Merge main (at 5fe94c4e) into github_identity_provider

Dockerfile

@@ -1,10 +1,10 @@
 # syntax=docker/dockerfile:1
 
-# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-ARG BUILD_IMAGE=golang:1.22.1@sha256:0b55ab82ac2a54a6f8f85ec8b943b9e470c39e32c109b766bbc1b801f3fa8d3b
-ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:55c636171053dbc8ae07a280023bd787d2921f10e569f3e319f1539076dbba11
+ARG BUILD_IMAGE=golang:1.22.2@sha256:450e3822c7a135e1463cd83e51c8e2eb03b86a02113c89424e6f0f8344bb4168
+ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:f41b84cda410b05cc690c2e33d1973a31c6165a2721e2b5343aab50fecb63441
 
 # Prepare to cross-compile by always running the build stage in the build platform, not the target platform.
 FROM --platform=$BUILDPLATFORM $BUILD_IMAGE as build-env

cmd/pinniped/cmd/kubeconfig_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -18,6 +18,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	kubetesting "k8s.io/client-go/testing"
 	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/utils/ptr"
 
 	conciergev1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
@@ -27,6 +28,7 @@ import (
 	"go.pinniped.dev/internal/here"
 	"go.pinniped.dev/internal/testutil"
 	"go.pinniped.dev/internal/testutil/testlogger"
+	"go.pinniped.dev/internal/testutil/tlsserver"
 )
 
 func TestGetKubeconfig(t *testing.T) {
@@ -3198,7 +3200,7 @@ func TestGetKubeconfig(t *testing.T) {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			var issuerEndpointPtr *string
-			issuerCABundle, issuerEndpoint := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) {
+			testServer, testServerCA := tlsserver.TestServerIPv4(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				w.Header().Set("content-type", "application/json")
 				switch r.URL.Path {
 				case "/.well-known/openid-configuration":
@@ -3226,8 +3228,8 @@ func TestGetKubeconfig(t *testing.T) {
 				default:
 					t.Fatalf("tried to call issuer at a path that wasn't one of the expected discovery endpoints.")
 				}
-			})
-			issuerEndpointPtr = &issuerEndpoint
+			}), nil)
+			issuerEndpointPtr = ptr.To(testServer.URL)
 
 			testLog := testlogger.NewLegacy(t) //nolint:staticcheck  // old test with lots of log statements
 			cmd := kubeconfigCommand(kubeconfigDeps{
@@ -3248,7 +3250,7 @@ func TestGetKubeconfig(t *testing.T) {
 					}
 					fake := fakeconciergeclientset.NewSimpleClientset()
 					if tt.conciergeObjects != nil {
-						fake = fakeconciergeclientset.NewSimpleClientset(tt.conciergeObjects(issuerCABundle, issuerEndpoint)...)
+						fake = fakeconciergeclientset.NewSimpleClientset(tt.conciergeObjects(string(testServerCA), testServer.URL)...)
 					}
 					if len(tt.conciergeReactions) > 0 {
 						fake.ReactionChain = append(tt.conciergeReactions, fake.ReactionChain...)
@@ -3263,7 +3265,7 @@ func TestGetKubeconfig(t *testing.T) {
 			cmd.SetOut(&stdout)
 			cmd.SetErr(&stderr)
 
-			cmd.SetArgs(tt.args(issuerCABundle, issuerEndpoint))
+			cmd.SetArgs(tt.args(string(testServerCA), testServer.URL))
 
 			err := cmd.Execute()
 			if tt.wantError {
@@ -3274,19 +3276,19 @@ func TestGetKubeconfig(t *testing.T) {
 
 			var expectedLogs []string
 			if tt.wantLogs != nil {
-				expectedLogs = tt.wantLogs(issuerCABundle, issuerEndpoint)
+				expectedLogs = tt.wantLogs(string(testServerCA), testServer.URL)
 			}
 			testLog.Expect(expectedLogs)
 
 			expectedStdout := ""
 			if tt.wantStdout != nil {
-				expectedStdout = tt.wantStdout(issuerCABundle, issuerEndpoint)
+				expectedStdout = tt.wantStdout(string(testServerCA), testServer.URL)
 			}
 			require.Equal(t, expectedStdout, stdout.String(), "unexpected stdout")
 
