQDNSetExistsRequest {
+  repeated string domains = 1;
+}
+
+message PreviousCertificateExistsRequest {
+  string domain = 1;
+  int64 regID = 2;
+}
+
+message Exists {
+  bool exists = 1;
+}
+
+message AddSerialRequest {
+  int64 regID = 1;
+  string serial = 2;
+  int64 created = 3; // Unix timestamp (nanoseconds)
+  int64 expires = 4; // Unix timestamp (nanoseconds)
+}
+
+message AddCertificateRequest {
+  bytes der = 1;
+  int64 regID = 2;
+  // A signed OCSP response for the certificate contained in "der".
+  // Note: The certificate status in the OCSP response is assumed to be 0 (good).
+  bytes ocsp = 3;
+  // An issued time. When not present the SA defaults to using
+  // the current time. The orphan-finder uses this parameter to add
+  // certificates with the correct historic issued date
+  int64 issued = 4;
+  int64 issuerID = 5;
+}
+
+message AddCertificateResponse {
+  string digest = 1;
+}
+
+message OrderRequest {
+  int64 id = 1;
+}
+
+message NewOrderRequest {
+  int64 registrationID = 1;
+  int64 expires = 2;
+  repeated string names = 3;
+  repeated int64 v2Authorizations = 4;
+}
+
+message NewOrderAndAuthzsRequest {
+  NewOrderRequest newOrder = 1;
+  repeated core.Authorization newAuthzs = 2;
+}
+
+message SetOrderErrorRequest {
+  int64 id = 1;
+  core.ProblemDetails error = 2;
+}
+
+message GetValidOrderAuthorizationsRequest {
+  int64 id = 1;
+  int64 acctID = 2;
+}
+
+message GetOrderForNamesRequest {
+  int64 acctID = 1;
+  repeated string names = 2;
+}
+
+message FinalizeOrderRequest {
+  int64 id = 1;
+  string certificateSerial = 2;
+}
+
+message GetAuthorizationsRequest {
+  int64 registrationID = 1;
+  repeated string domains = 2;
+  int64 now = 3; // Unix timestamp (nanoseconds)
+}
+
+message Authorizations {
+  message MapElement {
+          string domain = 1;
+          core.Authorization authz = 2;
+  }
+  repeated MapElement authz = 1;
+}
+
+message AddPendingAuthorizationsRequest {
+  repeated core.Authorization authz = 1;
+}
+
+message AuthorizationIDs {
+  repeated string ids = 1;
+}
+
+message AuthorizationID2 {
+  int64 id = 1;
+}
+
+message Authorization2IDs {
+  repeated int64 ids = 1;
+}
+
+message RevokeCertificateRequest {
+  string serial = 1;
+  int64 reason = 2;
+  int64 date = 3; // Unix timestamp (nanoseconds)
+  int64 backdate = 5; // Unix timestamp (nanoseconds)
+  bytes response = 4;
+}
+
+message FinalizeAuthorizationRequest {
+  int64 id = 1;
+  string status = 2;
+  int64 expires = 3; // Unix timestamp (nanoseconds)
+  string attempted = 4;
+  repeated core.ValidationRecord validationRecords = 5;
+  core.ProblemDetails validationError = 6;
+  int64 attemptedAt = 7; // Unix timestamp (nanoseconds)
+}
+
+message AddBlockedKeyRequest {
+  bytes keyHash = 1;
+  int64 added = 2; // Unix timestamp (nanoseconds)
+  string source = 3;
+  string comment = 4;
+  int64 revokedBy = 5;
+}
+
+message KeyBlockedRequest {
+  bytes keyHash = 1;
+}
--- a/vendor/github.com/letsencrypt/boulder/sa/proto/sa_grpc.pb.go
+++ b/vendor/github.com/letsencrypt/boulder/sa/proto/sa_grpc.pb.go
--- a/vendor/github.com/letsencrypt/boulder/sa/proto/subsets.go
+++ b/vendor/github.com/letsencrypt/boulder/sa/proto/subsets.go
@ -0,0 +1,46 @@
+// Copied from the auto-generated sa_grpc.pb.go
+
+package proto
+
+import (
+	context "context"
+
+	proto "github.com/letsencrypt/boulder/core/proto"
+	grpc "google.golang.org/grpc"
+	emptypb "google.golang.org/protobuf/types/known/emptypb"
+)
+
+// StorageAuthorityGetterClient is a read-only subset of the sapb.StorageAuthorityClient interface
+type StorageAuthorityGetterClient interface {
+	GetRegistration(ctx context.Context, in *RegistrationID, opts ...grpc.CallOption) (*proto.Registration, error)
+	GetRegistrationByKey(ctx context.Context, in *JSONWebKey, opts ...grpc.CallOption) (*proto.Registration, error)
+	GetCertificate(ctx context.Context, in *Serial, opts ...grpc.CallOption) (*proto.Certificate, error)
+	GetPrecertificate(ctx context.Context, in *Serial, opts ...grpc.CallOption) (*proto.Certificate, error)
+	GetCertificateStatus(ctx context.Context, in *Serial, opts ...grpc.CallOption) (*proto.CertificateStatus, error)
+	CountCertificatesByNames(ctx context.Context, in *CountCertificatesByNamesRequest, opts ...grpc.CallOption) (*CountByNames, error)
+	CountRegistrationsByIP(ctx context.Context, in *CountRegistrationsByIPRequest, opts ...grpc.CallOption) (*Count, error)
+	CountRegistrationsByIPRange(ctx context.Context, in *CountRegistrationsByIPRequest, opts ...grpc.CallOption) (*Count, error)
+	CountOrders(ctx context.Context, in *CountOrdersRequest, opts ...grpc.CallOption) (*Count, error)
+	CountFQDNSets(ctx context.Context, in *CountFQDNSetsRequest, opts ...grpc.CallOption) (*Count, error)
+	FQDNSetExists(ctx context.Context, in *FQDNSetExistsRequest, opts ...grpc.CallOption) (*Exists, error)
+	PreviousCertificateExists(ctx context.Context, in *PreviousCertificateExistsRequest, opts ...grpc.CallOption) (*Exists, error)
+	GetAuthorization2(ctx context.Context, in *AuthorizationID2, opts ...grpc.CallOption) (*proto.Authorization, error)
+	GetAuthorizations2(ctx context.Context, in *GetAuthorizationsRequest, opts ...grpc.CallOption) (*Authorizations, error)
+	GetPendingAuthorization2(ctx context.Context, in *GetPendingAuthorizationRequest, opts ...grpc.CallOption) (*proto.Authorization, error)
+	CountPendingAuthorizations2(ctx context.Context, in *RegistrationID, opts ...grpc.CallOption) (*Count, error)
+	GetValidOrderAuthorizations2(ctx context.Context, in *GetValidOrderAuthorizationsRequest, opts ...grpc.CallOption) (*Authorizations, error)
+	CountInvalidAuthorizations2(ctx context.Context, in *CountInvalidAuthorizationsRequest, opts ...grpc.CallOption) (*Count, error)
+	GetValidAuthorizations2(ctx context.Context, in *GetValidAuthorizationsRequest, opts ...grpc.CallOption) (*Authorizations, error)
+	KeyBlocked(ctx context.Context, in *KeyBlockedRequest, opts ...grpc.CallOption) (*Exists, error)
+	GetOrder(ctx context.Context, in *OrderRequest, opts ...grpc.CallOption) (*proto.Order, error)
+	GetOrderForNames(ctx context.Context, in *GetOrderForNamesRequest, opts ...grpc.CallOption) (*proto.Order, error)
+}
+
+// StorageAuthorityCertificateClient is a subset of the sapb.StorageAuthorityClient interface that only reads and writes certificates
+type StorageAuthorityCertificateClient interface {
+	AddSerial(ctx context.Context, in *AddSerialRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
+	AddPrecertificate(ctx context.Context, in *AddCertificateRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
+	GetPrecertificate(ctx context.Context, in *Serial, opts ...grpc.CallOption) (*proto.Certificate, error)
+	AddCertificate(ctx context.Context, in *AddCertificateRequest, opts ...grpc.CallOption) (*AddCertificateResponse, error)
+	GetCertificate(ctx context.Context, in *Serial, opts ...grpc.CallOption) (*proto.Certificate, error)
+}