go.mod: Update openshift-online/ocm-sdk-go

This requires golang-jwt/jwt/v4.
2022-05-17 19:15:17 +02:00 · 2022-05-17 19:15:17 +02:00 · 7529382890
commit 7529382890
parent 56a7059b40
111 changed files with 4401 additions and 1462 deletions
--- a/vendor/github.com/cenkalti/backoff/v4/exponential.go
+++ b/vendor/github.com/cenkalti/backoff/v4/exponential.go
@ -147,6 +147,9 @@ func (b *ExponentialBackOff) incrementCurrentInterval() {
 // Returns a random value from the following interval:
 // 	[currentInterval - randomizationFactor * currentInterval, currentInterval + randomizationFactor * currentInterval].
 func getRandomValueFromInterval(randomizationFactor, random float64, currentInterval time.Duration) time.Duration {
+	if randomizationFactor == 0 {
+		return currentInterval // make sure no randomness is used when randomizationFactor is 0.
+	}
 	var delta = randomizationFactor * float64(currentInterval)
 	var minInterval = float64(currentInterval) - delta
 	var maxInterval = float64(currentInterval) + delta
--- a/vendor/github.com/golang-jwt/jwt/v4/README.md
+++ b/vendor/github.com/golang-jwt/jwt/v4/README.md
@ -46,9 +46,16 @@ See [the project documentation](https://pkg.go.dev/github.com/golang-jwt/jwt) fo

 ## Extensions

-This library publishes all the necessary components for adding your own signing methods.  Simply implement the `SigningMethod` interface and register a factory method using `RegisterSigningMethod`.  
+This library publishes all the necessary components for adding your own signing methods.  Simply implement the `SigningMethod` interface and register a factory method using `RegisterSigningMethod`. 

-Here's an example of an extension that integrates with multiple Google Cloud Platform signing tools (AppEngine, IAM API, Cloud KMS): https://github.com/someone1/gcp-jwt-go
+A common use case would be integrating with different 3rd party signature providers, like key management services from various cloud providers or Hardware Security Modules (HSMs).
+
+| Extension | Purpose                                                                                      | Repo                                       |
+|-----------|----------------------------------------------------------------------------------------------|--------------------------------------------|
+| GCP       | Integrates with multiple Google Cloud Platform signing tools (AppEngine, IAM API, Cloud KMS) | https://github.com/someone1/gcp-jwt-go     |
+| AWS       | Integrates with AWS Key Management Service, KMS                                              | https://github.com/matelang/jwt-go-aws-kms |
+
+*Disclaimer*: Unless otherwise specified, these integrations are maintained by third parties and should not be considered as a primary offer by any of the mentioned cloud providers

 ## Compliance

@ -112,3 +119,5 @@ This library uses descriptive error messages whenever possible. If you are not g
 Documentation can be found [on pkg.go.dev](https://pkg.go.dev/github.com/golang-jwt/jwt).

 The command line utility included in this project (cmd/jwt) provides a straightforward example of token creation and parsing as well as a useful tool for debugging your own integration. You'll also find several implementation examples in the documentation.
+
+[golang-jwt](https://github.com/orgs/golang-jwt) incorporates a modified version of the JWT logo, which is distributed under the terms of the [MIT License](https://github.com/jsonwebtoken/jsonwebtoken.github.io/blob/master/LICENSE.txt).
--- a/vendor/github.com/golang-jwt/jwt/v4/claims.go
+++ b/vendor/github.com/golang-jwt/jwt/v4/claims.go
@ -56,17 +56,17 @@ func (c RegisteredClaims) Valid() error {
 	// default value in Go, let's not fail the verification for them.
 	if !c.VerifyExpiresAt(now, false) {
 		delta := now.Sub(c.ExpiresAt.Time)
-		vErr.Inner = fmt.Errorf("token is expired by %v", delta)
+		vErr.Inner = fmt.Errorf("%s by %s", ErrTokenExpired, delta)
 		vErr.Errors |= ValidationErrorExpired
 	}

 	if !c.VerifyIssuedAt(now, false) {
-		vErr.Inner = fmt.Errorf("token used before issued")
+		vErr.Inner = ErrTokenUsedBeforeIssued
 		vErr.Errors |= ValidationErrorIssuedAt
 	}

 	if !c.VerifyNotBefore(now, false) {
-		vErr.Inner = fmt.Errorf("token is not valid yet")
+		vErr.Inner = ErrTokenNotValidYet
 		vErr.Errors |= ValidationErrorNotValidYet
 	}

@ -149,17 +149,17 @@ func (c StandardClaims) Valid() error {
 	// default value in Go, let's not fail the verification for them.
 	if !c.VerifyExpiresAt(now, false) {
 		delta := time.Unix(now, 0).Sub(time.Unix(c.ExpiresAt, 0))
-		vErr.Inner = fmt.Errorf("token is expired by %v", delta)
+		vErr.Inner = fmt.Errorf("%s by %s", ErrTokenExpired, delta)
 		vErr.Errors |= ValidationErrorExpired
 	}

 	if !c.VerifyIssuedAt(now, false) {
-		vErr.Inner = fmt.Errorf("token used before issued")
+		vErr.Inner = ErrTokenUsedBeforeIssued
 		vErr.Errors |= ValidationErrorIssuedAt
 	}

 	if !c.VerifyNotBefore(now, false) {
-		vErr.Inner = fmt.Errorf("token is not valid yet")
+		vErr.Inner = ErrTokenNotValidYet
 		vErr.Errors |= ValidationErrorNotValidYet
 	}

--- a/vendor/github.com/golang-jwt/jwt/v4/errors.go
+++ b/vendor/github.com/golang-jwt/jwt/v4/errors.go
@ -9,6 +9,18 @@ var (
 	ErrInvalidKey      = errors.New("key is invalid")
 	ErrInvalidKeyType  = errors.New("key is of invalid type")
 	ErrHashUnavailable = errors.New("the requested hash function is unavailable")
+
+	ErrTokenMalformed        = errors.New("token is malformed")
+	ErrTokenUnverifiable     = errors.New("token is unverifiable")
+	ErrTokenSignatureInvalid = errors.New("token signature is invalid")
+
+	ErrTokenInvalidAudience  = errors.New("token has invalid audience")
+	ErrTokenExpired          = errors.New("token is expired")
+	ErrTokenUsedBeforeIssued = errors.New("token used before issued")
+	ErrTokenInvalidIssuer    = errors.New("token has invalid issuer")
+	ErrTokenNotValidYet      = errors.New("token is not valid yet")
+	ErrTokenInvalidId        = errors.New("token has invalid id")
+	ErrTokenInvalidClaims    = errors.New("token has invalid claims")
 )

 // The errors that might occur when parsing and validating a token
@ -62,3 +74,39 @@ func (e *ValidationError) Unwrap() error {
 func (e *ValidationError) valid() bool {
 	return e.Errors == 0
 }
+
+// Is checks if this ValidationError is of the supplied error. We are first checking for the exact error message
+// by comparing the inner error message. If that fails, we compare using the error flags. This way we can use
+// custom error messages (mainly for backwards compatability) and still leverage errors.Is using the global error variables.
+func (e *ValidationError) Is(err error) bool {
+	// Check, if our inner error is a direct match
+	if errors.Is(errors.Unwrap(e), err) {
+		return true
+	}
+
+	// Otherwise, we need to match using our error flags
+	switch err {
+	case ErrTokenMalformed:
+		return e.Errors&ValidationErrorMalformed != 0
+	case ErrTokenUnverifiable:
+		return e.Errors&ValidationErrorUnverifiable != 0
+	case ErrTokenSignatureInvalid:
+		return e.Errors&ValidationErrorSignatureInvalid != 0
+	case ErrTokenInvalidAudience:
+		return e.Errors&ValidationErrorAudience != 0
+	case ErrTokenExpired:
+		return e.Errors&ValidationErrorExpired != 0
+	case ErrTokenUsedBeforeIssued:
+		return e.Errors&ValidationErrorIssuedAt != 0
+	case ErrTokenInvalidIssuer:
+		return e.Errors&ValidationErrorIssuer != 0
+	case ErrTokenNotValidYet:
+		return e.Errors&ValidationErrorNotValidYet != 0
+	case ErrTokenInvalidId:
+		return e.Errors&ValidationErrorId != 0
+	case ErrTokenInvalidClaims:
+		return e.Errors&ValidationErrorClaimsInvalid != 0
+	}
+
+	return false
+}
--- a/vendor/github.com/golang-jwt/jwt/v4/go.mod
+++ b/vendor/github.com/golang-jwt/jwt/v4/go.mod
@ -1,3 +1,7 @@
 module github.com/golang-jwt/jwt/v4

-go 1.15
+go 1.16
+
+retract (
+    v4.4.0 // Contains a backwards incompatible change to the Claims interface.
+)
--- a/vendor/github.com/golang-jwt/jwt/v4/map_claims.go
+++ b/vendor/github.com/golang-jwt/jwt/v4/map_claims.go
@ -126,16 +126,19 @@ func (m MapClaims) Valid() error {
 	now := TimeFunc().Unix()

 	if !m.VerifyExpiresAt(now, false) {
+		// TODO(oxisto): this should be replaced with ErrTokenExpired
 		vErr.Inner = errors.New("Token is expired")
 		vErr.Errors |= ValidationErrorExpired
 	}

 	if !m.VerifyIssuedAt(now, false) {
+		// TODO(oxisto): this should be replaced with ErrTokenUsedBeforeIssued
 		vErr.Inner = errors.New("Token used before issued")
 		vErr.Errors |= ValidationErrorIssuedAt
 	}

 	if !m.VerifyNotBefore(now, false) {
+		// TODO(oxisto): this should be replaced with ErrTokenNotValidYet
 		vErr.Inner = errors.New("Token is not valid yet")
 		vErr.Errors |= ValidationErrorNotValidYet
 	}
--- a/vendor/github.com/golang-jwt/jwt/v4/parser_option.go
+++ b/vendor/github.com/golang-jwt/jwt/v4/parser_option.go
@ -1,6 +1,6 @@
 package jwt

-// ParserOption is used to implement functional-style options that modify the behaviour of the parser. To add
+// ParserOption is used to implement functional-style options that modify the behavior of the parser. To add
 // new options, just create a function (ideally beginning with With or Without) that returns an anonymous function that
 // takes a *Parser type as input and manipulates its configuration accordingly.
 type ParserOption func(*Parser)
@ -13,7 +13,7 @@ func WithValidMethods(methods []string) ParserOption {
 	}
 }

-// WithJSONNumber is an option to configure the underyling JSON parser with UseNumber
+// WithJSONNumber is an option to configure the underlying JSON parser with UseNumber
 func WithJSONNumber() ParserOption {
 	return func(p *Parser) {
 		p.UseJSONNumber = true
--- a/vendor/github.com/golang-jwt/jwt/v4/token.go
+++ b/vendor/github.com/golang-jwt/jwt/v4/token.go
@ -74,22 +74,19 @@ func (t *Token) SignedString(key interface{}) (string, error) {
 // the SignedString.
 func (t *Token) SigningString() (string, error) {
 	var err error
-	parts := make([]string, 2)
-	for i := range parts {
-		var jsonValue []byte
-		if i == 0 {
-			if jsonValue, err = json.Marshal(t.Header); err != nil {
-				return "", err
-			}
-		} else {
-			if jsonValue, err = json.Marshal(t.Claims); err != nil {
-				return "", err
-			}
-		}
+	var jsonValue []byte

-		parts[i] = EncodeSegment(jsonValue)
+	if jsonValue, err = json.Marshal(t.Header); err != nil {
+		return "", err
 	}
-	return strings.Join(parts, "."), nil
+	header := EncodeSegment(jsonValue)
+
+	if jsonValue, err = json.Marshal(t.Claims); err != nil {
+		return "", err
+	}
+	claim := EncodeSegment(jsonValue)
+
+	return strings.Join([]string{header, claim}, "."), nil
 }

 // Parse parses, validates, verifies the signature and returns the parsed token.
--- a/vendor/github.com/golang-jwt/jwt/v4/types.go
+++ b/vendor/github.com/golang-jwt/jwt/v4/types.go
@ -49,9 +49,13 @@ func newNumericDateFromSeconds(f float64) *NumericDate {
 // MarshalJSON is an implementation of the json.RawMessage interface and serializes the UNIX epoch
 // represented in NumericDate to a byte array, using the precision specified in TimePrecision.
 func (date NumericDate) MarshalJSON() (b []byte, err error) {
+	var prec int
+	if TimePrecision < time.Second {
+		prec = int(math.Log10(float64(time.Second) / float64(TimePrecision)))
+	}
 	f := float64(date.Truncate(TimePrecision).UnixNano()) / float64(time.Second)

-	return []byte(strconv.FormatFloat(f, 'f', -1, 64)), nil
+	return []byte(strconv.FormatFloat(f, 'f', prec, 64)), nil
 }

 // UnmarshalJSON is an implementation of the json.RawMessage interface and deserializses a
--- a/vendor/github.com/jackc/pgconn/CHANGELOG.md
+++ b/vendor/github.com/jackc/pgconn/CHANGELOG.md
@ -1,3 +1,9 @@
+# 1.12.0 (April 21, 2022)
+
+* Add pluggable GSSAPI support (Oliver Tan)
+* Fix: Consider any "0A000" error a possible cached plan changed error due to locale
+* Better match psql fallback behavior with multiple hosts
+
 # 1.11.0 (February 7, 2022)

 * Support port in ip from LookupFunc to override config (James Hartig)
--- a/vendor/github.com/jackc/pgconn/config.go
+++ b/vendor/github.com/jackc/pgconn/config.go
@ -176,8 +176,6 @@ func NetworkAddress(host string, port uint16) (network, address string) {
 //
 // Other known differences with libpq:
 //
-// If a host name resolves into multiple addresses, libpq will try all addresses. pgconn will only try the first.
-//
 // When multiple hosts are specified, libpq allows them to have different passwords set via the .pgpass file. pgconn
 // does not.
 //
@ -259,6 +257,8 @@ func ParseConfig(connString string) (*Config, error) {
 		"sslkey":               {},
 		"sslcert":              {},
 		"sslrootcert":          {},
+		"krbspn":               {},
+		"krbsrvname":           {},
 		"target_session_attrs": {},
 		"min_read_buffer_size": {},
 		"service":              {},
--- a/vendor/github.com/jackc/pgconn/go.mod
+++ b/vendor/github.com/jackc/pgconn/go.mod
@ -7,9 +7,9 @@ require (
 	github.com/jackc/pgio v1.0.0
 	github.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65
 	github.com/jackc/pgpassfile v1.0.0
-	github.com/jackc/pgproto3/v2 v2.1.1
+	github.com/jackc/pgproto3/v2 v2.3.0
 	github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b
 	github.com/stretchr/testify v1.7.0
 	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97
-	golang.org/x/text v0.3.6
+	golang.org/x/text v0.3.7
 )
--- a/vendor/github.com/jackc/pgconn/go.sum
+++ b/vendor/github.com/jackc/pgconn/go.sum
@ -31,8 +31,11 @@ github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190609003834-432c2951c711/go.mod
 github.com/jackc/pgproto3/v2 v2.0.0-rc3/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM=
 github.com/jackc/pgproto3/v2 v2.0.0-rc3.0.20190831210041-4c03ce451f29/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM=
 github.com/jackc/pgproto3/v2 v2.0.6/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
-github.com/jackc/pgproto3/v2 v2.1.1 h1:7PQ/4gLoqnl87ZxL7xjO0DR5gYuviDCZxQJsUlFW1eI=
 github.com/jackc/pgproto3/v2 v2.1.1/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
+github.com/jackc/pgproto3/v2 v2.2.1-0.20220412121321-175856ffd3c8 h1:KxsCQec+1iwJXtxnbbS/dY0EJ6rJEUlFsrJUnL5A2XI=
+github.com/jackc/pgproto3/v2 v2.2.1-0.20220412121321-175856ffd3c8/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
+github.com/jackc/pgproto3/v2 v2.3.0 h1:brH0pCGBDkBW07HWlN/oSBXrmo3WB0UvZd1pIuDcL8Y=
+github.com/jackc/pgproto3/v2 v2.3.0/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
 github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b h1:C8S2+VttkHFdOOCXJe+YGfa4vHYwlt4Zx+IVXQ97jYg=
 github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b/go.mod h1:vsD4gTJCa9TptPL8sPkXrLZ+hDuNrZCnj29CQpr4X1E=
 github.com/jackc/pgtype v0.0.0-20190421001408-4ed0de4755e0/go.mod h1:hdSHsc1V01CGwFsrv11mJRHWJ6aifDLfdV3aVjFF0zg=
@ -112,8 +115,9 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190425163242-31fd60d6bfdc/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190823170909-c4a336ef6a2f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
--- a/vendor/github.com/jackc/pgconn/krb5.go
+++ b/vendor/github.com/jackc/pgconn/krb5.go
@ -0,0 +1,94 @@
+package pgconn
+
+import (
+	"errors"
+	"github.com/jackc/pgproto3/v2"
+)
+
+// NewGSSFunc creates a GSS authentication provider, for use with
+// RegisterGSSProvider.
+type NewGSSFunc func() (GSS, error)
+
+var newGSS NewGSSFunc
+
+// RegisterGSSProvider registers a GSS authentication provider. For example, if
+// you need to use Kerberos to authenticate with your server, add this to your
+// main package:
+//
+//	import "github.com/otan/gopgkrb5"
+//
+//	func init() {
+//		pgconn.RegisterGSSProvider(func() (pgconn.GSS, error) { return gopgkrb5.NewGSS() })
+//	}
+func RegisterGSSProvider(newGSSArg NewGSSFunc) {
+	newGSS = newGSSArg
+}
+
+// GSS provides GSSAPI authentication (e.g., Kerberos).
+type GSS interface {
+	GetInitToken(host string, service string) ([]byte, error)
+	GetInitTokenFromSPN(spn string) ([]byte, error)
+	Continue(inToken []byte) (done bool, outToken []byte, err error)
+}
+
+func (c *PgConn) gssAuth() error {
+	if newGSS == nil {
+		return errors.New("kerberos error: no GSSAPI provider registered, see https://github.com/otan/gopgkrb5")
+	}
+	cli, err := newGSS()
+	if err != nil {
+		return err
+	}
+
+	var nextData []byte
+	if spn, ok := c.config.RuntimeParams["krbspn"]; ok {
+		// Use the supplied SPN if provided.
+		nextData, err = cli.GetInitTokenFromSPN(spn)
+	} else {
+		// Allow the kerberos service name to be overridden
+		service := "postgres"
+		if val, ok := c.config.RuntimeParams["krbsrvname"]; ok {
+			service = val
+		}
+		nextData, err = cli.GetInitToken(c.config.Host, service)
+	}
+	if err != nil {
+		return err
+	}
+
+	for {
+		gssResponse := &pgproto3.GSSResponse{
+			Data: nextData,
+		}
+		_, err = c.conn.Write(gssResponse.Encode(nil))
+		if err != nil {
+			return err
+		}
+		resp, err := c.rxGSSContinue()
+		if err != nil {
+			return err
+		}
+		var done bool
+		done, nextData, err = cli.Continue(resp.Data)
+		if err != nil {
+			return err
+		}
+		if done {
+			break
+		}
+	}
+	return nil
+}
+
+func (c *PgConn) rxGSSContinue() (*pgproto3.AuthenticationGSSContinue, error) {
+	msg, err := c.receiveMessage()
+	if err != nil {
+		return nil, err
+	}
+	gssContinue, ok := msg.(*pgproto3.AuthenticationGSSContinue)
+	if ok {
+		return gssContinue, nil
+	}
+
+	return nil, errors.New("expected AuthenticationGSSContinue message but received unexpected message")
+}
--- a/vendor/github.com/jackc/pgconn/pgconn.go
+++ b/vendor/github.com/jackc/pgconn/pgconn.go
@ -99,7 +99,7 @@ type PgConn struct {
 }

 // Connect establishes a connection to a PostgreSQL server using the environment and connString (in URL or DSN format)
-// to provide configuration. See documention for ParseConfig for details. ctx can be used to cancel a connect attempt.
+// to provide configuration. See documentation for ParseConfig for details. ctx can be used to cancel a connect attempt.
 func Connect(ctx context.Context, connString string) (*PgConn, error) {
 	config, err := ParseConfig(connString)
 	if err != nil {
@ -154,9 +154,14 @@ func ConnectConfig(ctx context.Context, config *Config) (pgConn *PgConn, err err
 			break
 		} else if pgerr, ok := err.(*PgError); ok {
 			err = &connectError{config: config, msg: "server error", err: pgerr}
-			ERRCODE_INVALID_PASSWORD := "28P01"                    // worng password
-			ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION := "28000" // db does not exist
-			if pgerr.Code == ERRCODE_INVALID_PASSWORD || pgerr.Code == ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION {
+			const ERRCODE_INVALID_PASSWORD = "28P01"                    // wrong password
+			const ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION = "28000" // wrong password or bad pg_hba.conf settings
+			const ERRCODE_INVALID_CATALOG_NAME = "3D000"                // db does not exist
+			const ERRCODE_INSUFFICIENT_PRIVILEGE = "42501"              // missing connect privilege
+			if pgerr.Code == ERRCODE_INVALID_PASSWORD ||
+				pgerr.Code == ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION ||
+				pgerr.Code == ERRCODE_INVALID_CATALOG_NAME ||
+				pgerr.Code == ERRCODE_INSUFFICIENT_PRIVILEGE {
 				break
 			}
 		}
@ -317,7 +322,12 @@ func connect(ctx context.Context, config *Config, fallbackConfig *FallbackConfig
 				pgConn.conn.Close()
 				return nil, &connectError{config: config, msg: "failed SASL auth", err: err}
 			}
-
+		case *pgproto3.AuthenticationGSS:
+			err = pgConn.gssAuth()
+			if err != nil {
+				pgConn.conn.Close()
+				return nil, &connectError{config: config, msg: "failed GSS auth", err: err}
+			}
 		case *pgproto3.ReadyForQuery:
 			pgConn.status = connStatusIdle
 			if config.ValidateConnect != nil {
--- a/vendor/github.com/jackc/pgconn/stmtcache/lru.go
+++ b/vendor/github.com/jackc/pgconn/stmtcache/lru.go
@ -102,10 +102,14 @@ func (c *LRU) StatementErrored(sql string, err error) {
 		return
 	}

-	isInvalidCachedPlanError := pgErr.Severity == "ERROR" &&
-		pgErr.Code == "0A000" &&
-		pgErr.Message == "cached plan must not change result type"
-	if isInvalidCachedPlanError {
+	// https://github.com/jackc/pgx/issues/1162
+	//
+	// We used to look for the message "cached plan must not change result type". However, that message can be localized.
+	// Unfortunately, error code "0A000" - "FEATURE NOT SUPPORTED" is used for many different errors and the only way to
+	// tell the difference is by the message. But all that happens is we clear a statement that we otherwise wouldn't
+	// have so it should be safe.
+	possibleInvalidCachedPlanError := pgErr.Code == "0A000"
+	if possibleInvalidCachedPlanError {
 		c.stmtsToClear = append(c.stmtsToClear, sql)
 	}
 }
--- a/vendor/github.com/jackc/pgproto3/v2/authentication_gss.go
+++ b/vendor/github.com/jackc/pgproto3/v2/authentication_gss.go
@ -0,0 +1,58 @@
+package pgproto3
+
+import (
+	"encoding/binary"
+	"encoding/json"
+	"errors"
+	"github.com/jackc/pgio"
+)
+
+type AuthenticationGSS struct{}
+
+func (a *AuthenticationGSS) Backend() {}
+
+func (a *AuthenticationGSS) AuthenticationResponse() {}
+
+func (a *AuthenticationGSS) Decode(src []byte) error {
+	if len(src) < 4 {
+		return errors.New("authentication message too short")
+	}
+
+	authType := binary.BigEndian.Uint32(src)
+
+	if authType != AuthTypeGSS {
+		return errors.New("bad auth type")
+	}
+	return nil
+}
+
+func (a *AuthenticationGSS) Encode(dst []byte) []byte {
+	dst = append(dst, 'R')
+	dst = pgio.AppendInt32(dst, 4)
+	dst = pgio.AppendUint32(dst, AuthTypeGSS)
+	return dst
+}
+
+func (a *AuthenticationGSS) MarshalJSON() ([]byte, error) {
+	return json.Marshal(struct {
+		Type string
+		Data []byte
+	}{
+		Type: "AuthenticationGSS",
+	})
+}
+
+func (a *AuthenticationGSS) UnmarshalJSON(data []byte) error {
+	// Ignore null, like in the main JSON package.
+	if string(data) == "null" {
+		return nil
+	}
+
+	var msg struct {
+		Type string
+	}
+	if err := json.Unmarshal(data, &msg); err != nil {
+		return err
+	}
+	return nil
+}
--- a/vendor/github.com/jackc/pgproto3/v2/authentication_gss_continue.go
+++ b/vendor/github.com/jackc/pgproto3/v2/authentication_gss_continue.go
@ -0,0 +1,67 @@
+package pgproto3
+
+import (
+	"encoding/binary"
+	"encoding/json"
+	"errors"
+	"github.com/jackc/pgio"
+)
+
+type AuthenticationGSSContinue struct {
+	Data []byte
+}
+
+func (a *AuthenticationGSSContinue) Backend() {}
+
+func (a *AuthenticationGSSContinue) AuthenticationResponse() {}
+
+func (a *AuthenticationGSSContinue) Decode(src []byte) error {
+	if len(src) < 4 {
+		return errors.New("authentication message too short")
+	}
+
+	authType := binary.BigEndian.Uint32(src)
+
+	if authType != AuthTypeGSSCont {
+		return errors.New("bad auth type")
+	}
+
+	a.Data = src[4:]
+	return nil
+}
+
+func (a *AuthenticationGSSContinue) Encode(dst []byte) []byte {
+	dst = append(dst, 'R')
+	dst = pgio.AppendInt32(dst, int32(len(a.Data))+8)
+	dst = pgio.AppendUint32(dst, AuthTypeGSSCont)
+	dst = append(dst, a.Data...)
+	return dst
+}
+
+func (a *AuthenticationGSSContinue) MarshalJSON() ([]byte, error) {
+	return json.Marshal(struct {
+		Type string
+		Data []byte
+	}{
+		Type: "AuthenticationGSSContinue",
+		Data: a.Data,
+	})
+}
+
+func (a *AuthenticationGSSContinue) UnmarshalJSON(data []byte) error {
+	// Ignore null, like in the main JSON package.
+	if string(data) == "null" {
+		return nil
+	}
+
+	var msg struct {
+		Type string
+		Data []byte
+	}
+	if err := json.Unmarshal(data, &msg); err != nil {
+		return err
+	}
+
+	a.Data = msg.Data
+	return nil
+}
--- a/vendor/github.com/jackc/pgproto3/v2/backend.go
+++ b/vendor/github.com/jackc/pgproto3/v2/backend.go
@ -30,11 +30,10 @@ type Backend struct {
 	sync           Sync
 	terminate      Terminate

-	bodyLen      int
-	msgType      byte
-	partialMsg   bool
-	authType     uint32
-	
+	bodyLen    int
+	msgType    byte
+	partialMsg bool
+	authType   uint32
 }

 const (
@ -147,6 +146,8 @@ func (b *Backend) Receive() (FrontendMessage, error) {
 			msg = &SASLResponse{}
 		case AuthTypeSASLFinal:
 			msg = &SASLResponse{}
+		case AuthTypeGSS, AuthTypeGSSCont:
+			msg = &GSSResponse{}
 		case AuthTypeCleartextPassword, AuthTypeMD5Password:
 			fallthrough
 		default:
--- a/vendor/github.com/jackc/pgproto3/v2/copy_both_response.go
+++ b/vendor/github.com/jackc/pgproto3/v2/copy_both_response.go
@ -48,7 +48,7 @@ func (src *CopyBothResponse) Encode(dst []byte) []byte {
 	dst = append(dst, 'W')
 	sp := len(dst)
 	dst = pgio.AppendInt32(dst, -1)
-
+	dst = append(dst, src.OverallFormat)
 	dst = pgio.AppendUint16(dst, uint16(len(src.ColumnFormatCodes)))
 	for _, fc := range src.ColumnFormatCodes {
 		dst = pgio.AppendUint16(dst, fc)
--- a/vendor/github.com/jackc/pgproto3/v2/frontend.go
+++ b/vendor/github.com/jackc/pgproto3/v2/frontend.go
@ -16,6 +16,8 @@ type Frontend struct {
 	authenticationOk                AuthenticationOk
 	authenticationCleartextPassword AuthenticationCleartextPassword
 	authenticationMD5Password       AuthenticationMD5Password
+	authenticationGSS               AuthenticationGSS
+	authenticationGSSContinue       AuthenticationGSSContinue
 	authenticationSASL              AuthenticationSASL
 	authenticationSASLContinue      AuthenticationSASLContinue
 	authenticationSASLFinal         AuthenticationSASLFinal
@ -178,9 +180,9 @@ func (f *Frontend) findAuthenticationMessageType(src []byte) (BackendMessage, er
 	case AuthTypeSCMCreds:
 		return nil, errors.New("AuthTypeSCMCreds is unimplemented")
 	case AuthTypeGSS:
-		return nil, errors.New("AuthTypeGSS is unimplemented")
+		return &f.authenticationGSS, nil
 	case AuthTypeGSSCont:
-		return nil, errors.New("AuthTypeGSSCont is unimplemented")
+		return &f.authenticationGSSContinue, nil
 	case AuthTypeSSPI:
 		return nil, errors.New("AuthTypeSSPI is unimplemented")
 	case AuthTypeSASL:
--- a/vendor/github.com/jackc/pgproto3/v2/go.sum
+++ b/vendor/github.com/jackc/pgproto3/v2/go.sum
@ -9,6 +9,7 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
--- a/vendor/github.com/jackc/pgproto3/v2/gss_response.go
+++ b/vendor/github.com/jackc/pgproto3/v2/gss_response.go
@ -0,0 +1,48 @@
+package pgproto3
+
+import (
+	"encoding/json"
+	"github.com/jackc/pgio"
+)
+
+type GSSResponse struct {
+	Data []byte
+}
+
+// Frontend identifies this message as sendable by a PostgreSQL frontend.
+func (g *GSSResponse) Frontend() {}
+
+func (g *GSSResponse) Decode(data []byte) error {
+	g.Data = data
+	return nil
+}
+
+func (g *GSSResponse) Encode(dst []byte) []byte {
+	dst = append(dst, 'p')
+	dst = pgio.AppendInt32(dst, int32(4+len(g.Data)))
+	dst = append(dst, g.Data...)
+	return dst
+}
+
+// MarshalJSON implements encoding/json.Marshaler.
+func (g *GSSResponse) MarshalJSON() ([]byte, error) {
+	return json.Marshal(struct {
+		Type string
+		Data []byte
+	}{
+		Type: "GSSResponse",
+		Data: g.Data,
+	})
+}
+
+// UnmarshalJSON implements encoding/json.Unmarshaler.
+func (g *GSSResponse) UnmarshalJSON(data []byte) error {
+	var msg struct {
+		Data []byte
+	}
+	if err := json.Unmarshal(data, &msg); err != nil {
+		return err
+	}
+	g.Data = msg.Data
+	return nil
+}
--- a/vendor/github.com/jackc/pgtype/CHANGELOG.md
+++ b/vendor/github.com/jackc/pgtype/CHANGELOG.md
@ -1,3 +1,11 @@
+# 1.11.0 (April 21, 2022)
+
+* Add multirange for numeric, int4, and int8 (Vu)
+* JSONBArray now supports json.RawMessage (Jens Emil Schulz Østergaard)
+* Add RecordArray (WGH)
+* Add UnmarshalJSON to pgtype.Int2
+* Hstore.Set accepts map[string]Text
+
 # 1.10.0 (February 7, 2022)

 * Normalize UTC timestamps to comply with stdlib (Torkel Rogstad)
--- a/vendor/github.com/jackc/pgtype/hstore.go
+++ b/vendor/github.com/jackc/pgtype/hstore.go
@ -50,6 +50,8 @@ func (dst *Hstore) Set(src interface{}) error {
 			}
 		}
 		*dst = Hstore{Map: m, Status: Present}
+	case map[string]Text:
+		*dst = Hstore{Map: value, Status: Present}
 	default:
 		return fmt.Errorf("cannot convert %v to Hstore", src)
 	}
--- a/vendor/github.com/jackc/pgtype/int2.go
+++ b/vendor/github.com/jackc/pgtype/int2.go
@ -3,6 +3,7 @@ package pgtype
 import (
 	"database/sql/driver"
 	"encoding/binary"
+	"encoding/json"
 	"fmt"
 	"math"
 	"strconv"
@ -302,3 +303,19 @@ func (src Int2) MarshalJSON() ([]byte, error) {

 	return nil, errBadStatus
 }
+
+func (dst *Int2) UnmarshalJSON(b []byte) error {
+	var n *int16
+	err := json.Unmarshal(b, &n)
+	if err != nil {
+		return err
+	}
+
+	if n == nil {
+		*dst = Int2{Status: Null}
+	} else {
+		*dst = Int2{Int: *n, Status: Present}
+	}
+
+	return nil
+}
--- a/vendor/github.com/jackc/pgtype/int4_multirange.go
+++ b/vendor/github.com/jackc/pgtype/int4_multirange.go
@ -0,0 +1,239 @@
+package pgtype
+
+import (
+	"database/sql/driver"
+	"encoding/binary"
+	"fmt"
+
+	"github.com/jackc/pgio"
+)
+
+type Int4multirange struct {
+	Ranges []Int4range
+	Status Status
+}
+
+func (dst *Int4multirange) Set(src interface{}) error {
+	//untyped nil and typed nil interfaces are different
+	if src == nil {
+		*dst = Int4multirange{Status: Null}
+		return nil
+	}
+
+	switch value := src.(type) {
+	case Int4multirange:
+		*dst = value
+	case *Int4multirange:
+		*dst = *value
+	case string:
+		return dst.DecodeText(nil, []byte(value))
+	case []Int4range:
+		if value == nil {
+			*dst = Int4multirange{Status: Null}
+		} else if len(value) == 0 {
+			*dst = Int4multirange{Status: Present}
+		} else {
+			elements := make([]Int4range, len(value))
+			for i := range value {
+				if err := elements[i].Set(value[i]); err != nil {
+					return err
+				}
+			}
+			*dst = Int4multirange{
+				Ranges: elements,
+				Status: Present,
+			}
+		}
+	case []*Int4range:
+		if value == nil {
+			*dst = Int4multirange{Status: Null}
+		} else if len(value) == 0 {
+			*dst = Int4multirange{Status: Present}
+		} else {
+			elements := make([]Int4range, len(value))
+			for i := range value {
+				if err := elements[i].Set(value[i]); err != nil {
+					return err
+				}
+			}
+			*dst = Int4multirange{
+				Ranges: elements,
+				Status: Present,
+			}
+		}
+	default:
+		return fmt.Errorf("cannot convert %v to Int4multirange", src)
+	}
+
+	return nil
+
+}
+
+func (dst Int4multirange) Get() interface{} {
+	switch dst.Status {
+	case Present:
+		return dst
+	case Null:
+		return nil
+	default:
+		return dst.Status
+	}
+}
+
+func (src *Int4multirange) AssignTo(dst interface{}) error {
+	return fmt.Errorf("cannot assign %v to %T", src, dst)
+}
+
+func (dst *Int4multirange) DecodeText(ci *ConnInfo, src []byte) error {
+	if src == nil {
+		*dst = Int4multirange{Status: Null}
+		return nil
+	}
+
+	utmr, err := ParseUntypedTextMultirange(string(src))
+	if err != nil {
+		return err
+	}
+
+	var elements []Int4range
+
+	if len(utmr.Elements) > 0 {
+		elements = make([]Int4range, len(utmr.Elements))
+
+		for i, s := range utmr.Elements {
+			var elem Int4range
+
+			elemSrc := []byte(s)
+
+			err = elem.DecodeText(ci, elemSrc)
+			if err != nil {
+				return err
+			}
+
+			elements[i] = elem
+		}
+	}
+
+	*dst = Int4multirange{Ranges: elements, Status: Present}
+
+	return nil
+}
+
+func (dst *Int4multirange) DecodeBinary(ci *ConnInfo, src []byte) error {
+	if src == nil {
+		*dst = Int4multirange{Status: Null}
+		return nil
+	}
+
+	rp := 0
+
+	numElems := int(binary.BigEndian.Uint32(src[rp:]))
+	rp += 4
+
+	if numElems == 0 {
+		*dst = Int4multirange{Status: Present}
+		return nil
+	}
+
+	elements := make([]Int4range, numElems)
+
+	for i := range elements {
+		elemLen := int(int32(binary.BigEndian.Uint32(src[rp:])))
+		rp += 4
+		var elemSrc []byte
+		if elemLen >= 0 {
+			elemSrc = src[rp : rp+elemLen]
+			rp += elemLen
+		}
+		err := elements[i].DecodeBinary(ci, elemSrc)
+		if err != nil {
+			return err
+		}
+	}
+
+	*dst = Int4multirange{Ranges: elements, Status: Present}
+	return nil
+}
+
+func (src Int4multirange) EncodeText(ci *ConnInfo, buf []byte) ([]byte, error) {
+	switch src.Status {
+	case Null:
+		return nil, nil
+	case Undefined:
+		return nil, errUndefined
+	}
+
+	buf = append(buf, '{')
+
+	inElemBuf := make([]byte, 0, 32)
+	for i, elem := range src.Ranges {
+		if i > 0 {
+			buf = append(buf, ',')
+		}
+
+		elemBuf, err := elem.EncodeText(ci, inElemBuf)
+		if err != nil {
+			return nil, err
+		}
+		if elemBuf == nil {
+			return nil, fmt.Errorf("multi-range does not allow null range")
+		} else {
+			buf = append(buf, string(elemBuf)...)
+		}
+
+	}
+
+	buf = append(buf, '}')
+
+	return buf, nil
+}
+
+func (src Int4multirange) EncodeBinary(ci *ConnInfo, buf []byte) ([]byte, error) {
+	switch src.Status {
+	case Null:
+		return nil, nil
+	case Undefined:
+		return nil, errUndefined
+	}
+
+	buf = pgio.AppendInt32(buf, int32(len(src.Ranges)))
+
+	for i := range src.Ranges {
+		sp := len(buf)
+		buf = pgio.AppendInt32(buf, -1)
+
+		elemBuf, err := src.Ranges[i].EncodeBinary(ci, buf)
+		if err != nil {
+			return nil, err
+		}
+		if elemBuf != nil {
+			buf = elemBuf
+			pgio.SetInt32(buf[sp:], int32(len(buf[sp:])-4))
+		}
+	}
+
+	return buf, nil
+}
+
+// Scan implements the database/sql Scanner interface.
+func (dst *Int4multirange) Scan(src interface{}) error {
+	if src == nil {
+		return dst.DecodeText(nil, nil)
+	}
+
+	switch src := src.(type) {
+	case string:
+		return dst.DecodeText(nil, []byte(src))
+	case []byte:
+		srcCopy := make([]byte, len(src))
+		copy(srcCopy, src)
+		return dst.DecodeText(nil, srcCopy)
+	}
+
+	return fmt.Errorf("cannot scan %T", src)
+}
+
+// Value implements the database/sql/driver Valuer interface.
+func (src Int4multirange) Value() (driver.Value, error) {
+	return EncodeValueText(src)
+}
--- a/vendor/github.com/jackc/pgtype/int8_multirange.go
+++ b/vendor/github.com/jackc/pgtype/int8_multirange.go
@ -0,0 +1,239 @@
+package pgtype
+
+import (
+	"database/sql/driver"
+	"encoding/binary"
+	"fmt"
+
+	"github.com/jackc/pgio"
+)
+
+type Int8multirange struct {
+	Ranges []Int8range
+	Status Status
+}
+
+func (dst *Int8multirange) Set(src interface{}) error {
+	//untyped nil and typed nil interfaces are different
+	if src == nil {
+		*dst = Int8multirange{Status: Null}
+		return nil
+	}
+
+	switch value := src.(type) {
+	case Int8multirange:
+		*dst = value
+	case *Int8multirange:
+		*dst = *value
+	case string:
+		return dst.DecodeText(nil, []byte(value))
+	case []Int8range:
+		if value == nil {
+			*dst = Int8multirange{Status: Null}
+		} else if len(value) == 0 {
+			*dst = Int8multirange{Status: Present}
+		} else {
+			elements := make([]Int8range, len(value))
+			for i := range value {
+				if err := elements[i].Set(value[i]); err != nil {
+					return err
+				}
+			}
+			*dst = Int8multirange{
+				Ranges: elements,
+				Status: Present,
+			}
+		}
+	case []*Int8range:
+		if value == nil {
+			*dst = Int8multirange{Status: Null}
+		} else if len(value) == 0 {
+			*dst = Int8multirange{Status: Present}
+		} else {
+			elements := make([]Int8range, len(value))
+			for i := range value {
+				if err := elements[i].Set(value[i]); err != nil {
+					return err
+				}
+			}
+			*dst = Int8multirange{
+				Ranges: elements,
+				Status: Present,
+			}
+		}
+	default:
+		return fmt.Errorf("cannot convert %v to Int8multirange", src)
+	}
+
+	return nil
+
+}
+
+func (dst Int8multirange) Get() interface{} {
+	switch dst.Status {
+	case Present:
+		return dst
+	case Null:
+		return nil
+	default:
+		return dst.Status
+	}
+}
+
+func (src *Int8multirange) AssignTo(dst interface{}) error {
+	return fmt.Errorf("cannot assign %v to %T", src, dst)
+}
+
+func (dst *Int8multirange) DecodeText(ci *ConnInfo, src []byte) error {
+	if src == nil {
+		*dst = Int8multirange{Status: Null}
+		return nil
+	}
+
+	utmr, err := ParseUntypedTextMultirange(string(src))
+	if err != nil {
+		return err
+	}
+
+	var elements []Int8range
+
+	if len(utmr.Elements) > 0 {
+		elements = make([]Int8range, len(utmr.Elements))
+
+		for i, s := range utmr.Elements {
+			var elem Int8range
+
+			elemSrc := []byte(s)
+
+			err = elem.DecodeText(ci, elemSrc)
+			if err != nil {
+				return err
+			}
+
+			elements[i] = elem
+		}
+	}
+
+	*dst = Int8multirange{Ranges: elements, Status: Present}
+
+	return nil
+}
+
+func (dst *Int8multirange) DecodeBinary(ci *ConnInfo, src []byte) error {
+	if src == nil {
+		*dst = Int8multirange{Status: Null}
+		return nil
+	}
+
+	rp := 0
+
+	numElems := int(binary.BigEndian.Uint32(src[rp:]))
+	rp += 4
+
+	if numElems == 0 {
+		*dst = Int8multirange{Status: Present}
+		return nil
+	}
+
+	elements := make([]Int8range, numElems)
+
+	for i := range elements {
+		elemLen := int(int32(binary.BigEndian.Uint32(src[rp:])))
+		rp += 4
+		var elemSrc []byte
+		if elemLen >= 0 {
+			elemSrc = src[rp : rp+elemLen]
+			rp += elemLen
+		}
+		err := elements[i].DecodeBinary(ci, elemSrc)
+		if err != nil {
+			return err
+		}
+	}
+
+	*dst = Int8multirange{Ranges: elements, Status: Present}
+	return nil
+}
+
+func (src Int8multirange) EncodeText(ci *ConnInfo, buf []byte) ([]byte, error) {
+	switch src.Status {
+	case Null:
+		return nil, nil
+	case Undefined:
+		return nil, errUndefined
+	}
+
+	buf = append(buf, '{')
+
+	inElemBuf := make([]byte, 0, 32)
+	for i, elem := range src.Ranges {
+		if i > 0 {
+			buf = append(buf, ',')
+		}
+
+		elemBuf, err := elem.EncodeText(ci, inElemBuf)
+		if err != nil {
+			return nil, err
+		}
+		if elemBuf == nil {
+			return nil, fmt.Errorf("multi-range does not allow null range")
+		} else {
+			buf = append(buf, string(elemBuf)...)
+		}
+
+	}
+
+	buf = append(buf, '}')
+
+	return buf, nil
+}
+
+func (src Int8multirange) EncodeBinary(ci *ConnInfo, buf []byte) ([]byte, error) {
+	switch src.Status {
+	case Null:
+		return nil, nil
+	case Undefined:
+		return nil, errUndefined
+	}
+
+	buf = pgio.AppendInt32(buf, int32(len(src.Ranges)))
+
+	for i := range src.Ranges {
+		sp := len(buf)
+		buf = pgio.AppendInt32(buf, -1)
+
+		elemBuf, err := src.Ranges[i].EncodeBinary(ci, buf)
+		if err != nil {
+			return nil, err
+		}
+		if elemBuf != nil {
+			buf = elemBuf
+			pgio.SetInt32(buf[sp:], int32(len(buf[sp:])-4))
+		}
+	}
+
+	return buf, nil
+}
+
+// Scan implements the database/sql Scanner interface.
+func (dst *Int8multirange) Scan(src interface{}) error {
+	if src == nil {
+		return dst.DecodeText(nil, nil)
+	}
+
+	switch src := src.(type) {
+	case string:
+		return dst.DecodeText(nil, []byte(src))
+	case []byte:
+		srcCopy := make([]byte, len(src))
+		copy(srcCopy, src)
+		return dst.DecodeText(nil, srcCopy)
+	}
+
+	return fmt.Errorf("cannot scan %T", src)
+}
+
+// Value implements the database/sql/driver Valuer interface.
+func (src Int8multirange) Value() (driver.Value, error) {
+	return EncodeValueText(src)
+}
--- a/vendor/github.com/jackc/pgtype/jsonb_array.go
+++ b/vendor/github.com/jackc/pgtype/jsonb_array.go
@ -5,6 +5,7 @@ package pgtype
 import (
 	"database/sql/driver"
 	"encoding/binary"
+	"encoding/json"
 	"fmt"
 	"reflect"

@ -72,6 +73,25 @@ func (dst *JSONBArray) Set(src interface{}) error {
 			}
 		}

+	case []json.RawMessage:
+		if value == nil {
+			*dst = JSONBArray{Status: Null}
+		} else if len(value) == 0 {
+			*dst = JSONBArray{Status: Present}
+		} else {
+			elements := make([]JSONB, len(value))
+			for i := range value {
+				if err := elements[i].Set(value[i]); err != nil {
+					return err
+				}
+			}
+			*dst = JSONBArray{
+				Elements:   elements,
+				Dimensions: []ArrayDimension{{Length: int32(len(elements)), LowerBound: 1}},
+				Status:     Present,
+			}
+		}
+
 	case []JSONB:
 		if value == nil {
 			*dst = JSONBArray{Status: Null}
@ -214,6 +234,15 @@ func (src *JSONBArray) AssignTo(dst interface{}) error {
 				}
 				return nil

+			case *[]json.RawMessage:
+				*v = make([]json.RawMessage, len(src.Elements))
+				for i := range src.Elements {
+					if err := src.Elements[i].AssignTo(&((*v)[i])); err != nil {
+						return err
+					}
+				}
+				return nil
+
 			}
 		}

--- a/vendor/github.com/jackc/pgtype/multirange.go
+++ b/vendor/github.com/jackc/pgtype/multirange.go
@ -0,0 +1,83 @@
+package pgtype
+
+import (
+	"bytes"
+	"fmt"
+)
+
+type UntypedTextMultirange struct {
+	Elements []string
+}
+
+func ParseUntypedTextMultirange(src string) (*UntypedTextMultirange, error) {
+	utmr := &UntypedTextMultirange{}
+	utmr.Elements = make([]string, 0)
+
+	buf := bytes.NewBufferString(src)
+
+	skipWhitespace(buf)
+
+	r, _, err := buf.ReadRune()
+	if err != nil {
+		return nil, fmt.Errorf("invalid array: %v", err)
+	}
+
+	if r != '{' {
+		return nil, fmt.Errorf("invalid multirange, expected '{': %v", err)
+	}
+
+parseValueLoop:
+	for {
+		r, _, err = buf.ReadRune()
+		if err != nil {
+			return nil, fmt.Errorf("invalid multirange: %v", err)
+		}
+
+		switch r {
+		case ',': // skip range separator
+		case '}':
+			break parseValueLoop
+		default:
+			buf.UnreadRune()
+			value, err := parseRange(buf)
+			if err != nil {
+				return nil, fmt.Errorf("invalid multirange value: %v", err)
+			}
+			utmr.Elements = append(utmr.Elements, value)
+		}
+	}
+
+	skipWhitespace(buf)
+
+	if buf.Len() > 0 {
+		return nil, fmt.Errorf("unexpected trailing data: %v", buf.String())
+	}
+
+	return utmr, nil
+
+}
+
+func parseRange(buf *bytes.Buffer) (string, error) {
+
+	s := &bytes.Buffer{}
+
+	boundSepRead := false
+	for {
+		r, _, err := buf.ReadRune()
+		if err != nil {
+			return "", err
+		}
+
+		switch r {
+		case ',', '}':
+			if r == ',' && !boundSepRead {
+				boundSepRead = true
+				break
+			}
+			buf.UnreadRune()
+			return s.String(), nil
+		}
+
+		s.WriteRune(r)
+	}
+}
--- a/vendor/github.com/jackc/pgtype/num_multirange.go
+++ b/vendor/github.com/jackc/pgtype/num_multirange.go
@ -0,0 +1,239 @@
+package pgtype
+
+import (
+	"database/sql/driver"
+	"encoding/binary"
+	"fmt"
+
+	"github.com/jackc/pgio"
+)
+
+type Nummultirange struct {
+	Ranges []Numrange
+	Status Status
+}
+
+func (dst *Nummultirange) Set(src interface{}) error {
+	//untyped nil and typed nil interfaces are different
+	if src == nil {
+		*dst = Nummultirange{Status: Null}
+		return nil
+	}
+
+	switch value := src.(type) {
+	case Nummultirange:
+		*dst = value
+	case *Nummultirange:
+		*dst = *value
+	case string:
+		return dst.DecodeText(nil, []byte(value))
+	case []Numrange:
+		if value == nil {
+			*dst = Nummultirange{Status: Null}
+		} else if len(value) == 0 {
+			*dst = Nummultirange{Status: Present}
+		} else {
+			elements := make([]Numrange, len(value))
+			for i := range value {
+				if err := elements[i].Set(value[i]); err != nil {
+					return err
+				}
+			}
+			*dst = Nummultirange{
+				Ranges: elements,
+				Status: Present,
+			}
+		}
+	case []*Numrange:
+		if value == nil {
+			*dst = Nummultirange{Status: Null}
+		} else if len(value) == 0 {
+			*dst = Nummultirange{Status: Present}
+		} else {
+			elements := make([]Numrange, len(value))
+			for i := range value {
+				if err := elements[i].Set(value[i]); err != nil {
+					return err
+				}
+			}
+			*dst = Nummultirange{
+				Ranges: elements,
+				Status: Present,
+			}
+		}
+	default:
+		return fmt.Errorf("cannot convert %v to Nummultirange", src)
+	}
+
+	return nil
+
+}
+
+func (dst Nummultirange) Get() interface{} {
+	switch dst.Status {
+	case Present:
+		return dst
+	case Null:
+		return nil
+	default:
+		return dst.Status
+	}
+}
+
+func (src *Nummultirange) AssignTo(dst interface{}) error {
+	return fmt.Errorf("cannot assign %v to %T", src, dst)
+}
+
+func (dst *Nummultirange) DecodeText(ci *ConnInfo, src []byte) error {
+	if src == nil {
+		*dst = Nummultirange{Status: Null}
+		return nil
+	}
+
+	utmr, err := ParseUntypedTextMultirange(string(src))
+	if err != nil {
+		return err
+	}
+
+	var elements []Numrange
+
+	if len(utmr.Elements) > 0 {
+		elements = make([]Numrange, len(utmr.Elements))
+
+		for i, s := range utmr.Elements {
+			var elem Numrange
+
+			elemSrc := []byte(s)
+
+			err = elem.DecodeText(ci, elemSrc)
+			if err != nil {
+				return err
+			}
+
+			elements[i] = elem
+		}
+	}
+
+	*dst = Nummultirange{Ranges: elements, Status: Present}
+
+	return nil
+}
+
+func (dst *Nummultirange) DecodeBinary(ci *ConnInfo, src []byte) error {
+	if src == nil {
+		*dst = Nummultirange{Status: Null}
+		return nil
+	}
+
+	rp := 0
+
+	numElems := int(binary.BigEndian.Uint32(src[rp:]))
+	rp += 4
+
+	if numElems == 0 {
+		*dst = Nummultirange{Status: Present}
+		return nil
+	}
+
+	elements := make([]Numrange, numElems)
+
+	for i := range elements {
+		elemLen := int(int32(binary.BigEndian.Uint32(src[rp:])))
+		rp += 4
+		var elemSrc []byte
+		if elemLen >= 0 {
+			elemSrc = src[rp : rp+elemLen]
+			rp += elemLen
+		}
+		err := elements[i].DecodeBinary(ci, elemSrc)
+		if err != nil {
+			return err
+		}
+	}
+
+	*dst = Nummultirange{Ranges: elements, Status: Present}
+	return nil
+}
+
+func (src Nummultirange) EncodeText(ci *ConnInfo, buf []byte) ([]byte, error) {
+	switch src.Status {
+	case Null:
+		return nil, nil
+	case Undefined:
+		return nil, errUndefined
+	}
+
+	buf = append(buf, '{')
+
+	inElemBuf := make([]byte, 0, 32)
+	for i, elem := range src.Ranges {
+		if i > 0 {
+			buf = append(buf, ',')
+		}
+
+		elemBuf, err := elem.EncodeText(ci, inElemBuf)
+		if err != nil {
+			return nil, err
+		}
+		if elemBuf == nil {
+			return nil, fmt.Errorf("multi-range does not allow null range")
+		} else {
+			buf = append(buf, string(elemBuf)...)
+		}
+
+	}
+
+	buf = append(buf, '}')
+
+	return buf, nil
+}
+
+func (src Nummultirange) EncodeBinary(ci *ConnInfo, buf []byte) ([]byte, error) {
+	switch src.Status {
+	case Null:
+		return nil, nil
+	case Undefined:
+		return nil, errUndefined
+	}
+
+	buf = pgio.AppendInt32(buf, int32(len(src.Ranges)))
+
+	for i := range src.Ranges {
+		sp := len(buf)
+		buf = pgio.AppendInt32(buf, -1)
+
+		elemBuf, err := src.Ranges[i].EncodeBinary(ci, buf)
+		if err != nil {
+			return nil, err
+		}
+		if elemBuf != nil {
+			buf = elemBuf
+			pgio.SetInt32(buf[sp:], int32(len(buf[sp:])-4))
+		}
+	}
+
+	return buf, nil
+}
+
+// Scan implements the database/sql Scanner interface.
+func (dst *Nummultirange) Scan(src interface{}) error {
+	if src == nil {
+		return dst.DecodeText(nil, nil)
+	}
+
+	switch src := src.(type) {
+	case string:
+		return dst.DecodeText(nil, []byte(src))
+	case []byte:
+		srcCopy := make([]byte, len(src))
+		copy(srcCopy, src)
+		return dst.DecodeText(nil, srcCopy)
+	}
+
+	return fmt.Errorf("cannot scan %T", src)
+}
+
+// Value implements the database/sql/driver Valuer interface.
+func (src Nummultirange) Value() (driver.Value, error) {
+	return EncodeValueText(src)
+}
--- a/vendor/github.com/jackc/pgtype/pgtype.go
+++ b/vendor/github.com/jackc/pgtype/pgtype.go
@ -74,12 +74,15 @@ const (
 	JSONBArrayOID       = 3807
 	DaterangeOID        = 3912
 	Int4rangeOID        = 3904
+	Int4multirangeOID   = 4451
 	NumrangeOID         = 3906
+	NummultirangeOID    = 4532
 	TsrangeOID          = 3908
 	TsrangeArrayOID     = 3909
 	TstzrangeOID        = 3910
 	TstzrangeArrayOID   = 3911
 	Int8rangeOID        = 3926
+	Int8multirangeOID   = 4536
 )

 type Status byte
@ -288,8 +291,10 @@ func NewConnInfo() *ConnInfo {
 	ci.RegisterDataType(DataType{Value: &Int2{}, Name: "int2", OID: Int2OID})
 	ci.RegisterDataType(DataType{Value: &Int4{}, Name: "int4", OID: Int4OID})
 	ci.RegisterDataType(DataType{Value: &Int4range{}, Name: "int4range", OID: Int4rangeOID})
+	ci.RegisterDataType(DataType{Value: &Int4multirange{}, Name: "int4multirange", OID: Int4multirangeOID})
 	ci.RegisterDataType(DataType{Value: &Int8{}, Name: "int8", OID: Int8OID})
 	ci.RegisterDataType(DataType{Value: &Int8range{}, Name: "int8range", OID: Int8rangeOID})
+	ci.RegisterDataType(DataType{Value: &Int8multirange{}, Name: "int8multirange", OID: Int8multirangeOID})
 	ci.RegisterDataType(DataType{Value: &Interval{}, Name: "interval", OID: IntervalOID})
 	ci.RegisterDataType(DataType{Value: &JSON{}, Name: "json", OID: JSONOID})
 	ci.RegisterDataType(DataType{Value: &JSONB{}, Name: "jsonb", OID: JSONBOID})
@ -300,6 +305,7 @@ func NewConnInfo() *ConnInfo {
 	ci.RegisterDataType(DataType{Value: &Name{}, Name: "name", OID: NameOID})
 	ci.RegisterDataType(DataType{Value: &Numeric{}, Name: "numeric", OID: NumericOID})
 	ci.RegisterDataType(DataType{Value: &Numrange{}, Name: "numrange", OID: NumrangeOID})
+	ci.RegisterDataType(DataType{Value: &Nummultirange{}, Name: "nummultirange", OID: NummultirangeOID})
 	ci.RegisterDataType(DataType{Value: &OIDValue{}, Name: "oid", OID: OIDOID})
 	ci.RegisterDataType(DataType{Value: &Path{}, Name: "path", OID: PathOID})
 	ci.RegisterDataType(DataType{Value: &Point{}, Name: "point", OID: PointOID})
@ -873,72 +879,75 @@ var nameValues map[string]Value

 func init() {
 	nameValues = map[string]Value{
-		"_aclitem":     &ACLItemArray{},
-		"_bool":        &BoolArray{},
-		"_bpchar":      &BPCharArray{},
-		"_bytea":       &ByteaArray{},
-		"_cidr":        &CIDRArray{},
-		"_date":        &DateArray{},
-		"_float4":      &Float4Array{},
-		"_float8":      &Float8Array{},
-		"_inet":        &InetArray{},
-		"_int2":        &Int2Array{},
-		"_int4":        &Int4Array{},
-		"_int8":        &Int8Array{},
-		"_numeric":     &NumericArray{},
-		"_text":        &TextArray{},
-		"_timestamp":   &TimestampArray{},
-		"_timestamptz": &TimestamptzArray{},
-		"_uuid":        &UUIDArray{},
-		"_varchar":     &VarcharArray{},
-		"_jsonb":       &JSONBArray{},
-		"aclitem":      &ACLItem{},
-		"bit":          &Bit{},
-		"bool":         &Bool{},
-		"box":          &Box{},
-		"bpchar":       &BPChar{},
-		"bytea":        &Bytea{},
-		"char":         &QChar{},
-		"cid":          &CID{},
-		"cidr":         &CIDR{},
-		"circle":       &Circle{},
-		"date":         &Date{},
-		"daterange":    &Daterange{},
-		"float4":       &Float4{},
-		"float8":       &Float8{},
-		"hstore":       &Hstore{},
-		"inet":         &Inet{},
-		"int2":         &Int2{},
-		"int4":         &Int4{},
-		"int4range":    &Int4range{},
-		"int8":         &Int8{},
-		"int8range":    &Int8range{},
-		"interval":     &Interval{},
-		"json":         &JSON{},
-		"jsonb":        &JSONB{},
-		"line":         &Line{},
-		"lseg":         &Lseg{},
-		"macaddr":      &Macaddr{},
-		"name":         &Name{},
-		"numeric":      &Numeric{},
-		"numrange":     &Numrange{},
-		"oid":          &OIDValue{},
-		"path":         &Path{},
-		"point":        &Point{},
-		"polygon":      &Polygon{},
-		"record":       &Record{},
-		"text":         &Text{},
-		"tid":          &TID{},
-		"timestamp":    &Timestamp{},
-		"timestamptz":  &Timestamptz{},
-		"tsrange":      &Tsrange{},
-		"_tsrange":     &TsrangeArray{},
-		"tstzrange":    &Tstzrange{},
-		"_tstzrange":   &TstzrangeArray{},
-		"unknown":      &Unknown{},
-		"uuid":         &UUID{},
-		"varbit":       &Varbit{},
-		"varchar":      &Varchar{},
-		"xid":          &XID{},
+		"_aclitem":       &ACLItemArray{},
+		"_bool":          &BoolArray{},
+		"_bpchar":        &BPCharArray{},
+		"_bytea":         &ByteaArray{},
+		"_cidr":          &CIDRArray{},
+		"_date":          &DateArray{},
+		"_float4":        &Float4Array{},
+		"_float8":        &Float8Array{},
+		"_inet":          &InetArray{},
+		"_int2":          &Int2Array{},
+		"_int4":          &Int4Array{},
+		"_int8":          &Int8Array{},
+		"_numeric":       &NumericArray{},
+		"_text":          &TextArray{},
+		"_timestamp":     &TimestampArray{},
+		"_timestamptz":   &TimestamptzArray{},
+		"_uuid":          &UUIDArray{},
+		"_varchar":       &VarcharArray{},
+		"_jsonb":         &JSONBArray{},
+		"aclitem":        &ACLItem{},
+		"bit":            &Bit{},
+		"bool":           &Bool{},
+		"box":            &Box{},
+		"bpchar":         &BPChar{},
+		"bytea":          &Bytea{},
+		"char":           &QChar{},
+		"cid":            &CID{},
+		"cidr":           &CIDR{},
+		"circle":         &Circle{},
+		"date":           &Date{},
+		"daterange":      &Daterange{},
+		"float4":         &Float4{},
+		"float8":         &Float8{},
+		"hstore":         &Hstore{},
+		"inet":           &Inet{},
+		"int2":           &Int2{},
+		"int4":           &Int4{},
+		"int4range":      &Int4range{},
+		"int4multirange": &Int4multirange{},
+		"int8":           &Int8{},
+		"int8range":      &Int8range{},
+		"int8multirange": &Int8multirange{},
+		"interval":       &Interval{},
+		"json":           &JSON{},
+		"jsonb":          &JSONB{},
+		"line":           &Line{},
+		"lseg":           &Lseg{},
+		"macaddr":        &Macaddr{},
+		"name":           &Name{},
+		"numeric":        &Numeric{},
+		"numrange":       &Numrange{},
+		"nummultirange":  &Nummultirange{},
+		"oid":            &OIDValue{},
+		"path":           &Path{},
+		"point":          &Point{},
+		"polygon":        &Polygon{},
+		"record":         &Record{},
+		"text":           &Text{},
+		"tid":            &TID{},
+		"timestamp":      &Timestamp{},
+		"timestamptz":    &Timestamptz{},
+		"tsrange":        &Tsrange{},
+		"_tsrange":       &TsrangeArray{},
+		"tstzrange":      &Tstzrange{},
+		"_tstzrange":     &TstzrangeArray{},
+		"unknown":        &Unknown{},
+		"uuid":           &UUID{},
+		"varbit":         &Varbit{},
+		"varchar":        &Varchar{},
+		"xid":            &XID{},
 	}
 }
--- a/vendor/github.com/jackc/pgtype/record.go
+++ b/vendor/github.com/jackc/pgtype/record.go
@ -6,7 +6,7 @@ import (
 )

 // Record is the generic PostgreSQL record type such as is created with the
-// "row" function. Record only implements BinaryEncoder and Value. The text
+// "row" function. Record only implements BinaryDecoder and Value. The text
 // format output format from PostgreSQL does not include type information and is
 // therefore impossible to decode. No encoders are implemented because
 // PostgreSQL does not support input of generic records.
--- a/vendor/github.com/jackc/pgtype/record_array.go
+++ b/vendor/github.com/jackc/pgtype/record_array.go
@ -0,0 +1,318 @@
+// Code generated by erb. DO NOT EDIT.
+
+package pgtype
+
+import (
+	"encoding/binary"
+	"fmt"
+	"reflect"
+)
+
+type RecordArray struct {
+	Elements   []Record
+	Dimensions []ArrayDimension
+	Status     Status
+}
+
+func (dst *RecordArray) Set(src interface{}) error {
+	// untyped nil and typed nil interfaces are different
+	if src == nil {
+		*dst = RecordArray{Status: Null}
+		return nil
+	}
+
+	if value, ok := src.(interface{ Get() interface{} }); ok {
+		value2 := value.Get()
+		if value2 != value {
+			return dst.Set(value2)
+		}
+	}
+
+	// Attempt to match to select common types:
+	switch value := src.(type) {
+
+	case [][]Value:
+		if value == nil {
+			*dst = RecordArray{Status: Null}
+		} else if len(value) == 0 {
+			*dst = RecordArray{Status: Present}
+		} else {
+			elements := make([]Record, len(value))
+			for i := range value {
+				if err := elements[i].Set(value[i]); err != nil {
+					return err
+				}
+			}
+			*dst = RecordArray{
+				Elements:   elements,
+				Dimensions: []ArrayDimension{{Length: int32(len(elements)), LowerBound: 1}},
+				Status:     Present,
+			}
+		}
+
+	case []Record:
+		if value == nil {
+			*dst = RecordArray{Status: Null}
+		} else if len(value) == 0 {
+			*dst = RecordArray{Status: Present}
+		} else {
+			*dst = RecordArray{
+				Elements:   value,
+				Dimensions: []ArrayDimension{{Length: int32(len(value)), LowerBound: 1}},
+				Status:     Present,
+			}
+		}
+	default:
+		// Fallback to reflection if an optimised match was not found.
+		// The reflection is necessary for arrays and multidimensional slices,
+		// but it comes with a 20-50% performance penalty for large arrays/slices
+		reflectedValue := reflect.ValueOf(src)
+		if !reflectedValue.IsValid() || reflectedValue.IsZero() {
+			*dst = RecordArray{Status: Null}
+			return nil
+		}
+
+		dimensions, elementsLength, ok := findDimensionsFromValue(reflectedValue, nil, 0)
+		if !ok {
+			return fmt.Errorf("cannot find dimensions of %v for RecordArray", src)
+		}
+		if elementsLength == 0 {
+			*dst = RecordArray{Status: Present}
+			return nil
+		}
+		if len(dimensions) == 0 {
+			if originalSrc, ok := underlyingSliceType(src); ok {
+				return dst.Set(originalSrc)
+			}
+			return fmt.Errorf("cannot convert %v to RecordArray", src)
+		}
+
+		*dst = RecordArray{
+			Elements:   make([]Record, elementsLength),
+			Dimensions: dimensions,
+			Status:     Present,
+		}
+		elementCount, err := dst.setRecursive(reflectedValue, 0, 0)
+		if err != nil {
+			// Maybe the target was one dimension too far, try again:
+			if len(dst.Dimensions) > 1 {
+				dst.Dimensions = dst.Dimensions[:len(dst.Dimensions)-1]
+				elementsLength = 0
+				for _, dim := range dst.Dimensions {
+					if elementsLength == 0 {
+						elementsLength = int(dim.Length)
+					} else {
+						elementsLength *= int(dim.Length)
+					}
+				}
+				dst.Elements = make([]Record, elementsLength)
+				elementCount, err = dst.setRecursive(reflectedValue, 0, 0)
+				if err != nil {
+					return err
+				}
+			} else {
+				return err
+			}
+		}
+		if elementCount != len(dst.Elements) {
+			return fmt.Errorf("cannot convert %v to RecordArray, expected %d dst.Elements, but got %d instead", src, len(dst.Elements), elementCount)
+		}
+	}
+
+	return nil
+}
+
+func (dst *RecordArray) setRecursive(value reflect.Value, index, dimension int) (int, error) {
+	switch value.Kind() {
+	case reflect.Array:
+		fallthrough
+	case reflect.Slice:
+		if len(dst.Dimensions) == dimension {
+			break
+		}
+
+		valueLen := value.Len()
+		if int32(valueLen) != dst.Dimensions[dimension].Length {
+			return 0, fmt.Errorf("multidimensional arrays must have array expressions with matching dimensions")
+		}
+		for i := 0; i < valueLen; i++ {
+			var err error
+			index, err = dst.setRecursive(value.Index(i), index, dimension+1)
+			if err != nil {
+				return 0, err
+			}
+		}
+
+		return index, nil
+	}
+	if !value.CanInterface() {
+		return 0, fmt.Errorf("cannot convert all values to RecordArray")
+	}
+	if err := dst.Elements[index].Set(value.Interface()); err != nil {
+		return 0, fmt.Errorf("%v in RecordArray", err)
+	}
+	index++
+
+	return index, nil
+}
+
+func (dst RecordArray) Get() interface{} {
+	switch dst.Status {
+	case Present:
+		return dst
+	case Null:
+		return nil
+	default:
+		return dst.Status
+	}
+}
+
+func (src *RecordArray) AssignTo(dst interface{}) error {
+	switch src.Status {
+	case Present:
+		if len(src.Dimensions) <= 1 {
+			// Attempt to match to select common types:
+			switch v := dst.(type) {
+
+			case *[][]Value:
+				*v = make([][]Value, len(src.Elements))
+				for i := range src.Elements {
+					if err := src.Elements[i].AssignTo(&((*v)[i])); err != nil {
+						return err
+					}
+				}
+				return nil
+
+			}
+		}
+
+		// Try to convert to something AssignTo can use directly.
+		if nextDst, retry := GetAssignToDstType(dst); retry {
+			return src.AssignTo(nextDst)
+		}
+
+		// Fallback to reflection if an optimised match was not found.
+		// The reflection is necessary for arrays and multidimensional slices,
+		// but it comes with a 20-50% performance penalty for large arrays/slices
+		value := reflect.ValueOf(dst)
+		if value.Kind() == reflect.Ptr {
+			value = value.Elem()
+		}
+
+		switch value.Kind() {
+		case reflect.Array, reflect.Slice:
+		default:
+			return fmt.Errorf("cannot assign %T to %T", src, dst)
+		}
+
+		if len(src.Elements) == 0 {
+			if value.Kind() == reflect.Slice {
+				value.Set(reflect.MakeSlice(value.Type(), 0, 0))
+				return nil
+			}
+		}
+
+		elementCount, err := src.assignToRecursive(value, 0, 0)
+		if err != nil {
+			return err
+		}
+		if elementCount != len(src.Elements) {
+			return fmt.Errorf("cannot assign %v, needed to assign %d elements, but only assigned %d", dst, len(src.Elements), elementCount)
+		}
+
+		return nil
+	case Null:
+		return NullAssignTo(dst)
+	}
+
+	return fmt.Errorf("cannot decode %#v into %T", src, dst)
+}
+
+func (src *RecordArray) assignToRecursive(value reflect.Value, index, dimension int) (int, error) {
+	switch kind := value.Kind(); kind {
+	case reflect.Array:
+		fallthrough
+	case reflect.Slice:
+		if len(src.Dimensions) == dimension {
+			break
+		}
+
+		length := int(src.Dimensions[dimension].Length)
+		if reflect.Array == kind {
+			typ := value.Type()
+			if typ.Len() != length {
+				return 0, fmt.Errorf("expected size %d array, but %s has size %d array", length, typ, typ.Len())
+			}
+			value.Set(reflect.New(typ).Elem())
+		} else {
+			value.Set(reflect.MakeSlice(value.Type(), length, length))
+		}
+
+		var err error
+		for i := 0; i < length; i++ {
+			index, err = src.assignToRecursive(value.Index(i), index, dimension+1)
+			if err != nil {
+				return 0, err
+			}
+		}
+
+		return index, nil
+	}
+	if len(src.Dimensions) != dimension {
+		return 0, fmt.Errorf("incorrect dimensions, expected %d, found %d", len(src.Dimensions), dimension)
+	}
+	if !value.CanAddr() {
+		return 0, fmt.Errorf("cannot assign all values from RecordArray")
+	}
+	addr := value.Addr()
+	if !addr.CanInterface() {
+		return 0, fmt.Errorf("cannot assign all values from RecordArray")
+	}
+	if err := src.Elements[index].AssignTo(addr.Interface()); err != nil {
+		return 0, err
+	}
+	index++
+	return index, nil
+}
+
+func (dst *RecordArray) DecodeBinary(ci *ConnInfo, src []byte) error {
+	if src == nil {
+		*dst = RecordArray{Status: Null}
+		return nil
+	}
+
+	var arrayHeader ArrayHeader
+	rp, err := arrayHeader.DecodeBinary(ci, src)
+	if err != nil {
+		return err
+	}
+
+	if len(arrayHeader.Dimensions) == 0 {
+		*dst = RecordArray{Dimensions: arrayHeader.Dimensions, Status: Present}
+		return nil
+	}
+
+	elementCount := arrayHeader.Dimensions[0].Length
+	for _, d := range arrayHeader.Dimensions[1:] {
+		elementCount *= d.Length
+	}
+
+	elements := make([]Record, elementCount)
+
+	for i := range elements {
+		elemLen := int(int32(binary.BigEndian.Uint32(src[rp:])))
+		rp += 4
+		var elemSrc []byte
+		if elemLen >= 0 {
+			elemSrc = src[rp : rp+elemLen]
+			rp += elemLen
+		}
+		err = elements[i].DecodeBinary(ci, elemSrc)
+		if err != nil {
+			return err
+		}
+	}
+
+	*dst = RecordArray{Elements: elements, Dimensions: arrayHeader.Dimensions, Status: Present}
+	return nil
+}
--- a/vendor/github.com/jackc/pgtype/typed_array.go.erb
+++ b/vendor/github.com/jackc/pgtype/typed_array.go.erb
@ -1,5 +1,17 @@
 // Code generated by erb. DO NOT EDIT.

+<%
+  # defaults when not explicitly set on command line
+
+  binary_format ||= "true"
+  text_format ||= "true"
+
+  text_null ||= "NULL"
+
+  encode_binary ||= binary_format
+  decode_binary ||= binary_format
+%>
+
 package pgtype

 import (
@ -279,6 +291,7 @@ func (src *<%= pgtype_array_type %>) assignToRecursive(value reflect.Value, inde
 	return index, nil
 }

+<% if text_format == "true" %>
 func (dst *<%= pgtype_array_type %>) DecodeText(ci *ConnInfo, src []byte) error {
 	if src == nil {
 		*dst = <%= pgtype_array_type %>{Status: Null}
@ -314,8 +327,9 @@ func (dst *<%= pgtype_array_type %>) DecodeText(ci *ConnInfo, src []byte) error

 	return nil
 }
+<% end %>

-<% if binary_format == "true" %>
+<% if decode_binary == "true" %>
 func (dst *<%= pgtype_array_type %>) DecodeBinary(ci *ConnInfo, src []byte) error {
 	if src == nil {
 		*dst = <%= pgtype_array_type %>{Status: Null}
@ -359,6 +373,7 @@ func (dst *<%= pgtype_array_type %>) DecodeBinary(ci *ConnInfo, src []byte) erro
 }
 <% end %>

+<% if text_format == "true" %>
 func (src <%= pgtype_array_type %>) EncodeText(ci *ConnInfo, buf []byte) ([]byte, error) {
 	switch src.Status {
 	case Null:
@ -415,8 +430,9 @@ func (src <%= pgtype_array_type %>) EncodeText(ci *ConnInfo, buf []byte) ([]byte

 	return buf, nil
 }
+<% end %>

-<% if binary_format == "true" %>
+<% if encode_binary == "true" %>
 	func (src <%= pgtype_array_type %>) EncodeBinary(ci *ConnInfo, buf []byte) ([]byte, error) {
 		switch src.Status {
 		case Null:
@ -462,6 +478,7 @@ func (src <%= pgtype_array_type %>) EncodeText(ci *ConnInfo, buf []byte) ([]byte
 	}
 <% end %>

+<% if text_format == "true" %>
 // Scan implements the database/sql Scanner interface.
 func (dst *<%= pgtype_array_type %>) Scan(src interface{}) error {
 	if src == nil {
@ -492,3 +509,4 @@ func (src <%= pgtype_array_type %>) Value() (driver.Value, error) {

 	return string(buf), nil
 }
+<% end %>
--- a/vendor/github.com/jackc/pgtype/typed_array_gen.sh
+++ b/vendor/github.com/jackc/pgtype/typed_array_gen.sh
@ -1,28 +1,30 @@
-erb pgtype_array_type=Int2Array pgtype_element_type=Int2 go_array_types=[]int16,[]*int16,[]uint16,[]*uint16,[]int32,[]*int32,[]uint32,[]*uint32,[]int64,[]*int64,[]uint64,[]*uint64,[]int,[]*int,[]uint,[]*uint element_type_name=int2 text_null=NULL binary_format=true typed_array.go.erb > int2_array.go
-erb pgtype_array_type=Int4Array pgtype_element_type=Int4 go_array_types=[]int16,[]*int16,[]uint16,[]*uint16,[]int32,[]*int32,[]uint32,[]*uint32,[]int64,[]*int64,[]uint64,[]*uint64,[]int,[]*int,[]uint,[]*uint element_type_name=int4 text_null=NULL binary_format=true typed_array.go.erb > int4_array.go
-erb pgtype_array_type=Int8Array pgtype_element_type=Int8 go_array_types=[]int16,[]*int16,[]uint16,[]*uint16,[]int32,[]*int32,[]uint32,[]*uint32,[]int64,[]*int64,[]uint64,[]*uint64,[]int,[]*int,[]uint,[]*uint element_type_name=int8 text_null=NULL binary_format=true typed_array.go.erb > int8_array.go
-erb pgtype_array_type=BoolArray pgtype_element_type=Bool go_array_types=[]bool,[]*bool element_type_name=bool text_null=NULL binary_format=true typed_array.go.erb > bool_array.go
-erb pgtype_array_type=DateArray pgtype_element_type=Date go_array_types=[]time.Time,[]*time.Time element_type_name=date text_null=NULL binary_format=true typed_array.go.erb > date_array.go
-erb pgtype_array_type=TimestamptzArray pgtype_element_type=Timestamptz go_array_types=[]time.Time,[]*time.Time element_type_name=timestamptz text_null=NULL binary_format=true typed_array.go.erb > timestamptz_array.go
-erb pgtype_array_type=TstzrangeArray pgtype_element_type=Tstzrange go_array_types=[]Tstzrange element_type_name=tstzrange text_null=NULL binary_format=true typed_array.go.erb > tstzrange_array.go
-erb pgtype_array_type=TsrangeArray pgtype_element_type=Tsrange go_array_types=[]Tsrange element_type_name=tsrange text_null=NULL binary_format=true typed_array.go.erb > tsrange_array.go
-erb pgtype_array_type=TimestampArray pgtype_element_type=Timestamp go_array_types=[]time.Time,[]*time.Time element_type_name=timestamp text_null=NULL binary_format=true typed_array.go.erb > timestamp_array.go
-erb pgtype_array_type=Float4Array pgtype_element_type=Float4 go_array_types=[]float32,[]*float32 element_type_name=float4 text_null=NULL binary_format=true typed_array.go.erb > float4_array.go
-erb pgtype_array_type=Float8Array pgtype_element_type=Float8 go_array_types=[]float64,[]*float64 element_type_name=float8 text_null=NULL binary_format=true typed_array.go.erb > float8_array.go
-erb pgtype_array_type=InetArray pgtype_element_type=Inet go_array_types=[]*net.IPNet,[]net.IP,[]*net.IP element_type_name=inet text_null=NULL binary_format=true typed_array.go.erb > inet_array.go
-erb pgtype_array_type=MacaddrArray pgtype_element_type=Macaddr go_array_types=[]net.HardwareAddr,[]*net.HardwareAddr element_type_name=macaddr text_null=NULL binary_format=true typed_array.go.erb > macaddr_array.go
-erb pgtype_array_type=CIDRArray pgtype_element_type=CIDR go_array_types=[]*net.IPNet,[]net.IP,[]*net.IP element_type_name=cidr text_null=NULL binary_format=true typed_array.go.erb > cidr_array.go
-erb pgtype_array_type=TextArray pgtype_element_type=Text go_array_types=[]string,[]*string element_type_name=text text_null=NULL binary_format=true typed_array.go.erb > text_array.go
-erb pgtype_array_type=VarcharArray pgtype_element_type=Varchar go_array_types=[]string,[]*string element_type_name=varchar text_null=NULL binary_format=true typed_array.go.erb > varchar_array.go
-erb pgtype_array_type=BPCharArray pgtype_element_type=BPChar go_array_types=[]string,[]*string element_type_name=bpchar text_null=NULL binary_format=true typed_array.go.erb > bpchar_array.go
-erb pgtype_array_type=ByteaArray pgtype_element_type=Bytea go_array_types=[][]byte element_type_name=bytea text_null=NULL binary_format=true typed_array.go.erb > bytea_array.go
-erb pgtype_array_type=ACLItemArray pgtype_element_type=ACLItem go_array_types=[]string,[]*string element_type_name=aclitem text_null=NULL binary_format=false typed_array.go.erb > aclitem_array.go
-erb pgtype_array_type=HstoreArray pgtype_element_type=Hstore go_array_types=[]map[string]string element_type_name=hstore text_null=NULL binary_format=true typed_array.go.erb > hstore_array.go
-erb pgtype_array_type=NumericArray pgtype_element_type=Numeric go_array_types=[]float32,[]*float32,[]float64,[]*float64,[]int64,[]*int64,[]uint64,[]*uint64 element_type_name=numeric text_null=NULL binary_format=true typed_array.go.erb > numeric_array.go
-erb pgtype_array_type=UUIDArray pgtype_element_type=UUID go_array_types=[][16]byte,[][]byte,[]string,[]*string element_type_name=uuid text_null=NULL binary_format=true typed_array.go.erb > uuid_array.go
-erb pgtype_array_type=JSONBArray pgtype_element_type=JSONB go_array_types=[]string,[][]byte element_type_name=jsonb text_null=NULL binary_format=true typed_array.go.erb > jsonb_array.go
+erb pgtype_array_type=Int2Array pgtype_element_type=Int2 go_array_types=[]int16,[]*int16,[]uint16,[]*uint16,[]int32,[]*int32,[]uint32,[]*uint32,[]int64,[]*int64,[]uint64,[]*uint64,[]int,[]*int,[]uint,[]*uint element_type_name=int2 typed_array.go.erb > int2_array.go
+erb pgtype_array_type=Int4Array pgtype_element_type=Int4 go_array_types=[]int16,[]*int16,[]uint16,[]*uint16,[]int32,[]*int32,[]uint32,[]*uint32,[]int64,[]*int64,[]uint64,[]*uint64,[]int,[]*int,[]uint,[]*uint element_type_name=int4 typed_array.go.erb > int4_array.go
+erb pgtype_array_type=Int8Array pgtype_element_type=Int8 go_array_types=[]int16,[]*int16,[]uint16,[]*uint16,[]int32,[]*int32,[]uint32,[]*uint32,[]int64,[]*int64,[]uint64,[]*uint64,[]int,[]*int,[]uint,[]*uint element_type_name=int8 typed_array.go.erb > int8_array.go
+erb pgtype_array_type=BoolArray pgtype_element_type=Bool go_array_types=[]bool,[]*bool element_type_name=bool typed_array.go.erb > bool_array.go
+erb pgtype_array_type=DateArray pgtype_element_type=Date go_array_types=[]time.Time,[]*time.Time element_type_name=date typed_array.go.erb > date_array.go
+erb pgtype_array_type=TimestamptzArray pgtype_element_type=Timestamptz go_array_types=[]time.Time,[]*time.Time element_type_name=timestamptz typed_array.go.erb > timestamptz_array.go
+erb pgtype_array_type=TstzrangeArray pgtype_element_type=Tstzrange go_array_types=[]Tstzrange element_type_name=tstzrange typed_array.go.erb > tstzrange_array.go
+erb pgtype_array_type=TsrangeArray pgtype_element_type=Tsrange go_array_types=[]Tsrange element_type_name=tsrange typed_array.go.erb > tsrange_array.go
+erb pgtype_array_type=TimestampArray pgtype_element_type=Timestamp go_array_types=[]time.Time,[]*time.Time element_type_name=timestamp typed_array.go.erb > timestamp_array.go
+erb pgtype_array_type=Float4Array pgtype_element_type=Float4 go_array_types=[]float32,[]*float32 element_type_name=float4 typed_array.go.erb > float4_array.go
+erb pgtype_array_type=Float8Array pgtype_element_type=Float8 go_array_types=[]float64,[]*float64 element_type_name=float8 typed_array.go.erb > float8_array.go
+erb pgtype_array_type=InetArray pgtype_element_type=Inet go_array_types=[]*net.IPNet,[]net.IP,[]*net.IP element_type_name=inet typed_array.go.erb > inet_array.go
+erb pgtype_array_type=MacaddrArray pgtype_element_type=Macaddr go_array_types=[]net.HardwareAddr,[]*net.HardwareAddr element_type_name=macaddr typed_array.go.erb > macaddr_array.go
+erb pgtype_array_type=CIDRArray pgtype_element_type=CIDR go_array_types=[]*net.IPNet,[]net.IP,[]*net.IP element_type_name=cidr typed_array.go.erb > cidr_array.go
+erb pgtype_array_type=TextArray pgtype_element_type=Text go_array_types=[]string,[]*string element_type_name=text typed_array.go.erb > text_array.go
+erb pgtype_array_type=VarcharArray pgtype_element_type=Varchar go_array_types=[]string,[]*string element_type_name=varchar typed_array.go.erb > varchar_array.go
+erb pgtype_array_type=BPCharArray pgtype_element_type=BPChar go_array_types=[]string,[]*string element_type_name=bpchar typed_array.go.erb > bpchar_array.go
+erb pgtype_array_type=ByteaArray pgtype_element_type=Bytea go_array_types=[][]byte element_type_name=bytea typed_array.go.erb > bytea_array.go
+erb pgtype_array_type=ACLItemArray pgtype_element_type=ACLItem go_array_types=[]string,[]*string element_type_name=aclitem binary_format=false typed_array.go.erb > aclitem_array.go
+erb pgtype_array_type=HstoreArray pgtype_element_type=Hstore go_array_types=[]map[string]string element_type_name=hstore typed_array.go.erb > hstore_array.go
+erb pgtype_array_type=NumericArray pgtype_element_type=Numeric go_array_types=[]float32,[]*float32,[]float64,[]*float64,[]int64,[]*int64,[]uint64,[]*uint64 element_type_name=numeric typed_array.go.erb > numeric_array.go
+erb pgtype_array_type=UUIDArray pgtype_element_type=UUID go_array_types=[][16]byte,[][]byte,[]string,[]*string element_type_name=uuid typed_array.go.erb > uuid_array.go
+erb pgtype_array_type=JSONBArray pgtype_element_type=JSONB go_array_types=[]string,[][]byte,[]json.RawMessage element_type_name=jsonb typed_array.go.erb > jsonb_array.go

 # While the binary format is theoretically possible it is only practical to use the text format.
-erb pgtype_array_type=EnumArray pgtype_element_type=GenericText go_array_types=[]string,[]*string text_null=NULL binary_format=false typed_array.go.erb > enum_array.go
+erb pgtype_array_type=EnumArray pgtype_element_type=GenericText go_array_types=[]string,[]*string binary_format=false typed_array.go.erb > enum_array.go
+
+erb pgtype_array_type=RecordArray pgtype_element_type=Record go_array_types=[][]Value element_type_name=record text_null=NULL encode_binary=false text_format=false typed_array.go.erb > record_array.go

 goimports -w *_array.go
--- a/vendor/github.com/jackc/pgtype/typed_multirange.go.erb
+++ b/vendor/github.com/jackc/pgtype/typed_multirange.go.erb
@ -0,0 +1,239 @@
+package pgtype
+
+import (
+	"database/sql/driver"
+	"encoding/binary"
+	"fmt"
+
+	"github.com/jackc/pgio"
+)
+
+type <%= multirange_type %> struct {
+	Ranges 	[]<%= range_type %>
+	Status  Status
+}
+
+func (dst *<%= multirange_type %>) Set(src interface{}) error {
+	//untyped nil and typed nil interfaces are different
+	if src == nil {
+		*dst = <%= multirange_type %>{Status: Null}
+		return nil
+	}
+
+	switch value := src.(type) {
+	case <%= multirange_type %>:
+		*dst = value
+	case *<%= multirange_type %>:
+		*dst = *value
+	case string:
+		return dst.DecodeText(nil, []byte(value))
+	case []<%= range_type %>:
+		if value == nil {
+			*dst = <%= multirange_type %>{Status: Null}
+		} else if len(value) == 0 {
+			*dst = <%= multirange_type %>{Status: Present}
+		} else {
+			elements := make([]<%= range_type %>, len(value))
+			for i := range value {
+				if err := elements[i].Set(value[i]); err != nil {
+					return err
+				}
+			}
+			*dst = <%= multirange_type %>{
+				Ranges: elements,
+				Status:    Present,
+			}
+		}
+	case []*<%= range_type %>:
+		if value == nil {
+			*dst = <%= multirange_type %>{Status: Null}
+		} else if len(value) == 0 {
+			*dst = <%= multirange_type %>{Status: Present}
+		} else {
+			elements := make([]<%= range_type %>, len(value))
+			for i := range value {
+				if err := elements[i].Set(value[i]); err != nil {
+					return err
+				}
+			}
+			*dst = <%= multirange_type %>{
+				Ranges: elements,
+				Status:    Present,
+			}
+		}
+	default:
+		return fmt.Errorf("cannot convert %v to <%= multirange_type %>", src)
+	}
+
+	return nil
+
+}
+
+func (dst <%= multirange_type %>) Get() interface{} {
+	switch dst.Status {
+	case Present:
+		return dst
+	case Null:
+		return nil
+	default:
+		return dst.Status
+	}
+}
+
+func (src *<%= multirange_type %>) AssignTo(dst interface{}) error {
+	return fmt.Errorf("cannot assign %v to %T", src, dst)
+}
+
+func (dst *<%= multirange_type %>) DecodeText(ci *ConnInfo, src []byte) error {
+	if src == nil {
+		*dst = <%= multirange_type %>{Status: Null}
+		return nil
+	}
+
+	utmr, err := ParseUntypedTextMultirange(string(src))
+	if err != nil {
+		return err
+	}
+
+	var elements []<%= range_type %>
+
+	if len(utmr.Elements) > 0 {
+		elements = make([]<%= range_type %>, len(utmr.Elements))
+
+		for i, s := range utmr.Elements {
+			var elem <%= range_type %>
+
+			elemSrc := []byte(s)
+
+			err = elem.DecodeText(ci, elemSrc)
+			if err != nil {
+				return err
+			}
+
+			elements[i] = elem
+		}
+	}
+
+	*dst = <%= multirange_type %>{Ranges: elements, Status: Present}
+
+	return nil
+}
+
+func (dst *<%= multirange_type %>) DecodeBinary(ci *ConnInfo, src []byte) error {
+	if src == nil {
+		*dst = <%= multirange_type %>{Status: Null}
+		return nil
+	}
+
+	rp := 0
+
+	numElems := int(binary.BigEndian.Uint32(src[rp:]))
+	rp += 4
+
+	if numElems == 0 {
+		*dst = <%= multirange_type %>{Status: Present}
+		return nil
+	}
+
+	elements := make([]<%= range_type %>, numElems)
+
+	for i := range elements {
+		elemLen := int(int32(binary.BigEndian.Uint32(src[rp:])))
+		rp += 4
+		var elemSrc []byte
+		if elemLen >= 0 {
+			elemSrc = src[rp : rp+elemLen]
+			rp += elemLen
+		}
+		err := elements[i].DecodeBinary(ci, elemSrc)
+		if err != nil {
+			return err
+		}
+	}
+
+	*dst = <%= multirange_type %>{Ranges: elements, Status: Present}
+	return nil
+}
+
+func (src <%= multirange_type %>) EncodeText(ci *ConnInfo, buf []byte) ([]byte, error) {
+	switch src.Status {
+	case Null:
+		return nil, nil
+	case Undefined:
+		return nil, errUndefined
+	}
+
+	buf = append(buf, '{')
+
+	inElemBuf := make([]byte, 0, 32)
+	for i, elem := range src.Ranges {
+		if i > 0 {
+			buf = append(buf, ',')
+		}
+
+		elemBuf, err := elem.EncodeText(ci, inElemBuf)
+		if err != nil {
+			return nil, err
+		}
+		if elemBuf == nil {
+			return nil, fmt.Errorf("multi-range does not allow null range")
+		} else {
+			buf = append(buf, string(elemBuf)...)
+		}
+
+	}
+
+	buf = append(buf, '}')
+
+	return buf, nil
+}
+
+func (src <%= multirange_type %>) EncodeBinary(ci *ConnInfo, buf []byte) ([]byte, error) {
+	switch src.Status {
+	case Null:
+		return nil, nil
+	case Undefined:
+		return nil, errUndefined
+	}
+
+	buf = pgio.AppendInt32(buf, int32(len(src.Ranges)))
+
+	for i := range src.Ranges {
+		sp := len(buf)
+		buf = pgio.AppendInt32(buf, -1)
+
+		elemBuf, err := src.Ranges[i].EncodeBinary(ci, buf)
+		if err != nil {
+			return nil, err
+		}
+		if elemBuf != nil {
+			buf = elemBuf
+			pgio.SetInt32(buf[sp:], int32(len(buf[sp:])-4))
+		}
+	}
+
+	return buf, nil
+}
+
+// Scan implements the database/sql Scanner interface.
+func (dst *<%= multirange_type %>) Scan(src interface{}) error {
+	if src == nil {
+		return dst.DecodeText(nil, nil)
+	}
+
+	switch src := src.(type) {
+	case string:
+		return dst.DecodeText(nil, []byte(src))
+	case []byte:
+		srcCopy := make([]byte, len(src))
+		copy(srcCopy, src)
+		return dst.DecodeText(nil, srcCopy)
+	}
+
+	return fmt.Errorf("cannot scan %T", src)
+}
+
+// Value implements the database/sql/driver Valuer interface.
+func (src <%= multirange_type %>) Value() (driver.Value, error) {
+	return EncodeValueText(src)
+}
--- a/vendor/github.com/jackc/pgtype/typed_multirange_gen.sh
+++ b/vendor/github.com/jackc/pgtype/typed_multirange_gen.sh
@ -0,0 +1,8 @@
+erb range_type=Numrange multirange_type=Nummultirange typed_multirange.go.erb > num_multirange.go
+erb range_type=Int4range multirange_type=Int4multirange typed_multirange.go.erb > int4_multirange.go
+erb range_type=Int8range multirange_type=Int8multirange typed_multirange.go.erb > int8_multirange.go
+# TODO
+# erb range_type=Tsrange multirange_type=Tsmultirange typed_multirange.go.erb > ts_multirange.go
+# erb range_type=Tstzrange multirange_type=Tstzmultirange typed_multirange.go.erb > tstz_multirange.go
+# erb range_type=Daterange multirange_type=Datemultirange typed_multirange.go.erb > date_multirange.go
+goimports -w *multirange.go
--- a/vendor/github.com/jackc/pgx/v4/CHANGELOG.md
+++ b/vendor/github.com/jackc/pgx/v4/CHANGELOG.md
@ -1,3 +1,13 @@
+# 4.16.0 (April 21, 2022)
+
+* Upgrade pgconn to v1.12.0
+* Upgrade pgproto3 to v2.3.0
+* Upgrade pgtype to v1.11.0
+* Fix: Do not panic when context cancelled while getting statement from cache.
+* Fix: Less memory pinning from old Rows.
+* Fix: Support '\r' line ending when sanitizing SQL comment.
+* Add pluggable GSSAPI support (Oliver Tan)
+
 # 4.15.0 (February 7, 2022)

 * Upgrade to pgconn v1.11.0
--- a/vendor/github.com/jackc/pgx/v4/README.md
+++ b/vendor/github.com/jackc/pgx/v4/README.md
@ -98,26 +98,6 @@ There are three areas in particular where pgx can provide a significant performa
   perform nearly 3x the number of queries per second.
 3. Batched queries - Multiple queries can be batched together to minimize network round trips.

-## Comparison with Alternatives
-
-* [pq](http://godoc.org/github.com/lib/pq)
-* [go-pg](https://github.com/go-pg/pg)
-
-For prepared queries with small sets of simple data types, all drivers will have have similar performance. However, if prepared statements aren't being explicitly used, pgx can have a significant performance advantage due to automatic statement preparation.
-pgx also can perform better when using PostgreSQL-specific data types or query batching. See
-[go_db_bench](https://github.com/jackc/go_db_bench) for some database driver benchmarks.
-
-### Compatibility with `database/sql`
-
-pq is exclusively used with `database/sql`. go-pg does not use `database/sql` at all. pgx supports `database/sql` as well as
-its own interface.
-
-### Level of access, ORM
-
-go-pg is a PostgreSQL client and ORM. It includes many features that traditionally sit above the database driver, such as ORM, struct mapping, soft deletes, schema migrations, and sharding support.
-
-pgx is "closer to the metal" and such abstractions are beyond the scope of the pgx project, which first and foremost, aims to be a performant driver and toolkit.
-
 ## Testing

 pgx tests naturally require a PostgreSQL database. It will connect to the database specified in the `PGX_TEST_DATABASE` environment
@ -201,3 +181,7 @@ pgerrcode contains constants for the PostgreSQL error codes.
 ### [github.com/georgysavva/scany](https://github.com/georgysavva/scany)

 Library for scanning data from a database into Go structs and more.
+
+### [https://github.com/otan/gopgkrb5](https://github.com/otan/gopgkrb5)
+
+Adds GSSAPI / Kerberos authentication support.
--- a/vendor/github.com/jackc/pgx/v4/conn.go
+++ b/vendor/github.com/jackc/pgx/v4/conn.go
@ -73,9 +73,8 @@ type Conn struct {

 	connInfo *pgtype.ConnInfo

-	wbuf             []byte
-	preallocatedRows []connRows
-	eqb              extendedQueryBuilder
+	wbuf []byte
+	eqb  extendedQueryBuilder
 }

 // Identifier a PostgreSQL identifier or name. Identifiers can be composed of
@ -366,30 +365,6 @@ func (c *Conn) Ping(ctx context.Context) error {
 	return err
 }

-func connInfoFromRows(rows Rows, err error) (map[string]uint32, error) {
-	if err != nil {
-		return nil, err
-	}
-	defer rows.Close()
-
-	nameOIDs := make(map[string]uint32, 256)
-	for rows.Next() {
-		var oid uint32
-		var name pgtype.Text
-		if err = rows.Scan(&oid, &name); err != nil {
-			return nil, err
-		}
-
-		nameOIDs[name.String] = oid
-	}
-
-	if err = rows.Err(); err != nil {
-		return nil, err
-	}
-
-	return nameOIDs, err
-}
-
 // PgConn returns the underlying *pgconn.PgConn. This is an escape hatch method that allows lower level access to the
 // PostgreSQL connection than pgx exposes.
 //
@ -414,7 +389,8 @@ func (c *Conn) Exec(ctx context.Context, sql string, arguments ...interface{}) (
 	commandTag, err := c.exec(ctx, sql, arguments...)
 	if err != nil {
 		if c.shouldLog(LogLevelError) {
-			c.log(ctx, LogLevelError, "Exec", map[string]interface{}{"sql": sql, "args": logQueryArgs(arguments), "err": err})
+			endTime := time.Now()
+			c.log(ctx, LogLevelError, "Exec", map[string]interface{}{"sql": sql, "args": logQueryArgs(arguments), "err": err, "time": endTime.Sub(startTime)})
 		}
 		return commandTag, err
 	}
@ -537,12 +513,7 @@ func (c *Conn) execPrepared(ctx context.Context, sd *pgconn.StatementDescription
 }

 func (c *Conn) getRows(ctx context.Context, sql string, args []interface{}) *connRows {
-	if len(c.preallocatedRows) == 0 {
-		c.preallocatedRows = make([]connRows, 64)
-	}
-
-	r := &c.preallocatedRows[len(c.preallocatedRows)-1]
-	c.preallocatedRows = c.preallocatedRows[0 : len(c.preallocatedRows)-1]
+	r := &connRows{}

 	r.ctx = ctx
 	r.logger = c
@ -797,8 +768,7 @@ func (c *Conn) SendBatch(ctx context.Context, b *Batch) BatchResults {
 			var err error
 			sd, err = stmtCache.Get(ctx, bi.query)
 			if err != nil {
-				// the stmtCache was prefilled from distinctUnpreparedQueries above so we are guaranteed no errors
-				panic("BUG: unexpected error from stmtCache")
+				return &batchResults{ctx: ctx, conn: c, err: err}
 			}
 		}

--- a/vendor/github.com/jackc/pgx/v4/go.mod
+++ b/vendor/github.com/jackc/pgx/v4/go.mod
@ -7,10 +7,10 @@ require (
 	github.com/cockroachdb/apd v1.1.0
 	github.com/go-kit/log v0.1.0
 	github.com/gofrs/uuid v4.0.0+incompatible
-	github.com/jackc/pgconn v1.11.0
+	github.com/jackc/pgconn v1.12.0
 	github.com/jackc/pgio v1.0.0
-	github.com/jackc/pgproto3/v2 v2.2.0
-	github.com/jackc/pgtype v1.10.0
+	github.com/jackc/pgproto3/v2 v2.3.0
+	github.com/jackc/pgtype v1.11.0
 	github.com/jackc/puddle v1.2.1
 	github.com/rs/zerolog v1.15.0
 	github.com/shopspring/decimal v1.2.0
--- a/vendor/github.com/jackc/pgx/v4/go.sum
+++ b/vendor/github.com/jackc/pgx/v4/go.sum
@ -36,6 +36,8 @@ github.com/jackc/pgconn v1.10.1 h1:DzdIHIjG1AxGwoEEqS+mGsURyjt4enSmqzACXvVzOT8=
 github.com/jackc/pgconn v1.10.1/go.mod h1:4z2w8XhRbP1hYxkpTuBjTS3ne3J48K83+u0zoyvg2pI=
 github.com/jackc/pgconn v1.11.0 h1:HiHArx4yFbwl91X3qqIHtUFoiIfLNJXCQRsnzkiwwaQ=
 github.com/jackc/pgconn v1.11.0/go.mod h1:4z2w8XhRbP1hYxkpTuBjTS3ne3J48K83+u0zoyvg2pI=
+github.com/jackc/pgconn v1.12.0 h1:/RvQ24k3TnNdfBSW0ou9EOi5jx2cX7zfE8n2nLKuiP0=
+github.com/jackc/pgconn v1.12.0/go.mod h1:ZkhRC59Llhrq3oSfrikvwQ5NaxYExr6twkdkMLaKono=
 github.com/jackc/pgio v1.0.0 h1:g12B9UwVnzGhueNavwioyEEpAmqMe1E/BN9ES+8ovkE=
 github.com/jackc/pgio v1.0.0/go.mod h1:oP+2QK2wFfUWgr+gxjoBH9KGBb31Eio69xUb0w5bYf8=
 github.com/jackc/pgmock v0.0.0-20190831213851-13a1b77aafa2/go.mod h1:fGZlG77KXmcq05nJLRkk0+p82V8B8Dw8KN2/V9c/OAE=
@ -55,6 +57,8 @@ github.com/jackc/pgproto3/v2 v2.1.1 h1:7PQ/4gLoqnl87ZxL7xjO0DR5gYuviDCZxQJsUlFW1
 github.com/jackc/pgproto3/v2 v2.1.1/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
 github.com/jackc/pgproto3/v2 v2.2.0 h1:r7JypeP2D3onoQTCxWdTpCtJ4D+qpKr0TxvoyMhZ5ns=
 github.com/jackc/pgproto3/v2 v2.2.0/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
+github.com/jackc/pgproto3/v2 v2.3.0 h1:brH0pCGBDkBW07HWlN/oSBXrmo3WB0UvZd1pIuDcL8Y=
+github.com/jackc/pgproto3/v2 v2.3.0/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
 github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b h1:C8S2+VttkHFdOOCXJe+YGfa4vHYwlt4Zx+IVXQ97jYg=
 github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b/go.mod h1:vsD4gTJCa9TptPL8sPkXrLZ+hDuNrZCnj29CQpr4X1E=
 github.com/jackc/pgtype v0.0.0-20190421001408-4ed0de4755e0/go.mod h1:hdSHsc1V01CGwFsrv11mJRHWJ6aifDLfdV3aVjFF0zg=
@ -69,6 +73,8 @@ github.com/jackc/pgtype v1.9.1 h1:MJc2s0MFS8C3ok1wQTdQxWuXQcB6+HwAm5x1CzW7mf0=
 github.com/jackc/pgtype v1.9.1/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4=
 github.com/jackc/pgtype v1.10.0 h1:ILnBWrRMSXGczYvmkYD6PsYyVFUNLTnIUJHHDLmqk38=
 github.com/jackc/pgtype v1.10.0/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4=
+github.com/jackc/pgtype v1.11.0 h1:u4uiGPz/1hryuXzyaBhSk6dnIyyG2683olG2OV+UUgs=
+github.com/jackc/pgtype v1.11.0/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4=
 github.com/jackc/pgx/v4 v4.0.0-20190420224344-cc3461e65d96/go.mod h1:mdxmSJJuR08CZQyj1PVQBHy9XOp5p8/SHH6a0psbY9Y=
 github.com/jackc/pgx/v4 v4.0.0-20190421002000-1b8f0016e912/go.mod h1:no/Y67Jkk/9WuGR0JG/JseM9irFbnEPbuWV2EELPNuM=
 github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQnOEnf1dqHGpw7JmHqHc1NxDoalibchSk9/RWuDc=
@ -187,6 +193,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190425163242-31fd60d6bfdc/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
--- a/vendor/github.com/jackc/pgx/v4/internal/sanitize/sanitize.go
+++ b/vendor/github.com/jackc/pgx/v4/internal/sanitize/sanitize.go
@ -246,7 +246,7 @@ func oneLineCommentState(l *sqlLexer) stateFn {
 		case '\\':
 			_, width = utf8.DecodeRuneInString(l.src[l.pos:])
 			l.pos += width
-		case '\n':
+		case '\n', '\r':
 			return rawState
 		case utf8.RuneError:
 			if l.pos-l.start > 0 {
--- a/vendor/github.com/jackc/pgx/v4/large_objects.go
+++ b/vendor/github.com/jackc/pgx/v4/large_objects.go
@ -108,13 +108,13 @@ func (o *LargeObject) Tell() (n int64, err error) {
 	return n, err
 }

-// Trunctes the large object to size.
+// Truncate the large object to size.
 func (o *LargeObject) Truncate(size int64) (err error) {
 	_, err = o.tx.Exec(o.ctx, "select lo_truncate64($1, $2)", o.fd, size)
 	return err
 }

-// Close closees the large object descriptor.
+// Close the large object descriptor.
 func (o *LargeObject) Close() error {
 	_, err := o.tx.Exec(o.ctx, "select lo_close($1)", o.fd)
 	return err
--- a/vendor/github.com/jackc/pgx/v4/pgxpool/pool.go
+++ b/vendor/github.com/jackc/pgx/v4/pgxpool/pool.go
@ -112,7 +112,7 @@ type Config struct {
 	// MaxConnIdleTime is the duration after which an idle connection will be automatically closed by the health check.
 	MaxConnIdleTime time.Duration

-	// MaxConns is the maximum size of the pool.
+	// MaxConns is the maximum size of the pool. The default is the greater of 4 or runtime.NumCPU().
 	MaxConns int32

 	// MinConns is the minimum size of the pool. The health check will increase the number of connections to this
--- a/vendor/github.com/jackc/pgx/v4/tx.go
+++ b/vendor/github.com/jackc/pgx/v4/tx.go
@ -192,7 +192,7 @@ func (tx *dbTx) Begin(ctx context.Context) (Tx, error) {
 		return nil, err
 	}

-	return &dbSavepoint{tx: tx, savepointNum: tx.savepointNum}, nil
+	return &dbSimulatedNestedTx{tx: tx, savepointNum: tx.savepointNum}, nil
 }

 func (tx *dbTx) BeginFunc(ctx context.Context, f func(Tx) error) (err error) {
@ -329,15 +329,15 @@ func (tx *dbTx) Conn() *Conn {
 	return tx.conn
 }

-// dbSavepoint represents a nested transaction implemented by a savepoint.
-type dbSavepoint struct {
+// dbSimulatedNestedTx represents a simulated nested transaction implemented by a savepoint.
+type dbSimulatedNestedTx struct {
 	tx           Tx
 	savepointNum int64
 	closed       bool
 }

 // Begin starts a pseudo nested transaction implemented with a savepoint.
-func (sp *dbSavepoint) Begin(ctx context.Context) (Tx, error) {
+func (sp *dbSimulatedNestedTx) Begin(ctx context.Context) (Tx, error) {
 	if sp.closed {
 		return nil, ErrTxClosed
 	}
@ -345,7 +345,7 @@ func (sp *dbSavepoint) Begin(ctx context.Context) (Tx, error) {
 	return sp.tx.Begin(ctx)
 }

-func (sp *dbSavepoint) BeginFunc(ctx context.Context, f func(Tx) error) (err error) {
+func (sp *dbSimulatedNestedTx) BeginFunc(ctx context.Context, f func(Tx) error) (err error) {
 	if sp.closed {
 		return ErrTxClosed
 	}
@ -354,7 +354,7 @@ func (sp *dbSavepoint) BeginFunc(ctx context.Context, f func(Tx) error) (err err
 }

 // Commit releases the savepoint essentially committing the pseudo nested transaction.
-func (sp *dbSavepoint) Commit(ctx context.Context) error {
+func (sp *dbSimulatedNestedTx) Commit(ctx context.Context) error {
 	if sp.closed {
 		return ErrTxClosed
 	}
@ -367,7 +367,7 @@ func (sp *dbSavepoint) Commit(ctx context.Context) error {
 // Rollback rolls back to the savepoint essentially rolling back the pseudo nested transaction. Rollback will return
 // ErrTxClosed if the dbSavepoint is already closed, but is otherwise safe to call multiple times. Hence, a defer sp.Rollback()
 // is safe even if sp.Commit() will be called first in a non-error condition.
-func (sp *dbSavepoint) Rollback(ctx context.Context) error {
+func (sp *dbSimulatedNestedTx) Rollback(ctx context.Context) error {
 	if sp.closed {
 		return ErrTxClosed
 	}
@ -378,7 +378,7 @@ func (sp *dbSavepoint) Rollback(ctx context.Context) error {
 }

 // Exec delegates to the underlying Tx
-func (sp *dbSavepoint) Exec(ctx context.Context, sql string, arguments ...interface{}) (commandTag pgconn.CommandTag, err error) {
+func (sp *dbSimulatedNestedTx) Exec(ctx context.Context, sql string, arguments ...interface{}) (commandTag pgconn.CommandTag, err error) {
 	if sp.closed {
 		return nil, ErrTxClosed
 	}
@ -387,7 +387,7 @@ func (sp *dbSavepoint) Exec(ctx context.Context, sql string, arguments ...interf
 }

 // Prepare delegates to the underlying Tx
-func (sp *dbSavepoint) Prepare(ctx context.Context, name, sql string) (*pgconn.StatementDescription, error) {
+func (sp *dbSimulatedNestedTx) Prepare(ctx context.Context, name, sql string) (*pgconn.StatementDescription, error) {
 	if sp.closed {
 		return nil, ErrTxClosed
 	}
@ -396,7 +396,7 @@ func (sp *dbSavepoint) Prepare(ctx context.Context, name, sql string) (*pgconn.S
 }

 // Query delegates to the underlying Tx
-func (sp *dbSavepoint) Query(ctx context.Context, sql string, args ...interface{}) (Rows, error) {
+func (sp *dbSimulatedNestedTx) Query(ctx context.Context, sql string, args ...interface{}) (Rows, error) {
 	if sp.closed {
 		// Because checking for errors can be deferred to the *Rows, build one with the error
 		err := ErrTxClosed
@ -407,13 +407,13 @@ func (sp *dbSavepoint) Query(ctx context.Context, sql string, args ...interface{
 }

 // QueryRow delegates to the underlying Tx
-func (sp *dbSavepoint) QueryRow(ctx context.Context, sql string, args ...interface{}) Row {
+func (sp *dbSimulatedNestedTx) QueryRow(ctx context.Context, sql string, args ...interface{}) Row {
 	rows, _ := sp.Query(ctx, sql, args...)
 	return (*connRow)(rows.(*connRows))
 }

 // QueryFunc delegates to the underlying Tx.
-func (sp *dbSavepoint) QueryFunc(ctx context.Context, sql string, args []interface{}, scans []interface{}, f func(QueryFuncRow) error) (pgconn.CommandTag, error) {
+func (sp *dbSimulatedNestedTx) QueryFunc(ctx context.Context, sql string, args []interface{}, scans []interface{}, f func(QueryFuncRow) error) (pgconn.CommandTag, error) {
 	if sp.closed {
 		return nil, ErrTxClosed
 	}
@ -422,7 +422,7 @@ func (sp *dbSavepoint) QueryFunc(ctx context.Context, sql string, args []interfa
 }

 // CopyFrom delegates to the underlying *Conn
-func (sp *dbSavepoint) CopyFrom(ctx context.Context, tableName Identifier, columnNames []string, rowSrc CopyFromSource) (int64, error) {
+func (sp *dbSimulatedNestedTx) CopyFrom(ctx context.Context, tableName Identifier, columnNames []string, rowSrc CopyFromSource) (int64, error) {
 	if sp.closed {
 		return 0, ErrTxClosed
 	}
@ -431,7 +431,7 @@ func (sp *dbSavepoint) CopyFrom(ctx context.Context, tableName Identifier, colum
 }

 // SendBatch delegates to the underlying *Conn
-func (sp *dbSavepoint) SendBatch(ctx context.Context, b *Batch) BatchResults {
+func (sp *dbSimulatedNestedTx) SendBatch(ctx context.Context, b *Batch) BatchResults {
 	if sp.closed {
 		return &batchResults{err: ErrTxClosed}
 	}
@ -439,10 +439,10 @@ func (sp *dbSavepoint) SendBatch(ctx context.Context, b *Batch) BatchResults {
 	return sp.tx.SendBatch(ctx, b)
 }

-func (sp *dbSavepoint) LargeObjects() LargeObjects {
+func (sp *dbSimulatedNestedTx) LargeObjects() LargeObjects {
 	return LargeObjects{tx: sp}
 }

-func (sp *dbSavepoint) Conn() *Conn {
+func (sp *dbSimulatedNestedTx) Conn() *Conn {
 	return sp.tx.Conn()
 }
--- a/vendor/github.com/microcosm-cc/bluemonday/.editorconfig
+++ b/vendor/github.com/microcosm-cc/bluemonday/.editorconfig
@ -0,0 +1,4 @@
+root = true
+
+[*]
+end_of_line = lf
--- a/vendor/github.com/microcosm-cc/bluemonday/.gitattributes
+++ b/vendor/github.com/microcosm-cc/bluemonday/.gitattributes
@ -0,0 +1 @@
+* text=auto eol=lf
--- a/vendor/github.com/microcosm-cc/bluemonday/CREDITS.md
+++ b/vendor/github.com/microcosm-cc/bluemonday/CREDITS.md
@ -4,4 +4,5 @@
 1. Andrew Krasichkov @buglloc https://github.com/buglloc
 1. Mike Samuel mikesamuel@gmail.com
 1. Dmitri Shuralyov shurcooL@gmail.com
-1. https://github.com/opennota
+1. opennota https://github.com/opennota https://gitlab.com/opennota
+1. Tom Anthony https://www.tomanthony.co.uk/
--- a/vendor/github.com/microcosm-cc/bluemonday/Makefile
+++ b/vendor/github.com/microcosm-cc/bluemonday/Makefile
@ -3,6 +3,7 @@
 #   all:          Builds the code locally after testing
 #
 #   fmt:          Formats the source files
+#   fmt-check:    Check if the source files are formated
 #   build:        Builds the code locally
 #   vet:          Vets the code
 #   lint:         Runs lint over the code (you do not need to fix everything)
@ -11,6 +12,8 @@
 #
 #   install:      Builds, tests and installs the code locally

+GOFILES_NOVENDOR = $(shell find . -type f -name '*.go' -not -path "./vendor/*" -not -path "./.git/*")
+
 .PHONY: all fmt build vet lint test cover install

 # The first target is always the default action if `make` is called without
@ -19,7 +22,10 @@
 all: fmt vet test install

 fmt:
-	@gofmt -s -w ./$*
+	@gofmt -s -w ${GOFILES_NOVENDOR}
+
+fmt-check:
+	@([ -z "$(shell gofmt -d $(GOFILES_NOVENDOR) | head)" ]) || (echo "Source is unformatted"; exit 1)

 build:
 	@go build
--- a/vendor/github.com/microcosm-cc/bluemonday/README.md
+++ b/vendor/github.com/microcosm-cc/bluemonday/README.md
@ -180,7 +180,7 @@ p.AllowElementsMatching(regex.MustCompile(`^my-element-`))

 Or add elements as a virtue of adding an attribute:
 ```go
-// Not the recommended pattern, see the recommendation on using .Matching() below
+// Note the recommended pattern, see the recommendation on using .Matching() below
 p.AllowAttrs("nowrap").OnElements("td", "th")
 ```

@ -222,7 +222,7 @@ p.AllowElements("fieldset", "select", "option")

 Although it's possible to handle inline CSS using `AllowAttrs` with a `Matching` rule, writing a single monolithic regular expression to safely process all inline CSS which you wish to allow is not a trivial task.  Instead of attempting to do so, you can allow the `style` attribute on whichever element(s) you desire and use style policies to control and sanitize inline styles.

-It is suggested that you use `Matching` (with a suitable regular expression)
+It is strongly recommended that you use `Matching` (with a suitable regular expression)
 `MatchingEnum`, or `MatchingHandler` to ensure each style matches your needs,
 but default handlers are supplied for most widely used styles.

@ -379,6 +379,8 @@ Both examples exhibit the same issue, they declare attributes but do not then sp

 We are not yet including any tools to help allow and sanitize CSS. Which means that unless you wish to do the heavy lifting in a single regular expression (inadvisable), **you should not allow the "style" attribute anywhere**.

+In the same theme, both `<script>` and `<style>` are considered harmful. These elements (and their content) will not be rendered by default, and require you to explicitly set `p.AllowUnsafe(true)`. You should be aware that allowing these elements defeats the purpose of using a HTML sanitizer as you would be explicitly allowing either JavaScript (and any plainly written XSS) and CSS (which can modify a DOM to insert JS), and additionally but limitations in this library mean it is not aware of whether HTML is validly structured and that can allow these elements to bypass some of the safety mechanisms built into the [WhatWG HTML parser standard](https://html.spec.whatwg.org/multipage/parsing.html#parsing-main-inselect).
+
 It is not the job of bluemonday to fix your bad HTML, it is merely the job of bluemonday to prevent malicious HTML getting through. If you have mismatched HTML elements, or non-conforming nesting of elements, those will remain. But if you have well-structured HTML bluemonday will not break it.

 ## TODO
--- a/vendor/github.com/microcosm-cc/bluemonday/go.mod
+++ b/vendor/github.com/microcosm-cc/bluemonday/go.mod
@ -3,7 +3,6 @@ module github.com/microcosm-cc/bluemonday
 go 1.16

 require (
-	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d
 	github.com/aymerick/douceur v0.2.0
 	github.com/gorilla/css v1.0.0 // indirect
 	golang.org/x/net v0.0.0-20210614182718-04defd469f4e
--- a/vendor/github.com/microcosm-cc/bluemonday/go.sum
+++ b/vendor/github.com/microcosm-cc/bluemonday/go.sum
@ -1,17 +1,10 @@
-github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d h1:Byv0BzEl3/e6D5CLfI0j/7hiIEtvGVFPCZ7Ei2oq8iQ=
-github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
 github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY=
 github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
-golang.org/x/net v0.0.0-20210421230115-4e50805a0758 h1:aEpZnXcAmXkd6AvLb2OPt+EN1Zu/8Ne3pCqPjja5PXY=
-golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM=
-golang.org/x/net v0.0.0-20210610132358-84b48f89b13b h1:k+E048sYJHyVnsr1GDrRZWQ32D2C7lWs9JRc0bel53A=
-golang.org/x/net v0.0.0-20210610132358-84b48f89b13b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210614182718-04defd469f4e h1:XpT3nA5TvE525Ne3hInMh6+GETgn27Zfm9dxsThnX2Q=
 golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
--- a/vendor/github.com/microcosm-cc/bluemonday/helpers.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/helpers.go
@ -295,3 +295,9 @@ func (p *Policy) AllowTables() {
 		CellVerticalAlign,
 	).OnElements("tbody", "tfoot")
 }
+
+func (p *Policy) AllowIFrames(vals ...SandboxValue) {
+	p.AllowAttrs("sandbox").OnElements("iframe")
+
+	p.RequireSandboxOnIFrame(vals...)
+}
--- a/vendor/github.com/microcosm-cc/bluemonday/policy.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/policy.go
@ -74,6 +74,9 @@ type Policy struct {
 	// When true, add crossorigin="anonymous" to HTML audio, img, link, script, and video tags
 	requireCrossOriginAnonymous bool

+	// When true, add and filter sandbox attribute on iframe tags
+	requireSandboxOnIFrame map[string]bool
+
 	// When true add target="_blank" to fully qualified links
 	// Will add for href="http://foo"
 	// Will skip for href="/foo" or href="foo"
@ -134,6 +137,19 @@ type Policy struct {
 	setOfElementsMatchingAllowedWithoutAttrs []*regexp.Regexp

 	setOfElementsToSkipContent map[string]struct{}
+
+	// Permits fundamentally unsafe elements.
+	//
+	// If false (default) then elements such as `style` and `script` will not be
+	// permitted even if declared in a policy. These elements when combined with
+	// untrusted input cannot be safely handled by bluemonday at this point in
+	// time.
+	//
+	// If true then `style` and `script` would be permitted by bluemonday if a
+	// policy declares them. However this is not recommended under any circumstance
+	// and can lead to XSS being rendered thus defeating the purpose of using a
+	// HTML sanitizer.
+	allowUnsafe bool
 }

 type attrPolicy struct {
@ -176,6 +192,25 @@ type stylePolicyBuilder struct {

 type urlPolicy func(url *url.URL) (allowUrl bool)

+type SandboxValue int64
+
+const (
+	SandboxAllowDownloads SandboxValue = iota
+	SandboxAllowDownloadsWithoutUserActivation
+	SandboxAllowForms
+	SandboxAllowModals
+	SandboxAllowOrientationLock
+	SandboxAllowPointerLock
+	SandboxAllowPopups
+	SandboxAllowPopupsToEscapeSandbox
+	SandboxAllowPresentation
+	SandboxAllowSameOrigin
+	SandboxAllowScripts
+	SandboxAllowStorageAccessByUserActivation
+	SandboxAllowTopNavigation
+	SandboxAllowTopNavigationByUserActivation
+)
+
 // init initializes the maps if this has not been done already
 func (p *Policy) init() {
 	if !p.initialized {
@ -667,6 +702,58 @@ func (p *Policy) AllowURLSchemeWithCustomPolicy(
 	return p
 }

+// RequireSandboxOnIFrame will result in all iframe tags having a sandbox="" tag
+// Any sandbox values not specified here will be filtered from the generated HTML
+func (p *Policy) RequireSandboxOnIFrame(vals ...SandboxValue) {
+	p.requireSandboxOnIFrame = make(map[string]bool)
+
+	for _, val := range vals {
+		switch SandboxValue(val) {
+		case SandboxAllowDownloads:
+			p.requireSandboxOnIFrame["allow-downloads"] = true
+
+		case SandboxAllowDownloadsWithoutUserActivation:
+			p.requireSandboxOnIFrame["allow-downloads-without-user-activation"] = true
+
+		case SandboxAllowForms:
+			p.requireSandboxOnIFrame["allow-forms"] = true
+
+		case SandboxAllowModals:
+			p.requireSandboxOnIFrame["allow-modals"] = true
+
+		case SandboxAllowOrientationLock:
+			p.requireSandboxOnIFrame["allow-orientation-lock"] = true
+
+		case SandboxAllowPointerLock:
+			p.requireSandboxOnIFrame["allow-pointer-lock"] = true
+
+		case SandboxAllowPopups:
+			p.requireSandboxOnIFrame["allow-popups"] = true
+
+		case SandboxAllowPopupsToEscapeSandbox:
+			p.requireSandboxOnIFrame["allow-popups-to-escape-sandbox"] = true
+
+		case SandboxAllowPresentation:
+			p.requireSandboxOnIFrame["allow-presentation"] = true
+
+		case SandboxAllowSameOrigin:
+			p.requireSandboxOnIFrame["allow-same-origin"] = true
+
+		case SandboxAllowScripts:
+			p.requireSandboxOnIFrame["allow-scripts"] = true
+
+		case SandboxAllowStorageAccessByUserActivation:
+			p.requireSandboxOnIFrame["allow-storage-access-by-user-activation"] = true
+
+		case SandboxAllowTopNavigation:
+			p.requireSandboxOnIFrame["allow-top-navigation"] = true
+
+		case SandboxAllowTopNavigationByUserActivation:
+			p.requireSandboxOnIFrame["allow-top-navigation-by-user-activation"] = true
+		}
+	}
+}
+
 // AddSpaceWhenStrippingTag states whether to add a single space " " when
 // removing tags that are not allowed by the policy.
 //
@ -714,6 +801,23 @@ func (p *Policy) AllowElementsContent(names ...string) *Policy {
 	return p
 }

+// AllowUnsafe permits fundamentally unsafe elements.
+//
+// If false (default) then elements such as `style` and `script` will not be
+// permitted even if declared in a policy. These elements when combined with
+// untrusted input cannot be safely handled by bluemonday at this point in
+// time.
+//
+// If true then `style` and `script` would be permitted by bluemonday if a
+// policy declares them. However this is not recommended under any circumstance
+// and can lead to XSS being rendered thus defeating the purpose of using a
+// HTML sanitizer.
+func (p *Policy) AllowUnsafe(allowUnsafe bool) *Policy {
+	p.init()
+	p.allowUnsafe = allowUnsafe
+	return p
+}
+
 // addDefaultElementsWithoutAttrs adds the HTML elements that we know are valid
 // without any attributes to an internal map.
 // i.e. we know that <table> is valid, but <bdo> isn't valid as the "dir" attr
--- a/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/sanitize.go
@ -130,7 +130,7 @@ func escapeUrlComponent(w stringWriterWriter, val string) error {
 	return err
 }

-// Query represents a single part of the query string, a query param 
+// Query represents a single part of the query string, a query param
 type Query struct {
 	Key      string
 	Value    string
@ -240,7 +240,7 @@ func (p *Policy) sanitize(r io.Reader, w io.Writer) error {
 	// rather than:
 	//   p := bluemonday.NewPolicy()
 	// If this is the case, and if they haven't yet triggered an action that
-	// would initiliaze the maps, then we need to do that.
+	// would initialize the maps, then we need to do that.
 	p.init()

 	buff, ok := w.(stringWriterWriter)
@ -293,6 +293,17 @@ func (p *Policy) sanitize(r io.Reader, w io.Writer) error {

 			mostRecentlyStartedToken = normaliseElementName(token.Data)

+			switch normaliseElementName(token.Data) {
+			case `script`:
+				if !p.allowUnsafe {
+					continue
+				}
+			case `style`:
+				if !p.allowUnsafe {
+					continue
+				}
+			}
+
 			aps, ok := p.elsAndAttrs[token.Data]
 			if !ok {
 				aa, matched := p.matchRegex(token.Data)
@ -341,6 +352,17 @@ func (p *Policy) sanitize(r io.Reader, w io.Writer) error {
 				mostRecentlyStartedToken = ""
 			}

+			switch normaliseElementName(token.Data) {
+			case `script`:
+				if !p.allowUnsafe {
+					continue
+				}
+			case `style`:
+				if !p.allowUnsafe {
+					continue
+				}
+			}
+
 			if skipClosingTag && closingTagToSkipStack[len(closingTagToSkipStack)-1] == token.Data {
 				closingTagToSkipStack = closingTagToSkipStack[:len(closingTagToSkipStack)-1]
 				if len(closingTagToSkipStack) == 0 {
@ -386,6 +408,17 @@ func (p *Policy) sanitize(r io.Reader, w io.Writer) error {

 		case html.SelfClosingTagToken:

+			switch normaliseElementName(token.Data) {
+			case `script`:
+				if !p.allowUnsafe {
+					continue
+				}
+			case `style`:
+				if !p.allowUnsafe {
+					continue
+				}
+			}
+
 			aps, ok := p.elsAndAttrs[token.Data]
 			if !ok {
 				aa, matched := p.matchRegex(token.Data)
@ -425,14 +458,22 @@ func (p *Policy) sanitize(r io.Reader, w io.Writer) error {
 				case `script`:
 					// not encouraged, but if a policy allows JavaScript we
 					// should not HTML escape it as that would break the output
-					if _, err := buff.WriteString(token.Data); err != nil {
-						return err
+					//
+					// requires p.AllowUnsafe()
+					if p.allowUnsafe {
+						if _, err := buff.WriteString(token.Data); err != nil {
+							return err
+						}
 					}
 				case "style":
 					// not encouraged, but if a policy allows CSS styles we
 					// should not HTML escape it as that would break the output
-					if _, err := buff.WriteString(token.Data); err != nil {
-						return err
+					//
+					// requires p.AllowUnsafe()
+					if p.allowUnsafe {
+						if _, err := buff.WriteString(token.Data); err != nil {
+							return err
+						}
 					}
 				default:
 					// HTML escape the text
@ -524,11 +565,11 @@ attrsLoop:
 			for _, ap := range apl {
 				if ap.regexp != nil {
 					if ap.regexp.MatchString(htmlAttr.Val) {
-				htmlAttr.Val = escapeAttribute(htmlAttr.Val)
+						htmlAttr.Val = escapeAttribute(htmlAttr.Val)
 						cleanAttrs = append(cleanAttrs, htmlAttr)
 					}
 				} else {
-				htmlAttr.Val = escapeAttribute(htmlAttr.Val)
+					htmlAttr.Val = escapeAttribute(htmlAttr.Val)
 					cleanAttrs = append(cleanAttrs, htmlAttr)
 				}
 			}
@ -768,6 +809,33 @@ attrsLoop:
 		}
 	}

+	if p.requireSandboxOnIFrame != nil && elementName == "iframe" {
+		var sandboxFound bool
+		for i, htmlAttr := range cleanAttrs {
+			if htmlAttr.Key == "sandbox" {
+				sandboxFound = true
+				var cleanVals []string
+				cleanValsSet := make(map[string]bool)
+				for _, val := range strings.Fields(htmlAttr.Val) {
+					if p.requireSandboxOnIFrame[val] {
+						if !cleanValsSet[val] {
+							cleanVals = append(cleanVals, val)
+							cleanValsSet[val] = true
+						}
+					}
+				}
+				cleanAttrs[i].Val = strings.Join(cleanVals, " ")
+			}
+		}
+
+		if !sandboxFound {
+			sandbox := html.Attribute{}
+			sandbox.Key = "sandbox"
+			sandbox.Val = ""
+			cleanAttrs = append(cleanAttrs, sandbox)
+		}
+	}
+
 	return cleanAttrs
 }

@ -1058,4 +1126,4 @@ func escapeAttribute(val string) string {
 	val = strings.Replace(val, string([]rune{'\u00A0'}), `&nbsp;`, -1)
 	val = strings.Replace(val, `"`, `&quot;`, -1)
 	return val
-}
+}
--- a/vendor/github.com/microcosm-cc/bluemonday/stringwriterwriter_go1.12.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/stringwriterwriter_go1.12.go
@ -1,3 +1,4 @@
+//go:build go1.12
 // +build go1.12

 package bluemonday
--- a/vendor/github.com/microcosm-cc/bluemonday/stringwriterwriter_ltgo1.12.go
+++ b/vendor/github.com/microcosm-cc/bluemonday/stringwriterwriter_ltgo1.12.go
@ -1,3 +1,4 @@
+//go:build go1.1 && !go1.12
 // +build go1.1,!go1.12

 package bluemonday
--- a/vendor/github.com/openshift-online/ocm-sdk-go/authentication/context.go
+++ b/vendor/github.com/openshift-online/ocm-sdk-go/authentication/context.go
@ -22,7 +22,7 @@ import (
 	"context"
 	"fmt"

-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 )

 // ContextWithToken creates a new context containing the given token.
--- a/vendor/github.com/openshift-online/ocm-sdk-go/authentication/handler.go
+++ b/vendor/github.com/openshift-online/ocm-sdk-go/authentication/handler.go
@ -35,8 +35,8 @@ import (
 	"sync"
 	"time"

-	"github.com/ghodss/yaml"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
+	"gopkg.in/yaml.v3"

 	"github.com/openshift-online/ocm-sdk-go/errors"
 	"github.com/openshift-online/ocm-sdk-go/logging"
@ -388,8 +388,8 @@ func (b *HandlerBuilder) Build() (handler *Handler, err error) {

 // aclItem is the type used to read a single ACL item from a YAML document.
 type aclItem struct {
-	Claim   string `json:"claim"`
-	Pattern string `json:"pattern"`
+	Claim   string `yaml:"claim"`
+	Pattern string `yaml:"pattern"`
 }

 // loadACLFile loads the given ACL file into the given map of ACL items.
--- a/vendor/github.com/openshift-online/ocm-sdk-go/authentication/helpers.go
+++ b/vendor/github.com/openshift-online/ocm-sdk-go/authentication/helpers.go
@ -22,7 +22,7 @@ import (
 	"fmt"
 	"time"

-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 )

 // tokenRemaining determines if the given token will eventually expire (offile access tokens and
--- a/vendor/github.com/openshift-online/ocm-sdk-go/authentication/token_info.go
+++ b/vendor/github.com/openshift-online/ocm-sdk-go/authentication/token_info.go
@ -16,7 +16,9 @@ limitations under the License.

 package authentication

-import "github.com/golang-jwt/jwt"
+import (
+	"github.com/golang-jwt/jwt/v4"
+)

 // tokenInfo stores information about a token. We need to store both the original text and the
 // parsed objects because some tokens (refresh tokens in particular) may be opaque strings instead
--- a/vendor/github.com/openshift-online/ocm-sdk-go/authentication/transport_wrapper.go
+++ b/vendor/github.com/openshift-online/ocm-sdk-go/authentication/transport_wrapper.go
@ -22,23 +22,24 @@ package authentication
 import (
 	"bytes"
 	"context"
+	"encoding/base64"
 	"encoding/json"
-	"sync"
-
 	"fmt"
 	"io/ioutil"
 	"net/http"
 	"net/url"
 	"strconv"
 	"strings"
+	"sync"
 	"time"

-	//
 	"github.com/cenkalti/backoff/v4"
-	jwt "github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/google/uuid"
+	"github.com/prometheus/client_golang/prometheus"
+
 	"github.com/openshift-online/ocm-sdk-go/internal"
 	"github.com/openshift-online/ocm-sdk-go/logging"
-	"github.com/prometheus/client_golang/prometheus"
 )

 // Default values:
@ -80,20 +81,21 @@ type TransportWrapperBuilder struct {
 // one that adds authorization tokens to requests.
 type TransportWrapper struct {
 	// Fields used for basic functionality:
-	logger         logging.Logger
-	clientID       string
-	clientSecret   string
-	user           string
-	password       string
-	scopes         []string
-	agent          string
-	clientSelector *internal.ClientSelector
-	tokenURL       string
-	tokenServer    *internal.ServerAddress
-	tokenMutex     *sync.Mutex
-	tokenParser    *jwt.Parser
-	accessToken    *tokenInfo
-	refreshToken   *tokenInfo
+	logger                logging.Logger
+	clientID              string
+	clientSecret          string
+	user                  string
+	password              string
+	scopes                []string
+	agent                 string
+	clientSelector        *internal.ClientSelector
+	tokenURL              string
+	tokenServer           *internal.ServerAddress
+	tokenMutex            *sync.Mutex
+	tokenParser           *jwt.Parser
+	accessToken           *tokenInfo
+	refreshToken          *tokenInfo
+	pullSecretAccessToken *tokenInfo

 	// Fields used for metrics:
 	metricsSubsystem    string
@ -343,21 +345,43 @@ func (b *TransportWrapperBuilder) Build(ctx context.Context) (result *TransportW
 	// Parse the tokens:
 	var accessToken *tokenInfo
 	var refreshToken *tokenInfo
+	var pullSecretAccessToken *tokenInfo
 	for i, text := range b.tokens {
 		var object *jwt.Token
+
 		object, _, err = tokenParser.ParseUnverified(text, jwt.MapClaims{})
 		if err != nil {
 			b.logger.Debug(
 				ctx,
-				"Can't parse token %d, will assume that it is an opaque "+
-					"refresh token: %v",
+				"Can't parse token %d, will assume that it is either an "+
+					"opaque refresh token or pull secret access token: %v",
 				i, err,
 			)
-			refreshToken = &tokenInfo{
+
+			// Attempt to detect/parse the token as a pull-secret access token
+			err := parsePullSecretAccessToken(text)
+			if err != nil {
+				b.logger.Debug(
+					ctx,
+					"Can't parse pull secret access token %d, will assume "+
+						"that it is an opaque refresh token: %v",
+					i, err,
+				)
+
+				// Not a pull-secret access token, so assume a opaque refresh token
+				refreshToken = &tokenInfo{
+					text: text,
+				}
+				continue
+			}
+
+			// Parsing as a pull-secret access token was successful, treat it as such
+			pullSecretAccessToken = &tokenInfo{
 				text: text,
 			}
 			continue
 		}
+
 		claims, ok := object.Claims.(jwt.MapClaims)
 		if !ok {
 			err = fmt.Errorf("claims of token %d are of type '%T'", i, claims)
@ -525,24 +549,25 @@ func (b *TransportWrapperBuilder) Build(ctx context.Context) (result *TransportW

 	// Create and populate the object:
 	result = &TransportWrapper{
-		logger:              b.logger,
-		clientID:            clientID,
-		clientSecret:        clientSecret,
-		user:                b.user,
-		password:            b.password,
-		scopes:              scopes,
-		agent:               b.agent,
-		clientSelector:      clientSelector,
-		tokenURL:            tokenURL,
-		tokenServer:         tokenServer,
-		tokenMutex:          &sync.Mutex{},
-		tokenParser:         tokenParser,
-		accessToken:         accessToken,
-		refreshToken:        refreshToken,
-		metricsSubsystem:    b.metricsSubsystem,
-		metricsRegisterer:   b.metricsRegisterer,
-		tokenCountMetric:    tokenCountMetric,
-		tokenDurationMetric: tokenDurationMetric,
+		logger:                b.logger,
+		clientID:              clientID,
+		clientSecret:          clientSecret,
+		user:                  b.user,
+		password:              b.password,
+		scopes:                scopes,
+		agent:                 b.agent,
+		clientSelector:        clientSelector,
+		tokenURL:              tokenURL,
+		tokenServer:           tokenServer,
+		tokenMutex:            &sync.Mutex{},
+		tokenParser:           tokenParser,
+		accessToken:           accessToken,
+		refreshToken:          refreshToken,
+		pullSecretAccessToken: pullSecretAccessToken,
+		metricsSubsystem:      b.metricsSubsystem,
+		metricsRegisterer:     b.metricsRegisterer,
+		tokenCountMetric:      tokenCountMetric,
+		tokenDurationMetric:   tokenDurationMetric,
 	}

 	return
@ -615,8 +640,16 @@ func (t *roundTripper) RoundTrip(request *http.Request) (response *http.Response
 	if request.Header == nil {
 		request.Header = make(http.Header)
 	}
+
+	// If the access token is a pull-secret-access-token type, a
+	// different Authorization header must be used
 	if token != "" {
-		request.Header.Set("Authorization", "Bearer "+token)
+		if err := parsePullSecretAccessToken(token); err == nil {
+			// It is a pull-secret access token
+			request.Header.Set("Authorization", "AccessToken "+token)
+		} else {
+			request.Header.Set("Authorization", "Bearer "+token)
+		}
 	}

 	// Call the wrapped transport:
@ -690,6 +723,12 @@ func (w *TransportWrapper) tokens(ctx context.Context, attempt int,
 	w.tokenMutex.Lock()
 	defer w.tokenMutex.Unlock()

+	// A pull-secret access token can just be used as-is
+	if w.pullSecretAccessToken != nil {
+		access = w.pullSecretAccessToken.text
+		return
+	}
+
 	// Check the expiration times of the tokens:
 	now := time.Now()
 	var accessExpires bool
@ -1042,6 +1081,25 @@ func (w *TransportWrapper) debugExpiry(ctx context.Context, typ string, token *t
 	}
 }

+// parsePullSecretAccessToken will parse the supplied token to verify conformity
+// with that of a pull secret access token. A pull secret access token is of the
+// form <cluster id>:<Base64d pull secret token>.
+func parsePullSecretAccessToken(text string) error {
+	elems := strings.Split(text, ":")
+	if len(elems) != 2 {
+		return fmt.Errorf("Unparseable pull secret token")
+	}
+	_, err := uuid.Parse(elems[0])
+	if err != nil {
+		return fmt.Errorf("Unparseable pull secret token cluster ID")
+	}
+	_, err = base64.StdEncoding.DecodeString(elems[1])
+	if err != nil {
+		return fmt.Errorf("Unparseable pull secret token value")
+	}
+	return nil
+}
+
 // Names of fields in the token form:
 const (
 	grantTypeField    = "grant_type"
--- a/vendor/github.com/openshift-online/ocm-sdk-go/errors/errors.go
+++ b/vendor/github.com/openshift-online/ocm-sdk-go/errors/errors.go
@ -40,6 +40,7 @@ const ErrorNilKind = "ErrorNil"
 // ErrorBuilder is a builder for the error type.
 type ErrorBuilder struct {
 	bitmap_     uint32
+	status      int
 	id          string
 	href        string
 	code        string
@ -51,6 +52,7 @@ type ErrorBuilder struct {
 // Error represents errors.
 type Error struct {
 	bitmap_     uint32
+	status      int
 	id          string
 	href        string
 	code        string
@ -64,51 +66,76 @@ func NewError() *ErrorBuilder {
 	return &ErrorBuilder{}
 }

+// Status sets the HTTP status code.
+func (b *ErrorBuilder) Status(value int) *ErrorBuilder {
+	b.status = value
+	b.bitmap_ |= 1
+	return b
+}
+
 // ID sets the identifier of the error.
 func (b *ErrorBuilder) ID(value string) *ErrorBuilder {
 	b.id = value
-	b.bitmap_ |= 1
+	b.bitmap_ |= 2
 	return b
 }

 // HREF sets the link of the error.
 func (b *ErrorBuilder) HREF(value string) *ErrorBuilder {
 	b.href = value
-	b.bitmap_ |= 2
+	b.bitmap_ |= 4
 	return b
 }

 // Code sets the code of the error.
 func (b *ErrorBuilder) Code(value string) *ErrorBuilder {
 	b.code = value
-	b.bitmap_ |= 4
+	b.bitmap_ |= 8
 	return b
 }

 // Reason sets the reason of the error.
 func (b *ErrorBuilder) Reason(value string) *ErrorBuilder {
 	b.reason = value
-	b.bitmap_ |= 8
+	b.bitmap_ |= 16
 	return b
 }

 // OperationID sets the identifier of the operation that caused the error.
 func (b *ErrorBuilder) OperationID(value string) *ErrorBuilder {
 	b.operationID = value
-	b.bitmap_ |= 16
+	b.bitmap_ |= 32
 	return b
 }

 // Details sets additional details of the error.
 func (b *ErrorBuilder) Details(value interface{}) *ErrorBuilder {
 	b.details = value
-	b.bitmap_ |= 32
+	b.bitmap_ |= 64
+	return b
+}
+
+// Copy copies the attributes of the given error into this
+// builder, discarding any previous values.
+func (b *ErrorBuilder) Copy(object *Error) *ErrorBuilder {
+	if object == nil {
+		return b
+	}
+	b.bitmap_ = object.bitmap_
+	b.status = object.status
+	b.id = object.id
+	b.href = object.href
+	b.code = object.code
+	b.reason = object.reason
+	b.details = object.details
+	b.operationID = object.operationID
 	return b
 }

 // Build uses the information stored in the builder to create a new error object.
 func (b *ErrorBuilder) Build() (result *Error, err error) {
 	result = &Error{
+		status:      b.status,
 		id:          b.id,
 		href:        b.href,
 		code:        b.code,
@ -128,9 +155,27 @@ func (e *Error) Kind() string {
 	return ErrorKind
 }

+// Status returns the HTTP status code.
+func (e *Error) Status() int {
+	if e != nil && e.bitmap_&1 != 0 {
+		return e.status
+	}
+	return 0
+}
+
+// GetStatus returns the HTTP status code of the error and a flag indicating
+// if the status has a value.
+func (e *Error) GetStatus() (value int, ok bool) {
+	ok = e != nil && e.bitmap_&1 != 0
+	if ok {
+		value = e.status
+	}
+	return
+}
+
 // ID returns the identifier of the error.
 func (e *Error) ID() string {
-	if e != nil && e.bitmap_&1 != 0 {
+	if e != nil && e.bitmap_&2 != 0 {
 		return e.id
 	}
 	return ""
@ -139,7 +184,7 @@ func (e *Error) ID() string {
 // GetID returns the identifier of the error and a flag indicating if the
 // identifier has a value.
 func (e *Error) GetID() (value string, ok bool) {
-	ok = e != nil && e.bitmap_&1 != 0
+	ok = e != nil && e.bitmap_&2 != 0
 	if ok {
 		value = e.id
 	}
@ -148,7 +193,7 @@ func (e *Error) GetID() (value string, ok bool) {

 // HREF returns the link to the error.
 func (e *Error) HREF() string {
-	if e != nil && e.bitmap_&2 != 0 {
+	if e != nil && e.bitmap_&4 != 0 {
 		return e.href
 	}
 	return ""
@ -157,7 +202,7 @@ func (e *Error) HREF() string {
 // GetHREF returns the link of the error and a flag indicating if the
 // link has a value.
 func (e *Error) GetHREF() (value string, ok bool) {
-	ok = e != nil && e.bitmap_&2 != 0
+	ok = e != nil && e.bitmap_&4 != 0
 	if ok {
 		value = e.href
 	}
@ -166,7 +211,7 @@ func (e *Error) GetHREF() (value string, ok bool) {

 // Code returns the code of the error.
 func (e *Error) Code() string {
-	if e != nil && e.bitmap_&4 != 0 {
+	if e != nil && e.bitmap_&8 != 0 {
 		return e.code
 	}
 	return ""
@ -175,7 +220,7 @@ func (e *Error) Code() string {
 // GetCode returns the link of the error and a flag indicating if the
 // code has a value.
 func (e *Error) GetCode() (value string, ok bool) {
-	ok = e != nil && e.bitmap_&4 != 0
+	ok = e != nil && e.bitmap_&8 != 0
 	if ok {
 		value = e.code
 	}
@ -184,7 +229,7 @@ func (e *Error) GetCode() (value string, ok bool) {

 // Reason returns the reason of the error.
 func (e *Error) Reason() string {
-	if e != nil && e.bitmap_&8 != 0 {
+	if e != nil && e.bitmap_&16 != 0 {
 		return e.reason
 	}
 	return ""
@ -193,7 +238,7 @@ func (e *Error) Reason() string {
 // GetReason returns the link of the error and a flag indicating if the
 // reason has a value.
 func (e *Error) GetReason() (value string, ok bool) {
-	ok = e != nil && e.bitmap_&8 != 0
+	ok = e != nil && e.bitmap_&16 != 0
 	if ok {
 		value = e.reason
 	}
@ -202,7 +247,7 @@ func (e *Error) GetReason() (value string, ok bool) {

 // OperationID returns the identifier of the operation that caused the error.
 func (e *Error) OperationID() string {
-	if e != nil && e.bitmap_&16 != 0 {
+	if e != nil && e.bitmap_&32 != 0 {
 		return e.operationID
 	}
 	return ""
@ -211,7 +256,7 @@ func (e *Error) OperationID() string {
 // GetOperationID returns the identifier of the operation that caused the error and
 // a flag indicating if that identifier does have a value.
 func (e *Error) GetOperationID() (value string, ok bool) {
-	ok = e != nil && e.bitmap_&16 != 0
+	ok = e != nil && e.bitmap_&32 != 0
 	if ok {
 		value = e.operationID
 	}
@ -220,7 +265,7 @@ func (e *Error) GetOperationID() (value string, ok bool) {

