Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.36.1 to 1.44.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.36.1...v1.44.0)
Also update akamai-purger integration test to avoid experimental API.
The `conn.GetState()` API is marked experimental and may change behavior
at any time. It appears to have changed between v1.36.1 and v1.44.0,
and so the akamai-purger integration tests which rely on it break.
Rather than writing our own loop which polls `conn.GetState()`, just
use the stable `WaitForReady(true)` connection option, and apply it to
all connections by setting it as a default option in the dial options.
The `go` directive inside go.mod determines certain behaviors of
the go command. Since we're using go 1.17 everywhere, we should
update our module's go directive to reflect that, and update its contents
to match the new behavior.
Particularly, updating to 1.17 here means that all indirect dependencies
are listed directly inside go.mod (in a separate block, to keep things clean),
and the go.sum and go.mod files are deleted from vendored dependencies
so that the go tool can correctly find the root of the module even when run
from a vendored dependency's subdirectory.
Followup from #5839.
I chose groupcache/lru as our LRU cache implementation because it's part
of the golang org, written by one of the Go authors, and very simple
and easy to read.
This adds an `AccountGetter` interface that is implemented by both the
AccountCache and the SA. If the WFE config includes an AccountCache field,
it will wrap the SA in an AccountCache with the configured max size and
expiration time.
We set an expiration time on account cache entries because we want a
bounded amount of time that they may be stale by. This will be used in
conjunction with a delay on account-updating pathways to ensure we don't
allow authentication with a deactivated account or changed key.
The account cache stores corepb.Registration objects because protobufs
have an established way to do a deep copy. Deep copies are important so
the cache can maintain its own internal state and ensure nothing external
is modifying it.
As part of this process I changed construction of the WFE. Previously,
"SA" and "RA" were public fields that were mutated after construction. Now
they are parameters to the constructor, along with the new "accountGetter"
parameter.
The cache includes stats for requests categorized by hits and misses.
This is a sort of proof of concept of the Redis interaction, which will
evolve into a tool for inspection and manual repair of missing entries,
if we find ourselves needing to do that.
The important bits here are rocsp/rocsp.go and
cmd/rocsp-tool/main.go. Also, the newly-vendored Redis client.
Update zlint from v3.2.0 to just past v3.3.0, pulling in both an update
to the zlint interface and a number of new and improved checks. In
particular, pull in `lint_dnsname_contains_prohibited_reserved_label`,
which checks that DNSNames do not begin with any two characters followed
by two dashes, unless those two leading characters are "xn".
Also, update our few custom lints to match the new zlint v3.3.0
interface.
Fixes#5720
Use the built-in grpc-go client and server interceptor chaining
utilities, instead of the ones provided by go-grpc-middleware.
Simplify our interceptors to call their handlers/invokers directly,
instead of delegating to the metrics interceptor, and add the
metrics interceptor to the chains instead.
Add Honeycomb tracing to all Boulder components which act as
HTTP servers, gRPC servers, or gRPC clients. Add many values
which we currently emit to logs to the trace spans. Add a way to
configure the Honeycomb integration to our config files, and by
default configure all of our tests to "mute" (send nothing).
Followup changes will refine the configuration, attempt to reduce
the new dependency load, and introduce better sampling.
Part of https://github.com/letsencrypt/dev-misc-tickets/issues/218
protoc now generates grpc code in a separate file from protobuf code.
Also, grpc servers are now required to embed an "unimplemented"
interface from the generated .pb.go file, which provides forward
compatibility.
Update the generate.go files since the invocation for protoc has changed
with the split into .pb.org and _grpc.pb.go.
Fixes#5368
Update the pinned version of zlint from v2.2.1 to v3.1.0.
Also update the relevant path from v2 to v3 in both go.mod
and in individual imports. Update the vendored files to match.
No changes from v2.2.1 to v3.1.0 appear to affect the lints
we directly care about (e.g. those that we explicitly ignore).
Fixes#5206
This brings in the following changes to zlint:
https://github.com/zmap/zlint/compare/v2.1.0...9ab0643
Importantly, this prevents the cert lifetime lint from triggering on
CA certs, and removes the OCSP url requirement lint entirely.
This version contains
go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e
which fixes CVE-2020-14040. All tests pass at tag v0.3.3 in the upstream repo.
Fixes#4877.
Updates publicsuffix-go to master (983d101) since it doesn't regularly
tag releases. This also pulls in a related update to x/net. All tests
pass.
Fixes#4818
There are some changes to the code generated in the latest version, so
this modifies every .pb.go file.
Also, the way protoc-gen-go decides where to put files has changed, so
each generate.go gets the --go_opt=paths=source_relative flag to
tell protoc to continue placing output next to the input.
Remove staticcheck from build.sh; we get it via golangci-lint now.
Pass --no-document to gem install fpm; this is recommended in the fpm docs.
This commit updates the `github.com/weppos/publicsuffix-go` dependency
to 8a37cc7, the tip of master at the time of writing, to pull in new PSL
data.
Upstream unit tests are confirmed to pass:
```
~/go/src/github.com/weppos/publicsuffix-go$ git log --pretty=format:'%h' -n 1
a723c5d
~/go/src/github.com/weppos/publicsuffix-go$ go test ./...
? github.com/weppos/publicsuffix-go/cmd/load [no test files]
ok github.com/weppos/publicsuffix-go/net/publicsuffix 0.008s
ok github.com/weppos/publicsuffix-go/publicsuffix 0.005s
? github.com/weppos/publicsuffix-go/publicsuffix/generator [no test files]
```
In 0804e97 we updated `github.com/go-sql-driver/mysql` to a pinned
commit (b4242bab7dc5) newer than the latest tagged release (v1.4.1) to
avoid needing to pull in an extra dep. that was removed since v1.4.1.
Unfortunately for reasons that are not perfectly clear updating
`github.com/google/certificate-transparency-go` is preferring v1.4.1
over the pseudo-version made from the commit newer than v1.4.1 that we
previously pinned.
Since there is movement on making a v1.5.0 go-sql-driver mysql release
tag and we can likely get ct-go to use that we'll temporarily accept
this downgrade to update ct-go.
Unit tests are confirmed to pass:
```
~/go/src/github.com/go-sql-driver/mysql$ git log --pretty=format:'%h' -n 1
72cd26f
~/go/src/github.com/go-sql-driver/mysql$ go test ./...
ok github.com/go-sql-driver/mysql 0.081s
```
Note: This dep bump introduces a harmless, but annoying, error log
to our service startup output of the form:
> E203318 boulder-ra 2PvBvwg [AUDIT] ccResolverWrapper: error parsing service config: no JSON service config provided
We previously addressed this with the upstream project
(30f4150eec)
but the problem has returned. Filed https://github.com/letsencrypt/boulder/issues/4628
as a follow-up to chase this down.
Unit tests are confirmed to pass:
```
~/go/src/google.golang.org/grpc$ git log --pretty=format:'%h' -n 1
1a3960e
~/go/src/google.golang.org/grpc$ go test ./...
ok google.golang.org/grpc 18.163s
? google.golang.org/grpc/backoff [no test files]
? google.golang.org/grpc/balancer [no test files]
? google.golang.org/grpc/balancer/base [no test files]
ok google.golang.org/grpc/balancer/grpclb 15.491s
? google.golang.org/grpc/balancer/grpclb/grpc_lb_v1 [no test files]
ok google.golang.org/grpc/balancer/roundrobin 0.349s
? google.golang.org/grpc/balancer/weightedroundrobin [no test files]
? google.golang.org/grpc/benchmark [no test files]
? google.golang.org/grpc/benchmark/benchmain [no test files]
? google.golang.org/grpc/benchmark/benchresult [no test files]
? google.golang.org/grpc/benchmark/client [no test files]
ok google.golang.org/grpc/benchmark/flags 0.001s
? google.golang.org/grpc/benchmark/grpc_testing [no test files]
ok google.golang.org/grpc/benchmark/latency 1.005s
ok google.golang.org/grpc/benchmark/primitives 0.001s [no tests to run]
? google.golang.org/grpc/benchmark/server [no test files]
? google.golang.org/grpc/benchmark/stats [no test files]
? google.golang.org/grpc/benchmark/worker [no test files]
? google.golang.org/grpc/binarylog/grpc_binarylog_v1 [no test files]
? google.golang.org/grpc/channelz/grpc_channelz_v1 [no test files]
ok google.golang.org/grpc/channelz/service 0.009s
ok google.golang.org/grpc/codes 0.002s
? google.golang.org/grpc/connectivity [no test files]
ok google.golang.org/grpc/credentials 0.017s
ok google.golang.org/grpc/credentials/alts 0.003s
? google.golang.org/grpc/credentials/alts/internal [no test files]
ok google.golang.org/grpc/credentials/alts/internal/authinfo 0.003s
ok google.golang.org/grpc/credentials/alts/internal/conn 0.079s
ok google.golang.org/grpc/credentials/alts/internal/handshaker 0.039s
ok google.golang.org/grpc/credentials/alts/internal/handshaker/service 0.007s
? google.golang.org/grpc/credentials/alts/internal/proto/grpc_gcp [no test files]
? google.golang.org/grpc/credentials/alts/internal/testutil [no test files]
? google.golang.org/grpc/credentials/google [no test files]
ok google.golang.org/grpc/credentials/internal 0.005s
? google.golang.org/grpc/credentials/oauth [no test files]
? google.golang.org/grpc/encoding [no test files]
? google.golang.org/grpc/encoding/gzip [no test files]
ok google.golang.org/grpc/encoding/proto 0.025s
? google.golang.org/grpc/examples/features/authentication/client [no test files]
? google.golang.org/grpc/examples/features/authentication/server [no test files]
? google.golang.org/grpc/examples/features/cancellation/client [no test files]
? google.golang.org/grpc/examples/features/cancellation/server [no test files]
? google.golang.org/grpc/examples/features/compression/client [no test files]
? google.golang.org/grpc/examples/features/compression/server [no test files]
? google.golang.org/grpc/examples/features/deadline/client [no test files]
? google.golang.org/grpc/examples/features/deadline/server [no test files]
? google.golang.org/grpc/examples/features/debugging/client [no test files]
? google.golang.org/grpc/examples/features/debugging/server [no test files]
? google.golang.org/grpc/examples/features/encryption/ALTS/client [no test files]
? google.golang.org/grpc/examples/features/encryption/ALTS/server [no test files]
? google.golang.org/grpc/examples/features/encryption/TLS/client [no test files]
? google.golang.org/grpc/examples/features/encryption/TLS/server [no test files]
? google.golang.org/grpc/examples/features/errors/client [no test files]
? google.golang.org/grpc/examples/features/errors/server [no test files]
? google.golang.org/grpc/examples/features/interceptor/client [no test files]
? google.golang.org/grpc/examples/features/interceptor/server [no test files]
? google.golang.org/grpc/examples/features/keepalive/client [no test files]
? google.golang.org/grpc/examples/features/keepalive/server [no test files]
? google.golang.org/grpc/examples/features/load_balancing/client [no test files]
? google.golang.org/grpc/examples/features/load_balancing/server [no test files]
? google.golang.org/grpc/examples/features/metadata/client [no test files]
? google.golang.org/grpc/examples/features/metadata/server [no test files]
? google.golang.org/grpc/examples/features/multiplex/client [no test files]
? google.golang.org/grpc/examples/features/multiplex/server [no test files]
? google.golang.org/grpc/examples/features/name_resolving/client [no test files]
? google.golang.org/grpc/examples/features/name_resolving/server [no test files]
? google.golang.org/grpc/examples/features/proto [no test files]
? google.golang.org/grpc/examples/features/proto/echo [no test files]
? google.golang.org/grpc/examples/features/reflection/server [no test files]
? google.golang.org/grpc/examples/features/retry/client [no test files]
? google.golang.org/grpc/examples/features/retry/server [no test files]
? google.golang.org/grpc/examples/features/wait_for_ready [no test files]
? google.golang.org/grpc/examples/helloworld/greeter_client [no test files]
? google.golang.org/grpc/examples/helloworld/greeter_server [no test files]
? google.golang.org/grpc/examples/helloworld/helloworld [no test files]
ok google.golang.org/grpc/examples/helloworld/mock_helloworld 0.003s
? google.golang.org/grpc/examples/route_guide/client [no test files]
ok google.golang.org/grpc/examples/route_guide/mock_routeguide 0.005s
? google.golang.org/grpc/examples/route_guide/routeguide [no test files]
? google.golang.org/grpc/examples/route_guide/server [no test files]
ok google.golang.org/grpc/grpclog 0.003s
? google.golang.org/grpc/grpclog/glogger [no test files]
ok google.golang.org/grpc/health 0.063s
? google.golang.org/grpc/health/grpc_health_v1 [no test files]
? google.golang.org/grpc/internal [no test files]
? google.golang.org/grpc/internal/backoff [no test files]
? google.golang.org/grpc/internal/balancerload [no test files]
ok google.golang.org/grpc/internal/binarylog 0.026s
ok google.golang.org/grpc/internal/buffer 0.002s
ok google.golang.org/grpc/internal/cache 0.653s
ok google.golang.org/grpc/internal/channelz 0.005s
? google.golang.org/grpc/internal/envconfig [no test files]
? google.golang.org/grpc/internal/grpcrand [no test files]
ok google.golang.org/grpc/internal/grpcsync 0.002s
ok google.golang.org/grpc/internal/grpctest 0.002s
ok google.golang.org/grpc/internal/leakcheck 4.083s
ok google.golang.org/grpc/internal/proto/grpc_service_config 0.002s
ok google.golang.org/grpc/internal/resolver/dns 1.620s
? google.golang.org/grpc/internal/resolver/passthrough [no test files]
? google.golang.org/grpc/internal/syscall [no test files]
ok google.golang.org/grpc/internal/testutils 0.002s
ok google.golang.org/grpc/internal/transport 81.078s
ok google.golang.org/grpc/internal/wrr 0.008s
? google.golang.org/grpc/interop [no test files]
? google.golang.org/grpc/interop/alts/client [no test files]
? google.golang.org/grpc/interop/alts/server [no test files]
? google.golang.org/grpc/interop/client [no test files]
? google.golang.org/grpc/interop/fake_grpclb [no test files]
? google.golang.org/grpc/interop/grpc_testing [no test files]
? google.golang.org/grpc/interop/http2 [no test files]
? google.golang.org/grpc/interop/server [no test files]
? google.golang.org/grpc/keepalive [no test files]
ok google.golang.org/grpc/metadata 0.004s
ok google.golang.org/grpc/naming 0.156s
? google.golang.org/grpc/peer [no test files]
ok google.golang.org/grpc/reflection 0.010s
? google.golang.org/grpc/reflection/grpc_reflection_v1alpha [no test files]
? google.golang.org/grpc/reflection/grpc_testing [no test files]
? google.golang.org/grpc/reflection/grpc_testingv3 [no test files]
? google.golang.org/grpc/resolver [no test files]
? google.golang.org/grpc/resolver/dns [no test files]
? google.golang.org/grpc/resolver/manual [no test files]
? google.golang.org/grpc/resolver/passthrough [no test files]
? google.golang.org/grpc/serviceconfig [no test files]
ok google.golang.org/grpc/stats 0.046s
? google.golang.org/grpc/stats/grpc_testing [no test files]
ok google.golang.org/grpc/status 0.008s
? google.golang.org/grpc/stress/client [no test files]
? google.golang.org/grpc/stress/grpc_testing [no test files]
? google.golang.org/grpc/stress/metrics_client [no test files]
? google.golang.org/grpc/tap [no test files]
ok google.golang.org/grpc/test 30.190s
ok google.golang.org/grpc/test/bufconn 0.204s
? google.golang.org/grpc/test/codec_perf [no test files]
? google.golang.org/grpc/test/go_vet [no test files]
? google.golang.org/grpc/test/grpc_testing [no test files]
? google.golang.org/grpc/xds/experimental [no test files]
ok google.golang.org/grpc/xds/internal 0.003s
ok google.golang.org/grpc/xds/internal/balancer 5.113s
ok google.golang.org/grpc/xds/internal/balancer/edsbalancer 1.264s
ok google.golang.org/grpc/xds/internal/balancer/lrs 0.246s
ok google.golang.org/grpc/xds/internal/balancer/orca 0.002s
ok google.golang.org/grpc/xds/internal/client 0.004s
? google.golang.org/grpc/xds/internal/proto [no test files]
? google.golang.org/grpc/xds/internal/proto/udpa/data/orca/v1 [no test files]
? google.golang.org/grpc/xds/internal/proto/udpa/service/orca/v1 [no test files]
? google.golang.org/grpc/xds/internal/proto/udpa/type/v1 [no test files]
ok google.golang.org/grpc/xds/internal/resolver 0.004s
```
Updates https://github.com/letsencrypt/boulder/issues/4548
Unit tests are confirmed to pass:
```
~/go/src/github.com/miekg/pkcs11$ git log --pretty=format:'%h' -n 1
210dc1e
~/go/src/github.com/miekg/pkcs11$ go test ./...
ok github.com/miekg/pkcs11 0.645s
? github.com/miekg/pkcs11/p11 [no test files]
```
Unit tests are confirmed to pass:
```
~/go/src/golang.org/x/crypto$ git log --pretty=format:'%h' -n 1
e1110fd
~/go/src/golang.org/x/crypto$ go test ./...
ok golang.org/x/crypto/acme 6.879s
ok golang.org/x/crypto/acme/autocert 1.213s
? golang.org/x/crypto/acme/autocert/internal/acmetest [no test files]
? golang.org/x/crypto/acme/internal/acmeprobe [no test files]
ok golang.org/x/crypto/argon2 0.084s
ok golang.org/x/crypto/bcrypt 2.224s
ok golang.org/x/crypto/blake2b 0.049s
ok golang.org/x/crypto/blake2s 0.034s
ok golang.org/x/crypto/blowfish 0.005s
ok golang.org/x/crypto/bn256 0.311s
ok golang.org/x/crypto/cast5 2.527s
ok golang.org/x/crypto/chacha20 0.013s
ok golang.org/x/crypto/chacha20poly1305 0.423s
ok golang.org/x/crypto/cryptobyte 0.002s
? golang.org/x/crypto/cryptobyte/asn1 [no test files]
ok golang.org/x/crypto/curve25519 0.017s
ok golang.org/x/crypto/ed25519 0.047s
? golang.org/x/crypto/ed25519/internal/edwards25519 [no test files]
ok golang.org/x/crypto/hkdf 0.009s
ok golang.org/x/crypto/internal/subtle 0.011s
ok golang.org/x/crypto/md4 0.001s
ok golang.org/x/crypto/nacl/auth 4.920s
ok golang.org/x/crypto/nacl/box 0.019s
ok golang.org/x/crypto/nacl/secretbox 0.002s
ok golang.org/x/crypto/nacl/sign 0.002s
ok golang.org/x/crypto/ocsp 0.020s
ok golang.org/x/crypto/openpgp 3.302s
ok golang.org/x/crypto/openpgp/armor 0.001s
ok golang.org/x/crypto/openpgp/clearsign 13.182s
ok golang.org/x/crypto/openpgp/elgamal 0.008s
? golang.org/x/crypto/openpgp/errors [no test files]
ok golang.org/x/crypto/openpgp/packet 0.115s
ok golang.org/x/crypto/openpgp/s2k 5.114s
ok golang.org/x/crypto/otr 0.163s
ok golang.org/x/crypto/pbkdf2 0.025s
ok golang.org/x/crypto/pkcs12 0.036s
ok golang.org/x/crypto/pkcs12/internal/rc2 0.001s
ok golang.org/x/crypto/poly1305 0.025s
ok golang.org/x/crypto/ripemd160 0.018s
ok golang.org/x/crypto/salsa20 0.029s
ok golang.org/x/crypto/salsa20/salsa 0.009s
ok golang.org/x/crypto/scrypt 0.384s
ok golang.org/x/crypto/sha3 0.121s
ok golang.org/x/crypto/ssh 2.779s
ok golang.org/x/crypto/ssh/agent 0.460s
ok golang.org/x/crypto/ssh/knownhosts 0.018s
ok golang.org/x/crypto/ssh/terminal 0.006s
ok golang.org/x/crypto/ssh/test 2.059s
ok golang.org/x/crypto/tea 0.003s
ok golang.org/x/crypto/twofish 0.013s
ok golang.org/x/crypto/xtea 0.009s
ok golang.org/x/crypto/xts 0.001s
```
Unit tests are confirmed to pass:
```
~/go/src/golang.org/x/net$ git log --pretty=format:'%h' -n 1
2180aed
~/go/src/golang.org/x/net$ go test ./...
ok golang.org/x/net/bpf 0.494s
ok golang.org/x/net/context 0.058s
ok golang.org/x/net/context/ctxhttp 0.104s
? golang.org/x/net/dict [no test files]
ok golang.org/x/net/dns/dnsmessage 0.074s
ok golang.org/x/net/html 0.097s
ok golang.org/x/net/html/atom 0.002s
ok golang.org/x/net/html/charset 0.020s
ok golang.org/x/net/http/httpguts 0.028s
ok golang.org/x/net/http/httpproxy 0.003s
ok golang.org/x/net/http2 125.352s
ok golang.org/x/net/http2/h2c 0.015s
? golang.org/x/net/http2/h2i [no test files]
ok golang.org/x/net/http2/hpack 0.042s
ok golang.org/x/net/icmp 0.002s
ok golang.org/x/net/idna 0.012s
? golang.org/x/net/internal/iana [no test files]
ok golang.org/x/net/internal/socket 4.560s
ok golang.org/x/net/internal/socks 0.222s
ok golang.org/x/net/internal/sockstest 0.015s
ok golang.org/x/net/internal/timeseries 0.020s
ok golang.org/x/net/ipv4 0.053s
ok golang.org/x/net/ipv6 0.043s
ok golang.org/x/net/nettest 1.057s
ok golang.org/x/net/netutil 0.819s
ok golang.org/x/net/proxy 0.039s
ok golang.org/x/net/publicsuffix 0.146s
ok golang.org/x/net/trace 0.007s
ok golang.org/x/net/webdav 0.091s
ok golang.org/x/net/webdav/internal/xml 0.010s
ok golang.org/x/net/websocket 0.026s
ok golang.org/x/net/xsrftoken 0.019s
```
Unit tests are confirmed to pass:
```
~/go/src/gopkg.in/yaml.v2$ git log --pretty=format:'%h' -n 1
f90ceb4
~/go/src/gopkg.in/yaml.v2$ go test ./...
ok gopkg.in/yaml.v2 2.873s
```
Unit tests confirmed to pass:
```
~/go/src/github.com/golang/mock$ git log --pretty=format:'%h' -n 1
d74b935
~/go/src/github.com/golang/mock$ go test ./...
go: downloading golang.org/x/tools v0.0.0-20190425150028-36563e24a262
go: extracting golang.org/x/tools v0.0.0-20190425150028-36563e24a262
go: finding golang.org/x/tools v0.0.0-20190425150028-36563e24a262
ok github.com/golang/mock/gomock 0.003s
? github.com/golang/mock/gomock/internal/mock_gomock [no test files]
ok github.com/golang/mock/mockgen 0.008s
ok github.com/golang/mock/mockgen/internal/tests/aux_imports_embedded_interface 0.002s
? github.com/golang/mock/mockgen/internal/tests/aux_imports_embedded_interface/faux [no test files]
? github.com/golang/mock/mockgen/internal/tests/copyright_file [no test files]
? github.com/golang/mock/mockgen/internal/tests/custom_package_name/client/v1 [no test files]
ok github.com/golang/mock/mockgen/internal/tests/custom_package_name/greeter 0.003s
? github.com/golang/mock/mockgen/internal/tests/custom_package_name/validator [no test files]
? github.com/golang/mock/mockgen/internal/tests/dot_imports [no test files]
? github.com/golang/mock/mockgen/internal/tests/empty_interface [no test files]
ok github.com/golang/mock/mockgen/internal/tests/generated_identifier_conflict 0.006s
? github.com/golang/mock/mockgen/internal/tests/import_source [no test files]
? github.com/golang/mock/mockgen/internal/tests/import_source/definition [no test files]
? github.com/golang/mock/mockgen/internal/tests/internal_pkg [no test files]
? github.com/golang/mock/mockgen/internal/tests/internal_pkg/subdir/internal/pkg [no test files]
? github.com/golang/mock/mockgen/internal/tests/internal_pkg/subdir/internal/pkg/reflect_output [no test files]
? github.com/golang/mock/mockgen/internal/tests/internal_pkg/subdir/internal/pkg/source_output [no test files]
ok github.com/golang/mock/mockgen/internal/tests/mock_in_test_package 0.045s [no tests to run]
ok github.com/golang/mock/mockgen/internal/tests/test_package 0.002s [no tests to run]
ok github.com/golang/mock/mockgen/internal/tests/unexported_method 0.002s
? github.com/golang/mock/mockgen/internal/tests/vendor_dep [no test files]
? github.com/golang/mock/mockgen/internal/tests/vendor_dep/source_mock_package [no test files]
? github.com/golang/mock/mockgen/internal/tests/vendor_pkg [no test files]
ok github.com/golang/mock/mockgen/model 0.007s
ok github.com/golang/mock/sample 0.003s
ok github.com/golang/mock/sample/concurrent 0.002s
? github.com/golang/mock/sample/concurrent/mock [no test files]
? github.com/golang/mock/sample/imp1 [no test files]
? github.com/golang/mock/sample/imp2 [no test files]
? github.com/golang/mock/sample/imp3 [no test files]
? github.com/golang/mock/sample/imp4 [no test files]
? github.com/golang/mock/sample/mock_user [no test files]
```
Incorporates square/go-jose#282.
$ go test gopkg.in/square/go-jose.v2
go: finding gopkg.in/square/go-jose.v2 v2.4.1
ok gopkg.in/square/go-jose.v2 46.790s
* deps: update publicsuffix-go to 342bab7
This updates `github.com/weppos/publicsuffix-go` to 342bab7, the tip of
master at the time of writing.
Unit tests are confirmed to pass:
```
~/go/src/github.com/weppos/publicsuffix-go$ git log --pretty=format:'%h' -n 1
342bab7
~/go/src/github.com/weppos/publicsuffix-go$ go test ./...
? github.com/weppos/publicsuffix-go/cmd/load [no test files]
ok github.com/weppos/publicsuffix-go/net/publicsuffix 0.023s
ok github.com/weppos/publicsuffix-go/publicsuffix 0.015s
? github.com/weppos/publicsuffix-go/publicsuffix/generator [no test files]
```
* deps: update zmap/zlint to 71201e7
This updates `github.com/zmap/zlint` to 71201e7, the tip of master at
the time of writing.
Unit tests are confirmed to pass:
```
~/go/src/github.com/zmap/zlint$ git log --pretty=format:'%h' -n 1
71201e7
~/go/src/github.com/zmap/zlint$ go test ./...
ok github.com/zmap/zlint 0.205s
? github.com/zmap/zlint/cmd/zlint [no test files]
? github.com/zmap/zlint/cmd/zlint-gtld-update [no test files]
ok github.com/zmap/zlint/lints 0.214s
ok github.com/zmap/zlint/util 0.014s
```
This is a breaking API change: pkcs11key now takes as input a public key rather than
a private key label. In order to find the private key, it first finds the public key's CKA_ID
in the token, then looks for a private key with the same CKA_ID. From ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-30/pkcs-11v2-30b-d6.pdf:
> The CKA_ID field is intended to distinguish among multiple keys. In
the case of public and private keys, this field assists in handling
multiple keys held by the same subject; the key identifier for a
public key and its corresponding private key should be the same.
This does require that both the public key and private key are present and have
appropriate CKA_IDs set. I've verified this is the case in prod. In our integration
testing environment it was not the case, so I've tweaked entrypoint.sh to load
public keys into SoftHSM and set their CKA_ID.
The initial part of this change was written by @cpu. I've reviewed and approved
those commits.
* cmd: update prometheus.NewProcessCollector args.
There's a new struct `prometheus.ProcessCollectorOpts` that is expected
to be used as the sole argument to `prometheus.NewProcessCollector`. We
don't need to specify `os.Getpid` as the `PidFn` of the struct because
the default is to assume `os.Getpid`. Similarly we don't need to set the
namespace to `""` explicitly, it is the default.
* SA: reimplement db metrics as custom collector.
The modern Prometheus golang API supports translating between legacy
metric sources on the fly with a custom collector. We can use this
approach to collect the metrics from `gorp.DbMap`'s via the `sql.DB`
type's `Stats` function and the returned `sql.DbStats` struct.
This is a cleaner solution overall (we can lose the DB metrics updating
go routine) and it avoids the need to use the now-removed `Set` method
of the `prometheus.Counter` type.
* test: Update CountHistogramSamples.
The `With` function of `prometheus.HistogramVec` types we tend to use as
the argument to `test.CountHistogramSamples` changed to return
a `prometheus.Observer`. Since we only use this function in test
contexts, and only with things that cast back to
a `prometheus.Histogram` we take that approach to fix the problem
without updating call-sites.
This updates the `github.com/eggsampler/acme` dependency used in our Go-based
integration tests to v3. Notably this fixes a data race we encountered in CI.
With the data race fixed this branch can also revert
54a798b7f6 and resolve
https://github.com/letsencrypt/boulder/issues/4542
I ran a `go mod tidy` to cleanup the old `v2` copy of the dep and it also
removed a few stale cfssl/mysql items from the `go.mod`.
Upstream library's tests are confirmed to pass:
```
~/go/src/github.com/eggsampler/acme$ git log --pretty=format:'%h' -n 1
b581dc6
~/go/src/github.com/eggsampler/acme$ make pebble
mkdir -p /home/daniel/go/src/github.com/letsencrypt/pebble
git clone --depth 1 https://github.com/letsencrypt/pebble.git /home/daniel/go/src/github.com/letsencrypt/pebble \
|| (cd /home/daniel/go/src/github.com/letsencrypt/pebble; git checkout -f master && git reset --hard HEAD && git pull -q)
fatal: destination path '/home/daniel/go/src/github.com/letsencrypt/pebble' already exists and is not an empty directory.
Already on 'master'
Your branch is up-to-date with 'le/master'.
HEAD is now at 6c2d514 wfe: compare Identifier.Type with acme.IndentifierIP (#287)
docker-compose -f /home/daniel/go/src/github.com/letsencrypt/pebble/docker-compose.yml up -d
Creating network "pebble_acmenet" with driver "bridge"
Creating pebble_challtestsrv_1 ... done
Creating pebble_pebble_1 ... done
while ! wget --delete-after -q --no-check-certificate "https://localhost:14000/dir" ; do sleep 1 ; done
go clean -testcache
go test -race -coverprofile=coverage_18.txt -covermode=atomic github.com/eggsampler/acme/v3
ok github.com/eggsampler/acme/v3 24.292s coverage: 83.0% of statements
docker-compose -f /home/daniel/go/src/github.com/letsencrypt/pebble/docker-compose.yml down
Stopping pebble_pebble_1 ... done
Stopping pebble_challtestsrv_1 ... done
Removing pebble_pebble_1 ... done
Removing pebble_challtestsrv_1 ... done
Removing network pebble_acmenet
```
Updates `github.com/weppos/publicsuffix-go` to 3dd5f42, and
`github.com/zmap/zlint` to eea5fe8. Both hashes are the tip of master at
the time of writing.
Unit tests are confirmed to pass:
```
~/go/src/github.com/weppos/publicsuffix-go$ git log --pretty=format:'%h' -n 1
3dd5f42
~/go/src/github.com/weppos/publicsuffix-go$ go test ./...
? github.com/weppos/publicsuffix-go/cmd/load [no test files]
ok github.com/weppos/publicsuffix-go/net/publicsuffix 0.008s
ok github.com/weppos/publicsuffix-go/publicsuffix 0.005s
? github.com/weppos/publicsuffix-go/publicsuffix/generator [no test files]
~/go/src/github.com/zmap/zlint$ git log --pretty=format:'%h' -n 1
eea5fe8
~/go/src/github.com/zmap/zlint$ go test ./...
ok github.com/zmap/zlint 0.240s
? github.com/zmap/zlint/cmd/zlint [no test files]
? github.com/zmap/zlint/cmd/zlint-gtld-update [no test files]
ok github.com/zmap/zlint/lints 0.156s
ok github.com/zmap/zlint/util 0.020s
```
The most recent tagged release of mysql is v1.4.1, from a year ago. It
also happens to pull in an unwanted dependency (appengine) that the
latest commit does not.
Tests pass:
$ go test -count=1 github.com/go-sql-driver/mysql
ok github.com/go-sql-driver/mysql 0.068s
Fixes#4530
Newer Go versions seem to give a different psuedoversion for this
dependency at the same commit than when we initially switched to Go
modules for Boulder. Fixing the psuedoversion now so it won't trip up
future updates unexpectedly.
