build(deps): bump cloud.google.com/go/compute from 1.10.0 to 1.19.3

Bumps [cloud.google.com/go/compute](https://github.com/googleapis/google-cloud-go) from 1.10.0 to 1.19.3. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/kms/v1.10.0...compute/v1.19.3) --- updated-dependencies: - dependency-name: cloud.google.com/go/compute dependency-type: direct:production update-type: version-update:semver-minor ... Migrated to the new version by following https://github.com/googleapis/google-cloud-go/blob/main/migration.md Co-authored-by: Tomáš Hozza <thozza@redhat.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Tomáš Hozza <thozza@redhat.com>
2023-05-17 05:12:27 +00:00 · 2023-05-17 05:12:27 +00:00 · 60e55b5ed3
commit 60e55b5ed3
parent 468c63d433
448 changed files with 119170 additions and 54581 deletions
--- a/vendor/github.com/googleapis/enterprise-certificate-proxy/client/client.go
+++ b/vendor/github.com/googleapis/enterprise-certificate-proxy/client/client.go
@ -1,16 +1,28 @@
 // Copyright 2022 Google LLC.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package client is a cross-platform client for the signer binary (a.k.a."EnterpriseCertSigner").
 //
-// Client is a cross-platform client for the signer binary (a.k.a."EnterpriseCertSigner").
 // The signer binary is OS-specific, but exposes a standard set of APIs for the client to use.
 package client

 import (
 	"crypto"
+	"crypto/ecdsa"
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/gob"
+	"errors"
 	"fmt"
 	"io"
 	"net/rpc"
@ -67,14 +79,16 @@ func (k *Key) CertificateChain() [][]byte {
 // Close closes the RPC connection and kills the signer subprocess.
 // Call this to free up resources when the Key object is no longer needed.
 func (k *Key) Close() error {
-	if err := k.client.Close(); err != nil {
-		return fmt.Errorf("failed to close RPC connection: %w", err)
-	}
 	if err := k.cmd.Process.Kill(); err != nil {
 		return fmt.Errorf("failed to kill signer process: %w", err)
 	}
-	if err := k.cmd.Wait(); err.Error() != "signal: killed" {
-		return fmt.Errorf("signer process was not killed: %w", err)
+	// Wait for cmd to exit and release resources. Since the process is forcefully killed, this
+	// will return a non-nil error (varies by OS), which we will ignore.
+	_ = k.cmd.Wait()
+	// The Pipes connecting the RPC client should have been closed when the signer subprocess was killed.
+	// Calling `k.client.Close()` before `k.cmd.Process.Kill()` or `k.cmd.Wait()` _will_ cause a segfault.
+	if err := k.client.Close(); err.Error() != "close |0: file already closed" {
+		return fmt.Errorf("failed to close RPC connection: %w", err)
 	}
 	return nil
 }
@ -84,12 +98,19 @@ func (k *Key) Public() crypto.PublicKey {
 	return k.publicKey
 }

-// Sign signs a message by encrypting a message digest, using the specified signer options.
+// Sign signs a message digest, using the specified signer options.
 func (k *Key) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) (signed []byte, err error) {
+	if opts != nil && opts.HashFunc() != 0 && len(digest) != opts.HashFunc().Size() {
+		return nil, fmt.Errorf("Digest length of %v bytes does not match Hash function size of %v bytes", len(digest), opts.HashFunc().Size())
+	}
 	err = k.client.Call(signAPI, SignArgs{Digest: digest, Opts: opts}, &signed)
 	return
 }

+// ErrCredUnavailable is a sentinel error that indicates ECP Cred is unavailable,
+// possibly due to missing config or missing binary path.
+var ErrCredUnavailable = errors.New("Cred is unavailable")
+
 // Cred spawns a signer subprocess that listens on stdin/stdout to perform certificate
 // related operations, including signing messages with the private key.
 //
@ -103,6 +124,9 @@ func Cred(configFilePath string) (*Key, error) {
 	}
 	enterpriseCertSignerPath, err := util.LoadSignerBinaryPath(configFilePath)
 	if err != nil {
+		if errors.Is(err, util.ErrConfigUnavailable) {
+			return nil, ErrCredUnavailable
+		}
 		return nil, err
 	}
 	k := &Key{
@ -147,5 +171,15 @@ func Cred(configFilePath string) (*Key, error) {
 		return nil, fmt.Errorf("invalid public key type: %T", publicKey)
 	}

+	switch pub := k.publicKey.(type) {
+	case *rsa.PublicKey:
+		if pub.Size() < 256 {
+			return nil, fmt.Errorf("RSA modulus size is less than 2048 bits: %v", pub.Size()*8)
+		}
+	case *ecdsa.PublicKey:
+	default:
+		return nil, fmt.Errorf("unsupported public key type: %v", pub)
+	}
+
 	return k, nil
 }
--- a/vendor/github.com/googleapis/enterprise-certificate-proxy/client/util/util.go
+++ b/vendor/github.com/googleapis/enterprise-certificate-proxy/client/util/util.go
@ -1,17 +1,30 @@
+// Copyright 2022 Google LLC.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 // Package util provides helper functions for the client.
 package util

 import (
 	"encoding/json"
 	"errors"
-	"io/ioutil"
+	"io"
 	"os"
 	"os/user"
 	"path/filepath"
 	"runtime"
 )

-const configFileName = "enterprise_certificate_config.json"
+const configFileName = "certificate_config.json"

 // EnterpriseCertificateConfig contains parameters for initializing signer.
 type EnterpriseCertificateConfig struct {
@ -20,17 +33,24 @@ type EnterpriseCertificateConfig struct {

 // Libs specifies the locations of helper libraries.
 type Libs struct {
-	SignerBinary string `json:"signer_binary"`
+	ECP string `json:"ecp"`
 }

+// ErrConfigUnavailable is a sentinel error that indicates ECP config is unavailable,
+// possibly due to entire config missing or missing binary path.
+var ErrConfigUnavailable = errors.New("Config is unavailable")
+
 // LoadSignerBinaryPath retrieves the path of the signer binary from the config file.
 func LoadSignerBinaryPath(configFilePath string) (path string, err error) {
 	jsonFile, err := os.Open(configFilePath)
 	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return "", ErrConfigUnavailable
+		}
 		return "", err
 	}

-	byteValue, err := ioutil.ReadAll(jsonFile)
+	byteValue, err := io.ReadAll(jsonFile)
 	if err != nil {
 		return "", err
 	}
@ -39,9 +59,9 @@ func LoadSignerBinaryPath(configFilePath string) (path string, err error) {
 	if err != nil {
 		return "", err
 	}
-	signerBinaryPath := config.Libs.SignerBinary
+	signerBinaryPath := config.Libs.ECP
 	if signerBinaryPath == "" {
-		return "", errors.New("Signer binary path is missing.")
+		return "", ErrConfigUnavailable
 	}
 	return signerBinaryPath, nil
 }
@ -61,9 +81,8 @@ func guessHomeDir() string {
 func getDefaultConfigFileDirectory() (directory string) {
 	if runtime.GOOS == "windows" {
 		return filepath.Join(os.Getenv("APPDATA"), "gcloud")
-	} else {
-		return filepath.Join(guessHomeDir(), ".config/gcloud")
 	}
+	return filepath.Join(guessHomeDir(), ".config/gcloud")
 }

 // GetDefaultConfigFilePath returns the default path of the enterprise certificate config file created by gCloud.