 // Details returns the details of the error
 func (e *Error) Details() interface{} {
-	if e != nil && e.bitmap_&32 != 0 {
+	if e != nil && e.bitmap_&64 != 0 {
 		return e.details
 	}
 	return nil
@ -229,7 +274,7 @@ func (e *Error) Details() interface{} {
 // GetDetails returns the details of the error and a flag
 // indicating if the details have a value.
 func (e *Error) GetDetails() (value interface{}, ok bool) {
-	ok = e != nil && e.bitmap_&32 != 0
+	ok = e != nil && e.bitmap_&64 != 0
 	if ok {
 		value = e.details
 	}
@ -239,13 +284,16 @@ func (e *Error) GetDetails() (value interface{}, ok bool) {
 // Error is the implementation of the error interface.
 func (e *Error) Error() string {
 	chunks := make([]string, 0, 3)
-	if e.id != "" {
+	if e.bitmap_&1 != 0 {
+		chunks = append(chunks, fmt.Sprintf("status is %d", e.status))
+	}
+	if e.bitmap_&2 != 0 {
 		chunks = append(chunks, fmt.Sprintf("identifier is '%s'", e.id))
 	}
-	if e.code != "" {
+	if e.bitmap_&8 != 0 {
 		chunks = append(chunks, fmt.Sprintf("code is '%s'", e.code))
 	}
-	if e.operationID != "" {
+	if e.bitmap_&32 != 0 {
 		chunks = append(chunks, fmt.Sprintf("operation identifier is '%s'", e.operationID))
 	}
 	var result string
@ -255,7 +303,7 @@ func (e *Error) Error() string {
 	} else if size > 1 {
 		result = strings.Join(chunks[0:size-1], ", ") + " and " + chunks[size-1]
 	}
-	if e.reason != "" {
+	if e.bitmap_&16 != 0 {
 		if result != "" {
 			result = result + ": "
 		}
@ -283,6 +331,18 @@ func UnmarshalError(source interface{}) (object *Error, err error) {
 	err = iterator.Error
 	return
 }
+
+// UnmarshalErrorStatus reads an error from the given source and sets
+// the given status code.
+func UnmarshalErrorStatus(source interface{}, status int) (object *Error, err error) {
+	object, err = UnmarshalError(source)
+	if err != nil {
+		return
+	}
+	object.status = status
+	object.bitmap_ |= 1
+	return
+}
 func readError(iterator *jsoniter.Iterator) *Error {
 	object := &Error{}
 	for {
@ -291,24 +351,27 @@ func readError(iterator *jsoniter.Iterator) *Error {
 			break
 		}
 		switch field {
+		case "status":
+			object.status = iterator.ReadInt()
+			object.bitmap_ |= 1
 		case "id":
 			object.id = iterator.ReadString()
-			object.bitmap_ |= 1
+			object.bitmap_ |= 2
 		case "href":
 			object.href = iterator.ReadString()
-			object.bitmap_ |= 2
+			object.bitmap_ |= 4
 		case "code":
 			object.code = iterator.ReadString()
-			object.bitmap_ |= 4
+			object.bitmap_ |= 8
 		case "reason":
 			object.reason = iterator.ReadString()
-			object.bitmap_ |= 8
+			object.bitmap_ |= 16
 		case "operation_id":
 			object.operationID = iterator.ReadString()
-			object.bitmap_ |= 16
+			object.bitmap_ |= 32
 		case "details":
 			object.details = iterator.ReadAny().GetInterface()
-			object.bitmap_ |= 32
+			object.bitmap_ |= 64
 		default:
 			iterator.ReadAny()
 		}
@ -320,7 +383,10 @@ func readError(iterator *jsoniter.Iterator) *Error {
 func MarshalError(e *Error, writer io.Writer) error {
 	stream := helpers.NewStream(writer)
 	writeError(e, stream)
-	stream.Flush()
+	err := stream.Flush()
+	if err != nil {
+		return err
+	}
 	return stream.Error
 }
 func writeError(e *Error, stream *jsoniter.Stream) {
@ -328,31 +394,36 @@ func writeError(e *Error, stream *jsoniter.Stream) {
 	stream.WriteObjectField("kind")
 	stream.WriteString(ErrorKind)
 	if e.bitmap_&1 != 0 {
+		stream.WriteMore()
+		stream.WriteObjectField("status")
+		stream.WriteInt(e.status)
+	}
+	if e.bitmap_&2 != 0 {
 		stream.WriteMore()
 		stream.WriteObjectField("id")
 		stream.WriteString(e.id)
 	}
-	if e.bitmap_&2 != 0 {
+	if e.bitmap_&4 != 0 {
 		stream.WriteMore()
 		stream.WriteObjectField("href")
 		stream.WriteString(e.href)
 	}
-	if e.bitmap_&4 != 0 {
+	if e.bitmap_&8 != 0 {
 		stream.WriteMore()
 		stream.WriteObjectField("code")
 		stream.WriteString(e.code)
 	}
-	if e.bitmap_&8 != 0 {
+	if e.bitmap_&16 != 0 {
 		stream.WriteMore()
 		stream.WriteObjectField("reason")
 		stream.WriteString(e.reason)
 	}
-	if e.bitmap_&16 != 0 {
+	if e.bitmap_&32 != 0 {
 		stream.WriteMore()
 		stream.WriteObjectField("operation_id")
 		stream.WriteString(e.operationID)
 	}
-	if e.bitmap_&32 != 0 {
+	if e.bitmap_&64 != 0 {
 		stream.WriteMore()
 		stream.WriteObjectField("details")
 		stream.WriteVal(e.details)
--- a/vendor/github.com/openshift-online/ocm-sdk-go/helpers/helpers.go
+++ b/vendor/github.com/openshift-online/ocm-sdk-go/helpers/helpers.go
@ -34,7 +34,14 @@ func AddValue(query *url.Values, name string, value interface{}) {
 	if *query == nil {
 		*query = make(url.Values)
 	}
-	query.Add(name, fmt.Sprintf("%v", value))
+	var text string
+	switch typed := value.(type) {
+	case time.Time:
+		text = typed.UTC().Format(time.RFC3339)
+	default:
+		text = fmt.Sprintf("%v", value)
+	}
+	query.Add(name, text)
 }

 // CopyQuery creates a copy of the given set of query parameters.
@ -67,6 +74,12 @@ func CopyHeader(header http.Header) http.Header {
 	return result
 }

+const impersonateUserHeader = "Impersonate-User"
+
+func AddImpersonationHeader(header *http.Header, user string) {
+	AddHeader(header, impersonateUserHeader, user)
+}
+
 // CopyValues copies a slice of strings.
 func CopyValues(values []string) []string {
 	if values == nil {
@ -113,6 +126,7 @@ func PollContext(
 	// Create a cancellable context so that we can explicitly cancel it when we know that the next
 	// iteration of the loop will be after the deadline:
 	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()

 	// If no expected status has been explicitly specified then add the default:
 	if len(statuses) == 0 {
--- a/vendor/github.com/openshift-online/ocm-sdk-go/internal/client_selector.go
+++ b/vendor/github.com/openshift-online/ocm-sdk-go/internal/client_selector.go
@ -349,23 +349,12 @@ func (s *ClientSelector) createTransport(ctx context.Context,
 				dialer := net.Dialer{}
 				return dialer.DialContext(ctx, UnixNetwork, address.Socket)
 			}
-			transport.DialTLS = func(_, _ string) (net.Conn, error) { // nolint
-				// TODO: This ignores the passed context because it isn't currently
-				// supported. Once we migrate to Go 1.15 it should be done like
-				// this:
-				//
-				//	transport.DialTLSContext = func(ctx context.Context,
-				//		_, _ string) (net.Conn, error) {
-				//		dialer := tls.Dialer{
-				//			Config: config,
-				//		}
-				//		return dialer.DialContext(ctx, network, address.Socket)
-				//	}
-				//
-				// This will only have a negative impact in applications that
-				// specify a deadline or timeout in the passed context, as it
-				// will be ignored.
-				return tls.Dial(UnixNetwork, address.Socket, config)
+			transport.DialTLSContext = func(ctx context.Context, _, _ string) (net.Conn,
+				error) {
+				dialer := tls.Dialer{
+					Config: config,
+				}
+				return dialer.DialContext(ctx, UnixNetwork, address.Socket)
 			}
 		}

--- a/vendor/github.com/openshift-online/ocm-sdk-go/internal/system_cas_other.go
+++ b/vendor/github.com/openshift-online/ocm-sdk-go/internal/system_cas_other.go
@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows

 /*
--- a/vendor/github.com/openshift-online/ocm-sdk-go/internal/system_cas_windows.go
+++ b/vendor/github.com/openshift-online/ocm-sdk-go/internal/system_cas_windows.go
@ -1,3 +1,4 @@
+//go:build windows
 // +build windows

 /*
@ -34,18 +35,65 @@ import (
 // can do (or know to do) till Go learns to read the Windows CA trust store.
 func loadSystemCAs() (pool *x509.CertPool, err error) {
 	pool = x509.NewCertPool()
-	pool.AppendCertsFromPEM(ssoCA)
+	pool.AppendCertsFromPEM(ssoCA1)
+	pool.AppendCertsFromPEM(ssoCA2)
 	pool.AppendCertsFromPEM(apiCA1)
 	pool.AppendCertsFromPEM(apiCA2)
 	return
 }

-// This certificate has been obtained with the following command:
+// The SSO certificates has been obtained with the following command:
 //
-//	$ openssl s_client \
-//	-connect sso.redhat.com:443 \
-//	-showcerts
-var ssoCA = []byte(`
+//	$ openssl s_client -connect sso.redhat.com:443 -showcerts
+var ssoCA1 = []byte(`
+-----BEGIN CERTIFICATE-----
+MIIH5jCCBs6gAwIBAgIQCXX/who4sAsoWCcqTgTIwDANBgkqhkiG9w0BAQsFADB1
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
+IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTIxMTIwMTAwMDAwMFoXDTIyMTIwMTIz
+NTk1OVowgcoxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB
+BAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQF
+EwcyOTQ1NDM2MQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xpbmEx
+EDAOBgNVBAcTB1JhbGVpZ2gxFjAUBgNVBAoTDVJlZCBIYXQsIEluYy4xFzAVBgNV
+BAMTDnNzby5yZWRoYXQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAuJ3OufFJ2mm6s5DcS8QQ2HukHUVwVbooK8nT5VFm2xl1TcL18iEhUr+nBlSg
+tG6JvLch7GwZ9vO64sxbDLOck7cVHU5ddu59Wv/KwKiwe9Hs6D7bCxQhUINWrFEN
+3nPaBPLMOdPBawpbtO9Uh+2+aPG4gQASztb40wa0eEnwhe4QjEWhGBx5eshxg8xX
+CokWLucwR19GQxkDCRYlSHZ8FM3h8GVKULrUAiiwANkIXZ5ffKDCr//xxIy6Qt5F
+zGc3SExQxM5aRnIi24hzasyIYgK0wUBl9bfvMSHQRpe/oDQ7pVG+DM/DMsgqbPpa
+363b9liTwcWaWNIfNOPiuUz0eQIDAQABo4IEGjCCBBYwHwYDVR0jBBgwFoAUPdNQ
+pdagre7zSmAKZdMh1Pj41g8wHQYDVR0OBBYEFOcUAXLthwGqFZOEpHQzU3vqeYs2
+MIHEBgNVHREEgbwwgbmCFHNzby5zdGFnZS5yZWRoYXQuY29tgg5zc28ucmVkaGF0
+LmNvbYIVb2NzcC5zdGFnZS5yZWRoYXQuY29tgg9vY3NwLnJlZGhhdC5jb22CF29j
+c3AucHJlcHJvZC5yZWRoYXQuY29tghNvY3NwLmRldi5yZWRoYXQuY29tghVhdXRo
+LnN0YWdlLnJlZGhhdC5jb22CD2F1dGgucmVkaGF0LmNvbYITYXV0aC5kZXYucmVk
+aGF0LmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
+AQUFBwMCMHUGA1UdHwRuMGwwNKAyoDCGLmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNv
+bS9zaGEyLWV2LXNlcnZlci1nMy5jcmwwNKAyoDCGLmh0dHA6Ly9jcmw0LmRpZ2lj
+ZXJ0LmNvbS9zaGEyLWV2LXNlcnZlci1nMy5jcmwwSgYDVR0gBEMwQTALBglghkgB
+hv1sAgEwMgYFZ4EMAQEwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2Vy
+dC5jb20vQ1BTMIGIBggrBgEFBQcBAQR8MHowJAYIKwYBBQUHMAGGGGh0dHA6Ly9v
+Y3NwLmRpZ2ljZXJ0LmNvbTBSBggrBgEFBQcwAoZGaHR0cDovL2NhY2VydHMuZGln
+aWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkV4dGVuZGVkVmFsaWRhdGlvblNlcnZlckNB
+LmNydDAMBgNVHRMBAf8EAjAAMIIBgAYKKwYBBAHWeQIEAgSCAXAEggFsAWoAdwAp
+eb7wnjk5IfBWc59jpXflvld9nGAK+PlNXSZcJV3HhAAAAX126giiAAAEAwBIMEYC
+IQCpy8SAGEcmYEIHk8WJeJGX2FrLXf2xgvMfQwI+tCVFagIhALaVEmIsytgKw36M
+PZuMdMutuBxIYod3QDCJPm/Rp7W6AHcAUaOw9f0BeZxWbbg3eI8MpHrMGyfL956I
+QpoN/tSLBeUAAAF9duoIdgAABAMASDBGAiEAzFInu58+b4YTNxVBxeMjADGM8VEc
+GYZeVOV1yTVvI4ICIQDoW/o+hz0chsuGtxiHTl7+gDv3XBItNNmOJHS6pxwNwAB2
+AEHIyrHfIkZKEMahOglCh15OMYsbA+vrS8do8JBilgb2AAABfXbqCPsAAAQDAEcw
+RQIhAIc96iDui/2j/56OXDMERH33bC1LoehOhUN1anvZhT6QAiAge864T+lTU9vK
+kZ3pp30K95Jtr+qsaSBQ8PFQjE38UDANBgkqhkiG9w0BAQsFAAOCAQEAwK1NVoNb
+GT9W5AWkjeu2rbJUeo+06lgVJtCV4sS8dIkloKfFFn/aZ1tBmiia+i6do5Zej+pZ
+vf33jr3OxCWEDKoNFA3kjLx6JwSpYovcaVccTE7HnNrS05wwEN8pTcoDIVYBgnEh
+FLlMJ8X4c1ba+1ZE08ZzoJAKNLFcl3Hz7Mt/Umg/oSbNZcJINWvpERwUDKqscPIQ
+ZVSFgKGfs4Rdcv+ZXZBgTnN5eNWA6ryySsQuoJDhsHBYcXKLGKu8qemwYfaGVMzo
+ER7HUMzQI3HxQyX5t+feEaU6Vjjrq9/pFwZyaYlji205jEHWqaGEgJpNlIVY+/PT
+/5lvjY2E7c4fmw==
+-----END CERTIFICATE-----
+`)
+
+var ssoCA2 = []byte(`
 -----BEGIN CERTIFICATE-----
 MIIEtjCCA56gAwIBAgIQDHmpRLCMEZUgkmFf4msdgzANBgkqhkiG9w0BAQsFADBs
 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
@ -76,74 +124,67 @@ oVWNWlZopCJwqjyBcdmdqEU79OX2olHdx3ti6G8MdOu42vi/hw15UJGQmxg7kVkn
 -----END CERTIFICATE-----
 `)

-// This certificate has been obtained with the following command:
+// The API certificates have been obtained with the following command:
 //
-//	$ openssl s_client \
-//	-connect api.openshift.com:443 \
-//	-showcerts
+//	$ openssl s_client -connect api.openshift.com:443 -showcerts
 var apiCA1 = []byte(`
 -----BEGIN CERTIFICATE-----
-MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
-WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
-RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
-R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
-sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
-NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
-Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
-/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
-AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
-FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
-AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
-Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
-gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
-PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
-ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
-CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
-lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
-avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
-yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
-yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
-hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
-HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
-MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
-nLRbwHOoq7hHwg==
+MIIFmzCCBSGgAwIBAgIQBQ+NDVzn4QRZqly06Ep3yjAKBggqhkjOPQQDAzBWMQsw
+CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTAwLgYDVQQDEydEaWdp
+Q2VydCBUTFMgSHlicmlkIEVDQyBTSEEzODQgMjAyMCBDQTEwHhcNMjIwNDI5MDAw
+MDAwWhcNMjMwNTAzMjM1OTU5WjBsMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9y
+dGggQ2Fyb2xpbmExEDAOBgNVBAcTB1JhbGVpZ2gxFjAUBgNVBAoTDVJlZCBIYXQs
+IEluYy4xGjAYBgNVBAMTEWFwaS5vcGVuc2hpZnQuY29tMHYwEAYHKoZIzj0CAQYF
+K4EEACIDYgAEGdA2EA1g7ynRHLSKRjOlyPtqPnFoEAadzuNqedwTWBN3bA16Q6tr
+j18rsF6kERbHmypiNMHDwymxQuYhEEJdlUL9zWnDl//Tt3P97WlJ0yQ96i478ofG
+E73IYHzK8C8No4IDnDCCA5gwHwYDVR0jBBgwFoAUCrwIKReMpTlteg7OM8cus+37
+w3owHQYDVR0OBBYEFJC5XsZwzzRxFn5ghyFFxkdygoynMDMGA1UdEQQsMCqCEWFw
+aS5vcGVuc2hpZnQuY29tghV3d3cuYXBpLm9wZW5zaGlmdC5jb20wDgYDVR0PAQH/
+BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBmwYDVR0fBIGT
+MIGQMEagRKBChkBodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNI
+eWJyaWRFQ0NTSEEzODQyMDIwQ0ExLTEuY3JsMEagRKBChkBodHRwOi8vY3JsNC5k
+aWdpY2VydC5jb20vRGlnaUNlcnRUTFNIeWJyaWRFQ0NTSEEzODQyMDIwQ0ExLTEu
+Y3JsMD4GA1UdIAQ3MDUwMwYGZ4EMAQICMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93
+d3cuZGlnaWNlcnQuY29tL0NQUzCBhQYIKwYBBQUHAQEEeTB3MCQGCCsGAQUFBzAB
+hhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wTwYIKwYBBQUHMAKGQ2h0dHA6Ly9j
+YWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5YnJpZEVDQ1NIQTM4NDIw
+MjBDQTEtMS5jcnQwCQYDVR0TBAIwADCCAX8GCisGAQQB1nkCBAIEggFvBIIBawFp
+AHcArfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgooAAAGAc3NizAAABAMA
+SDBGAiEAwR6POASNS3R+vdTvqP0LpoP0VB8m6JV3P8xn//Z10fYCIQDyV7C7V7yf
+XuXzorhEXWg2npekZVkT0fS7jTUSmZJgTgB2ADXPGRu/sWxXvw+tTG1Cy7u2JyAm
+Ueo/4SrvqAPDO9ZMAAABgHNzYsoAAAQDAEcwRQIgcTIfCrJMjzjuX3qnyR4lWwI9
+e7AIjAm7P+c9B7CpgoECIQDUhSzYogCMx5QdFqFEi18KlX89bjKscSukieVbzc98
+DwB2ALNzdwfhhFD4Y4bWBancEQlKeS2xZwwLh9zwAw55NqWaAAABgHNzYvwAAAQD
+AEcwRQIhAN3WIvRA3tejaDj1ceCPQgb4tK97AOqWbdzOa4CbA6+oAiAbv0wFXElw
+vuMPbYUjraXeyntGPfmTf/8MNlkd0aW20DAKBggqhkjOPQQDAwNoADBlAjEAiho0
+712CjvYGMezC6cF6V8+lPWjb1PGRXzTMNYNBvUp0jCla5oznm6hLRpcqw8z3AjAq
+sjE4cTA4Jy91GD6dAwd9uhwvEl5IpHIMb8GkxOybDAAHsioc3AGlfXFuls9GBdc=
 -----END CERTIFICATE-----
 `)

 var apiCA2 = []byte(`
 -----BEGIN CERTIFICATE-----
-MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
-ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
-wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
-LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
-4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
-bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
-sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
-Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
-FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
-SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
-PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
-TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
-SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
-c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
-+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
-ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
-b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
-U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
-MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
-5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
-9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
-WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
-he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
-Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+MIIEFzCCAv+gAwIBAgIQB/LzXIeod6967+lHmTUlvTANBgkqhkiG9w0BAQwFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+QTAeFw0yMTA0MTQwMDAwMDBaFw0zMTA0MTMyMzU5NTlaMFYxCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxMDAuBgNVBAMTJ0RpZ2lDZXJ0IFRMUyBI
+eWJyaWQgRUNDIFNIQTM4NCAyMDIwIENBMTB2MBAGByqGSM49AgEGBSuBBAAiA2IA
+BMEbxppbmNmkKaDp1AS12+umsmxVwP/tmMZJLwYnUcu/cMEFesOxnYeJuq20ExfJ
+qLSDyLiQ0cx0NTY8g3KwtdD3ImnI8YDEe0CPz2iHJlw5ifFNkU3aiYvkA8ND5b8v
+c6OCAYIwggF+MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFAq8CCkXjKU5
+bXoOzjPHLrPt+8N6MB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA4G
+A1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdgYI
+KwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j
+b20wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdp
+Q2VydEdsb2JhbFJvb3RDQS5jcnQwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2Ny
+bDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNybDA9BgNVHSAE
+NjA0MAsGCWCGSAGG/WwCATAHBgVngQwBATAIBgZngQwBAgEwCAYGZ4EMAQICMAgG
+BmeBDAECAzANBgkqhkiG9w0BAQwFAAOCAQEAR1mBf9QbH7Bx9phdGLqYR5iwfnYr
+6v8ai6wms0KNMeZK6BnQ79oU59cUkqGS8qcuLa/7Hfb7U7CKP/zYFgrpsC62pQsY
+kDUmotr2qLcy/JUjS8ZFucTP5Hzu5sn4kL1y45nDHQsFfGqXbbKrAjbYwrwsAZI/
+BKOLdRHHuSm8EdCGupK8JvllyDfNJvaGEwwEqonleLHBTnm8dqMLUeTF0J5q/hos
+Vq4GNiejcxwIfZMy0MJEGdqN9A57HSgDKwmKdsp33Id6rHtSJlWncg+d0ohP/rEh
+xRqhqjn1VtvChMQ1H3Dau0bwhr9kAMQ+959GG50jBbl9s08PqUU643QwmA==
 -----END CERTIFICATE-----
 `)