This branch also updates the WFE2 parseJWS function to match the error string fixed in the upstream project for the case where a JWS EC public key fails to unmarshal due to an incorrect length.
Resolves#4300
A unit test is included to verify that a TLS-ALPN-01 challenge to
a TLS 1.3 only server doesn't succeed when the `GODEBUG` value to
disable TLS 1.3 in `docker-compose.yml` is set. Without this env var
the test fails on the Go 1.13 build because of the new default:
```
=== RUN TestTLSALPN01TLS13
--- FAIL: TestTLSALPN01TLS13 (0.04s)
tlsalpn_test.go:531: expected problem validating TLS-ALPN-01 challenge against a TLS 1.3 only server, got nil
FAIL
FAIL github.com/letsencrypt/boulder/va 0.065s
```
With the env var set the test passes, getting the expected connection
problem reporting a tls error:
```
=== RUN TestTLSALPN01TLS13
2019/09/13 18:59:00 http: TLS handshake error from 127.0.0.1:51240: tls: client offered only unsupported versions: [303 302 301]
--- PASS: TestTLSALPN01TLS13 (0.03s)
PASS
ok github.com/letsencrypt/boulder/va 1.054s
```
Since we plan to eventually enable TLS 1.3 support and the `GODEBUG`
mechanism tested in the above test is platform-wide vs package
specific I decided it wasn't worth the time investment to write a
similar HTTP-01 unit test that verifies the TLS 1.3 behaviour on a
HTTP-01 HTTP->HTTPS redirect.
Resolves https://github.com/letsencrypt/boulder/issues/4415
This test adds support in ct-test-srv for rejecting precertificates by
hostname, in order to artificially generate a condition where a
precertificate is issued but no final certificate can be issued. Right
now the final check in the test is temporarily disabled until the
feature is fixed.
Also, as our first Go-based integration test, this pulls in the
eggsampler/acme Go client, and adds some suport in integration-test.py.
This also refactors ct-test-srv slightly to use a ServeMux, and fixes
a couple of cases of not returning immediately on error.
* deps: update github.com/zmap/zlint to latest.
This captures a new lint (`e_subject_printable_string_badalpha`) that
addresses a historic Let's Encrypt incident related to the allowed
PrintableString character set. It also pulls in minor housekeeping
related to consistently prefixing lint names with their respective lint
result level.
* review: fix expected lint name in TestIgnoredLint.
The upstream `zlint` project added a missing `w_` prefix on the
`ct_sct_policy_count_unsatisifed` lint that needed to be reflected in
expected test output.
* deps: update github.com/zmap/zlint to latest.
Update the `github.com/zmap/zlint` dependency to b126a9b. This captures
a small fix to the `ct_sct_policy_count_unsatisfied` lint that ensures
it isn't run for precertificates.
* config: remove ct_sct_policy_count_unsatisfied from ignored_lints.
With the latest `zlint` the `ct_sct_policy_count_unsatisfied` lint won't
flag precertificates as having an info-level lint result for missing
SCTs. With that fix in place we no longer have to ignore this lint in
the config-next CA configs that enable preissuance linting.
This will unblock pre-issuance linting support by updating the
`github.com/cloudflare/cfssl` dependency to the `1.3.4` tag which
notably includes the zlint integration developed in
cloudflare/cfssl#1015
Notably this brings in:
* A mild perf. boost from an updated transitive zcrypto dep and a reworked util func.
* A new KeyUsage lint for ECDSA keys.
* Updated gTLD data.
* A required `LintStatus` deserialization fix that will unblock a CFSSL update.
The `TestIgnoredLint` unit test is updated to no longer expect a warning from the
` w_serial_number_low_entropy` lint. This lint was removed in the upstream project.
Also excises the existing bad padding metrics code, adds a special error for when we encounter badly padded keys, and adds a test for the new special error.
Fixes#4070 and fixes#3964.
Because the package versions in go.mod match what we use in Godeps.json,
there are no substantive code diffs. However, there are some tiny
differences resulting from how go mod vendors things differently than
godep:
go mod does not preserve executable permissions on shell scripts
Some packages have import lines like:
package ocsp // import "golang.org/x/crypto/ocsp"
godep used to remove the comment from these lines, but go mod vendor does not.
This introduces several indirect dependencies that we didn't have
before. This is because godep used to operate at a package level, but
go mod operates at a module (~= repository) level. So if we used a
given repository, but didn't use all of its packages, we wouldn't
previously care about the transitive dependencies of the packages we
weren't using. However, in the go mod world, once we care about the
repository, we care about all of that repository's transitive
dependencies. AFAICT this doesn't affect vendoring.
Fixes#4116
dependabot[bot]