 			actualStderr := stderr.String()
 			if tt.wantStderr != nil {
-				testutil.RequireErrorString(t, actualStderr, tt.wantStderr(issuerCABundle, issuerEndpoint))
+				testutil.RequireErrorString(t, actualStderr, tt.wantStderr(string(testServerCA), testServer.URL))
 			} else {
 				require.Empty(t, actualStderr, "unexpected stderr")
 			}

go.mod

@@ -29,17 +29,21 @@ replace go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttpt
 // This is an indirect dep which has CVE-2024-24786, so replace it with a fixed version
 replace google.golang.org/protobuf => google.golang.org/protobuf v1.33.0
 
+// https://github.com/coreos/go-oidc/releases/tag/v3.10.0 starts to use https://github.com/go-jose/go-jose/releases/tag/v4.0.0.
+// Unfortunately this has breaking changes.
+replace github.com/coreos/go-oidc/v3 => github.com/coreos/go-oidc/v3 v3.9.0
+
 require (
 	github.com/MakeNowJust/heredoc/v2 v2.0.1
-	github.com/chromedp/cdproto v0.0.0-20240312231614-1e5096e63154
+	github.com/chromedp/cdproto v0.0.0-20240328024531-fe04f09ede24
 	github.com/chromedp/chromedp v0.9.5
-	github.com/coreos/go-oidc/v3 v3.9.0
+	github.com/coreos/go-oidc/v3 v3.10.0
 	github.com/coreos/go-semver v0.3.1
 	github.com/creack/pty v1.1.21
 	github.com/davecgh/go-spew v1.1.1
 	github.com/felixge/httpsnoop v1.0.4
 	github.com/go-jose/go-jose/v3 v3.0.3
-	github.com/go-ldap/ldap/v3 v3.4.6
+	github.com/go-ldap/ldap/v3 v3.4.7
 	github.com/go-logr/logr v1.4.1
 	github.com/go-logr/stdr v1.2.2
 	github.com/go-logr/zapr v1.3.0
@@ -52,7 +56,7 @@ require (
 	github.com/gorilla/websocket v1.5.1
 	github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
-	github.com/ory/fosite v0.46.1
+	github.com/ory/fosite v0.46.2-0.20240403135905-5e039ca9eef1
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
 	github.com/pkg/errors v0.9.1
 	github.com/sclevine/spec v1.4.0
@@ -62,22 +66,22 @@ require (
 	github.com/tdewolff/minify/v2 v2.20.19
 	go.uber.org/mock v0.4.0
 	go.uber.org/zap v1.27.0
-	golang.org/x/crypto v0.21.0
-	golang.org/x/net v0.22.0
-	golang.org/x/oauth2 v0.18.0
-	golang.org/x/sync v0.6.0
-	golang.org/x/term v0.18.0
+	golang.org/x/crypto v0.22.0
+	golang.org/x/net v0.24.0
+	golang.org/x/oauth2 v0.19.0
+	golang.org/x/sync v0.7.0
+	golang.org/x/term v0.19.0
 	golang.org/x/text v0.14.0
 	k8s.io/api v0.29.3
 	k8s.io/apiextensions-apiserver v0.29.3
 	k8s.io/apimachinery v0.29.3
 	k8s.io/apiserver v0.29.3
 	k8s.io/client-go v0.29.3
 	k8s.io/component-base v0.29.3
-	k8s.io/gengo v0.0.0-20240310015720-9cff6334dab4
+	k8s.io/gengo v0.0.0-20240404160639-a0386bf69313
 	k8s.io/klog/v2 v2.120.1
 	k8s.io/kube-aggregator v0.29.3
-	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340
+	k8s.io/kube-openapi v0.0.0-20240411171206-dc4e619f62f3
 	k8s.io/utils v0.0.0-20240310230437-4693a0247e57
 	sigs.k8s.io/yaml v1.4.0
 )
@@ -182,10 +186,9 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc // indirect
 	golang.org/x/mod v0.15.0 // indirect
-	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/sys v0.19.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.18.0 // indirect
-	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect